Adware

Re: Adware Posted by Sim on Mon Jun 21st 2004 at 2:18pm
Long time since I've been here. Slowly been moving away from HL, but I could use some help with adware.

I have the AVG monitor thingy running in the background, and yesterday while browsing The Underdogs (henceforth HOTU) it popped up a message saying that I'd downloaded a trojan installer and told me to run the scanner. I ran it and it picked up two similar .exe files. I'm not sure if they've run or not, I don't remember downloading anything like that, the only way I can think of it downloading through my actions is if I accidentally clicked Yes on the "Do you want to download and run..." box which pops up a lot at HOTU. I followed the path and found the files in C:\Documents and Settings\[username]\Local Settings\Temp and another one in a folder inside it. Both files were deleted, and while I was at it I also saw an executable called adware_installer or something similar. I deleted it (past the recycle bin). That was yesterday, and now I've found that ads keep popping up when I go to sites. I've checked other sites too and it isn't a coincidence, there must be some adware running on my PC. I've updated and run Ad-Aware, Spybot and AVG, but the only thing that turned up were a few tracking cookies in Ad-Aware. I can't see anything suspicious in Add/Remove programs, but I have a lot of programs and some I don't know the use of. While I was typing I've had several pop-ups and I recognise at least one from HOTU, but I'm not sure if they came from there. In the HOTU news page there has recently been mention of them removing self-installing ads, which could be where they are coming from. But still, surely one of the scanners would have picked up something if (assuming they are from HOTU) they are quite old? I've tried closing all browser windows and restarting, so it can't be a Javascript loop running. I'm confused about how I haven't had any adware up until yesterday, when I deleted the installer. Surely nothing would happen from deleting the installer though, unless it's some strange program that installs itself but only activates when you delete the installer.
I'm really stuck now, but if anyone has a program I can use or something to try I'd be grateful.
Re: Adware Posted by Loco on Mon Jun 21st 2004 at 2:22pm
Only thing I can think of is running msconfig and unchecking anything suspicious. I've had to do this on several machines because of people on games sites! Then, if you're on XP, run the task manager and stop any processes that look suspect.
Re: Adware Posted by $loth on Mon Jun 21st 2004 at 2:26pm
Download Ad-Aware from http://www.download.com/Ad-aware/3000-8022-10214379.html?tag=lst-0-2 and run that, but after it has found all the adware and has quarantined it, make sure to delete it from the quarantine folder.
Re: Adware Posted by Sim on Mon Jun 21st 2004 at 2:41pm
Sloth - I think I mentioned I've run Ad-Aware, but thanks for the advice.

Loco - I've looked in the task manager but I can't find anything suspect, here are the programs I am unsure of:

JAVAW.EXE (SYSTEM)
HJAVAW.EXE (SYSTEM)
NVSVC32.EXE (SYSTEM)
jconfigNT.exe (SYSTEM)
INETD32.EXE (SYSTEM)
Ctsvccda.exe (SYSTEM)
OffMan.exe (USER)
CTFMON.EXE (USER)
realsched.exe (USER)
SPOOLSV.EXE (SYSTEM)
LSASS.EXE (SYSTEM)
SERVICES.EXE (SYSTEM)
CSRSS.EXE (SYSTEM)
SMSS.EXE (SYSTEM)

What's the stuff in the Services tab of msconfig? And also will my computer run fine if I untick something from Services or Startup?
Re: Adware Posted by Gwil on Mon Jun 21st 2004 at 2:44pm
http://vil.nai.com/vil/stinger/ - useful utility for clearing some of the more common trojans/the lsass/svchost worms

nvsvc32 is a nvidia app i believe.. there is a website somewhere with a list of processes/programs you can/cant trust on xp..

let me go dig it up for you
Re: Adware Posted by Gwil on Mon Jun 21st 2004 at 2:53pm
free antivirus with updates
http://www.grisoft.com/html/us_downl.htm?session=6858ed7ef791b041a34337ad204c6659

also www.lavasoft.de < adware removal tool

also http://lockdowncorp.com/bots/downloadswatit.html < trojan removal tool

still looking for the xp processes list, don't delete any of those files - i can guarantee some are essential
Re: Adware Posted by Gwil on Mon Jun 21st 2004 at 2:57pm
Reply #3 :razz:

Bring up your task manager and check if there's more than one instance of "svchost" running, or "svohost" as well - also, which OS are you using?
Re: Adware Posted by G.Ballblue on Mon Jun 21st 2004 at 2:57pm
ARGh. My dad knows a website that lists what start up programs are harmful or not (like spy ware, or even non spy ware crap that windows automatically loads up).

Until my dad gets home, I can't give you the url... Sorry.

Two tips though: Do a search, found in your start button in windows, and search for Zupiter. If you have zupiter then well... I see a re installation of windows in order. No kidding. Zupiter is the king of all spy ware. I'm saying that if you remove zupiter too fast from your hard drive without checking what programs it has "latched on to", you can screwch a program, be it a game, or browser, or even a critical program windows needs.

I didn't see this next one in your task bar, so it looks like you're all set for the next one :smile: Look for LoadQM. It's not spyware, it's part of the "useless crap that windows automatically loads up". All's I heard of it is that it tries to "arrange" things in your browser for easy usage, but all it really does is eat up resources.

One more thing: Did you purposely capitalize those process names? Don't do that. Some spyware programs try to fool you by using a name that looks almost identical to the actual program.

Perfect example: What I have: SVChost

The spyware could go by: SVCh0st

Don't worry if you have like 4 or 5 of that program running at once... It does that to me... quite often.... (NO, I don't think those are the spyware versions :smile:)

Unticking things from startup....No... You could have trouble if you untick the wrong thing. Generally, "friendly" programs are ones that will cause you trouble if you untick them. Most of them are essential to windows running. Keyword: MOST. There are some that if you untick, or delete, nothing happens :smile:

Spyware are ones that if you untick, they will try to turn themselves back on. Sometimes. If you delete them from your hard drive these things could happen:
  • The spyware goes away, no harm done to your computer
  • The spyware deletes, but next time you go onto a specific website (website that contains this spyware), it tries to install itself again (defeats the purpose).
  • In a worse case scenario, the spyware deletes, AND deletes a program that you use frequently, such as a game. It doesn't delete the program, but it damages a critical file that the program needs.
My dad knows more about this than I do... I think. I'll ask him about it when he gets home :biggrin:

I hope most of this information is accurate and helpful :grenade:

Yippiy Ki Yay!
Re: Adware Posted by Gwil on Mon Jun 21st 2004 at 3:10pm
Guide to running tasks, and whats safe/not safe

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
Re: Adware Posted by Orpheus on Mon Jun 21st 2004 at 3:10pm
too much to read, so i will post and hope it helps:

if a spyware program is in use at the time you are attempting to remove it, the program will/might fail to do so..

i suggest, if you can to allow adaware to run at the next bootup..

also i recommend you run msconfig, and disable everything non-essential..

lastly, if adaware is proving ineffective, uninstall it and run spybot..

i prefer spybot, cause adaware sometimes confuses a real program for a spy one :sad:
Re: Adware Posted by Sim on Mon Jun 21st 2004 at 3:34pm
I have 5 SVCHOST.EXE files, 3 in SYSTEM, one in LOCAL SERVICE and one in NETWORK SERVICE. None of the names I have listed have been changed by me, I have rewritten them in my post in the same case as the task manager.

I am running Windows XP

Stinger found nothing, SwatIt took mere seconds and found nothing.

I've noticed a few things since my last post:
-The entry on the taskbar for The Snarkpit tends to glow orange (recently updated) after about 10 seconds if the window is not selected.
-I seem to get adware at different intervals. I'm not too sure how it occurs, but I've had this window open and it hasn't sprouted adware for 10-20 minutes, but I opened a new window and got two pop-ups in thirty seconds. Maybe it slows down? I'm not sure, but I still don't want to browse when I know my PC is being scrutinized.
Re: Adware Posted by G.Ballblue on Mon Jun 21st 2004 at 3:36pm
Sim said:
-I seem to get adware at different intervals. I'm not too sure how it occurs, but I've had this window open and it hasn't sprouted adware for 10-20 minutes, but I opened a new window and got two pop-ups in thirty seconds. Maybe it slows down? I'm not sure, but I still don't want to browse when I know my PC is being scrutinized.
Do you get popups when your comp is just sitting there doing nothing? If so, then

it sounds like you don't have your fire wall on... used to happen to me ONLY when my fire wall was off...

Website URL ::: What Gwil said :biggrin:

Yippiy Ki Yay!
Re: Adware Posted by scary_jeff on Mon Jun 21st 2004 at 4:04pm
If you want to know what a process is, you can just google the exact filename. I think using a router is the best way to avoid any kind of spyware or virus. I am behind a router and can run an unpatched system for days with no problems.

If you haven't got a router, you can make one out of a 486, even if it has no hard drive. Search for FreeSCO.
Re: Adware Posted by Sim on Mon Jun 21st 2004 at 4:11pm
I only get pop-ups when a browser is loaded. And don't have a software firewall, but I think we have a router or something on our network which has the same effect.

I used that site to look up each process and along with googling, the only one I couldn't find was OffMan.exe (USER)

I've checked and we do have a router.

Thanks for all of the help. The ads haven't popped up recently which is quite strange, but I am doubtful that the adware has gone or got bored and removed itself. I'd rather have the pop-ups actually, at least then I know I have active spyware.
Re: Adware Posted by scary_jeff on Mon Jun 21st 2004 at 5:03pm
I think we have a router
What are the first two numbers of your IP address?
Re: Adware Posted by Cassius on Mon Jun 21st 2004 at 5:07pm
Get the Google toolbar.

Oh, and

Yippiy Ki Yay!
Re: Adware Posted by Sim on Mon Jun 21st 2004 at 6:19pm
Jeff - 10.0 I believe, why do you want to know?

Cassius - Why get Google toolbar?
Re: Adware Posted by Orpheus on Mon Jun 21st 2004 at 7:07pm
Cassius said:
Get the Google toolbar.
its not 100% foolproof, but it works rather well.
Re: Adware Posted by G.Ballblue on Mon Jun 21st 2004 at 7:12pm
Cassius said:
Get the Google toolbar.

Oh, and

Yippiy Ki Yay!
-.- ::takes out a baseball bat::

Yippiy Ki Yay!
Re: Adware Posted by scary_jeff on Mon Jun 21st 2004 at 7:38pm
To make sure your router is working as a normal router.
Re: Adware Posted by Kain on Mon Jun 21st 2004 at 7:48pm
When you are using Ad-Aware DON'T CHECK "Perform Smart System Scan", instead "Use custom scanning options"! Then click "Customize" and check everything for a maximum security; in the "Scanning" tab and in the "Advanced" tab, check "Scan within archives", "don't skip non executable files", "Scan my IE favorites for banned url", "Scan my Hosts file" etc etc...

This way Ad-aware will be at its maximum efficiency. Hope that helps
Re: Adware Posted by $loth on Mon Jun 21st 2004 at 7:58pm
Kain said:
When you are using Ad-Aware DON'T CHECK "Perform Smart System Scan", instead "Use custom scanning options"! Then click "Customize" and check everything for a maximum security; in the "Scanning" tab and in the "Advanced" tab, check "Scan within archives", "don't skip non executable files", "Scan my IE favorites for banned url", "Scan my Hosts file" etc etc...

This way Ad-aware will be at its maximum efficiency. Hope that helps
Why was i not informed :biggrin:

shakes head

/starts up adaware
Re: Adware Posted by Sim on Mon Jun 21st 2004 at 8:04pm
Yep, I've made sure Spybot, Ad-Aware, AVG, Stinger and SwatIt are all fully updated and scanning the most they can. I thought I heard somewhere that some processes hide themselves so that they can't be seen in the task manager. Is this true? Seems like one nasty piece of adware if nothing manages to find it.
Damn, I've had 4 pop-ups while typing this post :sad:

(edit) What's this stuff with Google toolbar? I thought it was an extra search window you stick in IE, but is it something else, or does it do that and something else?
Re: Adware Posted by Sim on Mon Jun 21st 2004 at 8:49pm
Ha, I found something

I did a Windows search for all files created yesterday and I found some suspicious ones in the C:\Windows\Prefetch folder with a .pf extension (prefetch?). These were the only dodgy files found, except for an .xml one. Examples:

ADLINSTALLWIN32.EXE-23B5AD51.pf
ISTINSTALL_ADLOGIX.EXE-02457D56.pf
TRANS.EXE-0E046614.pf
adupdmanager.xml (in c:\)

I see there are some other useful files in here from other programs too though. Could .pf files (and an xml) actually be usable for ad pop-ups? As far as I know, only the last extension of a file counts, so the .exe would be useless.

Other strange things are happening - pasting text takes a few seconds sometimes and the text appears as blank space until I move the cursor about. As I mentioned before, the browser window for the Snarkpit flashes orange (updated I believe) after about 10 seconds when the window isn't selected. I don't know if that's because the adware might be eating up memory, I searched for prefetch in Google and found that prefetch files take up a lot of RAM.

I've searched for the .exe files but I can't find the first one. I'm not sure which ones to delete/zip (to make them unusable) because I don't know if programs need them, and the 'ad' bit is confusing because it could belong to Ad-Aware too. The ISTINSTALL_ADLOGIX.EXE exists, so I think I'll try zipping that along with the .xml (some sort of script run by the ad program that automatically downloads updates?)

Bleh, my head hurts
Re: Adware Posted by Sim on Mon Jun 21st 2004 at 9:15pm
Nope, I've zipped the xml, 2 ad-ish pfs and the istinstall_adlogix.exe to no avail, they're still popping up. Maybe there's some other program hiding? How do I find out what hidden programs are running? (Ones that don't show up in the task manager)
Re: Adware Posted by scary_jeff on Mon Jun 21st 2004 at 10:00pm
http://www.dslreports.com/forum/remark,10456031~mode=flat

Some guy who had ADLINSTALLWIN32.EXE, and a solution. Might be worth a go. Have you tried the McAfee online scanner thing? It seems odd that something that is obviously adware is not being picked up by spybot or adaware :sad: Did you try running these things in safe mode? Perhaps the adware has some built in spybot protection...
Re: Adware Posted by Gorbachev on Tue Jun 22nd 2004 at 2:17am
It's possible to have a bunch of svchost's but be aware of slight misspellings as many viruses/trojans use similar to system file words. I believe they are there to prioritize different open windows XP and such, although I can't fully recall.

Some services you can untick, but go through the control panel -> administrative tools ->services so you get a full knowledge of what each part is before you decide to allow it or not.

I did a quick search through google and few other places, the highlighted processors are suspect, as there is not enough info or just seems "fishy" so unless you've installed them knowingly, I'd be careful.

JAVAW.EXE (SYSTEM) = Application tied to Java, not troublesome
HJAVAW.EXE (SYSTEM) = something to do with System32\Hummingbird...Don't know for sure what this is...
NVSVC32.EXE (SYSTEM) = Nvidia driver helper service
jconfigNT.exe (SYSTEM) = unknown...could be problematic
INETD32.EXE (SYSTEM) = also tied to Hummingbird
Ctsvccda.exe (SYSTEM) = CD-ROM utility services installed by a Creative program/driver.
OffMan.exe (USER) = Intense Language Office?
CTFMON.EXE (USER) = Office Language bar
realsched.exe (USER) = Realplayer horses**t
SPOOLSV.EXE (SYSTEM) = Printer Spool Service (keeps print jobs in memory)
LSASS.EXE (SYSTEM) = "Windows Local Security Authority Server" Service in charge of windows security features, authentication etc.
SERVICES.EXE (SYSTEM) = Application for NT based systems in starting/stopping/using services
CSRSS.EXE (SYSTEM) = "Client/Server Runtime Server Subsystem"
SMSS.EXE (SYSTEM) = Session Manager Subsystem, used to start/stop/manage user/client sessions under Terminal Server
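
Added example, not written by anyone in this thread: several replies warn about process names that imitate system files ("svohost", "SVCh0st"). The Python sketch below flags such names by digit-for-letter folding and edit distance against system process names mentioned in the thread, and also checks the folder the image runs from. The expected-folder table assumes a default C:\WINDOWS install, and the sample paths are constructed.

```python
import ntpath

# System image names mentioned in this thread and the folder each is expected
# to run from (assumption: default Windows XP install on C:\WINDOWS).
SYSTEM32 = r"c:\windows\system32"
EXPECTED = {
    "svchost.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "csrss.exe": SYSTEM32,
    "smss.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "ctfmon.exe": SYSTEM32,
    "explorer.exe": r"c:\windows",
}

# Digits that are often swapped in for letters so a name looks right at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return (verdict, detail) for one full image path."""
    folder, name = ntpath.split(image_path)
    # Windows file names are case-insensitive, so compare in lower case.
    folder, name = folder.lower(), name.lower()
    if name in EXPECTED:
        if folder == EXPECTED[name]:
            return ("ok", name)
        return ("wrong-folder", f"{name} expected in {EXPECTED[name]}")
    folded = name.translate(CONFUSABLES)
    for known in EXPECTED:
        if edit_distance(folded, known) <= 1 or edit_distance(name, known) == 1:
            return ("look-alike", f"{name} imitates {known}")
    return ("unknown", name)  # not a system name: look it up by hand

def triage(paths):
    """Keep only the entries that deserve a closer look."""
    flagged = []
    for path in paths:
        verdict, detail = classify(path)
        if verdict in ("look-alike", "wrong-folder"):
            flagged.append((path, verdict, detail))
    return flagged

# Constructed sample: full image paths as a process lister would report them.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\SVCh0st.exe",
    r"C:\WINDOWS\svohost.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe",
    r"C:\WINDOWS\System32\nvsvc32.exe",
]

if __name__ == "__main__":
    for path, verdict, detail in triage(SAMPLE_PROCESSES):
        print(f"{verdict:12} {path}  ({detail})")
```

A name match alone proves nothing either way: an "unknown" verdict only means the name is not on the short system list, and an "ok" verdict only means the name and folder are the expected ones.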
Re: Adware Posted by Sim on Tue Jun 22nd 2004 at 3:42pm
Gorbachev - Thanks for the process descriptions. I do have a program called Intense Language Office installed, and the jconfigNT seems to be to do with Hummingbird I believe (which is another installed program). The svchost files all seem to be the same too.

Jeff - Thanks for the link, it's brought up some useful threads for me to follow.

Another topic www.lavasoftsupport.com/index.php?showtopic=31815 has AdLogix problems (I believe that's the one I have). The file adupdmanager.xml has also been popping up around my C drive too. I've deleted the xmls and password-zipped the exe. The user from the mentioned topic ran a custom Ad-Aware scan and found his problem, but I customised mine to be the same as that and it still turns up just tracking cookies. A Windows search hasn't found any more adlogix, adupdmanager or istinstall files, so I'm hoping I've got rid of it.

What is also mentioned in this topic is the automove.exe file which seems to be a source of Adware. Similarly, I also have an automove.exe in my Windows\System32 folder. I moved it to another partition and zipped it, and also removed it from the Startup tab in msconfig.

Hopefully my adware has gone now, I'll just reboot and see how it goes. Again, thanks for all of the help.
Re: Adware Posted by Orpheus on Tue Jun 22nd 2004 at 3:51pm
i know this was mentioned, but its important enuff to post once more for good measure..

Adaware, and Spybot, do not like each other, run one or the other, but don't install both, unless you are positive of your actions.. Spybot, or Adaware one, will remove parts of the other during cleansing :sad:
Re: Adware Posted by scary_jeff on Tue Jun 22nd 2004 at 5:15pm
I just ran both of them, adaware while spybot was installing then running. No problems occurred. Perhaps your adaware or spybot installation had been infected by some rogue spyware.
Re: Adware Posted by Orpheus on Tue Jun 22nd 2004 at 5:33pm
read my red words again Jeff..

also, although i have seen the warning message myself, i cannot guarantee that everyone will.. each pc is unique after all.
Re: Adware Posted by Sim on Tue Jun 22nd 2004 at 6:52pm
My Ad-Aware and Spybot installations don't seem to conflict each other. I think you mentioned it before and I have kept an eye out for any conflict but they seem fine. Thanks for the advice anyway.
Oh, and Happy Birthday!

The adware is still there though. I've deleted some adware-related files but they seem to also be located elsewhere, yet the Windows search feature isn't finding them. Bit of a dead end now, I seem to have used up most of the ideas I have. If I really come to a brick wall then I'll try posting at the Lavasoft (Ad-Aware people) forum.
Re: Adware Posted by scary_jeff on Tue Jun 22nd 2004 at 8:15pm
I read your post properly the first time. You said that adaware or spybot "will remove parts of the other during cleansing" - All I did was say that this didn't happen to me when I was using spybot and adaware at the same time, and gave a possible cause for it happening to you.
Re: Adware Posted by Orpheus on Tue Jun 22nd 2004 at 9:08pm
scary_jeff said:
I read your post properly the first time. You said that adaware or spybot "will remove parts of the other during cleansing" - All I did was say that this didn't happen to me when I was using spybot and adaware at the same time, and gave a possible cause for it happening to you.
both my programs were installed at the time, before i ran either..

don't remember which it was, but i think adaware attempted to remove some spybot stuff.. i had a warning message none the less about it.

anywho's i prefer spybot, it finds things adaware misses.. as i said though, each PC is unique, maybe i have stuff no one else has or would have :/
Re: Adware Posted by Rumple on Wed Jun 23rd 2004 at 12:08am
i got that message that orph mentioned once but that was on older versions of both Adaware and Spybot S&D, it doesn't seem to be a problem with the newer versions.
Re: Adware Posted by Orpheus on Wed Jun 23rd 2004 at 12:12am
Rumple said:
i got that message that orph mentioned once but that was on older versions of both Adaware and Spybot S&D, it doesnt seem to be a problem with the newer versions.
wipes brow

jeff had me wondering.. thanx rumple :biggrin:
Re: Adware Posted by Sim on Wed Jun 23rd 2004 at 7:01pm
All clear!

The problem was highlighted when I ran HijackThis, and several spyware entries were found. Deleting any old files can cause damage though so I checked with a security message board and they gave me instructions. There was also a dll in the C:\Windows\System32 directory called SWin32.dll that I think was related to it, and that file was deleted.

Here's the HijackThis log if you want to see (now removed processes shown in red, ignore the yellow text, they're links):

Logfile of HijackThis v1.97.7
Scan saved at 17:21:00, on 23/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\AVG\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\United Devices\UD.exe
D:\Intense Language Office\Common\OffMan.exe
C:\Program Files\United Devices\ud_7174683.exe
D:\AVG\avgserv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
[color=red]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =[/color]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = hermes:3128
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SpyBot\SDHelper.dll
[color=red]O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll[/color]
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WheelMouse] C:\WHEELM~1\wh_exec.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AVG_CC] D:\AVG\avgcc32.exe /STARTUP
[color=red]O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe[/color]
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - Global Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.exe
O8 - Extra context menu item: Download with GetRight - D:\Getright\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Getright\GRbrowse.htm
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4367/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E156C0D7-EC1D-4C75-860F-24066892535B}: Domain = btinternet.com
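
Added example, not part of Sim's post: a small Python parser for the HijackThis log layout shown above. It strips the forum's colour markup (remembering which entries were marked red, i.e. removed), splits each entry into section code and body, and lists the browser helper (O2) and Run-key (O4) files that are not on a list the reader has already verified. The VERIFIED set is a hypothetical allowlist; the sample lines are taken from the log above.

```python
import ntpath
import re

# Forum colour markup wrapped around log lines (red = entry later removed).
COLOR_TAG = re.compile(r"(\[/?color[^\]]*\])", re.IGNORECASE)
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - HKLM\..\Run: ..."
BHO = re.compile(r"^BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN = re.compile(r"^(.+?): \[([^\]]+)\] (.+)$")
IMAGE = re.compile(r"(.+?\.(?:exe|dll|ocx))(?:\s|$)", re.IGNORECASE)

# Hypothetical allowlist: file names the reader has already looked up and accepted.
VERIFIED = {"ctfmon.exe", "avgcc32.exe", "sdhelper.dll", "qttask.exe"}

# Sample lines taken from the log in the post above, colour tags included.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SpyBot\SDHelper.dll
[color=red]O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll[/color]
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] D:\AVG\avgcc32.exe /STARTUP
[color=red]O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe[/color]
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [WheelMouse] C:\WHEELM~1\wh_exec.exe
"""

def image_of(command):
    """Pull the program path out of a Run command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = IMAGE.match(command)
    return m.group(1) if m else command.split()[0]

def parse_log(text):
    """Return one dict per log entry: code, body, file (O2/O4 only), removed."""
    entries, red = [], False
    for raw in text.splitlines():
        plain, removed = "", False
        # Walk text and colour tags in order so a closing tag that landed on
        # the following line does not mark that line as removed.
        for part in COLOR_TAG.split(raw):
            low = part.lower()
            if low.startswith("[color"):
                red = "red" in low
            elif low.startswith("[/color"):
                red = False
            elif part.strip():
                plain += part
                removed = removed or red
        m = ENTRY.match(plain.strip())
        if not m:
            continue  # header lines, running-process paths, blanks
        code, body = m.groups()
        target = None
        if code == "O2" and (b := BHO.match(body)):
            target = b.group(2)
        elif code == "O4" and (r := RUN.match(body)):
            target = image_of(r.group(3))
        entries.append({"code": code, "body": body, "file": target, "removed": removed})
    return entries

def needs_review(entries):
    """O2/O4 entries whose file name is not on the verified list."""
    out = []
    for e in entries:
        if e["file"] and ntpath.basename(e["file"]).lower() not in VERIFIED:
            out.append((e["code"], e["file"]))
    return out

if __name__ == "__main__":
    for code, path in needs_review(parse_log(SAMPLE_LOG)):
        print(code, path)
```

On the sample, both entries the post marks as removed (SWin32.dll and automove.exe) land on the review list, together with wh_exec.exe, which is simply not on the allowlist yet.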