
Help please! I DON'T want a free polyphonic ringtone

Discussion in 'Security and Privacy' started by Vortigern Wolf, 2004/06/21.

Thread Status:
Not open for further replies.
  1. 2004/06/21
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Hi

    I am receiving an annoyance when I open Internet Explorer. It is a pop up advert telling me that I have been awarded a free polyphonic ringtone. All I gotta do is enter my phone number.

    This advert appears no matter what page I am looking at and at regularly annoying intervals. My virus checker is up to date, I have run Lavasoft Adware to try and remove the hook, I sit the other side of a hardware firewall on the office network. I have looked through my files and register to try and find what is causing it, but have not found anything or am not sure what I am looking for.

    Everything I try to stop this pop up has failed so far. It is annoying and like a scratch I can't itch.

    Does anyone have any ideas about this? I have now found the pop up ad appearing on my computer at home :eek: . I am on my work's computer. The two machines are completely different and no software passes between them.

    Thank you in advance

    Vortigern
     
  2. 2004/06/21
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0

  4. 2004/06/21
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    OK, the pop up is still appearing; I thought for a while that it had gone. Here is the HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:43:18, on 21/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\khooker.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\RUNDLL32.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\Program Files\Atomic Clock Sync\Atomic.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Maximizer\MxAlarm.exe
    C:\Program Files\Maximizer\MxFinder.exe
    R:\Support Database\support.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\Program Files\amberCat\Help Desk\AmberCat.exe
    D:\Downloads\adware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.2:8000
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem218.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [bios] bios.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll ",cdaEngineMain
    O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
    O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1050a00ebb67e8912105/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38154.1733680556
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/blackhawkstriker/wtinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = connect4systems.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = connect4systems.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = connect4systems.co.uk

    Thanks

    Vortigern
     
  5. 2004/06/21
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Wait for our other forum member to reply please. They might
    spot something I have missed.
    WildTangent is somewhat optional; I suggest you fix and uninstall it though.

    Start HijackThis and place a check next to these items.
    Close all browser windows and shut down all other programs (even folders) that show in the taskbar. Then hit "Fix checked".

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem218.dll
    O4 - HKLM\..\Run: [bios] bios.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll ",cdaEngineMain
    O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1050a00ebb67e8...ip/RdxIE601.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/...iker/wtinst.cab
    =========
    In Add/Remove Programs uninstall "Internet Optimizer" (if even there).
    Restart the PC, then find and delete (ONLY THESE EXACT) files and folders.
    Be very careful; if you're unsure, leave them be.
    Set Windows to show hidden files, folders and extensions.
    C:\Program Files\Internet Optimizer
    C:\WINNT\bxxs5.dll
    C:\WINNT\system32\automove.exe
    C:\Program Files\VVSN

    Read this if you haven't already :)
    http://www.windowsbbs.com/showpost.php?p=163453&postcount=6


    Then make and post a new log
     
  6. 2004/06/21
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    By crikey, the boy done good.

    Lonny

    That seems to have done the trick :) no more infuriating pop ups. Here's the latest HijackThis report:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:07:03, on 21/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\khooker.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Atomic Clock Sync\Atomic.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Maximizer\MxAlarm.exe
    C:\Program Files\Maximizer\MxFinder.exe
    R:\Support Database\support.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\notepad.exe
    D:\Downloads\adware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.2:8000
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
    O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38154.1733680556
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = connect4systems.co.uk
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = connect4systems.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = connect4systems.co.uk

    This has been a very interesting project, thank you very much for your help. I will check out my home computer tonight.

    Cheers

    Vortigern
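
Added example, not part of the original thread or any poster's code: a Python check that compares the two HijackThis logs posted above against the fix list and reports anything still present or removed without being asked for. Entries are keyed on CLSID or Run value name because the forum shortened the URLs in the fix list; the function names are assumptions of this example and the sample strings are excerpts of the thread's logs.

```python
import re

ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")   # e.g. "O2 - BHO: ..."
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN = re.compile(r"^(\S+): \[([^\]]+)\]")                 # hive path + value name

def entry_key(section, body):
    # Identity that survives forum URL shortening ("..."): CLSID first,
    # then the Run value name for O4, else the full entry text.
    m = CLSID.search(body)
    if m:
        return (section, m.group(0).upper())
    m = RUN.match(body) if section == "O4" else None
    return (section, f"{m.group(1)}[{m.group(2)}]") if m else (section, body)

def parse_log(text):
    # Header lines and the running-process list do not match ENTRY and are skipped.
    out = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            out[entry_key(m.group(1), m.group(2))] = line.strip()
    return out

def verify_fix(before, after, fix_list):
    b, a, want = parse_log(before), parse_log(after), parse_log(fix_list)
    return {
        "still_present": sorted(k for k in want if k in a),
        "removed_unrequested": sorted(set(b) - set(a) - set(want)),
        "not_in_before": sorted(k for k in want if k not in b),
    }

# Excerpts of the thread's logs (shortened; FIX keeps the forum-truncated URL).
BEFORE = r"""Running processes:
C:\WINNT\System32\smss.exe
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1050a00ebb67e8912105/netzip/RdxIE601.cab
"""
AFTER = r"""O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
"""
FIX = r"""O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1050a00ebb67e8...ip/RdxIE601.cab
"""
print(verify_fix(BEFORE, AFTER, FIX))
```

The check only confirms that the listed entries are gone from the new log; deciding which entries belong on the fix list remains the analyst's call.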
     
  7. 2004/06/21
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    C:\WINNT\system32\regsvc.exe
    Normal if you run 2K server or advanced server OS. Otherwise probably not normal. Are you running a server OS on your PC?

    C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe

    Do you really need this one? Most folks don't use it for keyboard mapping so it is just taking up space and consuming resources. SiS product and likely put there at install time for whatever piece of their hardware you use.

    As a side note, since this PC is doing internet time synchs, are you pointing your other NT4/2K/XP PCs at it for their time updates?
     
  8. 2004/06/21
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Good work.

    You're more than welcome to post logs from other PCs, but please say they are and do so in a new topic,
    and preferably with Ad-Aware and SpyBot having first been run :)
    Regards
     