Major Popups Lately

Discussion in 'Windows Applications' started by Bman, May 30, 2008.

  1. Bman

    Bman OSNN Veteran Original

    Messages:
    8,799
    Location:
    Ottawa, Ontario
    I have NEVER had problems with popups or ads, been using Firefox for years without problems. Even though I don't need to I install all those extensions, adblock and such.

    Until about 3 days ago it was all fine, now I am getting random popups (new tabs) of spam crap stuff. I didn't change anything, I scanned my whole system with NOD32 and Defender and there is nothing there.

    What and how is it doing this? Firefox has not changed either...
     
  2. ming

    ming OSNN Advanced

    Messages:
    4,252
    Location:
    UK
    Probably the sites you visit.. For some reason, I always get popups using FF on some sites, but not if I use IE7.
     
  3. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    Check the PC using Spybot Search and Destroy.
     
  4. Bman

    Bman OSNN Veteran Original

    Messages:
    8,799
    Location:
    Ottawa, Ontario
    Yeah, I was just going to use Spybot, and no, it's not the websites, same old websites I go to, and it's not even when I click on something on a site, they just pop up randomly.
     
  5. falconguard

    falconguard Carbon based lifeform Political User Folding Team

    Messages:
    3,406
    Location:
    SoCal
    Just use Opera. It seems that the coders have become much more pernicious with the popups lately.
     
  6. Bman

    Bman OSNN Veteran Original

    Messages:
    8,799
    Location:
    Ottawa, Ontario
    Please don't come in here talking about another browser, I can't stand that. I clearly stated I have never over years of using Firefox had problems, Firefox is just as good or better than Opera with popups. This is some random weird thing.

    I just found a bunch of crap with Spybot, we will see if this helps.
     
  7. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    If it's in red then yes, you have a load of crap on your PC - if it's green it will just be your usual logs and stuff. Makes you wonder what sites you've been going to :D
     
  8. gonaads

    gonaads Beware the G-Man Political User Folding Team

    If you are using FF3 RC1 check to see if your ad blocker plug-in is compatible with RC1 and/or check for any updates to them.
     
  9. Bman

    Bman OSNN Veteran Original

    Messages:
    8,799
    Location:
    Ottawa, Ontario
    I am using 2.0... still, and everything is in place. I have yet to see any problems since running Spybot but it has not been that long. If it was those files that Spybot found, that is rare that anything got on my system.

    Edit: just happened again.

    It's weird, it just pops up when it wants to, I could even be changing tabs and it happens. It's not like the normal kind where it's when you load a page or click on something, it just happens?
     
  10. Shamus MacNoob

    Shamus MacNoob Moderator Political User

    Messages:
    4,199
    Location:
    L'Ile Perrot Quebec
    What are the popups? Where do they want to lead you?
     
  11. gonaads

    gonaads Beware the G-Man Political User Folding Team

    Check to see if under "Tools" - "Options" - "Content" that the "Block Pop-up Windows" box is checked.

    Or try downloading FF3 RC1 and installing it as a completely different instance of FF. With new directory and everything. Also if when installing RC1 it asks to import your bookmarks, don't let it. Open the browser fresh and clean with nothing. Set the pop-up blocker options in it (as I mentioned above) or install an ad block plug-in (like Adblock Plus) and then go to a site that has caused the pop-ups before and see if it does it with RC1. Couldn't hurt.
     
  12. roirraW "edor" ehT

    roirraW "edor" ehT Builder/Installer

    Messages:
    529
    Can you experiment and see if you have the same problem with Internet Explorer as well?
     
  13. LeeJend

    LeeJend Moderator

    Messages:
    5,291
    Location:
    Fort Worth, TX
    Drop some site links and I'll see if my FF V2.0.0.14 acts up on them. If it doesn't it sounds like you've picked up some malware.
     
  14. Bman

    Bman OSNN Veteran Original

    Messages:
    8,799
    Location:
    Ottawa, Ontario
    Some things that pop up

    Adult Friend Finder, $1000 Free Casino Cash....

    The only websites that I have up regularly are

    Facebook, Digg, Twitter, OSNN, Neowin, Deviantart, Revision3, Wegame....

    again, this is a weird new problem....
     
  15. gonaads

    gonaads Beware the G-Man Political User Folding Team

    I see the problem already, it's OSNN. Damn EP and all that pr0n he has on the frickin server.

    *runs* :p
     
  16. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    Wonder why it's in your folder?

    edit: also check for an update for NoScript
     
    Last edited: May 31, 2008
  17. LeeJend

    LeeJend Moderator

    Messages:
    5,291
    Location:
    Fort Worth, TX
    I'm on most of those sites frequently with FF V2 with no pop ups. It sure sounds like you've picked up some malware.

    Run HijackThis and post the results log.
     
  18. Bman

    Bman OSNN Veteran Original

    Messages:
    8,799
    Location:
    Ottawa, Ontario
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:19:11 AM, on 5/31/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\NOD32 Antivirus\egui.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Spybot SD\SpybotSD.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    E:\My Install Files\Programs & Games\HiJackThis Install.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {129FA2A1-408C-4824-83A4-5001581FD01E} - C:\Windows\system32\geBUOIXr.dll
    O2 - BHO: (no name) - {6714DE85-4886-460F-9539-79A999BF7E5C} - C:\Windows\system32\rqRLfcyw.dll (file missing)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\geBUOIXr.dll,#1
    O4 - HKLM\..\Run: [a6472761] rundll32.exe "C:\Windows\system32\rphklrrm.dll",b
    O4 - HKLM\..\Run: [BMa57414fd] Rundll32.exe "C:\Windows\system32\xmuswwaq.dll",s
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32 Antivirus\ekrn.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

    --
    End of file - 4140 bytes

    Yes Lee, I usually have no problems just like you, it must be malware or something not related to Firefox.

    Edit:

    Just re-ran Spybot and it found Virtumonde for a second time, I read up on what it is and what it does and it sounds like it's exactly what is going wrong. I removed it last time, so is there a proper way to get rid of it?
     
  19. tdinc

    tdinc █▄█ ▀█▄ █ Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN
    Remove this line:

    O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\geBUOIXr.dll,#1
     
  20. Bman

    Bman OSNN Veteran Original

    Messages:
    8,799
    Location:
    Ottawa, Ontario
    I did that, also ran another NOD32 scan,

    found a related Virtumonde entry, removed it. Hopefully all this will do something. How would I have gotten it in the first place, all files I download are scanned before opening, I don't download much crap, and I know my stuff..