
HUGE spyware problem! Help!!


Pollux

Member
Joined
Nov 29, 2003
I use Mozilla Firefox, but I get a lot of pop-ups. These pop-ups are using IE, even though I don't have it open. The pop-ups also come up even when NO browser is open, and often minimize games I'm playing. I've run Ad-Aware 6.0, Spybot Search and Destroy, and Pest Patrol...all of them are up-to-date, HOWEVER, when I run a search, nothing is detected. How do I get rid of this? Also, is there a pop-up blocker that doesn't require a browser to be open?
 

redduc900

Inactive Moderator
Joined
Dec 17, 2000
Location
Portland, OR
Assuming you're running either XP or W2K, check to make sure the "Messenger" service is disabled...Start | Run | Type services.msc and click OK | Scroll down to "Messenger", right-click and select "Properties" | "General" tab | Under "Startup type", choose 'Disabled' and then choose the 'Stop' button. After the service is stopped, click OK. Nothing in Windows or any real third-party applications should be affected by this.

The Messenger service is used to instant message others on the same LAN (using the "net send" command). It uses ports 135 and 139, and spammers have found a way to use this service to feed you pop-ups. A good firewall (or disabling the service altogether) will stop them, as ports 135 and 139 should NEVER be wide open to the internet.
 

jajmon

Member
Joined
Apr 19, 2002
Location
Burnsville, Minnesota
> set firefox to be your default browser
I'm using ffox .08 so this may be diff than .09
> tools | options | Web features | check the pop up windows box

hope this helps


*edit
ahh - good point redduc
 

nikhsub1

Unoriginal Macho Moderator
Joined
Oct 12, 2001
Location
Los Angeles
Yes, turn Messenger service OFF, then I would download CWShredder too, google for it. Next, I would DISABLE system restore (if running XP), right click my computer, properties, system restore tab, check to 'Turn off system restore'. Then I would reboot into safe mode, rerun ad-aware, spybot, and CWShredder. Keep running til all is clean. Reboot, reenable system restore and go and download Spywareblaster, this will keep activex malware out of your system.
 

nealric

Member
Joined
Sep 9, 2002
Location
under the floorboards
Two more proggies to try are spysweeper from webroot (www.webroot.com) and hijackthis!. The former is in my experience a bit more thorough than ad aware, the second is very good at getting rid of remnants (especially the ones that reinstall the spyware after it is removed)

Another thing to try is to go into the msconfig menu and unclick anything you don't recognize. Then search the registry with regedit and delete any key with "toolbar" in the name (there are a few exceptions, use common sense)
 

Pollux

Member
Joined
Nov 29, 2003
ok, I turned the messenger off, and it seemed to have worked, but I just got another pop-up this morning...no browser open.
 

Pollux

Member
Joined
Nov 29, 2003
ok I just tried the disabling system restore and reboot and scan in safe mode thing...still pop-ups.
 

nikhsub1

Unoriginal Macho Moderator
Joined
Oct 12, 2001
Location
Los Angeles
Pollux said:
ok I just tried the disabling system restore and reboot and scan in safe mode thing...still pop-ups.
Did you run CWShredder? Do you have any funky programs in add/remove programs that you know YOU didn't intentionally install? Go to Start>Run and type msconfig... what is checked?
 

Mr. Chambers

Member
Joined
Feb 25, 2001
Location
Iowa
Pollux, I'm hoping you tried the things listed in that thread I referenced. As for CWS Shredder, the program is no longer updated, and hasn't been for a month or so if I remember correctly, so it will no longer seek out and remove newer CWS variants; it will however still get rid of older versions...

Did you follow my instructions for deleting your Index.dat file? Your symptoms sound very familiar to a recurring infection caused by spyware in those files.
 

redduc900

Inactive Moderator
Joined
Dec 17, 2000
Location
Portland, OR
Mr. Chambers said:
Tell me, did you change your name? I've been here since 2001, and I don't remember seeing you around redduc900.
I have the same user name as I've always had Mr. Chambers...I just haven't been around for the past five or six months. I've always preferred the MS OS forum, and is primarily where I used to regularly hang out at, which could be why you don't remember seeing me around...I don't usually post in the other forums that often.
 

jajmon

Member
Joined
Apr 19, 2002
Location
Burnsville, Minnesota
redduc900 said:
I have the same user name as I've always had Mr. Chambers...I just haven't been around for the past five or six months. I've always preferred the MS OS forum, and is primarily where I used to regularly hang out at, which could be why you don't remember seeing me around...I don't usually post in the other forums that often.

yah it's true, the redduc has been AFK for quite some time, (me myself was wondering what was going on, not seeing the very helpful m$ posts)
 

Pollux

Member
Joined
Nov 29, 2003
I deleted the index.dat files....I'm still getting pop-ups...how am I supposed to stop this!??
 

Mr. Chambers

Member
Joined
Feb 25, 2001
Location
Iowa
Pollux said:
I deleted the index.dat files....I'm still getting pop-ups...how am I supposed to stop this!??

well let's break this down. shall we?

you disabled the messenger service?

you downloaded and installed and updated adaware and spybot, and maybe even spysweeper?

you restarted into safemode, and deleted all temp files, and cookies?

still in safemode, you deleted the index.dat files from all User accounts in XP?

while still in safemode, you did a full system scan with adaware/spybot/spysweeper/cws shredder/etc, fixing all the entries it found/restarting in safemode once more and scanning/fixing until no more entries are found?

you then restarted normally, and STILL have pop-ups?
 

Mr. Chambers

Member
Joined
Feb 25, 2001
Location
Iowa
redduc900 said:
I have the same user name as I've always had Mr. Chambers...I just haven't been around for the past five or six months. I've always preferred the MS OS forum, and is primarily where I used to regularly hang out at, which could be why you don't remember seeing me around...I don't usually post in the other forums that often.

Ah yes, that could probably be it. I've only recently been trying to help in this section. Glad to have you back though, at any rate :)
 

Pollux

Member
Joined
Nov 29, 2003
Mr. Chambers said:
well let's break this down. shall we?

you disabled the messenger service?

you downloaded and installed and updated adaware and spybot, and maybe even spysweeper?

you restarted into safemode, and deleted all temp files, and cookies?

still in safemode, you deleted the index.dat files from all User accounts in XP?

while still in safemode, you did a full system scan with adaware/spybot/spysweeper/cws shredder/etc, fixing all the entries it found/restarting in safemode once more and scanning/fixing until no more entries are found?

you then restarted normally, and STILL have pop-ups?

YES, and it's getting ridiculous. I get all types of pop-ups, and they come up roughly every 10 minutes. Any other suggestions????
 

I.M.O.G.

Glorious Leader
Joined
Nov 12, 2002
Location
Rootstown, OH
I wrote this for the frontpage... Malware Warfare, but it basically outlines what everyone else has already walked you through, except for a couple oversights.

I want to know if you disabled, or stopped the messenger service. These are two different things. Disabling means it will not ever start up again, Stopping means it will turn back on after you next reboot.

At this point we need you to run hijack this and post the logs here - this will give us an idea of what is running in the background and where we need to focus our efforts. Without that log, I have nothing further to suggest for you. :-/
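
The stopped-versus-disabled distinction raised in this thread, as an added example that is not part of any original post: a batch script for a Windows XP command prompt that uses the built-in `sc` and `net` commands to report the Messenger service's startup type and running state separately and correct both. It assumes an administrator account; the variable name `SVC` is chosen here for illustration.

```batch
@echo off
rem Added example, not from the thread: tell apart a Messenger service that
rem is only stopped from one that is disabled, and fix whichever is wrong.
setlocal
set SVC=Messenger

rem Startup type lives in the service configuration, shown by "sc qc".
rem A stopped service whose START_TYPE is AUTO_START or DEMAND_START can
rem come back after the next reboot.
sc qc %SVC% | findstr /C:"START_TYPE" | findstr /C:"DISABLED" >nul
if errorlevel 1 (
    echo %SVC% is NOT disabled and can start again after a reboot.
    rem The space after "start=" is required by sc.
    sc config %SVC% start= disabled
) else (
    echo %SVC% startup type is already Disabled.
)

rem Running state is separate from startup type, shown by "sc query".
rem Disabling a service does not stop an instance that is already running.
sc query %SVC% | findstr /C:"STATE" | findstr /C:"RUNNING" >nul
if not errorlevel 1 (
    echo %SVC% is still running, stopping it now.
    net stop %SVC%
) else (
    echo %SVC% is not running.
)

rem Print the final startup type and state so both can be confirmed.
sc qc %SVC% | findstr /C:"START_TYPE"
sc query %SVC% | findstr /C:"STATE"
endlocal
```

The last two lines should report `DISABLED` and `STOPPED`; if pop-ups continue with both in place, the Messenger service is not their source.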