Re: pop-up issue

>> What the heck is going on? <<

You have a virus.

~~

Remove drive.
Put in another system as second drive and DON'T EVEN LOOK AT the files on it.
Run anti-virus on the drive from host system.
Write down what it finds and does.

Put problem drive back in original system and start fixing damage done.

.

Re: pop-up issue

Scaning only with Ad Aware will not help. About 5 years ago, I had even more problems with viruses and spyware when I didn't know anything about firewalls, spyware, and such. Your best bet is to scan with at least 2 different programs. My suggestion is, go to download.com and download Webroot SpySweeper (should be a 30 day free trial), Spybot Search and Destroy (free), and HijackThis (also free). Prior to scanning, disconnect your internet, and restart your computer. That way, any spyware that might be open and connected to the internet won't be a problem when deleting.

First scan with SpySweeper, and permanently delete all spyware that it finds.

Then scan with Spybot Search and Destroy, and again delete any spyware that it finds.

Lastly, scan with HijackThis. Be extremely carefull though, since that program doesn't find know spyware but rather shows files in different vulnerable locations (most of which are Windows and IE/FF components and not spyware, so research every single entry. Google should be helpful here, however research from another computer and not the one your are cleaning).

Once done scaning and cleaning your computer, install Spyware Blaster and active its protection (turn off SpySweeper when doing that, though). What Spyware Blaster does is it registers known bad/spyware/virus-infected websites into the IE/FF registry so that when you try to view a website that might be infected or that has advertisements with spyware, IE/FF will not download the advertisement from that website. It works similar to the hosts file for FF that disables most of the common advertiesements. Best part is, once you active the Spyware Blaster protection, you will no longer need to have it running to be protected (though opening Spyware Blaster and updating its database once a month or so is desirable).

Once finished with all that, have yourself a firewall and anti-virus just in case. I have Zone Alarm and AVG-Free since they are both good and not heavy on system resources and are both free. I've also successfully cleaned many computers besides mine this same exact way, and never had a problem with them ever since, even when visiting some half-shady websites.
Sorry for the long post, and I hope this helps you somehow.

Re: pop-up issue

My 2 cents...

I have a hardware firewall built into my onboard LAN, plus I'm behind a router. I never trusted a software firewall, got infected many times with one (Black Ice Defender). Used to have McAffee too, got infected with that piece of garbage! Now I just run Panda Total Internet Security (about $20.00 a year), and with my hardware firewall and router, I've never had a problem since.

Re: pop-up issue

son of a...
How the hell did it get on here?!
I have no alternative system to boot off of The closest thing I have to a computer that runs ANY modern antivirus package is my parents computer and even then it's Norton Antivirus (better off with nothing).


EDIT: SON OF A BITCH!!!!
A quick check of the history logs finds links to pages about watercolor painting.
My mom has been using my computer again and knowing how she completely nuked our Telus email inbox (now we get DUPLICATES of spam) she probably was going to shady places on my computer too. Damnit! I need to get her a linux box. She destroys any windows pc she uses.

Re: pop-up issue

If you want you can post your HijackThis log in Techspot's "Security and the Web" section
Many very knowledgable guys in this field will be able to help you...
But please do read the stickies first...

http://www.techspot.com/vb/menu28.html

Re: pop-up issue

I would just reinstall windows. Getting the bugs out of a sick install is too much of a hassle.What I do is reinstall and make an image of the clean installation with ghost or acronis. That way if I make a mistake down the road I can have a functional system again in 5 minutes.

Another good thing is to have a small system partition. 20GB is more than enough. That way when you need to reinstall, you only have to move a few GB out of the system partition and then you can hose the whole system partition with a fast re-format using the windows setup, or just recover the ghost or acronis image (if you have one)

And to wrap it up: a Windows PE (pre-boot environment) boot CD is a great tool to have. There's a tool called BartPE that allows you to make one. It allows to boot a modified Windows from CD, and run applications from it. Some antivirus have plugins you can add to the BartPE CD, so that you can remove virus from your system when booting from the BartPE CD.

