Irritating adware problem

Discussion in 'TechTalk' started by LegalAlien, Oct 19, 2004.

  1. LegalAlien

    LegalAlien Perch

    I have a problem I've not encountered before and can't find a solution. I'm hoping someone out there can help...

There is some irritating program on my system that opens pop-up browser ads at random intervals. These ads are not being initiated from websites. For example, I have my homepage set to about:blank. When I open Internet Explorer, I'll get a popup. Then, it seems that every so many clicks the same happens. I also know it's not the websites since it happens when I browse my own websites...

I run the Microsoft-recommended Ad-Aware and also Spybot Search & Destroy. Neither seems to be able to fix this problem...

    Any ideas?
  2. yogesh

    yogesh Perch

I think that page is named "about.htm". Anyway, search for these links in the registry and delete them; maybe this will solve your problem.
This happens due to worms.

Thanks
  3. devorem

    devorem Perch

  4. Good Oyster

    Good Oyster Perch

    Yes, devorem is right. Use HijackThis. It will show you all the suspicious registry entries. The only trick is that YOU have to know which ones need to be removed. It will show all BHOs (browser helper objects) such as Yahoo or Google toolbars, download managers, iTunes, etc.

    If you run HijackThis and are not sure what to delete, post a copy of the results here and maybe we can help you. There are also several forums that specialize in helping with it.

    I just got done removing the same kind of pop-ups from my daughter's computer a couple of days ago. Somewhere along the line something you think is harmless gets downloaded and it installs this browser-hijacking crap. The folks who build this kind of software should be tortured publicly in the worst way imaginable. They should be sentenced to life with only a 386 computer, 14K modem, and AOL. And no local access number. But that's just my opinion.

    Gary
  5. LegalAlien

    LegalAlien Perch

    Thanks guys - I'm going to give this a shot.
  6. davef139

    davef139 Guppy

If you just post your HijackThis log I can probably tell you what's ad/spyware crap.
  7. LegalAlien

    LegalAlien Perch

I ran HijackThis and deleted the ones I could definitely identify as rogue - it seems to have cured my problem... for now! Thanks guys! If it comes back, I'll definitely post the results...
  8. Stephen

    Stephen US Operations Staff Member

Just one other tip: Yahoo Toolbar now has "Yahoo Anti-Spy", which is PestPatrol. It finds a LOT of items and in my experience removes better than Ad-Aware and Spybot; however, using all 3 is my recommendation.

Oh, but the Yahoo one seems to dig deeper in the registry to remove root problems.
  9. LegalAlien

    LegalAlien Perch

I'm a bit sceptical about these add-on toolbars... I wouldn't be surprised if they had their own little spyware programs included... whatcha think?
  10. bambam1469

    bambam1469 Perch

Another thing to consider: if you are using Windows XP or a later OS, you may want to kill the System Restore function while cleaning the system off. Otherwise it will cause all removed files to be restored at next reboot if it thinks they are system files.
  11. Stephen

    Stephen US Operations Staff Member

As far as toolbars go, I only trust the Google or Yahoo ones, or the Firefox ones since they are open source and I can see what they do. Of others I am very, VERY skeptical.
  12. enuf_alrdy

    enuf_alrdy Guppy

I have the same adware problem that LegalAlien had experienced, and (as recommended) ran HijackThis in an effort to eradicate this evil little program. However, I'm not quite as savvy as LegalAlien in identifying what appears to me as a needle in a haystack. Could someone please review my output and help me to identify what (all) needs to go?
    Thanks!

    Attached Files:

  13. LegalAlien

    LegalAlien Perch

Not that I don't trust you, but could you please paste the contents of that output file?
  14. enuf_alrdy

    enuf_alrdy Guppy

    I totally understand... here it is:
    Logfile of HijackThis v1.99.0
    Scan saved at 9:06:42 PM, on 1/15/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\ScsiAccess.EXE
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINNT\System32\PD6000SM.EXE
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
    C:\Documents and Settings\Administrator\Application Data\sits.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Sygate\SPF\Smc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\My Documents\My Downloads\hijackthis\HijackThis.exe
    C:\WINNT\system32\?ttrib.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: MyQuickSearch Search Assistant BHO - {04011C11-2F3B-44ed-977C-270CA669C6B2} - C:\Program Files\MyQuickSearch\SrchAstt\1.bin\MQSSRCAS.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {9E741062-A2A5-A129-D13F-8A4D82D372C6} - C:\WINNT\system32\nlnbb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\Program Files\AIM Toolbar\aimhelper.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: My &Quick Search - {0E677229-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINNT\System32\PD6000SM.EXE
    O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [Sper] C:\Documents and Settings\Administrator\Application Data\sits.exe
    O4 - HKCU\..\Run: [Exzbdt] C:\WINNT\system32\?ttrib.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://play.hoylegames.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    O23 - Service: ScsiAccess - Unknown - C:\WINNT\System32\ScsiAccess.EXE
    O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
  15. SubSpace

    SubSpace Bass

    OMG ph34r the l33t textfile virus? :p
  16. devorem

    devorem Perch

    I can fix this. I charge $45/hr. :D
  17. LegalAlien

    LegalAlien Perch

That's not very nice ;) Hmm - apparently I'm not as savvy as you thought, 'enuf'.

    I would probably hazard a guess or two and fix it, but I'm not going to speculate and mess up your machine further. Maybe you should take devorem up on his offer?
  18. enuf_alrdy

    enuf_alrdy Guppy

Well, maybe I'll just back everything up that I care about, and start tinkering. Worst case is that I jack the whole thing up and am forced to re-format and start over. Sometimes a reset is good. In fact, you could just look at my HijackThis output and see all of the crap that has accumulated on my system. And if I'm able to fix it... then I could offer to fix some other person's system for $45/hr. :]
    Thanks for the input, and devorem, I haven't totally ruled out your offer yet...
  19. Stephen

    Stephen US Operations Staff Member

    sits.exe is a major problem, nothing needs to run out of that folder.

Go to My Computer; first make sure your My Computer is set to show hidden files (Tools, Options if I am not mistaken) (oh, and while you are there set it to show file extensions for known file types).

    Then click your address bar and paste this in:
    C:\Documents and Settings\Administrator\Application Data\

Find the sits.exe and rename it sits.exebad.

Use HijackThis to remove it from your auto startup and reboot. That will fix a lot of your problem right there; nothing legit runs in that folder, NOTHING.

    (I have removed over 170k spyware infections in the last 10 weeks or so, some PCs with 2000+ infections, I became a pro at manual removal since even the best anti-spyware apps didn't get them)

I am trying to work with Webroot software now because I found a site hosting many spyware apps that auto downloaders would download and install. I am hoping Webroot will work to stop all of these malicious spyware apps.

They are a bigger concern to me than the worst of viruses. I have seen numerous spyware apps that are keyloggers and log your KB input to send to ad agencies. These companies are already using unethical means to advertise; what will prevent them from using info you type against you?

    Edit: And for the curious, that was prior to the new year, and at an educational institution. Just to clarify :)
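The rules of thumb the thread converges on (an executable autostarting from a user's Application Data folder, a "(no name)" BHO loading from outside Program Files, a "(file missing)" orphan, a service with an "Unknown" vendor, and the "?" that HijackThis prints in place of a character it cannot render, as in the ?ttrib.exe entry) can be applied mechanically before anyone hand-picks lines to delete. The script below is an added example, not part of the thread and not code from HijackThis or any of the posters. It parses the O2/O3, O4 and O23 line formats of a HijackThis v1.99 log, flags entries with a stated reason, and turns flagged O4 entries into the registry value to remove and the rename Stephen describes (sits.exe to sits.exebad). The regular expressions, the heuristics and the reading of "?" as a look-alike disguise are my own assumptions; the sample lines are copied from enuf_alrdy's log above and are labelled as such.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis v1.99 log posted in
# this thread (O2 = browser helper objects, O4 = autostart entries,
# O23 = services). Raw string so the backslashes stay literal.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9E741062-A2A5-A129-D13F-8A4D82D372C6} - C:\WINNT\system32\nlnbb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\Program Files\AIM Toolbar\aimhelper.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Sper] C:\Documents and Settings\Administrator\Application Data\sits.exe
O4 - HKCU\..\Run: [Exzbdt] C:\WINNT\system32\?ttrib.exe
O23 - Service: ScsiAccess - Unknown - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Line formats as I read them from the posted log (assumption, not a spec).
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# First token of an O4 command line: optionally quoted, ends in an executable extension.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|dll))(?:"|\s|$)', re.IGNORECASE)

# HijackThis O4 "HKCU\..\Run" is shorthand for this key under the hive.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Entry:
    section: str          # "O2", "O4", "O23", ...
    name: str             # BHO name, Run value name, or service name
    path: str             # file the entry loads (command-line args stripped for O4)
    raw: str
    hive: str = ""        # O4 only
    vendor: str = ""      # O23 only
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Parse the O2/O3, O4 and O23 lines of a HijackThis log into Entry objects."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, rest = m["sec"], m["rest"]
        if sec in ("O2", "O3") and (b := BHO_RE.match(rest)):
            entries.append(Entry(sec, b["name"], b["path"], raw))
        elif sec == "O4" and (r := RUN_RE.match(rest)):
            x = EXE_RE.match(r["cmd"])
            entries.append(Entry(sec, r["name"], x["exe"] if x else r["cmd"], raw, hive=r["hive"]))
        elif sec == "O23" and (s := SVC_RE.match(rest)):
            entries.append(Entry(sec, s["name"], s["path"], raw, vendor=s["vendor"]))
    return entries


def triage(entries):
    """Attach a reason to every entry that matches one of the thread's rules of thumb.
    Returns only the flagged entries; a flag is a prompt to investigate, not a verdict."""
    flagged = []
    for e in entries:
        p = e.path.lower()
        if "?" in e.path:
            # Assumption: HijackThis prints '?' for a character it cannot render,
            # which is how a file masquerading as attrib.exe ends up as ?ttrib.exe.
            e.reasons.append("unrenderable character in file name; likely look-alike of a system tool")
        if "\\documents and settings\\" in p and "\\application data\\" in p:
            e.reasons.append("executable autostarting from a user's Application Data folder")
        if e.section in ("O2", "O3") and e.name == "(no name)":
            e.reasons.append("unnamed BHO/toolbar; identify the DLL's vendor (Spybot's SDHelper.dll is a benign one)")
            if "\\program files\\" not in p:
                e.reasons.append("unnamed BHO loading from outside Program Files")
        if p.endswith("(file missing)"):
            e.reasons.append("orphaned entry, target file is gone; safe to remove")
        if e.section == "O23" and e.vendor == "Unknown":
            e.reasons.append("service with no recognised vendor string; identify before touching")
        if e.reasons:
            flagged.append(e)
    return flagged


def remediation_plan(flagged):
    """For flagged autostart entries: the registry value HijackThis would delete and
    the rename-instead-of-delete step from the thread, so nothing is removed blind."""
    plan = []
    for e in flagged:
        if e.section == "O4" and e.hive:
            plan.append({"registry_value": f"{e.hive}\\{RUN_KEY}\\{e.name}",
                         "file": e.path, "rename_to": e.path + "bad"})
    return plan


if __name__ == "__main__":
    flagged = triage(parse_log(SAMPLE_LOG))
    for e in flagged:
        print(e.raw.strip())
        for r in e.reasons:
            print("    ->", r)
    for step in remediation_plan(flagged):
        print("delete", step["registry_value"], "| rename", step["file"], "->", step["rename_to"])
```

Note that SDHelper.dll is flagged by the "(no name)" rule alone, exactly the trap Gary warns about: the script narrows the haystack, but the decision to remove still needs a human who recognises the vendor. Disable System Restore first, as bambam1469 suggests, or the renamed files may come back on reboot.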
  20. enuf_alrdy

    enuf_alrdy Guppy

    Wow! Thanks for the heads-up Stephen. I actually always have my systems configured so that I can see both hidden files and extensions but I still couldn't see sits.exe. However, your suggestion caused me to look at other possible viewing options, and I spotted the option to disable hiding protected operating system files. With this option, I not only was able to see sits.exe but also imsu.exe, which is something Sygate has been blocking for me. I think imsu.exe is related to that evil clickspring spyware. I kept going to this directory path with hidden files enabled but could never spot it. Thanks again.
