Undetectable Popup spawners??

tunaman

I do a pretty good job usually of keeping my system clean of spyware, adware, and malware but this one has obviously got me. For some reason, popups now come up on my machine every 10 minutes or so. Interestingly, they come up in Internet Explorer even though I use IE for only 3 things: to download Mozilla Firefox when I first reformatted my machine, to visit Windows Update, and to access a web service that requires IE. Aside from those, I never use IE. Now, I have run Ad-Aware and nothing. I have run a virus scan, nothing. I have checked the registry for anything running on startup, nothing. I check the process list and nothing is out of place. WHAT IS GOING ON?! I can't figure out how these popups are coming up on my machine! Do you guys have any ideas?
 
Something is slipping by ad aware. Try spybot.

And we're talking about web popups, right? Not system popups?
 
Run HijackThis maybe? After you find that sumbitch, install SpywareBlaster to keep them out.
 
Make sure ad-aware is up-to-date. I had a system here at work with an infection that the newest spybot did NOT detect; only the very latest ad-aware partially recognized it, but could not clean it.

It was VX2.betterinternet. Had to remove autoupdate.exe from HKLM...Run. Had to remove %systemroot%\system32\AGD.CPY.DLL and AGD.DLL - only way to kill them was to boot with an NTFS dos boot disk or slave the drive. Safe mode didn't work. So I hope that's not it but if it is here's something to go by.

GL
 
Definitely sounds like adware, though it might be a semi-valid one (popups are NEVER valid IMO, but tell that to THEM......) I used to use weatherbug before I found weatherpulse and it would occasionally open IE windows at the most annoying moments (I swear it has a system in place to make it pop up when I'm at the most frantic points of some fast paced game.) Even when I blocked the site it would still open them. In fact, it once got stuck in a permanent loop where it would keep popping up windows until I killed the program or my computer froze from just extremely severe resource usage after 500 or so windows. d-:
 
But... if you're not using ie... it's utterly impossible to have any kind of computer problems at all, let alone popups and adware and spyware! Haven't you been paying attention? You must be doing it wrong.

But yes, adaware on its own misses a fair bit from my experiences helping other people clean up the mess they make. Try spybot s&d as well, make sure that you have Ad-Aware 6.181 and not an older build - builds don't update in the internal updater.
 
Originally posted by vinnie
But... if you're not using ie... it's utterly impossible to have any kind of computer problems at all, let alone popups and adware and spyware!

God I wish that were true! Unfortunately, if you are using windows, and you are using a variety of programs that use the internet, the chances are sadly high that at least one of those USES IE, even if you don't and your default browser is set to something else. For example, in the case I mentioned earlier, Weatherbug uses IE. Basically these programs have some kind of integration thing where they call part of IE or something.

Oh, and adware/spyware are only moderately related to the browser you choose. There are only a few that can only target IE. Most adware/spyware applications are like trojans in that they come in a separate program and the few that you get through your browser usually use scripts/etc that will run even in Mozilla if you let them, but of course all the browsers but IE are much stricter, so only a few get through scripts. Nonetheless, you still don't have to even have IE installed (win98 lite perhaps) to still get some adware/spyware. First of all, by the very name, adware is anything that uses ads (take, for example, the free version of DivX.) You can actually set DivX up to work in Linux, so I kind of doubt you can blame IE for it... The real problem with those is mainly that they love to collect information they have no right to, making them also spyware.
 
Originally posted by Nazo
Oh, and adware/spyware are only moderately related to the browser you choose. There are only a few that can only target IE. Most adware/spyware applications are like trojans in that they come in a separate program and the few that you get through your browser usually use scripts/etc that will run even in Mozilla if you let them
Shh.. you'll scare the mozilla whores and they'll sic their DDoS zombies on to you. Truth is secondary to miseducated personal views on the internet :)

, but of course all the browsers but IE are much stricter, so only a few get through scripts.
Out of the box perhaps. 15 months since last format and I'm yet to see a single piece of spyware, adware, virus, malware, 'toolbar' or anything of the sort here... I can only assume that IE is perfectly configurable to be as secure as any other browser. Either that or it's the user, not the browser that matters most. I'm happy with either conclusion.
 
Rule of thumb...

ALL WINDOWS UPDATES! Then run ad-aware, then spybot search and destroy, finally run Hijack This. After that visit http://housecall.antivirus.com After that check msconfig for fraudulent spyware or virus. If it still does not work remove everything from msconfig and go one at a time. If that still doesn't work. Format C: /s

Enjoy
 
I don't consider IE to ever be as secure as any other browser no matter how you configure it simply due to the fact that it is so integrated into the operating system. You can secure it all you want and browse the web as carefully as you can but there is still the possibility there that a web page can bring down your entire operating system. There is just no reason a userland program like a web browser should be tied so tightly to the operating system. A user should not have to tiptoe around the internet for fear of crippling his operating system. A user should not have to reconfigure his browser in order to protect himself from websites. I go wherever I want whenever I want. I go to porn sites and sites I can't even mention here and have never so much as had a popup or a memory leak or anything. I am sick and tired of people blaming IE's problems on user ignorance or software misconfiguration. Those arguments only go so far before you realize that the software is what allows the user ignorance to be a problem.

tunaman: are these boxes by any chance just like a little dialog box with an okay button? I'm going out on a limb here but that is a possibility. If so, that is something completely different (but quite easy to fix).
 
Please PLEASE tell that to microsoft... They are under the impression that integrating everything into fricking everything else is a GOOD idea... I personally like having choices, but they sure do work hard to make it tough.

Anyway, vinnie, firstly it relies on just how many different programs you download and what types they are. For example, if you start playing around with those things like weatherbug, you'll find the number jumps rather surprisingly fast. Also, spybot has some kind of immunization thing. I have no idea what it does, but since I started using that, I've seen almost no real spyware get through, and most of what did was cookies (darn it, it's just too much work to manually approve all the correct domains and all that junk, so I have to turn them on full -- and you'd be surprised how many legitimate places for some reason completely unknown to me actually use 3rd party cookies...)


Oh, btw, jpmkm, you might be quite interested to know that people have found a way to actually remove IE from windows xp. It makes a lot of things stop working, but most of them aren't even important and the few that are you can still get alternatives to. I'd do it myself, but it's just so much work it's not worth it IMO.


And tunaman, jpmkm's suspicion is well grounded. My parents had a LOT of issues with this even back when they were on dialup until I convinced them to install a firewall. The only thing is that this shouldn't involve IE in any noticeable way since he is suspecting the windows messenger which is a separate program (wow, there IS such a thing...)

EDIT: Lol, don't I just sound like such a MS basher. Can you blame me though? Frankly I don't form hatred towards any one company very easily. Microsoft and AOL are practically the only ones on that list of companies I'd personally execute the CEOs of if I could... d-:
 
Originally posted by jpmkm
A user should not have to reconfigure his browser in order to protect himself from websites.
Says who? I say a user without the 20-30 seconds required to do that shouldn't be using the internet at all.

I go wherever I want whenever I want. I go to porn sites and sites I can't even mention here and have never so much as had a popup or a memory leak or anything.

I go wherever I want whenever I want too. I'm neither a pervert nor a criminal, so I tend to not go to the kind of sites you do, but strangely I have no malware problems, never see popups and nor do I have memory leaks. Who's the man now?

I am sick and tired of people blaming IE's problems on user ignorance or software misconfiguration. Those arguments only go so far before you realize that the software is what allows the user ignorance to be a problem.
I have three computers in this house. All with windows as the main OS, all with IE as the main browser. Occasional scans with adaware and spybot reveal that none have ever had any kind of problem.

The only conclusion I can make is that the fault lies in individuals not bright enough to operate a computer properly and that are either perverts, criminals or both, rather than in the equipment. If you ever work a trade, you'll know there's no point in blaming the tools when the operator is at fault.


Originally posted by Nazo

EDIT: Lol, don't I just sound like such a MS basher. Can you blame me though? Frankly I don't form hatred towards any one company very easily. Microsoft and AOL are practically the only ones on that list of companies I'd personally execute the CEOs of if I could... d-:

Yes, I can blame you :)

AOL and Microsoft have done more to advance various aspects, and the dissemination thereof, new and emerging computing technologies than just about any other entity. For all of everyone's bitching and whining, the fact is that these companies have produced products consumed by the better part of a billion people that no one else had.

Given the choice of having all the whingy people with a grudge against either company leading technology commercialisation and dissemination, or the companies in question, I'd go for the companies every time.

The basic fact is AOL have provided net access to hundreds of millions, MS have provided operating systems and other products to billions and lots of other people have done nothing except bitch and whinge when they've done nothing more creative or useful in their life than a year 3 pastel paint drawing of a house for Miss Watson.


Back on topic now... a process does not necessarily need to appear in the task list nor in any of the easily visible startup means to be running. There are ways around these things.. so not being able to see something easily doesn't need to mean it's not there.
 
I am already behind a hardware firewall, and I do have the messenger service turned off so it's not that. (Hehe, I used to wreak havoc with that in college on NT and 2000 systems all over the school.) I am not a beginner at this, it's just that this has completely stumped me and I have checked all of the usual places. Registry, google, startup folder, services, running processes, etc.

I downloaded Spybot and ran that. Surprisingly, it found quite a few things that Adaware did not catch. I also ran Hijack this which only detected a small number of things that were not altogether contributing to the problem. (browser redirects, hosts file entries, etc.)
Hopefully Spybot did the trick. I am about to hit the sack right now, so I will report back tomorrow about any success.

Thanks!
 
Originally posted by vinnie
Originally posted by jpmkm
A user should not have to reconfigure his browser in order to protect himself from websites.
Says who? I say a user without the 20-30 seconds required to do that shouldn't be using the internet at all.
Says all of us. It's not about the time, it's about the fact that, first of all, the browser really should be configured properly to be secure to begin with as it gets tiresome having to fix that on every PC you ever work with after every install, and secondly, not all users know HOW to configure it.


nor do I have memory leaks.
More often than not those are the result of poorly programmed legitimate programs. And why are you so sure? Have you allowed your PC to run for several weeks at a time without a reboot?

AOL and Microsoft have done more to advance various aspects, and the dissemination thereof, new and emerging computing technologies than just about any other entity. For all of everyone's bitching and whining, the fact is that these companies have produced products consumed by the better part of a billion people that no one else had.
No, I agree with you. They HAVE. However, you'll note that we both used the past tense. Now they are just using their names and semi-monopolies to make money. Or do you really think it's truly 100% necessary for all users and businesses to have to upgrade every single time microsoft puts out a new windows? You'd be surprised at how many businesses were just as well off with NT4 and even in some cases perhaps 95 (my ancient laptop still uses this, you'd be surprised at how stable 95 actually was.) My problem isn't so much that there are big companies out there, but the fact that they are taking advantage of their monopolies and, rather than trying to educate the average user to be able to do the things they need to, they go out of their way to make things TOO simple to the extent that they make things worse. Not to mention how competition unfriendly they are. I don't want IE integrated into everything, I want to use opera whenever it comes to ANYTHING involving browsing the internet.

Back on topic now... a process does not necessarily need to appear in the task list nor in any of the easily visible startup means to be running. There are ways around these things.. so not being able to see something easily doesn't need to mean it's not there.

Well, he is right about that much. Some things can set themselves to be hidden unfortunately, or run through something else which gets really tricky to track them down. Some slightly things you can track down by turning on the option to show all 16-bit tasks as well as the option to show all tasks by all users. If you need to look at the things running through other things though, as far as I know, your best bet is to use an external program such as ProcessExplorer (there is no shortage of those that do this, this is just the one I liked enough not to keep looking for others, so try places like cnet for others.)

Also, when things are sneaking an automatic run in behind your back, you can often catch them by running msconfig (you have to manually type it in in the run box) and looking under the startup things. Be careful not to get the wrong things, but don't worry too much as it will pop back up at the next bootup and give you the option of undoing the previous changes.

Anyway, between spybot and adaware, I've never had any that seemed to slip by, so that should probably do the trick. Hijack this, while technically having the potential to do even better than either in some things, is a little too sensitive IMO. It gets tiresome sorting through all the registry entries/etc, when the worst those can be is simple spying and the real issue is that stuff that installs and runs on your PC.

BTW, when you are browsing the web, and something offers to install itself for you, always answer no. It's amazing how often I've found cometcursors and gator junk on people's pcs just because they went to a site and it offered to install this lovely little tool on their PC, never once mentioning that they were doing far more harm than good. Oh, and look out for software installations. If you can, you should probably use the custom install all of the time. The reason being that many seemingly legitimate programs will sneak and choose to install junk like the gator stuff. (And I still get sick of things installing AOL on my computer even though I don't want it and don't want it taking space on my HD...)
 
I have three computers in this house. All with windows as the main OS, all with IE as the main browser. Occasional scans with adaware and spybot reveal that none have ever had any kind of problem.

I have 7 in the house all running windows as the main OS as well with IE as the main browser. Never ever have any problems. I scan with adaware, sbsad, and hijack. Never really find anything. Also keeping up with the windows updates helps.


The only conclusion I can make is that the fault lies in individuals not bright enough to operate a computer properly and that are either perverts, criminals or both, rather than in the equipment. If you ever work a trade, you'll know there's no point in blaming the tools when the operator is at fault.


Agreed.
 
Originally posted by Nazo
More often than not those are the result of poorly programmed legitimate programs. And why are you so sure? Have you allowed your PC to run for several weeks at a time without a reboot?


Code:
iexplore.exe                2776 Console                 0      1,120 K
taskmgr.exe                 3900 Console                 0      1,800 K
wmiprvse.exe                3044 Console                 0      5,724 K
cmd.exe                     3096 Console                 0      1,476 K
firefox.exe                  696 Console                 0     19,864 K

There's a section from my current tasklist.

I reset about once a week, at the end of the working week. Save everything, make sure everything that needs updating is updated, then since there's about 10 things that want a reboot, they get it.

The copy of IE that's open there has been going since last Sunday, I've been slowly going through the archives of sinfest all week. 1.1mb.. not really taking that much memory is it. A freshly opened copy of firefox however is consuming nearly 20mb. I don't think IE is leaking much :)
 
I like to remind you that the iexplore.exe process is basically just a front end. IE is built in to the operating system (that is why you can type an internet address in an explorer window and go there) so the real stuff probably isn't happening in iexplore.exe. Firefox is an entirely self-contained browser so it doesn't have the "advantage" of hiding itself in other processes.
 
Originally posted by jpmkm
I like to remind you that the iexplore.exe process is basically just a front end. IE is built in to the operating system (that is why you can type an internet address in an explorer window and go there) so the real stuff probably isn't happening in iexplore.exe. Firefox is an entirely self-contained browser so it doesn't have the "advantage" of hiding itself in other processes.

Sure :)

So where then is my memory leaking to? Excluding the game sitting in the background, the next biggest process is 19mb for explorer, then 14 for apache and svchost and trillian and so on down.

Maybe explorer is the recipient of my mystical memory leak! 20+1=21 ... so my desktop, several browser windows, bunch of folders open... adds up to... 1mb more than firefox!

There's my memory leak! Oh wait, I don't have one. No need to panic. Thank goodness!
 
Well, after running spybot and adaware and hijack this I still have popups. Something else I noticed is that after I enter my password to login to my computer it takes about 30-45 seconds for the computer to get to the desktop. It just sits there on the splash screen saying Loading Personal Settings. I only have 3 things that startup so I know it's not those. Is there any way to see what is being loaded at this time?
 
Well, the personal settings thing is not so unusual. That means themes, personal settings, and about a million other such things. Mine will sit there loading for even longer, and you should just see how long it takes to shutdown because of saving personal settings...

Anyway, look into seeing if one of the programs you are running has IE integrated into it like the example I mentioned before. Of course, weatherbug gets detected as having a spyware type thing, but by default it doesn't get removed, but it's quite possible that a seemingly legitimate program can have IE integrated in a similar way that doesn't have actual spyware also.

BTW, one thing you might want to do is edit your hosts file (%SystemRoot%\System32\Drivers\etc in Windows NT,2K & XP and in Win9x you may have to just create one if there isn't one there already in C:\WINDOWS) and set all the domains those popups are using to 127.0.0.1. It won't stop the popups, but it will stop them from loading and that sort of thing which will help in the meantime. See the sticky thread about the hosts file for more details as well as a good blocklist.
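
Added example, not written by any poster in this thread: a small Python auditor for the hosts-file approach described in the post above. It separates entries that sinkhole a name to 127.0.0.1 or 0.0.0.0 from entries that point a name at some other machine (the kind of hosts entry HijackThis reported earlier in the thread), and appends 127.0.0.1 entries for new domains. The sample file, domain names and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample; names use .test and addresses use the 203.0.113.0/24
# documentation range, so nothing here refers to a real host.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1      localhost
127.0.0.1      ads.popup-example.test     # blocked by the user
0.0.0.0        tracker.popup-example.test
203.0.113.45   search-example.test www.search-example.test
::1            localhost
bogus          broken.example.test
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (line_no, address_or_None, [hostnames]) for every mapping line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if not fields:
            continue  # blank line or comment-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None  # first field is not an IP address
        entries.append((line_no, addr, [h.lower() for h in fields[1:]]))
    return entries


def audit_hosts(text):
    """Sort hostnames into normal / sinkhole / redirect / malformed buckets."""
    report = {"normal": [], "sinkhole": [], "redirect": [], "malformed": []}
    for line_no, addr, names in parse_hosts(text):
        if addr is None or not names:
            report["malformed"].append(line_no)
            continue
        for name in names:
            if addr.is_loopback or addr.is_unspecified:
                bucket = "normal" if name in LOCAL_NAMES else "sinkhole"
            else:
                bucket = "redirect"  # name is forced to another machine
            report[bucket].append((line_no, name, str(addr)))
    return report


def add_sinkholes(text, domains):
    """Append '127.0.0.1 <domain>' for each domain not already sinkholed."""
    already = {name for _, name, _ in audit_hosts(text)["sinkhole"]}
    wanted = dict.fromkeys(d.lower() for d in domains)  # ordered de-duplication
    lines = text.rstrip("\n").splitlines()
    lines += [f"127.0.0.1      {d}" for d in wanted if d not in already]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for bucket, items in audit_hosts(SAMPLE_HOSTS).items():
        print(bucket, items)
```
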
 