View Full Version : streaming data
mr emu
July 1st, 2003, 09:40 PM
I think what you're doing is wonderful. I recently downloaded v.92 modem software and opened a flood of pop ups. My concern is I use streaming data for stock research on a daily basis. I need your wisdom as to which software to download.
Thank you!
Dan Perez
July 1st, 2003, 11:22 PM
Hi Mr Emu,
Welcome to Wilders!
I'm unsure on what type of info you are looking for. Are you looking for software to combat PopUps or are your concerns more wide-ranging?
On the PopUp side, I'm afraid I don't have much advice to offer except to recommend Opera as a browser and set its preferences to deny popups. I don't know though if this would be feasible with your work however so I would use their software in shareware mode (which includes ads of its own) until you are sure.
If I misunderstood your question please let us know. In the meantime hopefully others will offer their own suggestions.
Regards,
Dan
scott
July 1st, 2003, 11:28 PM
Hi Dan,
Thanks for the quick response. My concern was related to blocking pop-ups and interference with streaming data which I use. I just downloaded Spybot and tested my streaming data and all seems to work. I just ran the immunize and the s&d after reading the tutorials. I did just get hit with another pop-up. Is this supposed to block pop-ups?
Dan Perez
July 1st, 2003, 11:35 PM
No that is more intended to immunize your system against unauthorized changes to your IE settings (such as through Browser Hijacks) as well as to help guard against spyware.
Just to be certain, by 'popups' you are speaking of an actual browser window popping up and not a MS Windows messagebox right?
If this is happening on sites that used to not do this then there may be a problem. If you can give a few more details I might be able to better guide you.
You indicated that the stuff started occurring after you loaded modem software? But you were on the internet before correct?
scott
July 7th, 2003, 03:38 PM
Sorry for the late response. The pop ups are not windows warning or error messages. In response to your question, Yes, I have been active at my stock trading sites. These are primarily the only sites I visit. These pop ups, which all appear dead center of the screen, all started the moment I signed on with my new Broadxent V.92 PCI.
Dan Perez
July 7th, 2003, 03:50 PM
Can you please download and run HijackThis from
http://www.tomcoyote.org/hjt/hijackthis.zip
press the "scan" button and when finished do *not* try to fix anything yet as much of the stuff is necessary. Save the log and copy/paste the results here so we can see what needs to be deleted.
Thanks
scott
July 7th, 2003, 11:35 PM
Thanks for the help and direction. Here is the data you requested. If this is not right, let me know. Again I truly appreciate this.
Logfile of HijackThis v1.95.0
Scan saved at 10:31:05 PM, on 7/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\essspk.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\scott\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1101709eea8aaf7b1c02/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://members.vectorvest.com/vvonline/Install/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37684.3445486111
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
Dan Perez
July 7th, 2003, 11:54 PM
Hmm, well there is not much there. Before you fix anything you should close out of all windows except HijackThis. If you do not need the speakerphone capability of your modem then you can select
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
you should also select, in any case,
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://no/
O15 - Trusted Zone: http://free.aol.com
Neither of these last two entries though would result in the behaviour you mention and the only thing present pointing to the install of modem software is the first entry. I would recommend removing all three and if you need to re-add the speakerphone software you can restore it from the backup entry in HijackThis.
Either way, once you have selected and fixed do a reboot and let us know how things stand as far as recurrent popups (if any).
Thx
Dan
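An added example, not part of the thread and not HijackThis's own logic: a short Python triage of a HijackThis log like the one posted above, which splits entries by section code and lists the ones worth reading first. The hint rules are assumptions of this example, and a hit means "look here first", not "remove".

```python
import re
from urllib.parse import urlparse

# Section codes that occur in the log above, with their usual HijackThis meaning.
SECTIONS = {"R0": "IE start/search page", "O2": "Browser Helper Object", "O3": "IE toolbar",
            "O4": "autostart entry", "O8": "IE context-menu item", "O9": "IE button/Tools item",
            "O12": "IE plugin", "O15": "Trusted Zone site", "O16": "downloaded ActiveX control"}
ENTRY = re.compile(r"^([RO]\d{1,2}) - (.+)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse(log_text):
    """Return [(code, detail)] for entry lines; header and process lines are skipped."""
    matches = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]

def reasons(code, detail):
    """Review hints only (assumed heuristics, not HijackThis rules)."""
    out = []
    url = re.search(r"https?://\S+", detail)
    host = urlparse(url.group()).hostname if url else None
    if code == "R0" and "Start Page" in detail and host and "." not in host:
        out.append("start page host is not a full domain name")
    if code == "O4" and "\\" not in detail.split("] ", 1)[-1].split()[0]:
        out.append("autostart command has no full path")
    if code == "O15":
        out.append("site added to the Trusted Zone")
    if code == "O16" and host and IPV4.match(host):
        out.append("ActiveX control fetched from a bare IP address")
    return out

def triage(log_text):
    """Return [(code, section, detail, [reasons])] for entries with at least one hint."""
    rows = [(c, SECTIONS.get(c, "unknown section"), d, reasons(c, d)) for c, d in parse(log_text)]
    return [row for row in rows if row[3]]

# Excerpt of the log posted above (copied from the thread, not constructed data).
SAMPLE = r"""C:\WINDOWS\essspk.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://no/
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1101709eea8aaf7b1c02/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for code, section, detail, why in triage(SAMPLE):
        print(f"{code:<3} {section}: {detail}\n    -> {'; '.join(why)}")
```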
mr emu
July 8th, 2003, 09:18 PM
Hi Dan,
Let me first say thank you for your dedicated assistance.
I checked off those 3 items mentioned in prior message. Upon start up today, I am getting slammed hard. Just a little while ago one of those terrorists snuck in and blocked my log off and when I came back I had 9-10 of those SOB's stacked upon each other. Well I could continue but you get the idea.
Speaking of ideas, do you have any?
I am sending a donation not because of anything other than I appreciate the support.
Dan Perez
July 8th, 2003, 09:39 PM
Hmm,
And you're certain that they are browser popups and not messenger popups?
If you type in the following at the command prompt you will get an example messenger popup
net send localhost This is a test popup
(If you get no response to this command then the Messenger Service is already disabled). Keep in mind that the messenger spammers can and do change the titlebar of the window. Just in case, you may want to make sure that the Messenger Service is off and disabled from automatically starting. Not sure if it is the same in XP but on Win2K you can
Right-click on My Computer
Click Manage
Click the plus sign next to Services and Applications
Click on Services
Scroll down to Messenger
Right-click and go to Properties
Set "Startup Type" to "Disabled"
and if the "Service Status" is Started, press the "Stop" button.
Once this is done the above test command should not work.
Please let me know whether or not this is a possibility. If it is not, I am going to ask Pieter to take a look at the thread to see what I might have missed.
Thanks!
Dan
mr emu
July 8th, 2003, 09:52 PM
Thanks Dan. I am not all that adept at some terminology. The pop ups do have windows messenger on them. I guess this is what you meant. I have disabled the messenger svc. (yes it is the same with xp) and stopped the service status.
I sent an e-mail to the web-meister. Let me know.
Dan Perez
July 8th, 2003, 09:59 PM
My apologies, I should have contrived to make the question clearer earlier, especially as this is such a common issue. I believe this will take care of the problem, but I will keep an eye out on this thread in case you get any return "visits"
Regards,
Dan
mr emu
July 8th, 2003, 10:03 PM
No apologies necessary. I sometimes allow myself to be a little intimidated because of my limited years on a computer. Ah but the old German who once stated "we get too soon old and too late smart" missed it again. I just found a smart man.
Detox
July 8th, 2003, 10:21 PM
Hey just out of curiosity I checked in there on my own "messenger service" which I have never looked at before but I've never had a msg yet... Wondered before (think I asked Spy1) if I could actually just be that lucky.. Mine is on automatic but I left it there so far since Sygate must be blocking any such attempts on me or something.
Dan Perez
July 8th, 2003, 10:35 PM
Hi Detox,
Yes, as long as the firewall is blocking the requisite NetBIOS ports you don't need to stop the service but as most people don't really need it and as there are too many firewall differences to easily explain how to address the issue that way the disabling of the service works well :)
The main port that the messenger spammers use is UDP 135 but they have been known to use some of the other NetBIOS ports
Regards,
Dan
LowWaterMark
July 8th, 2003, 10:45 PM
Yes, most of the Messenger based advertising spam is going out as UDP port 135, though NET SEND can function using NetBIOS UDP port 137 and TCP port 139. There is a good analysis of this over at myNetWatchman (http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm).
Detox, unless you lowered your Sygate firewall, or allowed Generic Host Process for Win32 Services permission to act as a server, you'd be protected. Most firewalls in default configuration protect against this. Heck, even the built-in XP ICF blocks this.
In fact, the people who are probably the safest, and least likely to mess up a configuration to allow these messages through, are those who are on a NAT router in a standard "out of the box" configuration.
The success of this Messenger stuff just goes to show how many people have no firewall or router based protection in place.
mr emu
July 8th, 2003, 11:22 PM
Hey Dan. Now that I have disabled the messenger, will this affect the modem-on-hold announcement when calls come in?
Dan Perez
July 8th, 2003, 11:45 PM
Hi mr. emu
No that is completely different. The only legitimate use for the messenger service is for sending and receiving impromptu notices across the network (for example, a domain admin might announce via messenger that one of the servers is due to go down at a certain time for maintenance).
You should see no adverse impact from disabling the service.
Regards,
Dan
mr emu
July 9th, 2003, 10:29 AM
Hi Dan, Mixed reviews. The pop-ups are gone. Thank you. The modem-on-hold is down. Any suggestions?
Dan Perez
July 9th, 2003, 02:52 PM
okay, the
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
entry we removed from the registry earlier may be needed for that function. If you could close out of all programs and then launch (but do not yet scan) HijackThis. Then
Press on the "Config" button
Go to "Backups" tab
Highlight the above-mentioned entry
Press "Restore"
Once this is done please do a reboot and let us know how things are.
Thx
Dan
mr emu
July 9th, 2003, 03:01 PM
Hey Dan,
I went ahead and r/reloaded the v.92 software. My not so simple but effective means to remedy the situation.
Thanks for all the help.
Plz send link for donations!
Dan Perez
July 9th, 2003, 05:48 PM
Hi mr. emu,
While I am very glad we were able to assist you in this matter we do not accept donations at this time. However, you might consider passing the word to some of your friends and colleagues regarding this forum.
I hope to see you around here in the future (not that I am willing any bad karma on your machine, you understand ;D )
Warm Regards,
Dan
mr emu
July 9th, 2003, 05:51 PM
Thank you kindly! You can count on my referrals!
mr emu
July 9th, 2003, 10:33 PM
Hey Dan,
I'm pop up free and damn proud of it. That was a lot of effort.
In the FYI department. In my effort to resolve the issue, I had downloaded ad aware. There was a definite interruption in the streaming data. Just thought you might be interested.
Dan Perez
July 10th, 2003, 12:32 AM
interesting, mr. emu, can you elaborate on that a little?
Was it just having AdAware installed that caused the interruption, or scanning with it , or was it only while the AdWatch component was running?
TIA,
Dan
mr emu
July 10th, 2003, 12:39 AM
I had run a scan after downloading, closed the program (not running in the background). I was back on my research site and was having a hell of a time getting the data to properly fill. I could refresh and utilize the streaming data, but it was laborious. Being a logical sort, I removed the program from my system and all is well. And still no pop ups :D ;D :D
Dan Perez
July 10th, 2003, 01:05 AM
Glad the popups are gone :)
Many thanks for the tip on your issue with AdAware, that will help us when we encounter a similar complaint. For your contribution you get a yummy karma cookie!