Pop-up problem

Status
Not open for further replies.

TheGr8Schlotzky

I'm back with a pop up problem on another computer. This computer seems to get excessive popups whether you're using the web browser or not. Things like video sites, media sites, colleges, healthcare, and dating sites. The only lead I've seen was a link to 'buycheapadvertising.com' in one of the sites' privacy statements. I've now put hours and hours trying to track down the problem, but nothing seems to affect it. I've used all of the following programs which scanned (and found at least something) and deleted, but the problem persists: [all up-to-date] Ad-aware 2007, Spybot S&D, AVG Internet Security, Spywareblaster, Ewido, Malwarebytes, Vundofix, and McAfee.

Attached is my HijackThis log.

Any help is appreciated!
 
First and foremost did you set this setting yourself?

ProxyOverride = 192.168.111.*;169.254.128.*;10.1.10.*;127.0.0.*

--------------------------------------------------------------------------------------

We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

Code:
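@echo off
rem The service name contains spaces, so it must be quoted for sc.
sc stop "Viewpoint Manager Service"
sc delete "Viewpoint Manager Service"
rem Remove this script, then close the window.
del service.cmd & exit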

Save it to your desktop as File name: service.cmd
Save as type: All Files

Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

------------------------------------------------------------------------------------------

Have Hijackthis fix these leftovers

O2 - BHO: (no name) - {3B91E695-F336-4E04-96C0-7C34A124421D} - (no file)
O2 - BHO: (no name) - {B4465068-1FB2-4A4C-ACE2-C6D768DC8C20} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


----------------------------------------------------------------------------------------------

  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.

How to prevent it from being recreated every time you run the AOL software:
  • Open AOL
  • Go to Help on the toolbar
  • Select About AOL
  • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.

--------------------------------------------------------------------------------------------------

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
--------------------------------------------------------------------------------------------

Here are 2 more secure browsers to choose from rather than IE:
1) Firefox -> http://www.mozilla.com/en-US/firefox/
2) Opera -> http://www.opera.com/



Post a fresh Hijackthis log back after doing the above
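
Added example (not part of the original posts, and not HijackThis's own code): a small Python parser that pulls the orphaned "(no file)" entries out of log text like the lines quoted above and checks whether every ProxyOverride pattern is a non-routable address range. The sample log is constructed from the lines in the post; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the ProxyOverride value and the four entries quoted in the post.
SAMPLE_LOG = """\
ProxyOverride = 192.168.111.*;169.254.128.*;10.1.10.*;127.0.0.*
O2 - BHO: (no name) - {3B91E695-F336-4E04-96C0-7C34A124421D} - (no file)
O2 - BHO: (no name) - {B4465068-1FB2-4A4C-ACE2-C6D768DC8C20} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Layout: section - kind: name - {CLSID} - target file
ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")

def orphaned_entries(log):
    """Return (section, kind, CLSID) for entries whose target file no longer exists."""
    found = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m and m.group(5) == "(no file)":
            found.append((m.group(1), m.group(2), m.group(4).upper()))
    return found

def proxy_bypass_scope(log):
    """Label each ProxyOverride pattern 'non-routable' or 'review'."""
    scope = {}
    for line in log.splitlines():
        # Works whether or not a registry path precedes the value name.
        if "ProxyOverride" not in line or "=" not in line:
            continue
        for pat in line.split("=", 1)[1].strip().split(";"):
            pat = pat.strip()
            if not pat:
                continue
            try:
                addr = ipaddress.ip_address(pat.replace("*", "0"))
                local = addr.is_private or addr.is_loopback or addr.is_link_local
            except ValueError:
                local = False  # host-name patterns need a human look
            scope[pat] = "non-routable" if local else "review"
    return scope

if __name__ == "__main__":
    print(orphaned_entries(SAMPLE_LOG))
    print(proxy_bypass_scope(SAMPLE_LOG))
```
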
 
Thanks for the response.

There shouldn't be any proxies running on this machine, certainly nothing I've done, and I would put proxies way beyond the level of the person that usually works on this machine.

I followed your instructions, and attached is the new log.

As far as I know, there was never any AOL software on this computer, and I know there is none now. Is there another program that would install the Viewpoint manager?

IE settings required no changing, as they were already set to desired levels.

P.S. Between the time I saved the HijackThis log and the time I posted this, I was hit with four more pop up windows.
 
Do you get these popups in Firefox or Opera? They are both far more secure than IE.

However the popups still suggest a problem, let's do an online scan and go from there:

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Using Firefox, (or no browser at all for that matter) I still get consistent pop ups from IE.

The normal user of this computer prefers IE over Firefox, but I'll let her know that she'll be using Firefox from now on.

Kaspersky is at 60%, I'll post up when it's finished and I check back with this computer.
 
That was basically clean, just need to tidy up a bit.

1) Empty your recycle bin regularly starting now
2) Launch MBAM ->Quarantine tab -> delete everything

3) Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


4) Manually clear cache

  • Open an Explorer folder window (for example, double-click My Computer).
  • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
  • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
  • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
  • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.


5) Run 1 more scan with Hijackthis and attach me the log
 
Sorry about the delay, I didn't have a chance to check up.


Here's my latest HijackThis log.


NOTE: I still got one of the usual pop-ups between the time I finished your instructions and the time I posted this.
 
When it pops up, what does it open to? Your log looks good.


Generate Uninstall List

  1. Start HijackThis
  2. Click on the Config button
  3. Click on the Misc Tools button
  4. Click on the Open Uninstall Manager button.
  5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file.
 
The only thing I noticed that looked wrong at all was the oggcodecs, though I know this computer was missing some necessary codecs a while back. Anyway, I uninstalled it and the popups still came, so that wasn't the problem.
 
You still didn't answer, though: when the IE pop up comes up, what does it open to?

A file on your computer or a website?

If a website what is the address?

If a file what is the file location?
 
It opens IE to different websites. One that comes to mind is OVguide.com or "online video guide" other sites include college websites, other media sites and healthcare sites. I'll take note when they come up.


EDIT: one just came up for "signup4college.com"

direct url: http://www.signup4college.com/search/?source=ADONSEARCH

EDIT2: here's another:

http://www.adscampaign.com/advert.html?url=http://trafficdaily.com/adserve/ad2.html

EDIT3: and another:

http://www.distance-education-review.info/?keyword=techspot.com_112086

^this one appears to be watching my web browsing as it has "techspot.com" in the url. It popped up in IE as does everything else, and I am currently browsing in firefox.

EDIT4: another

http://www.collegeanduniversity.net/?event=l.lp&CID=1294&SID=234&csrc=adon

EDIT5: ...

http://www.justluxe.com/resources/exotic-cars.php

EDIT6:

http://yellowpages.superpages.com/l...sionId=&MCBP=true&CS=L&C=Shipping&L=Salem,+OR

EDIT 7:

http://hotjobs.yahoo.com/

EDIT 8: ...

http://www.webcrawler.com/webcrawle...e/iq=true/zoom=off/_iceUrlFlag=7?_IceUrl=true
 
Launch IE -> Tools

Mouse over Popup Blocker

Select Popup blocker settings

#1 check the allowed sites section
#2 check the filter level
#3 consider increasing the filter level and removing sites from the allowed section

Note you may first have to turn the popup blocker on before checking these settings

-----------------------------------------------------

The other thing you can do is add the main sites to restricted list
i.e. www.signup4college.com to the restricted sites

First go to tools -> options -> security tab -> trusted sites -> click Sites and remove anything there

Then click on the restricted sites -> Sites button and add any that you remember and more as they happen.

--------------------------------------------------------

Another thing: get Spybot S&D and update it, then Immunize, and it will set up known bad sites to add to the loopback in the hosts file. Scan with Spybot, and I also suggest getting and scanning with Ad-aware 2007.

Links

Spybot Search and Destroy
Ad-aware
 
Updated pop up blocker settings. I've scanned with S&D and aa2007 many times in the past few weeks, and just finished a full system scan in aa where it found several temp cookies to delete and nothing else. I'll do S&D again, but I've been updating them daily and I'm not finding anything new.

edit: currently the only allowed sites are google.com and jcpenny.com. I removed them anyway, just got the distance-education-review.com pop up again.
 
Go to mode -> advanced -> tools -> make sure there is a check mark next to hosts file

Make sure there are no updates and you are immunized
 
Though I'm not entirely sure if smithfraud could be causing my problems, it seems to be a recurring find in S&D. S&D has found Smithfraud-C.CoreService the last 3-4 times I've done scans. What would be installing this? Each time I remove it, and each time it comes back.

Ugh. Regarding the restricted sites idea, I just got a pop up from collegeanduniversity.net, which I had already added to the restricted site list. It's doing this with all other sites that I have added to the restricted area as well.
 
Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Double-click SmitfraudFix.exe
  • Select 1 and hit Enter
  • It will open rapport.txt in Notepad; attach it here

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
 
Print this out or copy and paste into notepad then save to desktop to have while in safe mode. Also run ATF cleaner again afterwards but while still in safe mode.

Run Smitfraudfix
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

For Internet Explorer 7

* Click Start, click Control Panel, and then double-click Internet Options.
* On the General tab, click Delete... under Browsing History.
* Next to Temporary Internet Files, click Delete files, and then click OK.
* Next to Cookies, click Delete cookies, and then click OK.
* Next to History, click Delete history, and then click OK.
* Click the Close button.
* Click OK.

For Mozilla 1.x and Up

* Click Edit from the Mozilla menubar.
* Click Preferences... from the Edit menu.
* Expand the Advanced menu by clicking the plus sign.
* Click Cache.
* Click the Clear Cache button.

For Opera

* Click File from the Opera menubar.
* Click Preferences... from the File menu.
* Click the History and Cache menu.
* Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
* Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Run ATF Cleaner

After Rebooting to normal mode attach rapport.txt and a fresh Hijackthis log
 
Alright here are my newest logs.


The smithfraud report, the rapport.txt was well over the uploadable limit on this site, so I deleted the "hosts" section entirely and attached it below...
 
Are you still getting popups? I don't see anything that could possibly be causing them

1 thing we could do is manually add them all to the hosts file

Also what firewall are you using? and is it active?
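
Added example (not part of the original posts): one way to turn the pop-up URLs reported earlier in the thread into loopback entries for the hosts file, including hosts nested inside a query string such as the `url=` parameter in the adscampaign.com link. Only the complete URLs from the thread are used; the function names and the `KEEP` list are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Pop-up URLs copied from the EDIT list in the thread (truncated ones left out).
POPUP_URLS = [
    "http://www.signup4college.com/search/?source=ADONSEARCH",
    "http://www.adscampaign.com/advert.html?url=http://trafficdaily.com/adserve/ad2.html",
    "http://www.distance-education-review.info/?keyword=techspot.com_112086",
    "http://www.collegeanduniversity.net/?event=l.lp&CID=1294&SID=234&csrc=adon",
    "http://www.justluxe.com/resources/exotic-cars.php",
    "http://hotjobs.yahoo.com/",
]

# Assumption: hosts the user still wants to reach; these are never blocked.
KEEP = {"hotjobs.yahoo.com"}

def hosts_in(url):
    """Yield the URL's own host, then hosts of any URLs nested in its query string."""
    parts = urlsplit(url)
    if parts.hostname:
        yield parts.hostname.lower()
    for _, value in parse_qsl(parts.query):
        if value.lower().startswith(("http://", "https://")):
            yield from hosts_in(value)

def with_aliases(host):
    """The hosts file matches exact names only, so cover the bare and www forms."""
    bare = host[4:] if host.startswith("www.") else host
    return [bare, "www." + bare]

def hosts_entries(urls, keep=KEEP, sink="127.0.0.1"):
    """Return de-duplicated 'sink name' lines in first-seen order."""
    names = []
    for url in urls:
        for host in hosts_in(url):
            if host in keep:
                continue
            for name in with_aliases(host):
                if name not in names and name not in keep:
                    names.append(name)
    return [f"{sink} {name}" for name in names]

if __name__ == "__main__":
    # Review the output before appending it to the hosts file.
    print("\n".join(hosts_entries(POPUP_URLS)))
```

The hosts file only affects name resolution for the names listed, so new pop-up domains still need to be added as they appear.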
 