Opium89
Guest
Posted: Fri Jun 04, 2004 12:45 pm Post subject: New Type of Popup?
All,
I have recently started receiving a new type of popup in spite of having the Google Toolbar, Ad-Aware, Spybot S&D, and the Spywareblaster installed. The ad is generated once a day from the site http://www.usnpl.com/aznews.html. I have also seen this popup come from a number of other sites.
When I hit the page, a small box that says "web" at the top of it flashes above the lower right corner of my task bar right above my system clock. I have written the advertiser about it but haven't heard anything back.
Any info on what this is and how to get rid of it would be greatly appreciated.
Logfile of HijackThis v1.97.7
Scan saved at 9:18:02 AM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Windows\System32\atiptaxx.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Joseph\Local Settings\Temp\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MoneySide (HKLM)
O15 - Trusted Zone: *.line6.net
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share...insctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wiz...ctiveX.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...5034027778
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup...mAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/sh...wflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup...veData.cab

John
Guest
Posted: Fri Jun 04, 2004 7:21 pm Post subject:
Here is how to read the HijackThis logfile.
Compare it with yours.
http://homepage.ntlworld.com/dvk01uk/tutorial.htm
http://www.spywareinfo.com/~merijn/htlogtutorial.html
http://www.help2go.com/article153.html
http://hjt.wizardsofwebsites.com/
http://www.spywareinfo.com/bhos/
http://www.spychecker.com/program/bholist.html
http://www.spywareinfo.com/~merijn/htlogtutorial.html#r
http://www.computercops.biz/postt6393.html
http://www.google.com/search?q=spyware+list
Beginners Guides: Browser Hijacking & How to Stop It
http://www.pcstats.com/articleview.cfm?articleID=1579
==============================================
Bazooka
http://www.webgrid.co.uk/security_2.html
http://www.winsite.com/bin/Info?17000000037943
http://www.kephyr.com/
Bazooka is freeware and Windows 95/98/ME/NT/2000/XP compatible
Click on the files found & you will be taken to a site that will show you how to remove them, either with a program or manually.
It reports on all drives & partitions, so remember to check all of these when doing a manual removal.
After the download, it is important to remember that once the installation of Bazooka is completed, you should update the File Signatures by clicking on the Update tab and checking for an update.
Make sure you update after installing & then regularly.

Opium89
Guest
Posted: Fri Jun 04, 2004 7:55 pm Post subject: RE: Bazooka, Etc.
Well this is all fine and dandy but it doesn't solve my problem. According to what I read, nothing in my log appears to be of a malicious nature. Considering the trouble I go through to protect my system, I would expect it to be. I tried the Bazooka but it says "nothing found". So what in the ^%$# is it?

Opium89
Guest
Posted: Sat Jun 05, 2004 12:33 pm Post subject: This is something called a Pop-Under
Well, I did some hunting around and think I discovered the source of this aggravation. It is called a Pop-Under and has something to do with JavaScript. I checked the source code of the page and discovered this:
<!-- FASTCLICK.COM POP-UNDER CODE v1.7e for microzoo.com -->
<script language="javascript"><!--
var doc=document; var url=escape(doc.location.href); var date_ob=new Date();
doc.cookie='h2=o; path=/;';var bust=date_ob.getSeconds();
if(doc.cookie.indexOf('e=llo') <= 0 && doc.cookie.indexOf('2=o') > 0){
doc.write('<scr'+'ipt language="javascript" src="http://media.fastclick.net');
doc.write('/w/pop.cgi?sid=5494&m=2&v=1.7e&u='+url+'&c='+bust+'"></scr'+'ipt>');
date_ob.setTime(date_ob.getTime()+43200000);
doc.cookie='he=llo; path=/; expires='+ date_ob.toGMTString();} // -->
</script>
<!-- FASTCLICK.COM POP-UNDER CODE v1.7e for microzoo.com -->
Anyone know how to prevent these little buggers from appearing? They are an absolute nightmare!
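
The cookie gate in the FastClick snippet above, replayed against a small cookie-jar model. This is an added example, not part of the original post or FastClick's code; the `CookieJar` class, its three storage modes and the start time are assumptions made for illustration.

```javascript
// Models document.cookie so the snippet's gate can be replayed outside a browser.
// mode "all": every cookie is stored; "session": cookies carrying expires= are
// dropped; "none": nothing is stored. The modes are assumptions of this example.
class CookieJar {
  constructor(mode) { this.mode = mode; this.items = new Map(); }
  set(str) {
    const [pair, ...attrs] = str.split(';').map(s => s.trim()).filter(Boolean);
    const exp = attrs.find(a => a.toLowerCase().startsWith('expires='));
    if (this.mode === 'none' || (exp && this.mode === 'session')) return;
    const eq = pair.indexOf('=');
    const expires = exp ? Date.parse(exp.slice(8)) : Infinity;
    this.items.set(pair.slice(0, eq), { value: pair.slice(eq + 1), expires });
  }
  read(now) { // what document.cookie would return at time `now`
    return [...this.items]
      .filter(([, c]) => c.expires > now)
      .map(([k, c]) => `${k}=${c.value}`).join('; ');
  }
}

const CAP_MS = 43200000; // lifetime the snippet gives he=llo: 12 hours

// Replays the snippet for one page view; returns true when it would write
// the <script src="http://media.fastclick.net/w/pop.cgi?..."> tag.
function visit(jar, now) {
  jar.set('h2=o; path=/;');                 // probe: are cookies stored at all?
  const c = jar.read(now);
  if (c.indexOf('e=llo') <= 0 && c.indexOf('2=o') > 0) {
    const exp = new Date(now + CAP_MS).toUTCString(); // toGMTString() in the original
    jar.set('he=llo; path=/; expires=' + exp);        // marker that suppresses repeats
    return true;
  }
  return false;
}

// Visits the page at the given hour offsets and reports which views load the tag.
function replay(mode, hours) {
  const jar = new CookieJar(mode);
  const t0 = Date.UTC(2004, 5, 4, 9, 0, 0); // constructed start time
  return hours.map(h => visit(jar, t0 + h * 3600000));
}

console.log('all cookies :', replay('all', [0, 1, 11, 13]));
console.log('session only:', replay('session', [0, 1, 2]));
console.log('no cookies  :', replay('none', [0, 1]));
```

With every cookie stored, the tag is written once and then suppressed until `he=llo` expires 12 hours later; if only session cookies are kept, `he=llo` never sticks and the tag is written on every page view. With no cookies stored at all, the `h2=o` probe fails and the snippet writes nothing.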

John
Guest
Posted: Sat Jun 05, 2004 5:16 pm Post subject:
These may help.
Recommended Minimal Security Settings
http://mvps.org/winhelp2002/unwanted.htm
Close all instances of Internet Explorer and Outlook Express
Control Panel > Internet Options > Click on the "Security" tab
Highlight the "Internet" icon, click "Custom Level"
"Download signed ActiveX scripts" = Prompt
"Download unsigned ActiveX scripts" = Disable
"Initialize and script ActiveX not marked as safe" = Disable
"Installation of Desktop items" = Prompt
"Launching programs and files in an IFRAME" = Prompt
Click on the "Content" tab, Click the "Publishers" button
Highlight and click "Remove" any unknowns, click Ok
Why is this so important? [read this]
http://mvps.org/winhelp2002/restricted.htm#Why
Click on the "Advanced" tab
Uncheck: "Install on demand (other)", click Apply\Ok
To test your setup after making the above changes [click here]
http://mvps.org/winhelp2002/restricted.htm#Testing
==========================================
Safe XP
http://free.hostdepartment.com/t/theorica/safexp.htm
http://free.hostdepartment.com/t/theorica/SafeXPHelp.htm
http://www.softcities.com/Safe-XP/download/10988.htm
http://freewebhosting.hostdepartment.co...wnload.htm
===========================================
I use this free browser, which has a built-in pop-up stopper. (Don't add About Blank to your filter list.)
Uses very little resources ( No Add's ) & is as good as any other browser.
Integrates quietly into your system, does not take over. You can still run your normal browser, if you wish.
GreenBrowser
http://www.all4you.dk/FreewareWorld/lin...e=3&cat=35
http://www.morequick.com/indexen.htm
Hit Cancel when it asks if you want to download the Language conversion.

Opium89
Guest
Posted: Sat Jun 05, 2004 5:56 pm Post subject:
I think that cured it. I went in to "Privacy" and selected disable under Microsoft VM - Java Permissions, cleared out the cookies and it seems to not be coming back. Interesting to note that when I blocked the cookie for the site, it started coming up every time. I guess the cookie was keeping track of the time so the damn thing would only appear every 24 hours.
Thanks for the assistance.

John
Guest
Posted: Sat Jun 05, 2004 7:31 pm Post subject:
That's OK.