Solved

Tiny MSIE window opens at boot, containing spam advert.

Posted on 2003-11-28
Last Modified: 2013-12-04
Seems like a simple one, or should be, but it's baffled the hell out of me so far!
I have Windows 98 SE with all the latest updates and patches.
Things I've done to try to stop this happening:

1) Checked system start-up for erroneous application launch. Can't find one, but something somewhere is launching this IE window!
2) updated & run DAILY full spybot cleanup.
3) Added entries in Internet Options under Security and Privacy to block
http://media.fastclick.net
http://www.qksrv.net
81.22.32.115
http://205.180.85.40
(I know it's the above sites, as I've found them by right clicking the unwanted window and looking at properties)
4) Updated c:\windows\hosts file with all the above, plus all the latest spyware entries

None of these measures have any effect.
The window doesn't appear every boot, just occasionally, and it appears just as all the desired start-up programs have finished loading.

I now have a sneaky feeling it has to be launched by one of my 'known' programs.
I have McAfee VirusScan Home Edition, and I'm wondering if they have some contract with an advertiser somewhere?

Any help with this would be gratefully received, as I really do not want this blatant spamming/unsolicited advertising.

Cheers...

Dave.

Question by:DaveEE
19 Comments
 
LVL 21

Expert Comment

by:jvuz
ID: 9836911
Maybe try Adaware:

www.lavasoftusa.com
0
 

Author Comment

by:DaveEE
ID: 9838466
Spybot does absolutely everything Adaware does, but in addition offers a lot more control over spam and spyware and system tuning & options.
I used to use Adaware until they stopped updating their definition files, then I switched to Spybot. I understand Adaware are now updating their files again, but Spybot is still a superior option.

So that's not the answer.

I'm wondering if anyone else has even seen this problem before?

There must be some code somewhere which is initiating the internet explorer program and pointing it to this spam / advertising site. It's not like I'm starting IE myself. Something else is starting it without my consent.

Dave.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 9838991
- try double click to expand

- have UI default to not reopening the same windows upon reboot (make it forget)

- use task manager to kill it (and maybe see what it is)

- this can be simply a windows_internal bug, used to happen to me a lot before upgrades

- try right click on its tab in taskbar and any resize options that are there.

- prior to shutdown, open an IE window, size it to 1/2 screen, then close it. Open IE again and see if it remembers.

- try looking for EventLog, or install firewall that blocks outgoing packets such as ZoneAlarm. ZA will tell you who is trying to get packets out if you configure to block them until they get your permission
0
 
LVL 24

Expert Comment

by:SunBow
ID: 9839002
try task manager, or command: tasklist
0
 

Author Comment

by:DaveEE
ID: 9839578
SunBow - try double click to expand
Dave - Don't understand how this could help anything? It's a Microsoft Internet Explorer Window. I know what it is, I know the URL it is pointed at? What I need to know is HOW it is being started and by who/what?

SunBow - have UI default to not reopening the same windows upon reboot (make it forget)
Dave - Wouldn't know how to do that? and like I say it DOESN'T happen every boot. IT IS INTERMITTENT. It's not related to anything that's happening when the PC shuts down.
I can shut down everything one by one and the last IE window might be my full size normal home page, but then I can re-boot and there is the tiny advert.

SunBow - use task manager to kill it (and maybe see what it is)
Dave - It's not a problem of killing it! and I KNOW WHAT IT IS! (an internet explorer window) Alt+F4 will kill an internet explorer window. I can kill it, what I can't do IS STOP IT FROM BEING STARTED WHEN I BOOT!

SunBow - this can be simply a windows_internal bug, used to happen to me a lot before upgrades
Dave - Like I said I have every official windows update & security patch installed. My OS does not need any upgrades. This most probably IS a bug, but not a Microsoft one. It's been very deliberately planted to intermittently run when I boot my PC.

SunBow - try right click on its tab in taskbar and any resize options that are there.
Dave - ???? What is all this about resizing? Sorry I must have explained very badly.
I don't have a problem with its shape! I have a problem with its EXISTENCE.
I don't want it to happen at all. It's not that I don't like the color or shape of it!

SunBow - prior to shutdown, open an IE window, size it to 1/2 screen, then close it. Open IE again and see if it remembers.
Dave - SEE ABOVE.

SunBow - try looking for EventLog, or install firewall that blocks outgoing packets such as ZoneAlarm. ZA will tell you who is trying to get packets out if you configure to block them until they get your permission
Dave - I have a cable modem, which is a far better firewall than any software program.
I'm sure there is no problem with 'people trying to get packets out' of my machine!
The problem I have is that INTERMITTENTLY when I boot my PC an instance of a perfectly acceptable program called Microsoft Internet Explorer (IEXPLORE.EXE) is being started, and told to look at a web page.
I want to STOP this from happening, but I can't find out how it is happening, or where it is being started from.

_____________________________________________________________

SunBow: try task manager, or command: tasklist

Dave - When/Why/Where/To do what?
I can quite happily look at the list of processes running and see an instance of IEXPLORE.EXE
I can quite happily resize it, change its appearance, delete it, find the IP address and URL of the page it is pointing at. I can quite easily kill it.
What I can't do is find out what is starting it, and so STOP it from being started.

Dave.
0
 

Author Comment

by:DaveEE
ID: 9839614
Ooops... just realised I said:
"I have a cable modem, which is a far better firewall than any software program."
What I meant to say was:
"I have a cable router (between broadband cable modem within my TV set-top box and my PC),which is a far better firewall than any software program."

Dave.
0
 

Author Comment

by:DaveEE
ID: 9844216
OK, if nobody here has any ideas, does anyone know where else in Experts Exchange I might try posting the problem?

Tonight I re-booted and this time I got a bigger IE window with web page:
http://visit.referralware.com/39/FreeOffer.jsp
in it. I am really getting incredibly frustrated with this problem now.

Before I deleted the window I got a complete process list of what was running.
The list has Unix style Process IDs (PID) and Parent Process IDs (PPID)....
I could see the process 'IEXPLORE.EXE' and I could also see by its PID that it was started early during the boot-up process. I could also see that its PPID was no longer running, so whatever process starts this IEXPLORE.EXE running terminates once it has done so, and it does it quite early in the boot sequence, that is assuming the PIDs increment as they are created.

I'm upping the points for this problem. I REALLY AM DESPERATE FOR AN ANSWER FOLKS.

Cheers.

Dave.
0
 

Author Comment

by:DaveEE
ID: 9844274
More info from the task list....

I don't think the PIDs are in any relevant incremental order, so I don't know when the IEXPLORE.EXE is started, but what I can say for sure is that of all the 25 programs running at that time, only 2 processes have no existing Parent Process.
One is C:\WINDOWS\SYSTEM\KERNEL32.DLL
Which you would expect with it being the main OS Kernel
The other is this damned rogue IEXPLORE.EXE

Every other process *without exception* has a parent process ID which you can trace to see what it was started by.
Dave.
0
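
The parent-process check described in the post above, as an added example (not part of the original thread): it parses a process snapshot and reports processes whose parent PID is no longer running. The snapshot layout, the PID values and the `EXAMPLE AV` path are constructed for illustration.

```python
import ntpath
from typing import NamedTuple

# Constructed snapshot ("PID PPID IMAGE"); every value here is made up.
SNAPSHOT = r"""
PID       PPID      IMAGE
FFFF1A31  00000000  C:\WINDOWS\SYSTEM\KERNEL32.DLL
FFFF2B10  FFFF1A31  C:\WINDOWS\SYSTEM\MSGSRV32.EXE
FFFF3C44  FFFF2B10  C:\WINDOWS\EXPLORER.EXE
FFFF4D02  FFFF3C44  C:\WINDOWS\SYSTEM\SYSTRAY.EXE
FFFF5E90  FFFF3C44  C:\PROGRAM FILES\EXAMPLE AV\AVSCAN.EXE
FFFF6F77  FFFF9ABC  C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
"""

class Proc(NamedTuple):
    pid: str
    ppid: str
    image: str

def parse_snapshot(text):
    """Return one Proc per data row; the image path may contain spaces."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].upper() != "PID":
            procs.append(Proc(parts[0].upper(), parts[1].upper(), parts[2].strip()))
    return procs

def find_orphans(procs):
    """Processes whose PPID matches no process in the snapshot."""
    live = {p.pid for p in procs}
    return [p for p in procs if p.ppid not in live]

def unexpected_orphans(procs, expected_roots=("KERNEL32.DLL",)):
    """Orphans other than the images that are expected to have no parent."""
    roots = {r.upper() for r in expected_roots}
    return [p for p in find_orphans(procs)
            if ntpath.basename(p.image).upper() not in roots]

def ancestry(proc, procs):
    """Image names from proc up through each live parent (loop-safe)."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [ntpath.basename(proc.image)], {proc.pid}
    while proc.ppid in by_pid and proc.ppid not in seen:
        proc = by_pid[proc.ppid]
        seen.add(proc.pid)
        chain.append(ntpath.basename(proc.image))
    return chain

if __name__ == "__main__":
    procs = parse_snapshot(SNAPSHOT)
    for p in unexpected_orphans(procs):
        print(f"parent {p.ppid} is gone: {p.image}")
    print(" <- ".join(ancestry(procs[3], procs)))
```

A snapshot like this shows that a short-lived launcher existed, not what it was called; naming it needs a record taken while the launcher is still running.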
 
LVL 10

Expert Comment

by:anupnellip
ID: 9848902
y don’t u run msconfig to find out what programs r running at startup. Try disabling unknown programs. If u get these messages while u r working, then probably u r getting IP/net send spam messages which can be disabled in 98 by using 3rd party utils. Since u get it on startup i don’t think it is IP spam. Do u get it when u start your computer in safe mode?
Try spysubtract: http://www.intermute.com/spysubtract/
It is a trial ver, but it works fully. But I feel you can remove it by using msconfig.
0
 

Author Comment

by:DaveEE
ID: 9849146
Hi anupnellip.
Yes, checking what is loading at startup (using msconfig) was actually the very first thing I did.
I'm always very careful about programs that sneak into my start-up list without me putting them there, like QuickTime player & Real player.

So the first thing I did was to check what is in that list.

You said:
"Since u get it on startup i don’t think it is IP spam ."

Not sure of your definition of SPAM, but mine is "unsolicited and unwanted advertising" which this most definitely is.

OK it's not email spam, but it IS spam nevertheless.

The idea of going through the startup list and removing programs one by one is a good one, even though I know EVERY item there, and I know that the items there now have all been there for a long time and not caused this problem before, ***BUT*** and I think people are forgetting this fact, the problem doesn't happen EVERY time I boot.
I might boot 6 times & the PC boots perfectly normally, then the 7th I get the internet window pointing to a web page where someone is trying to sell me something.
I think it has only once ever happened two boots in a row.

So because it is INTERMITTENT I wouldn't know when I remove a program from the startup list if I've cured the problem or not until I'd done probably 10 or so complete re-boots for every single change I make.

That would take forever, and I'd still not be 100% sure I'd solved the problem or which program it was that was causing the problem.

I'm not sure if this spysubtract is going to do anything different to spybot which I already have and already removes all known spyware, but I'll give it a try.

Cheers.

Dave.


0
 

Author Comment

by:DaveEE
ID: 9849319
Hi again anupnellip.
Yeah, just looked at the specifications of 'spysubtract', and there is nothing it does that isn't already done by spybot which I already have and use to its full extent.

Dave.
0
 
LVL 21

Expert Comment

by:jvuz
ID: 9849345
This is an interesting site:

http://www.spychecker.com/
0
 
LVL 10

Assisted Solution

by:anupnellip
anupnellip earned 250 total points
ID: 9849489
ok Dave
- so it is not a startup program!
- It is not IP spam as u get it only on startup (IP spam are messages sent to you through the internet using your IP address, not through e-mails. I don't think a spammer knows when you r rebooting your m/c)
- It is not a Spyware as u have already got a good anti-spyware & pop-up blocker (I presume it is good) and you don't want to try anything new.
- I am also sure you have the latest anti-virus update and your m/c is not infected.
- You have the latest IE patch.
- you do regular cleanup of cookies and cache

Well that brings us to the end of the road as far as I am concerned. I would love to know how you solved this problem.

all the best

0
 

Author Comment

by:DaveEE
ID: 9849620
Weird isn't it!
Actually I still think it most likely could still be a start up program....
I guess what I was hoping to find out here is a better and foolproof way of determining the exact process which initiates the IEXPLORE.EXE during boot other than trial and error (because of the intermittent factor) with removing start-up programs.

Seems there isn't one....

Does anyone know how I get my system to create a detailed bootlog EVERY time I boot?
And would this bootlog show me exactly which process is doing what on boot up?

I managed to create a bootlog.txt by starting the system 'manually' and answering 'Y' to every single start up procedure, this took ages, and did create a log, but on this particular boot, the problem didn't happen!

What I need is a log that is created on a normal boot.

As soon as I see the rogue internet explorer window, then I could interrogate the log to see what started it.

Anyone know if this is possible?

BTW anupnellip, your other assumptions were/are correct about virus protection and latest patches etc.

I am pretty well informed about general PC protection and basic usage and maintenance and I only come here to experts exchange when I've exhausted all the obvious routes open to me.

It's not that "I don't want to try anything new" I just know that the particular product you mentioned does the same things as a product I already use.

My machine is almost as busy when I'm asleep as during the day when I'm using it, as I run all sorts of housekeeping processes every night, including a complete virus scan of every single file on my PC's, plus a complete scan for all spyware, plus removal of unnecessary temporary internet files, cookies, cache etc.

I think my next line of attack will be to see which of the programs I run at startup have been upgraded or updated recently, as I'm fairly certain the ones I'm starting now are ones I've started for a long long time and haven't caused the problem before, but I also am convinced something in the startup is responsible for this rogue IEXPLORE.EXE

I will let you know if/when I find the solution!

Cheers.

Dave.

0
 
LVL 1

Expert Comment

by:tatoon
ID: 9857920
I don't have a solution to your problem, it's really weird.
But to create the bootlog, I don't know how you did it, but it's created automatically by windows at startup, it doesn't need hours.
Restart Windows. Press the Ctrl key as your computer starts up, holding it until the Boot Menu appears and choose option 2, to create a boot log. So the next time you restart you will have a bootlog.txt in C:

You can try this freeware util, Bootlog analyser: http://www.vision4.dial.pipex.com/   I've never used it, but it should work fine for what you do, maybe it's better than the bootlog.txt option.

For what you say about the pop up window, I think you will find a line such as: "iexplore http://....." , but the real problem I think it's likely to exist a .com or .exe (or some other executable extension) small program that randomly decides every startup whether to annoy you or not and to which page to connect every time, so if you can find in the log file the line that calls to "iexplore", the "virus/trojan/..." should be executed right before that or a few lines before.

Good luck!
0
 

Accepted Solution

by:
scnrfrq earned 250 total points
ID: 10139250
I had this exact problem, and determined it was Netturbo causing it. I uninstalled it and solved the problem.
0
 

Author Comment

by:DaveEE
ID: 10139909
Hi, Yes Sorry, I should have come back here and closed this problem as I did eventually discover it was netturbo. It didn't help that when I contacted them & directly asked them, they lied and said it definitely wasn't their software.
Now I know it IS, and I'm actually quite infuriated that there doesn't seem to be any course of action I can take against them.
None of the advertising for the netturbo product mentions that when it boots it will start internet explorer windows with unsolicited content.
This is blatant spamming, and should be illegal, or at least there should be an optional switch to turn it off.

The other thing that pisses me off is that netturbo is a pretty good program, and it does improve my network throughput/speed. I paid good money for it, and I don't expect to buy spamming.

Anyway I'll award half the points to anupnellip (who put in a lot of effort and was onto the answer too) and scnrfrq (who hit the nail on the head)

Cheers...

Dave.
0
 
LVL 10

Expert Comment

by:anupnellip
ID: 10139918
thanks DaveEE :-)
0
 

Expert Comment

by:scnrfrq
ID: 10139935
Yes, thank you DavEE!
0
