Plagued by Pop-up ads and unwanted webpage ‘redirects’

Bob Kessler
10-07-2014, 02:25 PM
For the past few weeks I have been experiencing numerous pop-up ads as well as being transferred to advertising web pages I did not click on. This has been happening on a wide variety of websites – including this one – but I have never noted it while on secure sites.

I use Mozilla Firefox (at latest level 30), Windows XP (at latest/final level), Microsoft Security Essentials (updated daily), and a D-Link ‘wired’ router.

I have examined my Startup list using Windows ‘Msconfig’ and the free program Starter.exe and see nothing obviously wrong.

I have run MalwareBytes and SpyBot S&D, and removed/quarantined the few files each recommended – and no improvement has resulted.

I have tried to run Ad-Aware (2009 Anniversary Edition) but get a message saying ‘Failed to connect to service’.

I have now run HiJack This and examined the results, but am afraid to ‘repair/delete’ any of the long list of entries it provides. Most seem valid but there are quite a few I don’t understand. The program advises against removing files without knowing what they are and suggests turning to experts for help.

So this is that call for Help! I hope someone will respond with advice and assistance. I will provide the resulting Logfile if told how to attach it to this thread.

Speedy Gonzales
10-07-2014, 02:34 PM
Post the hijackthis log here, and we'll see what's in it. Just copy and paste the log. No need to attach it.

10-07-2014, 02:47 PM
You'll find there are infections deep in the reg; some will be hiding. Some won't be seen by Hijackthis either.

Download and run roguekiller (http://www.bleepingcomputer.com/download/roguekiller/) - while at that site, scroll down and download/run AdwCleaner, and while at it, get Junkware Removal Tool. The download links are dark blue, e.g. "Download Now@ Authors Site" (some may be worded differently), but they will be the dark blue buttons.

Bob Kessler
10-07-2014, 03:05 PM
Hi Speedy!
Following is the logfile - hope you get it as I tried copy/pasting it to an earlier attempt to input a new thread - but it never appeared in the F1 listing??? So here goes.
PS: I've deleted/quarantined one suspect since this logfile was created - it's the one titled 'realdEaal' in the 02 - BHO section - but it didn't help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:06:47 a.m., on 9/07/2014
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21376)
Boot mode: Normal

Running processes:
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.findwide.com/?guid={11C136F0-7C3F-4245-B737-529F1B68E331}&serpv=22
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SoFtCoUp - {26AF35F3-63F5-9636-BC0A-449B61692878} - C:\Documents and Settings\All Users\Application Data\SoFtCoUp\lnY8.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: realdEaal - {BF72EE88-5961-26A9-7A44-E8B421137F56} - C:\Documents and Settings\All Users\Application Data\realdEaal\QnNc3.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Google Update] "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/46.19/uploader2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1363203595046
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\docume~1\alluse~1\applic~1\perfor~1\perfor~1.dl l
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe

End of file - 10323 bytes

Bob Kessler
10-07-2014, 03:09 PM
Hi again Speedy,
I just 'Quick replied' the logfile to you but wonder if you'll get it as I received the same response - something like 'has to await a moderator' I got last week on the entry I made that never showed up!!

Speedy Gonzales
10-07-2014, 03:16 PM
?? Can't see anything here. Quick reply should end up in here, not to me. Umm, what you can do, although you can't send me a PM until you're up to 10 posts:

Get TeamViewer (http://www.teamviewer.com), install or run it / select personal underneath.

It'll give you an ID and password. Since you can't send PMs yet, give me the ID and password in a reply.

And I can check your system from here. Don't worry, you'll see what I'm doing.

10-07-2014, 04:12 PM
Forums anti-spam picked it up coz of the links, and coz you have under X amount of posts. I've approved the post now though :)

Speedy Gonzales
10-07-2014, 04:32 PM
Hmm I see it now

You can run hijackthis again then tick these then tick fix checked. Or with the startup entries, get ccleaner (http://www.ccleaner.com) run it / click on advanced to opt out of Google chrome.

Then go to tools / startup. Highlight the startup entries then either disable or delete them.

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

If AVG has been uninstalled, get the removal tool (http://www.avg.com/ww-en/utilities) and it'll remove the rest of it.

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')

This may have something to do with it

O20 - AppInit_DLLs: c:\docume~1\alluse~1\applic~1\perfor~1\perfor~1.dl l

After you do the above, close browsers then run ccleaner again, so it'll remove temp files etc.

See if a file called sprotector.exe is running. If it is, kill it.

Bob Kessler
10-07-2014, 05:55 PM
Hi Speedy,

Thanks very much for your 'speedy' - and thorough response.
I followed your advice:
1. Reran HijackThis and fixed the 10 entries you listed
2. Downloaded and ran the AVG removal program - it took 3 restarts to complete
3. Ran ccleaner - removed 430MB of stuff
4. Checked for sprotector.exe using Task Manager - no sign of it running
Not sure what you mean by 'startup entries' but assume you mean it as an alternative to using HijackThis - so did not pursue.

Then tried Firefox again. Connected to the CNET downloads page (one that has been failing in the past)

And, unfortunately it still does! It opens correctly, but within a minute or so it is overloaded by other sites, this time a sports page, but it has been different pages on other occasions.

Do you want to see an updated hijackthis log - or (hopefully) do you have more tricks up your sleeve??

Bob Kessler


Bob Kessler
10-07-2014, 06:02 PM
Thank you for your suggestions wainutech - I'll give them a go along with the advice from Speedy Gonzales and will reply with outcomes asap.

kahawai chaser
10-07-2014, 06:03 PM
As WT noted above, try AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/). It has removed PUPs and adware for me.

Speedy Gonzales
10-07-2014, 06:16 PM
Then tried Firefox again. Connected to the CNET downloads page (one that has been failing in the past)

I would say this is where your problem started.

AVOID this site / CNET and DON'T download anything off it. If you use their downloader, what they were doing, or are probably still doing, is repackaging valid downloads with their own installers and adding malware to those installers. And I would also avoid filehippo. I read the other day they're starting to do the same thing, or something similar to what CNET and download.com were doing / are doing now.

And yup, by startup entries I mean: if you've installed ccleaner and go to tools / startup, the entries you saw in hijackthis will appear there too.

10-07-2014, 06:39 PM
Also, manually go through your browser addons, the dumb ones are listed and can be removed there.

kahawai chaser
10-07-2014, 06:39 PM
Wondering if extensions or a rogue search engine have sneaked into Firefox; maybe check extensions/search engine (unwanted) in FF settings.

10-07-2014, 07:22 PM
Wondering if extensions or a rogue search engine have sneaked into Firefox; maybe check extensions/search engine (unwanted) in FF settings.

While it's in IE, chances are very high it's also someplace else.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.findwide.com/?guid={11C136F0-7C3F-4245-B737-529F1B68E331}&serpv=22

These modern infections sometimes won't show in Hijackthis, but one is.

Manual removal instructions, but one of the three programs I suggested before should catch it.


On that page, scroll right down; it shows programs to run (some I mentioned) as well as HitmanPro (forgot that one - oops). I run them out of habit without having to think about it ;)
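As an added illustration (not code from anyone in this thread), here is a small Python triage script that applies the checks the replies above rely on to HijackThis lines: a start/search page pointing at a non-Microsoft host (the R1 findwide entry), an O2/O3 add-on loading from a user-writable data folder (the SoFtCoUp BHO), an orphaned '(no file)' toolbar, and any AppInit_DLLs entry. The sample lines are copied from the log posted earlier in the thread; the trusted-host allowlist, folder list and severity labels are assumptions.

```python
import re
from urllib.parse import urlsplit

# Sample HijackThis lines, copied from the log posted earlier in this thread
# (the space in the last filename is as it appeared in the post).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.findwide.com/?guid={11C136F0-7C3F-4245-B737-529F1B68E331}&serpv=22
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SoFtCoUp - {26AF35F3-63F5-9636-BC0A-449B61692878} - C:\Documents and Settings\All Users\Application Data\SoFtCoUp\lnY8.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: c:\docume~1\alluse~1\applic~1\perfor~1\perfor~1.dl l
"""

# Assumption: on this XP box the IE start/search pages should stay on Microsoft hosts.
TRUSTED_HOSTS = ("microsoft.com",)
# Folders a normal user can write to; a BHO or autorun loading from here is suspect.
USER_WRITABLE = ("application data", "applic~1", "documents and settings",
                 "docume~1", "programdata", "\\temp\\")

ADDON_RE = re.compile(r"^(O\d+) - (?:BHO|Toolbar): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")

def trusted(host):
    """True if host is one of TRUSTED_HOSTS or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)

def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    code = line.split(" - ", 1)[0]
    if code in ("R0", "R1") and " = " in line:
        url = line.split(" = ", 1)[1]
        host = urlsplit(url).hostname or ""
        if url.lower().startswith("http") and not trusted(host):
            return ("high", "start/search page points at " + host)
        return None
    if code == "O20":
        return ("high", "AppInit_DLLs loads this DLL into every process that uses user32.dll")
    if code == "O3" and line.endswith("(no file)"):
        return ("low", "orphaned toolbar entry; file is gone, safe to fix")
    m = ADDON_RE.match(line)
    if m and any(tok in m.group(4).lower() for tok in USER_WRITABLE):
        return ("high", m.group(2) + " loads from a user-writable data folder")
    if code == "O4" and any(tok in line.split("] ", 1)[-1].lower() for tok in USER_WRITABLE):
        return ("medium", "autorun entry loads from a user-writable data folder")
    return None

def triage(log_text):
    """Triage a whole log; returns [(severity, entry code, reason), ...] in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], line.strip().split(" - ", 1)[0], hit[1]))
    return findings

if __name__ == "__main__":
    for severity, code, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {code}: {reason}")
```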

10-07-2014, 07:47 PM
CNET installer: has it been downloaded, as this may be a problem?

See in the news that File Hippo has added an installer that adds crapware if you add it.

Just noticed the second page.

Bob Kessler
10-07-2014, 10:00 PM
Thanks pctek - it looks like you solved my problem!!

I checked my Firefox addons and found 3 Extensions I'd not seen there before (nor were they on my Windows8 pc) so I removed them. They were named dealsEak 1.6, realdEaal 1.9 and SoufTCoupp 3.12. Tried a few websites, including the troublesome CNET downloads site, and have experienced no more popups/redirects. More time will tell, but I feel confident - at least right now!

So, my thanks to everyone who 'chipped in', especially you and Speedy Gonzales, for your help.

And, Speedy, I'll follow your last advice to stop using CNET's Download page in the future as I fully agree that they make clicking on the wrong thing very easy!

10-07-2014, 10:41 PM
I feel your pain Bob. :D Just gave up on my old HP with XP because it had suddenly slowed to being unusable. I thought it was a conflict between the last Microsoft updates but now think a rootkit virus somehow sneaked in. So I took it to a doctor because it's a good PC and useful to have as a spare for the teenagers.

Ran Combofix which cured some problems but not enough. Mind you it could be a failing drive but if so it isn't obvious.

Anyway, when downloading software always start at the developer's site. Otherwise I use Majorgeeks, but the important thing is to choose a custom install because then you can opt out from the toolbars etc. they generously :D include.

Speedy Gonzales
11-07-2014, 07:46 AM
No probs Bob!

11-07-2014, 03:25 PM
You need to carry on sorting this, but once you do I can recommend the Adblock Plus plug-in and the pop-up blocker they make as well. I see little or no ads and no annoying pop-ups at all.

Also, while Spybot was long one of the best tools, it is no longer; MBAM is very likely to catch everything Spybot will, so no real point running Spybot any more. There is one exception though: much like CCleaner, Spybot in advanced mode has a startup tool that lets you view, disable, or remove start-up entries and gives a description of many of them. It also bolds any entries that have recently changed.

On the off chance that it's Firefox that's playing up, you could reset it to defaults; instructions here: https://support.mozilla.org/en-US/kb/reset-preferences-fix-problems