Have any one have this pop-up that appears and it offers you to run a free scan with UCleaner? Well, it happened to me today and I need help to get rid of this pesky bug. Here’s my Highjack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:50 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox 2 Beta 1\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188170533037
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188170496544
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

–
End of file - 3651 bytes

Well any unsolicited offer to scan your system should be taken with extreme suspicion as you are as the likely end result may be an infected system. I hear you saying isn’t it infected but the thing that is doing the pop-ups isn’t malicious but some scum/scam-ware.

Try this tool first, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php and report its findings.

The HJT log looks a little thin, did you run it in safe mode ?
Other than that I see nothing obvious.

Are you really running firefox 2 beta 1 as your programs folder suggests ?

I was in normal mode when running HJT. I have Firefox 2 beta 1 and I only use it for testing nightly builds. I was using the latest Firefox 2.0.0.7 when the pop-up occured.

Sorry about the double-posting. I forgot to mention, I was on www.esnips.com and I was using the search button on the site and that’s when the pop-up message occured. If you go to the site, I recommend that you should not use the search function. This happened to me three times already.

That being the case, your HJT log also seems a little shy of an active firewall ?

It is somewhat different in that the pop-up came as a result of interaction on a web site than what I had assumed, I though it was on your hdd.

I suggest that you read the report on esnips.com, http://www.siteadvisor.com/sites/esnips.com as there are some that have reported a similar experience to you. So personally I would stay away from this site and report your experience on the siteadvisor page for esnips.com.

I think provided you didn’t actually click on the ucleaner scan pop-up you should be OK. I had a look at the site with ff 2.0.0.7 and no script (plus running under DropMyRights, I assume that you have to log-on to be able to use the search function.

I tried a search and only got an 404 error page. So either noscript killed any script and the search failed, or they have taken down the page having found a problem, or you really have to sign-in to use the search.

Correct, I was logged in on the site when I used the search button. I removed my old firewall after I had minor problem with a conflicting issue. I also used RogueRemover and the scan turned out negative. Anyway, they (esnips) have a forum where people are already posting about the pop-ups that are appearing on their website.
http://forum.esnips.com/posts/list/1797.page

Well it seems to have been going on for some considerable time (20/9/2007 almost 3 weeks), the only thing that seems to have changed is the scanner name.

It is quite a long thread and from the brief look I didn’t see any official response from esnips.com. Perhaps you should post the link to siteadvisor.com and show that people are reporting this and it could well earn esnips a read flag.

I have already done that and I also downloaded Siteadviser for Firefox too.

As a back-up, using LinkScannerLite http://linkscanner.explabs.com/linkscanner/default.asp is also effective.

Have you thought of using a program called Sandboxie for surfing, I’ve been using it for a few weeks now,and its no where near as complicated as I thought it would be.If you want to test new software or visit sites you may have had resevations about ( even youtube can be dodgy, I hear ) or check email attatchments, then this program is another defence against malware.When you have finished browsing untrusted sites,(eg, the search bar at Esnips, perhaps ) simply delete the contents of the box.Apparentley some sandboxed progams can still read sensitive data on your computer ( until the box is emptied ) so it is by no means an answer to everything, but another tool against getting infected.
http://www.sandboxie.com/