| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
|
|
#1 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 3
OS: WinXP
|
Pop-up woes & HJT Log
For awhile now, I've been getting this annoying series of pop-ups whenever I'm online. It's the same 8 or 10 messages that look like old-style Windows error messaging.
I've run both Spybot & Ad-aware, and I've run one of the online virus checking services recommended before using HJT. I downloaded HJT & the HJT Analyzer and ran them. I freely admit I'm a novice when it comes to back-end code, as it's mostly Greek to me, but I think I followed the instructions correctly. In any case, I sure would appreciate any help you folks could give to kill off these pop-ups.

Here's the output of the HJT Log Analyzer:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 9:00:01 PM, on 4/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\NetZero\qs\exec.exe
C:\Program Files\NetZero\qs\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Documents and Settings\Mark\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gocyberlink.com/registrat...rk_S.&Lang=Enu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 35;64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-spee d.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=041105 serial=pe02cbx-0000003-nmd lang=EN
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] C:\Program Files\NetZero\qsacc\x1exec.exe
O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7265871D-C21C-4B73-9A9E-9CC16B6457F4}: NameServer = 64.136.28.120 64.136.20.120
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

End of KRC HijackThis Analyzer Log.
====================================================================

Thanks! |
|
|
|
|
#2 (permalink) |
|
Analyst, Security Team
|
Welcome to TSF.
Do you still have problems now? I don't see anything wrong in the log. Make sure to update Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us. Your log is clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
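
Added example, not part of the thread or of HijackThis itself: a short Python script that groups the entries of a HijackThis log like the one in post #1 by section code, so a reviewer can go through browser settings, autostart entries and services category by category. The function names and the one-line section descriptions are this example's own; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Section codes that occur in the log from post #1 (HijackThis v1.99.1).
SECTIONS = {
    "R0": "IE start/search page setting", "R1": "IE start/search page setting",
    "R3": "URL search hook", "O2": "Browser Helper Object",
    "O4": "autostart (Run keys, Startup folders)",
    "O8": "IE context-menu item", "O9": "IE toolbar button",
    "O16": "downloaded ActiveX control", "O17": "DNS/domain setting",
    "O23": "Windows service",
}

# Excerpt of the log posted above, one entry per line.
SAMPLE = r"""Logfile of HijackThis v1.99.1
C:\Program Files\NetZero\qs\exec.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN = re.compile(r"^(?P<where>.+?): \[(?P<name>.+?)\] (?P<cmd>.+)$")
LNK = re.compile(r"^(?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")

def parse_hjt(text):
    """Group entry bodies by section code; header and process lines are skipped."""
    by_code = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            by_code[m.group(1)].append(m.group(2))
    return dict(by_code)

def autostarts(by_code):
    """Split O4 entries into (location, name, command) tuples."""
    hits = (RUN.match(b) or LNK.match(b) for b in by_code.get("O4", []))
    return [(m["where"], m["name"], m["cmd"]) for m in hits if m]

def summary(by_code):
    """Return (code, meaning, count) rows and the entries marked '(file missing)'."""
    rows = [(c, SECTIONS.get(c, "unknown"), len(b)) for c, b in sorted(by_code.items())]
    missing = [b for bs in by_code.values() for b in bs if b.endswith("(file missing)")]
    return rows, missing

if __name__ == "__main__":
    log = parse_hjt(SAMPLE)
    print(summary(log), autostarts(log), sep="\n")
```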
|
|
|
|
#3 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 3
OS: WinXP
|
Still there...
Yup, still gettin' 'em. I dunno if this helps, but the Task Manager says that, wherever the pop-ups are from, they're hiding in the "csrss.exe" file, which I understand is something the system actually needs to run properly. I had previously downloaded the XP fix, and today I switched over to the latest Firefox browser, but I still get the pop-ups.
Thanks! Mark |
|
|
|
|
#4 (permalink) |
|
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27
|
Let's see if they are Messenger pop-ups (not the IM Messenger, the one that allows computers to communicate on a network).
Please go to www.grc.com and run "Kill the Messenger", and see if that reduces the problem any. A firewall would also help, and I don't see one in your log. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided. Having followed these steps, let us know the results. |
|
|
|
|
#5 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 3
OS: WinXP
|
Success!
I think killing the messenger did the trick. I downloaded the application and ran it, and was able to spend a few hours online without any more of the messages popping up. I feel my sanity is slowly returning. I'll beef up the protection using the options you folks advised. Thanks muchly!
|
|
|
|
|