Pop-ups cannot be eliminated

Printable View

January 31st, 2004, 02:50 AM
iankestor

Pop-ups cannot be eliminated

Help! What is the problem and how do I get rid of it?
Near the end of my wits after 15 hours trying to clean a Windows XP PC. I have uninstalled a huge chunk of software, deleted cookies, history & temp internet files, run updated Spybot, Norton & McAfee, combed the registry, emptied Windows Temp directory. All this, and my user still suffers from spontaneous combustion (7 Internet Explorer ad pop-ups open when the user does nothing and gets nowhere near any kind of Internet application or Explorer of any kind).
I am next going to have the user verify that Windows Messenger was not somehow re-activated.
I will also try installing Ad-Aware - once that is installed and updated (along with McAfee and SpyBot), I will restart and disconnect from the network. I will log in holding down the <Ctrl> key, and go through the whole deleting files business again. Once all the protection software has done checks and dealt with any problems I hope the PC will be clean.
Have I missed anything? If Ad-Aware does not finally get this thing, I am afraid it will be down to formatting the hard drive.

Here are the things commonly detected: eZula, WebSearch, ClientMan, Avenue A, Zesty-Find (they put a shortcut on user's desktop without permission or warning), gonna-search (all over the registry anywhere a URL is supposed to appear), AdGoblin, ILookup and more.
In three separate SpyBot sweeps in three consecutive days, an average of 40 items is detected, but the problem remains the same.
The most common things are an Internet Explorer session showing a Next Aisle ad for some kind of Shield (anti-virus) software, a session titled "about:blank", and one for "69.20.62.53 yyy.s.html". The IP address will tracert to a U.S. company called "Inter-Nic Technologies" (web1.nictechnetworks.com [69.20.62.53])... here is what Network Solutions says in their whois on this domain name:
"Registrant: Domains by Proxy, Inc.

Registered through: GoDaddy.com
Domain Name: NICTECHNETWORKS.COM

Domain servers in listed order:
NS1.PRIMARYDNS.COM
NS2.PRIMARYDNS.COM

For complete domain details go to:
http://whois.godaddy.com"
January 31st, 2004, 02:53 AM
576869746568617

Install the Google Toolbar ;)
January 31st, 2004, 03:23 AM
Agent_Steal

Here you go give these two websites a browse :

1. Spyware Guide
2. Spyware Info

Hope this helps.
January 31st, 2004, 03:30 AM
Boogymantroy

Im with Hex up there, install google bar and learn to use it. I was using pop-up killer for a long time till he refered me to google.

Boogymantroy
January 31st, 2004, 04:08 AM
OverdueSpy

From the NicTechnologies web site.
____________________
Advertising
With a reach of over ten million monthly Internet users, NicTech Networks is able to offer highly-targeted online advertising solutions.
____________________

Other than the main page the site is dead. However, on my test box, after closing the page, every subsequent attempt to open IE caused my Pop-UP-blocking software to crank off. Had to Press the bypass keys to access my standard home page, and no further pop-ups have been seen.

I get the sneaking suspicion that this site is attempting to take advantage of a known OS or IE vulnerability to push out their advertising. I am kind of anal-retentive about security and would wipe the system just to be safe. Additionally I would block access to the site via firewall or IE monitoring software. I'll monitor my test system for a few hours and let you know if I see anything else suspicious.

Good hunting.
January 31st, 2004, 04:17 AM
576869746568617

Oh....another Idea! Download wintasks 4 and hijack this!....check out the services that are running.
January 31st, 2004, 04:19 AM
Boogymantroy

Yeah wintasks4 or hijackthis! both good programs, you might wanna try Ad-aware too, just to see if there are more that the first do don't show

Boogymantroy
January 31st, 2004, 04:24 AM
576869746568617

Um...he already said that...

Quote:

I will also try installing Ad-Aware
January 31st, 2004, 04:38 AM
Boogymantroy

Ok ok, you got me, I didnt read the whole thread.. Im going to go sit in the corner for 10 minutes....
January 31st, 2004, 06:07 PM
da'dodo

Hmmm, just an idea, why don't you try adding the offending site to your hosts file?

