Hijacked...



Merlin
23rd September 2004, 13:57
Hi,

I have admitted before and I will admit again that I am the proverbial IT Dummy - how can I get rid of something which seems to have hijacked my computer?

When I am on the internet, another Windows Explorer window opens - and whenever I delete it, it just returns in a few minutes with pop-ups of betting sites, special offers etc - all crap of course....

It's even trying to persuade me to save screensavers and other unwanted stuff.....

I have some protection on my computer - Norton stuff - must be like wearing a condom with a hole in it....:laugh

Any offers ?

Thanks in advance, Merl.

MarcusMel
23rd September 2004, 14:00
Are the words internet optimizer involved anywhere?

vegyjones
23rd September 2004, 14:04
Spunk Mail :D

Merlin
23rd September 2004, 14:05
No Marcus - should I look anywhere specific for this...?

MarcusMel
23rd September 2004, 15:13
No, it's just another annoying feature Microsnot added to I.E. and it sometimes appears on some computers.

Win2Win
23rd September 2004, 17:26
Go to START>RUN
and type in MSCONFIG>OK
Hit the STARTUP tab, and uncheck everything. Reboot (you can always check back what you need later; nothing is deleted).

When you have rebooted, check the STARTUP tab again, and list every file under COMMAND ending with .exe on here.

My guess is you've installed an advertising trojan, and it will be listed there.

If not, you need to switch OFF/DISABLE "Messenger" in CONTROL PANEL>ADMINISTRATIVE TOOLS>SERVICES (everyone should do that, although I think SP2 switches it off).

GlosRFC
23rd September 2004, 17:55
I'll state this again - once you've gone through Keith's advice to hunt down the hijacking trojan, right-click your Internet Explorer icon on the desktop and select the Properties option (don't launch IE and use Tools, Internet Options or you might start the trojan off again). Under the Advanced tab scroll down to the Browser options and make sure you've deselected the option to "Enable third-party browser extensions".

This should prevent the trojan and similar programs from hijacking your browser in future.

Installing SP2 should also give you better protection against these programs too.

Win2Win
23rd September 2004, 18:25
You should also have SPYWAREGUARD installed and HIJACKTHIS (but you need to ensure you're careful with that one).

Merlin
26th September 2004, 14:55
Thanks for the help guys - followed both your instructions, Keith and Glos - thank you - got there in the end! :yikes:

chancer
26th September 2004, 16:49
Good site called download.com for free spyware stuff

Merlin
1st October 2004, 18:35
Hi again,

I don't seem to have solved the problem - I have 2 annoying, no, very, very annoying things happening now :yikes:

Every time I open Explorer, or another internet window, I get a rogue window opening, which really interferes badly with what I'm doing :yikes:

The rogues are popups.com, and something called a bloody bullseye network...

Where did they come from, how can I get rid of these blasted things..?

Thanks, Merl.

Win2Win
1st October 2004, 18:45
Use Hijackthis and delete their entries.

Merlin
1st October 2004, 19:38
Hi Keith Thanks...

Which should I delete... from this screen shot...?

Logfile of HijackThis v1.97.7
Scan saved at 15:36:24, on 1/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Arquivos de programas\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Program Files\Winad Client\Winad.exe
C:\temp\msbb.exe
C:\WINDOWS\System32\lcrocm.exe
C:\WINDOWS\medload.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Winad Client\WinClt.exe
C:\Arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Arquivos de programas\Ulead Systems\Ulead Photo Express 3.0 SE\calcheck.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\ARQUIV~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\ARQUIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Computador\Configurações locais\Temporary Internet Files\Content.IE5\D8O3T9KL\HijackThis[5].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [edot] C:\WINDOWS\edot.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: KODAK Software Updater.lnk = C:\Arquivos de programas\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Arquivos de programas\Ulead Systems\Ulead Photo Express 3.0 SE\calcheck.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=10f08450ab596047f6c94d90b79b47d1528d9dc4c40924e2499f8b9bd779519ddd40d759133a448fde7f410342650f82cf1f1ae7:7ba4efda898ff66841613117fb4ea0f9
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEAF72A6-D4FD-44D3-AE51-E9A25F062492}: NameServer = 200.164.232.10

Workshy
1st October 2004, 19:42
C:\Program Files\Winad Client\Winad.exe
C:\temp\msbb.exe
C:\Program Files\Winad Client\WinClt.exe

I think these are naughtys but let Keith/others confirm before getting rid. :)

Win2Win
1st October 2004, 19:53
WINAD is this http://www.2-spyware.com/file-winad-exe.html

msbb.exe is this http://www.winpatrol.com/db/freesample/msbb.html

WinClt.exe is similar to the above (you have been busy :))

Also Winnet.exe can be a beast, but you haven't got that one. Spybot/Adaware do not pick these up.

EVERYONE ON HERE TAKE NOTE. Run HIJACKTHIS and if you see a filename you do not think should be there, either post it here, or BETTER still, search for it in Google. If it's spyware, have HIJACKTHIS DELETE IT.


Merlin, write down the program names, so after HijackThis has deleted them, and you've rebooted, you SEARCH your system for them and delete any reference to them left over.

Delete:
C:\Program Files\Winad Client\Winad.exe
C:\temp\msbb.exe
C:\Program Files\Winad Client\WinClt.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe


ALSO ENSURE THEY ARE UNTICKED IN >START>RUN>(type in MSCONFIG, press enter)>STARTUP

I bet a few on here will find these programs or their sisters, as they come under many names.
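As an added example (editor's code, not HijackThis itself and not anything posted in this thread): a small Python script that applies Keith's "look each filename up" rule to an exported log automatically. It parses the O4 (startup), O16 (ActiveX download) and O17 (DNS override) lines, flags the three files the thread identified (Winad.exe, msbb.exe, WinClt.exe), and adds two heuristics of my own: startup binaries that sit directly in C:\WINDOWS or C:\temp with no vendor folder, and ActiveX controls fetched from anywhere other than a microsoft.com host. The sample log is constructed in the shape of the one posted above. A heuristic hit means "search the name", not "delete it".

```python
"""Triage helper for a HijackThis-style log.

Added example, not HijackThis's own code. The rules below are the editor's
heuristics: a hit means "look this name up", not a verdict. Only KNOWN_BAD
reflects what the thread itself identified.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional
from urllib.parse import urlparse

# The three files the replies above identified as adware.
KNOWN_BAD = {"winad.exe", "msbb.exe", "winclt.exe"}

# Startup programs that sit directly in these folders, with no vendor
# subfolder, are unusual enough to be worth a Google search before trusting.
FLAT_DIRS = {r"c:\windows", r"c:\temp"}

# Constructed sample: a few lines in the same shape as the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [edot] C:\WINDOWS\edot.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEAF72A6-D4FD-44D3-AE51-E9A25F062492}: NameServer = 200.164.232.10
"""

# First drive-letter path ending in .exe or .dll. For RUNDLL32 entries this
# yields the DLL actually being loaded, which is the part worth checking.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section: O4, O16 or O17
    reason: str
    evidence: str  # the log line that triggered it


def exe_path(entry: str) -> Optional[PureWindowsPath]:
    """Return the binary an O4 entry launches, or None if no path is present."""
    m = PATH_RE.search(entry)
    return PureWindowsPath(m.group(0)) if m else None


def check_o4(line: str) -> Optional[Finding]:
    """O4 = programs started from the Run keys or the Startup folders."""
    p = exe_path(line)
    if p is None:
        return None
    if p.name.lower() in KNOWN_BAD:
        return Finding("O4", f"{p.name} is one of the adware files named in this thread", line)
    if str(p.parent).lower() in FLAT_DIRS:
        return Finding("O4", f"{p.name} runs straight out of {p.parent}; search the name before trusting it", line)
    return None


def check_o16(line: str) -> Optional[Finding]:
    """O16 = Downloaded Program Files (ActiveX). Only Microsoft's own hosts over http(s) pass."""
    url = line.rsplit(" - ", 1)[-1].strip()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme in ("http", "https") and host.endswith(".microsoft.com"):
        return None
    return Finding("O16", f"ActiveX control fetched from {url}; legitimate only if you recognise the publisher", line)


def check_o17(line: str) -> Optional[Finding]:
    """O17 = TCP/IP NameServer override. A hijacker can point DNS at its own resolver."""
    server = line.split("=", 1)[-1].strip()
    return Finding("O17", f"DNS server set to {server}; confirm it is your ISP's", line)


CHECKS = {"O4": check_o4, "O16": check_o16, "O17": check_o17}


def triage(log_text: str) -> List[Finding]:
    """Run every check over the log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        section = line.split(" - ", 1)[0]
        check = CHECKS.get(section)
        if check:
            f = check(line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.evidence}")
```

Feed it a real log with `triage(open("hijackthis.log").read())`. On the sample it reports edot.exe and Winad.exe from the O4 lines, both O16 downloads, and the O17 name server, while leaving ccApp, the NVIDIA DLL, ctfmon and Kodak alone. The point of the C:\WINDOWS rule is exactly Keith's: an unfamiliar name sitting in the Windows folder is the thing to Google, not to ignore because it looks like it belongs to Windows.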

Merlin
1st October 2004, 19:58
You are a "God", thank you so much Keith (and Worky and others), Merl.