TechSpot

Pop up problems with Heavy.com and PartyPoker

By tushart
Sep 15, 2006
  1. Hi,
    I am getting constant pop-ups from number of sites mainly heavy.com and partypoker. I ran all types of antispywares and adwares but still the popups continue.
    Can anyone suggest me a way to get rid of these?

    Thanks
    Tushar
     
  2. JMMD

    JMMD TechSpot Chancellor Posts: 854

    Have you read through all the sticky posts at the top of this forum? Do that before doing anything else.
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions exactly.

    Post fresh HJT and Ewido logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:
     
  4. tushart

    tushart TS Rookie Topic Starter

    still getting pop-up

    I tried all the steps as mentioned. My system works fast now but still getting pop-up from heavy.com

    I am attaching hijackthis log and ewido log of full system scan.

    Thanks for your help with this.

    Tushar
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    IPConfig
    SIFXINSTRun

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    IPConfig - Sprint

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    IPConfig.exe
    SIFXINST.EXE

    Close task manager.

    HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINNT\system32\nst4D.dll

    O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE

    Fix all 015-Trusted ip range entries.

    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.aajtak.com/wfplayer/tdserver.cab

    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - https://www.ueclassroom.sprint.com/SiteRoots/main/Install/CentraDownloader
    .cab

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.sprint.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.sprint.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.sprint.com,central.sprint,ad.sprint.com,it.sprintspectrum.com,intranet.sprintspectrum.com,us.nextel.com,nextel.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.sprint.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.sprint.com,central.sprint,ad.sprint.com,it.sprintspectrum.com,intranet.sprintspectrum.com,us.nextel.com,nextel.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.sprint.com,central.sprint,ad.sprint.com,it.sprintspectrum.com,intranet.sprintspectrum.com,us.nextel.com,nextel.com

    Only fix the above 017 entries if they don`t belong to your ISP or domain.

    O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)

    O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOADFO~1\RNetPin.dll

    O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)

    O20 - Winlogon Notify: ccnotify - C:\Program Files\Rational\bin\ccnotify.dll (file missing)

    O23 - Service: IPConfig - Sprint - C:\PROGRA~1\IPConfig\IPConfig.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\PROGRA~1\IPConfig
    C:\Program Files\SIFXINST

    Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINNT\system32\nst4D.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of tushart only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. tushart

    tushart TS Rookie Topic Starter

    Thanks Howard - It worked

    I followed the steps as you mentioned and my system is not showing any pop-ups now.
    It was really a good learning for me. I want more info on Hijack this logs and how to interprete those. Hope you can send me some usefull links.

    Thanks
    Tushar
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I`d still like you to post a fresh HJT log, so I can check to make sure you`ve no other problems.

    Regards Howard :)

    This thread is for the use of tushart only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    In the future use Spybot search and destroy to immunize your system
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It`s ok Tedster. Instructions for SS&D immunisation are in the link I gave in post #3.

    Regards Howard :)
     
  10. tushart

    tushart TS Rookie Topic Starter

    Hi Howard,

    The system works great now. no popups. Here is the hijack this log as per your request.

    Thanks
    Tushar
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix this entry.

    O1 - Hosts: 207.40.65.7 retailservices.it.sprintspectrum.com

    Other than that, your HJT log looks clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of tushart only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...