Windows XP popping up internet addresses

  • Thread starter: P. Jayant

P. Jayant

I have a peculiar pop-up messages problem: peculiar because the pop-ups are
not ads but Windows XP generated boxes saying “you or a program have
requested information from” followed by one of the following addresses which
keep coming by rotation. Probably, there are some others in the kitty of a
spy-program hiding somewhere which I have not trapped visually. The
cyclically re-appearing addresses are:
www.budweiser1.servebeer.com
www.fu2.deejay-fuzion.net.nz
www.pwned.ph33r.info
www.rit.edu and
irc.bogde.info

These pop-ups start as soon as Windows XP is started even before the PC is
on-line to my ISP or a program like Internet Explorer is opened.

I can stop the popping up by asking Windows not to show me the message until
next log-in but I can hear the audio beep signal in the background which I
have configured to be heard every time a new program is opened. Besides,
once the pop-ups start and I am connected to my ISP, without opening any
web-page, the spyware is hogging the outgoing kilobits capacity as can be
seen from the modem’s send blinking light.

I have been monitoring pop-up ads using AdAware 6.0 and also using the
Search and Destroy program for detecting and removing spyware. They do
detect suspicious programs and I do delete them but they have not been able
to find the program which seems to have these embedded web addresses. I am
regularly deleting all temporary Internet files and have asked I. E. 6 to
delete all cookies. Windows Explorer has not been able to tell me any
location where these addresses are stored.
I also have a program named Process Explorer which can list the active
processes at any time but I do not know how to detect the culprits using
this software.

Could anyone suggest the method of detecting the source of these pop-ups and
destroying the spy software?

P. Jayant
 
Greetings --

There are at least three varieties of pop-ups, and the solutions
vary accordingly. Which specific type(s) is troubling you?

1) Does the title bar of these pop-ups read "Messenger Service?"

This type of spam has become quite common over the past year or
so, and unintentionally serves as a valid security "alert." It
demonstrates that you haven't been taking sufficient precautions while
connected to the Internet. Your data probably hasn't been compromised
by these specific advertisements, but if you're open to this exploit,
you're most definitely open to other threats, such as the Blaster Worm
that still haunts the Internet. Install and use a decent, properly
configured firewall. (Merely disabling the messenger service, as some
people recommend, only hides the symptom, and does little or nothing
to truly secure your machine.) And ignoring or just "putting up with"
the security gap represented by these messages is particularly
foolish.

Messenger Service of Windows
http://support.microsoft.com/default.aspx?scid=KB;en-us;168893

Messenger Service Window That Contains an Internet Advertisement
Appears
http://support.microsoft.com/?id=330904

Stopping Advertisements with Messenger Service Titles
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

Blocking Ads, Parasites, and Hijackers with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Whichever firewall you decide upon, be sure to ensure UDP ports
135, 137, and 138 and TCP ports 135, 139, and 445 are _all_ blocked.
You may also disable Inbound NetBIOS (NetBIOS over TCP/IP). You'll
have to follow the instructions from the firewall's manufacturer for the
specific steps.

You can test your firewall at:

Symantec Security Check
http://security.symantec.com/ssc/vr_main.asp?langid=ie&venid=sym&plfid=23&pkj=GPVHGBYNCJEIMXQKCDT

Security Scan - Sygate Online Services
http://www.sygatetech.com/

Oh, and be especially wary of people who advise you to do nothing
more than disable the messenger service. Disabling the messenger
service, by itself, is a "head in the sand" approach to computer
security. The real problem is _not_ the messenger service pop-ups;
they're actually providing a useful, if annoying, service by acting as
a security alert. The true problem is the unsecured computer, and
you've been advised to merely turn off the warnings. How is this
helpful?

2) For regular Internet pop-ups, you might try the free 12Ghosts
Popup-killer from http://12ghosts.com/ghosts/popup.htm, Pop-Up Stopper
from http://www.panicware.com/, or the free Google Toolbar from
http://toolbar.google.com/, which is what I use.

3) To deal with pop-ups caused by any sort of "adware" and/or
"spyware," such as Gator, Comet Cursors, Xupiter, Bonzi Buddy, or
KaZaA, and their remnants, that you've deliberately (but without
understanding the consequences) installed, two products that are
quite effective (at finding and removing this type of scumware) are
Ad-Aware from www.lavasoft.de and SpyBot Search & Destroy from
www.safer-networking.org/. Both have free versions. It's even
possible to use SpyBot Search & Destroy to "immunize" your system
against most future intrusions. I use both and generally perform
manual scans every week or so to clean out cookies, etc.


Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
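
A local complement to the online firewall tests listed in the reply above, as an added example that is not part of the original thread: it parses `netstat -ano` output and lists which of the ports named in that reply have a listener bound to a non-loopback address, together with the owning PID. The netstat text and the function name are constructed for illustration.

```python
import re

# Ports the reply above says the firewall must block.
RISKY = {"UDP": {135, 137, 138}, "TCP": {135, 139, 445}}

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1212
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1045      203.0.113.7:80         ESTABLISHED     1508
  UDP    0.0.0.0:135            *:*                                    884
  UDP    192.168.1.20:137       *:*                                    4
  UDP    192.168.1.20:138       *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1100
"""

# proto, local address, local port, foreign address, optional state, PID
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

def exposed_listeners(netstat_text):
    """Return sorted (proto, address, port, pid) tuples for risky ports that
    have a listener bound to a non-loopback address."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or a format this sketch ignores
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        if addr.startswith("127."):
            continue  # loopback-only sockets are not reachable remotely
        if int(port) in RISKY[proto]:
            found.add((proto, addr, int(port), int(pid)))
    return sorted(found)

if __name__ == "__main__":
    for proto, addr, port, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} is listening (PID {pid})")
```

A listed port only shows that a service is bound locally; whether it is reachable from outside still depends on the firewall. The PID column can be matched against the PID shown in Process Explorer to see which process owns each listener.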
 
You need to uncheck them from here:

Right click My Network Places/Properties/Advanced (top toolbar)/Dial-Up
Preferences/Enable Auto-Dial by Location/Uncheck all locations and check off
always ask me before auto dialing. Also, Disable autodial while I am logged
on.

In the Enable Auto-Dial By Location dialog box, select each location for
which you want the automatic dialing feature to operate. Reboot.

Disable or Enable AutoDial (Line 91)
http://www.kellys-korner-xp.com/xp_tweaks.htm

To view the list of names and addresses recorded by AutoDial, type the
following command at a command prompt: rasautou -s

To delete a name or address entry from the list: Start/Run/Regedit

HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses

Disable "Log on using dial-up connection" (Line 77)
http://www.kellys-korner-xp.com/xp_tweaks.htm
 
I am thankful for the suggestions I have received. Disabling auto-dialling,
I had already done. Firewall, I have activated in XP. I shall also take
other precautions. These steps may prevent any new addresses getting into
the system.

But the real issue is: how to delete those 40 thieves hiding in the bags of
Ali Baba? Those reminders for reminding budweiser and what not will keep
popping up with all the steps I take now.

I have deleted from the Registry autodial list, all those addresses which
were in text format and did not appear in my list of favourites or frequently
required web-sites. The list of addresses in the Autodial sub-section of the
Registry which I checked using the step suggested by Kelly are mostly
numerical DNS addresses like the NewsServer addresses. So it is difficult to
make out unless I access each one of them and delete those which turn out
to be non-Server.

Jayant
 