Login boxes pop up on loading pages

New problem has come up within the last few days.

Whenever I open ie8 and begin surfing the web, a small pop up with a
login (asking for User Name and Password) comes up.

Two of the big offenders are Facebook and New York Times.

Has anyone else noticed this kind of thing? Any ideas on how to
eliminate it?

Thank you!

Always state your full Windows version (e.g., WinXP SP3; WinXP 64-bit SP2;
Vista SP1; Vista 64-bit SP2; Win7; Win7 64-bit) as well as your IE version
when posting in an IE-specific forum or newsgroup. Please do so in your next
reply.

Do you have a multiple-tab home page and are Facebook and NYTimes two of the
tabs?

What anti-virus application or security suite is installed and is your
subscription current? What anti-spyware applications (other than Defender)?
What third-party firewall (if any)? If WinXP or Vista: Were any of these
applications running in the background when you installed IE8?

Has a(nother) Norton or McAfee application ever been installed on this
machine (e.g., a free-trial version that came preinstalled when you bought
it)?


Ol Whicker Bill wrote:
> New problem has come up within the last few days.
>
> Whenever I open ie8 and begin surfing the web, a small pop up with a
> login (asking for User Name and Password) comes up.
>
> Two of the big offenders are Facebook and New York Times.
>
> Has anyone else noticed this kind of thing? Any ideas on how to
> eliminate it?
>
> Thank you!

"Ol Whicker Bill" <ol@whicker.bill> wrote in message
news:slcfp51vpjcajs5pr0aabaf0ro0og1e23m@4ax.com...
>
> New problem has come up within the last few days.
>
> Whenever I open ie8 and begin surfing the web, a small pop up with a
> login (asking for User Name and Password) comes up.
>
> Two of the big offenders are Facebook and New York Times.
>
> Has anyone else noticed this kind of thing? Any ideas on how to
> eliminate it?
>
> Thank you!

I would recommend you scan your system for malware, it sounds like you've
managed to get something installed that is trying to intercept your login
details. Whatever you do don't put a valid login and password in that popup!

I tend to use Malwarebytes Anti-Malware and/or Spybot destroyer, and if
using both of those doesn't shift it then it's time to get a bit more
creative. I recently had to clean a system that was popping up a fake
Verified by Visa window to try to get card details, and a Lloyds TSB online
banking login injection to try to get the complete memorable information,
none of the normal tools I use found this infection and I ended up having to
use ComboFix (I would not recommend it unless you know what you're doing)
which found an infection in the boot sector which was kicking in whenever
the PC was booted and pulling down all sorts of stuff while the PC was
online.

--
Dan

On Wed, 10 Mar 2010 10:47:44 -0500, "PA Bear [MS MVP]"
<PABearMVP@gmail.com> wrote:

>Always state your full Windows version (e.g., WinXP SP3; WinXP 64-bit SP2;
>Vista SP1; Vista 64-bit SP2; Win7; Win7 64-bit) as well as your IE version
>when posting in an IE-specific forum or newsgroup. Please do so in your next
>reply.
>
Windows XP Professional Build 2600.xpsp_sp3_gdr.091208-2036 (Service
Pack 3)

IE8 8.0.6001.18702

>Do you have a multiple-tab home page and are Facebook and NYTimes two of the
>tabs?
>
No. My startup page is Dvorak's Universal home Page
http://www.dvorak.org/home.htm
>What anti-virus application or security suite is installed and is your
>subscription current? What anti-spyware applications (other than Defender)?
>What third-party firewall (if any)? If WinXP or Vista: Were any of these
>applications running in the background when you installed IE8?
(Yes = Running in Background)
Grisoft AVG 9.0.733 (Yes)
Spybot S&D 1.6.2.46 (TeaTimer Yes)
Ad-Aware 8.2.0 (Yes)
Sygate Firewall 5.6 2808 (Yes)
I have had IE8 installed for several months, now. Started with the
Beta. No prior problem.

All of these have been running for at least 2 years before (albeit,
earlier versions) without the login popup appearing.
>
>Has a(nother) Norton or McAfee application ever been installed on this
>machine (e.g., a free-trial version that came preinstalled when you bought
>it)?
>
Yes. Norton/Symantec. Downloaded the app long ago that removes it.
Again, this is a recent problem.
>
>Ol Whicker Bill wrote:
>> New problem has come up within the last few days.
>>
>> Whenever I open ie8 and begin surfing the web, a small pop up with a
>> login (asking for User Name and Password) comes up.
>>
>> Two of the big offenders are Facebook and New York Times.
>>
>> Has anyone else noticed this kind of thing? Any ideas on how to
>> eliminate it?
>>
>> Thank you!

That's certainly quite unusual behavior.

