PC getting decimated from OFF-LINE popups!

Discussion in 'Tech Talk' started by Santa CruZin, Mar 28, 2005.

  1. Santa CruZin

    Santa CruZin Searching

    A friend of mine called and asked me to help her with a popup problem on her PC. I had no idea what I was about to get involved with.

    She's on Comcast DSL. I think the first mistake she made was not understanding how to properly close a popup (outmost perimeter X, NEVER hit a response button). Something has installed itself on her PC, and she now gets floods of popups, as many as thirty at a time, with the DSL physically unplugged!

    We installed the latest McAfee virus scan software, and it finds trojan horses that re-appear from nowhere after being deleted (still off-line, mind you). When trying to figure this out with Task Manager, I would find processes that would reappear instantly after deleting them. On one occasion, I went out and attempted to delete a suspicious .exe file, and the system went into shutdown mode, and I couldn't prevent it. I later killed the file.

    I have deleted all IE temp folders, history, cookies etc. I have painstakingly reviewed the Program Files, Windows and User directories, and cleaned everything that might even look slightly suspicious.

    No change. I've never seen anything like this in my 15 years of working with PCs. If I kill the IEXPLORE process, the windows all die off, and about 20 seconds later the whole damn process repeats itself. I'm about ready to put a few rounds into the center of the monitor.

    Short of reformatting the hard drive and starting from scratch, what tools are out there that might clean this up once and for all? Any suggestions?

    Thanks!
     
  2. Hauptmann6

    Hauptmann6

    Run all the tools from safe mode...
     

  3. Santa CruZin

    Santa CruZin Searching

    In Windows XP, how do you even get into safe mode? I tried that (old F key method anyway), and XP just ignored me and loaded right up...
     
  4. Emmiline

    Emmiline Cybil

    I got the same virus in the same way...

    Closing by the x does NOT always work...better to close from the system tray.

    Hubby had to buy something called PC Bug Doctor and run it to get rid of it. He got it off the net. We also run Privacy Eraser Pro and Adaware. They usually take care of everything but that virus was NASTY.

    After you get this cleared up, get your friend on Firefox. Since switching I have had NO issues and I had problems almost weekly w/ IE.

    Good luck...that is VERY frustrating.
     
  5. westwindmike

    westwindmike

    Try Adaware and Spybot, both free. If they don't work, try Microsoft's new AntiSpyware program. All should work well. I also use RegSeeker to clean up the registry. Hope this helps.
     
  6. Emmiline

    Emmiline Cybil

    forgot to say you can get the Privacy Eraser for a free trial (14 or 30 days?) it is a really good program. We ended up buying it...it has a program to permanently delete stuff off your computer.
     
  7. Santa CruZin

    Santa CruZin Searching

    Great suggestions everyone, thanks! Have I ever got my work cut out for me...
     
  8. Glocks&Ducs

    Glocks&Ducs

    I saw the same thing with the computers at work. Our resident computer nerd could not get them to stop, he wound up zapping the computer and reformatting. The adware stuff and all that would not work because the windows popped up so quick you couldn't see an application long enough to run it.


    These particular pop-ups were not the typical 1 or 2 a second, you could see them cascade at the rate of about 10 a second and just kept going.
     
  9. Santa CruZin

    Santa CruZin Searching

    That's EXACTLY what I'm facing.

    I have found that killing the IEXPLORE process when this happens will give me about 10 to 30 seconds to get something done. When it hits again, I just go straight back to the Task Manager and kill it again. By repeating this, I should be able to get some good tools loaded and installed (eventually).

    10 a second is about right. :(
     
  10. vote Republican

    vote Republican White and nerdy Moderator

    Sent you a PM, but reposting the meat of it for others:

    I would start with webroot spy sweeper- I find that it locates more of the buggers than anything else. Install & run, make sure you update the definitions first. It will probably cull you down from a few hundred buggers to a few. Reboot, run again. Take note of what is still there- you can say remove but this is the pop back in immediately thing that is so bad. (I actually did regedit & deleted the entries & saw it immediately come back).

    This is where you need to take notes & reboot into safe mode, or even better safe mode with command prompt. In webroot, if there's some buggers that won't come out, look for the .exe or .dll file location, then you can delete them in safe mode.

    When done, also run ad aware, it may clean some stuff up for you.
     
  11. 45acp4me

    45acp4me Pissed puppet

    Download the software you need then unplug that puppy from the network. Install your software, run it once with the old data in place, then reboot. Connect it back up to the Internet, download the updates then run it again.

    I doubt you'll get pop ups if you kill off its connection.

    Regards,
    Glen
     
  12. HerrGlock

    HerrGlock Scouts Out CLM

    You sure it's IE and not windows messaging?

    What Windows Messenger Service Allows to Happen on Your Computer

    Should a pop up box appear on your screen with the words "Messenger Service" in the title bar such as the one below, chances are that you have Windows Messenger Services enabled.

    Messenger Service Box



    In their initial state, Microsoft Windows operating systems (98, ME, XP, 2000, NT) allow anyone on the internet to pop up Windows on your screen. There is no need for them to know anything about your computer and your computer does not care who does it.



    Even less savory individuals may pop up messages on your screen that try to fool you into taking actions that may not be in your best interest.



    The important thing to remember is that anyone, anywhere in the world can pop up one of these messages on your computer. At this time it looks as though all these messages will have "Messenger Service" in the Window title. It would be wise to verify with support staff any such message that appears on your computer that instructs you to take actions that may divulge sensitive information, change your password, leads you to a web site, or take other, unusual actions on your computer.

    Also know that spam senders are using the Windows Message Service as another way to distribute their advertisements.

    Keep in mind that faculty and staff are advised to check with their computer support staff before disabling any service so that you do not inadvertently disable a service that your department uses.





    Disabling the Messenger Service

    To remove the ability for anyone in the world to pop up messages on your computer, you can disable the Messenger service. It's easy to reverse at a later time if you wish to do so.



    Windows 2000

    1. Click Start-> Settings-> Control Panel-> Administrative Tools->Services
    2. Scroll down and highlight "Messenger"
    3. Right-click the highlighted line and choose Properties.
    4. Click the STOP button.
    5. Select Disable or Manual in the Startup Type scroll bar
    6. Click OK



    Windows XP Home

    1. Click Start->Settings ->Control Panel
    2. Click Performance and Maintenance
    3. Click Administrative Tools
    4. Double click Services
    5. Scroll down and highlight "Messenger"
    6. Right-click the highlighted line and choose Properties.
    7. Click the STOP button.
    8. Select Disable or Manual in the Startup Type scroll bar
    9. Click OK



    Windows XP Professional
    1. Click Start->Settings ->Control Panel
    2. Click Administrative Tools
    3. Click Services
    4. Double click Services
    5. Scroll down and highlight "Messenger"
    6. Right-click the highlighted line and choose Properties.
    7. Click the STOP button.
    8. Select Disable or Manual in the Startup Type scroll bar
    9. Click OK



    Windows NT

    1. Click Start ->Control Panel
    2. Double Click Administrative Tools
    3. Select Services-> Double-click on Messenger
    4. In the Messenger Properties window, select Stop,
    5. Then choose Disable as the Startup Type
    6. Click OK

    Windows 98 & ME
    Windows Messenger Service cannot be disabled
     
  13. Santa CruZin

    Santa CruZin Searching

    "iexplore" is the process driving the popups. If I end it, the popups go away (iexplore re-launches many seconds later, and the whole mess then repeats). Each popup is contained in a Microsoft IE window, so I'd have to say this isn't a product of the messenger service.
     
  14. HerrGlock

    HerrGlock Scouts Out CLM

    Okay, just making sure. The messenger thing is something that drives people nuts as well.

    DanH
     
  15. David_G17

    David_G17 /\/\/\/\/\/\/\/

    i've run into this before on a computer at school. i tried norton, microtrend, adaware, spybot, etc.

    i couldn't fix it b/c i didn't have admin rights.

    have you checked the registry?

    regedit
    hkey current user ->software -> microsoft ->windows -> currentversion -> run

    and under hkey local machine
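
Added example, not part of the original thread: a triage script for the Run keys mentioned above, meant to be run on a clean machine over saved `reg query` output so the suspect .exe and .dll paths can be noted before deleting them in safe mode. The sample entries, the function names and the two flagging heuristics are assumptions made for illustration.

```python
import re
from ntpath import basename

# Constructed sample: `reg query` output for the HKCU and HKLM Run keys.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Updater    REG_SZ    "C:\Documents and Settings\User\Local Settings\Temp\upd32.exe" /s
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Helper Loader    REG_SZ    rundll32.exe C:\WINDOWS\hlp.dll,Start
    AVTray    REG_SZ    "C:\Program Files\ExampleAV\tray.exe"
"""

# Value lines look like: <indent><name><whitespace>REG_xx<whitespace><data>
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, command) for each value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := ENTRY.match(line)):
            yield key, m["name"], m["data"].strip()

def target_path(command):
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):            # quoted path, arguments follow
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.I)
    return m.group(1) if m else (command.split() or [""])[0]

def triage(text):
    """Flag entries using two assumed heuristics: temp-dir targets, rundll32 loaders."""
    findings = []
    for key, name, cmd in parse_reg_query(text):
        exe = target_path(cmd)
        reasons = []
        if re.search(r"\\(temp|temporary internet files)\\", exe, re.I):
            reasons.append("runs from a temp directory")
        if basename(exe).lower() in ("rundll32.exe", "rundll32"):
            dll = re.search(r"\s+\"?([^\",]+\.dll)", cmd, re.I)
            reasons.append("rundll32 loads " + (dll.group(1) if dll else "unknown DLL"))
        if reasons:
            findings.append({"key": key, "name": name, "file": exe, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

An entry that is not flagged is not thereby clean; the output is only a shortlist of files to examine first.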
     
  16. Wingnut357

    Wingnut357 Killer Casual

    If it's this bad, I would consider backing up the essentials in safe-mode and reformatting in NTFS. It's the best way to be sure, and most computers could use a fresh start more often than their owners think.
     
  17. g19/15+1

    g19/15+1 Girl+Gun= Sexy

    I have used both adaware and spybot. Both have worked fairly well, although they still will not get everything.

    One thing you could try for the popups is the google tool bar http://toolbar.google.com/?promo=mor-tb-en I very rarely get popups between that and the popup blocker in xp sp2.
     
  18. UtahIrishman

    UtahIrishman BLR

    We use Ad Aware Professional where I work and it catches many bots that the non-professional version won't if you want to spring for the bucks. I'd also consider a different anti-virus program.

    The best anti-virus program I've found to date is Panda Anti-Virus. We run Panda Anti-Virus Enterprise at work but you can get a personal version as well. Both McAfee and Norton Anti-Virus do ok but in my opinion Panda catches more.

    There are two approaches to cleaning up a mess like you describe. First to close the pop-ups I would use Alt-F4. That will save you some time rather than trying to get the CTRL-ALT-DEL sequence for the Task Manager up. Then run your anti-virus program of choice...reboot. After reboot run your anti-virus program again checking for any viruses that were not caught the first time. If you still have viruses you will need to write down which ones you have then reboot in safe-mode (which you can do in XP you just have to be fast). Once in safe mode delete all remaining viruses. Then restart and run your virus program AGAIN. Make sure it comes up clean.
    Now run your Ad-Aware and Spy-bot programs to clean up what's left. You need to have the latest definitions and I strongly recommend the professional version of Ad-Aware, it's really worth it.

    Second approach: Reformat

    Finally get this person a personal firewall. Zone Alarm free version works very well. Don't rely on the firewall that comes with Norton's it's useless in my opinion. The firewall that comes with XP Service Pack 2 is actually very good but Zone Alarm is easier to configure.

    If you've read this far you've probably figured out that I do this a lot. Yep. About once a week some bozo where I work has to visit some strange web page that runs amok with Pop ups and bots and trojans etc. We use Norton Ghost to re-image their drive and restrict their web access after that. You probably can't do that with your situation but at least try and keep her from clicking on every ad that comes up. Use ALT-F4 if you want to close out a suspect window. It will save you tons of grief.
     
  19. cgwahl

    cgwahl Sheriffs a near

    http://www.xblock.com/download/xcleaner_free.exe

    This is a nice little utility as well. Run it in safe mode. Then maybe run it again just to be sure. Then reboot and run it another time.

    Neighbor asked me to fix his computer a couple days ago...had 80 processes running (could hardly do anything with all the popups. Open IE and 10 windows would immediately open as well). Also didn't help when I found his NAV was last updated sometime in 2003...after many hours of scanning and rescanning of antiviruses, spyware killers, etc. I finally got it down to 30. There were just one or two little buggers though that just wouldn't die.

    Use lavasoft adaware, the MS spyware killer, and that above thing. Spybot is good too I've heard, but never cared for it much. Probably didn't give it much of a chance though.

    Another good thing to do is go to http://www.trend.com and run an online scan just in case the antivirus they are using has been disabled by the viruses.

    Also, Avast! (antivirus) does an awesome job. Only installed it on his computer since I wanted to see what it was like (use AVG normally). Actually uninstalled AVG to try it on mine and it found stuff AVG didn't see.
     
  20. Kevin108

    Kevin108 THIS IS IN ALL CAPS

    3 things will fix this permanently.

    1. Download and install Mozilla Firefox
    2. Delete every icon you can find for Internet Explorer
    3. Download, install, and run Webroot Spysweeper