Built-in pop-ups


simpo two

Original Poster:

88,031 posts

276 months

Thursday 18th December 2003
After a heavy day's surfing yesterday I found that something had snuck into my PC and changed the default homepage. I corrected it via Tools and it seemed OK but then I got a pop-up instead. After switching on again this morning the alien homepage had returned (and no, it wasn't porn!).

So I dug deeper and found the relevant lines in the registry (scary) and put them right - but I'm still getting the pop-up each time I open Internet Explorer.

Can anyone tell me where to find this germ and kill it?

FourWheelDrift

90,145 posts

295 months

Thursday 18th December 2003
could try....

Letting the popup appear, then "ctrl, alt, del" to bring up the Windows Task Manager and have a look in the processes running for an abnormal program. Then search for it and delete it where it is stored. Then look in the registry for any identically named folders/files and delete those. You can search on the net for the process names, the odd one may well be listed on a search and be called Spyware or something similar.

*Only to be done if you know what should be running in the process list first so you don't stop or delete a critical program running.

simpo two

Original Poster:

88,031 posts

276 months

Thursday 18th December 2003
I looked at that, but there are 30-40 things in there and I wouldn't know which is the odd one out. Nothing says 'Spyware'!

When I open IE the only thing new that appears - assuming they go to the top of the list - is IEXPLORE.EXE.

It's something to do with IEXPLORE.EXE - if I click on the Applications tab there are two things running: Explorer and the pop-up. Right-clicking on either line and selecting 'Go to Process' tells me they are both IEXPLORE.EXE....

>> Edited by simpo two on Thursday 18th December 13:27

tvrtim

438 posts

273 months

Thursday 18th December 2003
I had the same problem.
If you search for CWShredder you will find a free download which clears the problem.
Best to keep it on your desktop for the next infestation.

docevi1

10,430 posts

259 months

Thursday 18th December 2003
what you need to do is

a) install a firewall, www.sygate.com has a very good free one, as does www.zonelabs.com
b) install a spyware removal tool, I prefer Spybot (http://download.com.com/3000-2144-10194058.html?tag=lst-0-1), run that and it'll get rid of all the stuff you don't want
c) run msconfig, go to the startup and disable everything you recognise and that you don't want.
d) if this is XP or NT let us know and we'll direct you as to what services you can stop successfully (for security purposes as well)

FunkyNige

9,335 posts

286 months

Thursday 18th December 2003
docevi1 said:
b) install a spyware removal tool, I prefer Spybot (http://download.com.com/3000-2144-10194058.html?tag=lst-0-1), run that and it'll get rid of all the stuff you don't want


I use ad-aware (www.lavasoft.de [hopefully]) too, it seems ad-aware gets some of the things that spybot doesn't, and vice versa.

docevi1

10,430 posts

259 months

Thursday 18th December 2003
have they been updating adaware? I heard they gave up and stopped, then they released v6 or something and did the same (especially for the free one).

Spybot is updated often enough for me

ooo, and you'll want an anti virus prog as well for good measure, AVG from www.grisoft is a dandy free one as well

Simpo Two

Original Poster:

88,031 posts

276 months

Thursday 18th December 2003
Wow, that's a good list. I should have mentioned that I already have ZoneAlarm (free version) and the ISP's firewall, plus fully updated Norton AV. So how this bugger got in I don't know! Some websites try to install things but I've always had a security alert and clicked 'no'.
I'm not confident enough to start disabling things in msconfig/startup - I might break it completely! - and there's lots of stuff I don't recognise.
Re XP, I got a security patch via my ISP recently but have to be careful as I don't want to disable the clever little exe that's keeping it going
I'll go for Spybot though and see if that turfs the critter out!
Thanks very much for the advice.. will keep you posted!

docevi1

10,430 posts

259 months

Thursday 18th December 2003
it's easy enough to modify the stuff in msconfig, just make sure you know what you are disabling and if it's something you need, retick the box.

Why not make a list of the stuff there (print screens) and post them on here, we'll say "aahhhhh" and "ooooooh" and "OMG" lots, but you'll get the idea

Simpo Two

Original Poster:

88,031 posts

276 months

Thursday 18th December 2003
OK, I downloaded Spybot and it's sitting in a file waiting to be installed. It's not installed yet because I found this review at http://download.com.com/3302-2144_4-10194058.html?pn=1&fb=2. Rather put me off, as you can imagine:

'If you download this product, you may as well buy a new computer" Hmmm, let's see.....I read all of the help like people had said in their comments before doing anything, I did every thing the program had said. This thing screwed up my computer, I had a computer whiz look at my computer and he got every thing out, but, the "BIG" but, he told me to buy a new computer or pull out the hard drive and start from fresh because no matter how much you think you get this thing out of your memory, It doesn't happen, it is sleeping in your computer and just opens when it feels like it and attacks your computer. This thing is SPYWARE. He had to take out so much out of my computer and I lost 50% of my important saved work from my computer. Now that I have a new computer, I am having no problems. I just want to make you people aware of this because this is a scam so they can get into your computer, eat it alive and sit back and laugh. Anyone who gives this thing a thumbs up or a good rating, you should be ashamed of yourself. God has a place where he puts all of the good people and I don't think you will be following'

>> Edited by Simpo Two on Thursday 18th December 16:25

docevi1

10,430 posts

259 months

Thursday 18th December 2003
um, how to put this politely, I as a reasonably knowledgeable person spotted far too many mistakes in that "review" to give it any credit.

I've had it on my machine here, updated regularly and never had any trouble. I run 2 firewalls (hardware and software), the latest AVG and all sorts and never had any trouble.

It's your choice, but if you are careful about what you disable (some programs require the spyware to run) you will not have any trouble whatsoever. If however you are concerned, try AdAware.

Simpo Two

Original Poster:

88,031 posts

276 months

Thursday 18th December 2003
Fair call Docev1l, I just have to keep my guard up and don't have your experience. However, I've used Webroot Windowasher for a while and trust them - and they do a spy tool as well http://download.com.com/3302-2144_4-10194058.html?pn=1&fb=2
As they are the devil I know, I feel more comfortable with that, but being very much a one-eyed man amongst the fully sighted here, what's your opinion of Webroot stuff?

lazyitus

19,928 posts

277 months

Thursday 18th December 2003
Docevi1, a list from the startup tab:

Windows shell library loader
Load power profile
Scheduling agent
Money agent
Winlogon
Scan registry
Task monitor
PCHealth
SSDPSRV
*StateMgr
StillimageMonitor
Mentor tray icon
Description of shortcut
Microsoft office startup

System tray
Low power profile
Second chance
Country selection
PCTVOICE
Lexstart
Lexmark printray
System service

Any thoughts?

docevi1

10,430 posts

259 months

Thursday 18th December 2003
Simpo Two said:
Fair call Docev1l, I just have to keep my guard up and don't have your experience. However, I've used Webroot Windowasher for a while and trust them - and they do a spy tool as well http://download.com.com/3302-2144_4-10194058.html?pn=1&fb=2
As they are the devil I know, I feel more comfortable with that, but being very much a one-eyed man amongst the fully sighted here, what's your opinion of Webroot stuff?


I've never heard of them, but as you say, if you're confident with them go for it. What has been mentioned before is the running of two different spyware detection progs, why not install the one you are more comfortable with and Spybot, once it's done its job uninstall/remove it.

docevi1

10,430 posts

259 months

Thursday 18th December 2003
Windows shell library loader - unknown
Load power profile - I remove, but does no harm
Scheduling agent - not sure,
Money agent - a program you use called Money Agent? Use it often? Disable if not
Winlogon - leave
Scan registry - disable
Task monitor - disable unless you have scheduled tasks
PCHealth - Norton, leave
SSDPSRV
*StateMgr
StillimageMonitor - you have a digicam or scanner? Use them often?
Mentor tray icon - This'll be a systray icon, if you use it leave it, if not disable it.
Microsoft office startup - disable
System tray - LEAVE
Low power profile - disable one of these (i.e. this or the other)
Second chance - program reference, I would disable
Country selection - disable
PCTVOICE - some sort of voice recognition?
Lexstart - your Printer, leave
Lexmark printray - ditto above
System service


more importantly, what you need to do is remember what you did/what you disabled and do about 3 at a time. Sometimes programs rely on them starting and cause all manner of problems in startup. What the better idea is is to stop them from within the relevant program, or disable the related service (there'll be plenty of services you don't need).

Your list isn't too bad mind, if you're not happy fiddling I wouldn't worry at all, yours is far, far shorter than mine!

>> Edited by docevi1 on Thursday 18th December 17:06

lazyitus

19,928 posts

277 months

Thursday 18th December 2003
SSDPSRV
*StateMgr


No idea what these are?

FourWheelDrift

90,145 posts

295 months

Thursday 18th December 2003
lazyitus said:
SSDPSRV
*StateMgr


No idea what these are?


SSDPSRV - Simple Service Discovery Protocol and General Event Notification Architecture services for the Universal Plug and Play functionality and is a component designed for the future generation of Plug and Play devices. Leave it.

*stateMgr - System File Protection and System Restore overlap are run from *statemgr that is run from the registry on startup. Leave it

HTH

Simpo Two

Original Poster:

88,031 posts

276 months

Thursday 18th December 2003
Right, back to the thread!

It wasn't what I thought! Sure Spybot found about 20 things and hoofed them out - but I still got the pop-up every time I went to my website (default homepage). Then I had a horrible thought - maybe the pop-up is not in my PC but at the site. So I changed my default homepage to Google and - ah - no pop-up!!!

So I fired up MS FrontPage and looked at the version of index.htm in my PC - and the pop-up was in there! In source mode I saw two grey lines of text at the top and deleted them, then uploaded over the problem index page. No better! Somehow the index page in my web in the PC is infected, and even looking through the source code I can't see anything obviously wrong (mind you I'm not html literate).
Any ideas now chaps?

lazyitus

19,928 posts

277 months

Thursday 18th December 2003
Spybot and Adaware have now both been run.

Still no change though!

It's beginning to do my head in.

Simpo Two

Original Poster:

88,031 posts

276 months

Thursday 18th December 2003
At last! Ran Adaware and at last my index pages are no longer infected. BTW the culprit was in.webcounter.cc - I found quite a lot of references to it on Google in various forums. I was really convinced it had managed to upload itself to my website, but seemingly not.
Phew!
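
The manual check described in the posts above (reading the source of index.htm for something that should not be there), as an added example that is not from any poster: a Python sketch that lists every script, frame, embed or inline-script URL in a page whose host is not one of your own. The sample HTML, the `www.example.com` and `ads.example.net` hosts, and the placeholder file name on the domain named in the last post are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that makes the browser load active content from a URL.
URL_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
             "embed": "src", "object": "data"}
# Absolute URLs inside inline script text, e.g. window.open("http://...").
INLINE_URL = re.compile(r"""https?://[^\s"'<>)]+""", re.I)

class ExternalRefFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.in_script = False
        self.findings = []          # (line, where, host)

    def _check(self, line, where, url):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in self.own_hosts:   # relative URLs have no host
            self.findings.append((line, where, host))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self._check(self.getpos()[0], tag, value)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            for m in INLINE_URL.finditer(data):
                line = self.getpos()[0] + data.count("\n", 0, m.start())
                self._check(line, "inline-script", m.group())

def find_external_refs(html, own_hosts):
    finder = ExternalRefFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; only the first host comes from the thread.
SAMPLE = """<html><head>
<script src="http://in.webcounter.cc/PLACEHOLDER.js"></script>
<script src="/js/menu.js"></script>
</head><body>
<img src="http://www.example.com/logo.gif">
<script>window.open("http://ads.example.net/pop.html");</script>
</body></html>"""
```

Running it against both the copy on the web server and the copy on the PC shows whether the reference is really in the file or is being added on the way to the browser.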