Re: pop-up issue

I'll take your word for it, but from the pictures I've seen you have more computers than the starship Enterprise.

Re: pop-up issue

i would do free avast first(boot time scan) and then these two
https://www.badcaps.net/forum/showth...ware#post52481
(hitman and malwarebytes)

by then you should (at very least) have idea what's causing it(most likely it'll be removed by that time), and then you can go to bleepingcomputer.com to see if there's guide to manually remove it...
http://www.bleepingcomputer.com/forums/forum55.html

your mum was very naughty, AGAIN!!??
hehe...

Re: pop-up issue

sounds like one of my neighbors infections.
turned out to be antivirus xp 2008.
a real piece of shit that is fun to get rid of.
this thing would pop up every 15 seconds warning you to download the fix for 39.95.
about the 10th time you close it it served about 50 porno popups.
the online scanners are broken due to hosts entries it made.

Re: pop-up issue

www.malwarebytes.org

This will rid you of XP200x virus. It runs equally well in safe mode.
Current version is 1.30, freeway. Best I have found to date. Very effective against VUndo also.

www.sandboxie.com

Use Sandboxie to surf anyplace dangerous.
I use it daily, and bought a registered copy. This is a serious internet condom for surfing suspect sites. When you close the browser, you can set it to automatically flush the sandbox. Bye, bye parasites.

Re: pop-up issue

Well I can't even use the system now.
I installed one antivirus program, restarted the system like it asked and now just after I log in the system hangs.
I tried to get into safe mode...what do we have here?
The god damned BioLogon program I use won't let me type my password in. Only through the scanner and to no surprise it was disabled when you got into safe mode.

WHAT THE #@$!???


EDIT: aaargh!
Even if I let the system sit at the login screen it will hang all on its own!

Re: pop-up issue

What's your onboard LAN chip?
I'm behind a router as well, but how does that make a difference?

I never heard of Black Ice Defender, thus I wouldn't be surprised if it was crap.
And yes, McAffee is garbage. Same goes for Norton Anti-Virus or Norton Internet Security. That thing makes computers slow too.

Zone Alarm is a different story. Never had a more reliable firewall than that. It keeps track of programs on your computer that try to connect to the internet and alerts you. After a few alerts, it remembers the settings for each program (or you can set them manually beforehand - this is really helpfull for Windows main programs/executables such as svchost.exe, services.exe, etc.). Of course, it's not 100% foolproof, but it's still a very decent firewall. Next best thing that comes after it is Comodo firewall and the Windows built-in firewall, but those are far more basic than ZA.

That's another very good alternative. I've tried Avast before (that was a few years back when it was only a 60 day trial ), and I really liked the boot time scan.

*Edit*
Woops, didn't see your above message Pentium. Assuming you have XP, try pressing F8 after boot up and select
"Directory Services Restore Mode (Windows domain controllers only)"
I found this to work in times even when Safe Mode did not.

Re: pop-up issue

I'll give that a try after I finish some scans.
I pulled the drive and put it in another system and after it finishes a Norton Antivirus scan (yeah, it's crap but we paid $$$ for it and a subscription) followed by an online scan via the House call scanner which I used in the past (It always kept my system clean and cleaned up the mess that my mom left the last time she tried to use my computer) I'll try what you say and hope it works.
As for reinstalling everything. I'm not going to. I'm replacing this lone 120Gb drive soon for two 500Gb drives. It would be stupid (and a waste of time) to reinstall, only to have to do it AGAIN a month or so later.

Re: pop-up issue

I deal with this kind of thing all the time. If the only other computer you have access to is one with Norton (worse than nothing IMO) then it's time to reinstall.

Usually I can throw the affected drive in my test computer, which dual boots XP and Fedora. The XP has AVG loaded on it, which scans the drive for viruses (goodbye Windows Antivirus 2008 ). The Linux will copy the files off as a backup (ignoring Windows permissions I might add) before I do anything so there's no possibility of losing customer data.

