
Possible Virus? "I HATE Pops!"

Discussion in 'Malware and Virus Removal Archive' started by rtstanley, 2004/01/17.

Thread Status:
Not open for further replies.
  1. 2004/01/20
    JerseyGirl

    JerseyGirl Inactive

    Joined:
    2004/01/20
    Messages:
    1
    Likes Received:
    0
    I was recently hacked by the "I Hate Pops" ad, which actually opens an Internet Explorer window whenever it appears. It works by presenting an invitation to download an innocent-looking Internet Explorer plug-in while you're surfing the net, and if you hit OK you're sunk. I tried all of the fixes suggested here--installing and running various spyware/adware detection programs and turning off Instant Messenging and Windows Messenger Service. Nothing worked. Finally, I followed several leads to a file named "iefeatures.exe" in the Windows/System32 folder; apparently it was loading before my antivirus/firewall software was activated at startup, so it could then execute at will. At first I couldn't delete this file because it was "in use," so I ran "msconfig" to select a diagnostic startup so the file couldn't load, and then I was able to remove it completely. The obnoxious ad hasn't reappeared since. Hope this helps others.
     
  2. 2004/01/20
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    With the leads provided by recent posts, I ran www.google.com on Popnav
    http://www.google.com/search?sourceid=navclient&q=popnav
    and iefeatures.exe
    http://www.google.com/search?sourceid=navclient&q=iefeatures.exe
    Quite a few suggestions for removal offered, but it ain't so easy.
    One of the best, perhaps,
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_POPMON.A down near the bottom.
    This seems to be part of the CoolWebSearch family, but although I did not read all the details, surprisingly I did not see a suggestion to run CWShredder
    http://www.merijn.org/cwschronicles.html
    Again see at bottom of this very long article.
     
    Last edited: 2004/01/20


  4. 2004/01/20
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    It's a never-used feature that has been replaced by the various well known, popular, and feature-rich instant messaging systems.

    Errrr - Welshjim, maybe on home or small networks that is the case. On larger business networks, I think you'll find otherwise.

    Many commercial software apps use messenger service pop-ups to notify sysadmins of problems. With some it's the only option and with others, it's an option and usually the one that creates the least system load. For this sort of thing, 'feature-rich' is the last thing you want. For instance:

    Trend Micro Server Protect notifies a half dozen of us if a server gets hit by a virus. Not only servers on my local LAN but others that are in different states and use T1 lines to do lots of WAN communications. Messenger is great since it is not a bandwidth hog.

    Our main Oracle dB system (running on a server cluster) sends them in case of problems as do at least a half-dozen other products.

    I use it regularly as an easy way to tell around 150 machine operators on the production floor if I need to do something that will affect their systems.

    I completely agree that home and small LAN users can just disable the service. But for us, firewall settings were a much better option so we see the pops from our own systems but not from internet sites that mis-use it.
     
  5. 2004/01/21
    Darkhunter

    Darkhunter Inactive

    Joined:
    2004/01/20
    Messages:
    2
    Likes Received:
    0
    [on Windows XP Home machine]

    Made a backup of my files then:

    Ran Hijack This on the affected computer and my laptop (which mirrors the affected computer) and got rid of everything that didn't match up.

    Ran Spybot Search and destroy.

    Then ran Shoot the Messenger.

    This seems to have solved the problem completely...thanks for the help.
     
  6. 2004/01/21
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Newt--
    I was only quoting Steve Gibson. (Note quotation marks.) :D
     
  7. 2004/01/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good going, Darkhunter.
     
  8. 2004/01/21
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Darkhunter - glad you are cured.

    Welshjim - I had missed the quote part before. M. Gibson has been known to speak with too little thought in the past and looks like he done it again, he did.

    Even though the comment is safe for most home/SOHO users, I did want to toss in the caution though just to make sure that if anybody reads this thread and then goes to their office PC and blows away a needed app, they can't blame us. :)
     
  9. 2004/01/22
    rtstanley

    rtstanley Inactive Thread Starter

    Joined:
    2002/04/20
    Messages:
    50
    Likes Received:
    0
    Welshjim---I cannot believe all of the response. I really appreciate it! I have not had a chance to read all of these and to try the recommendations. I plan to do so this weekend and will let you know the results.
     
  10. 2004/01/25
    rtstanley

    rtstanley Inactive Thread Starter

    Joined:
    2002/04/20
    Messages:
    50
    Likes Received:
    0
    OK...Here are some things.

    Here is the Hijack This Log. Let me know what to delete.
    ++++++++++++++++++++++++++++++++++++++++
    Logfile of HijackThis v1.97.7
    Scan saved at 12:15:40 AM, on 1/25/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\IEFEATURES.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\BELKIN SENTRY BULLDOG\UPSD.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\IEFEATURES.EXE
    C:\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\PYRENEAN\EDEXTER\EDEXTER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
    C:\DADS_STUFF\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;47.*;localhost;<local>
    N1 - Netscape 4: user_pref( "browser.startup.homepage ", "http://triweb.us.nortel.com/labhome/ "); (C:\Program Files\Netscape\Users\rstanley_pcnt\prefs.js)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [WinProfile] C:\Command.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Windows] c:\msdos98.exe
    O4 - HKLM\..\Run: [UPSentry Smart 2000] C:\Program Files\BELKIN SENTRY BULLDOG\upsd.exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe "
    O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [UPSentry Smart 2000] C:\Program Files\BELKIN SENTRY BULLDOG\upsd.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadBlackD] C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE "
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
    O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - User Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - User Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - User Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
    O4 - User Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .SC2: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .rmf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPBeatSP.dll
    O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O16 - DPF: {87BC8721-3CDD-11D1-B027-0060971611DA} (Newstick Control) - http://channel.cnn.com/intro/tick.cab
    O16 - DPF: {ABD85B93-9BF9-11D1-B08B-0040953108D6} (UKsysctrl.UKsystem) - file://C:\Program Files\Quantex\UKsysctrl.CAB
    O16 - DPF: {DC840BE3-16D9-11D0-BA39-00C04FDDB4CD} (Conveyer Control) - http://cdm.microsoft.com/update/Nov23/OSB/9/conveyer1.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.mtv.com/mtv/tubescan/animation/vbill/install/Plugins/AxPulse.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerStub.exe
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.com/apps/softsearch/addynamix_giftcard.exe


    CWSHREDDER
    ++++++++++
    Ran this. My system is completely clean.

    Johnna...
    +++++++
    I'm running W98SE, so I do not know what you're talking about with the admin tool - services.

    Markp62 and Welshjim...
    ++++++++++++++++++
    YES, I had http://free.aol.com in the trusted sites. I deleted it and added it to the restricted sites.

    Welshjim.....
    +++++++++
    I'm running OE 6.00.2462.000 and I do not have the option you mentioned under tools-options-general tab.

    Lonny Jones...
    +++++++++++
    Did you mean to post some links to Navpop + Ihatepos Hijackthis Log? Now that you mention this, when we startup IE (sometimes...I have user profiles and logins on this machine), it starts at the POPNAV screen.

    JerseyGirl...
    +++++++++
    I do not have this file in the windows-system32 folder

    Darkhunter....
    ++++++++++
    Did you mean to include a link for "Shoot the messenger "?

    That's all for now. Maybe you guys can tell me something in the hijack log. Also this.....whatever program is starting this whole mess, it definitely starts Internet Explorer. I normally use Netscape, so normally, whenever you start Internet Explorer you always get that display telling you that Internet Explorer is not your default browser and asking you if you want to make it your default. Whenever this IHATEPOPS thing starts, the above IE display will start first.

    Thanks for all the posts.

    Rick Stanley
     
  11. 2004/01/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Place a check next to these items, close all IE windows and programs that show in the taskbar, and hit Fix checked.
    Items in blue are optional.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL


    O4 - HKLM\..\Run: [WinProfile] C:\Command.exe (see below)
    I would say leave this one and get several online anti-virus scans.. let them deal with it.

    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/i...5.26/Hiwire.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.com/apps/softsear...ix_giftcard.exe

    Reboot, then find and delete these files:
    C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe<---file
    C:\WINDOWS\SYSTEM\IEFEATURES.exe<-----file
    You might have to show hidden files and folders first: http://www.xtra.co.nz/help/0,,4155-1916458,00.htm




    WinProfile X Command.exe Added as a result of the BUDDY VIRUS! http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BUDDY.E
    There's a link to their online scan on that page.. best to get one from a site other than your AV's for a better second opinion.
    Here's another to choose from too:
    Trend Micro - Free online virus Scan: http://housecall.trendmicro.com/


    Now post a fresh hijackthis log
     
  12. 2004/01/25
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    O4 - HKLM\..\Run: [Windows] c:\msdos98.exe
    Added as a result of the PWSTEAL VIRUS!


    O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
    Really not needed at startup.


    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    While the name Backweb is associated with spyware, this checks for updates for a Logitech device; not needed at startup.

    O4 - HKLM\..\RunServices: [LoadBlackD] C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
    This firewall isn't all that good. It does nothing to stop what is running on your computer from connecting out. The PWSTEAL from above was doing as it pleased. Give it the Leaktest.

    AVG AV for free
    ZoneAlarm Free
    Kerio Personal Firewall
    Housecall, online AV scan
    Online Trojan Scan
     
  13. 2004/01/25
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    rtstanley--Looking forward to hearing that all is now well!!;)
    "Shoot the Messenger" is available here
    http://www.grc.com/stm/shootthemessenger.htm
    Somewhat surprised to hear that. Are you sure you were looking under Outlook Express Tools and not Internet Explorer Tools?
    But if things are now OK, then you probably do not need to use either of these two suggestions.
    But your version of OE (and IE) is slightly out of date. (In fact it is a beta version of IE 6 prior to the IE6 Service Pack 1. OE version numbers usually follow IE's.) Do you use Windows Update from time to time to get Critical Updates? You really should download and install IE6 SP 1.
     
  14. 2004/01/25
    rtstanley

    rtstanley Inactive Thread Starter

    Joined:
    2002/04/20
    Messages:
    50
    Likes Received:
    0
    JerseyGirl.........
    ++++++++++++

    After sending my post yesterday, I thought to search for the
    file you mentioned (dummy me for just looking in one folder).
    I found the iefeatures.exe file in two places. Both are 124KB.
    Both had a timestamp of 01/14/2004 (about when all this started).

    C:\Windows\SYSTEM\iefeatures.exe
    C:\Windows\Profiles\lstanley\Temporary Internet Files\Content.IE5\F2GBZHOP\iefeatures[1].exe

    I deleted the second one without any issue (the iefeatures[1].exe file).

    However, when trying to delete the one in the windows-system folder,
    I received an error "Cannot delete. Access is denied. Make sure the disk
    is not full or write protected and that the file is not currently in use ".

    I ran msconfig and in the Startup tab, I found an entry for this file - and
    it was checked. I unchecked it, restarted the PC, and then deleted the
    file.

    Lonny Jones
    +++++++++++
    I checked everything suggested and deleted. However, the 04-iefeatures
    line is not there anymore - I suppose because of the deletions I did above.

    Also, not sure what you mean about the 04-HKLM item of "get several
    online anti virus scans..let them deal with it ". What do you mean by this?

    Anyway, below is a new/fresh hijack log.

    BTW, how does a person remove lines in the startup tab of
    msconfig - when these lines are NOT checked (and do not run).
    Isn't there a way to clean out this stuff. Maybe I should post this
    on another forum?

    I'll let everyone know.

    markp62...
    ++++++++
    Are you telling me to check and delete the items you posted?

    New hijack log
    +++++++++++
    Logfile of HijackThis v1.97.7
    Scan saved at 7:45:30 PM, on 1/25/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\BELKIN SENTRY BULLDOG\UPSD.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\PYRENEAN\EDEXTER\EDEXTER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\DADS_STUFF\PC_STUFF\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;47.*;localhost;<local>
    N1 - Netscape 4: user_pref( "browser.startup.homepage ", "http://triweb.us.nortel.com/labhome/ "); (C:\Program Files\Netscape\Users\rstanley_pcnt\prefs.js)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [WinProfile] C:\Command.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Windows] c:\msdos98.exe
    O4 - HKLM\..\Run: [UPSentry Smart 2000] C:\Program Files\BELKIN SENTRY BULLDOG\upsd.exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe "
    O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [UPSentry Smart 2000] C:\Program Files\BELKIN SENTRY BULLDOG\upsd.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE "
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
    O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - User Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - User Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - User Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
    O4 - User Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .SC2: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .rmf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPBeatSP.dll
    O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O16 - DPF: {87BC8721-3CDD-11D1-B027-0060971611DA} (Newstick Control) - http://channel.cnn.com/intro/tick.cab
    O16 - DPF: {ABD85B93-9BF9-11D1-B08B-0040953108D6} (UKsysctrl.UKsystem) - file://C:\Program Files\Quantex\UKsysctrl.CAB
    O16 - DPF: {DC840BE3-16D9-11D0-BA39-00C04FDDB4CD} (Conveyer Control) - http://cdm.microsoft.com/update/Nov23/OSB/9/conveyer1.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.mtv.com/mtv/tubescan/animation/vbill/install/Plugins/AxPulse.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mplayer.com/MplayerStub.exe
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
     
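As an added example (not code from this thread or from HijackThis itself), here is a small Python script that parses two HijackThis logs like the ones posted above, lists the entries that disappeared between the first and the second, and extracts the executables those registry autoruns launched, which is the list of files the thread says to find and delete on disk after "Fix checked" removes only the registry value. The sample logs inside are constructed from a few of the lines rtstanley posted.

```python
"""Parse two HijackThis logs and report what disappeared between them.

Added example; not from the thread or from HijackThis itself. The sample
logs at the bottom are constructed from a handful of the lines posted above.
"""
import re
from dataclasses import dataclass

# A HijackThis entry line: a section code such as R0, O2, O4, O16, then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry autorun body: "HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^(?P<key>HK[A-Z]{2}\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Leading executable of a command line, quoted or not; trailing arguments are dropped.
PATH_RE = re.compile(r'^"?(?P<path>.*?\.exe)\b', re.IGNORECASE)


@dataclass(frozen=True, order=True)
class Entry:
    section: str
    body: str


def parse_log(text):
    """Return the R/N/O entries of a log; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body").strip()))
    return entries


def parse_run_entry(entry):
    """Split an O4 registry autorun into (key, value name, command line), else None."""
    if entry.section != "O4":
        return None
    m = RUN_RE.match(entry.body)
    return (m.group("key"), m.group("name"), m.group("cmd").strip()) if m else None


def executable_path(cmd):
    # '"C:\DIR\QTTASK.EXE" -atboottime' -> 'C:\DIR\QTTASK.EXE'; None if no .exe found
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else None


def diff_logs(before, after):
    """Entries present only in the first log, and only in the second, as sorted lists."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


def files_to_check(entries):
    """Executables launched by the registry autoruns among the given entries.

    Fixing an O4 line in HijackThis removes only the registry value; the file it
    launched stays on disk, which is why the thread says to delete it separately.
    """
    paths = []
    for e in entries:
        parsed = parse_run_entry(e)
        if parsed:
            path = executable_path(parsed[2])
            if path:
                paths.append(path)
    return paths


# Constructed sample: a few lines from the first posted log, then from the second.
BEFORE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\IEFEATURES.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.com/apps/softsearch/addynamix_giftcard.exe
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Entries gone since the first log:")
    for e in removed:
        print(f"  {e.section} - {e.body}")
    print("Files those autoruns launched (check they are gone from disk):")
    for p in files_to_check(removed):
        print(f"  {p}")
```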
  15. 2004/01/25
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    The first item in my last post you should uncheck and delete. You should do a virus scan at the Housecall link. You are infected by more than one.

    The next two I suggest only unchecking from startup.
     
  16. 2004/01/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    C:\WINDOWS\STARTER.EXE
    It depends. Right click on that file, and see where it comes from.
    It may be:
    -System Tray icon to configure a Creative Soundblaster PCI soundcard. Not required and re-instates itself when un-checked. Try one of the solutions on this special page. Similar to EnsoniqMixer - not needed at the start up
    -Puts the Ensoniq mixer in system tray. From Ensoniq Technologies "Our mixer is a critical part of the soundcard as it fixes sound problems and replaces the MS mixer which can no longer be used ". If you find you don't need it - try one of the solutions on this special page. Similar to Creative PCI Audio Configuration Utility
    -PrecisionPop adware

    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    Logitech Mouseware driver. Needed to support some additional functionality of Logitech mice/trackballs such as "SmartMove ". If you disable it and find you don't need it leave it disabled

    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    Not needed at the startup

    C:\WINDOWS\SYSTEM\QTTASK.EXE
    Not needed at the startup

    C:\QUICKENW\QWDLLS.EXE
    Quicken option to load DLLs at startup. Not needed.

    C:\PROGRAM FILES\PYRENEAN\EDEXTER\EDEXTER.EXE
    According to a couple of web sites = unknown entry = remove

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;47.*;localhost;<local>
    Remove

    N1 - Netscape 4: user_pref( "browser.startup.homepage ", "http://triweb.us.nortel.com/labhome/ "); (C:\Program Files\Netscape\Users\rstanley_pcnt\prefs.js)
    Is http://triweb.us.nortel.com/labhome/ your home page? If not...remove it.

    O4 - HKLM\..\Run: [WinProfile] C:\Command.exe
    Is most likely a virus entry:
    -command.exe Added as a result of the QQPASS.E VIRUS!
    -Command.exe Added as a result of the BUDDY VIRUS!

    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Disable Power Management in Windows 98...uncheck TWO identical entries from "msconfig\startup "

    O4 - HKLM\..\Run: [Windows] c:\msdos98.exe
    msdos98.exe Added as a result of the PWSTEAL VIRUS!

    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe "
    Not needed at the startup

    O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
    MS TV Viewer Post Setup Program. Part of MS WebTV for Windows. Used to display TV on your PC via a compatible video card with in-built tuner (such as ATI All-In-Wonder). If you don't use it - uninstall it

    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    Logitech Mouseware driver. Needed to support some additional functionality of Logitech mice/trackballs such as "SmartMove ". If you disable it and find you don't need it leave it disabled

    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    Not needed at the startup

    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    MS Scheduling Agent displayed as a box with a stopwatch in the System Tray that is only needed if you have regular scheduled disk defragmenting, ScanDisk, etc. Required if you have regularly scheduled events such as weekly virus scans

    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    Installed with the software for Logitech products. Automatically checks for software upgrades AND new products, services and special offerings from Logitech. Also listed under Logitech Desktop Messenger - waste of time, uncheck

    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    Quicken option to load DLLs at startup - Not needed at the startup

    O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    Can be setup in Quicken to remind user of due payments. Available via Start -> Programs - Not needed at the startup

    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Resource hog that launches common MS Office components to help speed up the launch of Office programs. Kill it.

    O4 - Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
    Unknown, as I said before...better, disable it.

    O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    Installed with the software for Logitech products. Automatically checks for software upgrades AND new products, services and special offerings from Logitech. Also listed under Logitech Desktop Messenger - Not needed at the startup.

    O4 - User Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    Quicken option to load DLLs at startup - Not needed at the startup

    O4 - User Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    Listed twice

    O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Listed twice

    O4 - User Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
    Listed twice

    O4 - User Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    Listed twice

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    Kill both

    You have a lot of work to do...
     
  17. 2004/01/26
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    I agree with Broni- a lot of work to do. Might be easier to burn your data files and reinstall the OS clean. Run Belarc to give yourself a software checklist.

    If you do a clean install, turn your modem off, unplug it,disconnect it whatever. Do not be online during the install. When you are done, install your internet security, enable it and go online for your MS updates, then start installing software.

    Only install the software you use. When you reinstall the software, go for the custom installs, and be selective. Each individual program usually has a setting inside itself to disable it from the start up menu, and you can use this tool to make further adjustments.

    At this point, it will be faster to start fresh than clean up the mess and the residuals. Two pluses: a neat and tidy computer, and improved performance.

    Just my two cents,
    Johanna
     
  18. 2004/01/26
    rtstanley

    rtstanley Inactive Thread Starter

    Joined:
    2002/04/20
    Messages:
    50
    Likes Received:
    0
    I've gone through everything Broni suggested.
    I also got rid of the Black Ice firewall and installed Norton Internet Security (any comments)?

    I've cleaned up this machine about as much as possible (I think). There are 4 users on this machine (2 teenagers). I guess the big point is NO MORE "I HATE POPS! ".

    In any event, I appreciate all of the help and suggestions. Every trip to this forum is a learning experience and I'm thankful for all the experience out there. This forum is the best ever!

    rtstanley

    BTW...anyone know how to get rid of all those lines in msconfig-startup tab...the ones that are not checked to run?
     
  19. 2004/01/26
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You got a better firewall, good to hear.
    To get rid of those entries, go to Start\Run, type in Regedit. Use the + signs to get to these Keys.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-
    Delete them. Note there is a minus sign at the end of the names, very similar to the ones that you want to keep.
     
  20. 2004/01/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It's simply a cosmetic move. Unchecked lines won't bother your computer at all.
     
  21. 2004/02/01
    Dad

    Dad Inactive

    Joined:
    2002/10/19
    Messages:
    41
    Likes Received:
    0
    I recently have experienced the same problem but I believe it is either a file called c:\programfiles\clearsearch\loader.exe or c:\win\system32\stcloader.exe or c:\programfiles\commonfiles\slmss\slmss.exe
    I think my daughter contracted this when she went to a Mathematics page for school.
    good luck to all
    :D
     
    Dad,