WARNING Long Reply - Re: Pop-ups


Jim Byrd

Hi Donald - There are currently two classes of things going on that are
causing people popup difficulties. If you get popups even when your browser
is not connected to the Internet with a title bar reading "Messenger
Service", then these are most likely due to open NetBios TCP ports 135, 139
and 445 and UDP ports 135, 137-138 and a UDP port in the range of
1026-1029.. You really need to block these with a firewall as a general
protection measure. You can stop the popups by turning off Messenger
Service; however, this still leaves you vulnerable. If you have an NT-based
OS such as XP or Win2k, you should probably also specifically block TCP
593, 4444 and UDP 69, 139, 445, and install the very important 823980 patch
from MS03-026, here: http://support.microsoft.com/?kbid=823980 to block
the Blaster worm..

See: Messenger Service Window That Contains an Internet Advertisement
Appears http://support.microsoft.com/?id=330904 which identifies reasons to
keep this service and steps to take if you do.

You can test your system and follow the 'Prevention' link to get additional
information here:
http://www.mynetwatchman.com/winpopuptester.asp Unless you have very good
reasons to keep this active, it should be turned off in Win2k and XP. Go
here and do what it says:
http://www.itc.virginia.edu/desktop/docs/messagepopup/ or, even better, get
MessageSubtract, free, here, which will give you flexible control of the
service and viewing of these messages:
http://www.intermute.com/messagesubtract/help.html Recommended.

(FWIW, ZoneAlarm's default Internet Zone firewall configuration blocks the
necessary ports to prevent this use of Messenger Service. I don't know the
situation with regard to other firewalls.)

Messenger Service is not per se Spyware or something that MS did wrong - It
provides a messaging capability which is useful for local intranets and is
also sometimes (albeit nowdays infrequently) used by some applications to
provide popup messages to users. However, it can also be (and now frequently
is) used to introduce spam via this open NetBios channel.
For a single user home computer, it normally isn't needed and can be turned
off which will eliminate the spam popups. This DOESN'T, however, remove the
vulnerability of having these ports open, when in fact they aren't needed,
since they can be perverted in other ways as well, some of which can be much
more damaging than just a spam popup.

If you're getting a lot of popups while surfing, then the following may be

Popups - The best way to start is to get Ad-Aware 6.0, Build 181 or later,
here: http://www.lavasoftusa.com/support/download/. Update and run this
regularly to get rid of most "spyware/hijackware" on your machine. If it
has to fix things, be sure to re-boot and rerun AdAware again and repeat
this cycle until you get a clean scan. The reason is that it may have to
remove things which are currently "in use" before it can then clean up

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. Update before starting, then after fixing things with
SpyBot S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle
until you get a clean "no red" scan. The reason is that SpyBot sometimes
has to remove things which are currently "in use" before it can then clean
up others.

Then, there are a variety of third party "Popup Killers" available. I
normally use AdShield, which, if you maintain its Block List every now and
then, almost totally stops this. In addition, it stops a variety of
ads/banners/etc. (particularly spyware like doubleclick) on pages I access.
This is probably all you'll need; however, I've also investigated a program
called webwasher which appears to be very good, but decided that AdShield
was sufficient. At the bottom of this post, you'll find a list provided
courtesy of bc_acadia of a number of free popup blockers with links.

****** NOTE: As of 28 Apr 03 AdShield appears to have partnered with a new
reseller, and AdShield is no longer free. There is a trial version of
AdShield3; however, IMO it is seriously crippled in not being able to import
or export block lists and I think for reasonable utility one would have to
go to the full version. While I don't normally recommend non-free software,
I personally will continue to use AdShield3, since I think it is the best
currently available combined Popup/Ad/Malware blocker, but you should be
aware of the fact that it now costs, ($29.95), whereas the earlier versions
upon which I based my original recommendation were free, although not nearly
as capable as the AdShield3 release. I've included below links to both the
older free version and the new paid version. You'll have to investigate and
make your own choice in the matter. *******

Here are a number of AdShield-related links:

http://www.fsd1.org/technology/Files/AdShield.exe - AdShield1.2 (free)
http://www.internettechs.net/utilities/AdShield.exe - AdShield1.2 (free)
http://ftp.ural.ru/home/index/windows/networking/utils/AdShield -
AdShield1.2 (free)
http://www.megalog.ru/info/utilz/AdShield.zip - AdShield1.2 (free)
http://www.allstarss.com/store/adshield.html - AdShield3
http://www.mvps.org/winhelp2002/block.txt - (Mike Burgess' .txt Block List
for AdShield)
http://www.mvps.org/winhelp2002/block.zip - Mike Burgess' Zipped Block List
for AdShield - Recommended)
http://adshield.briankass.com/blocklists.html (lists a number of blocklists)
http://adshield.briankass.com/blocklist.abl (brian's blocklist in .abl
http://adshield.briankass.com/blocklist.txt (brian's blocklist in .txt
http://www.songwave.com/software/adshield_blocklist.txt (40,000 pornsites
blocked - *VERY* large list - use at your own risk)
http://www.chrismyden.com/temp/block.abl (chrismyden's blocklist in .abl
http://www.staff.uiuc.edu/~ehowes/resource.htm#AdShield (Eric Howes AGNIS
for AdShield block list - Recommended) (BTW, Eric's site contains a wealth
of very valuable information about all aspects of net security - Very Highly