Just as an aside about Norton, one particular laptop I saw about a month ago had Symantec Endpoint Protection, "Advanced Antivirus" and "Windows Antivirus 2008" all running at the same time. Lot of good that Symantec did. After removal and installation of AVG, several more viruses were found and cleaned.

Norton / Symantec =

Edit: Pentium, you posted while I was typing.

Re: pop-up issue

I second the malwarebytes. I've used is on 3 PCs in the last 2 weeks to remove Antivirus 2009. Works fast and completely removes it.

Re: pop-up issue

Whilst on the topic of infection, I was reading google news recently about some other virus...

http://www.theregister.co.uk/2008/10..._trojan_heist/

Re: pop-up issue

Well in that case it then either came from some chinese site where I downloaded a component datasheet or when I was looking around google.

Re: pop-up issue

@ Pentium: this kind of malware may be hard to remove because it tries to be loaded at every boot (worst cases are Winlogon extensions: you can remove them only by killing Winlogon, which is the Windows authentication process and can't officially be closed).
I agree with most suggestions here: disconnect the computer from the net (just to stop the malware from infecting others or from being updated), clean it with Spybot S&D (download the new definitions with another pc: choose manual update), Spyware Blaster (the same), basic on-demand antivirus (nothing to install, just run) like McAfee Stinger; after the first cleaning, check autoloading programs with Autoruns and disable the suspicious ones with Process Explorer (both from MS Technet, formerly Sysinternals). Restart in Safe mode and kill the most resistant malware: for killing Winlogon extensions read Russinovich' Running Windows with no services, after killing services and Winlogon you can remove the last ones.
If you don't succeed in removing everything, then you have to backup all important files, format the drive and reinstall Windows.

Whatever you managed to clean the haunted Windows or reinstalled it, you've to block most common paths for infection:
- disable unneeded services (e.g. Remote desktop, Messenger [not MSN or Live messenger, only the Windows messaging service], WebClient, UPNP, anything with "share", etc.). If CIFS/SMB networking isn't required, then you can safely unbind "MS Network File and Printer Sharing" from all network cards: beware that disabling "NetBios on TCP/IP Helper" service may disable DHCP too, so better keeping it alive though unused [screw you Microsoft ].
- run Windows Worm Door Cleaner or SeconfigXP to close some listening ports, unnecessary for most people: read related links to know all side effects before turning everything off (e.g. closing RPC may block some Live messenger extensions, such as Remote folder sharing and such. Normal file transmission shouldn't be affected );
- create a limited user account for your mother: I don't think she'll install software and an user account limits the possible damage. If some programs she use require an Administrator account, then there are two choices: 1) keeping the limited user and writing some runas scripts to run those and only those programs as admin (suggestion: keep a folder writeable from both accounts and tell your mother she'll write and read all files from here); 2) giving up and running her account as admin (last choice);
- [if you know what to do] enforce NTFS ACLs for the limited user account: set Windows, System32 and System Restore as read/execute only and create a folder for temporary files dedicated to the account;
- install another browser and another mail client: both IE and Outlook Express are the main target for malware writers and their default configs suck a lot. Install Firefox (+NoScript), Opera (+ an UserJS extension) or at least a better browser using the IE engine for the former, Thunderbird for the latter.

Main point: tell your mother do not click on every attachment, flashy banner and such.
Microsoft don't love you, don't know your mail address and don't send patches by email (a client of mine was lured with fake patches ); the same for phishing sites.

[IRONIC] Happy cleaning [/IRONIC]

Zandrax

Re: pop-up issue

Ugh!
I had to abandon scanning with Norton as I had let it scan for the afternoon and it was only 10% done.
House call is working now and after hat I'll fire up Spybot S&D and pass it over the drive as well and then see what else I can do.

The system is secured with a biometric lock (there are some things your parents don't need to know about like , , and other things ) however there is the odd time where I leave the system and don't log out and my mom is too lazy to go and power the computer downstairs on (norton makes a mildly good spec system crawl).