F'ing sites uploading adware



UWPoolGod
05-18-2004, 10:05 AM
There should be a law about sites uploading adware programs to your computer without your consent. I have no idea where I got one yesterday (since I didn't sign up for anything), but I showed up this morning with about 30 ad pages open. And more pop up whenever I switch sites. I have deleted whatever programs look fishy out of my computer but to no avail. Lame. Whoever invented that crap should be shot.

highsea
05-18-2004, 10:49 AM
Todd, I can help you get rid of this junk if you need me to. It can be a real PITA to clean up.

-CM

Nightstalker
05-18-2004, 11:43 AM
Lawsuits might clean it up for good, that or a new law! Hello, congress?

UWPoolGod
05-18-2004, 01:03 PM
Yeah I think it is http://www.trafficmarketplace.com crap. dumb dumb dumb. Yeah if anyone has some ideas of where these files get stored so I can get rid of them. I did the Add/Remove Programs already and don't see anything on there that I do not need.

highsea
05-18-2004, 01:31 PM
Okay, first thing you need to do is to run Spybot S&D or Adaware (either one). Choose to fix all the problems they find.

http://www.lavasoftusa.com/software/adaware

http://ct7support.com/downloads/spybot/1.3/spybotsd13.exe

Then download HijackThis.

http://www.wilderssecurity.com/attachments/hijackthis1977.zip

Run HijackThis and post the log and I will review it.

-CM

UWPoolGod
05-18-2004, 04:01 PM
You asked for it...

Logfile of HijackThis v1.97.7
Scan saved at 3:15:20 PM, on 5/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\todd.redmond\local settings\temp\u8npR4Apa.exe
C:\WINNT\system32\iexat32.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINNT\system32\pcs\pcsvc.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\todd.REDMOND\Application Data\enns.exe
C:\WINNT\system32\wtscc.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\system32\DvmmV4.exe
C:\WINNT\system32\Fia6w21X.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\TODD~1.RED\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AutoLogon] rundll32 setupapi,InstallHinfSection NoLogon.Only 128 \appl.zip\scripts\redwood\cpqsetup.inf
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [u8npR4Apa] C:\documents and settings\todd.redmond\local settings\temp\u8npR4Apa.exe
O4 - HKLM\..\Run: [2LCC6MH525LE@J] C:\WINNT\system32\Tfq1.exe
O4 - HKLM\..\Run: [t79i3nl] iexat32.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Hela] C:\Documents and Settings\todd.REDMOND\Application Data\enns.exe
O4 - HKCU\..\Run: [WAPI] C:\WINNT\system32\wtscc.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = redmond.dunkinandbush.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B809FD17-BB98-4747-B998-FE2AA6FF1D80}: NameServer = 10.0.1.2,10.0.2.2,216.99.241.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = redmond.dunkinandbush.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = redmond.dunkinandbush.com
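An added triage helper (example code, not from the thread or from HijackThis itself) that parses lines in the HijackThis log format shown above and flags the same patterns highsea's fix list singles out: Run entries living in the user's Temp or Application Data folders, bare filenames with no path, random-looking names, and an IE search setting pointed at a local file. The heuristics and the reason strings are my own assumptions; the sample lines are copied from the posted log.

```python
import re

# Constructed sample in HijackThis v1.97 log format, using lines copied from the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [u8npR4Apa] C:\documents and settings\todd.redmond\local settings\temp\u8npR4Apa.exe
O4 - HKLM\..\Run: [t79i3nl] iexat32.exe
O4 - HKCU\..\Run: [Hela] C:\Documents and Settings\todd.REDMOND\Application Data\enns.exe
"""
# O4 = registry Run entries "O4 - HKLM\..\Run: [name] command"; R0-R3 = IE start/search settings.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^R[0-3] - (?P<key>.+?) = (?P<value>.*)$')
# Locations a vendor's autorun rarely lives in, but any drive-by dropper can write to (assumed heuristic).
USER_WRITABLE = ('\\temp\\', '\\application data\\')

def looks_random(name):
    # Heuristic: two or more letter<->digit switches (u8npR4Apa, t79i3nl); vendor names rarely look like this.
    kinds = ['d' if r.isdigit() else 'a' for r in re.findall(r'[A-Za-z]+|\d+', name)]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b) >= 2

def _exe_path(cmd):
    # Executable of a Run command: the quoted path, else up to the first .exe/.dll, else the first token.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.*?\.(?:exe|dll|com|bat|scr))\b', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def triage(log):
    # Return the log lines worth a second look, each with the reasons it was flagged.
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        reasons = []
        m = O4_RE.match(line)
        if m:
            path = _exe_path(m['cmd'])
            if '\\' not in path:
                reasons.append('no path: resolved via search path, locate the file on disk')
            if any(marker in path.lower() for marker in USER_WRITABLE):
                reasons.append('runs from a user-writable Temp/profile directory')
            if looks_random(m['name']) or looks_random(path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]):
                reasons.append('random-looking name')
        else:
            m = R_RE.match(line)
            if m and m['value'].lower().startswith('file://'):
                reasons.append('IE start/search setting points at a local file')
        if reasons:
            findings.append({'line': line, 'reasons': reasons})
    return findings
```

A flag here is a prompt to look the file up, not a verdict: the ccApp entry passes every check and the enns.exe entry is caught only by where it lives.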

highsea
05-18-2004, 04:35 PM
Ok, Todd. Don't try to fix anything yet.

If you installed hijack this to a temp directory, please create a new folder to unzip the app and install it there, as we will need to run it when we are done, and it will overwrite some files.

You have a CWS variant. I will do a little research and get back to you. Hang tough. These are a bitch to kill.

-CM

UWPoolGod
05-18-2004, 04:42 PM
Well for right now I installed those two adware links you gave me and I haven't had any popups since so that is a good sign. had a bunch of "errors" be accesses when I ran the that I had fixed. There were quite a few portions of different ad programs so I got rid of them. Thanks man.

highsea
05-18-2004, 04:54 PM
Todd,
You're going to need a couple more utilities, so you might as well go ahead and download them now. Don't run any yet. We need to edit your registry first.

http://tools.zerosrealm.com/dllfix.exe

http://download.broadbandmedic.com/VbStuff/KillBox.zip

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

-CM

highsea
05-18-2004, 05:17 PM
Todd,
Let's go ahead and run the first utility dllfix.

Open it and install in folder of choice but on the root drive, C:\

1. Run start.bat and press option 1. A search will start.

'output.txt' will be created in the folder.

Copy and paste the contents of output.txt here please.

-CM

Nightstalker
05-18-2004, 09:19 PM
I like to use Webroot Spysweeper!

highsea
05-18-2004, 10:57 PM
That's nice, Nightstalker, but I doubt it will fix UWPG's computer.

These CWS variants morph to each user, usually with a randomly named, hidden .dll, that is called up on each restart.

It takes some manual detection and cleanup, and some pretty careful chasing to catch and kill the hidden .dll.

As of right now, there is no automated program that will get the morphing variety of CWS.

-CM

Cueless Joey
05-18-2004, 11:20 PM
That's why I have my computers on Deep Freeze.
I freeze the C drive and just have a logical drive to store data.
On Deep Freeze, nothing gets changed in the C drive unless I unfreeze it. All changes made while the C drive is frozen get erased, and the C drive goes back to its original settings after rebooting.

highsea
05-18-2004, 11:21 PM
Todd, there are a couple of active processes on your computer that I am not sure of. I am doing a bit of research to be sure that they are safe to kill. I should have a fix today.

It may turn out that CWS Shredder will get your variant, I am just waiting on confirmation.

Please post the output.txt from dllfix, as that will identify any hidden dll files.

-CM

highsea
05-18-2004, 11:33 PM
OK, guys, no more chit chat here, till we're done, please?

I left this thread public so everyone can see the troubleshooting steps.

If it turns into a discussion I will withdraw to PM between me and UWPG.

I will be happy to discuss it after we have fixed UWPG's computer, but not before.

-CM

highsea
05-19-2004, 01:43 AM
There is one more utility you will need.

http://homepage.ntlworld.com/dvk01uk/files/uninst.exe

Download and run this first. You need to be connected to the Internet when you do this.

Then reboot and follow this:

Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
These easily get lost in a Temp folder or get scattered all over the desktop.

Run HijackThis, tick the entries listed below and ONLY these entries (double check to make sure), then make sure all browser & email windows are closed and press Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [u8npR4Apa] C:\documents and settings\todd.redmond\local settings\temp\u8npR4Apa.exe
O4 - HKLM\..\Run: [2LCC6MH525LE@J] C:\WINNT\system32\Tfq1.exe
O4 - HKLM\..\Run: [t79i3nl] iexat32.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
O4 - HKCU\..\Run: [Hela] C:\Documents and Settings\todd.REDMOND\Application Data\enns.exe
O4 - HKCU\..\Run: [WAPI] C:\WINNT\system32\wtscc.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} (FastBid1 Class) - http://www.bxwa.com/fastbid/fastbidx1.cab
O16 - DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} (FastBid2 Class) - http://www.bxwa.com/fastbid/fastbidx2.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...abasetup144.cab

NOTE: If this isn't something that you have installed deliberately and know what it is, then fix this also:
O4 - HKLM\..\Run: [AutoLogon] rundll32 setupapi,InstallHinfSection NoLogon.Only 128 \appl.zip\scripts\redwood\cpqsetup.inf

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Then, as some of the files or folders you need to delete may be hidden, do this:
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Delete these files

C:\WINNT\system32\SearchBar.htm
C:\WINNT\system32\Tfq1.exe
C:\Documents and Settings\todd.REDMOND\Application Data\enns.exe
C:\WINNT\system32\wtscc.exe


and Delete these folders

C:\PROGRAm files\INCREDifind
C:\Program Files\ClearSearch
C:\Program Files\AutoUpdate
C:\Program Files\Common Files\Dpi
C:\WINNT\system32\pcs


then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it

then
1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

After you have done this, run Spybot and/or adaware again, clean up whatever it finds, and run Hijack This and repost the logfile. We will see what's left.

-CM~~~if you get this far, we are almost done