There's also a new AdShield forum here:

Here's a good AdShield test site, courtesy of siljaline: "Make ***SURE***
you have your block scripted popups enabled
http://www.mediaboy.net/1010100-1100001-1111010/gahk/>>>> [Warning this URL
opens a multitude of Browser windows almost instantly]"

http://www.webwasher.com - Webwasher

Additionally, some people have recommended Popup Stopper and PopupBuster,
but they have also been reported or experienced to cause perceived problems
for some people with "normal" links in IE6 such as Google search results and
links from OE. Some proponents of PopupBuster assert, however, that this is
normal operation for this program under
certain circumstances which can be overridden if necessary. YMMV Another
"Proxy" type blocker similar to Webwasher and Proxomitron but supposedly a
bit easier to configure is Privoxy here: http://www.privoxy.org/ Also, the
free Google Tool Bar has a builtin popup blocker which fairly effective.

Also, if you're comfortable allowing changes to the registry, there is an
approach, IE-SPYAD, using the restricted sites list which can be used for
scripted popups. I use this and it works very well. See here:

There is additonal information about setting up and using AdShield, and
about using the Restriced Zone (and an additional list) here:
http://www.mvps.org/winhelp2002/hosts.htm and some of the Frequently Asked
Questions (FAQ's) about AdShield here: http://adshield.briankass.com

Lastly, ZoneAlarmPro3/4 has added provisions for stopping adds/popups,
handling cookies, web bugs, and scripting/ActiveX components in addition to
it's firewall functionality. Not free, but I have used it with my other
AdBlocking stuff (AdShield, etc.) turned off as a test, and it appears to be
very good indeed. So far I've experienced no problems at
all with it set in its High Security modes for Ads although others have
reported the need to temporarily turn it off to reach some sites. Also,
Agnitum's Outpost Firewall supports a plug-in for this: "Pre-configured to
block most banner advertisement. Can be configured manually or by simply
dragging and dropping unwanted banners into the Ad Trashcan." I
have no experience as to how effective it is, but I have received a
favorable report.

There's good information about hijacking in general and fixes available for
specific hijackers here: http://www.spywareinfo.com/hijacked.html

bc_acadia's list:

"Some popup blockers. All of these are 100% pure freeware, no trial
periods. Some of these do more than just handle popups.

Pow!: http://www.analogx.com/contents/download/network/pow.htm
NoAds: http://www.southbaypc.com/NoAds/
PopupEraser: http://www.webknacks.com/popuperaser.htm
Stop-the-Pop: http://www.bysoft.se/sureshot/stopthepop/index.html
Internet Organizer: http://www.sf.yucom.be/wdprojects/
PopKi: http://ranfo.com/popki.html
PopUpPopper: http://www.bayden.com/Popper/default.asp
PopUpKiller: http://sourceforge.net/projects/puk/
AdCruncher Proxy:
KillAd: http://www.wplus.net/pp/fsc/
ClickOff: http://www.johanneshuebner.com/en/download.html
PopupBuster: http://www.popupbuster.com/PopUpBuster/
Free Surfer: http://www.kolumbus.fi/eero.muhonen/FS/
Window Shades: http://www.g-m-m.com/Software/WindowShades/index.php
AdShield (my personal favorite): http://www.adshield.org/
PopupStopper: http://www.panicware.com/popupstopper.html
Proxomitron (has learning curve): http://www.proxomitron.org/
For those who don't want third party stuff, your own pc's built-in
host file:
http://www.mvps.org/winhelp2002/hosts.htm and
http://www.smartin-designs.com/ and http://www.accs-net.com/hosts/

Here is a review of 61 popup killers, not all of them are free:

NOTE that this site also contains a good, comprehensive series of popup
killer tests. Some good additional tests are also available here:

There's another popup test page here:

Another good test page and lists of both free and cost popup blockers is
here: http://www.popuptest.com/ Recommended

Finally, there's a new class of hijacker using Window's Messenger Service
(not Instant Messaging, BTW) that I discussed at first.

you might want to consider installing the SpywareBlaster and SpywareGuard
here to help prevent this kind of thing and other malware from happening in
the future:
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Both Very Highly Recommended.

Perhaps these will help.

Please respond in the same thread.
Regards, Jim Byrd, MS-MVP




Alex Delarge

If Adshield would block javascript "annoyances" like window resizing
(chonse popup windows open maximized), statusbar modification, and
toolbar removal it would be perfect. It also doesn't handle the new
floating ads that are appearing on some sites.

Thanks for the information on all these popup blockers, I guess I'll
stick with Adshield for now and keep an eye out on the development of
Ad Muncher and Privoxy. Those seemed to be the best so far IMHO.


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question