Spyware of Popup?

Hi over the last few days i have been getting hundreds of the same popup.
The popup is a You have been awarded a free polyphonic ring tone.

The html for the site is </html>
<head>
<!-- ----------Advertising.com Banner Code---------- -->
<SCRIPT LANGUAGE="JavaScript">
var bnum=new Number(Math.floor(99999999 * Math.random())+1);
document.write('<SCR'+'IPT LANGUAGE="JavaScript" ');
document.write('SRC="http://servedby.advertising.com/site=690790/bnum='+bnum
+'/pops=1"></SCR'+'IPT>');
</SCRIPT>
<!-- ----------Copyright 2000, Advertising.com---------- -->
</head>
</html>

I got this from the source.

I have run, S&D, and Adaware. Could some please tell me how to stop this,
even when there is no connection a windows still opens but the advert itself
doesnt because there is no connection

TIA

Go to the settings for Internet Explorer and disable Javascript.

--
Yours

Zebedee

(Claiming asylum in an attempt
to escape paying his debts to
Dougal and Florence)


"BA" <(E-Mail Removed)> wrote in message
news:a4DAc.786$we5.489@newsfe3-gui...
> Hi over the last few days i have been getting hundreds of the same popup.
> The popup is a You have been awarded a free polyphonic ring tone.
>
> The html for the site is </html>
> <head>
> <!-- ----------Advertising.com Banner Code---------- -->
> <SCRIPT LANGUAGE="JavaScript">
> var bnum=new Number(Math.floor(99999999 * Math.random())+1);
> document.write('<SCR'+'IPT LANGUAGE="JavaScript" ');
>
document.write('SRC="http://servedby.advertising.com/site=690790/bnum='+bnum
> +'/pops=1"></SCR'+'IPT>');
> </SCRIPT>
> <!-- ----------Copyright 2000, Advertising.com---------- -->
> </head>
> </html>
>
> I got this from the source.
>
> I have run, S&D, and Adaware. Could some please tell me how to stop this,
> even when there is no connection a windows still opens but the advert
itself
> doesnt because there is no connection
>
> TIA
>
>

"BA" <(E-Mail Removed)> wrote in message
news:a4DAc.786$we5.489@newsfe3-gui...
> Hi over the last few days i have been getting hundreds of the same popup.
> The popup is a You have been awarded a free polyphonic ring tone.
>
> The html for the site is </html>
> <head>
> <!-- ----------Advertising.com Banner Code---------- -->
> <SCRIPT LANGUAGE="JavaScript">
> var bnum=new Number(Math.floor(99999999 * Math.random())+1);
> document.write('<SCR'+'IPT LANGUAGE="JavaScript" ');
> document.write('SRC="http://servedby.advertising.com/site=690790/bnum='+bnum
> +'/pops=1"></SCR'+'IPT>');
> </SCRIPT>
> <!-- ----------Copyright 2000, Advertising.com---------- -->
> </head>
> </html>
>
> I got this from the source.
>
> I have run, S&D, and Adaware. Could some please tell me how to stop this,
> even when there is no connection a windows still opens but the advert
> itself
> doesnt because there is no connection

Well then you can rule out a popup... Sounds likd adware to me.

Make sure the adaware is updated before doing a scan.

Ben

BA wrote:
> Hi over the last few days i have been getting hundreds of the same popup.
> The popup is a You have been awarded a free polyphonic ring tone.
>
> The html for the site is </html>
> <head>
> <!-- ----------Advertising.com Banner Code---------- -->
> <SCRIPT LANGUAGE="JavaScript">
> var bnum=new Number(Math.floor(99999999 * Math.random())+1);
> document.write('<SCR'+'IPT LANGUAGE="JavaScript" ');
> document.write('SRC="http://servedby.advertising.com/site=690790/bnum='+bnum
> +'/pops=1"></SCR'+'IPT>');
> </SCRIPT>
> <!-- ----------Copyright 2000, Advertising.com---------- -->
> </head>
> </html>
>
> I got this from the source.
>
> I have run, S&D, and Adaware. Could some please tell me how to stop this,
> even when there is no connection a windows still opens but the advert itself
> doesnt because there is no connection
>
> TIA
>
>

Sounds like a new type of hijacker -- if adaware dosen't help try
"HijackThis" from http://www.spychecker.com/ or do a google search for
the download -- I recently discover there is another program with a rip
off name make sure you get the right one it is freeware not the
shareware ripp off which some ISP search engines turn up.

