TechSpot

Pop-up problem

By TheGr8Schlotzky
May 8, 2008
  1. I'm back with a pop up problem on another computer. This computer seems to get excessive popups whether you're using the web browser or not. Things like video sites, media sites, colleges, healthcare, and dating sites. The only lead I've seen was a link to 'buycheapadvertising.com' in one of the sites' privacy statements. I've now put hours and hours into trying to track down the problem, but nothing seems to affect it. I've used all of the following programs which scanned (and found at least something) and deleted, but the problem persists: [all up-to-date] Ad-aware 2007, Spybot S&D, AVG Internet Security, Spywareblaster, Ewido, Malwarebytes, Vundofix, and McAfee.

    Attached is my HijackThis log.

    Any help is appreciated!
     
  2. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    These pop ups are ridiculous. As stated, I did everything in the sticky and I've still got the problem. Any help is appreciated!
     
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    First and foremost did you set this setting yourself?

    ProxyOverride = 192.168.111.*;169.254.128.*;10.1.10.*;127.0.0.*

    --------------------------------------------------------------------------------------

    We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

    Code:
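    @echo off
    rem The service name contains spaces, so it must be quoted to reach sc as one argument
    sc stop "Viewpoint Manager Service"
    sc delete "Viewpoint Manager Service"
    rem Delete this script and close the window (both on one line, parsed before the file is removed)
    del service.cmd & exit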
    Save it to your desktop as File name: service.cmd
    Save as type: All Files

    Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

    ------------------------------------------------------------------------------------------

    Have HijackThis fix these leftovers

    O2 - BHO: (no name) - {3B91E695-F336-4E04-96C0-7C34A124421D} - (no file)
    O2 - BHO: (no name) - {B4465068-1FB2-4A4C-ACE2-C6D768DC8C20} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    ----------------------------------------------------------------------------------------------

    1. Click Start, point to Settings, and then click Control Panel.
    2. In Control Panel, double-click Add or Remove Programs.
    3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.

    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.

    --------------------------------------------------------------------------------------------------

    Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
    --------------------------------------------------------------------------------------------

    Here are 2 more secure browsers to choose from rather than IE:
    1)Firefox -> http://www.mozilla.com/en-US/firefox/
    2)Opera -> http://www.opera.com/



    Post a fresh Hijackthis log back after doing the above
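
Added example, not part of the original post: the four entries listed above end in (no file), meaning the registry entry remains but the file it pointed to is gone. This Python sketch parses such HijackThis lines and lists the registry keys where O2 and O9 leftovers live; the function names are assumptions, and the last sample line is constructed for contrast.

```python
import re

# Leftover entries quoted in post 3, copied as posted.
# The final line is constructed to show an entry whose file is present.
LOG = """\
O2 - BHO: (no name) - {3B91E695-F336-4E04-96C0-7C34A124421D} - (no file)
O2 - BHO: (no name) - {B4465068-1FB2-4A4C-ACE2-C6D768DC8C20} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Example\\helper.dll
"""

# section code - kind: display name - {CLSID} - file path or "(no file)"
ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

# Registry locations HijackThis reads for these two sections.
REG_ROOT = {
    "O2": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    "O9": r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions",
}


def parse(log):
    """Parse CLSID-bearing HijackThis lines into dicts; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, kind, name, clsid, target = m.groups()
        entries.append({
            "code": code,
            "kind": kind,
            "name": name,
            "clsid": clsid.upper(),  # registry key names are case-insensitive
            "target": target,
            "orphaned": target == "(no file)",
        })
    return entries


def orphan_keys(log):
    """Return the registry key behind each entry whose file no longer exists."""
    return [
        REG_ROOT[e["code"]] + "\\" + e["clsid"]
        for e in parse(log)
        if e["orphaned"] and e["code"] in REG_ROOT
    ]


if __name__ == "__main__":
    for key in orphan_keys(LOG):
        print(key)
```
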
     
  4. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    Thanks for the response.

    There shouldn't be any proxies running on this machine, certainly nothing I've done, and I would put proxies way beyond the level of the person that usually works on this machine.

    I followed your instructions, and attached is the new log.

    As far as I know, there was never any AOL software on this computer, and I know there is none now. Is there another program that would install the Viewpoint manager?

    IE settings required no changing, as they were already set to desired levels.

    P.S. Between the time I saved the HijackThis log and the time I posted this, I was hit with four more pop up windows.
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Do you get these popups in Firefox or Opera? They are both far more secure than IE.

    However, the popups still suggest a problem. Let's do an online scan and go from there:

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  6. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    Using Firefox, (or no browser at all for that matter) I still get consistent pop ups from IE.

    The normal user of this computer prefers IE over Firefox, but I'll let her know that she'll be using Firefox from now on.

    Kaspersky is at 60%. I'll post up when it's finished and I check back with this computer.
     
  7. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    Been busy, just got back to this computer, to find 34 IE windows open!

    Here's the Kaspersky report:
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That was basically clean, just need to tidy up a bit.

    1) Empty your recycle bin regularly starting now
    2) Launch MBAM ->Quarantine tab -> delete everything

    3)Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    4)Manually clear cache

    • Open an Explorer folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.


    5) Run 1 more scan with Hijackthis and attach me the log
     
  9. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    Sorry about the delay, I didn't have a chance to check up.


    Here's my latest HijackThis log.


    NOTE: I still got one of the usual pop-ups between the time I finished your instructions and the time I posted this.
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    When it pops up, what does it open to? Your log looks good.


    Generate Uninstall List

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file.
     
  11. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    The only thing I noticed that looked wrong at all was the oggcodecs, though I know this computer was missing some necessary codecs a while back. Anyway, I uninstalled it and the popups still came, so that wasn't the problem.
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You still didn't answer, though: when the IE pop up comes up, what does it open to?

    A file on your computer or a website?

    If a website what is the address?

    If a file what is the file location?
     
  13. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    It opens IE to different websites. One that comes to mind is OVguide.com or "online video guide" other sites include college websites, other media sites and healthcare sites. I'll take note when they come up.


    EDIT: one just came up for "signup4college.com"

    direct url: http://www.signup4college.com/search/?source=ADONSEARCH

    EDIT2: here's another:

    http://www.adscampaign.com/advert.html?url=http://trafficdaily.com/adserve/ad2.html

    EDIT3: and another:

    http://www.distance-education-review.info/?keyword=techspot.com_112086

    ^this one appears to be watching my web browsing as it has "techspot.com" in the url. It popped up in IE as does everything else, and I am currently browsing in firefox.

    EDIT4: another

    http://www.collegeanduniversity.net/?event=l.lp&CID=1294&SID=234&csrc=adon

    EDIT5: ...

    http://www.justluxe.com/resources/exotic-cars.php

    EDIT6:

    http://yellowpages.superpages.com/l...sionId=&MCBP=true&CS=L&C=Shipping&L=Salem,+OR

    EDIT 7:

    http://hotjobs.yahoo.com/

    EDIT 8: ...

    http://www.webcrawler.com/webcrawle...e/iq=true/zoom=off/_iceUrlFlag=7?_IceUrl=true
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Launch IE -> Tools

    Mouse over Popup Blocker

    Select Popup blocker settings

    #1 check the allowed sites section
    #2 check the filter level
    #3 consider increasing the filter level and removing sites from the allowed section

    Note you may first have to turn the popup blocker on before checking these settings

    -----------------------------------------------------

    The other thing you can do is add the main sites to the restricted list,
    i.e. add www.signup4college.com to the restricted sites

    First go to Tools -> Options -> Security tab -> Trusted sites -> click Sites and remove anything there

    Then click on the restricted sites -> Sites button and add any that you remember and more as they happen.

    --------------------------------------------------------

    Another thing: get Spybot S&D and update it, then Immunize, and it will set up known bad sites to add to the loopback in the hosts file. Scan with Spybot, and I also suggest getting and scanning with Ad-aware 2007.

    Links

    Spybot Search and Destroy
    Ad-aware
     
  15. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    Updated pop up blocker settings. I've scanned with S&D and aa2007 many times in the past few weeks, and just finished a full system scan in aa where it found several temp cookies to delete and nothing else. I'll do S&D again, but I've been updating them daily and I'm not finding anything new.

    Edit: currently the only allowed sites are google.com and jcpenny.com. I removed them anyway, and just got the distance-education-review.com pop up again.
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Go to Mode -> Advanced -> Tools -> make sure there is a check mark next to hosts file

    Make sure there are no updates and you are immunized
     
  17. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    Checked hosts. No updates available and I am already immunized. Scanning now.
     
  18. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    I'll note that IE pop up settings are on High: block all pop ups, and I just got the collegeanduniversity.net pop up again.
     
  19. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    Though I'm not entirely sure if smithfraud could be causing my problems, it seems to be a reoccurring find in S&D. S&D has found Smithfraud-C.CoreService the last 3-4 times I've done scans. What would be installing this? Each time I remove it, and each time it comes back.

    Ugh. Regarding the restricted sites idea, I just got a pop up from collegeanduniversity.net, which I had already added to the restricted site list. It's doing this with all other sites that I have added to the restricted area as well.
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE
    • Double-click SmitfraudFix.exe
    • Select 1 and hit Enter
    • It will open rapport.txt in Notepad; attach it here

    Navigate to C:\Windows\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
     
  21. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    I used this according to the sticky and did a safe mode clean at the time, but here is my current log.
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Print this out or copy and paste into notepad then save to desktop to have while in safe mode. Also run ATF cleaner again afterwards but while still in safe mode.

    Run Smitfraudfix
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Navigate to C:\Windows\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Clean out your Temporary Internet files. Proceed like this:

    For Internet Explorer 7

    * Click Start, click Control Panel, and then double-click Internet Options.
    * On the General tab, click Delete... under Browsing History.
    * Next to Temporary Internet Files, click Delete files, and then click OK.
    * Next to Cookies, click Delete cookies, and then click OK.
    * Next to History, click Delete history, and then click OK.
    * Click the Close button.
    * Click OK.

    For Mozilla 1.x and Up

    * Click Edit from the Mozilla menubar.
    * Click Preferences... from the Edit menu.
    * Expand the Advanced menu by clicking the plus sign.
    * Click Cache.
    * Click the Clear Cache button.

    For Opera

    * Click File from the Opera menubar.
    * Click Preferences... from the File menu.
    * Click the History and Cache menu.
    * Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
    * Click Ok to close the Preferences menu.

    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

    Run ATF Cleaner

    After Rebooting to normal mode attach rapport.txt and a fresh Hijackthis log
     
  23. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

    Alright here are my newest logs.


    The smithfraud report, the rapport.txt was well over the uploadable limit on this site, so I deleted the "hosts" section entirely and attached it below...
     
  24. TheGr8Schlotzky

    TheGr8Schlotzky TS Rookie Topic Starter Posts: 27

  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Are you still getting popups? I don't see anything that could possibly be causing them.

    1 thing we could do is manually add them all to the hosts file

    Also what firewall are you using? and is it active?
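
Added example, not part of the original thread: one way to turn the pop-up URLs reported in post 13 into loopback hosts-file entries, as suggested above. It also pulls out destinations nested in an ad redirector's query string; the `keep` parameter and the function names are assumptions of this sketch.

```python
from urllib.parse import urlsplit, parse_qsl

# Pop-up URLs reported in post 13, copied as posted (untruncated ones only).
POPUP_URLS = [
    "http://www.signup4college.com/search/?source=ADONSEARCH",
    "http://www.adscampaign.com/advert.html?url=http://trafficdaily.com/adserve/ad2.html",
    "http://www.distance-education-review.info/?keyword=techspot.com_112086",
    "http://www.collegeanduniversity.net/?event=l.lp&CID=1294&SID=234&csrc=adon",
    "http://hotjobs.yahoo.com/",
]


def hosts_in(url):
    """Return the URL's own hostname plus hostnames of URLs nested in its query."""
    parts = urlsplit(url)
    found = []
    if parts.hostname:
        found.append(parts.hostname.lower())
    for _key, value in parse_qsl(parts.query):
        # Only values that are themselves URLs count; a bare keyword such as
        # "techspot.com_112086" is tracking data, not a destination to block.
        if value.lower().startswith(("http://", "https://")):
            found.extend(hosts_in(value))
    return found


def variants(host):
    """The hosts file matches names exactly, so cover the www and bare forms."""
    names = {host}
    if host.startswith("www."):
        names.add(host[4:])
    elif host.count(".") == 1:
        names.add("www." + host)
    return names


def hosts_entries(urls, keep=()):
    """Build sorted '127.0.0.1 name' lines, skipping any names listed in keep."""
    names = set()
    for url in urls:
        for host in hosts_in(url):
            names |= variants(host)
    return ["127.0.0.1 " + name for name in sorted(names - set(keep))]


if __name__ == "__main__":
    # keep= leaves a site reachable that the user may still want to visit.
    print("\n".join(hosts_entries(POPUP_URLS, keep={"hotjobs.yahoo.com"})))
```

The generated lines go in %SystemRoot%\System32\drivers\etc\hosts; they only change name resolution on that machine.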
     
Topic Status:
Not open for further replies.
