G
Guest
when i log onto internet popups in grey box tell me my registry is corrupt
and to go to various sites to fix can i delete this
and to go to various sites to fix can i delete this
D
Dan Seur
yes its ads
---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0603-4, 01/20/2006
Tested on: 1/23/2006 9:15:11 AM
avast! - copyright (c) 1988-2004 ALWIL Software.
http://www.avast.com
---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0603-4, 01/20/2006
Tested on: 1/23/2006 9:15:11 AM
avast! - copyright (c) 1988-2004 ALWIL Software.
http://www.avast.com
G
Galen
In jon had this to say:
My reply is at the bottom of your sent message:
You can stop the messenger service, update the OS, and add/configure a
firewall. Stopping the messenger service might stop the ads from getting
through but it will leave the port open still and doesn't actually cure the
problem. The best option is to install/configure a firewall.
--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/
http://kgiii.info/
"We approached the case, you remember, with an absolutely blank mind,
which is always an advantage. We had formed no theories. We were simply
there to observe and to draw inferences from our observations." -
Sherlock Holmes
My reply is at the bottom of your sent message:
You can stop the messenger service, update the OS, and add/configure a
firewall. Stopping the messenger service might stop the ads from getting
through but it will leave the port open still and doesn't actually cure the
problem. The best option is to install/configure a firewall.
--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/
http://kgiii.info/
"We approached the case, you remember, with an absolutely blank mind,
which is always an advantage. We had formed no theories. We were simply
there to observe and to draw inferences from our observations." -
Sherlock Holmes
D
David H. Lipman
From: "jon" <[email protected]>
| when i log onto internet popups in grey box tell me my registry is corrupt
| and to go to various sites to fix can i delete this
It is a con job !
To disable the Windows Messenger Service, you can open a Command Prompt and type the
following commands...
sc stop Messenger
sc config Messenger start= disabled
A Router such as the Linksys BEFSR41 will also block this at the WAN/LAN interface and such
messages won't be seen on a LAN PC.
If you are worried that you PC is infected, please usethe following Multi AV Scanning
Tool....
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
* * * Please report back your results * * *
| when i log onto internet popups in grey box tell me my registry is corrupt
| and to go to various sites to fix can i delete this
It is a con job !
To disable the Windows Messenger Service, you can open a Command Prompt and type the
following commands...
sc stop Messenger
sc config Messenger start= disabled
A Router such as the Linksys BEFSR41 will also block this at the WAN/LAN interface and such
messages won't be seen on a LAN PC.
If you are worried that you PC is infected, please usethe following Multi AV Scanning
Tool....
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
* * * Please report back your results * * *
J
Jim Byrd
Hi Jon - Just to suppliment David's remarks:
There are currently two classes of things going on that are causing people
popup difficulties. If you get popups even when your browser is not
connected to the Internet with a title bar reading "Messenger Service", then
these are most likely due to open NetBios TCP ports 135, 139 and 445 and UDP
ports 135, 137-138 and a UDP port in the range of 1026-1029.. You really
need to block these with a firewall as a general protection measure. You
can stop the popups by turning off Messenger Service; however, this still
leaves you vulnerable. If you have an NT-based OS such as XP or Win2k, you
should probably also specifically block TCP 593, 4444 and UDP 69, 139, 445,
and install the very important 824146 and 823980 patches from MS03-026 and
MS03-039, here: http://support.microsoft.com/default.aspx?kbid=824146 to
block the Blaster worm as well as several other parasites. There is a tool
available here to check for these patches:
http://support.microsoft.com/default.aspx?scid=kb;en-us;827363
See: Messenger Service Window That Contains an Internet Advertisement
Appears http://support.microsoft.com/?id=330904 which identifies reasons to
keep this service and steps to take if you do.
You can test your system and follow the 'Prevention' link to get additional
information here:
http://www.mynetwatchman.com/winpopuptester.asp Unless you have very good
reasons to keep this active, it should be turned off in Win2k and XP. Go
here and do what it says:
http://www.itc.virginia.edu/desktop/docs/messagepopup/ or, even better, get
MessageSubtract, free, here, which will give you flexible control of the
service and viewing of these messages:
http://www.intermute.com/messagesubtract/help.html Recommended.
(FWIW, ZoneAlarm's default Internet Zone firewall configuration blocks the
necessary ports to prevent this use of Messenger Service. I don't know the
situation with regard to other firewalls.)
Messenger Service is not per se Spyware or something that MS did wrong - It
provides a messaging capability which is useful for local intranets and is
also sometimes (albeit nowadays infrequently) used by some applications to
provide popup messages to users. However, it can also be (and now frequently
is) used to introduce spam via this open NetBIOS channel. For a single user
home computer, it normally isn't needed and can be turned off which will
eliminate the spam popups. This DOESN'T, however, remove the vulnerability
of having these ports open, when in fact they aren't needed, since they can
be perverted in other ways as well, some of which can be much more damaging
than just a spam popup.
If you're getting a lot of popups while surfing, then the following may be
useful:
First: Make sure that you are up-to-date on ALL critical Windows
updates/hotfixes and that you have a hardware or software firewall and an
UPDATED Anti-Virus.
#########IMPORTANT#########
Before you try to remove spyware using any of the programs below, download
both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm
AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here: http://www.tacktech.com/display.cfm?ttid=257
or here for Win2k/XP
http://files.webattack.com/localdl834/WinsockxpFix.exe
Info and download here: http://www.spychecker.com/program/winsockxpfix.html
Directions here: http://www.iup.edu/house/resnet/winfix.shtm
The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
to regain your connection.
For XP SP2, you can also use the Run command: netsh winsock reset catalog
to fix this problem without the need for these programs.