A program called "Startup" also called "WinStartup" might help can't
give you a download site as the author site has moved.

Another one I use to identify running process is "Karen's Window
Watcher" one of "Karen's Power Tools" again free ware and very very
good -- most freware sites carry it.

Good site for advice is computercops if you post ther Hijackthis log
the crowd will look at it for you. You can download "Proxomitron " from
coputer cops very useful for blocking more normal popups.

IE Privacy cleaner is also good for stopping home page hijackers.

Another must have freeware is Kerio Personal Firewall.

Hi,
Downloading and installing the hosts file from:
http://www.mvps.org/winhelp2002/
will block the site, and many other annoyances.

I have been using it for months without problems.
And don't forget to check regularly for any updated hosts file.

BA wrote:

> Hi over the last few days i have been getting hundreds of the same popup.
> The popup is a You have been awarded a free polyphonic ring tone.
>
> The html for the site is </html>
> <head>
> <!-- ----------Advertising.com Banner Code---------- -->
> <SCRIPT LANGUAGE="JavaScript">
> var bnum=new Number(Math.floor(99999999 * Math.random())+1);
> document.write('<SCR'+'IPT LANGUAGE="JavaScript" ');
>
document.write('SRC="http://servedby.advertising.com/site=690790/bnum='+bnum
> +'/pops=1"></SCR'+'IPT>');
> </SCRIPT>
> <!-- ----------Copyright 2000, Advertising.com---------- -->
> </head>
> </html>
>
> I got this from the source.
>
> I have run, S&D, and Adaware. Could some please tell me how to stop this,
> even when there is no connection a windows still opens but the advert
> itself doesnt because there is no connection

Ditto. Seems my better half's machine has recently been hit by this.
Disturbingly it has infected the Administrator IE account on that machine
as well as her own account so (imo) is tantamount to being a virus. Thus
I've been watching it with "Process Explorer" (sysinternals.com). It would
appear to be making use of %WINDOWS%\system32\retpdat32.xml and google on
that file reveals this link may be of interest...

http://www.computercops.us/print-1-45617.html

Read it *carefully*. Not all information there is relevent. It is important
to be properly rid however because there is executable code being run.
Executable code run by IE is pretty much free to run amok. My squid logs on
the unix box show (failed) attempts to go elsewhere. I'll need physical
access to that machine to proceed further (doing it remotely over VNC atm
and its painful). Be suspicious of names such as "adupdate" and IeEnhancer
(also in system32 it would appear).


--
Guy Harrison

Guy Harrison wrote:

[replying to self]

[snip]
> http://www.computercops.us/print-1-45617.html
>
> Read it *carefully*. Not all information there is relevent. It is
> important to be properly rid however because there is executable code
> being run.

The instructions there will remove it (just done it). In addition be wary of
*.xml files in system32 folder (ones with no whitespace at all are more
suspect). Seems this doofrey can mutate: you might find the startup program
is named automove.exe rather than the names listed at the above url. You
must kill this with task manager before attempting to remove anything else
(or it'll replace itself). You'll need to be Administrator so either use a
non IE browser to load above url or log into a less sensitive account then
print/save details somewhere. Don't be online as Administrator. You might
want to review your ActiveX settings and check the...

"%WINDOWS%\DownloadProgram Files"

.... folder for suspect components.

Hope that helps!


--
Guy Harrison