A New Way to Place Pop-Ups?/NSIS Media Pop-Ups

Spaceman Spiff · Post by **Spaceman Spiff** » Tue Jul 11, 2006 7:19 pm

Hi,

does anybody know anything about a new sort of pop-ups? I did experience a lot of pop-ups lately and start to worry about security. Especially because I never had problems with pop-ups befor, thanks to FireFox. And I'm not aware of any changes to my system or my browser right now...

Post by **klauss** » Tue Jul 11, 2006 9:39 pm

I imagine you're running windows.
Try reading through HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/run
That's... with regedit.
Inspect every entry and try to identify it.
If you can't identify a (legal) subsystem it should belong to (and beware - windows update would not be there, lots of tojans mask themselves as windows update), then simply purge it (in the safe manner I purge - by appending "disabled" before in the command line - disabled is no command, so windows will just ignore the failed launch attempt).
Like:

Normal:
RoxioDragToDisc=""D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe""

After:
RoxioDragToDisc="disable "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe""

(Ok - roxio's drag-to-disc is a legal app, but I don't like it so I disable it nonetheless)

Spaceman Spiff · Post by **Spaceman Spiff** » Wed Jul 12, 2006 12:39 pm

Dunno... I'm really lousy in getting along with stuff like that... seems ok to me... Though, I don't know the three entries in the red frames. Can anybody tell me what they are?

Post by **klauss** » Wed Jul 12, 2006 3:15 pm

Yep - suspicious entries.
Try disabling them. If you computer still works... perhaps popups don't

If that works, though, you should check your firewall settings, as it would mean your system was penetrated.

Post by **jackS** » Wed Jul 12, 2006 3:59 pm

Spaceman Spiff wrote:Dunno... I'm really lousy in getting along with stuff like that... seems ok to me... Though, I don't know the three entries in the red frames. Can anybody tell me what they are?

http://www.processlibrary.com/directory ... index.html

http://www.processlibrary.com/directory ... index.html

http://www.what-process.com/process-inf ... 3.exe&r=mw

I'd say... Google can tell you what they are, probably

The above are some of the top hits thereof.

Spaceman Spiff · Post by **Spaceman Spiff** » Wed Jul 12, 2006 4:06 pm

Very nice Jack, thanks a lot!

Strange, but to google is always the last thing on my mind...

Post by **klauss** » Wed Jul 12, 2006 4:30 pm

Never imagined it would show up.
Fun - I'll try google next time.

Halleck · Post by **Halleck** » Thu Jul 13, 2006 2:45 am

For a more automatic and targeted search you can also try a spyware cleaning program... I find that Spybot Search & Destroy is pretty effective, Ad-Aware is another nice one.

Spaceman Spiff · Post by **Spaceman Spiff** » Thu Jul 13, 2006 8:03 am

I tried Spybot. It came up with seven cookies in IE, which I haven't used for decades...

Right after I shot Spybot down, there was the next Pop-Up...

And to proof, that I'm not the biggest fool in the known VS universe:

Post by **ace123** » Thu Jul 13, 2006 8:23 am

First of all, some Firefox popups can be caused by Flash, which seems to bypass the Firefox popup blocker, since it is a plugin.

You should install Flashblock ( http://flashblock.mozdev.org/ ) which will make you have to click on ads, and then you can play flash objects by clicking on them. It helps get rid of a lot of annoying ads.

Also, about the registry, if you don't know what something is, delete it -- you should pretty much only have one program (or set of related programs) for each system tray icon you want, and nothing more.
You can get rid of Java updates, TkBellExe (that is annoying) RealPlayer updates, definately the ones in red, and delete any others that you don't want starting up on boot (my registry file only has two startup items in it).

Also, you should check in that same registry path, but instead in HKEY_CURRENT_USER instead of HKEY_LOCAL_MACHINE, which will have user-specific programs on startup.
Also, the "msconfig" program if you happen to have it installed can be useful.

Also, I have seen stuff embeded into explorer (as a shell "extension") -- that's really nasty as there is no indicator where it is coming from... then you have to rely on a database like AdAware to find it.

Another option is to remove internet explorer (You can't delete it, but you can deny Full Control access from the "Everyone" group in the permissions tab)
Then, most annoying spyware that calls Internet Explorer for popups won't be able to start it.

Spaceman Spiff · Post by **Spaceman Spiff** » Thu Jul 13, 2006 8:30 am

Thanks Ace

Found the problem: NSIS Media are the bad guys!

See this thread.

Halleck · Post by **Halleck** » Sun Jul 16, 2006 3:41 pm

NSIS Media eh? I hope this has nothing to do with our dear Nullsoft Scriptable Install System.

Oblivion · Post by **Oblivion** » Mon Jul 17, 2006 12:58 pm

I use spybot myself, and It's good. It flushed a lot of sewage in my PC the first time i used it. And it also stopped one virus that managed to escape detection by my norton and avg - BronTok.

I managed to cheat it by changing it's start-up path to SpyBot's blindman.exe A very nifty freeware.