popups continue despite efforts

Jaz

Hi folks,

Can anyone suggest an end-all popup stopper and spyware cleaner?

All of the sudden a few popups appeared. I probably installed
something nasty, but I don't recall what. First I chased processes,
registry entries, etc.,

Then AdAware, but that seemed to cause an explosion of
self-installers, icons on the desktop, and spyware became rampant.
(Sorry if this is a bad assessment of cause and effect, but that was
my experience)

Next I resorted to Spybot Search & Destroy, SpywareGuard, and
SpywareBlaster, but these haven't stopped all the popups.

I've updated Windows, updated NAV 2003, updated the three spyware
tools.

Since there are other Windows 2000 systems on the same network, should
I reformat and reload this troublesome PC as a precaution to
contracting nasties on the others, or is there an end-all product that
will stop all this stupidity?

Thanks
Jaz
(Please excuse the 'burp' when replying)
 
SFB

Jaz said:
Hi folks,

Can anyone suggest an end-all popup stopper and spyware cleaner?

All of the sudden a few popups appeared. I probably installed
something nasty, but I don't recall what. First I chased processes,
registry entries, etc.,

Then AdAware, but that seemed to cause an explosion of
self-installers, icons on the desktop, and spyware became rampant.
(Sorry if this is a bad assessment of cause and effect, but that was
my experience)

Next I resorted to Spybot Search & Destroy, SpywareGuard, and
SpywareBlaster, but these haven't stopped all the popups.

I've updated Windows, updated NAV 2003, updated the three spyware
tools.

Since there are other Windows 2000 systems on the same network, should
I reformat and reload this troublesome PC as a precaution to
contracting nasties on the others, or is there an end-all product that
will stop all this stupidity?
CWS shredder? http://www.spywareinfo.com/~merijn/downloads.html
 
Morton Davis

Jaz said:
Hi folks,

Can anyone suggest an end-all popup stopper and spyware cleaner?

All of the sudden a few popups appeared. I probably installed
something nasty, but I don't recall what. First I chased processes,
registry entries, etc.,

Then AdAware, but that seemed to cause an explosion of
self-installers, icons on the desktop, and spyware became rampant.
(Sorry if this is a bad assessment of cause and effect, but that was
my experience)

Next I resorted to Spybot Search & Destroy, SpywareGuard, and
SpywareBlaster, but these haven't stopped all the popups.

I've updated Windows, updated NAV 2003, updated the three spyware
tools.

Since there are other Windows 2000 systems on the same network, should
I reformat and reload this troublesome PC as a precaution to
contracting nasties on the others, or is there an end-all product that
will stop all this stupidity?

Thanks
Jaz
(Please excuse the 'burp' when replying)

I don't know why, but popups seem to be diminishing. I'm not running any
stopper system, but I don't get many popups. Could it be that advertisers
finally realized they were pissing people off?

-*MORT*-
 
*Vanguard*

"Jaz" said in news:[email protected]:
Hi folks,

Can anyone suggest an end-all popup stopper and spyware cleaner?

All of the sudden a few popups appeared. I probably installed
something nasty, but I don't recall what. First I chased processes,
registry entries, etc.,

Then AdAware, but that seemed to cause an explosion of
self-installers, icons on the desktop, and spyware became rampant.
(Sorry if this is a bad assessment of cause and effect, but that was
my experience)

Next I resorted to Spybot Search & Destroy, SpywareGuard, and
SpywareBlaster, but these haven't stopped all the popups.

I've updated Windows, updated NAV 2003, updated the three spyware
tools.

Since there are other Windows 2000 systems on the same network, should
I reformat and reload this troublesome PC as a precaution to
contracting nasties on the others, or is there an end-all product that
will stop all this stupidity?

Thanks
Jaz
(Please excuse the 'burp' when replying)

Ad-aware and Spybot are not popup stoppers. They are anti-spyware products.
If you want to stop popups (which I assume you to mean for those that occur
when web browsing), get a popup stopper: PopUp Cop, Google Toolbar, PopUp
Inspector, and many others. I use PopUp Cop on my machine and the Google
Toolbar on a friend's machine (they didn't want to pay any more for better
features).
 
Jaz

*Vanguard* said:
"Jaz" said in news:[email protected]:

Ad-aware and Spybot are not popup stoppers. They are anti-spyware products.
If you want to stop popups (which I assume you to mean for those that occur
when web browsing), get a popup stopper: PopUp Cop, Google Toolbar, PopUp
Inspector, and many others. I use PopUp Cop on my machine and the Google
Toolbar on a friend's machine (they didn't want to pay any more for better
features).

Thanks for that, Vanguard.

In an earlier thread today someone mentioned Process Explorer
(procexp.exe) by sysinternals.com. I ran that and noticed a process
icon that I had seen very briefly as my PC was booting (as the desktop
was loading icons). That icon was three cubes arranged in a triangle
(recall Qbert?), and belonged to keyhost.exe. Googling found a post in
which someone recommended killing and deleting it (in
%systemroot%\system32). Sho'nuff, didn't see it on any of my other
Win2K systems.

After deleting it I still got popups, so installed Zone Alarm. After
rebooting... None. So it seems there's still a lingering dll, but
perhaps it's not run without its parent/partner, keyhost.exe (I don't
think ZA is to thank here 'cause it's not warning me of any blocked
net access)

It surprises me that Spybot, et al, don't catch this bugger. It also
surprises me that Anti-virus proggies don't include spyware cleaners,
at least with the option, even if these nasties aren't technically
viruses.

And yes, I don't use IE (why-o-why did M$ integrate IE with Windows?
If they hadn't then the popup problem would be limited to your browser
of choice) and only use Windows for the wealth of programs and
utilities; if not for them I'd be running *nix

Cheers & Thanks
Jaz
(Please excuse the 'burp' when replying)
 
Jaz

Jennie said:
Move to firefox 0.8.....no pop up and not the hassles of explorer...

http://www.mozilla.org/products/firefox/

Explorer is too much of a virus headache....

Jennie,

Yes, IE is definitely to blame, but unfortunately M$ built it into
Windows. I don't run IE except in rare occasions like when a website
that I need to use was written by some lazy-ass person who used .Net,
ASP or whatever. (Jeez, I hate that)

I'm using Firefox 0.8 and Thunderbird 4.0.

Thanks
Jaz

(Please excuse the 'burp' when replying)
 
SFB

Jaz said:
Thanks for that, Vanguard.

In an earlier thread today someone mentioned Process Explorer
(procexp.exe) by sysinternals.com. I ran that and noticed a process
icon that I had seen very briefly as my PC was booting (as the desktop
was loading icons). That icon was three cubes arranged in a triangle
(recall Qbert?), and belonged to keyhost.exe. Googling found a post in
which someone recommended killing and deleting it (in
%systemroot%\system32). Sho'nuff, didn't see it on any of my other
Win2K systems.

After deleting it I still got popups, so installed Zone Alarm. After
rebooting... None. So it seems there's still a lingering dll, but
perhaps it's not run without its parent/partner, keyhost.exe (I don't
think ZA is to thank here 'cause it's not warning me of any blocked
net access)

It surprises me that Spybot, et al, don't catch this bugger. It also
surprises me that Anti-virus proggies don't include spyware cleaners,
at least with the option, even if these nasties aren't technically
viruses.

And yes, I don't use IE (why-o-why did M$ integrate IE with Windows?
If they hadn't then the popup problem would be limited to your browser
of choice) and only use Windows for the wealth of programs and
utilities; if not for them I'd be running *nix

Cheers & Thanks
Jaz
(Please excuse the 'burp' when replying)

After already suggesting CWS shredder I now urge you to use HijackThis and
either post the scan-log here or in the HJT forum.
http://mjc1.com/mirror/hjt/
 
charlie R

I haven't seen a popup since I installed ZoneAlarm Pro, a year and a
half ago. I have my Internet Security Zone on High, block popups, and
allow only session cookies, (unless I need to allow persistent). I
uninstalled my Popup Stopper, it just wasn't needed.

charlie R
 
Jaz

After already suggesting CWS shredder I now urge you to use HijackThis and
either post the scan-log here or in the HJT forum.
http://mjc1.com/mirror/hjt/

Thanks SFB,

I ran Hijackthis and got the below log. Then I ran CWSShredder and it
came up clean except for one "CWS variant" which it needed me to
reboot to clean. Ran again after reboot and CWSShredder claimed clean.

Do you see anything in the HijackThis log?

Thanks again!
Jaz

==============================
Logfile of HijackThis v1.97.7
Scan saved at 1:44:55 PM, on 2/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Programs\Norton AntiVirus\navapsvc.exe
C:\Programs\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Programs\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Documents and Settings\jaz\Application Data\saer.exe
C:\WINNT\system32\wnsintit.exe
C:\Programs\SpywareGuard\sgmain.exe
C:\Programs\SpywareGuard\sgbhp.exe
C:\Programs\MozillaFirebird\MozillaFirebird.exe
C:\Programs\Utils\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.searchant.com/sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.searchant.com/r=6&s=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
=
R3 - URLSearchHook: IncrediFindBHO Class -
{5D60FF48-95BE-4956-B4C6-6BB168A70310} -
C:\Programs\INCRED~1\BHO\INCFIN~1.DLL
O1 - Hosts: 172.16.30.16 ganymede harbell.<snip>.net
O2 - BHO: SpywareGuard Download Protection -
{4A368E80-174F-4872-96B5-0B27DDD11DB2} -
C:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Programs\Spybot\SDHelper.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} -
C:\Programs\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {BB9361E5-52F8-E083-E7AB-4576D31A9DC0} - (no
file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Programs\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programs\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} -
C:\WINNT\2020Search2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon
initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [FinePrint Dispatcher v5]
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [version] C:\WINNT\system32\version.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINNT\system32\Keyhost.exe
O4 - HKLM\..\Run: [updater] C:\Programs\Common
files\updater\wupdater.exe
O4 - HKLM\..\Run: [Zone Labs Client]
C:\Programs\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [ntbalckup.exe] C:\WINNT\system32\ntbalckup.exe
O4 - HKCU\..\Run: [Atro] C:\Documents and Settings\jaz\Application
Data\saer.exe
O4 - HKCU\..\Run: [WNSC] C:\WINNT\system32\wnsintit.exe
O4 - Startup: SpywareGuard.lnk = C:\Programs\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
present
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37997.7060763889
O17 -
HKLM\System\CCS\Services\Tcpip\..\{5A4B41E3-8E4B-4A6B-8C3C-6CF2FFC6C813}:
NameServer = 4.2.2.1,4.2.2.2
O17 -
HKLM\System\CS1\Services\Tcpip\..\{5A4B41E3-8E4B-4A6B-8C3C-6CF2FFC6C813}:
NameServer = 4.2.2.1,4.2.2.2
O17 -
HKLM\System\CS2\Services\Tcpip\..\{5A4B41E3-8E4B-4A6B-8C3C-6CF2FFC6C813}:
NameServer = 4.2.2.1,4.2.2.2

=====================================

(Please excuse the 'burp' when replying)
 
Jaz

siljaline said:

Well, I really want to get to the root of the problem, rather than
installing barriers. The problem is that there are nasties lurking on
my PC and the only real solution is to clean them off. Since I'm
running non-IE from behind a firewall, the popups are coming from
processes running on my pc, not from messenger service connections
from remote TCP.

Thanks for the suggestion.

(Please excuse the 'burp' when replying)
 
Jaz

Mike said:
Hi Jaz,

Do you ever get pop-ups when you are offline? Or just when you are online?

--Mike

Well, not sure. I'm on a firewalled DSL connection, so I haven't tried
unplugging ethernet wire... tho I imagine the trojan is written so
that no popup would appear unless it can get a dns lookup (staying
hidden)

As of now I think I'm in the clear, but if it comes back then I'll
experiment and report back.

Thanks!
(Please excuse the 'burp' when replying)
 
Jaz

Jaz said:
Hi folks,

Can anyone suggest an end-all popup stopper and spyware cleaner?

All of the sudden a few popups appeared. I probably installed
something nasty, but I don't recall what. First I chased processes,
registry entries, etc.,

<snip>

Okay, Zone Alarm is reporting that "sear1 MFC Application" is trying
to get to the Internet. The process is 'wnsintit.exe' -- this sounds
like a nasty to me. Anyone?

PS, I'm now running/using:

- NAV 2003
- Zone Alarm Pro
- Spybot S&D
- SpywareBlaster
- SpywareGuard
- HijackThis
- CWSShredder

ALL of which now say I'm clean (tho Spybot S&D has found and deleted
TONS of items). PSS, this is my hacking around system (games, etc.) and
has only been installed for a few months. I guess I don't practice
enough caution on this one.

TIA,
Jaz



(Please excuse the 'burp' when replying)
 
Beauregard T. Shagnasty

Quoth the raven named Jaz:
==============================
Logfile of HijackThis v1.97.7
Scan saved at 1:44:55 PM, on 2/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes: ....
C:\WINNT\svchost.exe
C:\WINNT\System32\svchost.exe

Are there supposed to be /two/ svchost.exe files? I've got Win2K SP4
as well, and I do not have a copy in c:\winnt.

To quote C. Lambert, "There can be only one."
 
SFB

Jaz said:
Thanks SFB,

I ran Hijackthis and got the below log. Then I ran CWSShredder and it
came up clean except for one "CWS variant" which it needed me to
reboot to clean. Ran again after reboot and CWSShredder claimed clean.

Do you see anything in the HijackThis log?

Too much but we must start somewhere.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.searchant.com/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.searchant.com/sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= http://www.searchant.com/sp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.searchant.com/r=6&s=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
=
R3 - URLSearchHook: IncrediFindBHO Class -
{5D60FF48-95BE-4956-B4C6-6BB168A70310} -
C:\Programs\INCRED~1\BHO\INCFIN~1.DLL
O1 - Hosts: 172.16.30.16 ganymede harbell.<snip>.net
O2 - BHO: SpywareGuard Download Protection -
{4A368E80-174F-4872-96B5-0B27DDD11DB2} -
C:\Programs\SpywareGuard\dlprotect.dll

DELETE the above.
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} -
C:\Programs\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {BB9361E5-52F8-E083-E7AB-4576D31A9DC0} - (no
file)

Delete the above

O3 - Toolbar: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} -
C:\WINNT\2020Search2.dll

Delete the above
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
present
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\inetadpt.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37997.7060763889
O17 -
HKLM\System\CCS\Services\Tcpip\..\{5A4B41E3-8E4B-4A6B-8C3C-6CF2FFC6C813}:
NameServer = 4.2.2.1,4.2.2.2
O17 -
HKLM\System\CS1\Services\Tcpip\..\{5A4B41E3-8E4B-4A6B-8C3C-6CF2FFC6C813}:
NameServer = 4.2.2.1,4.2.2.2
O17 -
HKLM\System\CS2\Services\Tcpip\..\{5A4B41E3-8E4B-4A6B-8C3C-6CF2FFC6C813}:
NameServer = 4.2.2.1,4.2.2.2

=====================================

(Please excuse the 'burp' when replying)

After cleaning as suggested post the next log, I was not able to set my mind
to see through all culprits.
I will set it again after the first cleansing.
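
Added example, not part of any post in this thread: a small Python triage script for a HijackThis log pasted into a newsgroup message. It rejoins the lines the newsreader wrapped (assuming wraps fall on spaces) and then applies the two checks made by hand above: Beauregard's second svchost.exe outside system32, and the BHO entry with "(no file)" that SFB marks for deletion. The function names and the SYSTEM32_ONLY list are assumptions of this example; the sample lines are taken from Jaz's log.

```python
import ntpath
import re

# Constructed sample: lines from the log in this thread, hard wraps left in.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Programs\Spybot\SDHelper.dll
O2 - BHO: (no name) - {BB9361E5-52F8-E083-E7AB-4576D31A9DC0} - (no
file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")   # e.g. "R1 - ...", "O10 - ..."
DRIVE = re.compile(r"^[A-Za-z]:\\")
# Windows components that ship in %SystemRoot%\system32 (list is illustrative).
SYSTEM32_ONLY = {"smss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}


def unwrap(log_text):
    """Rejoin wrapped lines; return (process_paths, [(section, text), ...])."""
    processes, entries, in_processes = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue
        match = ENTRY.match(line)
        if match:                                   # new registry/file entry
            in_processes = False
            entries.append([match.group(1), match.group(2)])
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and DRIVE.match(line):    # new process path
            processes.append(line)
        elif in_processes and processes:            # wrapped process path
            processes[-1] += " " + line
        elif entries:                               # wrapped entry text
            entries[-1][1] += " " + line
    return processes, [tuple(e) for e in entries]


def review(log_text, system_root=r"C:\WINNT"):
    """Return (reason, item) findings for the two checks made in the thread."""
    processes, entries = unwrap(log_text)
    system32 = ntpath.join(system_root, "system32").lower()
    findings = []
    for path in processes:
        folder, name = ntpath.split(path)
        if name.lower() in SYSTEM32_ONLY and folder.lower() != system32:
            findings.append(("system process outside system32", path))
    for section, text in entries:
        if section == "O2" and text.endswith("(no file)"):
            findings.append(("BHO with no file on disk", text))
    return findings
```

Calling review(SAMPLE_LOG) returns a list of (reason, item) pairs; pass a different system_root for machines where Windows is not installed in C:\WINNT.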
 
SFB

Jaz said:
<snip>

Okay, Zone Alarm is reporting that "sear1 MFC Application" is trying
to get to the Internet. The process is 'wnsintit.exe' -- this sounds
like a nasty to me. Anyone?

Sounds very Nasty.
Keep posting though I am trying to find out your problem.
 
