Unwanted popup-can't purge


ANdrew Clapp
December 12th, 2002, 09:48 PM
About every 15-30 minutes an unwanted (sex ad) popup appears. I can't get rid of it. I deleted all cookies, and can't find any application to remove in the add/remove control panel. It comes up even when off line, so it is buried in the operating system somewhere.

Help! Does anyone know how to get rid of this?

Andre

AnnMarie
December 12th, 2002, 10:30 PM
Hi Andre - welcome to CTH. Go here (http://www.spywareinfo.com/files/startuplist.zip) and download and run Startup List. It will generate a log file. Copy the log and paste it back into this thread (you may have to halve it and make two posts).

We should be able to see where it's starting from and help you get rid of it.

ANdrew Clapp
December 13th, 2002, 03:57 AM
Ann Marie,

I'm impressed . . . thank you for your response. I think I know where you are going . . . as a former Mac user, I guess this would be like an 'init' that comes up when you first boot the computer, and must be deleted to get rid of the problem. Correct? Only it's not so simple with Windows. So your help is greatly appreciated.

Here's the entire list generated from my log file:


StartupList report, 12/12/2002, 10:39:50 PM
StartupList version: 1.40.3
Started from : C:\DOCUME~1\Andrew\LOCALS~1\Temp\StartupList.EXE
Detected: Windows 2000 SP1 (WinNT 5.00.2195)
Detected: Internet Explorer v5.00 (5.00.2920.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Connected\CBRegCap.exe
C:\Program Files\Connected\CBlaunch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\XSM.EXE
C:\WINNT\Explorer.Exe
C:\WINNT\System32\s3hotkey.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINNT\System32\ICONSPY.EXE
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\Program Files\Support.com\Client\bin\tgcmd.exe
C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\InFocus\Projector Manager\Projmgr.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Enfish Corporation\Client\EtiTray.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Connected\CBSYSTRAY.EXE
C:\Program Files\Enfish Corporation\Client\PropMSvr.exe
C:\Program Files\Sierra Wireless Inc\AirCard 555\Verizon\Watcher.exe
C:\Program Files\RapidBlaster\rb32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Andrew\Start Menu\Programs\Startup]
Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSYSTRAY.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
Billminder.lnk = C:\QUICKENW\billmind.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
S3Hotkey = s3hotkey.exe
Apoint = C:\Program Files\Apoint\Apoint.exe
HKSERV.EXE = C:\Program Files\Sony\HotKey Utility\HKserv.exe
Mouse Suite 98 Daemon = ICONSPY.EXE
JOGSERV2.EXE = C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
Tgcmd = "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray
ZTgServerSwitch = C:\Program Files\support.com\client\lserver\server.vbs
Microsoft IntelliType Pro = "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
AirCardEnabler = C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
QuickTime Task = C:\WINNT\System32\qttask.exe
Projector Manager = C:\Program Files\InFocus\Projector Manager\Projmgr.exe -hide
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
POINTER = point32.exe
RapidBlaster = C:\Program Files\RapidBlaster\rb32.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

FocusFocus_Video_Phone = "C:\Program Files\FocusFocus\FFDesktop.exe"
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Slingshot Tray App = C:\Program Files\Enfish Corporation\Client\EtiTray.exe /startup

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

*Registry value not found*
*Registry value not found*
*Registry key not found*
*Registry key not found*
*Registry value not found*
*Registry value not found*
*Registry key not found*
*Registry key not found*

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

*INI section not found*
*INI section not found*
*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.Exe
*Registry value not found*
*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\WINNT\System32\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[BrowseFolderPopup Class]
InProcServer32 = C:\WINNT\MCBin\Shared\MGBrwFld.dll
CODEBASE = http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

[{1678F7E1-C422-11D0-AD7D-00400515CAAA}]
CODEBASE = http://files.cometsystems.com/cometcursor/21_cometzone/comet.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINNT\System32\mcinsctl.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,9/mcinsctl.cab

[Google Activate]
InProcServer32 = c:\winnt\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll
CODEBASE = http://toolbar.google.com/data/en/deleon/1.1.54-deleon/GoogleNav.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[GpcContainer Class]
InProcServer32 = C:\WINNT\DOWNLO~1\ieatgpc.dll
CODEBASE = http://meetingcenter5.webex.com/client/latest/webex/ieatgpc.cab

[AInst Class]
InProcServer32 = C:\WINNT\DOWNLO~1\ACTIVE~1.DLL
CODEBASE = http://216.129.173.30/xxxnaughty/activeinstaller.dll

--------------------------------------------------
End of report, 8,683 bytes
Report generated in 0.400 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

AnnMarie
December 13th, 2002, 04:39 AM
Hi again Andre - I found a couple of problem apps. One is a Home Page Hijacker that delivers adult content to your PC.

C:\Program Files\RapidBlaster\rb32.exe

Go to Control Panel and have a look and see if there is entry for it in Add/Remove Programs. If not, back up your registry and go to Start > Run and type:

regedit

Then OK. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and look in the right-hand pane for the below entry. When you find it, delete it.

RapidBlaster = C:\Program Files\RapidBlaster\rb32.exe

Reboot. Now run a search for rb32.exe and delete it.

The other is an ActiveX Control that also looks as if it has the same function.

[AInst Class]
InProcServer32 = C:\WINNT\DOWNLO~1\ACTIVE~1.DLL
CODEBASE = http://216.129.173.30/xxxnaughty/activeinstaller.dll

Open Internet Explorer and go to Tools > Internet Options and click on the General tab. Where it says Temporary Internet Files, click on Settings. Now click on View Objects. If you are not sure which is which, right-click on each and select Properties. Once you find it, delete it.

BTW - what can you tell me about this file?

C:\WINNT\System32\XSM.EXE

If you don't know what it is, could you check in the properties and paste back the information.
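The steps in the post above (list the autostart locations StartupList reports, back up the Run key, delete the RapidBlaster value, find rb32.exe on disk, identify the Downloaded Program Files control, and report what is known about XSM.EXE) done in PowerShell, as an added example that is not part of the thread. PowerShell did not exist on Windows 2000 in 2002; the thread does all of this by hand with regedit and the Properties dialog. The entry name RapidBlaster, the file name rb32.exe and the path C:\WINNT\System32\XSM.EXE are taken from the log above; the Code Store Database key is where current Windows records ActiveX controls and their CODEBASE URLs, and the script assumes that layout. Run it elevated; without -Remove it only reports.

```powershell
# Added example, not from the original thread. Enumerates the same autostart
# locations as StartupList, then (with -Remove) backs up and deletes one Run entry.
param(
    [string]$EntryName = 'RapidBlaster',                 # from the log above
    [string]$FileName  = 'rb32.exe',                     # from the log above
    [string]$Unknown   = 'C:\WINNT\System32\XSM.EXE',    # from the log above
    [switch]$Remove
)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunEntries {
    # Every value under Run/RunOnce is a command launched at logon.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider noise
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-StartupShortcuts {
    # .lnk files in the per-user and All Users Startup folders, with their resolved targets.
    $sh = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    Get-ChildItem -Path $folders -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Shortcut = $_.FullName; Target = $sh.CreateShortcut($_.FullName).TargetPath }
    }
}

function Get-DownloadedProgramFiles {
    # IE's Downloaded Program Files (ActiveX controls) are tracked in the Code Store Database;
    # DownloadInformation\CODEBASE is the URL the control was fetched from.
    $root = 'HKLM:\Software\Microsoft\Code Store Database\Distribution Units'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $dl = Get-ItemProperty -Path "$($_.PSPath)\DownloadInformation" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Clsid = $_.PSChildName; CodeBase = $dl.CODEBASE }
    }
}

function Get-FileReport([string]$Path) {
    # What the Properties dialog shows, plus a hash and the Authenticode signature state.
    if (-not (Test-Path $Path)) { return "$Path not found" }
    $f = Get-Item $Path
    [pscustomobject]@{
        Path        = $f.FullName
        Size        = $f.Length
        Modified    = $f.LastWriteTime
        Company     = $f.VersionInfo.CompanyName
        Description = $f.VersionInfo.FileDescription
        Version     = $f.VersionInfo.FileVersion
        Signature   = (Get-AuthenticodeSignature $Path).Status
        SHA256      = (Get-FileHash -Algorithm SHA256 $Path).Hash
    }
}

'== Run keys =='
Get-RunEntries | Format-Table -AutoSize
'== Winlogon Shell / Userinit =='
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select-Object Shell, Userinit
'== Startup folders =='
Get-StartupShortcuts | Format-Table -AutoSize
'== Downloaded Program Files =='
Get-DownloadedProgramFiles | Format-Table -AutoSize
'== Unknown file =='
Get-FileReport $Unknown

if ($Remove) {
    # Back up before touching anything, as the post advises.
    $stamp = '{0:yyyyMMdd-HHmmss}' -f (Get-Date)
    reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' (Join-Path $env:TEMP "Run-HKLM-$stamp.reg") /y | Out-Null
    reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' (Join-Path $env:TEMP "Run-HKCU-$stamp.reg") /y | Out-Null
    "Run keys exported to $env:TEMP\Run-*-$stamp.reg"

    foreach ($e in Get-RunEntries | Where-Object { $_.Name -eq $EntryName }) {
        "Removing $($e.Key)\$($e.Name) = $($e.Command)"
        Remove-ItemProperty -Path $e.Key -Name $e.Name
    }

    # The binary is still running (it appears in the process list), so stop it, then
    # locate it so it can be deleted after the reboot the post recommends.
    $proc = [IO.Path]::GetFileNameWithoutExtension($FileName)
    Get-Process -Name $proc -ErrorAction SilentlyContinue | Stop-Process -Force
    Get-ChildItem -Path $env:ProgramFiles, $env:SystemRoot -Recurse -Filter $FileName -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}
```

Run it once without -Remove and read the output the way AnnMarie reads the StartupList log: a Run value or Downloaded Program Files entry whose command or CODEBASE you cannot account for is the candidate. Check Add/Remove Programs first, since a clean uninstall beats a registry edit; only then run with -Remove, reboot, and delete the file the search reported. For an unfamiliar binary such as XSM.EXE, an empty CompanyName and FileDescription together with a NotSigned status is exactly the "listed as an application, nothing more" the poster saw; the SHA256 is what you would look up or compare against a known-good copy.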

ANdrew Clapp
December 13th, 2002, 11:40 PM
Yeaahh! That did it. Rapidblaster was the offending application, which I uninstalled. I let it run all day and nothing came up.

I did a search on XSM and when I pulled up properties, all I found was that it was listed as an application. Nothing more.

So, it has run all day and the offending popups, or whatever they were are gone.

Thank you for your help. I'm a convert to Cyber Tech!

Andre

AnnMarie
December 14th, 2002, 12:23 AM
That's great news Andre and you are very welcome :D