Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.PopAdStop

Adware.PopAdStop

Updated:
February 13, 2007
Risk Impact:
High
File Names:
popadstop.exe,ginstall.exe
Systems Affected:
Windows

Behavior


Adware.PopAdStop is a program that claims to block advertisements sent using Microsoft's net.exe messaging utility. It will scan for computers on the network and attempt to send them advertisements using the Net Send command.

Symptoms


The files are detected as Adware.PopAdStop on the system.

Behavior


This adware must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version December 05, 2003
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date December 10, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Adware.PopAdStop is executed, it performs the following actions:
  1. Copies the file, %Windir%\GPinstall.exe.


    Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  2. Adds the value:

    "PopAdStop"="<install path>\popadstop.exe s"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  3. Obtains the local IP address, A.B.C.D, where A.B.C.D is the current computer's IP address.

  4. Scans for computers on the 255.255.255.0 subnet.

  5. Uses Microsoft's net.exe utility to send Net Send messages to all the computers it finds. The message says that the computer receiving the message is vulnerable to Net Send advertisements and suggests buying the program to stop such ads.

  6. Randomly changes the C value in the IP address mentioned in step 3, and then repeats steps 4-5.




The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Run a full system scan and delete all the files detected as Adware.PopAdStop.
  3. Delete the value that was added to the registry.
  4. Remove the remaining files installed by the adware.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Scanning for and deleting the files
  1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
  2. Run a full system scan.
  3. If any files are detected as Adware.PopAdStop, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file names. Then use Windows Explorer to locate and delete the file.

3. Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "PopAdStop"="<install path>\popadstop.exe s"

  5. Exit the Registry Editor.


4. Removing the remaining files that the adware installed
Open Windows Explorer and delete the C:\Program Files\PopAdStop folder and the %Windir%\GPinstall.exe file.