For XP pre-SP2, you can use this Run command: netsh int ip reset
resetlog.txt
Also, one MS technician suggested that the following sequence of Run
commands for XP may help in some cases:
netsh int reset all
ipconfig /flushdns
See also: http://windowsxp.mvps.org/winsock.htm for additional XPSP2
info/approaches using the netsh command.
An alternative approach with necessary .reg files which will often work even
when the above doesn't is defined here, courtesy of Bob Cerelli:
http://www.onecomputerguy.com/ie_tips.htm#winsock_fix Recommended.
Remember - you need to do any downloads ahead of time BEFORE you do any
malware cleaning.
#########IMPORTANT#########
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF)(including offline content.) Reboot and test if the
malware is fixed after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):
1. StartRun enter msconfig.
2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.
4. Click OK and then reboot.
For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
Sometimes the tools below will find files which they are unable to delete
because they are in use.
A program called Copylock, here, http://noeld.com/programs.asp?cat=misc can
aid in the process of "replacing, moving, renaming or deleting one or many
files which are currently in use (e.g. system files like comctl32.dll, or
virus/trojan files.)"
Another is Killbox, here: http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often very useful is Delete Invalid
File, here: http://www.purgeie.com/delinv.htm which handles invalid/UNC
file/folder name deleting, rather than the in use problem.
A fourth useful program is Unlocker, here:
..http://ccollomb.free.fr/unlocker/ " Simply right click the folder or file
and select Unlocker. If the folder or file is locked, a window listing of
lockers will appear. Simply select the lockers and click Unlock and you are
done!" Works as advertised and is particularly helpful in identifying
malware components which are 'protecting' each other.
Download and run a FRESH COPY of Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
on this page: http://vil.nai.com/vil/stinger/
Boot to Safe mode with Network Support (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
or a Clean Boot as above.
Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest released
pattern file, here: http://www.trendmicro.com/download/pattern.asp Be sure
to read the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt
(You might also want to get SYSCLEAN_FE, also written by David H. Lipman ,
available here: http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe.
There's a brief description here: http://www.ik-cs.com/more_information.htm.
(If you download and use the updater from the beginning, it will
automatically handle downloading the other files. Note: If you use
Sysclean_FE, then it MUST be in the C:\sysclean folder in order to work
correctly.) SYSCLEAN_FE offers the option of restarting in order to run
SysClean in Safe mode; however, I would recommend that you use a Clean Boot
to actually run both the SYSCLEAN_FE and SysClean programs when using the
updater. (Note BTW that SYSCLEAN_FE will make a copy of your HOSTS file [see
the end of this post for more about the HOSTS file], if any, renaming it
hosts.bak, and then delete the original HOSTS file. To restore it when
you've finished cleaning your machine, just rename hosts.bak back to HOSTS.)
NOTE: You can get a somewhat more current interim pattern file, the
Controlled Pattern Release, here and manually unzip it to your SysClean
folder: http://www.trendmicro.com/download/pattern-cpr-disclaimer.asp
(Sorry, but the Updater won't get this one for you.) Look for the lptxxx.zip
file after you agree to the terms.
Place them in a dedicated folder after appropriate unzipping.
Show hidden and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
If you're using WindowsME or WindowsXP, SysClean (and the other cleaning
tools below) may find infections within Restore Points which it will be
unable to clean. You may choose to disable Restore if you're on XP or ME
(directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) which will
eliminate ALL previous Restore Points, or alternatively, you can wait until
cleaning is completed and then use the procedure within the *********'s
below to delete all older, possibly infected Restore Points and save a new,
clean one. This approach is in the sprit of "keep what you've got" so that
you can recover to an at least operating albeit infected system if you
inadvertently delete something vital, and is the approach I recommend that
you take. See here: http://aumha.net/viewtopic.php?t=15265 Here are MVP Jim
Eshelman's specific recommendations from that document (with which I'm in
agreement):
(1) Know the risk of reinfection if you SystemRestore before it is cleaned.
(2) Until it is cleaned, don't use it unless you absolutely have to.
(3) Leave SR cache in place during cleaning since a leaky boat in a storm is
better than no boat in a storm, and returning to an infected computer state
is better than losing everything.
(4) Clean the machine.
(5) After the machine is clean, make a new SR point and purge all the old
ones.
(6) Rescan to make sure things remain clean.
Read tscreadme.txt carefully, then do a complete scan of your system and
clean or delete anything it finds.
Reboot and re-run SysClean and continue this procedure until you get a clean
scan or nothing further can be cleaned/removed.
Now reboot to normal mode and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.
Note that sometimes you need to make a judgement call about what the
programs below report as spyware. See here, for example:
http://www.imilly.com/alexa.htm They can also sometimes generate "false
positives" so look carefully before you delete things. There's a good list
of categorized "unknown, safe, optional, spyware/adware, virus" programs to
check against here: http://www.pcpitstop.com/spycheck/SWList.asp
Download and run the free or trial version of A2 Personal, here:
http://www.emsisoft.com/en/ UPDATE, then run from a Clean Boot or Safe Mode
with Show Hidden Files enabled as above.
Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/. Tutorial here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=48
UPDATE, set it up in accordance with this:
http://forum.aumha.org/viewtopic.php?t=5877 or the directions immediately
below and UPDATE and run this regularly from Safe mode or a Clean Boot to
get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove things
which are currently "in use" before it can then clean up others. Configure
Ad-aware for a customized scan (see below), and let it remove any bad files
found..... Also download the VX2 plug-in from that same Lavasoftusa site
and after running the AdAware scan, run this plug-in.
Setting up a customized scan, courtesy of NonSuch at Lockergnome:
Open Ad-aware then click the gear wheel at the top and check these options
to configure Ad-aware for a customized scan:
General> activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes during
scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."
Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found, click
"Next." The bad files will be listed. Right click the pane and click "Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"
Courtesy of http://www.nondisputandum.com/html/anti_spyware.html: HINT: If
Ad Aware is automatically shut-down by a malicious software, first run
AWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
opening Ad Aware. When AAWCloak is open, click "Activate Cloak". Than open
Ad Aware and scan your system.
Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. Tutorial here:
http://www.safer-networking.org/en/index.html I recommend using both
normally. Be sure and use the Default (NOT Advanced or Beta) Mode in
Settings.
After UPDATING, running from Safe mode or a Clean Boot and fixing ONLY RED
things with SpyBot S&D, be sure to re-boot and rerun SpyBot again and repeat
this cycle until you get a clean "no red" scan. The reason is that SpyBot
sometimes has to remove things which are currently "in use" before it can
then clean up others.
Both of these programs should normally be UPDATED and run after doing any
other fix such as CWShredder and, as a minimum, normally at least once a
week.
When done, go to Start|Run and enter one line at a time (or even easier,
open a DOS box and copy the following in its entirety and then paste it into
the box):
regsvr32 /i browseui.dll
regsvr32 /i shdocvw.dll
regsvr32 /i mshtml.dll
regsvr32 mshtmled.dll
regsvr32 actxprxy.dll
regsvr32 /i urlmon.dll
regsvr32 scrrun.dll
regsvr32 comcat.dll
regsvr32 Oleaut32.dll
regsvr32 /i Shell32.dll
regsvr32 Msoeacct.dll
regsvr32 "C:\Program Files\Outlook Express\Msoe.dll"
regsvr32 msjava.dll
regsvr32 jscript.dll
regsvr32 Olepro32.dll
regsvr32 Hlink.dll
regsvr32 Asctrls.ocx
regsvr32 Inetcpl.cpl /i
regsvr32 Dxtrans.dll
regsvr32 Dxtmsft.dll
regsvr32 Imgutil.dll
regsvr32 Msxml.dll
regsvr32 Msjava.dll
regsvr32 Jscript.dll
regsvr32 Softpub.dll
regsvr32 Wintrust.dll
regsvr32 Initpki.dll
regsvr32 Dssenh.dll
regsvr32 Rsaenh.dll
regsvr32 Gpkcsp.dll
regsvr32 Slbcsp.dll
regsvr32 Cryptdlg.dll
regsvr32 Msjet40.dll
regsvr32 pdm32.dll
regsvr32 Msjtor40.dll
regsvr32 Dao360.dll
regsvr32 Sccbase.dll
with a Return after each .dll. You'll get a message about successful
completion of the re-registration process after each one, then enter the
next (with the DOS box they'll be continuous except for the last one).
If you use Win98x and get an error on Shell32.dll, ignore it. Only the ME,
Win2k and XP versions of windows have shell32 as an object that needs
registering. (For these earlier operating systems, run "regsvr32
shdoc401.dll " instead of "regsvr32 Shell32.dll".) Depending on your
system, you may also get "not found" error messages on some or all of the
last five - if so, ignore them.
Re-start your computer when you've finished.
*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******
Once you get things cleaned up, you might want to consider installing Eric
Howes' IESpyAds, SpywareBlaster and SpywareGuard here to help prevent this
kind of thing from happening in the future:
IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully. Tutorials here:
http://www.bleepingcomputer.com/forums/tutorial53.html
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs, blocks spyware/tracking cookies, and restricts the actions of
potentially dangerous sites) (BTW, SpyWareBlaster is not memory resident ...
no CPU or memory load - but keep it UPDATED) The latest version as of this
writing will prevent installation or prevent the malware from running if it
is already installed, and, additionally, it provides information about and
fixit-links for a variety of parasites. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial49.html
http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial50.html
All three Very Highly Recommended
SpywareBlaster is probably the best preventive tool currently available,
expecially if supplemented by using the Immunize function in SpyBot S&D and
a good HOSTS file (see next). IMPORTANT NOTE: A good additional source of
preventive blocking for ActiveX components is the Blocking List available
here: http://www.spywareguide.com/blockfile.php While smaller than the
SpywareBlaster list, it contains some different malware CLSIDs and appears
to be updated with new threats more frequently. Strongly Recommended as a
supplement to SpywareBlaster. Read all of the instructions in the Expert
package download carefully. You might want to consider using:
http://www.changedetection.com/monitor.html to monitor and notify you of
changes/updates to this list (or other programs, for that matter).
Next, install and keep updated a good HOSTS file. It can help you avoid most
adware/malware. See here: http://www.mvps.org/winhelp2002/hosts.htm (Be sure
it's named/renamed HOSTS - all caps, no extension) Additional tutorials
here: http://www.spywarewarrior.com/viewtopic.php?t=410 (overview) and here:
http://www.bleepingcomputer.com/forums/tutorial51.html (detailed)
Finally, be sure that you have a good hardware or software firewall and an
AntiVirus
Then, there are a variety of third party "Popup Killers" available. I
normally use AdShield, which, if you maintain its Block List every now and
then, almost totally stops this. In addition, it stops a variety of
ads/banners/etc. (particularly spyware like doubleclick) on pages I access.
This is probably all you'll need; however, I've also investigated a program
called webwasher which appears to be very good, but decided that AdShield
was sufficient. At the bottom of this post, you'll find a list provided
courtesy of bc_acadia of a number of free popup blockers with links.
