
Can't get rid of "Free Browser Enhancement" offer!

Discussion in 'Malware and Virus Removal Archive' started by Ingeniero1, 2005/05/02.

Thread Status:
Not open for further replies.
  1. 2005/05/02
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    The problem just started today:
    When I try to listen to a web-archived radio program using Windows Media Player, something that I have done for about two years without any problems, a window pops up that says:

    "Good News! A free browser enhacement is available to be installed on your system immediately free of charge.
    By installing our software, you agree to the terms and conditions stated here [X]*.
    [CLOSE THIS WINDOW]
    "

    Of course, I know better. The problem is that whether I end that task by pressing Alt-Ctrl-Del, or uncheck the pre-checked box and click on [Close...], the Media Player doesn't start and I can't listen to the program.

    * There are no terms anywhere either!

    I ran Adaware and Spybot, but the problem persists. Can anyone help me to fix this?

    (Edited to add:)
    Here is the HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 5:09:36 AM, on 5/2/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\HJT\HIJACKTHIS.EXE

    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\SYSTEM\psoft1.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE "
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab


    Thanks!

    Alex
     
    Last edited: 2005/05/02
  2. 2005/05/02
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    That is a rather short log. You need to disable System Restore in ME.
    Reboot, and then rescan with HJT, and remove these items.

    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\SYSTEM\psoft1.exe

    Then reboot and then delete this file.

    C:\WINDOWS\SYSTEM\psoft1.exe

    You can enable System Restore and reboot to get a Restore Point created.

    What I would do at this point is instead boot the computer with a Bootdisk, choose without CDrom support, and do this command at the prompt.
    deltree c:\_restore
    Type a Y that you want to delete.
    Then when done, take out the floppy and reboot.
    This will make sure the folder is clean, and will be rebuilt as Windows starts up.

    I notice no AV program or firewall running. The Quicklinks page below has good free ones listed.
     


  4. 2005/05/02
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    Markp62,
    Thank you.

    I did what you suggested, including rebooting with a diskette and doing the deltree...

    However, there was no \psoft1.exe or any file or folder with "psoft1".

    Unfortunately, the problem persists.

    Here is the latest HJT log:
    ==================================
    Logfile of HijackThis v1.99.1
    Scan saved at 10:22:18 AM, on 5/2/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HJT\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE "
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    ========================
    What next?

    Yes, when this is done, I will get the AV program. As far as the firewall, is the one included with my Linksys BEFSR41 DSL Router not sufficient? (Although it is 2 years old...)

    Thank you for your time -

    Alex
     
  5. 2005/05/03
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Your HJT log isn't showing anything bad, now.
    This popup can be nothing but the webpage just now doing this to you by activating your ActiveX controls. This could be something new they started. An ActiveX control is the same as when you went to the Norton webpage for a free scan, where you are asked to download and install and then run a new program.
    Or another way to describe it, a way for a website to install and run programs on your computer.
    There is a way to test for this, go into Internet Options, then click on the Security tab. With the Internet icon highlighted, click on the Custom Level button, and set these settings to Disable. They are at the top of the list.

    Download unsigned ActiveX << this should be already disabled.
    Download signed ActiveX
    Initialize and script ActiveX not marked as safe << this should be already disabled.

    When you go to that link, and get the message that ActiveX controls are disabled, they or a third party website is the culprit.

    Perhaps if you posted the link to where you go?

    Your log doesn't show a software firewall being started up. Your router will act as a hardware firewall, preventing unsolicited incoming connections, but does nothing to stop an outgoing connection, or any program from opening a port and holding it open.

    Let's make sure that file wasn't hidden from you, open a dos window and do these two commands.
    attrib -h -r -s c:\windows\system\psoft1.exe
    del c:\windows\system\psoft1.exe

    If the first command returns a "file not found" error, then skip the second command. If you get a "bad filename or command" error, check for typos in the command.

    BTW, unless you deleted it, I do not see the ActiveX control (they are DPF in the log) for the Windows Update site, leading me to believe you have never been there. Another clue for this is the absence of this in your startup.
    c:\windows\system\kb891711\kb891711.exe
    You should, but with those settings above as they are, go back into Internet Options, then click on the Trusted Sites icon, and then click on the Sites button. Uncheck the 'require HTTPS verification' box, and Add this in. Then you should have no problems with it.
    *.windowsupdate.microsoft.com. This way the ActiveX will work for that site.
    If you want, you can add this in too.
    www-secure.symantec.com
     
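    As an added illustration of the log comparison markp62 did by eye in the posts above (this is example code, not anything posted in the thread), the Python script below parses constructed, trimmed copies of the two HijackThis logs, lists the entries that disappeared after the cleanup, and flags O4 autorun entries whose executable does not appear among the running processes, a useful triage signal when an autorun points at a file that is not running or, as happened here, cannot even be found on disk.

```python
import re

# Constructed, trimmed copies of the two logs in the thread (before and
# after the cleanup steps), kept to the lines relevant to the comparison.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\HJT\HIJACKTHIS.EXE
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\SYSTEM\psoft1.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""
# The post-cleanup log lacks the two lines markp62 said to remove.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines()
                      if "URLSearchHook" not in l and "PSoft1" not in l)

def parse_hjt(log):
    # Returns (running processes, {entry line: section code such as "O4"}).
    # In a trimmed log every non-entry line after the header is a process.
    procs, entries = set(), {}
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        m = re.match(r"([A-Z]\d+) - ", line)
        if m:
            entries[line] = m.group(1)
        elif line.lower() != "running processes:":
            procs.add(line.lower())
    return procs, entries

def autorun_exe(entry):
    # Executable named by an O4 line: first .exe/.dll token after the [name].
    m = re.search(r'\] "?([^"]+?\.(?:exe|dll))', entry, re.I)
    return m.group(1).lower() if m else None

def triage(before, after):
    # Entries that vanished between the logs, plus O4 autoruns of the first
    # log whose executable basename was not among the running processes.
    procs, old = parse_hjt(before)
    new = parse_hjt(after)[1]
    removed = sorted(e for e in old if e not in new)
    running = {p.rsplit("\\", 1)[-1] for p in procs}
    orphans = sorted(e for e, code in old.items() if code == "O4"
                     and autorun_exe(e)
                     and autorun_exe(e).rsplit("\\", 1)[-1] not in running)
    return removed, orphans

if __name__ == "__main__":
    print(triage(LOG_BEFORE, LOG_AFTER))
```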
  6. 2005/05/03
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    Mark,
    (1) The "Good news..." window opens up by just clicking any of my .MP3 music files, resident in my C: drive, which I had been able to play without any problems until the other day.

    (2) The Active-X settings were as you suggested. I have also been in the habit of disabling any downloads, and reverse that setting only when I want to download a known program, such as to update Adaware.

    (3) DOS did not find that program, and I even looked for psof*.* - just in case.

    Maybe if I were to download a new Media Player, or perhaps re-install the one I have?

    Alex
     
  7. 2005/05/05
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    I reinstalled the Win Med Player and no longer get the annoying, meaningless "free offer".

    Next, to download the AV program recommended.

    Thanks -

    Alex
     