Question

Jun 28, 2005, 07:05 AM   #1
wrathz
Popups from several websites

hi,
i have been getting several popups from different sites in the recent week.
i have been reading up on this forum and had tried many futile attempts to remove these popups.
i have been getting website popups from:
http://dnaads.com/servlet/ajrotator/...?zone=enternet
z1.adserver.com, casemedia.com and many more.
i have downloaded adaware, spybot s&d, spyblaster and hijackthis. i also have norton internet security and antivirus. i have run adaware and spybot many many times already but the popup still remains. help..

this is my hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:04:15 PM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Cheng\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezka32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15014/CTSUEng.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6A23DD6-3324-438C-8FBC-90DE7D6BCDCC}: NameServer = 123.123.123.123
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


help,
Jn

 
     

Answers
 
 
Jun 29, 2005, 04:07 AM   #2
fredg
Pop-ups

Hi,
I realize you already have most of the programs listed below, but have you run them in Safe Mode, and run them 2 or 3 times?
Here are steps to do that:

If you think you already have Spyware/Advertising Ware in your computer, run these as follows:

http://www.security-related.com/download2.htm
Download: SpyBot Search & Destroy; 1.3
(If you use the Spyware Blaster free program, then don't set SpyBot to the Immunization feature)

AdAware at:
http://www.lavasoftusa.com
Download: AdAware_SE V 1.06

CWShredder at:
http://www.intermute.com/products/cwshredder.html
(CWShredder is intended only for removal of CoolWebSearch files; placed as spyware on the hard drive). It is not a "stand alone" scan, but needs to be run. Download the free version by clicking on "Download stand alone version of CW Shredder".

All 3 of the above programs run better and much faster when run in SafeMode.

To get into SafeMode:
Re-boot the computer, and immediately after starting up, Press and hold down, F8, at top of keypad.
When the options show on the screen, use the up and down arrow keys on the keyboard to select
"Safe Mode".
Press Enter

It's best to run the AdAware scan first; 3 times; then re-boot.
Then, run the AdAware scan again 3 times; then run the SpyBot. Then, run CWShredder.
Re-boot.
Reason for running so many times:
Some of these trojans' files can be deleted the first time; leaving some others; but on re-boot, they re-write the files that were deleted.
Running multiple times deletes most of it the first time.

If you wish to have a great program, after you clean out Spyware/Advertising Ware:
Spyware Blaster 3.3
This program stops this stuff from getting into the computer in the first place, by placing URL's in the browser, stopping them instantly.
You do not have to do scans with SpyWare Blaster, just update it every week with new "definitions". I really haven't used any of the spyware scanners since using this great program.

http://www.javacoolsoftware.com/sbdownload.html

Best wishes,
fredg

Jun 29, 2005, 04:46 AM   #3
labman24
popup

hello,
This is all spyware. The other expert's advice should get rid of it, using SafeMode.
Here is a link with some info about one of them:

http://www.securemost.com/articles/t...server.com.htm

labman24

I, fredg, and labman24 are the same person. I apologize to all those concerned for my actions.
fredg

Jun 29, 2005, 03:25 PM   #4
Curlyben
Bloody Hell !!!!!

Quote:
Originally Posted by labman24
hello,
This is all spyware. The other expert's advice should get rid of it, using SafeMode.
Here is a link with some info about one of them:

http://www.securemost.com/articles/t...server.com.htm

labman24
For crying out loud, Fred, stop pissing about and using this crap alias to back up your equally crap answers with y links !!!!!

Jul 4, 2005, 07:33 AM   #5
fredg
pop-ups

Hi,
By now, I hope you have run your spyware programs in Safe Mode, and have solved the issue.
Best wishes,
fredg

Jul 12, 2005, 10:08 AM   #6
Press2Esc
Step 2 - Post Pop-Ups

After you get rid of the spyware (and related popups), immediately rid yourself of IE - change browsers. I prefer Avant Browser (avantbrowser.com), other alt browsers would be Netscape (.com), Firefox (mozilla.org), etc. Popups commonly arrive via IE's (6) known security exploits.

For what it's worth, I can personally vouch for Avant's b/i pop-up blocker - as a 2+ year user of AB, NO popups come through.... Outstanding.

Good Luck. P2E

Jul 12, 2005, 12:32 PM   #7
wzartv
Browsers

I completely agree with Press2Esc - I prefer Firefox, it has a lot of really neat features that you can personalize it with, it seems to be more stable, it is less vulnerable, and comes with a built-in pop-up blocker that blocks pop-ups about 97% of the time. I have no problems with it as compared to IE where it would be constantly locking up, giving me errors, etc. www.firefox.com

Jul 15, 2005, 09:57 AM   #8
crazygirl
first off

Okay, what ya need to do is get a spyware detector. It's kinda like a virus detector, only it finds spyware when it does a scan and takes them off your comp for you. Personally I like Spybot Search and Destroy or Spy Sweeper; they are two of the best I have found so far.

Jul 18, 2005, 08:32 AM   #9
Press2Esc
HiJack post..

The only problem I see in your HiJack list is ctfmon.exe. Per iamnotageek.com, Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies. In any case, if you are not using any of these technologies, get rid of it...

Other, more specific, info about ctfmon can be viewed at http://support.microsoft.com/default...;EN-US;q282599

P2E

Jul 20, 2005, 05:10 PM   #10
bewareofdoor
"Elite" adware

The problem file in your HijackThis report is C:\windows\system32\elitezka32.exe, just as it is in mine. Adaware has never found it, although I have yet to try this safe mode idea, and HijackThis cannot fix it, as it reappears or possibly just continues to run after I check its box and "fix it." I got this adware in a bad link sent to me by a couple of friends over AOL Instant Messenger, although they did it involuntarily. Clicking the link (which of course contains the words sexy and funny along with various URL gibberish, which should have been obvious, but coming from a friend it seemed fine) sends a message with a link identical to the one I fell for to all online screen names on the Buddy List, and replaces any extra content toolbar in Internet Explorer (and probably other programs) with the "Elite Toolbar." It also uses the elitezka32 application mentioned above to spawn popup ads, or so I believe (strangely, a search for all files containing elite also found a similarly named "elitekza32" file, but no file with the same spelling that HijackThis shows. I also found a file called something like "elitedfn32" and deleted it, but the first file would not delete as it was "write protected or in use." While I was trying to get rid of it with HijackThis, elitekza32 disappeared from the search results list, and nothing relating to this elite adware has shown up in subsequent searches). I get the same popups this earlier fellow mentioned. Since a couple of days ago when I first received the linked IM, I have gotten the message many more times, implying that many of the people I know have gotten this link and possibly also fallen for it. I will try the safe mode trick and get back to you all. I recommend you don't open any links in any messenger program even if they seem fine.

Sam
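
The symptom reported in this thread, a startup entry that is still there after it was checked and "fixed" in HijackThis, can be confirmed by comparing the O4 (Run key) lines of two scans. This is an added example, not part of any post: the first log reuses O4 lines from post #1, the second log is constructed, and the function names are hypothetical.

```python
import re

# Item lines look like: "O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezka32.exe"
ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")

# First scan: O4 lines copied from the log in post #1.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezka32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Second scan: CONSTRUCTED for this example. It models a rescan taken after
# the [checkrun] box was ticked and fixed, with the value present again.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezka32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_items(log_text):
    """Return (section code, detail) for every item line (R0, O2, O4, ...)."""
    items = []
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append((m.group(1), m.group(2).strip()))
    return items


def autoruns(log_text):
    """Map (hive, key, value name) -> command for each O4 registry Run entry."""
    found = {}
    for code, detail in parse_items(log_text):
        if code != "O4":
            continue
        m = RUN_RE.match(detail)
        if m:  # O4 Startup-folder lines have no registry value and are skipped
            hive, key, name, command = m.groups()
            found[(hive, key, name)] = command
    return found


def survivors(before_log, after_log, fixed_names):
    """Run values the analyst fixed after the first scan that exist in the second."""
    before = autoruns(before_log)
    after = autoruns(after_log)
    fixed = {n.lower() for n in fixed_names}
    hits = []
    for ident in sorted(after):
        if ident in before and ident[2].lower() in fixed:
            hits.append({
                "hive": ident[0],
                "key": ident[1],
                "name": ident[2],
                "command": after[ident],
                # True if the value came back pointing at a different file
                "command_changed": after[ident].lower() != before[ident].lower(),
            })
    return hits


if __name__ == "__main__":
    for hit in survivors(BEFORE_LOG, AFTER_LOG, ["checkrun"]):
        print("still present after fix: {hive}\\{key} [{name}] {command}".format(**hit))
```

A value that survives the fix means something is still running and rewriting it, which is the case the earlier posts address by rescanning in Safe Mode.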
Copyright ©2003 - 2009, Ask Me Help Desk.