IE Pop-ups while using FIREFOX...I suspect DNS catcher...

By Sp00ky_E.
Nov 9, 2005
  1. As this is my first post, I guess I should say, "HI" and thanks for even looking at this in the first place. :wave:

    I very rarely use IE, but lately have been getting pop-ups.
    I've been getting two kinds of pop-ups: One kind seems to be displaying links in response to my Google searches or in response to the web page I'm viewing. I did a bit of research and found that this could be a symptom of something called DNS Catcher. The other kind are advertisements for casino sites, travel agencies, etc. I've run several scans with both Symantec AntiVirus and Microsoft AntiSpyware. It found several problems, including DNS Catcher, some Trojan crap and other Adware, and supposedly deleted/quarantined them, but the problem still remains. However, I now seem to be getting more of the advertisement pop-ups than "search result" pop-ups.
    I ran additional scans in both Normal and Safe Mode, but no threats are detected now, even though the pop-ups continue.
    I doubt this'll help...but when I get a stack of the pop-ups minimized, it says "MQBETMAN" in the little taskbar block. Don't know what that could mean, but it's always consistent.

    Please, please help.
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  3. Sp00ky_E.

    Sp00ky_E. TS Rookie Topic Starter

    Much better! Thanks for the tip. I'm not getting as many pop-ups now, but somehow they're still around. I got one from just now. Here's my ewido Scan report, it fixed a whole bunch of stuff, but something may have slipped through the cracks. I'd appreciate it if you'd take a look.

    (I removed a few parts of the report on things that were cleaned to get it down to 100mb)

    Regards, Sp00ky. :)
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  5. Sp00ky_E.

    Sp00ky_E. TS Rookie Topic Starter

    I haven't gotten to following the last post yet, but I ran ewido again and got this warning while it was cleaning:

    The file "C:\Program Files\Common Files\system32.dll/gui.exe" cannot be removed because it is embedded in the archive "C:\Program Files\Common Files\system32.dll" Do you want to remove the whole archive?" Y/N

    What should I do? :confused:
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Fix everything else that's found except that gui.exe stuff.
    Post your HJT-log (only one from Safe mode) as described.
  7. Sp00ky_E.

    Sp00ky_E. TS Rookie Topic Starter

    That seems to have done the trick! I'm currently pop-up free.

    I've posted my HJT log, as instructed.

    Thanks for all your help!
  8. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Run HJT in Safe Mode and let it 'fix' all these:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
    O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) -
  9. Sp00ky_E.

    Sp00ky_E. TS Rookie Topic Starter

    I fixed those things and then ran another scan (log attached).

    AdAware and Spybot are still finding problems in Normal Mode and now I'm only getting pop-ups from
  10. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    The only place I can think of where this might be coming from is:

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Brittany\Programs\aim.exe

    Uninstall it for the moment. (Get rid of it really; it's a popular target for all sorts of mischief.)
    If that does not fix it, you can always reinstall it. Backup your contacts first.

    Other than that, look up online virus scanners in Google and run them all.
  11. deliriumx

    deliriumx TS Rookie

    Can you take a look at this for me?
    Can you tell me what to delete?
  12. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

Topic Status:
Not open for further replies.
