strange poopup-repost

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

last few days I have been getting a stange sort of popup. When going to
a page, often a little square box (about 1"x1") pops to the center of the
screen and says "member", "login", or "password" depending on the nature of
the page. I can't figure out what is generating it. I have run Hijack this,
Adaware 6, Spybot search and destroy, Spysubtact and Winsockfix, all to no
avail.
I do not have anykind of a password generator.
It was also suggested that I get Windows Spyware/Adware remover, but as near
as I can tell they don't have it for Win 98.
 
last few days I have been getting a stange sort of popup. When going to
a page, often a little square box (about 1"x1") pops to the center of the
screen and says "member", "login", or "password" depending on the nature of
the page. I can't figure out what is generating it. I have run Hijack this,
Adaware 6, Spybot search and destroy, Spysubtact and Winsockfix, all to no
avail.
I do not have anykind of a password generator.
It was also suggested that I get Windows Spyware/Adware remover
Click to expand...

I think there's a thread in this very group where someone is describing how
that beta software was probably the cause of some problems

so, if it was me, I'd instead determine where the connection for that little
window was going to. You can try netstat (from a DOS window)... or else a
firewall wherein you deactivate the rule allowing IE access to anything at
will. Once you find where IE is connecting to, that might very well give a
telling clue.
 
I am not sure how to run netstate. just open the dos in a different window
and watch when the little one comes up??????????? Thanks
 
I am not sure how to run netstate. just open the dos in a different window
and watch when the little one comes up??????????? Thanks
Click to expand...

netstat will take a kind of snapshot of the outgoing TCP connections that
exist at the period in time that you run it. So, open a DOS window, type in
the command:
netstat
a few times to get used to it. Then, type 'netsat' again but without hitting
the Enter key yet. Wait until you see the suspicious little window appear.
Immediately switch to the DOS window and hit Enter to start netstat running.
Hopefully you will catch the outgoing socket at some point in its life cycle
before it is closed and no longer appears on netstat.

If that's too cumbersome you might try a firewall instead. Good luck.
 
I did that twice. I got two of the same numbered addresses and one on
Adelphia and the next time one on AOL. I can't find them. All I have to use
is Google and entering them directly in the address bar.

Thanks
 
I did that twice. I got two of the same numbered addresses and one on
Adelphia and the next time one on AOL. I can't find them. All I have to use
is Google and entering them directly in the address bar.

Thanks
Click to expand...

right, it would be a bit tricky to isolate which is the host for the
suspicious little window - as opposed to which connections go to regular
websites.

Once you do isolate it, samspade.org is one place to dig up info on IP
addresses. You can also try a browser, as you've already done - making sure of
the destination port number (from netstat), since it doesn't absolutely have
to be port 80. You might even connect to any potential POP server there (same
IP, on port 110), to try to get info from the server's greeting string. Or
even smtp port 25, if you are not blocked outbound by your ISP.
 
Thanks so much. I look around and let you know.

Al said:
right, it would be a bit tricky to isolate which is the host for the
suspicious little window - as opposed to which connections go to regular
websites.

Once you do isolate it, samspade.org is one place to dig up info on IP
addresses. You can also try a browser, as you've already done - making sure of
the destination port number (from netstat), since it doesn't absolutely have
to be port 80. You might even connect to any potential POP server there (same
IP, on port 110), to try to get info from the server's greeting string. Or
even smtp port 25, if you are not blocked outbound by your ISP.
Click to expand...
 
I have tried that. It doesn't do anything. Right click tool bar and it just
says "movses". More thoughts anyone.
 
Back
Top