914World.com _ 914World Garage _ OT f'ing popups!

Posted by: jd66921 Oct 17 2006, 05:51 PM

Help,

I caught a f'ing popup generator. Can't find a process that's generating them.
AVG doesn't find it, AdAware doesn't find anything, and Windows Defender
won't either.

I'm reasonably knowledgeable. Can anyone give me any hints, process names,
or anything that might be the culprit? The popups are random, and some seem to
be legitimate companies. Hope they are not part of the problem!

I am pissed!!!!

Thanks,

Jeff

Posted by: Pnambic Oct 17 2006, 06:01 PM

Try http://www.safer-networking.org/en/index.html? I generally run Spybot and Adaware. Together they do a fine job for me (so far).

Posted by: Hammy Oct 17 2006, 06:14 PM

QUOTE(Pnambic @ Oct 17 2006, 05:01 PM)

Try http://www.safer-networking.org/en/index.html? I generally run Spybot and Adaware. Together they do a fine job for me (so far).


Posted by: KaptKaos Oct 17 2006, 06:27 PM

Spyware Doctor works well. Costs money, but works.

Posted by: smontanaro Oct 17 2006, 06:29 PM

QUOTE(jd66921 @ Oct 17 2006, 06:51 PM)

Can anyone give me any hints, process names, or anything that might be the culprit?


Windows? Sorry, couldn't resist...

Skip

Posted by: jd66921 Oct 17 2006, 06:34 PM

You know what I hate most? "Free" blockers that then ask you for
money!!!!!

Spybot!!!


I'll probably find that it is the one that is generating the pop-ups!!!!

Posted by: Pnambic Oct 17 2006, 06:36 PM

It asks politely for donations, which you are free to decline. You can use the software for free. I've used Spybot for years now and will vouch for them.

Posted by: jd66921 Oct 17 2006, 06:53 PM

Lo siento! I am sorry!!

I chose the wrong one from the Google list, slightly different name!

I'm running it now to see if it helps.

Jeff

Posted by: jd66921 Oct 17 2006, 07:19 PM

Nope, Spybot didn't fix it!

Any other ideas?

Oh yeah, System Restore doesn't work either!!

Jeff

Posted by: SirAndy Oct 17 2006, 08:00 PM

QUOTE(jd66921 @ Oct 17 2006, 06:19 PM)

Any other ideas?



DNS hijack ...
check your DNS settings!

i had one that changed my primary and secondary DNS servers to:
85.255.115.22 and 85.255.112.228

every time you go to a site, you get routed through their DNS and they redirect you to a SPAM/PopUp page ...

if that's the case, revert them back to your correct settings and add the following to your "hosts" file (C:\WINDOWS\system32\drivers\etc\hosts):

127.0.0.1 85.255.115.22
127.0.0.1 85.255.112.228

where you replace the 85. IPs with the actual IPs of your hijack ....

Andy

Posted by: bd1308 Oct 17 2006, 08:14 PM

i remove the hosts file totally, it's usually not needed with DHCP leases anyway.

Posted by: SirAndy Oct 17 2006, 08:38 PM

QUOTE(bd1308 @ Oct 17 2006, 07:14 PM)

i remove the hosts file totally, it's usually not needed with DHCP leases anyway.


you are correct, it's not needed ... that's why it is EMPTY by default ...

you might want to read up on how your DNS lookup works ...

what i'm suggesting above is that he fixes his DNS settings (if they are compromised) and in *addition* adds the spam IPs to his hosts file so any application that might still be on his computer (think trojan) will never be able to reach those IPs anymore.

take a closer look at my post above and you'll see that those entries in the hosts file will create an endless loop for the lookup of those IPs, effectively rendering *any* software trying to reach those IPs useless ...

the hosts file lookups precede *any* other dns lookups in your system.

Andy
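The two posts above tell the original poster to inspect the configured DNS servers and the hosts file by hand. As an added example that is not from anyone in this thread, the Python script below does the same check on saved "ipconfig /all" output and a hosts file: it flags the two resolver addresses quoted above as hijack indicators, asks for review of any other public resolver, and lists hosts entries that divert a name anywhere but loopback. Both sample inputs are constructed, not captured from a real machine.

```python
import ipaddress
import re

# Resolver addresses quoted in the thread as the ones the hijack installed.
HIJACK_INDICATORS = {"85.255.115.22", "85.255.112.228"}

# Constructed sample of "ipconfig /all" output (not captured from a real PC).
SAMPLE_IPCONFIG = """\
Ethernet adapter Wireless Network Connection:
   DNS Servers . . . . . . . . . . . : 85.255.115.22
                                       85.255.112.228
"""

# Constructed sample hosts file: one normal entry, one that diverts a real site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
85.255.115.22   www.google.com
"""

def dns_servers(ipconfig_text):
    # Resolver addresses, including continuation lines under "DNS Servers".
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        collecting = bool(m) or (collecting and bool(re.fullmatch(r"\s*[0-9.]+\s*", line)))
        if collecting:
            servers.append(m.group(1) if m else line.strip())
    return servers

def classify_dns(ipconfig_text):
    # 'hijack' = known indicator; 'review' = public address (a home router
    # normally hands out its own private LAN address); 'ok' = private address.
    verdicts = {}
    for s in dns_servers(ipconfig_text):
        if s in HIJACK_INDICATORS:
            verdicts[s] = "hijack"
        else:
            verdicts[s] = "ok" if ipaddress.ip_address(s).is_private else "review"
    return verdicts

def suspicious_hosts(hosts_text):
    # Report entries that send a name anywhere but loopback; comments are skipped.
    flagged = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and not ipaddress.ip_address(fields[0]).is_loopback:
            flagged.extend((name, fields[0]) for name in fields[1:])
    return flagged
```

On a real machine, save "ipconfig /all > ipconfig.txt" and feed that text plus the contents of C:\WINDOWS\system32\drivers\etc\hosts to the two functions.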

Posted by: bd1308 Oct 17 2006, 08:40 PM

Ok, i'm following now.

Yep, that trick works.

I was just partially confuzzled, I know how DNS lookup works

Posted by: Mamacita Oct 17 2006, 10:53 PM

I hate popups, too! I learned not to let my oldest son on my computer because he'll click on stupid stuff & get me popups and all kinds of nastiness (he helped me get a virus once...nearly kicked his tush for that one!).
Stacie

Posted by: ThinAir914 Oct 18 2006, 12:22 AM

After you get it cleaned up, get Firefox and never use IE again. That's the long-term solution. No pop-ups and no Active-X so no vulnerability for this kind of stuff.

To get it fixed, reboot into safe mode with network. Then try each of these free online scans:
www.antivirus.com (TrendMicro)
www.webroot.com

They can work miracles, but you'll never get anywhere with it if you aren't in safe mode because if the turd is running it will often be smart enough to put itself back in as soon as it is removed.

Posted by: jd66921 Oct 18 2006, 04:22 AM

Ok, a couple of questions. I looked at DNS settings in each network connection. All are automatic. Is that right? Nothing in hosts file.

I am running this computer through a wireless router. If I boot in safe mode, I lose the wireless connection? Is that expected? Hard to run those other scans that way.

I am running www.antivirus.com stuff, but there is no indication it is doing anything. Is that normal? Most other antivirus stuff beats my disk to death! (Just trying this to see if it can find anything!)

Latest is that the malware knows that I like 914's! I'm getting ads for them! Did I catch this from 914world.com? I am also getting ads for Ebay. I have looked at Ebay recently.
Is Ebay part of this conspiracy against me!!

The only software I added that I know of is Windows live messenger. Any possible connection?

Thanks,

Jeff

Posted by: aircooledboy Oct 18 2006, 09:37 AM

Boss's computer has the EXACT same problem here. I ran Spybot, and it removed a bunch of stuff, but popups continue, including ones for Ebay, which I have never seen before.

Gonna try Ahhhndy's plan next.

Posted by: smontanaro Oct 18 2006, 05:45 PM

QUOTE(SirAndy @ Oct 17 2006, 09:00 PM)

if that's the case, revert them back to your correct settings and add the following to your "hosts" file (C:\WINDOWS\system32\drivers\etc\hosts):

127.0.0.1 85.255.115.22
127.0.0.1 85.255.112.228


A similar trick works with the route command, at least on Unix-y systems. When our web server gets hammered by an email crawler or other cretinaceous moron, I simply execute disable-host:

CODE

disable-host ()
{
    host="$1"
    time="$2"
    if [ -z "$host" ]; then
        echo "usage: disable-host host [ reenable-time ]"
        return 1
    fi
    # Point the offending host at loopback so its packets never reach us.
    route add -host "$host" gw 127.0.0.1
    route -n
    if [ -n "$time" ]; then
        # Queue the matching route removal with at(1) for the reenable time.
        echo "will reenable access at $time"
        echo "route delete -host $host" | at "$time" 2>/dev/null
    fi
}


You just route them to your loopback address and they are gone until the (optional) reenable time.

This command is pretty system-specific, even across dialects of Unix, so you may need to tweak it to get it working in your environment.

I have a disable-net command as well. It routes an entire network into the bit bucket.

Skip

Posted by: sgomes Oct 18 2006, 11:31 PM

This may not help but it sounds like you should try anything you can. Run CCleaner (a.k.a. Crap Cleaner). I use it and it really gives the computer a serious enema.

Posted by: bd1308 Oct 18 2006, 11:34 PM

OH OH OH OH

and search for HiJack This!

it's a program where you have to know what you're doing, it gets rid of really nasty crap. It's like Imodium AD for your computer....

Posted by: ThinAir914 Oct 19 2006, 12:02 AM

QUOTE(jd66921 @ Oct 18 2006, 03:22 AM)

I am running this computer through a wireless router. If I boot in safe mode, I lose the wireless connection? Is that expected? Hard to run those other scans that way.


On my laptop the pcmcia wireless card still works in safe mode, but the built-in card does not. I don't know how to activate it after Windows has finished booting up.

I believe that the tool from Webroot is one that you can download and then run, which would get you around the loss of your wireless network.

Another trick is to use the msconfig utility to selectively turn off things that start up automatically, then scan for stuff.

QUOTE(jd66921 @ Oct 18 2006, 03:22 AM)

The only software I added that I know of is Windows live messenger. Any possible connection?

I've seen reports that the Windows Messenger service is one of the main tools for the folks who spread this stuff. I'm not sure if it's the same thing as "Windows live messenger". Assuming it is, you can disable it by going through the Control Panel to the Services applet. Once there, stop the Messenger service and change its startup to manual or disabled.
