# Multiple IE Windows with nasty sites open by themselves

By skasu123
Dec 29, 2009
1. My computer opens multiple internet windows with nasty sites by itself. This mostly happens after a person starts the first window. Adware scan found 1 MRU that was removed. Seems to pop-up every now and then on Adware scan. Would appreciate any help?

I am attaching the Hijackthis log.

2. ### BobbyeHelper on the FringePosts: 16,392   +36

Welcome to TechSpot. I'll be glad to help you. But you are going to have to begin again. You have used a Beta version of HijackThis. This is not appropriate and it is not the version found in our preliminary removal.

But because of the length the log presents with the Logitech Desktop Messenger, I am going to have you remove those entries and disable it.

Please reopen HijackThis to 'do system scan only.'. Check ALL of the following as instructed. Do not click on "Fix Checked" until you have checked them all:
Begin checking with the first entry here:
O18 - Protocol: bw+0 - {7E01A16B-D101-4BB4-9A88-8EB84305C5BE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
>>>>>> continue to check ALL of the 018-Protocol entries, ending with>>>>>>>>>>>>>>>>>
O18 - Protocol: offline-8876480 - {7E01A16B-D101-4BB4-9A88-8EB84305C5BE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

Close all Windows except HijackThis and click on "Fix Checked."

Boot into Safe Mode
• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Click on Start> Run> type in CMD
Copy the following and paste it in at the C prompt:

RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL -removeonly

Enter.
When finished, reboot back into Normal Mode and begin the steps.

What is the D drive? You are running the following from it:
d:\opt\MBCASE\pm\bin\mcp.exe
d:\opt\MBCASE\WIS\TBCD\tbmux32.exe
D:\opt\MBCASE\pm\bin\cmserver.exe
D:\opt\MBCASE\pm\bin\lic_srv.exe
O23 - Service: konfig - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: license - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: mcp - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - d:\opt\MBCASE\WIS\TBCD\tbmux32.exe

Please delete the Beta HijackThis log when you have completed the above.

You also have Symantec/Norton entries running. If Avira is not the security and the Symantec uninstall was not complete, please download the Norton Removal Tool. Save to your desktop. I'll have you run it next time around

3. ### skasu123TS RookieTopic Starter

Thanks for trying to help.

Step 1 for below- worked fine.
Please reopen HijackThis to 'do system scan only.'. Check ALL of the following as instructed. Do not click on "Fix Checked" until you have checked them all:
Begin checking with the first entry here:
O18 - Protocol: bw+0 - {7E01A16B-D101-4BB4-9A88-8EB84305C5BE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
>>>>>> continue to check ALL of the 018-Protocol entries, ending with>>>>>>>>>>>>>>>>>
O18 - Protocol: offline-8876480 - {7E01A16B-D101-4BB4-9A88-8EB84305C5BE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

Step 2 for below - get error:- Missing entry:Launc

RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,Launc hSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL -removeonly

Following entries are for a Mercedes Benz Automobile Software. Have not used in a while, can be removed.

What is the D drive? You are running the following from it:
d:\opt\MBCASE\pm\bin\mcp.exe
d:\opt\MBCASE\WIS\TBCD\tbmux32.exe
D:\opt\MBCASE\pm\bin\cmserver.exe
D:\opt\MBCASE\pm\bin\lic_srv.exe
O23 - Service: konfig - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: license - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: mcp - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - d:\opt\MBCASE\WIS\TBCD\tbmux32.exe

I have attached the updated Hijackthis log. Thank you

4. ### BobbyeHelper on the FringePosts: 16,392   +36

Oh my goodness! I didn't give you the rest of the instructions! It should have said:

Normally I wouldn't have done anything with a Beta HJT, but the Logitech entries needed to go and that shortens the log greatly. And we can't clean with just a HijackThis log. I'm going to give you some more removals and then I would like you to go and run Malwarebytes, Superantispyware and a rescan with HJT using the like I left.

Let's handle Zango- many entries will be handled in SAS:
(I'm leaving some descriptions

Please reopen HJT to 'do system scan only'. Check each of the following if present:

(Status: ZangoOE should not be running at startup.)

O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe"
ZangoSA.exe

(Status: ZangoSA should not be running at startup.)

O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)>> Hotbar, Zango
Filename: HostIE.dll
Location: %ProgramFiles%\Zango\bin\**.*.**.*
Description: Hotbar - now Zango - adware

O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.37.0\Weather.exe" -auto
(Status: Zango.WeatherDPA. This weather toolbar installs without proper user consent along other Zango products. Like all Zango applications advertising is shown by Zango.WeatherDPA.

Close all Windows except HijackThis and click on "Fix Checked."

Boot into Safe Mode
• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Go to the Control Panel> Add/Remove Programs> Uninstall Zango and any other related entries.

Make sure you set your file manager to display hidden and system files.
In Windows Explorer: Click on Tools> Folder Options> View tab>> Check 'show hidden files and folders]'> Uncheck 'hide protected and system folders- Recommended.

Please use Windows Explorer to locate and delete these folders.

• The path is My Computer> Local Drive (C)> User\(username)> Applications.
• The directory at "<$APPDATA>\WeatherDPA\Weather\WeatherDPA\Weather_XML". • The directory at "<$APPDATA>\WeatherDPA\Weather\WeatherDPA".
• The directory at "<$APPDATA>\WeatherDPA\Weather". • The directory at "<$APPDATA>\WeatherDPA".
• The directory at "<$APPDATA>\WeatherDPA". • The directory at "<$APPDATA>\WeatherDPA\Weather".
• The directory at "<$APPDATA>\WeatherDPA\Weather\Weather_XML". • The directory at "<$APPDATA>\WeatherDPA\Weather\WeatherDPA".[/b]
• The directory at "<\$APPDATA>\WeatherDPA\Weather\WeatherDPA\Weather_XML".[/b]

Close all open Windows except for HijackThis. Click on "Fix Checked."

Please re-hide the files and folders and Empty the Recycle Bin

How Did My PC Get Infected with 180 Solutions Zango?

Edit: My apology for the mess I left for you in this reply! I actually fell asleep at the computer last night. Obviously it was before I did a spell check and checked the tags!

5. ### skasu123TS RookieTopic Starter

I want to thank you. I no longer have IE sites popping up. Your assistance is greatly appreciated.

6. ### brucethetechTS EnthusiastPosts: 301

finally a follow-up from someone. Thanks for following up skasu. It will make it easier for other users who browse that thread.

7. ### BobbyeHelper on the FringePosts: 16,392   +36

skasu123, I have edited my entire reply! You surely couldn't have gotten much out of it. See if it makes more sense now.

It would be best to follow up and make sure all of the malware has been removed. I would imagine I scared you off with the mess I left! I should know better than to press 'send' when I've fallen asleep at the computer.

You should go through the steps and run Malwarebytes and Superantispyware following with new HijackThis scan.

Again, my apology for letting such a reply go through.

Topic Status:
Not open for further replies.