Thread: buycheapadvertising popup

  1. #1
    Senior Member oshta's Avatar

    Hi, I keep getting a http://www.buycheapadvertising.com/ popup on our fileserver (running win2kAS).
    - I've run all my (up-to-date) anti-virus gunk, as I usually do, but I still don't find anything, and it still keeps coming. What can I do next?

    I've got Sygate PFSpro and the hardware FW in my Voyager205
    - I've run a scan with AVG, A-squared, Adaware (full scan and ADS), I've run SpyBot S&D, I've also got all the Windows updates available. - All as per usual.
    I then got desperate and had a go with the MS anti thingy beta thing, which only managed to find VNC, Doh

    But still I get these stupid popups every twenty minutes, even when I'm not doing anything, AHHhhh!


    Daniel, slightly stressed out now
    - Goes to switch server off and go to bed in disgust at MS.

  2. #2
    Administrator Moby-Dick's Avatar
    Have you got HijackThis?

    If so, print a log up here.
    I'd say use msconfig, but 2k server doesn't have that as standard...

  3. #3
    Senior Member oshta's Avatar
    Quote Originally Posted by Moby-Dick
    Have you got HijackThis?

    If so, print a log up here.
    I'd say use msconfig, but 2k server doesn't have that as standard...
    No, I haven't.
    - But I can DL it now.

    (and I don't have msconfig)

    Thanks, Daniel

  4. #4
    Senior Member oshta's Avatar
    There, how's that look?

    Logfile of HijackThis v1.99.1
    Scan saved at 17:30:01, on 11/06/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\ismserv.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\sfmsvc.exe
    C:\WINNT\System32\sfmprint.exe
    C:\WINNT\system32\ntfrs.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\oodag.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wins.exe
    C:\Program Files\RealVNC\WinVNC\winvnc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\epswad3.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    D:\UserData\shared\Downloads & Programs etc\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
    O4 - HKLM\..\Run: [AdPopup] C:\WINNT\epswad3.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O15 - Trusted Zone: *.boxsearch.net
    O15 - Trusted Zone: *.brdatahost.com
    O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = laburnum.spurstow.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B9CC488-AEB7-4BF9-AF0E-93C7A3413BE1}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = laburnum.spurstow.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = laburnum.spurstow.com
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\winvnc.exe" -service (file missing)


    Daniel

  5. #5
    Senior Member oshta's Avatar
    Anyone?

    - It's still doing it every 20 mins whenever I'm logged in.

  6. #6
    Ex-MSFT Paul Adams's Avatar
    These don't sound good to me....
    Quote Originally Posted by oshta
    C:\WINNT\epswad3.exe
    ...
    O4 - HKLM\..\Run: [AdPopup] C:\WINNT\epswad3.exe
    EPSWAD3

    Quote Originally Posted by oshta
    O15 - Trusted Zone: *.boxsearch.net
    O15 - Trusted Zone: *.brdatahost.com
    Sounds like some sites have been added as trusted zones which you may not want and should delete from IE?

    Quote Originally Posted by oshta
    O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
    Managed to run something which installed a pr0n dialler too possibly?

    Personally I'd clean those up, then create another admin account, log on as that and delete the other user profile too.

  7. #7
    Senior Member oshta's Avatar
    Thanks.

    - There, how's that look!

    Logfile of HijackThis v1.99.1
    Scan saved at 00:32:37, on 20/06/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\ismserv.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\sfmsvc.exe
    C:\WINNT\System32\sfmprint.exe
    C:\WINNT\system32\ntfrs.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\oodag.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wins.exe
    C:\Program Files\RealVNC\WinVNC\winvnc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    D:\UserData\shared\Downloads & Programs etc\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = laburnum.spurstow.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B9CC488-AEB7-4BF9-AF0E-93C7A3413BE1}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = laburnum.spurstow.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = laburnum.spurstow.com
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\winvnc.exe" -service (file missing)


    I haven't done the creating a new admin account, and removing the old one, but I'll do that tomorrow. Assuming it all still works then (the PC's being a bit flaky lately, and today we had a few power cuts!)

    - Also, is it better not to leave it with someone signed in for ages, would I be better logging out in between using it?

    Daniel
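
Added example (not part of any poster's message, and not HijackThis's own code): a short Python script that diffs two HijackThis logs like the ones posted above to confirm what a cleanup removed, and flags the three kinds of entry called out in reply #6. The sample logs are constructed excerpts of the posted scans, and the flagging rules are illustrative assumptions, not a malware verdict.

```python
import re

# Constructed excerpts of the two scans posted above, trimmed to a few lines each.
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [AdPopup] C:\WINNT\epswad3.exe
O15 - Trusted Zone: *.boxsearch.net
O15 - Trusted Zone: *.brdatahost.com
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = laburnum.spurstow.com
"""
SCAN_AFTER = r"""
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = laburnum.spurstow.com
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")
# First executable path after the "[ValueName]" part of an O4 autorun line.
AUTORUN_EXE = re.compile(r'\]\s+"?([A-Za-z]:\\[^"]+?\.exe)', re.I)
# An executable sitting directly in the Windows directory (C:\WINNT on this server).
IN_WINDOWS_ROOT = re.compile(r"[A-Za-z]:\\WINNT\\[^\\]+", re.I)


def parse(log):
    """Return the set of (section, detail) entries from a HijackThis log."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return {(m.group(1), m.group(2)) for m in matches if m}


def review_reason(section, detail):
    """Illustrative heuristics only: why an entry deserves a manual look, or None."""
    if section == "O15":
        return "site added to the IE Trusted Zone"
    if section == "O16":
        return "ActiveX control downloaded from a web URL"
    if section == "O4":
        exe = AUTORUN_EXE.search(detail)
        if exe and IN_WINDOWS_ROOT.fullmatch(exe.group(1)):
            return "autorun executable directly in the Windows directory"
    return None


def compare(before, after):
    """Return (entries removed between scans, flagged entries still present)."""
    old, new = parse(before), parse(after)
    removed = sorted(old - new)
    remaining = sorted(e for e in new if review_reason(*e))
    return removed, remaining


if __name__ == "__main__":
    for entry in compare(SCAN_BEFORE, SCAN_AFTER)[0]:
        print("removed:", *entry, "->", review_reason(*entry))
```

An empty second return value from `compare` means no flagged entry survived the cleanup; an O4 line that goes through RUNDLL32.EXE or has no full path is not matched by the autorun rule and still needs reading by eye.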

  8. #8
    Comfortably Numb directhex's Avatar
    which web browser has said machine been running?

  9. #9
    Senior Member oshta's Avatar
    Opera 7.23 (and it's still got IE on there, which I've used, once, for NatWest's crappy site)


    Daniel

  10. #10
    Ex-MSFT Paul Adams's Avatar
    Looks better, how has the popup behaviour been?
    Logged out & back in again yet?

    Quote Originally Posted by oshta
    Also, is it better not to leave it with someone signed in for ages, would I be better logging out in between using it?
    Every logged-in session, be it a Terminal Services or console logon, uses up resources - if they aren't being used then they are being wasted so servers should have users logged out when not needed (also a security issue).

    My personal recommendations/preferences:
    Workstations:
    - log in as users without admin rights
    - install software through group policy, or having an admin use RunAs
    - enable password-protected screensavers kicking in after 5 or 10 minutes
    Servers:
    - do NOT grant domain users admin rights, use the local administrator account*
    - rename the local administrator account and give it a strong password (13+ characters, consisting of upper & lower case, numbers and non-alphanumeric)
    - change the password regularly, recording in a secure document
    - log out when you are done with administration
    - enable password-protected screensavers kicking in after 5 minutes

    * You may wish to create 1 specific domain account with admin rights and use the same account on every server but leave the account disabled, to be used in case the admin password is lost/forgotten - though with a decent change control policy this should not be required


    Quote Originally Posted by oshta
    Opera 7.23 (and it's still got IE on there, which I've used, once, for NatWest's crappy site)
    You might want to upgrade Opera:
    http://www.theregister.co.uk/2005/06...curity_update/

  11. #11
    Senior Member oshta's Avatar
    Quote Originally Posted by Paul Adams
    Looks better, how has the popup behaviour been?
    Logged out & back in again yet?

    You might want to upgrade Opera:
    http://www.theregister.co.uk/2005/06...curity_update/
    The popups haven't come up once since, so touch wood.. (I've rebooted since)

    - Also, about Opera, is there an easy way to migrate the settings/skins/favs/etc across and get 8 to look just like my 7.23?


    Daniel

  12. #12
    Ex-MSFT Paul Adams's Avatar
    Quote Originally Posted by oshta
    - Also, about Opera, is there an easy way to migrate the settings/skins/favs/etc across and get 8 to look just like my 7.23?
    No clue sorry, I only played with Opera a few years ago, these days I just pay attention to the security bulletins for all browsers.

  13. #13
    Senior Member badass
    Just out of curiosity, why do you have Sygate Personal Firewall running on a server? Opera and VNC as well?
    Introducing programs like this to a server is a recipe for disaster. W2k server terminal services in admin mode is many, many times better than VNC and you should not run personal firewalls on servers. The only place for non-standard browsers is desktops as servers should not be used for general browsing.
