Free PC Support
PC Help Forums from the Experts at Technical-Assistance.co.uk
 
Zedo popups

 
MoNkEyMaGiK



Joined: 10 Sep 2007
Posts: 8

Posted: Mon Sep 10, 2007 6:40 pm    Post subject: Zedo popups

Can anybody help me get rid of these annoying popups? They're from a site called zedo and only pop up when I'm looking at my MSN Hotmail, as this uses Explorer, or if I happen to use Firefox, which I rarely do. They're just very annoying when I wanna check my Hotmail; they don't affect me when I'm browsing, as I'm using Opera.

Here's my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 18:54:44, on 04/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: (no name) - {59338191-32ED-477A-A5F1-3850E1D7754B} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\JAFFA\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://jaffasplaypen.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150892750343
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0016524.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
SoftStag



Joined: 05 Feb 2006
Posts: 2049
Location: UK

Posted: Mon Sep 10, 2007 7:27 pm

Open Regedit and look for the following folder in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Core

If this exists, then from Safe Mode, delete the core folder. Reboot into normal mode and scan your system with AV and Anti Spyware software.
_________________
"Microsoft programs are generally bug-free. If you visit the Microsoft hotline, you'll literally have to wait weeks if not months until someone calls in with a bug in one of our programs. 99.99% of calls turn out to be user mistakes. I know not a single less irrelevant reason for an update than bugfixes. The reasons for updates are to present more new features."
-- Bill Gates, on code stability, from Focus Magazine
MoNkEyMaGiK



Joined: 10 Sep 2007
Posts: 8

Posted: Tue Sep 11, 2007 12:34 pm

Thanks mate, I'll try this now.
MoNkEyMaGiK



Joined: 10 Sep 2007
Posts: 8

Posted: Tue Sep 11, 2007 12:43 pm

Hi, I just looked and I cannot find that registry you told me to look for. Where else could this be?
MoNkEyMaGiK



Joined: 10 Sep 2007
Posts: 8

Posted: Wed Sep 12, 2007 10:38 am

Can anybody help me remove these zedo pop-ups please? If someone knows what files/registries I need to move, can you reply back? Thanks.
SoftStag



Joined: 05 Feb 2006
Posts: 2049
Location: UK

Posted: Tue Sep 18, 2007 6:55 pm

Try running your Housecall Online Virus Scanner to identify if there are any viruses found. I think you may have Worm_Spybot.B in which case you will need to go through the removal instructions here:
http://uk.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=2&VName=WORM_SPYBOT.B
MoNkEyMaGiK



Joined: 10 Sep 2007
Posts: 8

Posted: Mon Sep 24, 2007 12:28 pm

Thanks for the information mate, I've run a virus check with Trend Micro and the system is clean apart from one virus, which is TROJ_BHO.LF.

I downloaded the latest virus patch which was recommended to remove this, but for some reason it still won't delete??

Do you know where to look for this trojan? I know it's in windows system32, but are there any registries I should look for?
MoNkEyMaGiK



Joined: 10 Sep 2007
Posts: 8

Posted: Mon Sep 24, 2007 1:10 pm

Right, the corrupted file is C:\WINDOWS\system32\_c0016524.dat

It's showing as a Neroshowtime folder, but when I try to delete it, it says I can't because it's being used, so I need to know how to safely remove this file from my computer. Anybody know how to remove this? It will be much appreciated, thanks.
MoNkEyMaGiK



Joined: 10 Sep 2007
Posts: 8

Posted: Mon Sep 24, 2007 1:11 pm

Oh, I tried deleting in safe mode as well, but it says it is still being used by another application.
SoftStag



Joined: 05 Feb 2006
Posts: 2049
Location: UK

Posted: Mon Sep 24, 2007 1:41 pm

I'm not sure what this virus is, or what it has done. I've looked on the Trend website, but it is not listed.

To delete the file download Killbox from http://killbox.net/

Run the program and put C:\WINDOWS\system32\_c0016524.dat in the section for Full Path of File to Delete then click on the red circle with the X in. This should delete the file for you. If it doesn't, try selecting the option to End Explorer Shell while Killing File. Again if this doesn't work select Delete on Reboot and it will delete the file when the PC reboots.
MoNkEyMaGiK



Joined: 10 Sep 2007
Posts: 8

Posted: Mon Sep 24, 2007 2:52 pm

I'm stumped on this one, tried it and it can't find the file, but when I do a search the file is clearly there????

Doing my head in now, must be a way to remove these zedo popups surely.
SoftStag



Joined: 05 Feb 2006
Posts: 2049
Location: UK

Posted: Mon Sep 24, 2007 4:54 pm

OK, try the following then:

- Click Start then Run
- Type in cmd and press Enter - This will open a Command Prompt window
- Type in \WINDOWS\system32\ and press Enter
- Press Ctrl - Alt - Del and select Task Manager
- Select the Processes tab at the top
- Highlight explorer.exe and click End Process
- Go back to the Command Prompt window (do not close Task Manager) and type del __c0016524.dat (note there are 2 _ characters at the start of this filename) and press Enter - this should delete the file
- Go back to the Task Manager window again and click on File then New Task
- Type in explorer.exe and click OK
- Close everything back down and the file should be gone.
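The HijackThis log in the first post lists `__c0016524.dat` under `O20 - AppInit_DLLs`, and that is the file the later posts try to delete. As an added example (not part of any post in this thread, and not HijackThis's own logic), the Python below triages log entries with two heuristics that are assumptions of this example: an AppInit_DLLs module whose name does not end in `.dll`, and a registration marked `(no file)` or `(file missing)`.

```python
import re

# Lines copied from the HijackThis log in the first post of this thread.
SAMPLE_LOG = r"""
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {59338191-32ED-477A-A5F1-3850E1D7754B} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0016524.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# A HijackThis entry is "<section code> - <description>", e.g. "O20 - AppInit_DLLs: ...".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a manual look.

    The reasons are heuristics chosen for this example, not verdicts.
    """
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list, or blank line
        code, body = m.group("code"), m.group("body")
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # The AppInit_DLLs value is a space- or comma-separated module list,
            # so a path containing spaces would be split here (assumption:
            # modules are registered with short 8.3 paths).
            modules = re.split(r"[ ,]+", body.split(":", 1)[1].strip())
            for mod in modules:
                if mod and not mod.lower().endswith(".dll"):
                    findings.append(
                        (code, "AppInit_DLLs module without .dll extension", mod))
        elif body.endswith(("(no file)", "(file missing)")):
            findings.append((code, "registration points at a missing file", body))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}: {detail}")
```
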
All times are GMT