Is AVG Linkscanner, Search-Shield, Active Surf-Shield, or Security toolbar
installed?

Have Spybot or Ad-Aware "found" anything lately?


Ol Whicker Bill wrote:
> On Wed, 10 Mar 2010 10:47:44 -0500, "PA Bear [MS MVP]"
> <PABearMVP@gmail.com> wrote:
>
>> Always state your full Windows version (e.g., WinXP SP3; WinXP 64-bit
>> SP2;
>> Vista SP1; Vista 64-bit SP2; Win7; Win7 64-bit) as well as your IE
>> version
>> when posting in an IE-specific forum or newsgroup. Please do so in your
>> next reply.
>>
> Windows XP Professional Build 2600.xpsp_sp3_gdr.091208-2036 (Service
> Pack 3)
>
> IE8 8.0.6001.18702
>
>> Do you have a multiple-tab home page and are Facebook and NYTimes two of
>> the tabs?
>>
> No. My startup page is Dvorak's Universal home Page
> http://www.dvorak.org/home.htm
>> What anti-virus application or security suite is installed and is your
>> subscription current? What anti-spyware applications (other than
>> Defender)? What third-party firewall (if any)? If WinXP or Vista: Were
>> any of these applications running in the background when you installed
>> IE8?
> (Yes = Running in Background)
> Grisoft AVG 9.0.733 (Yes)
> Spybot S&D 1.6.2.46 (TeaTimer Yes)
> Ad-Aware 8.2.0 (Yes)
> Sygate Firewall 5.6 2808 (Yes)
> I have had IE8 installed for several months, now. Started with the
> Beta. No prior problem.
>
> All of these have been running for at least 2 years before (albeit,
> earlier versions) without the login popup appearing.
>>
>> Has a(nother) Norton or McAfee application ever been installed on this
>> machine (e.g., a free-trial version that came preinstalled when you
>> bought
>> it)?
>>
> Yes. Norton/Symantec. Downloaded the app long ago that removes it.
> Again, this is a recent problem.
>>
>> Ol Whicker Bill wrote:
>>> New problem has come up within the last few days.
>>>
>>> Whenever I open ie8 and begin surfing the web, a small pop up with a
>>> login (asking for User Name and Password) comes up.
>>>
>>> Two of the big offenders are Facebook and New York Times.
>>>
>>> Has anyone else noticed this kind of thing? Any ideas on how to
>>> eliminate it?
>>>
>>> Thank you!

On Wed, 10 Mar 2010 15:07:12 -0500, "PA Bear [MS MVP]"
<PABearMVP@gmail.com> wrote:

>That's certainly quite unusual behavior.
>
>Is AVG Linkscanner, Search-Shield, Active Surf-Shield, or Security toolbar
>installed?
>
LinkScanner is not enabled. I can find no record of the others.

>Have Spybot or Ad-Aware "found" anything lately?
>
No. I have downloaded Malwarebyte's Anti-Malware and am presently
running it. Will report its findings here when done.

>
>Ol Whicker Bill wrote:
>> On Wed, 10 Mar 2010 10:47:44 -0500, "PA Bear [MS MVP]"
>> <PABearMVP@gmail.com> wrote:
>>
>>> Always state your full Windows version (e.g., WinXP SP3; WinXP 64-bit
>>> SP2;
>>> Vista SP1; Vista 64-bit SP2; Win7; Win7 64-bit) as well as your IE
>>> version
>>> when posting in an IE-specific forum or newsgroup. Please do so in your
>>> next reply.
>>>
>> Windows XP Professional Build 2600.xpsp_sp3_gdr.091208-2036 (Service
>> Pack 3)
>>
>> IE8 8.0.6001.18702
>>
>>> Do you have a multiple-tab home page and are Facebook and NYTimes two of
>>> the tabs?
>>>
>> No. My startup page is Dvorak's Universal home Page
>> http://www.dvorak.org/home.htm
>>> What anti-virus application or security suite is installed and is your
>>> subscription current? What anti-spyware applications (other than
>>> Defender)? What third-party firewall (if any)? If WinXP or Vista: Were
>>> any of these applications running in the background when you installed
>>> IE8?
>> (Yes = Running in Background)
>> Grisoft AVG 9.0.733 (Yes)
>> Spybot S&D 1.6.2.46 (TeaTimer Yes)
>> Ad-Aware 8.2.0 (Yes)
>> Sygate Firewall 5.6 2808 (Yes)
>> I have had IE8 installed for several months, now. Started with the
>> Beta. No prior problem.
>>
>> All of these have been running for at least 2 years before (albeit,
>> earlier versions) without the login popup appearing.
>>>
>>> Has a(nother) Norton or McAfee application ever been installed on this
>>> machine (e.g., a free-trial version that came preinstalled when you
>>> bought
>>> it)?
>>>
>> Yes. Norton/Symantec. Downloaded the app long ago that removes it.
>> Again, this is a recent problem.
>>>
>>> Ol Whicker Bill wrote:
>>>> New problem has come up within the last few days.
>>>>
>>>> Whenever I open ie8 and begin surfing the web, a small pop up with a
>>>> login (asking for User Name and Password) comes up.
>>>>
>>>> Two of the big offenders are Facebook and New York Times.
>>>>
>>>> Has anyone else noticed this kind of thing? Any ideas on how to
>>>> eliminate it?
>>>>
>>>> Thank you!