****** NOTE: As of 28 Apr 03 AdShield appears to have partnered with a new
reseller, and AdShield is no longer free. There is a trial version of
AdShield3; however, IMO it is seriously crippled in not being able to import
or export block lists and I think for reasonable utility one would have to
go to the full version. While I don't normally recommend non-free software,
I personally will continue to use AdShield3, since I think it is the best
currently available combined Popup/Ad/Malware blocker, but you should be
aware of the fact that it now costs, ($29.95 when I last looked), whereas
the earlier versions upon which I based my original recommendation were
free, although not nearly as capable as the AdShield3 release. I've included
below links to both the older free version and the new paid version. You'll
have to investigate and make your own choice in the matter. *******
Here are a number of AdShield-related links:
http://www.fsd1.org/technology/Files/AdShield.exe - AdShield1.2 (free)
http://www.internettechs.net/utilities/AdShield.exe - AdShield1.2 (free)
http://euler.free.fr/Adshield/AdShield.exe - AdShield1.2 (free)
http://ftp.ural.ru/home/index/windows/networking/utils/AdShield -
AdShield1.2 (free)
http://www.megalog.ru/info/utilz/AdShield.zip - AdShield1.2 (free)
http://www.lossepladsen.dk/all4you/TheLostWorld/AdShield.php - AdShield1.2
(free)
http://www.allstarss.com/store/adshield.html - AdShield3
http://www.ad-shield.com/ AdShield3 Info/Purchase/Block List
http://www.mvps.org/winhelp2002/block.txt - (Mike Burgess' .txt Block List
for AdShield - Recommended)
http://www.mvps.org/winhelp2002/block.zip - Mike Burgess' Zipped Block List
for AdShield - Recommended)
http://www.songwave.com/software/adshield_blocklist.txt (40,000 pornsites
blocked - *VERY* large list - use at your own risk)
http://www.chrismyden.com/temp/block.abl (chrismyden's blocklist in .abl
format - Recommended)
http://www.staff.uiuc.edu/~ehowes/resource.htm#AdShield (Eric Howes AGNIS
for AdShield block list - Recommended) (BTW, Eric's site contains a wealth
of very valuable information about all aspects of net security - Very Highly
Recommended)
There is additional information about setting up and using AdShield, and
about using the Restricted Zone (and an additional list) here:
http://www.mvps.org/winhelp2002/hosts.htm
Here's a good AdShield test site, courtesy of siljaline: "Make ***SURE***
you have your block scripted popups enabled
http://www.mediaboy.net/1010100-1100001-1111010/gahk/>>>> [Warning this URL
opens a multitude of Browser windows almost instantly - YOU'VE BEEN
WARNED!]"
http://www.webwasher.com - Webwasher
For WinXP users, Service Pack 2 has a built-in popup stopper which at first
look appears to be fairly effective.
Additionally, some people have recommended Popup Stopper and PopupBuster,
but they have also been reported or experienced to cause perceived problems
for some people with "normal" links in IE6 such as Google search results and
links from OE. Some proponents of PopupBuster assert, however, that this is
normal operation for this program under certain circumstances which can be
overridden if necessary. YMMV Another "Proxy" type blocker similar to
Webwasher and Proxomitron but supposedly a bit easier to configure is
Privoxy here: http://www.privoxy.org/
Also, the free Google Tool Bar has a built-in popup blocker which is pretty
effective.
A very clever alternative approach to general ad (vice Popup) blocking is
outlined here:
http://www.sherylcanter.com/articles/oreilly_20040330_HostsPac.php
and here: http://s91363763.onlinehome.us/BlackHoleProxy/index.html
The approach is similar to that used in eDexter, but improved. I've tried
it, and it does work as advertised. (<groan> - sorry 'bout that!)
Probably should only be considered by more knowledgeable users, as it's a
little complicated to set up using the directions given if you don't already
know a bit. (It also has some tendency to block some things you'd rather it
didn't at times if PAC files are used instead of the HOSTS file due to its
use of regular expressions for blocking definitions without some tuning.)
Lastly, ZoneAlarmPro3/4 has added provisions for stopping adds/popups,
handling cookies, web bugs, and scripting/ActiveX components in addition to
it's firewall functionality. Not free, but I have used it with my other
AdBlocking stuff (AdShield, etc.) turned off as a test, and it appears to be
very good indeed. So far I've experienced no problems at all with it set in
its High Security modes for Ads although others have reported the need to
temporarily turn it off to reach some sites. Also, Agnitum's Outpost
Firewall supports a plug-in for this: "Pre-configured to block most banner
advertisement. Can be configured manually or by simply dragging and dropping
unwanted banners into the Ad Trashcan." I have no experience as to how
effective it is, but I have received a favorable report.
There's good information about hijacking in general and fixes available for
specific hijackers here: http://spywareinfo.com/articles/hijacked/
http://gmpservicesinc.com/Articles/hijack.asp
http://www.mvps.org/inetexplorer/Darnit.htm#pop_up
http://www.doxdesk.com/parasite/
bc_acadia's list:
"Some popup blockers. All of these are 100% pure freeware, no trial
periods. Some of these do more than just handle popups.
Pow!: http://www.analogx.com/contents/download/network/pow.htm
NoAds: http://www.southbaypc.com/NoAds/
PopupEraser: http://www.webknacks.com/popuperaser.htm
Stop-the-Pop: http://www.bysoft.se/sureshot/stopthepop/index.html
Internet Organizer: http://www.sf.yucom.be/wdprojects/
PopKi: http://ranfo.com/popki.html
PopUpKiller: http://sourceforge.net/projects/puk/
AdCruncher Proxy:
http://mysite.verizon.net/~mr_fish/AdCruncher/ReadMe.html
KillAd: http://www.iomagic.org/fsc/
ClickOff: http://www.johanneshuebner.com/en/download.html
PopupBuster: http://www.popupbuster.com/PopUpBuster/
Free Surfer: http://www.kolumbus.fi/eero.muhonen/FS/
Window Shades: http://www.g-m-m.com/Software/WindowShades/index.php
AdShield (my personal favorite): http://www.ad-shield.com/
PopupStopper: http://www.panicware.com/popupstopper.html
Proxomitron (Is no longer supported and has a learning curve):
http://www.proxomitron.org/
For those who don't want third party stuff, your own pc's built-in
host file:
http://www.mvps.org/winhelp2002/hosts.htm and
http://www.accs-net.com/hosts/
Here is a review of 61 popup killers, not all of them are free:
http://www.popup-killer-review.com/index.htm"
NOTE that this site also contains a good, comprehensive series of popup
killer tests. Some good additional tests are also available here:
http://www.webknacks.com/aptest.htm
There's another popup test page here:
http://www.kephyr.com/popupkillertest/index.html
Another good test page and lists of both free and cost popup blockers is
here: http://www.popuptest.com/ Recommended
An excellent test site here: http://www.popupcheck.com/ Highly
Recommended.
