
Popups - I need help from an expert



#31
Metallica


    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Those are OK and to be expected. We need to make another step.

Download and install Agent Ransack: http://www.mythicsof...x?page=download

Run the program and make sure there are Checkmarks in the Expert User and Containing Text boxes on the Advanced tab.

In the bottom bar type or paste 69.50.160.100

Then click Start Search.

It will take quite a while before it's done.

When it is, click "Save results" (icon #4 from the left).
Choose save to clipboard and paste them into your next post.

Hopefully this will tell us which file(s) are calling those popups.

Regards,

Pieter
  • 0



#32
JeffR


    Member

  • Topic Starter
  • Member
  • 46 posts
OK, Pieter ...

I did the Agent Ransack search. (It did take a while.) I'm pasting the results below. The first time I saved the results to the clipboard, I left the checkmark in the "Contents" box, and it turned out to be huge. (121 pages when I pasted it into MS Word.) So I saved it again with just the File Name checked.

I looked quickly through the list of files found, (which I sorted by Location ... I hope that's OK.), and I'm afraid they all look like the results of all my own troubleshooting activity. As you can see, I've done lots of searches on Google for the "69.50.160.100", and through that effort did find posts from several other people (on other forums as well) who are also having this problem.

The Registry Backup files you see in the list are ones that I made before I deleted entries from the Registry. (I was taught to always backup the Registry before making any changes.) In my Registry search I did find two "69.50.160.100" Data fields under the Value "FirstHomePage". And that Value did not appear in the Registry on my notebook PC (also Win2K), so I thought I really had something there. Unfortunately after deleting those entries, the problem kept recurring, so ... that wasn't it. :tazz:

Anyway, as I said ... this is a little over my head. Here's the Agent Ransack results. Let me know if you want me to post the content from any of these results.

Thanks again! Looking forward to hearing from you with your thoughts.

Jeff

And ... Merry Christmas! Based on your time zone, I think it's already tomorrow there! ;)


  • 0

#33
Metallica


    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
You are right. Those are all in your index.dat, temp inet files and those registry backups.

Can you tell if the popups immediately open at the IP address? Or are you redirected from somewhere else?

Click Start > Run > copy the command below into the dialog box and click OK:

regedit /e c:\1sthp.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FirstHomePage"


That will create C:\1sthp.txt if that registry key exists.
Post the content if it is created.

And Merry Christmas to you too. :tazz:

Regards,

Pieter
  • 0
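The triage carried out in the two posts above (search every file for the address, then set aside hits that are only IE history, cached pages or the user's own registry backups) can be scripted. This is an added example, not code from the thread or from Agent Ransack; the sample files, the `Program Files/Example` path and the path markers used for classification are constructed assumptions.

```python
import os
import tempfile
NEEDLE = "69.50.160.100"  # the address searched for in the thread
NOISE_MARKERS = {  # assumed path fragments: browsing records and the user's own backups
    "browser history": "\\history.ie5\\",
    "browser cache": "\\temporary internet files\\",
    "registry backup": "\\registry backups\\",
}

def file_contains(path, patterns, chunk_size=1 << 20):
    overlap = max(len(p) for p in patterns) - 1  # carried over so a split match is found
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            if any(p in window for p in patterns):
                return True
            tail = window[-overlap:]
    return False

def classify(path):
    normalised = path.replace("/", "\\").lower()
    for label, marker in NOISE_MARKERS.items():
        if marker in normalised:
            return label
    return "needs review"

def search_tree(root, text=NEEDLE):
    # ASCII matches index.dat and cached pages; UTF-16LE matches Unicode .reg exports.
    patterns = [text.encode("ascii"), text.encode("utf-16-le")]
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if file_contains(path, patterns):
                    hits.setdefault(classify(path), []).append(os.path.relpath(path, root))
            except OSError:
                continue  # locked or unreadable file: skip it and keep going
    return hits

def build_sample_tree(root):
    ip = NEEDLE.encode("ascii")
    samples = {  # constructed sample files, not data from the thread
        "Local Settings/History/History.IE5/index.dat": b"URL \x00http://" + ip + b"/\x00",
        "Local Settings/Temporary Internet Files/Content.IE5/AAAA/search[1].htm": b"<a>" + ip + b"</a>",
        "Registry Backups/backup.reg": b"\xff\xfe" + ('"FirstHomePage"="%s"' % NEEDLE).encode("utf-16-le"),
        "Program Files/Example/helper.cfg": b"url=http://" + ip + b"/",  # hypothetical file
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(search_tree(tmp))
```

Only the entries under "needs review" point at something other than a record of past browsing or troubleshooting; in the thread's results there were none, which is why the search did not identify the file calling the popups.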

#34
JeffR


    Member

  • Topic Starter
  • Member
  • 46 posts
Can you tell if the popups immediately open at the IP address? Or are you redirected from somewhere else?

I don't really know. I rarely catch it when it actually happens. 9 out of 10 times I just come back to my PC and it's there on my desktop. Occasionally I'm in the middle of doing something (e.g. composing an email message, working on an Excel spreadsheet, looking at some [legitimate] web site, etc.) and it just pops up for no reason. I see no indication that it is redirected from somewhere else ... and I wouldn't even know the IP address, except for what I find in the IE history entry. Oh ... maybe that's the answer(?) ... there are no other questionable entries in the history display.

That will create C:\1sthp.txt if that registry key exists.
Post the content if it is created.


I executed your regedit command, and the file was not created. After that, I also tried a regedit search for FirstHomePage (keys, values, & data), and it found nothing (except my own MRU entry from the previous regedit command).

I may be on to something else, however. I was thinking ... it seems to be happening on some kind of timed interval (always some precise number of hours). But we see no evidence of any unknown processes going on. What known running processes do timed events? I thought about my Norton Antivirus Automatic LiveUpdate process, which is in the scheduler to check for updates every 4 hours. I turned that off, and ... it didn't help. I couldn't think of any more processes like that ... until ... I remembered the Windows Update - Automatic Update feature. Somehow that checks (at some interval unknown to me) if an internet connection is available, and goes out to Microsoft and checks for new updates. (And optionally downloads and/or installs them.) Could it be that some (now removed) piece of spyware/adware altered or replaced some Automatic Update file(s) to instead go out to their site and open the popup address? I thought of this yesterday afternoon, and decided to try turning off the Automatic Update feature. I turned it off around 6:00 pm, and it's now been almost 13 hours without a popup! That's not conclusive, however, because I've seen it go sometimes 19 hours before. (And sometimes 1 or 2 hours.)

Also, I had another idea, and I went to the Microsoft download site and re-downloaded and installed IE 6, and all the security updates. I know it's not good to try 2 fixes at one time ... but I've gotten so frustrated and impatient that I did it anyway. So now I have both turned off Automatic Updates and also downloaded and installed a new IE. If the popups come back, then it wasn't either of those. If they don't come back after another 12 hours or so, then I'll try turning on Automatic Updates again to see what happens.

I'll let you know what happens! Thanks again for sticking with this, Pieter!

Jeff
  • 0

#35
Metallica


    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Did you also check the Scheduled Tasks?

That is another place where we recently found adware starting itself.

Regards,

Pieter
  • 0

#36
JeffR


    Member

  • Topic Starter
  • Member
  • 46 posts
I've checked the Scheduled Tasks several times ... but all I ever see are my own (backups to my external disk drive), and the Symantec (Norton) NetDetect. Are there any other "hidden" scheduled activities I should look for?
  • 0

#37
Metallica


    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Not to my knowledge.

I hope they stay away for your sake, but it will remain a mystery for now if they do.

Regards,

Pieter
  • 0

#38
Metallica


    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
As an afterthought.
Can you try and make a copy of:
C:\Documents and Settings\Jeffrey Rubenstein\Local Settings\Temporary Internet Files\Content.IE5\43TVQ2ZP

Zip it up and send it to pieterATwilderssecurity.org if possible.

Regards,

Pieter
  • 0

#39
JeffR


    Member

  • Topic Starter
  • Member
  • 46 posts
OK Pieter,

I zipped it and emailed it to you. (6 MB!) Hope you get it.

One other thing ... The last 2 or 3 times I got the popup, the IE History entry properties showed an address of

http://69.50.160.100...php?acc=acc0001

Before that, all of them showed

http://69.50.160.100...lick/popup2.php

This means nothing to me, but perhaps it just might be some kind of clue. The popups still look the same (Cialis, Online Poker, etc.) but the address has that extra ?acc=acc0001.

I've seen posts from several other people who have this exact same problem. If you figure it out, you'll be the world's authority on this! Good luck.

Jeff
  • 0

#40
Metallica


    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Thanks. Got it. :tazz:

I'll see if I find any clues and let you know.

Regards,

Pieter
  • 0



#41
JeffR


    Member

  • Topic Starter
  • Member
  • 46 posts
I just looked at the (handwritten) log I've been keeping of these popups and of my activities, and I see that I was incorrect in the times I told you about turning off Automatic Updates and reinstalling IE6. It turns out I turned off Automatic Updates yesterday at 12:30 pm EST, and reinstalled IE6 at 1:15 pm. And I haven't seen a popup since yesterday at 12:20 pm! That's 21 hours ago! That's the longest I've ever gone without a popup! (Since they started a few weeks ago.) :tazz:

I don't want to get too excited, but ... it's hard not to. If this keeps up (no popups) for another 48 hours, then I'll turn on Automatic Updates again and see what happens. If they then come back, I'll ask for your advice on how to fix that. If they don't come back, then I'll assume it was the IE6 reinstall that fixed it.

Keepin' my fingers crossed. This could be a very nice Christmas present.

Jeff
  • 0

#42
Metallica


    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I found something, but I am unsure if it is related.

Can you do an Agent Ransack search for:
ChitikaAdPopup

Also search the registry for any instances of it.

Regards,

Pieter
  • 0

#43
JeffR


    Member

  • Topic Starter
  • Member
  • 46 posts
OK Pieter,

I just did the Agent Ransack ChitikaAdPopup search, and emailed the results to you. It found 3 files, but one was just the IE Temp Internet File of your post. Let me know what you think of the other two.

I searched the Registry, and it found nothing (except the Agent Ransack history of searches.)

Still no popups in 23 hours! (Knock on wood)

If any other posters or lurkers are also experiencing this exact problem, I'd be interested to hear if either (a) turning off Windows Automatic Updates (Settings > Control Panel > Automatic Updates -- Unclick the first box) or (b) reinstalling Internet Explorer 6 SP1 via the http://www.microsoft.com/downloads site [plus the critical updates] solves the problem. Of course, I'm no expert. So I take no responsibility for the results! :tazz:
  • 0

#44
Metallica


    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Excellent. The .asp file is the one I found it in.

Can you send me a copy of C:\Documents and Settings\Jeffrey Rubenstein\Local Settings\Temporary Internet Files\Content.IE5\BRX7VHKW\CAUFSH6Z.htm

This webtoolbars cr@p keeps coming up when I search your temp internet files.
Can you think of a reason for that?

Regards,

Pieter
  • 0

#45
JeffR


    Member

  • Topic Starter
  • Member
  • 46 posts
I'll send you that CAUFSH6Z.htm file. I just opened it. (I probably shouldn't have.) And it makes a little popup toolbar at the bottom of my browser screen. I remember seeing that little toolbar pop up for the first time recently ... it seems like within the last 2 or 3 days. I can't remember exactly when it happened, but I distinctly remember that it first popped up when I went to some site for the purpose of working on my popup problem. I think it was when I went somewhere to download something as instructed by someone on this GeeksToGo topic. (Maybe even you.) But I just made two quick trips back to the Agent Ransack and DLLCompare download sites you gave me, and neither one made this pop up happen. So I'm not sure where it came from. But, again, I do know for sure that it only came up for the first time very recently, and I closed it immediately by clicking on the little "X" in its corner, and choosing to close the toolbar.

And it hasn't popped up again since. I'm pretty sure this is not the same problem. And I hope it's just a plain vanilla website popup. Hopefully not something sinister that's still lurking in my machine. Can you tell by looking at it?

Thanks again Pieter!

Jeff
  • 0