It depends on the way the ads are being fetched, but if they are being fetched by a URL (as opposed to an IP address) then your PC first looks at the host file to see if there is an entry for it there. If there is then it won't bother looking it up on a DNS server, and will look at the address that is supplied in the host file. Therefore if that address points back to your PC it won't be able to fetch an add/cookie. All you need to do is goto c:\Windows\system32\drivers\etc and open 'hosts' Then add

127.0.0.1 www.ad-website.com

It won't help with lots of them, but it should help cut it down a bit...

Also, is it possible to use another browser (e.g. Netscape), as this would hopefully cut some of the IE specific ads, and allow you to block pop ups.
January 31st, 2004, 06:44 PM
576869746568617

Why didn't I think of that!

That's a good idea, da'dodo! :)
January 31st, 2004, 09:07 PM
g00n

well, for one it doesn't fix the problem. Being that there is some software somewhere on the pc that is loading the ads. This software shouldn't be there and needs to be removed.

I recommend along with ad-aware, spybot search & destroy (just google it), update the definitions, go to the advanced mode, and under the settings, select all the filesets. Make sure you immunize the pc, and then scan for problems.. You'd be suprised what you'll find.

Anyway, hope this actually HELPED.
January 31st, 2004, 10:15 PM
576869746568617

I'm confused, g00n...which one of my posts was useless? If you read the posts, you'd see that I came to the same conclusion that you did (covering up rather than fixing the problem) and added information related to FIXING the problem.

Also, do you even understand what the hosts file is? Apparently not!

And for that, you give negative antipoints? From what I just read in your post, all you did was echo what I and just about everyone else said earlier.

Now who's post was worthless?
January 31st, 2004, 10:56 PM
Und3ertak3r

As commented earlier..hijackthis.. run it .. get the list of running services/processes.. this will help find the little bugger that is hidding from everything else.. then..rescanning with spybot, adaware etc will only clean out what the replacement crap.. and perhaps the user will need to do it daily IF THEY PERSIST IN VISITING THE SAME INFECTED SITES.. (not I bundle parasite/Spy/adware with worms , trojans and virii)

Follow nihils advice... (ok he hasn't posted here yet) go to www.diamondcs.com.au and d/l registryprot this will even help you defend against worms and virii..

and BTW.. all advice has been valid..

Cheers

BTW: if you don't want the Avenue.a Cookie.. don't visit any Jupmedia site.. like AO.. or just set your browser to not accept cookies..

Agent_Steal: I checked out the Spywareguide link.. I am not sure about it's online scan.. I will report back after a registry search in safemode....

OK always caution on new products.. This one gave me a False positive in it's online scann..

Quote:

Detected Comload:
CLISDs (1) :
{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}

panic? not yet

OK here is an excerpt from the manual removal of the parasite from their website..

Quote:

HKEY_CLASSES_ROOT\Comload.loader
HKEY_CLASSES_ROOT\Comload.loader.1
HKEY_CLASSES_ROOT\Comload.loader2
HKEY_CLASSES_ROOT\Comload.loader2.1
HKEY_CLASSES_ROOT\dctl
HKEY_CLASSES_ROOT\CLSID\{9E1089BC-1AE8-4685-8D77-6721E5C318A8}
HKEY_CLASSES_ROOT\CLSID\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}
HKEY_CLASSES_ROOT\Interface\{19E91D82-7AD7-419F-866A-58C122DB1459}
HKEY_CLASSES_ROOT\Interface\{F5F779A9-24E5-4BCD-9AE5-6313D4B5AC24}
HKEY_CLASSES_ROOT\TypeLib\{266F948A-3DEE-4270-8F55-E79ACCD569FA}
Then open the System folder (inside the Windows folder, named 'System32' under Windows XP/2000/NT or just 'System' under Windows Me/98/95), and delete the file 'comload.dll'.

ok.. now I pacic.. none of these appear in a scann of the registry in normal mode.. well not when searching where they say the keys are..
Same story in safemode.. ok lets just search for the key AD7FAxxxxxxxxxxxx and not the path..

Bingo.. but not comload..

