
Pop up stopper knocks out browser

grez

Current situation is as follows:

* Dell on XP Pro runs like a champ.
* Can be on the internet for about 10 minutes or so, THEN, pop up stopper kicks in and then the browser's connection is lost, HOWEVER, I can ping any site all day in the command prompt.
* It will also then not allow Firefox to get a connection. The only way to restore browser use is to restart.

Other background info:
1) Uninstalled AV and FW just to be sure (running clean, nothing at startup).
2) There was some sort of virus called mpsegment which replicated itself. Found it and was able to successfully remove it manually.
3) Running adaware in safe mode now to see if it pulls a browser hijack...reason being is that after the connection is lost, and, you close IE and reopen it, the "tools" menu has CHANGED...no "pop up stopper" option, windows update, etc that IS there after a fresh restart.

The machine runs clean and like a champ otherwise, so I am very hesitant to reinstall. Any ideas? Never seen this one before. Thanks in advance!
 
I would suggest:

You DL HiJackThis, run a scan and paste LOG here in the Thread or go to the Online Analysis at
DL EWIDO Security Suite, best Trojan Hunter around imo... update it and RUN full scan...

Also, it may redirect the LSPs or the HOST file, by the way it sounds... it would be a good idea to have an AntiSpyware program running in the background along with your AV and FW, ie. MS AntiSpyware or the TeaTimer from SpyBot S&D...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Here it is. Any thoughts? FYI: I did already try the winsock xp fix (resets the host file...been very successful before with it).

Logfile of HijackThis v1.99.1
Scan saved at 6:55:32 AM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\DAD\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnzgc.dll/sp.html#87649
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnzgc.dll/sp.html#87649
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - Startup: TempCleaner.lnk = C:\Program Files\TempCleaner\TempCleaner.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O20 - Winlogon Notify: GoToMyPC - C:\WINDOWS\SYSTEM32\G2WinLogon.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3i - C:\WINDOWS\q326324656.dll (file missing)
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
 
Removing adware & spyware
faq608-4650

Microsoft (GIANT Antispyware) Beta available
Thread779-979113

Try the free version of "Ewido"

Use this site as a rough guide of things you should check in your log.

HijackThis log file analysis

Make sure you appreciate the difference between the old Winsock fix and the inbuilt SP2 Winsock fix which replaces it.

WinXP Connectivity Issues
Lost Connectivity after Registry or Malware Cleanup
faq779-4625

Make sure your options in IE/ Tools/ Internet Options/ Advanced are correct.

Uncheck the boxes for "Install on Demand" for IE and Other programs (two boxes).

Try running temporarily with the third box "Enable Third Party Browser Extensions" unchecked and see how this goes.

"This specifies that you want to disable features you installed for use with Internet Explorer that may have been created by companies other than Microsoft.
If you encounter problems with Internet Explorer that you cannot resolve, you can use this option to help determine if third-party features are causing the problems without uninstalling the feature. You must restart Internet Explorer after turning this option on or off."


If that stops your errors, you will know where the trouble is.

This article and the program BHOcop might be useful to you.

 
Hola,

fix these for certain:

O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)

O20 - Winlogon Notify: st3i - C:\WINDOWS\q326324656.dll (file missing)

and do you really need the following (the Citrix Remote Access? if so leave it...):

O20 - Winlogon Notify: GoToMyPC - C:\WINDOWS\SYSTEM32\G2WinLogon.dll

O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)

other than that your LOG seems clean, but I suggest you run HJT from a dedicated Folder not the TEMP and not from a ZIP file...

The reason I mentioned the LSP prob, was that FF could not access the Internet after IE crashed, this usually indicates a messed up WINSOCK... The HOST file should still be checked Manually (ie. through SpyBot, Notepad, or HOSTER)...

I would also suggest locking down the security level of IE, by disabling JavaScript and ActiveX (except where it is safe to do so, ie. Windows update...)






Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
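
Added example, not part of any post in this thread: a small Python triage of a HijackThis log that flags the two things the reply above points at, entries marked "(file missing)" and the scanner being run from a Temp/ZIP path. The `res://` check is an extra heuristic assumed here, `triage` is a hypothetical helper name, and the sample is a handful of lines taken from the log posted above.

```python
import re

# Constructed sample: a few lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
C:\DOCUME~1\DAD\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199[1].zip\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnzgc.dll/sp.html#87649
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: st3i - C:\WINDOWS\q326324656.dll (file missing)
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
"""

# HijackThis entries start with a section code such as R1, O2, O20, O23.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def triage(log_text):
    """Return (code, reason, line) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            # Not a section entry: treat as a running-process path and check
            # whether the scanner itself was launched from Temp or a ZIP.
            low = line.lower()
            if low.endswith("hijackthis.exe") and ("\\temp\\" in low or ".zip" in low):
                findings.append(("PROC", "scanner run from Temp/ZIP", line))
            continue
        code, body = m.groups()
        low = body.lower()
        if low.endswith("(file missing)"):
            # Registry entry survives but its target file is gone.
            findings.append((code, "orphaned entry, target file missing", line))
        elif code in ("R0", "R1") and "= res://" in low and ".dll/" in low:
            # Assumption (heuristic added here, not raised in the thread):
            # an IE start/search page served out of a DLL resource.
            findings.append((code, "IE page served from a DLL resource", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```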
 
There is a pop up blocker built in Internet Explorer. This has been an issue for several people I know. It's under Internet Options / Privacy tab.
Please make sure that the pop up blocker is not selected.

good luck!

Some people make things happen, some people watch things happen, while others wonder what happened.
 
All,

After playing and playing with this problem, I wound up reformatting it and all is well of course. Registry hacks, spyware removal programs, a/v, you name it, couldn't kick it out at all.

The great thing that has come out of this is everyone's suggestion for Ewido. That program ROCKS! After running spysweeper, adaware on a few other machines, I put ewido on and it identified soooo much more. I like the user interface and everything about it, and, it's easy enough for clients to operate.

In addition, Ewido WILL remove Spyaxe, which NO OTHER one of the spyware programs did. Spyaxe was a PIA big time (pop up ad, someone went into a panic and voilà..spyaxe was installed....AND recreates itself). Ewido removed it after running it in safe mode and one full restart.

THANKS for helping me find the BEST in spyware protection, and, for your time and help!!

grez
 