Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Can't get rid of this adware

Can't get rid of this adware

post #1 of 20
Thread Starter 
No idea where this came from, but I am having random browser pop-ups

Usually happens right when I open the browser (Firefox 3.x), sometimes when I open new links (that aren't supposed to have popups).

I have AVG Free installed, did a full scan and it's still happening.

Did a full scan with Spybot and Malwarebytes, they came up with nothing.

Help!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:01:45 PM, on 3/27/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Connectify\ConnectifyService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Connectify\Connectifyd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Ron\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6894 bytes
Edited by flushentitypacket - 3/27/11 at 11:04am
post #2 of 20
Try Ad-Aware.
post #3 of 20
I had a problem like that once, related to a piece of malware called WinFix. I went to mybleepingcomputer.com and they helped me get it resolved.

However, if you would install and run hijackthis and post a log here as a quote, we might be able to find the culprit...
post #4 of 20
What exactly are the pop-ups and do they only happen when you're in a browser and not idle at the Desktop?

Ctrl-Alt-Dlt and check the processes. Anything unusual you don't recognize? I used to browse a forum that had viral advertising, and it would run the scripts, download a PDF file and then open it in Photoshop. Thus, giving me a crapstorm of issues.

I recommend you download Noscript for Firefox. I've used Noscript for about two years now. I promise you I have never gotten a virus from browsing the internet in those two years. What it does is unless you're allowing the site (if you trust the site and you go to it often) it WILL not allow scripts to run or execute if you are not allowing the site.
post #5 of 20
I would suggest dumping AVG and going with the free version of Avast.
I used to get a lot of false positives and adware with AVG; since switching to Avast I have experienced none of these.
post #6 of 20
Quote:
Originally Posted by E-Peen View Post
What exactly are the pop-ups and do they only happen when you're in a browser and not idle at the Desktop?

Ctrl-Alt-Dlt and check the processes. Anything unusual you don't recognize? I used to browse a forum that had viral advertising, and it would run the scripts, download a PDF file and then open it in Photoshop. Thus, giving me a crapstorm of issues.

I recommend you download Noscript for Firefox. I've used Noscript for about two years now. I promise you I have never gotten a virus from browsing the internet in those two years. What it does is unless you're allowing the site (if you trust the site and you go to it often) it WILL not allow scripts to run or execute if you are not allowing the site.
NoScript and Adblock Plus are the best add-ons made for Firefox imo.
post #7 of 20
Depending on what the pop-ups are (p0rn?), try under Tools -> Clear Recent History -> Select All -> Clean.

Good starting point.
post #8 of 20
Thread Starter 
Edit: Put Hijackthis log in first post.

I also have discovered that it attempts to redirect me to a website with this domain when I try to click on Google search results (DO NOT VISIT):
antro-co0ler.com
DO NOT VISIT SITE.

Edit2: The types of popups are those fake prize ones ("CONGRATULATIONS"), and fake anti-virus ads.

Edit3: I found a process called "AcroTray." Sounds fishy, but could just be part of Adobe Acrobat.
Edited by flushentitypacket - 3/27/11 at 11:09am
post #9 of 20
Thread Starter 
Ended the Acrotray process and removed it from my startup. It seems like that fixed the redirecting problem--I will let you guys know if there are any more problems!
post #10 of 20
AcroTray

Please run Firefox and re-run the HJT then append the log file above with the new results.

This might let us see what is running when the pop-ups are there.
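As an added example (not from this thread and not part of HijackThis itself), a small Python parser for the HJT v2 log layout posted in post #1: it separates the running-process list from the coded entries, flags the sections a responder checks first (AppInit_DLLs, services whose binary is missing, autostarts launched from user-writable paths), and diffs two process lists, which is the before/after comparison post #10 asks for. The function names, the flagging heuristics and the sample log are my own assumptions, not the thread's data.

```python
import re
# HJT v2 line codes: R0/R1 IE pages, O2 BHOs, O4 autostarts, O20 AppInit_DLLs, O23 services.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    """Split a HJT log into (running processes, [(code, body), ...])."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m["code"], m["body"]))
        elif in_procs and line:
            procs.append(line)
        elif not line:
            in_procs = False  # a blank line ends the process list
    return procs, entries

def flag_entries(entries):
    """Return [(code, body, reason)] for the entries a responder checks first."""
    flagged = []
    for code, body in entries:
        if code == "O20":
            flagged.append((code, body, "AppInit_DLLs is loaded into every user32 process"))
        elif code == "O23" and "(file missing)" in body:
            flagged.append((code, body, "service registered for a binary that is gone"))
        elif code == "O4" and re.search(r"\\(AppData|Temp)\\", body, re.I):
            flagged.append((code, body, "autostart from a user-writable directory"))
    return flagged

def new_processes(baseline, later):
    """Processes in a later scan that the baseline lacked (the comparison post #10 asks for)."""
    return sorted(set(later) - set(baseline))

# Constructed sample in HJT v2 layout; not the log posted in this thread.
SAMPLE = """Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\\Windows\\Explorer.EXE
C:\\Program Files\\Example\\exampletray.exe

O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\exampletray.exe
O4 - HKCU\\..\\Run: [updater] C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe
O20 - AppInit_DLLs: example32.dll
O23 - Service: Example Svc (exsvc) - Unknown owner - C:\\Windows\\system32\\exsvc.exe (file missing)
"""
```

Running `flag_entries(parse_hjt(SAMPLE)[1])` on the sample returns the Temp autostart, the AppInit_DLLs entry and the missing-binary service; a flagged line is a review prompt, not a verdict, since legitimate software (Adobe's acaptuser32.dll in the posted log, for one) also uses these mechanisms.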