Thanks to all who are reading this. I believe that I have become the victim of some sort of malware or advertising trojan. Here is what's going on:
Every now and then, when I open a new Explorer window or close Explorer, a group of 6-8 ad windows pop up, all in one big group, spawning at once. They are usually the "download 15600 smilies" or "RATE YOUR FAVORITE CELEB" or "MY PC ANYWARE!!!" type of ads. I did some research/exploration on this, and noticed my notepad was replaced by a small .exe file that seemed to do 'nothing' when opened. I also noticed over.exe and winpup.exe were in my Program Files folder. Assuming these files all had something to do with it, I removed winpup.exe and over.exe, and replaced the faulty notepad.exe with a legitimate one from a previous Windows install. I also ran HijackThis and fixed everything I didn't recognize. I also ran Spybot Search & Destroy AND Ad-aware 6.0, and repaired everything that was found. Over.exe was no longer one of the running processes, so I had assumed I had fixed this. I was wrong. The popups still come, in the same manner, in large groups, when I close or open Explorer. I am at a total loss; I thought I fixed this, but it is a persistent malicious piece of adware and I need help.
Below is the most recent HijackThis log:
--- Begin log ---
Logfile of HijackThis v1.97.7
Scan saved at 7:16:16 PM, on 1/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\AIM95\aim.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Handheld\HOTSYNC.exe
C:\Program Files\Sony Handheld\USBSwt.exe
C:\WINDOWS\System32\mviewd.exe
C:\WINDOWS\System32\osxd.exe
C:\WINDOWS\System32\owfaxuiw.exe
C:\WINDOWS\System32\ngfiltp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitPim\bitpim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris Koenig\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\Chris Koenig\Application Data\iefeatsl\msiesh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mviewd] C:\WINDOWS\System32\mviewd.exe
O4 - HKLM\..\Run: [osxd] C:\WINDOWS\System32\osxd.exe
O4 - HKLM\..\Run: [owfaxuiw] C:\WINDOWS\System32\owfaxuiw.exe
O4 - HKLM\..\Run: [ngfiltp] C:\WINDOWS\System32\ngfiltp.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\Documents and Settings\Chris Koenig\Local Settings\Temp\ins1.tmp\dlgli.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.exe
O4 - Global Startup: SonyPDA USB Switcher.lnk = C:\Program Files\Sony Handheld\USBSwt.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .viv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npviv32.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.0725347222
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

--- End Log ---
It seems that the ads are spawning from the domains undergroundlair.net and illtemperedguppies.com. Maybe some others; they spawn a bit fast, so it's hard to tell.
PLEASE, someone help me, because I am so frustrated I'm about to reformat my hard drive to remove this malware.
thanks again
-Chris

Good lord, Chris, you have enough spyware and viruses to make a man cry.
I would just go with the format and reload if I were you. With the amount of damage that has been done to the system, it would be best to just start fresh if you do not have anything important on the hard drive.
I could tell you how to clean it up, but you might have problems after it regardless.
KTTD

Is it really that bad??! WTF? How did this happen? Is it really past the point of no return? Is a fresh re-install the only option? I want a second opinion :-(
Damn internet, damn forceful advertising, I'm gonna go cry in the dark like a little emo kid....

Others might touch it, but I am not going to; not because I can't, but because there is a lot that needs to be fixed.
I'm sure you will get someone that will tell you what to fix, but if that were a client's system I would just start over.
KTTD

You could try this first:
Download Ad-aware Build 6.181 (free version) from here.
This link will tell you how to update your ref files (which you should do after installation and before each scan, because they are updated frequently). This link will tell you how to configure AAW for a full custom scan.
Post your logfile at the Lavasoft Forums.

OK, I updated Ad-aware, loaded the new ref file and re-scanned. It found 39 new objects that my old Ad-aware didn't find; however, they were all tracking cookies, and what is plaguing my system seems to be more than just a tracking cookie. Needless to say, the pop-ups are still coming. I'll try posting my Ad-aware log to the forums, as suggested. Also, can anyone tell me if there is anything suspicious in my HijackThis log I posted earlier in this thread?
Thanks....
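An added example, not posted by anyone in this thread: a small offline triage script for a HijackThis log like the one above. It pulls the target binary out of every O2 (browser helper object) and O4 (autorun) entry and out of the running-process list, then flags targets that sit in user-writable locations (Application Data, Local Settings, Temp) or directly in System32 under a name not on an allowlist. The sample lines are copied from the log above; the KNOWN_GOOD allowlist is a placeholder assumption, not a real inventory, and the location rules are heuristics rather than proof of infection.

```python
"""Triage a HijackThis log offline: extract the target binary of each O2 (BHO)
and O4 (autorun) entry plus every running process, and flag the ones that live
where legitimate vendor software rarely does."""
import re
from dataclasses import dataclass, field

# Constructed sample: a dozen lines copied from the log posted earlier in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mviewd.exe
C:\WINDOWS\System32\osxd.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\Chris Koenig\Application Data\iefeatsl\msiesh.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [mviewd] C:\WINDOWS\System32\mviewd.exe
O4 - HKLM\..\Run: [osxd] C:\WINDOWS\System32\osxd.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\Documents and Settings\Chris Koenig\Local Settings\Temp\ins1.tmp\dlgli.exe
"""

# Placeholder allowlist (assumption for this example): a real triage compares
# against a file inventory or hash set taken from a clean install of the same build.
KNOWN_GOOD = {"svchost.exe", "smss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "spoolsv.exe", "rundll32.exe", "nvcpl.dll",
              "nvsvc32.exe", "msdxm.ocx"}

# First drive-letter path ending in a loadable extension; skips loaders such as
# "RUNDLL32.exe" and trailing arguments such as ",NvStartup" or "/STARTUP".
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|ocx|cpl))", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(O\d+) - ")


@dataclass
class Finding:
    path: str
    sources: list = field(default_factory=list)   # "O2", "O4" or "process"
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Return ({lowercase path: path} of running processes, [(section, path)] for O2/O4)."""
    running, entries, in_procs = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs and re.match(r"[A-Za-z]:\\", line):
            running[line.lower()] = line
            continue
        in_procs = False
        m = ENTRY_RE.match(line)
        if m and m.group(1) in ("O2", "O4"):
            p = PATH_RE.search(line)
            if p:
                entries.append((m.group(1), p.group(1)))
    return running, entries


def location_reasons(path, known_good=KNOWN_GOOD):
    """Heuristics: user-writable location, or an unlisted file sitting directly in System32."""
    low = path.lower()
    parent, name = low.rsplit("\\", 1)
    reasons = []
    if any(tag in low for tag in ("\\application data\\", "\\local settings\\", "\\temp\\")):
        reasons.append("user-writable location")
    if parent.endswith("\\system32") and name not in known_good:
        reasons.append("unlisted file directly in System32")
    return reasons


def triage(log_text, known_good=KNOWN_GOOD):
    """One Finding per suspicious path, noting every log section that referenced it."""
    running, entries = parse_log(log_text)
    findings = {}
    candidates = entries + [("process", p) for p in running.values()]
    for source, path in candidates:
        key = path.lower()
        reasons = location_reasons(path, known_good)
        if not reasons:
            continue
        if key not in findings:
            if key in running:
                reasons.append("currently running")
            findings[key] = Finding(path, [], reasons)
        findings[key].sources.append(source)
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{'/'.join(f.sources):11} {f.path}  <- {', '.join(f.reasons)}")
```

Run against the sample it reports the two BHOs outside vendor directories, the two System32 autoruns that are also running, and the Temp-folder startup item, and stays quiet about svchost.exe, the AVG tray, the NVIDIA control panel and the Acrobat BHO. A BHO never appears in the process list because it is loaded inside iexplore.exe, which is why the script keys on location rather than on "is it running".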

I also just discovered that the pop-ups are spawning from this website: www.borderwiththedutch.net
the exact URL being called at each pop-up is:
http://www. borderwiththedutch. net/go.php
there is also a variable definition after the php extension, (such as ?I=3), probably having something to do with what or how many pop-ups are spawned.
HELP ME I'M DYING HERE

The same exact thing was happening to my PC. I read all that you did to try and correct the problem -- looks like a LOT of work!
I have a little trick that I use for occasions like these:
Go to your system folder and do a sort by date -- you may have to go into a few subfolders as well.
Look for files that were created on the day that the problem started -- I found one called "fman32s.exe" in my System32 folder. At first I couldn't move it to the Trash because the process was running. So I ended the process with the Task Manager and then dragged it to the Trash -- PROBLEM GONE!
- hope this helps
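The same trick in script form, as an added example rather than anything posted in this thread: walk a folder and its subfolders, keep only loadable files whose creation time falls inside a window around the day the popups started, newest first, and mark which of them are also present in a list of running-process paths (for instance the "Running processes" block of a HijackThis log). The fixture paths and the default System32 root are assumptions for the example; Windows reports creation time in st_ctime (st_birthtime on Python 3.12+), whereas on POSIX st_ctime is inode-change time, so the window means something slightly different there.

```python
"""List executables created inside a time window, walking subfolders, and mark
which of them match a supplied list of running-process paths."""
import os
from datetime import datetime

EXECUTABLE_EXTS = {".exe", ".dll", ".ocx", ".cpl", ".scr"}


def creation_time(st):
    """Creation timestamp where the platform exposes one, else st_ctime."""
    birth = getattr(st, "st_birthtime", None)
    return birth if birth is not None else st.st_ctime


def recent_binaries(root, start, end, exts=EXECUTABLE_EXTS):
    """(created, path) for loadable files under root created in [start, end], newest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:          # vanished or unreadable; skip, don't abort the walk
                continue
            created = creation_time(st)
            if start <= created <= end:
                hits.append((created, full))
    hits.sort(reverse=True)
    return hits


def annotate_running(hits, running_paths):
    """Append True/False to each hit: is this file one of the running processes?"""
    running = {os.path.normcase(os.path.abspath(p)) for p in running_paths}
    return [(created, path, os.path.normcase(os.path.abspath(path)) in running)
            for created, path in hits]


if __name__ == "__main__":
    import sys
    # Assumed default root; pass another folder as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\System32"
    now = datetime.now().timestamp()
    for created, path in recent_binaries(root, now - 24 * 3600, now + 1):
        print(datetime.fromtimestamp(created).isoformat(timespec="minutes"), path)
```

A file that shows up as both newly created and currently running is the candidate to kill in Task Manager before deleting, exactly the sequence described in the post; widen the window to a few days either side of the first popup, since installer timestamps are not always the day you noticed the symptom.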

