
unwanted pop up window in IE

N/A

unwanted pop up window in IE

Hello,
I have installed the Google bar to block commercial pop-ups; it worked well until yesterday.
Now, each time I launch Internet Explorer, I have 2 or 3 windows open with random links to adult websites, Amazon and so on...

My antivirus software does not detect a thing....
I have removed all cookies and internet cache files...
I have uninstalled and re-installed the USB modem...
and I still have random webpages loading up....

Clues, anyone?


Stephane
15 REPLIES
Community Veteran
Posts: 14,469
Registered: 30-07-2007

unwanted pop up window in IE

You have a spyware / adware infection.

See General: Essential Security software for links to various apps you need to run.

Spybot & Ad-Aware are the two best ones. Also run CWShredder.

You should also look at installing SpywareGuard and SpywareBlaster.
cookie141
Grafter
Posts: 51
Registered: 16-09-2007

unwanted pop up window in IE

Remove the Google Toolbar and download the popup stopper from this site:

www.pcworld.com/downloads/file_description/0,fid,8060,00.asp

There are also some other useful tools you can download.
Community Veteran
Posts: 14,469
Registered: 30-07-2007

unwanted pop up window in IE

This is not a pop-up stopper issue but a browser hijack. So just replacing the pop-up stopper will have no effect on this issue.
N/A

unwanted pop up window in IE

*cough* firefox *cough*
N/A

situation improved but not fixed

Thanks all for your support....

So, following your advice, I installed several utilities, such as Ad-Aware, Spybot and CWShredder...
but I still have those windows coming up (sometimes it is a dirty window, sometimes it is something coming from http://194.237.110.186/randomsites/pages/62.html....)

I re-ran Spybot, and it found 6 new "DSO exploit". :?
After some searching on the forums, I used Dsostop2
- aimed at protecting IE from the DSO vulnerability -
but I still have that DSO exploit coming up....


Any ideas,

Cheers....

PS:
I know spyware is not new, but it is the first time that I am going through this, as I originally worked in a Mac OS environment.. and really, I am now realising how much trouble Windows users must cope with...
All I am saying is that sometimes "small [market share] is beautiful..."


Stephane
Community Veteran
Posts: 14,469
Registered: 30-07-2007

unwanted pop up window in IE

The DSO report is a known problem with spybot and a fix is due soon. You can ignore it as it's not related to your problem.

If Ad-Aware, Spybot and CWShredder did not help, try running HijackThis and post your results (run it, click scan, then click save log and post the contents of the file saved).
N/A

unwanted pop up window in IE

Hi Peter..
Don't you ever sleep?
N/A

hijackthis log

Ok.. so here it is....

Beware.. it is quite long


------
Logfile of HijackThis v1.98.2
Scan saved at 02:19:03, on 15/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
C:\Moira\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Moira\mmtask.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\localadmin\My Documents\stef\IE maintenance soft\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [MMTray] C:\Moira\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [mmtask] C:\Moira\mmtask.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/293c60ef7999b4c3cc05/netzip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GRPDOM.vwuk.corp
O17 - HKLM\Software\..\Telephony: DomainName = GRPDOM.vwuk.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{2995A777-09A6-4F8B-8860-61E25D8A88FF}: NameServer = 212.159.13.49 212.159.13.50
O17 - HKLM\System\CCS\Services\Tcpip\..\{66E3F463-137F-4240-B28C-88E661CCEF80}: NameServer = 212.159.11.150,212.159.13.150
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GRPDOM.vwuk.corp
O17 - HKLM\System\CS1\Services\Tcpip\..\{2995A777-09A6-4F8B-8860-61E25D8A88FF}: NameServer = 212.159.13.49 212.159.13.50
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GRPDOM.vwuk.corp
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
-------

Voila !
Community Veteran
Posts: 14,469
Registered: 30-07-2007

unwanted pop up window in IE

The two main suspicious files are in the C:\Moira directory and are called mmtask.exe and mm_tray.exe.

Do you know what this Moira directory is?

In any case, rename the Moira directory to something else (e.g. Moira.old), reboot then see if you get the pop-ups when you start IE. Also check to make sure the Moira directory does not get created again after you rebooted.

If you don't get the pop-ups, then they are the culprits. Delete Moira.old

Then run Spybot, and make sure you are in advanced mode (click mode at the top and select advanced). Then click Tools, make sure system startup is ticked, then select system startup from the left menu.

If you see any lines with mmtask or mm_tray, delete them one at a time by clicking on the line then clicking the red X (delete) at the top. While you are there, you can also delete realsched and qttask, both of which are not needed.
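
A log like the one posted above can be given a first pass mechanically before it is read line by line. The following is an added example, not part of the original thread: it parses a few lines excerpted from that log and lists load-point entries whose target file is missing, has no full path, or lies outside directories assumed here to be normal install locations. The section set and directory list are assumptions, and a hit means "review this entry", not a verdict.

```python
import re

# Excerpt of the HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [MMTray] C:\Moira\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
"""

# "O4 - rest of line": section code, separator, entry body.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# First drive-letter path ending in a loadable file type.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx|sys)', re.I)
# Sections in this log that load code: BHO, toolbar, Run/Startup, SSODL.
LOAD_POINTS = {"O2", "O3", "O4", "O21"}
# Assumption: locations treated as expected for installed software on this machine.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def triage(log_text):
    """Return (section, reason, entry) tuples for load points worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m or m.group(1) not in LOAD_POINTS:
            continue  # header lines, process list, settings-only sections
        section, body = m.groups()
        if body.endswith("(file missing)"):
            # Registry still references a file that is no longer on disk.
            findings.append((section, "target file missing", body))
            continue
        path = WIN_PATH.search(body)
        if path is None:
            # Bare file name: which file runs depends on the search path.
            findings.append((section, "no full path", body))
        elif not path.group(0).lower().startswith(EXPECTED_ROOTS):
            findings.append((section, "outside expected directories", body))
    return findings


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"{section:<4}{reason:<30}{entry}")
```
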
N/A

unwanted pop up window in IE

I say use Firefox, it's great.
N/A

unwanted pop up window in IE

Peter:
I know what the "Moira" folder is. Indeed, it is actually the laptop owner's personal folder.
I'll be sure to have a look at it this evening.

I think we are getting closer...


Stephane
Community Veteran
Posts: 14,469
Registered: 30-07-2007

unwanted pop up window in IE

In that case just rename the 2 files I mentioned and see what happens. They are not used by Windows XP and may be part of other legitimate software installed in that folder but they are suspicious.
N/A

unwanted pop up window in IE

Hello Peter,
- I have renamed the Moira folder to Moia_old, rebooted, and still got the unwanted URL coming up.

- Those two files you mentioned earlier, I know what they are: they are related to an iTunes-like software named Music Match.


Still looking into it.

Stephane
N/A

unwanted pop up window in IE

A simple solution, in my opinion, to any Internet Explorer related problem is to stop using it. Have a look at http://www.switch2firefox.com for info about Mozilla Firefox - a free browser that blocks pop-ups by default and is far faster and more secure than IE.