Another list of some popup blockers:
http://www.messaging-software.net/popup-killer-software.htm
Perhaps these will help.
There are currently two classes of things going on that are causing people
popup difficulties. If you get popups even when your browser is not
connected to the Internet with a title bar reading "Messenger Service", then
these are most likely due to open NetBios TCP ports 135, 139 and 445 and UDP
ports 135, 137-138 and a UDP port in the range of 1026-1029.. You really
need to block these with a firewall as a general protection measure. You
can stop the popups by turning off Messenger Service; however, this still
leaves you vulnerable. If you have an NT-based OS such as XP or Win2k, you
should probably also specifically block TCP 593, 4444 and UDP 69, 139, 445,
and install the very important 824146 and 823980 patches from MS03-026 and
MS03-039, here: http://support.microsoft.com/default.aspx?kbid=824146 to
block the Blaster worm as well as several other parasites. There is a tool
available here to check for these patches:
http://support.microsoft.com/default.aspx?scid=kb;en-us;827363
See: Messenger Service Window That Contains an Internet Advertisement
Appears http://support.microsoft.com/?id=330904 which identifies reasons to
keep this service and steps to take if you do.
You can test your system and follow the 'Prevention' link to get additional
information here:
http://www.mynetwatchman.com/winpopuptester.asp Unless you have very good
reasons to keep this active, it should be turned off in Win2k and XP. Go
here and do what it says:
http://www.itc.virginia.edu/desktop/docs/messagepopup/ or, even better, get
MessageSubtract, free, here, which will give you flexible control of the
service and viewing of these messages:
http://www.intermute.com/messagesubtract/help.html Recommended.
(FWIW, ZoneAlarm's default Internet Zone firewall configuration blocks the
necessary ports to prevent this use of Messenger Service. I don't know the
situation with regard to other firewalls.)
Messenger Service is not per se Spyware or something that MS did wrong - It
provides a messaging capability which is useful for local intranets and is
also sometimes (albeit nowadays infrequently) used by some applications to
provide popup messages to users. However, it can also be (and now frequently
is) used to introduce spam via this open NetBIOS channel. For a single user
home computer, it normally isn't needed and can be turned off which will
eliminate the spam popups. This DOESN'T, however, remove the vulnerability
of having these ports open, when in fact they aren't needed, since they can
be perverted in other ways as well, some of which can be much more damaging
than just a spam popup.
If you're getting a lot of popups while surfing, then the following may be
useful:
First: Make sure that you are up-to-date on ALL critical Windows
updates/hotfixes and that you have a hardware or software firewall and an
UPDATED Anti-Virus.
#########IMPORTANT#########
Before you try to remove spyware using any of the programs below, download
both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm
AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here: http://www.tacktech.com/display.cfm?ttid=257
or here for Win2k/XP
http://files.webattack.com/localdl834/WinsockxpFix.exe
Info and download here: http://www.spychecker.com/program/winsockxpfix.html
Directions here: http://www.iup.edu/house/resnet/winfix.shtm
The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
to regain your connection.
For XP SP2, you can also use the Run command: netsh winsock reset catalog
to fix this problem without the need for these programs.
For XP pre-SP2, you can use this Run command: netsh int ip reset
resetlog.txt
Also, one MS technician suggested that the following sequence of Run
commands for XP may help in some cases:
netsh int reset all
ipconfig /flushdns
See also: http://windowsxp.mvps.org/winsock.htm for additional XPSP2
info/approaches using the netsh command.
An alternative approach with necessary .reg files which will often work even
when the above doesn't is defined here, courtesy of Bob Cerelli:
http://www.onecomputerguy.com/ie_tips.htm#winsock_fix Recommended.
Remember - you need to do any downloads ahead of time BEFORE you do any
malware cleaning.
#########IMPORTANT#########
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF)(including offline content.) Reboot and test if the
malware is fixed after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):
1. StartRun enter msconfig.
2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.
4. Click OK and then reboot.
For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
Sometimes the tools below will find files which they are unable to delete
because they are in use.
A program called Copylock, here, http://noeld.com/programs.asp?cat=misc can
aid in the process of "replacing, moving, renaming or deleting one or many
files which are currently in use (e.g. system files like comctl32.dll, or
virus/trojan files.)"
Another is Killbox, here: http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often very useful is Delete Invalid
File, here: http://www.purgeie.com/delinv.htm which handles invalid/UNC
file/folder name deleting, rather than the in use problem.
A fourth useful program is Unlocker, here:
..http://ccollomb.free.fr/unlocker/ " Simply right click the folder or file
and select Unlocker. If the folder or file is locked, a window listing of
lockers will appear. Simply select the lockers and click Unlock and you are
done!" Works as advertised and is particularly helpful in identifying
malware components which are 'protecting' each other.
Download and run a FRESH COPY of Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
on this page: http://vil.nai.com/vil/stinger/
Boot to Safe mode with Network Support (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
or a Clean Boot as above.
Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest released
pattern file, here: http://www.trendmicro.com/download/pattern.asp Be sure
to read the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt
(You might also want to get SYSCLEAN_FE, also written by David H. Lipman ,
available here: http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe.
There's a brief description here: http://www.ik-cs.com/more_information.htm.
(If you download and use the updater from the beginning, it will
automatically handle downloading the other files. Note: If you use
Sysclean_FE, then it MUST be in the C:\sysclean folder in order to work
correctly.) SYSCLEAN_FE offers the option of restarting in order to run
SysClean in Safe mode; however, I would recommend that you use a Clean Boot
to actually run both the SYSCLEAN_FE and SysClean programs when using the
updater. (Note BTW that SYSCLEAN_FE will make a copy of your HOSTS file [see
the end of this post for more about the HOSTS file], if any, renaming it
hosts.bak, and then delete the original HOSTS file. To restore it when
you've finished cleaning your machine, just rename hosts.bak back to HOSTS.)
NOTE: You can get a somewhat more current interim pattern file, the
Controlled Pattern Release, here and manually unzip it to your SysClean
folder: http://www.trendmicro.com/download/pattern-cpr-disclaimer.asp
(Sorry, but the Updater won't get this one for you.) Look for the lptxxx.zip
file after you agree to the terms.
Place them in a dedicated folder after appropriate unzipping.
Show hidden and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
If you're using WindowsME or WindowsXP, SysClean (and the other cleaning
tools below) may find infections within Restore Points which it will be
unable to clean. You may choose to disable Restore if you're on XP or ME
(directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) which will
eliminate ALL previous Restore Points, or alternatively, you can wait until
cleaning is completed and then use the procedure within the *********'s
below to delete all older, possibly infected Restore Points and save a new,
clean one. This approach is in the sprit of "keep what you've got" so that
you can recover to an at least operating albeit infected system if you
inadvertently delete something vital, and is the approach I recommend that
you take. See here: http://aumha.net/viewtopic.php?t=15265 Here are MVP Jim
Eshelman's specific recommendations from that document (with which I'm in
agreement):
(1) Know the risk of reinfection if you SystemRestore before it is cleaned.
(2) Until it is cleaned, don't use it unless you absolutely have to.
(3) Leave SR cache in place during cleaning since a leaky boat in a storm is
better than no boat in a storm, and returning to an infected computer state
is better than losing everything.
(4) Clean the machine.
(5) After the machine is clean, make a new SR point and purge all the old
ones.
(6) Rescan to make sure things remain clean.
Read tscreadme.txt carefully, then do a complete scan of your system and
clean or delete anything it finds.
Reboot and re-run SysClean and continue this procedure until you get a clean
scan or nothing further can be cleaned/removed.
Now reboot to normal mode and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.
Note that sometimes you need to make a judgement call about what the
programs below report as spyware. See here, for example:
http://www.imilly.com/alexa.htm They can also sometimes generate "false
positives" so look carefully before you delete things. There's a good list
of categorized "unknown, safe, optional, spyware/adware, virus" programs to
check against here: http://www.pcpitstop.com/spycheck/SWList.asp
Download and run the free or trial version of A2 Personal, here:
http://www.emsisoft.com/en/ UPDATE, then run from a Clean Boot or Safe Mode
with Show Hidden Files enabled as above.
Get Ad-Aware SE Personal Edition, here:
http://www.lavasoftusa.com/support/download/. Tutorial here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=48
UPDATE, set it up in accordance with this:
http://forum.aumha.org/viewtopic.php?t=5877 or the directions immediately
below and UPDATE and run this regularly from Safe mode or a Clean Boot to
get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove things
which are currently "in use" before it can then clean up others. Configure
Ad-aware for a customized scan (see below), and let it remove any bad files
found..... Also download the VX2 plug-in from that same Lavasoftusa site
and after running the AdAware scan, run this plug-in.
Setting up a customized scan, courtesy of NonSuch at Lockergnome:
Open Ad-aware then click the gear wheel at the top and check these options
to configure Ad-aware for a customized scan:
General> activate these: "Automatically save log-file" and "Automatically
quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes",
"Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
sites," and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes during
scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
objects prior to deletion" and "Let Windows remove files in use after
reboot."
Click "Proceed" to save your settings, then click "Start." Make sure
"Activate in-depth scan" is ticked green, then scan your system. When the
scan is finished, the screen will tell you if anything has been found, click
"Next." The bad files will be listed. Right click the pane and click "Select
all objects" - This will put a check mark in the box at the side, click
"Next" again and click "OK" at the prompt "# objects will be removed.
Continue?"
Courtesy of http://www.nondisputandum.com/html/anti_spyware.html: HINT: If
Ad Aware is automatically shut-down by a malicious software, first run
AWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
opening Ad Aware. When AAWCloak is open, click "Activate Cloak". Than open
Ad Aware and scan your system.
Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. Tutorial here:
http://www.safer-networking.org/en/index.html I recommend using both
normally. Be sure and use the Default (NOT Advanced or Beta) Mode in
Settings.
After UPDATING, running from Safe mode or a Clean Boot and fixing ONLY RED
things with SpyBot S&D, be sure to re-boot and rerun SpyBot again and repeat
this cycle until you get a clean "no red" scan. The reason is that SpyBot
sometimes has to remove things which are currently "in use" before it can
then clean up others.
Both of these programs should normally be UPDATED and run after doing any
other fix such as CWShredder and, as a minimum, normally at least once a
week.