Quote:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}\Contains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}\DownloadInformation]
"CODEBASE"="http://dload.ipbill.com/del/loader.cab"
"INF"="C:\\WINDOWS\\Downloaded Program Files\\installer.inf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}\InstalledVersion]
@="1,0,0,7"
"LastModified"="Tue, 02 Sep 2003 13:01:26 GMT"

I am still searching to find out what this key is.. as it isn't what is associated with comload.. FALSE POSITIVE.. (I will retract that if i am wrong)

Hmm seem that I am..
did a google on "http://dload.ipbill.com"

Quote:

IP/Bill
Internet Payments - payment solutions for a wired world
Integrated Payments - one source for all of your website billing
Intelligent Payments - sophisticated billing with straightforward setup
For information on our hosting services, click here.
For information on our ISP services, click here,

--------------------------------------------------------------------------------

Actively under construction. Server: freebsd17.coulomb.co.uk

I retract my earlier statement.. This was a good hit.. Thanks for that Link Agent-Steal something Spybot has missed.. (I won't be removing it just yet)

Sorry for hijacking the thread.. my way of apologising to agent steal

cheers
February 1st, 2004, 01:42 AM
576869746568617

Thanks for giving out the rundown, Und3ertak3r. I appreciate you picking up the slack for me.

Maybe next time, I'll elaborate a little more when I give advice. I just AssUMed that everyone would know what I was getting at.
February 1st, 2004, 09:44 AM
Dreamcast

Google Toolbar will solve all problems
February 1st, 2004, 09:52 AM
Und3ertak3r

I better not jump on Dreamcast ( for repeating 576869746568617's first comment..) Seeing as it was the first post..

Welcom to AO.. Some of us are ugly, other not too bad, but beware looks are decieving.. some bite.. the rest just..

Cheers

BTW: 576869746568617 can we shorten your Nick?.. to like "57" or "CC" (short for Credit Card)
February 1st, 2004, 05:02 PM
576869746568617

Actually, I've been thinking about changeing it because I don't use autocomplete or cookies, and typing that in all the time is beginning to be a b17c4!

Hello Dreamcast, and welcome to AO! Next time, read the ENITRE thread before you post. You'll avoid a lot of problems that way....trust me! :D
February 2nd, 2004, 08:53 PM
iankestor

Thank you all very much... it seems there are one or two more things to try that won't require a sleeping bag and multiple pizza deliveries to get through. I am going to try several of these one at a time (I want to know what solved the problem - if that happens) and will report back on success or lack thereof.
I will try...
1 ...try adding the offending site to your hosts file
2 ...block access to the site via firewall or IE monitoring software... (thank you for your interest and suggestions OverdueSpy, although I would guess you have an interest in what is going on with that domain/IP address just for its own sake - who says self-interest is incompatible with the greater good?)
3 Ad-Aware
4 wintasks 4 and hijack this
5 1. Spyware Guide, 2. Spyware Info
6 http://toolbar.google.com/
7 FORMAT THE HARD DRIVE AND RUN FOR THE HILLS!!!! (the hills are alive, and it's kind of scary)

...and that's ok Boogymantroy - it can be hard to follow everything when people write REALLY LONG entries (iankestor?)
February 12th, 2004, 09:30 PM
iankestor

Late follow-up on resolution

Looks like much of the help was exactly that (unlike what is - in theory - provided by the BIG BUSINESS uber-corp establishment).

I did not install any toolbars - I am trying to discourage my network users from adding stuff to the software they use. A separate program that is visible to the user is not much better (since user might then reason that he/she is ALSO allowed to install stuff). Still... what worked? read on

- SpyBot and McAfee did a nice job of catching and ejecting most of the bad stuff AFTER the computer was already infected. These were already on the PC and were no help before I came to Anti-Online.
- The HOSTS file tweak was able to stop more than 50% of the new stuff from invading, since the immoral NicTechnologies IP was redirected to the user's PC.
- Ad-Aware cleaned up 95% of what was left on the machine.

Thank you everyone - my user is happy to have his PC back (mostly) in his control!!
- Credit goes to anyone who recommended the HOSTS file & Ad-Aware solutions.
February 13th, 2004, 03:20 AM
firestarter5

Hopefully you will have continued luck with the Hosts file and Adaware. As a point after the fact, you might try using a different browser. I use Mozilla Firefox (was Firebird) and it blocks pop-ups and with a simple addition, it also blocks 99% of advertisements on all websites.

Good luck anyway!