TechSpot

IE Pop-ups while using FIREFOX...I suspect DNS catcher...

By Sp00ky_E.
Nov 9, 2005
  1. As this is my first post, I guess I should say, "HI" and thanks for even looking at this in the first place. :wave:

    I very rarely use IE, but lately have been getting pop-ups.
    I've been getting two kinds of pop-ups: One kind seems to be displaying links in response to my Google searches or in response to the web page I'm viewing. I did a bit of research and found that this could be a symptom of something called DNS Catcher. The other kind are advertisements for casino sites, travel agencies, etc. I've run several scans with both Symantec AntiVirus and Microsoft AntiSpyware. It found several problems, including DNS Catcher, some Trojan crap and other Adware, and supposedly deleted/quarantined them, but the problem still remains. However, I now seem to be getting more of the advertisement pop-ups than "search result" pop-ups.
    I ran additional scans in both Normal and Safe Mode, but no threats are detected now, even though the pop-ups continue.
    I doubt this'll help...but when I get a stack of the pop-ups minimized, it says "MQBETMAN" in the little taskbar block. Don't know what that could mean, but it's always consistent.

    Please, please help.
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  3. Sp00ky_E.

    Sp00ky_E. TS Rookie Topic Starter

    Much better! Thanks for the tip. I'm not getting as many pop-ups now, but somehow they're still around. I got one from 888.com just now. Here's my ewido Scan report, it fixed a whole bunch of stuff, but something may have slipped through the cracks. I'd appreciate it if you'd take a look.

    (I removed a few parts of the report on things that were cleaned to get it down to 100mb)

    Regards, Sp00ky. :)
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  5. Sp00ky_E.

    Sp00ky_E. TS Rookie Topic Starter

    I haven't gotten to following the last post yet, but I ran ewido again and got this warning while it was cleaning:

    The file "C:\Program Files\Common Files\system32.dll/gui.exe" cannot be removed because it is embedded in the archive "C:\Program Files\Common Files\system32.dll" Do you want to remove the whole archive?" Y/N

    What should I do? :confused:
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Fix everything else that's found except that gui.exe stuff.
    Post your HJT-log (only one from Safe mode) as described.
     
  7. Sp00ky_E.

    Sp00ky_E. TS Rookie Topic Starter

    That seems to have done the trick! I'm currently pop-up free.

    I've posted my HJT log, as instructed.

    Thanks for all your help!
     
  8. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Run HJT in Safe Mode and let it 'fix' all these:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_home
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1119009841668
    O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
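
An added example, not part of the original posts: a small Python parser for HijackThis entries like the ones listed above, plus a check that re-reads a later log to see whether any entry from the fix list is still present. The function names and the follow-up log are constructed for illustration; the fix-list lines are copied from the post.

```python
import re
from urllib.parse import urlsplit

# Entries copied from the fix list in the post above.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
"""
# Constructed follow-up log (not from the thread): one fixed entry has come back.
LATER_LOG = r"""
Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ExampleApp] C:\Example\app.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")        # "R1 - ...", "O16 - ..."
REGVAL = re.compile(r"^(HK(?:CU|LM)\\[^,]+),(.*?)\s+=\s+(.*)$")  # key,value name = data
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL = re.compile(r"https?://\S+")

def parse_entry(line):
    """Split one log line into section code, body and any recognisable fields."""
    m = ENTRY.match(line)
    if not m:
        return None  # headers, process list, blank lines
    code, body = m.groups()
    entry = {"code": code, "body": body, "missing_file": body.endswith("(no file)")}
    reg = REGVAL.match(body)
    if reg:
        entry["key"], entry["name"], entry["data"] = reg.groups()
    clsid = CLSID.search(body)
    if clsid:
        entry["clsid"] = clsid.group(0).upper()
    url = URL.search(body)
    if url:
        entry["host"] = urlsplit(url.group(0)).hostname
    return entry

def parse_log(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]

def still_present(fix_list, later_log):
    """Entries that were on the fix list but appear again in a later log."""
    later = {(e["code"], e["body"]) for e in parse_log(later_log)}
    return [e for e in parse_log(fix_list) if (e["code"], e["body"]) in later]

if __name__ == "__main__":
    for e in still_present(FIX_LIST, LATER_LOG):
        print("still present:", e["code"], e["body"])
```

An entry that reappears after being fixed in Safe Mode usually means something is rewriting it at startup, so the follow-up log is worth comparing rather than just reading.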
     
  9. Sp00ky_E.

    Sp00ky_E. TS Rookie Topic Starter

    I fixed those things and then ran another scan (log attached).

    AdAware and Spybot are still finding problems in Normal Mode and now I'm only getting pop-ups from CheapTickets.com.
     
  10. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    The only place I can think of, where this might be coming from is:

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Brittany\Programs\aim.exe

    Uninstall it for the moment (Get rid of it really, it's a popular target for all sorts of mischief.)
    If that does not fix it, you can always reinstall it. Backup your contacts first.

    Other than that, look up online virus scanners in Google and run them all.
     
  11. deliriumx

    deliriumx TS Rookie

    Can you take a look at this for me?
    Can you tell me what to delete?
     
     
  12. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

Topic Status:
Not open for further replies.

