Pop-ups and Toolbars and Spyware? Oh my!

Started by Sylvr, Tue 23/10/2007 23:00:33


Sylvr

Today was a strange day for my computer.... for some reason, I'm getting all these popups for Adware/Spyware/Malware software to get rid of all these threats that have apparently shown up. There's also a new 'toolbar' which I sure did not ask to be put there. There = underneath the um... 'bar where you type the address', but over the row of tabs. Before it told me my security rating and had 2 buttons that tell me they will get rid of spyware, and adware/popups. I also get balloons that are attached to my start bar that tell me to click them and make stuff go away.

I ran a check with my current antivirus software and it found a few things, and I thought it would've done something. It didn't really do much, apparently.

So I'm wondering... how can I make it go away? How do I know what's legit and what's not?

Thanks... :(
| Ben304: "Peeing is a beautiful thing, Sylvr" |

LimpingFish

Steam: LimpingFish
PSN: LFishRoller
XB: TheActualLimpingFish
Spotify: LimpingFish

space boy

You could also try "HijackThis" available from this site.

Khris

My computer had the same problem and it was a bitch to get rid of.
Make sure you don't only keep your anti-virus software updated but WinXP, too.

If in doubt, visit windowsupdate.microsoft.com now.

auriond

Try Ad-Aware: http://www.lavasoftusa.com/products/ad_aware_free.php

The last time I met a situation like what you described, I installed Ad-Aware and AVG Antivirus Free. Never had a problem since.

InCreator

Easiest -- primitive, but sure -- way to determine if you have something evil lurking around is to follow this recipe:

* Start > Run

* type 'msconfig' without quotes, press enter

* Choose last tab, 'startup'

* Now look at stuff that starts up with your windows. There's about a pageful of stuff there, try to inspect those and determine what is what. Windows XP in a typical computer by default needs only about 5-10 entries, of which most are usually something to run your video and soundcard (NVidia tray/Ati tray/sound manager of some sort/installed antivirus or spyware stuff/management programs for any USB device you could own, CD write utils, agents), and everything else that has an icon near the computer clock.

* Find things that look suspicious or unknown to you. VERY suspicious are

1) Things that won't show a path to exe file
2) Things that come from weird folders. Like c:\random\random.exe
3) Things that are on C root. Like c:\systemhelp.exe or c:\123.exe
4) Things whose filenames are a strange mess of letters and don't seem to mean anything.

This is a bit hard, because almost everything is shortened anyway. But from SOMETHING.
Like, 'nwiz.exe' is 'nvidia wizard' and 'acrotray.exe' stands for 'adobe acrobat tray' etc.
What does 'Sq1ZbvMq.exe' mean? It means that you should disable this from the startup and immediately scan for viruses.

5) Suspicious things are also the strangely correct and 'important' entries. Like c:\help.exe or c:\images\image.exe

Nobody names their programs like this except for creativity-poor virus writers.

6) File path should be the easiest way to determine what you are looking at, so don't just stare at the .exe file name. If something's in the Adobe Photoshop folder, it should be related and is needed, so move on to the next one etc.

7) Toolbars, smileys, search helpers, etc. I mean, if you really want and have google or yahoo toolbar installed (god knows why), leave it there, but if there's anything else you don't know, better kill it. Windows itself doesn't need any extra toolbars or search engines installed and a healthy computer doesn't as well. While "CoolWebSearch" might sound cool and useful, it's one of the most annoying viruses around causing more trouble than I've ever had with any other virus.

* Now, since you cannot possibly know all the names, open up google and type unknown ones in. With extension.

What's a 'qttask.exe'? Type it into google or look from neuber.com and you'll know soon that this stands for Quicktime tray icon. That's how you can get info on anything going on inside the machine.

* While all this could sound complicated, as I said, you should have no more than 5-10 entries total. I would even say that if computer isn't filled with junk from end-to-end, 10 entries is maximum you could have.
* Disable everything that isn't okay or not actually installed by your free will.
* Restart and open msconfig again. Suspect heavily anything that you disabled, but has enabled itself again.
* You could also press ctrl-alt-del and check out the names of currently running processes, in 'processes' tab. But that's a bit more delicate matter, many of them are critical system processes and if you mess around, you could crash your machine. Well, no big deal here, rebooting repairs everything.

Now, you should know way better if you have something fishy going on. And take appropriate steps to kill it.
All suggested spyware killers are good, I'd also recommend Ewido, since it finds so much others don't. Also, remember that a good anti-spyware or -virus tool runs well in safe mode. Most of the hyped anti-spyware tools don't and that's a good excuse to avoid them. Many problems are simply unremovable without safe mode, or too difficult to do so at normal startup. I prefer safe mode always and everywhere.

Ah, and Windows Defender is made of programmer tears, baby skin and dark matter. Avoid it at all cost.
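
The startup-list inspection described in the post above, written out as a script. This is an added example, not part of the original thread; the sample paths are constructed, and the name heuristic and the "usual folders" pattern are assumptions, so a flag means "look this one up", not "this is malware".

```powershell
# Added example, not from the thread. Flags startup entries using the red flags
# listed in the post above. The name heuristic and the "usual folders" pattern
# are assumptions chosen for illustration.
function Get-StartupRedFlags {
    param([string] $Name, [string] $Command)

    $usual = '^[A-Za-z]:\\(Program Files( \(x86\))?|WINDOWS)(\\|$)'
    $flags = @()
    $exe   = $null
    # Quoted path if present, otherwise everything up to the first ".exe".
    if     ($Command -match '^\s*"([^"]+)"')        { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(.+?\.exe)(\s|$)') { $exe = $Matches[1] }

    if (-not $exe -or $exe -notmatch '^[A-Za-z]:\\') {
        $flags += 'no full path to the exe'                  # item 1
    } elseif ($exe -match '^[A-Za-z]:\\[^\\]+$') {
        $flags += 'sits in the drive root'                   # item 3
    } elseif ([IO.Path]::GetDirectoryName($exe) -notmatch $usual) {
        $flags += 'not under Program Files or WINDOWS'       # items 2 and 6
    }

    if ($exe) {
        $leaf = [IO.Path]::GetFileNameWithoutExtension($exe)
        # Long name with no vowels, or a digit wedged between letters.
        if ($leaf.Length -ge 6 -and ($leaf -notmatch '[aeiou]' -or $leaf -match '[a-z]\d[a-z]')) {
            $flags += 'name looks like random characters'    # item 4
        }
    }
    [pscustomobject]@{ Name = $Name; Exe = $exe; Flags = $flags -join '; ' }
}

# Constructed sample entries; the file names are the ones mentioned in the post.
$samples = @(
    @{ Name = 'nwiz';       Command = 'C:\WINDOWS\system32\nwiz.exe /install' }
    @{ Name = 'acrotray';   Command = '"C:\Program Files\Adobe\Acrobat\acrotray.exe"' }
    @{ Name = 'Sq1ZbvMq';   Command = 'Sq1ZbvMq.exe' }
    @{ Name = 'systemhelp'; Command = 'c:\systemhelp.exe' }
    @{ Name = 'random';     Command = 'c:\random\random.exe' }
)
$samples | ForEach-Object { Get-StartupRedFlags -Name $_.Name -Command $_.Command } |
    Format-Table -AutoSize
# Live list instead of samples (Name and Command are real properties of this class):
# Get-CimInstance Win32_StartupCommand | ForEach-Object { Get-StartupRedFlags -Name $_.Name -Command $_.Command }
```

Legitimate programs with terse names will trip the name heuristic now and then, which is why the post's next step of looking up each unknown name still applies.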

ManicMatt

The best advice I can give you is to take their advice. Seriously. Don't take your time, get it sussed immediately. My girlfriend's PC had a similar problem, and I offered to take a look at it. She said it wasn't necessary and that her brother knows more about PCs than I do. Pfft.

Weeks pass and their problem has gotten so bad that the trojan has killed their access to the internet. I look at the problem, and advise that they need Hijackthis. I tell them to leave the pc off and wait until I come back the next week with the program. Do they listen? NO! They keep playing games on it and BOOM the computer just won't even turn on anymore. Dead computer.

Sylvr

Quote from: auriond on Tue 23/10/2007 23:51:54
Try Ad-Aware: http://www.lavasoftusa.com/products/ad_aware_free.php

The last time I met a situation like what you described, I installed Ad-Aware and AVG Antivirus Free. Never had a problem since.

I started trying methods as I went down the list, and this one seems to have worked, no more popups! Thanks for everyone's advice, and InCreator, sorry I didn't get to try yours, since you typed so much out.  :-\  Perhaps it will come in useful for someone (me again? haha) one day.

Thanks again, everyone :D

auriond

Ad-Aware has been a lifesaver for many people. Glad it worked for you too, SilverTrumpet!

(And no, I don't work for them  ;D )

Sylvr

Hey guys.. sorry to dig this up again, but I think I've screwed compy here up worse. Today I awoke to find 27 internet pages (accursed pop-ups!) that had apparently sprung up in the night. When I tried Ctrl-Alt-Del to bring up Task Manager so I could get rid of them all, it came back with "Task Manager has been disabled by your administrator." which can't be right.

Anyone know how to re-enable it? What I ended up doing last time to fix the problem (and the incessant freezing that was also happening, if I forgot to mention it) was going through Task Manager and deleting stuff I didn't recognize. Oh yes, and InCreator, I just tried your method too.

Thanks again...  :(

LimpingFish

Nasty. :(

Before you can try anything, you need to log on with administrator rights. So...

Start > Log Off > Switch User > and click on whichever profile says "Administrator" under it.

If you can't do this, or are already logged on as admin, you could try this:

1. Go to Start > Run > type "taskmgr" > Click "Okay".

That might launch the Task Manager for you.

Once you regain control of your system, we can start talking protection.  :)

Sylvr

Didn't work. I got the same message  :-\

And I am the only account on this computer

LimpingFish

Hmm.

Okay. Download Kill Process. This will let you see what's running on your system at the moment, and will allow you to kill, as it were, anything you don't like the look of.

The taskmanager problem could probably be fixed with a registry edit, but Kill Process will allow you to shut down any nasty stuff you have running without having to open the TM.

Sylvr

---------------------------
NSIS Error
---------------------------
The installer you are trying to use is corrupted or incomplete.
This could be the result of a damaged disk, a failed download or a virus.

You may want to contact the author of this installer to obtain a new copy.

It may be possible to skip this check using the /NCRC command line switch
(NOT RECOMMENDED).
---------------------------
OK   
---------------------------

^ result of download. Also, none of my other downloads seem to work either. Not stupid downloads either, like Adobe updates

LimpingFish

Argh! >:(

Righto, try this:

How to fix the Task Manager in the registry:

Warning! Tampering with your registry is dangerous! Be careful! And...um...don't blame me.

Start > Run > Regedit.exe

In regedit, go to the following entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Over in the right window, delete the value named DisableTaskMgr.

If the entry isn't there, see if it's in HKEY_LOCAL_MACHINE\...

That may get the TM up and running again.
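
The registry check from the post above as a script that first reports where DisableTaskMgr is set and only then removes it. This is an added example, not part of the original thread; the HKEY_CURRENT_USER key is the one named in the post, while using the same subkey under HKEY_LOCAL_MACHINE is an assumption, since the post abbreviates that path.

```powershell
# Added example, not from the thread. The HKCU key is the one named in the post;
# checking the same subkey under HKLM is an assumption (the post abbreviates it).
function Get-TaskMgrPolicy {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($key in $keys) {
        # Returns nothing if the key or the value does not exist.
        $prop = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($prop) {
            [pscustomobject]@{ Key = $key; Value = $prop.DisableTaskMgr }
        }
    }
}

function Remove-TaskMgrPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($hit in Get-TaskMgrPolicy) {
        # ShouldProcess makes -WhatIf and -Confirm work for this function.
        if ($PSCmdlet.ShouldProcess($hit.Key, 'Remove DisableTaskMgr')) {
            # Removing the value under HKLM needs an elevated session.
            Remove-ItemProperty -Path $hit.Key -Name DisableTaskMgr
        }
    }
}

Get-TaskMgrPolicy             # lists every hive where the value is set
Remove-TaskMgrPolicy -WhatIf  # shows what would be deleted without changing anything
```

Running `Get-TaskMgrPolicy` again after a reboot shows whether the value has been written back.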

Sylvr

Well I'll follow the instructions.. I don't think I have much choice either way, do I?

Edit: YES!!!!! It worked! Thank you thank you thank you!!!!! I have my task manager back! :D

Now to get rid of most of those 44 processes :|

LimpingFish

Hooray! \o/

If your downloads work again, I'd recommend a complete clean with SpyBot or AdAware, download any Windows updates you may have missed, have ZoneAlarm (or a similar firewall) running when you're connected to the internet, and use Firefox - the plugin Adblock Plus is awesome - (or Opera) over IE. :)

A good idea would also be to check what's running at start up.

CCleaner has a simple function that lets you check your startup list, and it also allows you to disable malicious processes that may be listed.


Sylvr

Hmmm I thought I had it figured out, but I think I killed it... I was going through task manager deleting stuff (I really didn't know what I was deleting, but it worked just fine for me last time...), when I got a message saying that a critical process had been terminated without warning and the computer would shut down in a minute. I figured it would restart normally (as was mentioned in I think InCreator's post), but nooo it didn't. I can't remember exactly what it said when it was restarted, but the effect now is that my 'sound device' won't work, and I have no internet connection. Oh, and it doesn't even look like an XP anymore, the start menu and taskbar have gone back to Win98 style (the option to change it back isn't there on the properties menu)... Gah! Looks like I'll be taking my compy home over the Christmas break...

(Thanks for all your help, LF!)

P.S. I'm using my next-room neighbour's laptop.. :\

LimpingFish

Oh well. :(

Sorry to hear that. Like all things, though, prevention is usually better than cure. Especially when it involves Windows.

Last thing you could try is booting to Safe Mode, and rolling back to a System Restore point.

Good luck with fixing it, anyway. :)

Domino

If all else fails, you may have to reformat your HD and reinstall Windows.

It sucks, but will let you start fresh.