When done, go to Start|Run and enter one line at a time (or even easier,
open a DOS box and copy the following in its entirety and then paste it into
the box):
regsvr32 /i browseui.dll
regsvr32 /i shdocvw.dll
regsvr32 /i mshtml.dll
regsvr32 mshtmled.dll
regsvr32 actxprxy.dll
regsvr32 /i urlmon.dll
regsvr32 scrrun.dll
regsvr32 comcat.dll
regsvr32 Oleaut32.dll
regsvr32 /i Shell32.dll
regsvr32 Msoeacct.dll
regsvr32 "C:\Program Files\Outlook Express\Msoe.dll"
regsvr32 msjava.dll
regsvr32 jscript.dll
regsvr32 Olepro32.dll
regsvr32 Hlink.dll
regsvr32 Asctrls.ocx
regsvr32 Inetcpl.cpl /i
regsvr32 Dxtrans.dll
regsvr32 Dxtmsft.dll
regsvr32 Imgutil.dll
regsvr32 Msxml.dll
regsvr32 Msjava.dll
regsvr32 Jscript.dll
regsvr32 Softpub.dll
regsvr32 Wintrust.dll
regsvr32 Initpki.dll
regsvr32 Dssenh.dll
regsvr32 Rsaenh.dll
regsvr32 Gpkcsp.dll
regsvr32 Slbcsp.dll
regsvr32 Cryptdlg.dll
regsvr32 Msjet40.dll
regsvr32 pdm32.dll
regsvr32 Msjtor40.dll
regsvr32 Dao360.dll
regsvr32 Sccbase.dll
with a Return after each .dll. You'll get a message about successful
completion of the re-registration process after each one, then enter the
next (with the DOS box they'll be continuous except for the last one).
If you use Win98x and get an error on Shell32.dll, ignore it. Only the ME,
Win2k and XP versions of windows have shell32 as an object that needs
registering. (For these earlier operating systems, run "regsvr32
shdoc401.dll " instead of "regsvr32 Shell32.dll".) Depending on your
system, you may also get "not found" error messages on some or all of the
last five - if so, ignore them.
Re-start your computer when you've finished.
*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones.
*******
Once you get things cleaned up, you might want to consider installing Eric
Howes' IESpyAds, SpywareBlaster and SpywareGuard here to help prevent this
kind of thing from happening in the future:
IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds
a long list of sites and domains associated with known advertisers,
marketers, and crapware pushers to the Restricted sites zone of Internet
Explorer. Once you merge this list of sites and domains into the Registry,
the web sites for these companies will not be able to use cookies, ActiveX
controls, Java applets, or scripting to compromise your privacy or your PC
while you surf the Net. Nor will they be able to use your browser to push
unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
carefully. Tutorials here:
http://www.bleepingcomputer.com/forums/tutorial53.html
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs, blocks spyware/tracking cookies, and restricts the actions of
potentially dangerous sites) (BTW, SpyWareBlaster is not memory resident ...
no CPU or memory load - but keep it UPDATED) The latest version as of this
writing will prevent installation or prevent the malware from running if it
is already installed, and, additionally, it provides information about and
fixit-links for a variety of parasites. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial49.html
http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial50.html
All three Very Highly Recommended
SpywareBlaster is probably the best preventive tool currently available,
expecially if supplemented by using the Immunize function in SpyBot S&D and
a good HOSTS file (see next). IMPORTANT NOTE: A good additional source of
preventive blocking for ActiveX components is the Blocking List available
here: http://www.spywareguide.com/blockfile.php While smaller than the
SpywareBlaster list, it contains some different malware CLSIDs and appears
to be updated with new threats more frequently. Strongly Recommended as a
supplement to SpywareBlaster. Read all of the instructions in the Expert
package download carefully. You might want to consider using:
http://www.changedetection.com/monitor.html to monitor and notify you of
changes/updates to this list (or other programs, for that matter).
Next, install and keep updated a good HOSTS file. It can help you avoid most
adware/malware. See here: http://www.mvps.org/winhelp2002/hosts.htm (Be sure
it's named/renamed HOSTS - all caps, no extension) Additional tutorials
here: http://www.spywarewarrior.com/viewtopic.php?t=410 (overview) and here:
http://www.bleepingcomputer.com/forums/tutorial51.html (detailed)
Finally, be sure that you have a good hardware or software firewall and an
AntiVirus
Then, there are a variety of third party "Popup Killers" available. I
normally use AdShield, which, if you maintain its Block List every now and
then, almost totally stops this. In addition, it stops a variety of
ads/banners/etc. (particularly spyware like doubleclick) on pages I access.
This is probably all you'll need; however, I've also investigated a program
called webwasher which appears to be very good, but decided that AdShield
was sufficient. At the bottom of this post, you'll find a list provided
courtesy of bc_acadia of a number of free popup blockers with links.
