Computer problem of the year

BlindedByTheLite

Flashlight Enthusiast
Joined
Jul 6, 2003
Messages
2,170
Location
Bangor, Maine
wellll here goes -

also, internet explorer pop-up ads come CONSTANTLY while i'm online now! even when i'm OFFLINE!!! they pop-up, whether i'm on a website with pop-up ads or not.
is there ANY WAY to get rid of internet explorer when i'm using Juno for my internet service?

this is really annoying. they pop up for no reason and i close them, and they come, and i close them. this happens anywhere from 2 to 16 times.
this seems to be causing other problems on my computer. slowing it down, getting the blue screen and shutting itself down automatically. it's unable to boot up sometimes, claiming the info on the floppy wasn't found or whatever.

does this sound like a virus? spyware? an entirely different animal?

i currently have Spybot, Adaware, and Spyware Blaster on my computer that i've been trying to combat these things with, to no avail (altho i do find a ton of other crap on the computer to get rid of).

where should i be looking and what should i be downloading to fight this crap off?
 

tiktok 22

Flashlight Enthusiast
Joined
Sep 8, 2002
Messages
1,273
Location
Illinois
Don't know about that specific problem, but you might want to check out Firefox in the future. It's a great browser without all the baggage.
 

BlindedByTheLite

Flashlight Enthusiast
Joined
Jul 6, 2003
Messages
2,170
Location
Bangor, Maine
i use Firefox as my default browser, and have Thunderbird on stand-by also.

but Juno runs on internet explorer and i can't get online without opening Juno.

it's sort of a Catch 22.

get online. internet explorer is automatically open. can't get rid of internet explorer.
use Firefox as my default browser and do everything on it, but with Juno open the homepage means internet explorer is automatically running.

it's chaos i tell you! madness man!
 

eluminator

Flashlight Enthusiast
Joined
Mar 7, 2002
Messages
1,750
Location
New Jersey
I don't know your problem, but here are a few things to consider.

You must have a firewall. The one built-in to XP should do. Make sure it's enabled.

I.E. will give you popups unless you install a popup blocker. I like the Google toolbar for this because it's easy, fast, and handy.

You must have an anti-virus program. I use McAfee, but I don't want to get into any anti-virus wars.

Once some malware gets onto your computer, it can compromise your anti-malware software so it becomes invisible. You should do an online scan. Most anti-virus vendors have these. I use McAfee's, but again I don't want to get into anti-virus wars.

I've never encountered an ISP that required a specific browser; Juno seems less than ideal.

I don't use an instant messenger so I got rid of Windows Messenger. If you don't use yours you should get rid of it. If you use yours, you will need to do more research on this. Note, this is not the same as the messenger service which the "shoot the messenger" will disable. To get rid of Windows Messenger, use this:
http://www.dougknox.com/xp/utils/xp_mess_disable.htm

If an on-line scan doesn't find anything, or if it finds something it can't remove, you can try running Stinger:
http://vil.nai.com/vil/stinger/
 

SilverFox

Flashaholic
Joined
Jan 19, 2003
Messages
12,449
Location
Bellingham WA
Hello BlindedByTheLite,

I just went through a pop up problem myself. I have no idea where it came from, but during a virus scan (Norton 2004 Professional) I discovered several spy threats on my HD. Norton was unable to delete one of them so I downloaded Spybot Search and Destroy.

Spybot also recognized the problem and deleted the offending files. I would open IE and would get 1-3 pop-ups, then nothing. This was less annoying, but still bugged me.

I re-booted and the problems came back. I did a test by getting rid of the "spy ware" and every time I re-booted it came back.

I had to review what Spybot found and delete entire registry keys relating to those entries. I did a search for the offending "1044" key and found it listed in 8 different areas. Deleting those keys solved my problem.

I now have no pop up problems.

CAUTION!!! When you edit the registry, you can screw up the whole system.

Tom
 

jtr1962

Flashaholic
Joined
Nov 22, 2003
Messages
7,505
Location
Flushing, NY
This sounds very similar to the problems on my sister's computer. It took me the better part of a day to clear out all the spyware, adware, and malware junk. Two months later, the machine came back in even worse shape. Besides all the registry keys I had to delete, there were also ~10,000 junk files like ef563hy.exe or z85ghtye.dll that I had to delete.

Since I obviously don't have your machine in front of me, I'll give a couple of general suggestions.

1) Physically disconnect the machine from the Internet before proceeding any further. Some malware programs will reload the junk from the Internet if you delete it.

2) Kill all running processes except explorer.exe. Again, some malware runs in the background and reinstalls stuff right after you delete it.

3) Next, you need to start deleting start-up items. Go to Programs-Startup and delete anything which you are unsure about.

4) Start regedit, and delete anything suspicious under the following registry keys (this list is by no means exhaustive):

HKLM\Microsoft\Windows\CurrentVersion\Run
HKLM\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Microsoft\Windows\CurrentVersion\Run
HKCU\Microsoft\Windows\CurrentVersion\RunOnce

HKLM = HKEY_LOCAL_MACHINE
HKCU = HKEY_CURRENT_USER

5) Go to the folder C:\WINDOWS\All Users\Start Menu\Programs\StartUp and delete anything which looks strange.

6) Install and run Adaware to catch anything which the above procedures didn't catch.

7) Use Windows Explorer to view the C:\windows and C:\windows\system folders. Set it for detailed view, and view the files by date order. If you see a lot of files with the same creation date, and junk names like I mentioned earlier, delete them. Be aware that this may take some time if there are thousands of them.

8) Set your start page in IE or whatever browser you use to "blank". You can always change it back to CPF or whatever afterwards. Some malware puts an ad site with popups in the start page, so once you delete all the junk, it proceeds to put it back the minute you start IE.

9) Restart your machine when done, and check to make sure nothing suspicious is running.

10) If all else fails, back up your personal files, format your hard drive, and reinstall Windows. Thankfully I didn't need to do this, but it is a possibility if the spyware infection is bad enough.

Be prepared to spend the better part of a day doing this, and to endure some frustrations when everything isn't cleared the first time. Once your machine is clean, stay clear of sites that tend to put this junk on your machine. Such sites are generally one of a few categories: pornography, peer-to-peer, commercial-oriented in a consumerist type of way, personal web pages with links like "download this kool program!" Stick to legitimate sites and you should avoid 99% of problems. Run Adaware periodically anyway to check for junk. Or if you must go to these other types of sites (perhaps you just took a Viagra and need to make sure everything works OK), use an old computer set up simply to browse, and just reinstall everything whenever it gets hopelessly messed up. Don't browse questionable sites on your main machine where you keep all your precious files, and back up those files regularly regardless. Hard drives have a nasty habit of failing with little or no warning.
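Step 7 in the post above (sort the Windows folders by date and look for many junk-named files created together) can be scripted. The following is an added example, not part of the original post; the function names, the name pattern, the threshold and the sample listing are assumptions made for illustration.

```python
import os
import re
from collections import defaultdict
from datetime import date

# Letters, a digit run, then more letters/digits: the shape of the post's
# examples ef563hy.exe and z85ghtye.dll. This only sorts a listing for review;
# legitimate files can match and junk files can miss.
JUNK_NAME = re.compile(r"^[a-z]+\d+[a-z][a-z0-9]*\.(exe|dll)$")

def listing_from_dir(path):
    """Yield (name, creation date) per file. st_ctime is the creation time on
    Windows only; elsewhere it is the inode change time."""
    for entry in os.scandir(path):
        if entry.is_file():
            yield entry.name, date.fromtimestamp(entry.stat().st_ctime).isoformat()

def junk_clusters(listing, min_cluster=3):
    """Return {date: sorted names} for dates where at least min_cluster
    junk-looking executables share one creation date."""
    by_date = defaultdict(list)
    for name, created in listing:
        stem = name.lower().rsplit(".", 1)[0]
        if JUNK_NAME.match(name.lower()) and 6 <= len(stem) <= 10:
            by_date[created].append(name)
    return {d: sorted(n) for d, n in by_date.items() if len(n) >= min_cluster}

# Constructed listing: hypothetical names and dates, apart from the two file
# names quoted in the post. mfc42u.dll and setup3a.exe match the pattern but
# stand alone on their dates, so the cluster threshold keeps them out.
SAMPLE = [
    ("kernel32.dll", "2003-07-06"), ("notepad.exe", "2003-07-06"),
    ("mfc42u.dll", "2003-07-06"),
    ("ef563hy.exe", "2004-09-04"), ("z85ghtye.dll", "2004-09-04"),
    ("q7t2mwx.dll", "2004-09-04"), ("k94bzrp.exe", "2004-09-04"),
    ("setup3a.exe", "2004-09-10"),
]

if __name__ == "__main__":
    for day, names in junk_clusters(SAMPLE).items():
        print(day, names)
```

On the affected machine, `junk_clusters(listing_from_dir(r"C:\windows"))` produces the same kind of report from the live folder; review the listed files before deleting any of them.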
 

kubolaw

Enlightened
Joined
May 15, 2002
Messages
324
Location
SF Bay Area
Sounds sort of like the malware CoolWebSearch. You can try downloading and running CWshredder to get rid of it. Note that some of the newest versions of CoolWebSearch can overcome CWshredder (which is no longer being updated, as far as I know).

John
 

PhotonWrangler

Flashaholic
Joined
Oct 19, 2003
Messages
14,469
Location
In a handbasket
To make it easier to control what starts up automatically with Windows, get Mike Lin's excellent Startup Control Panel. There are two versions - one that integrates into the Control Panel, and a Standalone version that you can place anywhere. It saves loads of time searching through registry keys.
 

BlindedByTheLite

Flashlight Enthusiast
Joined
Jul 6, 2003
Messages
2,170
Location
Bangor, Maine
Aaron:
thanks, i'll have to add that to my arsenal.

eluminator:
thanks for the links. i'll install Google's toolbar later tonight and see how that works.

Tom:
i've been running Spybot Search and Destroy, Adaware, and Spyware Blaster, and the pop-ups keep on coming. *sigh* i'm going to have to run some virus scans, i guess. tho this doesn't seem like a virus. just really persistent spyware.

Saaby:
i do wish those two programs would clear up my problem, but no luck yet.

JT:
well, i found a ton of things i needed to clean up, but the pop ups are stilllll coming. i might have to reinstall Windows!! ahhhhhh!

John:
thanks for the heads up. that might be it. here are a few of the more common links coming thru in the pop-ups (i've disabled the links so no one accidentally clicks).
servedby.advertising.com/site=0000689346/mnum=0000113135/genr=1/logs=0/mdtm=1092755853/bins=1

jbigpops.cjt1.net/redirect/click.asp?AS=700&AW=421&PR=214684&ORD=246566880&URL=http://www.gamingclubpoker.com/a36784

servedby.advertising.com/click/site=0000689346/mnum=0000113135/genr=1/tkdt=B0P1R1T0/bnum=14884578

jbigpops.cjt1.net/HTM/421/0/JavaSiteRequest.asp?AW=421&LV=6000&DC=700&L=0&NF=0&IW=0&IH=0&ORD=1094326713052?

everyone stay clear of that junk!

PW:
you sir, are a gentleman and a scholar. wonderful link! thanks!
 

Icebreak

Flashlight Enthusiast
Joined
Aug 14, 2002
Messages
4,998
Location
by the river
BlindedByTheLight -

I think the other guys are on the right track.

I'm not an expert but I think we can get rid of it for you.

It's a browser helper (BHO) in the form of a Hijacker generating pop-ups.

To get rid of it do these things.

Make sure Adaware and SearchAndDestroy have been updated today and then run them again.

If you've already done that, no need to do it again.

Make sure you have WinZip. If you don't get a free trial copy here: http://www.winzip.com/ddchomea.htm

Go here http://www.lurkhere.com/~nicefiles/index.html and download HiJackThis. It will come to you in a zip file. If that link doesn't work go here: http://www.spywareinfo.com/~merijn/downloads.html That's the guy who wrote it. I trust both of these sites.

Before proceeding know that we are going to be in your registry so go slow and be careful.

Shutdown your browser.

Open HiJackThis.

On the config button, make sure backups is checked. If we make a mistake we can go get your original registry. But we aren't going to make a mistake.

Run the program using the SCAN button. It's very fast. It is going to detect Adaware and that's OK.

Save the log by using that button. Copy and paste the log to notepad and save it.

What we are looking for is in a BHO (browser helper) [browser hijacker] and any registry entries that are associated with it.

If you are not comfortable with the process at this point you can copy/paste the log that you save in notepad and post it here in this thread and I'll tell you which BHOs and reg entries to checkmark.

If we go this way, some of the other guys might be of some help as they may recognize things that are problematic.

If you are comfortable with the process read the BHO entries and check box any that look suspicious. Then look at the rest of the entries and checkbox any that are associated with the BHOs you've checked. Review your check boxes. Then click "Fix Checked"

Again I'm not an expert but I've used this program to get rid of ShopNav hijacker at home and get rid of HotBar on machines at work. HotBar is a browser helper. ShopNav acts like a helper but is a hijacker. Here is what it looks like:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=

When I run HijackThis it detects only two entries for Symantec. I don't need them but I leave them there because they actually help.

I've got full Adobe at work so I leave that entry.

IOW if you recognize the entry as being associated with something you use, keep it.

I'll check back in either tonight or tomorrow to see how you are doing.

Again, the other guys are on the right track and all their suggestions are correct IMO.
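The review described in the post above (read the BHO entries, then the IE page and startup entries, and keep whatever belongs to software you use) can be done as a first pass over a saved HijackThis log. This is an added example, not part of the original post and not HijackThis code; `triage`, `trusted_hosts`, `recognized_dirs` and every sample line except the quoted R1 entry are assumptions.

```python
import re
from urllib.parse import urlsplit

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def triage(log, trusted_hosts=(), recognized_dirs=()):
    """Return (code, reason, line) for entries to review first.
    R0/R1 = IE start/search pages, O2 = browser helper objects,
    O4 = Run-key and Startup-folder autostarts."""
    def recognized(path):
        # A directory prefix only orders the review; it does not prove the
        # file is legitimate.
        p = path.strip().strip('"').lower()
        return any(p.startswith(d.lower()) for d in recognized_dirs)

    flagged = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1"):
            host = urlsplit(body.partition("=")[2].strip()).hostname
            if host and host not in trusted_hosts:
                flagged.append((code, f"IE page points at {host}", line))
        elif code == "O2":
            path = body.rsplit(" - ", 1)[-1]
            if not recognized(path):
                flagged.append((code, f"unrecognized BHO file {path}", line))
        elif code == "O4":
            cmd = body.partition("] ")[2]
            if not recognized(cmd):
                flagged.append((code, f"unrecognized autostart {cmd}", line))
    return flagged

# Constructed log: CLSIDs, names and paths are placeholders; only the R1 line
# is the entry quoted in the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\z85ghtye.dll
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Adobe\ExampleHelper.dll
O4 - HKLM\..\Run: [ef563hy] C:\WINDOWS\ef563hy.exe
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\Common Files\Symantec Shared\example.exe"
"""

if __name__ == "__main__":
    dirs = (r"C:\Program Files\Adobe", r"C:\Program Files\Common Files\Symantec Shared")
    for code, reason, _ in triage(SAMPLE_LOG, recognized_dirs=dirs):
        print(code, reason)
```

The flagged lines are candidates for a closer look, in the same spirit as posting the log to the thread for a second opinion; they are not an automatic list of boxes to check.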
 

PhotonWrangler

Flashaholic
Joined
Oct 19, 2003
Messages
14,469
Location
In a handbasket
[ QUOTE ]
BlindedByTheLite said:

PW:
you sir, are a gentleman and a scholar. wonderful link! thanks!

[/ QUOTE ]

You're welcome, BlindedByTheLight! I hardly live up to your description though!