Re: Pop up stoppers?



Thanks, Jim, for all the great info.

Donna
--
Donna Aten, Coordinator
Project Linus - Boise/SW Idaho Chapter
Website: www.LinusIdaho.org

"Jim Byrd" <jrbyrd@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23eCxif8RFHA.1564@xxxxxxxxxxxxxxxxxxxxxxx
> Hi Donna - Just saw this thread.
>
> There are currently two classes of things going on that are causing people
> popup difficulties. If you get popups even when your browser is not
> connected to the Internet with a title bar reading "Messenger Service",
> then
> these are most likely due to open NetBios TCP ports 135, 139 and 445 and
> UDP
> ports 135, 137-138 and a UDP port in the range of 1026-1029. You really
> need to block these with a firewall as a general protection measure. You
> can stop the popups by turning off Messenger Service; however, this still
> leaves you vulnerable. If you have an NT-based OS such as XP or Win2k,
> you
> should probably also specifically block TCP 593, 4444 and UDP 69, 139,
> 445,
> and install the very important 824146 patch from MS03-039, here:
> http://support.microsoft.com/default.aspx?kbid=824146 to block the Blaster
> worm as well as several other parasites.
>
>
> See: Messenger Service Window That Contains an Internet Advertisement
> Appears http://support.microsoft.com/?id=330904 which identifies reasons
> to
> keep this service and steps to take if you do.
>
> You can test your system and follow the 'Prevention' link to get
> additional
> information here:
> http://www.mynetwatchman.com/winpopuptester.asp Unless you have very good
> reasons to keep this active, it should be turned off in Win2k and XP. Go
> here and do what it says:
> http://www.itc.virginia.edu/desktop/docs/messagepopup/ or, even better,
> get
> MessageSubtract, free, here, which will give you flexible control of the
> service and viewing of these messages:
> http://www.intermute.com/messagesubtract/help.html Recommended.
>
> (FWIW, ZoneAlarm's default Internet Zone firewall configuration blocks the
> necessary ports to prevent this use of Messenger Service. I don't know the
> situation with regard to other firewalls.)
>
> Messenger Service is not per se Spyware or something that MS did wrong -
> It
> provides a messaging capability which is useful for local intranets and is
> also sometimes (albeit nowadays infrequently) used by some applications to
> provide popup messages to users. However, it can also be (and now
> frequently
> is) used to introduce spam via this open NetBIOS channel. For a single
> user
> home computer, it normally isn't needed and can be turned off which will
> eliminate the spam popups. This DOESN'T, however, remove the vulnerability
> of having these ports open, when in fact they aren't needed, since they
> can
> be perverted in other ways as well, some of which can be much more
> damaging
> than just a spam popup.
>
>
>
> If you're getting a lot of popups while surfing, then the following may be
> useful:
>
> #########IMPORTANT#########
> Before you try to remove spyware using any of the programs below, download
> both a copy of LSPFIX here:
>
> http://www.cexx.org/lspfix.htm
>
> AND a copy of Winsockfix for W95, W98, and ME
> http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
> Directions here: http://www.tacktech.com/display.cfm?ttid=257
>
> or here for Win2k/XP
> http://files.webattack.com/localdl834/WinsockxpFix.exe
> Info here: http://www.spychecker.com/program/winsockxpfix.html
> Directions here: http://www.iup.edu/house/resnet/winfix.shtm
>
> The process of removing certain malware may kill your internet connection.
> If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable
> you
> to regain your connection.
>
> NOTE: It is reported that in XP SP2, the Run command netsh winsock
> reset
> will fix this problem without the need for these programs. (You can also
> try this if you're on XP SP1. There has also been one, as yet
> unconfirmed,
> report that this also works there.) Also, one MS technician suggested the
> following sequence:
>
> netsh int reset all
> ipconfig /flushdns
>
> See also: http://windowsxp.mvps.org/winsock.htm for additional XPSP2
> info/approaches using the netsh command.
> #########IMPORTANT#########
>
>
>
> #########IMPORTANT#########
> Show hidden files and run all of the following removal tools from Safe
> mode
> or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
> running these tools, be sure to clear all Temp files and your Temporary
> Internet Files (TIF)(including offline content.) Reboot and test if the
> malware is fixed after using each tool.
>
> HOW TO Enable Hidden Files
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
>
> Clean Boot - General Win2k/XP procedure, but see below for links for other
> OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
> http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):
>
> 1. Start > Run, enter msconfig.
>
> 2. On the General tab, click Selective Startup, and then clear the
> 'Process
> System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
> boxes. Leave the 'boot.ini' boxes however they are currently set.
>
> 3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
> and then click the "Disable All" button. If you use a third party firewall
> then re-check (enable) it. For example, if you use Zone Alarm, re-check
> the
> True Vector Internet Monitor service (and you may also want to re-check
> (enable) the zlclient on the Startup tab.) Equivalent services exist for
> other third party firewalls. An alternative to this for XP users is to
> enable at this time the XP native firewall (Internet Connection Firewall -
> ICF). Be sure to turn it back off when you re-enable your non-MS services
> and Startup tab programs and restore your normal msconfig configuration
> after cleaning your machine.
>
> 4. Click OK and then reboot.
>
> For additional information about how to clean boot your operating system,
> click the following article links to view the articles in the Microsoft
> Knowledge Base:
>
> 310353 How to Perform a Clean Boot in Windows XP
> http://support.microsoft.com/kb/310353
> 281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
> http://support.microsoft.com/kb/281770/EN-US/
> 267288 How to Perform a Clean Boot in Windows Millennium Edition
> http://support.microsoft.com/kb/267288/EN-US/
> 192926 How to Perform Clean-Boot Troubleshooting for Windows 98
> http://support.microsoft.com/kb/192926/EN-US/
> 243039 How to Perform a Clean Boot in Windows 95
> http://support.microsoft.com/kb/243039/EN-US/
> #########IMPORTANT#########
>
>
> Sometimes the tools below will find files which they are unable to delete
> because they are in use. A program called Copylock, here,
> http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
> "replacing, moving, renaming or deleting one or many files which are
> currently in use (e.g. system files like comctl32.dll, or virus/trojan
> files.)" Another is Killbox, here:
> http://www.downloads.subratam.org/KillBox.zip
> A third which is a bit different but often useful is Delete Invalid File,
> here: http://www.purgeie.com/delinv.htm which handles invalid/UNC
> file/folder name deleting, rather than the in use problem.
>
>
>
> Download and run Stinger.exe, here:
> http://download.nai.com/products/mcafee-avert/stinger.exe or from the
> link
> on this page: http://vil.nai.com/vil/stinger/ ME/XP users be sure to
> read:
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
>
>
> Boot to Safe mode with Network Support (HowTo here:
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
> or a Clean Boot as above.
>
> Download sysclean.com , from Trend Micro, here:
> http://www.trendmicro.com/download/dcs.asp along with the latest released
> pattern file, here: http://www.trendmicro.com/download/pattern.asp Be sure
> to read the "How-to" info here:
> http://www.trendmicro.com/ftp/products/tsc/readme.txt
>
> (You might also want to get Art's updater, SYS-UP.Zip, here for future
> updating of these: http://home.epix.net/~artnpeg/). The updater files plus
> a
> short tutorial on using them and SysClean are also available in one
> package
> here: http://www.ik-cs.com/Programs/virtools/SYSCLEAN%20UTILITY.exe (If
> you
> download and use the updater from the beginning, it will automatically
> handle downloading the other files.)
>
> NOTE: You can get a somewhat more current interim pattern file, the
> Controlled Pattern Release, here and manually unzip it to your SysClean
> folder: http://www.trendmicro.com/download/pattern-cpr-disclaimer.asp
> (Sorry, but the Updater won't get this one for you.) Look for the
> lptxxx.zip
> file after you agree to the terms.
>
> Place them in a dedicated folder after appropriate unzipping.
>
> Show hidden and system files (HowTo here:
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
>
> If you're using WindowsME or WindowsXP, SysClean (and the other cleaning
> tools below) may find infections within Restore Points which it will be
> unable to clean. You may choose to disable Restore if you're on XP or ME
> (directions here:
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) which will
> eliminate ALL previous Restore Points, or alternatively, you can wait
> until
> cleaning is completed and then use the procedure within the *********'s
> below to delete all older, possibly infected Restore Points and save a
> new,
> clean one. This approach is in the spirit of "keep what you've got" so that
> you can recover to an at least operating albeit infected system if you
> inadvertently delete something vital, and is the approach I recommend that
> you take.
>
> Read tscreadme.txt carefully, then do a complete scan of your system and
> clean or delete anything it finds.
> Reboot and re-run SysClean and continue this procedure until you get a
> clean
> scan or nothing further can be cleaned/removed.
>
> Now reboot to normal mode and re-run the scan again.
>
> This scan may take a long time, as Sysclean is VERY extensive and
> thorough.
> For example, one user reported that Sysclean found 69 hits that an
> immediately prior Norton AV v. 11.0.2.4 run had missed.
>
>
> Popups - The best way to start is to get Ad-Aware SE Personal Edition,
> here:
> http://www.lavasoftusa.com/support/download/. UPDATE, set it up in
> accordance with this: http://forum.aumha.org/viewtopic.php?t=5877 and run
> this regularly to get rid of most "spyware/hijackware" on your machine.
> If
> it has to fix things, be sure to re-boot and rerun AdAware again and
> repeat
> this cycle until you get a clean scan. The reason is that it may have to
> remove things which are currently "in use" before it can then clean up
> others. Configure Ad-aware for a customized scan, and let it remove any
> bad
> files found.....
>
> Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the
> gear
> wheel at the top and check these options to configure Ad-aware for a
> customized scan:
>
> General> activate these: "Automatically save log-file" and "Automatically
> quarantine objects prior to removal"
>
> Scanning > activate these: "Scan within archives", "Scan active
> processes",
> "Scan registry", "Deep scan registry," "Scan my IE Favorites for banned
> sites," and "Scan my Hosts file"
>
> Tweaks > Scanning Engine> activate this: "Unload recognized processes
> during
> scanning."
>
> Tweaks > Cleaning Engine: activate these: "Automatically try to unregister
> objects prior to deletion" and "Let Windows remove files in use after
> reboot."
>
> Click "Proceed" to save your settings, then click "Start." Make sure
> "Activate in-depth scan" is ticked green, then scan your system. When the
> scan is finished, the screen will tell you if anything has been found,
> click
> "Next." The bad files will be listed. Right click the pane and click
> "Select
> all objects" - This will put a check mark in the box at the side, click
> "Next" again and click "OK" at the prompt "# objects will be removed.
> Continue?"
>
> Courtesy of http://www.nondisputandum.com/html/anti_spyware.html: HINT:
> If
> Ad Aware is automatically shut-down by a malicious software, first run
> AAWCloak.exe, http://www.lavasoftnews.com/downloads/AAWCloak.exe, before
> opening Ad Aware. When AAWCloak is open, click "Activate Cloak". Then open
> Ad Aware and scan your system.
>
>
>
> Another excellent program for this purpose is SpyBot Search and Destroy
> available here: http://security.kolla.de/ SpyBot Support Forum here:
> http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
> using both normally. Update before starting, then after fixing ONLY RED
> things with SpyBot S&D, be sure to re-boot and rerun SpyBot again and
> repeat
> this cycle until you get a clean "no red" scan. The reason is that SpyBot
> sometimes has to remove things which are currently "in use" before it can
> then clean up others.
>
> Then, there are a variety of third party "Popup Killers" available. I
> normally use AdShield, which, if you maintain its Block List every now and
> then, almost totally stops this. In addition, it stops a variety of
> ads/banners/etc. (particularly spyware like doubleclick) on pages I
> access.
> This is probably all you'll need; however, I've also investigated a
> program
> called webwasher which appears to be very good, but decided that AdShield
> was sufficient. At the bottom of this post, you'll find a list provided
> courtesy of bc_acadia of a number of free popup blockers with links.
>
> ****** NOTE: As of 28 Apr 03 AdShield appears to have partnered with a new
> reseller, and AdShield is no longer free. There is a trial version of
> AdShield3; however, IMO it is seriously crippled in not being able to
> import
> or export block lists and I think for reasonable utility one would have to
> go to the full version. While I don't normally recommend non-free
> software,
> I personally will continue to use AdShield3, since I think it is the best
> currently available combined Popup/Ad/Malware blocker, but you should be
> aware of the fact that it now costs, ($29.95), whereas the earlier
> versions
> upon which I based my original recommendation were free, although not
> nearly
> as capable as the AdShield3 release. I've included below links to both the
> older free version and the new paid version. You'll have to investigate
> and
> make your own choice in the matter. *******
>
> Here are a number of AdShield-related links:
>
> http://www.fsd1.org/technology/Files/AdShield.exe - AdShield1.2 (free)
> http://www.internettechs.net/utilities/AdShield.exe - AdShield1.2 (free)
> http://ftp.ural.ru/home/index/windows/networking/utils/AdShield -
> AdShield1.2 (free)
> http://www.megalog.ru/info/utilz/AdShield.zip - AdShield1.2 (free)
> http://www.allstarss.com/store/adshield.html - AdShield3
> http://www.ad-shield.com/ AdShield3 Info/Purchase/Block List
> http://www.mvps.org/winhelp2002/block.txt - (Mike Burgess' .txt Block List
> for AdShield - Recommended)
> http://www.mvps.org/winhelp2002/block.zip - (Mike Burgess' Zipped Block
> List
> for AdShield - Recommended)
>
> http://www.songwave.com/software/adshield_blocklist.txt (40,000 pornsites
> blocked - *VERY* large list - use at your own risk)
> http://www.chrismyden.com/temp/block.abl (chrismyden's blocklist in .abl
> format - Recommended)
> http://www.staff.uiuc.edu/~ehowes/resource.htm#AdShield (Eric Howes AGNIS
> for AdShield block list - Recommended) (BTW, Eric's site contains a wealth
> of very valuable information about all aspects of net security - Very
> Highly
> Recommended)
>
>
> Here's a good AdShield test site, courtesy of siljaline: "Make ***SURE***
> you have your block scripted popups enabled
> http://www.mediaboy.net/1010100-1100001-1111010/gahk/>>>> [Warning this
> URL
> opens a multitude of Browser windows almost instantly - YOU'VE BEEN
> WARNED!]"
>
> http://www.webwasher.com - Webwasher
>
>
> For WinXP users, Service Pack 2 has a built-in popup stopper which at
> first
> look appears to be fairly effective.
>
>
> Additionally, some people have recommended Popup Stopper and PopupBuster,
> but they have also been reported or experienced to cause perceived
> problems
> for some people with "normal" links in IE6 such as Google search results
> and
> links from OE. Some proponents of PopupBuster assert, however, that this
> is
> normal operation for this program under certain circumstances which can be
> overridden if necessary. YMMV. Another "Proxy" type blocker similar to
> Webwasher and Proxomitron but supposedly a bit easier to configure is
> Privoxy here: http://www.privoxy.org/
>
> Also, the free Google Tool Bar has a builtin popup blocker which is fairly
> effective.
>
>
> A very clever alternative approach to general ad (vice Popup) blocking is
> outlined here:
> http://www.sherylcanter.com/articles/oreilly_20040330_HostsPac.php
> and here: http://s91363763.onlinehome.us/BlackHoleProxy/index.html
> The approach is similar to that used in eDexter, but improved. I've tried
> it, and it does work as advertised. (<groan> - sorry 'bout that!) :)
> Probably should only be considered by more knowledgeable users, as it's a
> little complicated to set up using the directions given if you don't
> already
> know a bit. (It also has some tendency to block some things you'd rather
> it
> didn't at times if PAC files are used instead of the HOSTS file due to its
> use of regular expressions for blocking definitions without some tuning.)
>
>
> There is additional information about setting up and using AdShield, and
> about using the Restricted Zone (and an additional list) here:
> http://www.mvps.org/winhelp2002/hosts.htm
>
> Lastly, ZoneAlarmPro3/4 has added provisions for stopping ads/popups,
> handling cookies, web bugs, and scripting/ActiveX components in addition
> to
> its firewall functionality. Not free, but I have used it with my other
> AdBlocking stuff (AdShield, etc.) turned off as a test, and it appears to
> be
> very good indeed. So far I've experienced no problems at all with it set
> in
> its High Security modes for Ads although others have reported the need to
> temporarily turn it off to reach some sites. Also, Agnitum's Outpost
> Firewall supports a plug-in for this: "Pre-configured to block most banner
> advertisement. Can be configured manually or by simply dragging and
> dropping
> unwanted banners into the Ad Trashcan." I have no experience as to how
> effective it is, but I have received a favorable report.
>
> There's good information about hijacking in general and fixes available
> for
> specific hijackers here: http://spywareinfo.com/articles/hijacked/
> http://gmpservicesinc.com/Articles/hijack.asp
> http://www.mvps.org/inetexplorer/Darnit.htm#pop_up
> http://www.doxdesk.com/parasite/
>
> bc_acadia's list:
>
> "Some popup blockers. All of these are 100% pure freeware, no trial
> periods. Some of these do more than just handle popups.
>
> Pow!: http://www.analogx.com/contents/download/network/pow.htm
> NoAds: http://www.southbaypc.com/NoAds/
> PopupEraser: http://www.webknacks.com/popuperaser.htm
> Stop-the-Pop: http://www.bysoft.se/sureshot/stopthepop/index.html
> Internet Organizer: http://www.sf.yucom.be/wdprojects/
> PopKi: http://ranfo.com/popki.html
> PopUpKiller: http://sourceforge.net/projects/puk/
> AdCruncher Proxy:
> http://mysite.verizon.net/~mr_fish/AdCruncher/ReadMe.html
> KillAd: http://www.iomagic.org/fsc/
> ClickOff: http://www.johanneshuebner.com/en/download.html
> PopupBuster: http://www.popupbuster.com/PopUpBuster/
> Free Surfer: http://www.kolumbus.fi/eero.muhonen/FS/
> Window Shades: http://www.g-m-m.com/Software/WindowShades/index.php
> AdShield (my personal favorite): http://www.ad-shield.com/
> PopupStopper: http://www.panicware.com/popupstopper.html
> Proxomitron (Is no longer supported and has a learning curve):
> http://www.proxomitron.org/
> For those who don't want third party stuff, your own pc's built-in
> host file:
> http://www.mvps.org/winhelp2002/hosts.htm and
> http://www.accs-net.com/hosts/
>
>
> Here is a review of 61 popup killers, not all of them are free:
> http://www.popup-killer-review.com/index.htm"
>
> NOTE that this site also contains a good, comprehensive series of popup
> killer tests. Some good additional tests are also available here:
> http://www.webknacks.com/aptest.htm
>
>
> There's another popup test page here:
> http://www.kephyr.com/popupkillertest/index.html
>
>
> Another good test page and lists of both free and cost popup blockers is
> here: http://www.popuptest.com/ Recommended
>
> An excellent test site here: http://www.popupcheck.com/ Highly
> Recommended.
>
> Another list of some popup blockers:
> http://www.messaging-software.net/popup-killer-software.htm
>
> If you install and keep UPDATED a good HOSTS file, it can help you avoid
> most adware/malware. See here: <http://www.mvps.org/winhelp2002/hosts.htm>
> (Be sure it's named/renamed HOSTS - all caps, no extension)
>
>
>
> You might want to consider installing Eric Howes' IESpyAds, SpywareBlaster
> and SpywareGuard here to help prevent getting this kind of adware/malware
> in
> the future:
>
> IESpyads - https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD
> adds
> a long list of sites and domains associated with known advertisers,
> marketers, and crapware pushers to the Restricted sites zone of Internet
> Explorer. Once you merge this list of sites and domains into the Registry,
> the web sites for these companies will not be able to use cookies, ActiveX
> controls, Java applets, or scripting to compromise your privacy or your PC
> while you surf the Net. Nor will they be able to use your browser to push
> unwanted pop-ups, cookies, or auto-installing programs on your PC." Read
> carefully.
>
> http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware
> Active
> X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or
> memory
> load - but keep it UPDATED) The latest version as of this writing will
> prevent installation or prevent the malware from running if it is already
> installed, and it provides information and fixit-links for a variety of
> parasites.
>
> http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts
> to
> install malware) Keep it UPDATED. All three Very Highly Recommended
>
> Perhaps these will help.
>
> --
> Regards, Jim Byrd, MS-MVP
>
> "Donna in Idaho" <daawra3553@xxxxxxxxxxxxx (remove spam)> wrote in
> message news:3ctlbvF6orp10U1@xxxxxxxxxxxxxx
>> Thank you to everyone who answered!
>>
>> Donna
>>
>>
>> "yep" <anonymous@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:18ed01c5479b$dc086d90$a601280a@xxxxxxxxxx
>>> spybot safer-networking.org 1.3 and soon to be 1.4
>>> ad-aware lavasoftusa.com se1.05 (both free)
>>> firefox browser mozilla.org plus many extensions and no
>>> hijacks.
>>>
>>>> -----Original Message-----
>>>> Several months ago someone here posted a great list of spyware
>>>> cleaning programs.
>>>>
>>>> Now, I need to know a good pop up stopper? Any suggestions?
>>>>
>>>> Thanks!
>>>>
>>>> --
>>>> Donna Aten, Coordinator
>>>> Project Linus - Boise/SW Idaho Chapter
>>>> Website: www.LinusIdaho.org
>>>>
>>>>
>>>> .
>
>
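
Added example, not part of the original thread: a small Python check that reads saved `netstat -an` output and reports which of the ports named in the quoted post are reachable on a non-loopback address. The sample output is constructed, and the function name and the group labels ("messenger", "nt-extra") are hypothetical.

```python
from typing import NamedTuple

# Port lists taken from the quoted post. "messenger" = the ports it ties to
# Messenger Service popups; "nt-extra" = the additional ports it says to
# block on XP/Win2k. The group labels are this example's own.
WATCHED = {
    ("TCP", "messenger"): {135, 139, 445},
    ("UDP", "messenger"): {135, 137, 138, 1026, 1027, 1028, 1029},
    ("TCP", "nt-extra"): {593, 4444},
    ("UDP", "nt-extra"): {69, 139, 445},
}


class Finding(NamedTuple):
    proto: str
    address: str
    port: int
    group: str


def classify(proto, port):
    """Return the group a proto/port pair belongs to, or None."""
    for (p, group), ports in WATCHED.items():
        if p == proto and port in ports:
            return group
    return None


def exposed_ports(netstat_text):
    """Find watched ports bound on a non-loopback address."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto = fields[0].upper()
        host, _, port_text = fields[1].rpartition(":")
        if not port_text.isdigit():
            continue
        # TCP rows count only when listening; UDP rows carry no state.
        if proto == "TCP" and (len(fields) < 4 or fields[3].upper() != "LISTENING"):
            continue
        host = host.strip("[]")
        if host.startswith("127.") or host == "::1":
            continue  # bound to loopback only, not reachable from the network
        group = classify(proto, int(port_text))
        if group:
            findings.append(Finding(proto, host, int(port_text), group))
    return findings


# Constructed sample of Windows `netstat -an` output.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:4444         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    0.0.0.0:1026           *:*
"""

if __name__ == "__main__":
    for f in exposed_ports(SAMPLE):
        print(f"{f.proto} {f.address}:{f.port} ({f.group})")
```

A listener appearing here only means the socket is bound locally; whether it is reachable from outside still depends on the firewall in front of it.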