****** NOTE: As of 28 Apr 03 AdShield appears to have partnered with a new
reseller, and AdShield is no longer free. There is a trial version of
AdShield3; however, IMO it is seriously crippled in not being able to import
or export block lists and I think for reasonable utility one would have to
go to the full version. While I don't normally recommend non-free software,
I personally will continue to use AdShield3, since I think it is the best
currently available combined Popup/Ad/Malware blocker, but you should be
aware of the fact that it now costs, ($29.95 when I last looked), whereas
the earlier versions upon which I based my original recommendation were
free, although not nearly as capable as the AdShield3 release. I've included
below links to both the older free version and the new paid version. You'll
have to investigate and make your own choice in the matter. *******
Here are a number of AdShield-related links:
http://www.fsd1.org/technology/Files/AdShield.exe - AdShield1.2 (free)
http://www.internettechs.net/utilities/AdShield.exe - AdShield1.2 (free)
http://euler.free.fr/Adshield/AdShield.exe - AdShield1.2 (free)
http://ftp.ural.ru/home/index/windows/networking/utils/AdShield -
AdShield1.2 (free)
http://www.megalog.ru/info/utilz/AdShield.zip - AdShield1.2 (free)
http://www.lossepladsen.dk/all4you/TheLostWorld/AdShield.php - AdShield1.2
(free)
http://www.allstarss.com/store/adshield.html - AdShield3
http://www.ad-shield.com/ AdShield3 Info/Purchase/Block List
http://www.mvps.org/winhelp2002/block.txt - (Mike Burgess' .txt Block List
for AdShield - Recommended)
http://www.mvps.org/winhelp2002/block.zip - Mike Burgess' Zipped Block List
for AdShield - Recommended)
http://www.songwave.com/software/adshield_blocklist.txt (40,000 pornsites
blocked - *VERY* large list - use at your own risk)
http://www.chrismyden.com/temp/block.abl (chrismyden's blocklist in .abl
format - Recommended)
http://www.staff.uiuc.edu/~ehowes/resource.htm#AdShield (Eric Howes AGNIS
for AdShield block list - Recommended) (BTW, Eric's site contains a wealth
of very valuable information about all aspects of net security - Very Highly
Recommended)
There is additional information about setting up and using AdShield, and
about using the Restricted Zone (and an additional list) here:
http://www.mvps.org/winhelp2002/hosts.htm
Here's a good AdShield test site, courtesy of siljaline: "Make ***SURE***
you have your block scripted popups enabled
http://www.mediaboy.net/1010100-1100001-1111010/gahk/>>>> [Warning this URL
opens a multitude of Browser windows almost instantly - YOU'VE BEEN
WARNED!]"
http://www.webwasher.com - Webwasher
For WinXP users, Service Pack 2 has a built-in popup stopper which at first
look appears to be fairly effective.
Additionally, some people have recommended Popup Stopper and PopupBuster,
but they have also been reported or experienced to cause perceived problems
for some people with "normal" links in IE6 such as Google search results and
links from OE. Some proponents of PopupBuster assert, however, that this is
normal operation for this program under certain circumstances which can be
overridden if necessary. YMMV Another "Proxy" type blocker similar to
Webwasher and Proxomitron but supposedly a bit easier to configure is
Privoxy here: http://www.privoxy.org/
Also, the free Google Tool Bar has a built-in popup blocker which is pretty
effective.
A very clever alternative approach to general ad (vice Popup) blocking is
outlined here:
http://www.sherylcanter.com/articles/oreilly_20040330_HostsPac.php
and here: http://s91363763.onlinehome.us/BlackHoleProxy/index.html
The approach is similar to that used in eDexter, but improved. I've tried
it, and it does work as advertised. (<groan> - sorry 'bout that!)
Probably should only be considered by more knowledgeable users, as it's a
little complicated to set up using the directions given if you don't already
know a bit. (It also has some tendency to block some things you'd rather it
didn't at times if PAC files are used instead of the HOSTS file due to its
use of regular expressions for blocking definitions without some tuning.)
Lastly, ZoneAlarmPro3/4 has added provisions for stopping adds/popups,
handling cookies, web bugs, and scripting/ActiveX components in addition to
it's firewall functionality. Not free, but I have used it with my other
AdBlocking stuff (AdShield, etc.) turned off as a test, and it appears to be
very good indeed. So far I've experienced no problems at all with it set in
its High Security modes for Ads although others have reported the need to
temporarily turn it off to reach some sites. Also, Agnitum's Outpost
Firewall supports a plug-in for this: "Pre-configured to block most banner
advertisement. Can be configured manually or by simply dragging and dropping
unwanted banners into the Ad Trashcan." I have no experience as to how
effective it is, but I have received a favorable report.
There's good information about hijacking in general and fixes available for
specific hijackers here: http://spywareinfo.com/articles/hijacked/
http://gmpservicesinc.com/Articles/hijack.asp
http://www.mvps.org/inetexplorer/Darnit.htm#pop_up
http://www.doxdesk.com/parasite/
bc_acadia's list:
"Some popup blockers. All of these are 100% pure freeware, no trial
periods. Some of these do more than just handle popups.
Pow!: http://www.analogx.com/contents/download/network/pow.htm
NoAds: http://www.southbaypc.com/NoAds/
PopupEraser: http://www.webknacks.com/popuperaser.htm
Stop-the-Pop: http://www.bysoft.se/sureshot/stopthepop/index.html
Internet Organizer: http://www.sf.yucom.be/wdprojects/
PopKi: http://ranfo.com/popki.html
PopUpKiller: http://sourceforge.net/projects/puk/
AdCruncher Proxy:
http://mysite.verizon.net/~mr_fish/AdCruncher/ReadMe.html
KillAd: http://www.iomagic.org/fsc/
ClickOff: http://www.johanneshuebner.com/en/download.html
PopupBuster: http://www.popupbuster.com/PopUpBuster/
Free Surfer: http://www.kolumbus.fi/eero.muhonen/FS/
Window Shades: http://www.g-m-m.com/Software/WindowShades/index.php
AdShield (my personal favorite): http://www.ad-shield.com/
PopupStopper: http://www.panicware.com/popupstopper.html
Proxomitron (Is no longer supported and has a learning curve):
http://www.proxomitron.org/
For those who don't want third party stuff, your own pc's built-in
host file:
http://www.mvps.org/winhelp2002/hosts.htm and
http://www.accs-net.com/hosts/
Here is a review of 61 popup killers, not all of them are free:
http://www.popup-killer-review.com/index.htm"
NOTE that this site also contains a good, comprehensive series of popup
killer tests. Some good additional tests are also available here:
http://www.webknacks.com/aptest.htm
There's another popup test page here:
http://www.kephyr.com/popupkillertest/index.html
Another good test page and lists of both free and cost popup blockers is
here: http://www.popuptest.com/ Recommended
An excellent test site here: http://www.popupcheck.com/ Highly
Recommended.
Another list of some popup blockers:
http://www.messaging-software.net/popup-killer-software.htm
Perhaps these will help.