Popup window at startup

Steve

Whenever my system starts, a popup ad window loads. Best
as I can tell, the site serving the pages has a Fastclick
domain. The window only loads once within a 24-hour
period. If I reboot my computer within that period, the
window will not appear. I've done much research to try and
find out how I can remove whatever is loading this popup.
I've used many spyware/adware-busting programs (including
Ad-aware, and Spybot S&D, and Hijack This!--all with the
latest updates installed), but none have worked. I've also
run Norton AntiVirus (with the most recent definitions) to
no avail. I've looked in autoexec.bat, config.sys,
win.ini, system.ini, and used msconfig.exe. I've also
examined the various registry keys associated with startup
programs and have not been able to find anything. One
characteristic of this insidious vermin is that it is the
last thing that loads. That is, it doesn't appear until
after the final program in the Startup folder has run.
What is the OS facility that could be loading this popup
such that it is the very last thing that is loaded at
system startup after all startup processes have been
initiated and the Desktop is in place?
 
Frank Saunders, MS-MVP

First eliminate any scumware.
See
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

Note that AdAware and SpyBot S & D will each catch some things the other
won't. Also, each needs to be updated before every use, even when just
downloaded.

If trying everything at that site does not fix the problem please post back
in the same thread.
 
Jim Byrd

Hi Steve - If you get popups even when your browser is not connected to the
Internet with a title bar reading "Messenger Service", then these are most
likely due to open NetBios TCP ports 135, 139 and 445 and UDP ports 135,
137-138 and a UDP port in the range of 1026-1029. You really need to block
these with a firewall as a general protection measure. You can stop the
popups by turning off Messenger Service; however, this still leaves you
vulnerable. If you have an NT-based OS such as XP or Win2k, you should
probably also specifically block TCP 593, 4444 and UDP 69, 139, 445, and
install the very important 823980 patch from MS03-026, here:
http://support.microsoft.com/?kbid=823980 to block the Blaster worm.


See: Messenger Service Window That Contains an Internet Advertisement
Appears http://support.microsoft.com/?id=330904 which identifies reasons to
keep this service and steps to take if you do.

You can test your system and follow the 'Prevention' link to get additional
information here: http://www.mynetwatchman.com/winpopuptester.asp

Unless you have very good reasons to keep this active, it should be turned
off in Win2k and XP. Go here and do what it says:
http://www.itc.virginia.edu/desktop/docs/messagepopup/
or, even better, get MessageSubtract, free, here, which will give you
flexible control of the service and viewing of these messages:
http://www.intermute.com/messagesubtract/help.html
Recommended.

(FWIW, ZoneAlarm's default Internet Zone firewall configuration blocks the
necessary ports to prevent this use of Messenger Service. I don't know the
situation with regard to other firewalls.)

Messenger Service is not per se Spyware or something that MS did wrong - It
provides a messaging capability which is useful for local intranets and is
also sometimes (albeit nowadays infrequently) used by some applications to
provide popup messages to users. However, it can also be (and now
frequently is) used to introduce spam via this open NetBios channel. For a
single user home computer, it normally isn't needed and can be turned off
which will eliminate the spam popups. This DOESN'T, however, remove the
vulnerability of having these ports open, when in fact they aren't needed,
since they can be perverted in other ways as well, some of which can be much
more damaging than just a spam popup.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
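
An added example, not part of the original posts: one way to check a machine against the port list in the reply above is to scan `netstat -an` output for listeners on those ports that are bound to a non-loopback address. The function name and the sample output are constructed for illustration.

```python
# Added example: ports are the ones listed in the post above.
WATCH = {
    "TCP": {135, 139, 445, 593, 4444},
    "UDP": {69, 135, 137, 138, 139, 445} | set(range(1026, 1030)),
}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:445          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:4444      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:1026           *:*
  UDP    192.168.1.10:137       *:*
  UDP    0.0.0.0:500            *:*
"""


def exposed_listeners(netstat_text):
    """Return (proto, address, port) for watched ports open to the network."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in WATCH:
            continue  # banner, column header, or blank line
        proto, local = parts[0], parts[1]
        # TCP rows carry a state; only LISTENING sockets accept connections.
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        # Loopback-only sockets are not reachable from other machines.
        if host.startswith("127.") or host == "[::1]":
            continue
        if int(port) in WATCH[proto]:
            findings.append((proto, host, int(port)))
    return findings


if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE):
        print(f"{proto} {port} is open on {host}: block it at the firewall")
```
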



 
Guest

Jim:

Thanks for your thoughtful response. I should've stated at
the outset that I'm running Win98. The problem is not
Messenger Service-based. I did check the sites you
referred to.

Again, thanks.

Steve
 
Steve

Frank:

I did check this page (mvps.org/winhelp2002/unwanted.htm)
earlier and looked into or applied most of its
recommendations/suggestions. Still no success.

Thanks,

Steve
 
Steve

Henri:

As you suggested, I searched for all *.reg files and found
many. As far as I know, though, nothing unusual.

Thanks,

Steve
 
Steve

Thanks for the link. I'm using Win98 and the problem is
not connected with the Messenger Service.

Steve
 
Mike Burgess

Steve,
You say you used HijackThis ..... now did you post your log file
to the Forum suggested or did you try fixing the problem yourself?

If you posted your log, who did you sign on as, and I'll have a look.
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-26-03]
Please post replies to this Newsgroup, email address is invalid
 
Steve

Mike:

I didn't post to the forum because there was nothing
unusual, and everything seemed to be legit based on what
I've read on the topic. What loads after the programs in
the Startup folder are launched?

Thanks,

Steve
 
