Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Not open for further replies.
1 - 11 of 11 Posts

178 Posts
Discussion Starter · #1 ·
I seem to have this interesting bug in my pc that can do some pretty weird things. Every now and then I get these little square pop-ups when I'm online. I think they're blank as well. They pop up and disappear immediately. Thing is, it's able to turn off my ie pop-up blocker. Everytime I open ie I have to go into tools and turn my pop-up blocker back on, and then it almost instantly turns it off again. Any help would be greatly appreciated.

Gone but Never Forgotten
17,735 Posts

So, does this thread you started on the same day, mean that you still have popups etc after UNinstalling WeatherBug, which according to your post, solved the same popup etc problems?

Is that thread for your same computer?

Weatherbug is an ad-supported program but it does not create outside popups....unless it is running an advertisement within it, that is not so great..and your browser security is not set so great maybe but I doubt it....let's see if we can help you narrow down the problem. The program is still detected because of what it contains, but it itself is not harmful, and we usually advise that it is an optional program to remove....fiercely concerned privacy conscious folks, or businesses, might not want it running, but the program can and has saved lives with it's emergency alerts. There certainly are other free weather utilities that you could use...

Certain versions of Weatherbug may vary, so do what is below:

Please do this as the first step in looking for any cause of popups etc:

go to Click here to download HJTsetup.exe
  • On that page, select one of the servers in the list under the Free Downloads heading
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Paste the log in your next reply.
  • Don't use the Analyse This button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

_ _ _ _
Please also do this:
  • Open Hijack This and click on the "Open the Misc Tools section" button.
  • Click on the "Open Uninstall Manager" button.
  • Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad.
  • Copy and paste that list here in your reply

178 Posts
Discussion Starter · #3 ·
Yes, I'm sorry. It appears that I may have jumped to conclusions with Weatherbug. However, the problems did seem to start when I downloaded it. And yes again, I have recently noticed that the problems have continued to some degree. However, I'll have to keep an eye on it, because since running Spyware Doctor, the bug seems to have disappeared. This has happened before though, so I'll have to wait and see. Thanks for the reply though, Byteman.

Gone but Never Forgotten
17,735 Posts
A quick check of a hijackthis log could save you time and trouble...but it's your call, I would be glad to check a log.

178 Posts
Discussion Starter · #5 ·
I think Spyware Doctor may have solved the issue. However, I sometimes wish I didn't have anything to do with them again. After paying for another year's subscription, I can't use it until a tech gets back to me about the fact that the scan won't start. Anyway, here's my HJT log concerning my spyware issue:

Logfile of HijackThis v1.99.1
Scan saved at 12:47:42 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\Program Files\Program Files 2\Tools\Adaware\aawservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Turtle Beach\Santa Cruz\Control Panel\tbctray.exe
C:\Program Files\Program Files 2\Tools\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Program Files 2\Tools\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Program Files 2\Tools\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Program Files 2\Tools\Spyware Doctor\pctsSvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\PROGRA~1\Tools\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {E588935D-3FA7-18FD-4BBF-8566251CE1F6} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tad] C:\WINDOWS\tbcdata\Tad.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Program Files 2\Tools\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\Program Files\Turtle Beach\Santa Cruz\Control Panel\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI699F~1\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Program Files 2\Tools\Adaware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\Program Files 2\Tools\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.5\rthlpsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Program Files 2\Tools\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Program Files 2\Tools\Spyware Doctor\pctsSvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Gone but Never Forgotten
17,735 Posts

No malware seen- just a few leftovers to fix with Hijackthis:

You can start up Hijackthis with this window open as a guide...but before you remove items with Hijackthis, you MUST have all Internet related windows, and open programs, CLOSED. Just after you put the checkmarks next to the items you see in your next Scan with Hijackthis, close all browsers, email, chat, IM, game, etc windows...including THIS window...and, when you have the items checked off, click "Fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {E588935D-3FA7-18FD-4BBF-8566251CE1F6} - (no file)

Close Hijackthis after you fix the items.

You should be good to go....

Though, you do need to check things out with an online scan, do one of these if you have not...when you have time as they take a good hour or so usually.

HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Or this one: Kaspersky online full scan
  • Please go HERE and click Free Online Scanner
  • Read and Accept the Agreement
  • You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
  • Copy and Paste the contents of the on line scanner results into a Reply here in your thread, along with a new HJT log and log from any other scans you run.

If anything except tracking Cookies is found, please post the results of the scan here.

Gone but Never Forgotten
17,735 Posts
Hi, I'm not at all sure it would, it looks to be more for virus detection (I might be wrong, you didn't post the list of installed software so I am not sure what your McAfee contains actually)....isn't that why you also have Ewido and Spyware Doctor, to check for that type of malware?

That's what online scanners do detect...the whole general various types of "malware"....adware, spyware, virii, trojans, rootkits even....but, you may skip that online scan if you wish to!

178 Posts
Discussion Starter · #10 ·
I was told a few times before that it's good to stay away from online scanners, as they're looking at more than just malware. They're spying on everything on your harddrive. But hey, I don't know.

Gone but Never Forgotten
17,735 Posts

That is outrageous! These are public services provided by security companies that make antimalware you know what would happen to them if they were discovered snooping into computers? We'd have all heard something about that long before now....

It's up to you whether you want help here, or not.
1 - 11 of 11 Posts
Not open for further replies.