Freakin popups!

patentman

UPDATE: OK, I appreciate everyone's help in here, but unfortunately it was to no avail. Last night my laptop succumbed to an as yet unknown virus. At ~6:30 pm, my laptop started acting really funny, and when I checked, all of its memory resources were being used by some unknown program. When I switched off my wireless networking card, resources came back and everything was normal. In my second class, my AV popped up notifying me that a trojan horse had been located and quarantined. Concerned, but still thinking no big deal, I continued taking notes, and after class I put the laptop in sleep mode. I went home, woke the laptop up (to back up notes), and when I logged into my account everything went nuts.... Sounds came out of my speaker like none I have ever heard before, the CPU cycled wildly from 0 load to 100% load, hard drive spun like nuts....etc....

I power off the laptop, reboot in safe mode. Everything looks OK, until I try to run any program or open any of my files. As far as I can tell, every one of my non-system files is now corrupted and unreadable.

Sigh... I was going to reinstall windows anyways, so I guess now is as good a time as any....
 

RebateMonger

Instead of spending time becoming a malware removal expert, spend the time on making a (necessary) backup and learning how to use your computer safely.

The most effective course of action (and least-time-consuming over the long run):
1) Back up your important data. You SHOULD have backups anyway. Hard drives fail ALL THE TIME.
2) Reinstall your OS and your applications.
3) Install Antivirus and a single active Antispyware application. I recommend MS Antispyware, since it's free and works fairly well. Keep your AV and A-Spyware definitions current.
4) If you are using XP, be SURE to update to SP2 and keep the firewall ON.
5) Create a Limited-Privileges account (Limited User in Windows XP) and USE IT. Do NOT use your computer with an account that has Administrator rights. It's asking for trouble.
6) Learn the rules of safe web surfing so you won't have any more problems.

It's hard for anyone but an expert to know how badly you are contaminated. Even if you manage to remove your pop-up problem, you could VERY well have password-grabbing trojans or other nasties installed, too. Some are hard to catch. Why risk it when you can be GUARANTEED safe by a single OS re-install and some simple precautions?
 

anatawa

i think you have some spyware/adware lurking on your laptop.. try removing it first using adware,spybot etc2.. then install pop up blocker, firewall,anti-virus bla2... constantly update your security program... stop downloading useless stuff... don't believe suspicious program even with digital signature... and be very extra careful when entering w4-r3z/pr.0n/h4c.k-z website.. prevention is better eh?
 

patentman

The most effective course of action (and least-time-consuming over the long run):
1) Back up your important data. You SHOULD have backups anyway. Hard drives fail ALL THE TIME.

-I do have backups of most of my data. As I thought my post conveyed above, I am not an idiot when it comes to computers and data storage.

2) Reinstall your OS and your applications.

-Please read my post. I work a full time job in a law firm from 7am to 4pm Monday to Friday and then I am either going to class from 6-10pm at night or I am reading for class, writing papers, or doing some other homework. I see my wife ~10 minutes a day during the week. Hence, I repeat, I do not want to have to reinstall my OS if it is not absolutely necessary. I acknowledge that this is probably the best, safest option. That said, I do not use my laptop for anything but taking notes for school and browsing the web (I don't purchase anything on my laptop). I could really care less if some schmo gets an unauthorized look at my antitrust notes or the paper I'm writing for the law journal I'm a part of. The popups are just freakin annoying.

3) Install Antivirus and a single active Antispyware application. I recommend MS Antispyware, since it's free and works fairly well. Keep your AV and A-Spyware definitions current.

-For the love of god, read my post! What is it with IT guys and not paying attention? I have three, THREE commercial antivirus programs on my system, all with up to date definitions, and I've run many antispyware programs and keep their definitions up to date. (though I have not run MS's antispyware). That's the issue, none of these programs get rid of whatever is on my machine that is causing these popups.

4) If you are using XP, be SURE to update to SP2 and keep the firewall ON.
- SHEESH!!! You really did not read a thing I wrote did you?

5) Create a Limited-Privileges account (Limited User in Windows XP) and USE IT. Do NOT use your computer with an account that has Administrator rights. It's asking for trouble.
-Ah, now this is good advice that I can implement now. Thanks for the tip.

6) Learn the rules of safe web surfing so you won't have any more problems.
-Ok dad. FYI, I'm not a 10 year old who has no clue as to the dangers of the web. I'm 29 and I built my first pc by hand when I was 13. I've been on the net since VAX systems were common. I am well aware of the dangers of using the internet unprotected. I'm not some idiot who runs an unencrypted wireless network with a folder on my desktop labeled "CREDIT CARD INFO HERE" on it.

It's hard for anyone but an expert to know how badly you are contaminated. Even if you manage to remove your pop-up problem, you could VERY well have password-grabbing trojans or other nasties installed, too. Some are hard to catch. Why risk it when you can be GUARANTEED safe by a single OS re-install and some simple precautions?

-Fair enough, but as I said, I do not use my laptop for anything but taking notes and browsing the web, so I could care less if anyone gets access to what is on it for the time being. Once the summer rolls around I am planning to completely re-install the OS. I was just looking to see if anyone could give me a tip as to what was causing my issue and how I could resolve it without resorting to that yet.

 

patentman

Originally posted by: anatawa
i think you have some spyware/adware lurking on your laptop.. try removing it first using adware,spybot etc2.. then install pop up blocker, firewall,anti-virus bla2... constantly update your security program... stop downloading useless stuff... don't believe suspicious program even with digital signature... and be very extra careful when entering w4-r3z/pr.0n/h4c.k-z website.. prevention is better eh?

1) Please read my post re: antispyware/antivirus.

2) You are probably right, but seeing as how I pretty much use my laptop to surf major news reporting websites (cnn, espn, drudge, slashdot, anandtech) I'm not certain how these programs got on my system. Only thing I can think of is that they got pushed onto my system from my school's network (which is a) unprotected; and b) riddled with nasties).

3) And for the record, I don't use my laptop to download "useless stuff." It is used strictly for notetaking purposes and some minor net browsing, nothing else.

 

patentman

Originally posted by: BigBobby
Download and install Microsoft Windows AntiSpyware. It is still in Beta, but I have been using it for over 6 months and it works very well.

It works better than all the other tools I had to install prior to using this.... AdAware, Highjacker, and several others. I had to use several to do the job this one does.

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Thanks for the tip. I will make sure to check this AS software out.

 

RebateMonger

Patentman:

I read every word of your original post. I wasn't trying to insult you. I gave you my FULL suggestions for removing the infections and PREVENTING a re-infection. A fully-patched XP, SP2 computer, with XP's firewall turned on, and up-to-date antivirus, doesn't magically get infected with popups all by itself. Even on a university network. Most likely, you clicked on the wrong thing. People do that. I see the results all the time.

I consider it irresponsible to list a partial solution (like "here's how to remove the spyware") without telling a client how to prevent re-infection. The answer is NOT, "How to remove Spyware...". The answer is, "How to prevent re-infection...". Removing Spyware does no good if the client gets re-infected a month later. If you follow ALL of the suggestions I provided, the odds of re-infection are pretty low.

I have no magical way of knowing that you don't shop online or log onto your company's email system or browse your personal email. I can't know whether you or your employer care whether your passwords or documents might be exposed. I can't know if you will ever log onto your Company's VPN and infect their network.

Here's a complete, professional procedure for scanning and removing spyware, adware, viruses, worms, and trojans. It'll take longer than it takes to re-install your OS, but, chances are, you'll stop the popups. And, hey, you'll be an expert at spyware removal:

TheFlyingPenguin.com - one of the best documented procedures available.

If it was my computer, I'd also run a rootkit scanner, but interpretation of the results can be tough. Also, be sure to check that your DNS settings haven't been hijacked. Being directed to a DNS server in Russia, rather than your ISP's DNS server, really sucks. But if the computer belonged to somebody that I cared about, I'd re-install the OS.

Otherwise, download the common anti-spyware applications and run them in Safe Mode. Maybe you'll find one that will remove your popups. But you said you already tried that.

You can also post in one of the many excellent Spyware Removal Forums available. Doing so, and following their experienced directions, will probably take a while, too, but they'll probably help you stop your popups.
 

DBSX

-For the love of god, read my post! What is it with IT guys and not paying attention? I have three, THREE commercial antivirus programs on my system, all with up to date definitions, and I've run many antispyware programs and keep their definitions up to date. (though I have not run MS's antispyware). That's the issue, none of these programs get rid of whatever is on my machine that is causing these popups.

This may be a (or part of) the cause of your problems. Use one antivirus tool, not three. Not only do three tools consume a lot of resources, three tools more than likely trample all over each other causing all of them to be less effective. Pick one you like best, and use that one. I am well aware that no single AV product will catch every virus, but it is far better to pick one that will catch most vs three that will conflict and create more problems resulting in perhaps many more infections/problems. If you really feel you must use three products, install only one and scan with the other two.

\Dan

Edited for spelling.
 

BadThad

Originally posted by: DBSX
-For the love of god, read my post! What is it with IT guys and not paying attention? I have three, THREE commercial antivirus programs on my system, all with up to date definitions, and I've run many antispyware programs and keep their definitions up to date. (though I have not run MS's antispyware). That's the issue, none of these programs get rid of whatever is on my machine that is causing these popups.

This may be a (or part of) the cause of your problems. Use one antivirus tool, not three. Not only do three tools consume a lot of resources, three tools more than likely trample all over each other causing all of them to be less effective. Pick one you like best, and use that one. I am well aware that no single AV product will catch every virus, but it is far better to pick one that will catch most vs three that will conflict and create more problems resulting in perhaps many more infections/problems. If you really feel you must use three products, install only one and scan with the other two.

\Dan

Edited for spelling.

Good advice. Also, be aware that no single malware removal tool will catch everything. That's why it's recommended to use several different software packages to catch and remove malware.

Bottom line, you're getting unwanted pop-ups, your system is infected with malware.
 

mechBgon

patentman, what are the names of the adware/spyware that you've removed, if you can recall some? Know thine enemy and all that :)

Scan the system with F-Secure's Blacklight rootkit detector too: http://www.f-secure.com/blacklight

You mentioned "Spyware Nuker." That's a rogue antispyware program. Get it off of there. Ditto for the extra two antivirus programs. If you want a "second-opinion" scan, do what I wrote up here: http://www.omnicast.net/~tmcfadden/scan.txt. Follow directions precisely.
 

BadThad

Originally posted by: mechBgon
patentman, what are the names of the adware/spyware that you've removed, if you can recall some? Know thine enemy and all that :)

Scan the system with F-Secure's Blacklight rootkit detector too: http://www.f-secure.com/blacklight

You mentioned "Spyware Nuker." That's a rogue antispyware program. Get it off of there. Ditto for the extra two antivirus programs. If you want a "second-opinion" scan, do what I wrote up here: http://www.omnicast.net/~tmcfadden/scan.txt. Follow directions precisely.

COOL! I wasn't aware of the Blacklight rootkit detector. Thanks for the link! Good Stuff! :thumbsup:
 

patentman

I tried "rootkit revealer" a while back and it pulled up a number of items. I deleted a few that I knew I could get rid of, but most of them look like they may be associated with system operations so I left them alone (I am after all trying not to create more problems than I have already). I'll post a log when I get a chance.

Thanks for all the comments
 

kylebubp

I wouldn't put too much stock in MS AntiSpyware. I'm not anti-MS, but when I installed McAfee Anti-Spyware 2006, it found 168 things that MS Anti-Spyware didn't.
 

cubby1223

Originally posted by: kylebubp
I wouldn't put too much stock in MS AntiSpyware. I'm not anti-MS, but when I installed McAfee Anti-Spyware 2006, it found 168 things that MS Anti-Spyware didn't.

Well I've got these pop up ads that tell me I've got 364 more things infecting my computer than either MS AntiSpyware or McAfee Anti-Spyware tell me. So that means I should definitely click on what the pop up ad tells me...

Seriously, that is one of the knocks against some software programs, such as Ad-Aware that I like a lot. Ad-aware typically cleans up just enough of the program to stop the programs from running again. So it might leave the log files, or sometimes a blank directory. Then that's what the other software picks up on and makes you believe their software is so much more effective, when it really isn't.



Anyways, when you get to a point where none of the usual tools fix the problem, you have to start learning about what's going on, and do some google searches. Like none of the usual tools could get rid of Vundo, Spy Axe, or Aurora - but with enough key words into google, the answers are out there, and the fixes are very specific to what crap is on the machine.
 

kitkat22

Just a thought, when you ran your AS software, did you run them under "safe mode?" If not this is what I would do:
1) Install Ad-aware, Spybot, Spyblaster and MS Antispyware - get rid of any others.
2) Install your favorite AV and firewall
3) Update them all
4) Restart in safe mode and enjoy watching all the spyware drop like flies.

To finish off, restart your computer and visit www.trendmicro.com; they have an online AV and Spyware tool that's pretty good. I usually finish off with that to make sure I got everything.
 

RebateMonger

Lots of folks like MS's AntiSpyware. Frankly, I've seen it ignore a lot of stuff that it shouldn't ignore. But it's free, easy to use, and at least keeps the I.E. home page from being hijacked. And if you set User rights to "Limited User", you really can't install much evil stuff in Windows XP.

I saw a client's computer that got TOTALLY destroyed by malware while he was running MS's Antispyware in active mode. With two mouse clicks, he got the following installed on his PC:
BackOrifice
Three Password-grabbing Trojans
A Trojan that installs NEW spyware was installed.
Several Adware Programs
A fake antispyware application (UnSpyPC) was installed.
His DNS setting was set to a rogue DNS server in Russia.
Several programs were installed as "Run at Boot" in the Registry.

Scan results:
Microsoft's Malicious Software Removal Tool caught nothing.
Microsoft's Antispyware caught two (Trojan.Downloader.Small.Popcorn64 and PWS Pinch (password catcher))
Spybot S&D 1.4 caught (and supposedly removed) 53 items, including CoolWWWSearch and a dozen other major adware, spyware, and trojan applications. But several of them "came back" upon reboot.
HiJackThis 1.99 showed me the BackOrifice, plus three or four more trojans.

By the time I finished these scans, I'd invested several hours in scanning and still had an unsafe system. And I still hadn't scanned for rootkits.

I wiped it and re-installed XP.
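
Added example, not part of any poster's reply: the two checks RebateMonger mentions (a hijacked DNS setting and programs registered to run at boot in the Registry) as a read-only PowerShell triage script. The expected resolver addresses and the path heuristic are assumptions to adapt, and `Get-DnsClientServerAddress` needs Windows 8 or later, not the XP discussed in the thread.

```powershell
# Added example: read-only triage, changes nothing on the system.

# ASSUMPTION: the resolvers your ISP or network is supposed to hand out.
# These are constructed documentation addresses (RFC 5737); replace them.
$ExpectedDns = @('192.0.2.53', '192.0.2.54')

# Autostart locations: per-machine and per-user Run / RunOnce keys.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-UnexpectedDnsServer {
    # Returns one object per configured IPv4 resolver that is not expected.
    param([string[]]$Expected)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            $adapter = $_
            foreach ($addr in $adapter.ServerAddresses) {
                if ($Expected -notcontains $addr) {
                    [pscustomobject]@{
                        Interface = $adapter.InterfaceAlias
                        DnsServer = $addr
                    }
                }
            }
        }
}

function Get-RunKeyEntry {
    # Lists every value under the given Run keys with the command it starts.
    param([string[]]$Path)
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $command
                # Heuristic (assumption): autostarts launched from temp or
                # per-user directories deserve a closer look first.
                UserWritablePath = $command -match '\\(Temp|AppData|Users\\Public)\\'
            }
        }
    }
}

'--- DNS servers not in the expected list ---'
Get-UnexpectedDnsServer -Expected $ExpectedDns | Format-Table -AutoSize

'--- Programs registered to run at boot or logon ---'
Get-RunKeyEntry -Path $RunKeys |
    Sort-Object UserWritablePath, Key, Name -Descending |
    Format-Table -AutoSize -Wrap
```

Both checks read what the running OS reports, so on a machine where a rootkit is suspected a clean result does not clear it.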
 

anatawa

Originally posted by: patentman
Originally posted by: anatawa
i think you have some spyware/adware lurking on your laptop.. try removing it first using adware,spybot etc2.. then install pop up blocker, firewall,anti-virus bla2... constantly update your security program... stop downloading useless stuff... don't believe suspicious program even with digital signature... and be very extra careful when entering w4-r3z/pr.0n/h4c.k-z website.. prevention is better eh?

1) Please read my post re: antispyware/antivirus.

2) You are probably right, but seeing as how I pretty much use my laptop to surf major news reporting websites (cnn, espn, drudge, slashdot, anandtech) I'm not certain how these programs got on my system. Only thing I can think of is that they got pushed onto my system from my school's network (which is a) unprotected; and b) riddled with nasties).

3) And for the record, I don't use my laptop to download "useless stuff." It is used strictly for notetaking purposes and some minor net browsing, nothing else.

sry for my sharp tongue.. never meant to offend you.. your problem is very critical so i assume you were doing something nasty.. and from all your story i also assume there could be internal attack.. from downloaded file or breach from outside (exploit on dangerous website, pr0n etc..)... sry for all my words.. i hope F-Secure blacklight totally fix your system..

i also fear its not just a rootkit.. could be a new variant of polymorphic malware.. i suggest not to connect to internet until you fix it..

only paranoid will survive O__o;;;
 

BadThad

Originally posted by: RebateMonger
Lots of folks like MS's AntiSpyware. Frankly, I've seen it ignore a lot of stuff that it shouldn't ignore. But it's free, easy to use, and at least keeps the I.E. home page from being hijacked. And if you set User rights to "Limited User", you really can't install much evil stuff in Windows XP.

I saw a client's computer that got TOTALLY destroyed by malware while he was running MS's Antispyware in active mode. With two mouse clicks, he got the following installed on his PC:
BackOrifice
Three Password-grabbing Trojans
A Trojan that installs NEW spyware was installed.
Several Adware Programs
A fake antispyware application (UnSpyPC) was installed.
His DNS setting was set to a rogue DNS server in Russia.
Several programs were installed as "Run at Boot" in the Registry.

Scan results:
Microsoft's Malicious Software Removal Tool caught nothing.
Microsoft's Antispyware caught two (Trojan.Downloader.Small.Popcorn64 and PWS Pinch (password catcher))
Spybot S&D 1.4 caught (and supposedly removed) 53 items, including CoolWWWSearch and a dozen other major adware, spyware, and trojan applications. But several of them "came back" upon reboot.
HiJackThis 1.99 showed me the BackOrifice, plus three or four more trojans.

By the time I finished these scans, I'd invested several hours in scanning and still had an unsafe system. And I still hadn't scanned for rootkits.

I wiped it and re-installed XP.

Right on! MS Anti-spyware is only so effective, end of story. That's why, sadly, we are forced into using multiple tools to clean malware. You did the right thing in reinstalling XP. It's a helluv a lot faster to start over than to spend a bizillion hours trying to fix the OS. That's why I preach: Back-up your data and/or store it on a partition separate from the OS!
 

clarkmo

SpyBot has always worked for me. Several times I would have to reboot and run it again but it always ended up on top.
OEMs are notorious for placing spyware in their own software. I wouldn't be surprised if Acer didn't have something running that causes the popups. I don't use any OEM software. They all try to phone home. You didn't mention your OS. XP Pro or Home? SP1 or SP2?
The original xp build had a messenger service enabled and open which guaranteed free access to your computer by anyone who wanted to send an ad or popup.
 

talyn00

Originally posted by: RebateMonger
Lots of folks like MS's AntiSpyware. Frankly, I've seen it ignore a lot of stuff that it shouldn't ignore. But it's free, easy to use, and at least keeps the I.E. home page from being hijacked. And if you set User rights to "Limited User", you really can't install much evil stuff in Windows XP.

I saw a client's computer that got TOTALLY destroyed by malware while he was running MS's Antispyware in active mode. With two mouse clicks, he got the following installed on his PC:
BackOrifice
Three Password-grabbing Trojans
A Trojan that installs NEW spyware was installed.
Several Adware Programs
A fake antispyware application (UnSpyPC) was installed.
His DNS setting was set to a rogue DNS server in Russia.
Several programs were installed as "Run at Boot" in the Registry.

Scan results:
Microsoft's Malicious Software Removal Tool caught nothing.
Microsoft's Antispyware caught two (Trojan.Downloader.Small.Popcorn64 and PWS Pinch (password catcher))
Spybot S&D 1.4 caught (and supposedly removed) 53 items, including CoolWWWSearch and a dozen other major adware, spyware, and trojan applications. But several of them "came back" upon reboot.
HiJackThis 1.99 showed me the BackOrifice, plus three or four more trojans.

By the time I finished these scans, I'd invested several hours in scanning and still had an unsafe system. And I still hadn't scanned for rootkits.

I wiped it and re-installed XP.

Well Microsoft Antispyware is not a replacement for anti-virus.