Multiple IE Windows with nasty sites open by themselves

By skasu123
Dec 29, 2009
Topic Status:
Not open for further replies.
  1. My computer opens multiple internet windows with nasty sites by itself. This mostly happens after a person starts the first window. Adware scan found 1 MRU that was removed. Seems to pop-up every now and then on Adware scan. Would appreciate any help?

    I am attaching the Hijackthis log.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Welcome to TechSpot. I'll be glad to help you. But you are going to have to begin again. You have used a Beta version of HijackThis. This is not appropriate and it is not the version found in our preliminary removal.

    But because of the length the log presents with the Logitech Desktop Messenger, I am going to have you remove those entries and disable it.

    Please reopen HijackThis to 'do system scan only'. Check ALL of the following as instructed. Do not click on "Fix Checked" until you have checked them all:
    Begin checking with the first entry here:
    O18 - Protocol: bw+0 - {7E01A16B-D101-4BB4-9A88-8EB84305C5BE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    >>>>>> continue to check ALL of the O18 - Protocol entries, ending with >>>>>>
    O18 - Protocol: offline-8876480 - {7E01A16B-D101-4BB4-9A88-8EB84305C5BE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll


    Close all Windows except HijackThis and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Click on Start> Run> type in CMD
    Copy the following and paste it in at the C prompt:

    RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL -removeonly

    Enter.
    When finished, reboot back into Normal Mode and begin the steps.

    Please follow the steps HERE. When you have finished, attach all 3 of the logs to your next reply for review.

    What is the D drive? You are running the following from it:
    d:\opt\MBCASE\pm\bin\mcp.exe
    d:\opt\MBCASE\WIS\TBCD\tbmux32.exe
    D:\opt\MBCASE\pm\bin\cmserver.exe
    D:\opt\MBCASE\pm\bin\lic_srv.exe
    O23 - Service: konfig - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
    O23 - Service: license - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
    O23 - Service: mcp - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
    O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - d:\opt\MBCASE\WIS\TBCD\tbmux32.exe



    Please delete the Beta HijackThis log when you have completed the above.

    You also have Symantec/Norton entries running. If Avira is not the security and the Symantec uninstall was not complete, please download the Norton Removal Tool. Save to your desktop. I'll have you run it next time around.
  3. skasu123

    skasu123 Newcomer, in training Topic Starter

    Thanks for trying to help.

    Step 1 for below- worked fine.
    Please reopen HijackThis to 'do system scan only'. Check ALL of the following as instructed. Do not click on "Fix Checked" until you have checked them all:
    Begin checking with the first entry here:
    O18 - Protocol: bw+0 - {7E01A16B-D101-4BB4-9A88-8EB84305C5BE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    >>>>>> continue to check ALL of the O18 - Protocol entries, ending with >>>>>>
    O18 - Protocol: offline-8876480 - {7E01A16B-D101-4BB4-9A88-8EB84305C5BE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll


    Step 2 for below - get error:- Missing entry:Launc

    RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,Launc hSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL -removeonly

    Following entries are for a Mercedes Benz Automobile Software. Have not used in a while, can be removed.

    What is the D drive? You are running the following from it:
    d:\opt\MBCASE\pm\bin\mcp.exe
    d:\opt\MBCASE\WIS\TBCD\tbmux32.exe
    D:\opt\MBCASE\pm\bin\cmserver.exe
    D:\opt\MBCASE\pm\bin\lic_srv.exe
    O23 - Service: konfig - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
    O23 - Service: license - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
    O23 - Service: mcp - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
    O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - d:\opt\MBCASE\WIS\TBCD\tbmux32.exe

    I have attached the updated Hijackthis log. Thank you
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Oh my goodness! I didn't give you the rest of the instructions! It should have said:

    Please follow the steps HERE. When finished, attach all 3 logs to your next reply for review.

    Normally I wouldn't have done anything with a Beta HJT, but the Logitech entries needed to go and that shortens the log greatly. And we can't clean with just a HijackThis log. I'm going to give you some more removals and then I would like you to go and run Malwarebytes, Superantispyware and a rescan with HJT using the link I left.

    Let's handle Zango- many entries will be handled in SAS:
    This is a big part of your problem: Zango. It's adware
    (I'm leaving some descriptions:)

    Please reopen HJT to 'do system scan only'. Check each of the following if present:

    O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.3.37.0\OEAddOn.exe
    OEAddOn.exe

    (Status: ZangoOE should not be running at startup.)

    O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe"
    ZangoSA.exe

    (Status: ZangoSA should not be running at startup.)

    O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)>> Hotbar, Zango
    Filename: HostIE.dll
    Location: %ProgramFiles%\Zango\bin\**.*.**.*
    Description: Hotbar - now Zango - adware

    O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.37.0\Weather.exe" -auto
    (Status: Zango.WeatherDPA. This weather toolbar installs without proper user consent along with other Zango products. Like all Zango applications, advertising is shown by Zango.WeatherDPA.)

    Close all Windows except HijackThis and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Go to the Control Panel> Add/Remove Programs> Uninstall Zango and any other related entries.

    Make sure you set your file manager to display hidden and system files.
    In Windows Explorer: Click on Tools> Folder Options> View tab> Check 'Show hidden files and folders'> Uncheck 'Hide protected and system folders - Recommended'.

    Please use Windows Explorer to locate and delete these folders.

    • The path is My Computer> Local Drive (C)> User\(username)> Applications.
    • The directory at "<$APPDATA>\WeatherDPA\Weather\WeatherDPA\Weather_XML".
    • The directory at "<$APPDATA>\WeatherDPA\Weather\WeatherDPA".
    • The directory at "<$APPDATA>\WeatherDPA\Weather".
    • The directory at "<$APPDATA>\WeatherDPA".
    • The directory at "<$APPDATA>\WeatherDPA".
    • The directory at "<$APPDATA>\WeatherDPA\Weather".
    • The directory at "<$APPDATA>\WeatherDPA\Weather\Weather_XML".
    • The directory at "<$APPDATA>\WeatherDPA\Weather\WeatherDPA".
    • The directory at "<$APPDATA>\WeatherDPA\Weather\WeatherDPA\Weather_XML".

    Close all open Windows except for HijackThis. Click on "Fix Checked."

    Please re-hide the files and folders and Empty the Recycle Bin

    How Did My PC Get Infected with 180 Solutions Zango?

    Edit: My apology for the mess I left for you in this reply! I actually fell asleep at the computer last night. Obviously it was before I did a spell check and checked the tags!
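
The manual review in the two helper replies above (services marked "file missing", a toolbar with "(no file)", and autostart entries pointing into the Zango folder) can be sketched as a small log triage script. This is an added example, not part of the original thread or of HijackThis itself; the function names, the `watchlist` parameter and the finding labels are assumptions, and the sample lines are copied from the posts.

```python
import re

# Sample entries copied from the posts above (HijackThis sections O3/O4/O18/O23).
SAMPLE_LOG = r'''
O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe"
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.37.0\Weather.exe" -auto
O18 - Protocol: bw+0 - {7E01A16B-D101-4BB4-9A88-8EB84305C5BE} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: mcp - Unknown owner - d:\opt\MBCASE\pm\bin\mcp (file missing)
O23 - Service: TransBaseService - TransAction Software, D 81737 Munich - d:\opt\MBCASE\WIS\TBCD\tbmux32.exe
'''

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")                # section code, rest of line
MISSING_RE = re.compile(r"\((?:file missing|no file)\)")  # target no longer on disk


def entry_name(section, body):
    """Return the entry's short name: [Name] for O4, 'Kind: name - ...' otherwise."""
    if section == "O4":
        m = re.search(r"\[([^\]]+)\]", body)
    else:
        m = re.match(r"[^:]+: (.+?) - ", body)
    return m.group(1) if m else body


def triage(log_text, watchlist=("zango", "weatherdpa")):
    """List (section, name, reasons) for entries a reviewer should look at.

    watchlist holds lowercase substrings the reviewer already considers
    unwanted (here the adware names from the thread). A hit is a prompt for
    manual review, not a verdict.
    """
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, running-process list, blanks
        section, body = m.groups()
        reasons = []
        if MISSING_RE.search(body):
            reasons.append("missing-file")
        hits = [w for w in watchlist if w in body.lower()]
        if hits:
            reasons.append("watchlist:" + ",".join(hits))
        if reasons:
            findings.append((section, entry_name(section, body), reasons))
    return findings
```

Entries that match neither rule, such as the Logitech O18 protocol handler and the TransBaseService line, are not flagged; the script only narrows down what a person still has to judge.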
  5. skasu123

    skasu123 Newcomer, in training Topic Starter

    I want to thank you. I no longer have IE sites popping up. Your assistance is greatly appreciated.
  6. brucethetech

    brucethetech TechSpot Enthusiast Posts: 301

    Finally a follow-up from someone. Thanks for following up skasu. It will make it easier for other users who browse that thread.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    skasu123, I have edited my entire reply! You surely couldn't have gotten much out of it. See if it makes more sense now.

    It would be best to follow up and make sure all of the malware has been removed. I would imagine I scared you off with the mess I left! I should know better than to press 'send' when I've fallen asleep at the computer.

    You should go through the steps and run Malwarebytes and Superantispyware, following with a new HijackThis scan.

    Again, my apology for letting such a reply go through.