MALWAREBYTE'S REPORT

Malwarebytes' Anti-Malware 1.44
Database version: 3849
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/10/2010 10:32:13 PM
mbam-log-2010-03-10 (22-32-10).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 391476
Time elapsed: 7 hour(s), 47 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481}
(Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7}
(Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907}
(Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127}
(Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7}
(Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da}
(Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a}
(Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8}
(Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c}
(Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab}
(Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df}
(Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action
taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\W MPlayer\Schemes\f3pss
(Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User One\Application Data\AD ON
Multimedia\eBay Shortcuts\eBayShortcuts.exe (Adware.ADON) -> No action
taken.
C:\Program Files\Netscape\Netscape Browser\plugins\NPMyWebS.dll
(Adware.MyWebSearch) -> No action taken.
C:\System Volume
Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1046\A0246206.dll
(Trojan.FakeAlert) -> No action taken.

> C:\System Volume
> Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1046\A0246206.dll
> (Trojan.FakeAlert) -> No action taken.

Note: While the above isn't a threat to your computer (unless you use System
Restore), it's a pretty good indication that there's more Bad Guys still on
your computer! That being said...

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/de...prid=7552&st=1

Also available via the Consumer Security Support home page:
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/ma...e/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7=> Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here. DO NOT SKIP THIS STEP!!

Checking for/Help with Hijackware:
.. http://mvps.org/winhelp2002/unwanted.htm
.. http://inetexplorer.mvps.org/tshoot.html
.. http://www.mvps.org/sramesh2k/Malware_Defence.htm
.. http://www.elephantboycomputers.com/...moving_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachi...php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.


Ol Whicker Bill wrote:
> MALWAREBYTE'S REPORT
>
> Malwarebytes' Anti-Malware 1.44
> Database version: 3849
> Windows 5.1.2600 Service Pack 3
> Internet Explorer 8.0.6001.18702
>
> 3/10/2010 10:32:13 PM
> mbam-log-2010-03-10 (22-32-10).txt
>
> Scan type: Full Scan (C:\|D:\|)
> Objects scanned: 391476
> Time elapsed: 7 hour(s), 47 minute(s), 56 second(s)
>
> Memory Processes Infected: 0
> Memory Modules Infected: 0
> Registry Keys Infected: 13
> Registry Values Infected: 0
> Registry Data Items Infected: 0
> Folders Infected: 0
> Files Infected: 3
>
> Memory Processes Infected:
> (No malicious items detected)
>
> Memory Modules Infected:
> (No malicious items detected)
>
> Registry Keys Infected:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
> Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481}
> (Adware.MyWebSearch) -> No action taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
> Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7}
> (Adware.MyWebSearch) -> No action taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
> Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907}
> (Adware.MyWebSearch) -> No action taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
> Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127}
> (Adware.MyWebSearch) -> No action taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
> Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7}
> (Adware.MyWebSearch) -> No action taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
> Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da}
> (Adware.MyWebSearch) -> No action taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a}
> (Adware.MyWebSearch) -> No action taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8}
> (Adware.MyWebSearch) -> No action taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c}
> (Adware.MyWebSearch) -> No action taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab}
> (Adware.MyWebSearch) -> No action taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df}
> (Adware.MyWebSearch) -> No action taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
> Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action
> taken.
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\W MPlayer\Schemes\f3pss
> (Adware.MyWebSearch) -> No action taken.
>
> Registry Values Infected:
> (No malicious items detected)
>
> Registry Data Items Infected:
> (No malicious items detected)
>
> Folders Infected:
> (No malicious items detected)
>
> Files Infected:
> C:\Documents and Settings\User One\Application Data\AD ON
> Multimedia\eBay Shortcuts\eBayShortcuts.exe (Adware.ADON) -> No action
> taken.
> C:\Program Files\Netscape\Netscape Browser\plugins\NPMyWebS.dll
> (Adware.MyWebSearch) -> No action taken.
> C:\System Volume
> Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1046\A0246206.dll
> (Trojan.FakeAlert) -> No action taken.

Thanks. I'm on my way.