Full Disclosure mailing list archives

Re: Careless User = New Popup Issue


From: James Tucker <jftucker () gmail com>
Date: Fri, 17 Sep 2004 03:55:30 +0100

On Thu, 16 Sep 2004 18:52:49 -0400, James Patterson Wicks
<pwicks () oxygen com> wrote:
> One of our users went to a vacation web site and decided to download a
> "new" video viewer to look at the beach.  She immediately started

Administrator rights?

> getting pop-up ads.  The user knew that this download caused the issue,

As they always do with "free" stuff that users love.

> but she did not tell the help desk about it for two weeks.

She knew she had fiddled.

> The user has a Windows XP Pro system using IE 6.0.2.

Almost a given; man pages don't make sense to people of such expertise.

> When the popup became unbearable, the help desk was eventually called.
> The help desk team did the usual stuff to try to eliminate the popups:
> - Made sure all of the latest patches were installed (Service Pack 2 has
> not been approved for the enterprise yet, so it was the only patch not
> installed).
> - Ran anti-virus scan with latest definitions
> - Ran Ad-Aware and Spybot

In safe mode (command prompt, no explorer extensions) perhaps? Or
could something have been protecting itself?

> - Cleaned out the object in IE
> - Removed all strange entries in the RUN folder of the registry
> - Ran MSCONFIG and removed unknown entries from the Startup folder
> - Looked in task manager and identified all running applications

What about "tasklist /m" to check the modules loaded too?

> - Looked through the history to find the site but the history had been
> erased by the user
>
> Everything looked clean, but the popups kept coming.  I was called in

Disabled 3rd party browser extensions?

> since the senior desktop support dude was out sick. I noticed that there
> was a brief period between browser activation and when the popup
> appeared.  I looked at the network connections and noticed connections
> to 'akamaitechnologies.com'.  Tried to look up 'akamaitechnologies.com'
> and encountered the message "IP Address 216.21.228.13 - Maximum Daily
> connection limit reached.  Lookup refused."
>
> I created a host entry to send 'akamaitechnologies.com' traffic to
> 127.0.0.1 and it stopped the popups.  That seemed strange since creating
> the same sort of records for companies like 'adclick.com' usually
> results in a popup with a "Cannot find server or DNS Error" message in
> the popup window.

Makes me suspect it is launched by an application which fails a DNS
lookup first, and in failing does not open the browser.

> I finished the host entry around 5:00, so I typed up a report and sent
> it to senior desktop dude to finish up in the morning.  I recommended
> that he remove the host entry and run a Regmon and Filemon to find the
> application(s) creating the popups.

sfc /scannow should maybe be added to the tasklist.

> Has anyone encountered this type of problem?  Don't know if it's new,
> but I have never encountered it before.  I understand that since the
> user voluntarily installed the application, finding the exact
> application might be a tedious process.  Thanks in advance.

Yes, typically the systems are recovered by using your anti-spyware
and anti-virus tools in safe mode command prompt, where no explorer
modules are loaded. Better yet would be a PE bootdisk. I would
recommend running a chkdsk on each drive afterwards too; it is likely
to find errors.
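As an added illustration of the "tasklist /m" and Run-key checks suggested in this reply (not code from the thread or either poster), the script below filters loaded modules down to those outside the Windows and Program Files trees and dumps the autostart entries. It assumes a current PowerShell, so a machine newer than the XP box discussed, and an elevated session so that process module lists are readable.

```powershell
# Added triage helper, not from the thread. Lists modules loaded by running
# processes from outside the Windows and Program Files trees, with their
# Authenticode status, then dumps the Run/RunOnce autostart entries, so an
# unexpected popup launcher stands out instead of hiding in "tasklist /m" noise.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($t in $trusted) {
        if ($Path.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# 1. Loaded modules outside the trusted trees (the "tasklist /m" check).
$suspects = Get-Process | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { return }   # protected process: skip it
    foreach ($m in $mods) {
        if ($m.FileName -and -not (Test-TrustedPath $m.FileName)) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Module  = $m.FileName
                Signed  = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
            }
        }
    }
}
$suspects | Sort-Object Module, Process -Unique | Format-Table -AutoSize

# 2. Autostart entries the help desk checked by hand, for both hives.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "{0}  {1} = {2}" -f $key, $_.Name, $_.Value }
}
```

A module from a user-writable directory with a NotSigned status is the kind of entry to hand to Regmon/Filemon (or Process Monitor today) for the next step.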

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html