Suddenly lots of popups

Muse

Lifer
Jul 11, 2001
39,580
9,433
136
A few days ago I started getting a lot of popups. I've been hanging out in the AVS Forums, so I thought that might have had something to do with it. But this morning I booted my computer and came back a while later and there was a popup and IE wasn't even open. A few days ago I ran Adaware 6.0 and Spybot and whatever it is that is generating the popups was not detected. I'm running Windows 2000 and 6.0.28... IE. What can I do to stop this stuff? Thanks. :confused:
 

azntiger0586

Senior member
Jul 10, 2003
343
0
0
-update spybot to its latest definitions. and run it again
-go to start menu, run, type in msconfig
- then click on startup tab and disable anything that might look like ads.
-go to start menu, run, type in services.msc
- go down to messenger and change it to "Manual or disable"

hope it works out.

PS: if u want to stop most of pop-ups, google toolbar is a nice free program to start with here.
 

Muse

Originally posted by: azntiger0586
-update spybot to its latest definitions. and run it again
-go to start menu, run, type in msconfig
- then click on startup tab and disable anything that might look like ads.
-go to start menu, run, type in services.msc
- go down to messenger and change it to "Manual or disable"

hope it works out.

PS: if u want to stop most of pop-ups, google toolbar is a nice free program to start with here.

azntiger, you rock! :) I was thinking about Google Toolbar for something else (form fill-ins), but didn't know it had popup protection. I'll try that stuff you said, in the order you said first, though. Thanks!

 

Muse

Originally posted by: azntiger0586
-update spybot to its latest definitions. and run it again
-go to start menu, run, type in msconfig
- then click on startup tab and disable anything that might look like ads.
-go to start menu, run, type in services.msc
- go down to messenger and change it to "Manual or disable"

hope it works out.

PS: if u want to stop most of pop-ups, google toolbar is a nice free program to start with here.

I did everything and am still getting occasional popups. Less than I was, I'm pretty sure, but still getting more than I used to. So, I installed Google Toolbar. Here's my question at the moment - Google Toolbar with its default options hangs a toolbar off the IE menus and other toolbars (which include the address bar - for me essential). Will Google Toolbar still do its thing if you hide it? Thanks!
 

afropick

Senior member
Feb 8, 2001
355
0
0
See if you have any files called "stcloader.exe" anywhere.

I had this popup 'virus' a little while ago and adaware, spybot, norton '04, popup stoppers, zonealarm, deleting registry keys, etc. would not get rid of it. I had to reformat my harddrive.
 

Muse

Originally posted by: afropick
See if you have any files called "stcloader.exe" anywhere.

I had this popup 'virus' a little while ago and adaware, spybot, norton '04, popup stoppers, zonealarm, deleting registry keys, etc. would not get rid of it. I had to reformat my harddrive.

Damn! Stcloader.exe is nowhere on my system, thank God. You couldn't just delete the f-----r, huh? I haven't had any popups for a few hours now, having installed Google Toolbar. I'm still wondering if I can hide it. What I'm trying to do is consolidate it with my other toolbar, "Standard Buttons", which seems to have room for the GT at the right side. The GT FAQ says you can do that and has instructions but, damnit, they don't work. Edit: I see the problem - my toolbars were locked! I may just live with it there. Google has long been my home page anyway and I do Google searches constantly. Now it's easier to do them: I just hit Alt-G, type my search string and a new Google search results window opens (I have it configured to open a new page).

 

pyrojunkie

Senior member
Jul 30, 2003
243
0
0
Originally posted by: azntiger0586
-update spybot to its latest definitions. and run it again
-go to start menu, run, type in msconfig
- then click on startup tab and disable anything that might look like ads.
-go to start menu, run, type in services.msc
- go down to messenger and change it to "Manual or disable"

You can disable a service in Msconfig by just clicking on the Services tab.

 

Muse

Originally posted by: motoamd
Link

The link discusses the Messenger service and it's archived. Black Viper's Windows 2000 Services recommendations page says the following about the Messenger service (which he says you can safely disable, in a nutshell):



Messenger
This service provides the ability to send messages between clients and servers. This service needs not to be running under normal "home" conditions. It is also advisable to make this service go away to avoid the possibility of "net send" messages hitting your computer from the internet. This has nothing to do with MSN Messenger, nor is it "WinPopUp."

To test for this security vulnerability, at the command prompt, (run: cmd.exe) type:

net send 127.0.0.1 hi

If you get a popup "hi" message, you should disable the Messenger service.
If you get an error stating, "The message alias could not be found on the network," you are safe.

If, for whatever reason, you need the Messenger service running but wish not to have spam popups active, you can disable the particular ports at your firewall. The Messenger service uses UDP ports 135, 137, and 138; TCP ports 135, 139, and 445.

Default 2000 Server: Automatic
Default 2000 Pro: Automatic
Safe Setting: Disabled

Dependencies:

What services Messenger needs to function properly:

Remote Procedure Call (RPC)
Workstation
What other services require Messenger to function properly:

None
 

Muse

I did a number of things including running an updated Spybot and Adaware, turning off the Messenger Service, and removing a program or two that looked suspicious from my Startup, but I think the clincher was installing Google Toolbar. I've experienced ZERO popups since installing it. The Google Toolbar (integrated with my regular IE toolbar, so it takes up no extra space - that's one of their tips) says it's blocked 48 popups! I'm wondering where those 48 popups came from. Were they initiated by something on my box? Or is that the sort of stuff that's going on in the Internet these days? I'm not hanging out at sleazy sites, folks.
 

pyrojunkie

Google toolbar will only stop popups that are initiated by IE. It won't stop popups from spyware programs or other ad programs (like KaZaA).
 

Muse

Originally posted by: pyrojunkie
Google toolbar will only stop popups that are initiated by IE. It won't stop popups from spyware programs or other ad programs (like KaZaA).

Yes, indeed. That was my impression. Therefore I have to think that my popups have been coming from sites, not something on my box. Well, I thought my understanding may have been wrong. Reason is I suddenly seemed to be getting 5 times as many popups as I used to get. I don't know. I made several changes and when you do that it's hard to figure what caused what. Anyway, I'm getting ZERO popups now, and that's exactly how I like it.
 

Muse

Originally posted by: PC_Freak
I would reboot into Safe Mode and run Spybot again.

Thanks for the idea. I read your post and did it. Spybot found around 12 new tracking cookies since the last time I ran it, which was around 5 days ago. Is that a lot? Seems like it. Well, they are removed now and will see what happens. Just from the time I posted yesterday there were 5 more blocked popups according to Google Toolbar, that previous to running Spybot in Safe Mode, which I JUST did.

 

pyrojunkie

Tracking cookies aren't that big of a worry. You'll get those a lot from many different sites. Their security risk is minimal.
 

straubs

Senior member
Jan 31, 2001
908
0
0
If your problem is from popups when IE *isn't even running* then you have some other problem on your PC. Try pressing CTRL-SHIFT-ESC, then go to the processes tab. Look for things in there. If you took the time to list them, that would really help. Otherwise you can go here http://mjc1.com/mirror/hjt/ and get Hi-JackThis. If you run that, it will create a notepad doc, which you can then post here.

Actually, you should just go to http://www.spywareinfo.com and post your question there. :)
 

Muse

Originally posted by: straubs
If your problem is from popups when IE *isn't even running* then you have some other problem on your PC. Try pressing CTRL-SHIFT-ESC, then go to the processes tab. Look for things in there. If you took the time to list them, that would really help. Otherwise you can go here http://mjc1.com/mirror/hjt/ and get Hi-JackThis. If you run that, it will create a notepad doc, which you can then post here.

Actually, you should just go to http://www.spywareinfo.com and post your question there. :)

I downloaded and installed Hijackthis.exe. I reenabled all the items in my startup (msconfig), rebooted and ran Hijackthis and saved a log. This is it:

Logfile of HijackThis v1.97.7
Scan saved at 8:57:01 AM, on 12/14/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINNT\System32\svchost.exe
G:\Programs\NORTON~1\NORTON~2\GHOSTS~2.EXE
G:\Programs\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\WINNT\System32\nvsvc32.exe
D:\WINNT\system32\poweroff.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\system32\WFXSVC.EXE
D:\WINNT\System32\WBEM\WinMgmt.exe
G:\Programs\WinFax\WFXMOD32.EXE
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\SymTray.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\Programs\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
G:\Programs\Ahead\InCD3.5.2.0_Full\InCD.exe
G:\Utility\Sound Utilities\Total Recorder\TotRecSched.exe
G:\programs\Video\WinFast\WFTVFM\WFWIZ.exe
D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
D:\Program Files\MSI\Live Update 3\LMonitor.exe
D:\WINNT\system32\tbctray.exe
D:\WINNT\system32\RUNDLL32.EXE
G:\utility\AutoSizer\AutoSizer.exe
D:\WINNT\System32\WScript.exe
D:\WINNT\system32\rundll32.exe
G:\Utility\NEC-Mitsubishi\Brightness Controller\BrightnessController.exe
G:\Utility\CLICFLIC\clicflic.exe
g:\utility\clicflic\cfaux.exe
G:\Utility\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - G:\Programs\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - G:\Programs\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] G:\Programs\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] G:\Programs\Ahead\InCD3.5.2.0_Full\InCD.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "G:\Utility\Sound Utilities\Total Recorder\TotRecSched.exe"
O4 - HKLM\..\Run: [WinampAgent] "G:\Utility\Sound Utilities\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WinFast Schedule] g:\programs\Video\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [LiveMonitor] D:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [SAHBundle] D:\DOCUME~1\DANMUS~1\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TraySantaCruz] D:\WINNT\system32\tbctray.exe
O4 - HKCU\..\Run: [TClockEx] G:\Utility\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AutoSizer] "G:\utility\AutoSizer\AutoSizer.exe" /h
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: Brightness Controller.lnk = G:\Utility\NEC-Mitsubishi\Brightness Controller\BrightnessController.exe
O4 - Startup: ClickFlick.lnk = G:\Utility\CLICFLIC\clicflic.exe
O4 - Startup: Shortcut to OUTLOOK.EXE.lnk = D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Startup: Shortcut to winlogo.exe.lnk = E:\Ans\winlogo.exe
O4 - Startup: WinFast FM.lnk = G:\programs\Video\WinFast\WFTVFM\WFFM.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Search.vbs
O8 - Extra context menu item: &Check Spelling - res://D:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/GrlNt0i.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37883.6787384259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{421E8159-6B10-4804-84E7-B3DE6596379A}: NameServer = 192.168.0.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{421E8159-6B10-4804-84E7-B3DE6596379A}: NameServer = 192.168.0.1,4.2.2.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{421E8159-6B10-4804-84E7-B3DE6596379A}: NameServer = 192.168.0.1,4.2.2.2
- - - -

Bundle.exe is something that had looked suspicious to me, and I'd disabled it in startup in msconfig. It's now enabled, since I enabled everything in Startup in msconfig before running Hijack. I'm not getting popups (well, I did get one, just one a day or so ago), but it says that 72 have been blocked in the Google Toolbar, which I installed almost a week ago.
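
Added example, not part of the post above: a small Python triage pass over the O4 (autostart) lines of a HijackThis log like the one just posted, marking entries for manual review. The two heuristics (target in a Temp directory, script file launched at logon) are assumptions chosen for illustration, not HijackThis verdicts; the sample lines are excerpted from the log in the post.

```python
import re

# Lines excerpted from the HijackThis v1.97.7 log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SAHBundle] D:\DOCUME~1\DANMUS~1\LOCALS~1\Temp\bundle.exe
O4 - HKCU\..\Run: [AutoSizer] "G:\utility\AutoSizer\AutoSizer.exe" /h
O4 - Startup: ClickFlick.lnk = G:\Utility\CLICFLIC\clicflic.exe
O4 - Global Startup: Search.vbs
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

O4_LINE = re.compile(r"^O4 - (?P<location>[^:]+): (?P<rest>.+)$")
RUN_VALUE = re.compile(r"^\[(?P<name>.+?)\] (?P<command>.+)$")

# Assumed triage heuristics: each one only marks an entry for a human to review.
HEURISTICS = [
    (re.compile(r"\\(temp|tmp)\\", re.I), "autostart target is in a Temp directory"),
    (re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd)\b", re.I), "script launched at logon"),
]

def parse_o4(line):
    """Return (location, name, command) for an O4 autostart line, else None."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    location, rest = m["location"], m["rest"]
    run = RUN_VALUE.match(rest)
    if run:  # registry Run/RunOnce value: "[name] command"
        return location, run["name"], run["command"]
    # Startup-folder item: "name = target", or a bare file name
    name, sep, target = rest.partition(" = ")
    return location, name, (target if sep else name)

def triage(log_text):
    """List (location, name, reason) for every O4 entry matching a heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        location, name, command = entry
        for pattern, reason in HEURISTICS:
            if pattern.search(command):
                findings.append((location, name, reason))
    return findings

if __name__ == "__main__":
    for location, name, reason in triage(SAMPLE_LOG):
        print(f"REVIEW {location} [{name}]: {reason}")
```

A match means "look at this entry by hand", nothing more; entries that match neither rule are not thereby cleared.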
 

gotasnake

Member
Oct 22, 2003
71
0
0
I'd run Ad-Aware and Spybot. I've found that one will catch some things that the other won't even with the latest definitions.

Also, if you're willing to switch browsers, Mozilla Firebird has built-in pop-up protection, plus a ton of other cool features (like tabbed browsing, autofind, etc).

You may also do a system scan at http://housecall.trendmicro.com


edit: linkage
 

Muse

Originally posted by: gotasnake
I'd run Ad-Aware and Spybot. I've found that one will catch some things that the other won't even with the latest definitions.

Also, if you're willing to switch browsers, Mozilla Firebird has built-in pop-up protection, plus a ton of other cool features (like tabbed browsing, autofind, etc).

You may also do a system scan at http://housecall.trendmicro.com


edit: linkage

If I install Firebird, can I keep all my IE Favorites? Will Google Toolbar run with it? I really would only want it for the auto-form-fill functionality if Firebird has popup protection, I guess.