Jesus Christ, "New Offer for You!" PopUp


This topic is locked. 8 replies to this topic.

#1 waznboi04

Posted 12 May 2005 - 10:41 AM

I've run Spybot S&D, Ad-Aware, and turned on all SpywareBlaster protection, but this garbage popup keeps on coming. After I ran S&D, I found c:\windows\system32\adCache filled with a lot of bleep; it says it was part of CyDoor. Not sure if this is related, but this is always popping up every few days. Here's my HijackThis log. I can't seem to find anything that stands out, though:

Logfile of HijackThis v1.99.1
Scan saved at 8:35:10 AM, on 5/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_01\bin\javaw.exe
C:\Documents and Settings\Chris\Desktop\EPSXE\ePSXe.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\cmd.exe
C:\PROGRA~1\FlashGet\flashget.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CC37A80-A38D-4C6F-AD7F-7E93025AE6CE}: NameServer = 204.127.202.4,216.148.227.68
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Any advice is greatly appreciated. Thanks.


#2 OldTimer (Malware Expert)

Posted 12 May 2005 - 08:24 PM

Hi waznboi04 and welcome to the BC forums. There are no signs of malware in your log so let's look for some hidden files.

Download PFind.zip and unzip the contents to its own folder.

Start in Safe Mode using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the pfind.bat and double-click on it to run the program. When it is finished Notepad will open up. Save the document to a location where you can find it later and then reboot your computer normally.

Post the contents of the pfind.bat scan back here and I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#3 waznboi04 (Topic Starter)

Posted 12 May 2005 - 09:27 PM

Thanks for replying. Here's my pfind log:

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\daemon.dll: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\DivX.dll: PEC2
C:\WINDOWS\SYSTEM32\DivX.dll: PECompact2


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Administrator\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Administrator\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Thu May 12 2005 7:18:40p A.S.. 2,048 2.00 K
qtfont.qfn Mon May 9 2005 7:29:44p A..H. 54,156 52.89 K
window~1.man Wed Apr 13 2005 11:04:00p A..HR 749 0.73 K

C:\WINDOWS\DOWNLO~1\
desktop.ini Wed Apr 13 2005 11:04:04p ...H. 65 0.06 K

C:\WINDOWS\FONTS\
desktop.ini Wed Apr 13 2005 11:04:30p A.SH. 67 0.06 K

C:\WINDOWS\INF\
oem6.inf Fri Apr 15 2005 8:55:32a ...H. 0 0.00 K

C:\WINDOWS\OFFLIN~1\
desktop.ini Wed Apr 13 2005 11:04:04p ...H. 65 0.06 K

C:\WINDOWS\REPAIR\
ntuser.dat Wed Apr 13 2005 11:04:50p A..H. 233,472 228.00 K

C:\WINDOWS\SYSTEM32\
cdplay~1.man Wed Apr 13 2005 11:04:00p A..HR 749 0.73 K
logonu~1.man Wed Apr 13 2005 11:04:04p A..HR 488 0.48 K
ncpacp~1.man Wed Apr 13 2005 11:04:00p A..HR 749 0.73 K
nwccpl~1.man Wed Apr 13 2005 11:04:00p A..HR 749 0.73 K
sapicp~1.man Wed Apr 13 2005 11:04:00p A..HR 749 0.73 K
window~1.man Wed Apr 13 2005 11:04:04p A..HR 488 0.48 K
wuaucp~1.man Wed Apr 13 2005 11:04:00p A..HR 749 0.73 K

C:\WINDOWS\TASKS\
sa.dat Thu May 12 2005 7:17:40p A..H. 6 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Thu May 12 2005 7:18:34p A..H. 8,192 8.00 K
sam.log Thu May 12 2005 7:18:48p A..H. 1,024 1.00 K
security.log Thu May 12 2005 7:18:40p A..H. 12,288 12.00 K
software.log Thu May 12 2005 7:19:48p A..H. 102,400 100.00 K
system.log Thu May 12 2005 7:18:42p A..H. 860,160 840.00 K
tempkey.log Wed Apr 13 2005 3:54:00p A..H. 1,024 1.00 K
userdiff.log Wed Apr 13 2005 3:54:00p A..H. 1,024 1.00 K

C:\WINDOWS\SYSTEM32\RESTORE\
filelist.xml Fri Apr 15 2005 8:55:34a ..SHR 13,698 13.38 K

C:\WINDOWS\PCHEALTH\HELPCTR\PACKAG~1\
pab9c9~1.cab Fri Apr 15 2005 2:30:40a ..SHR 70,111 68.46 K
pabdc9~1.cab Fri Apr 15 2005 2:30:40a ..SHR 27,774 27.12 K
packag~1.cab Wed Apr 13 2005 11:04:16p ..SHR 242,478 236.79 K
packag~2.cab Wed Apr 13 2005 11:04:16p ..SHR 19,959 19.49 K
packag~3.cab Wed Apr 13 2005 11:04:16p ..SHR 727 0.71 K

C:\WINDOWS\SYSTEM32\CATROOT\{F750E~1\
kb890859.cat Sat Mar 19 2005 10:27:20p ..S.. 18,199 17.77 K
kb8909~1.cat Tue Mar 29 2005 11:45:54a ..S.. 16,853 16.46 K
kb892944.cat Wed Mar 23 2005 10:50:58a ..S.. 12,324 12.04 K
kb893066.cat Fri Mar 18 2005 5:49:46p ..S.. 10,786 10.53 K
kb893086.cat Fri Mar 18 2005 7:39:48p ..S.. 13,574 13.25 K
kb8938~1.cat Mon Mar 21 2005 3:00:24p ..S.. 29,491 28.80 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\
ntuser~1.log Thu Apr 21 2005 1:52:42a A..H. 1,024 1.00 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\APPLIC~1\
desktop.ini Wed Apr 13 2005 3:56:00p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\
desktop.ini Wed Apr 13 2005 3:56:00p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\SENDTO\
desktop.ini Wed Apr 13 2005 11:04:06p A.SH. 181 0.18 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\
desktop.ini Wed Apr 13 2005 3:56:00p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\
desktop.ini Wed Apr 13 2005 11:04:16p A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\
desktop.ini Wed Apr 13 2005 11:04:16p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\
desktop.ini Wed Apr 13 2005 11:04:48p A.SH. 206 0.20 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
2c3b9e~1 Wed Apr 13 2005 11:22:24p A.SH. 388 0.38 K
prefer~1 Wed Apr 13 2005 11:22:24p A.SH. 24 0.02 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\HISTORY.IE5\
desktop.ini Wed Apr 13 2005 11:04:16p A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\
desktop.ini Wed Apr 13 2005 11:04:16p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\
desktop.ini Wed Apr 13 2005 11:04:48p A.SH. 482 0.47 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\STARTUP\
desktop.ini Wed Apr 13 2005 11:04:48p A.SH. 84 0.08 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\0B8RE52L\
desktop.ini Wed Apr 13 2005 11:04:16p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4VOPCRAF\
desktop.ini Wed Apr 13 2005 11:04:16p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\Q9AH49OP\
desktop.ini Wed Apr 13 2005 11:04:16p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\UD0XKL8D\
desktop.ini Wed Apr 13 2005 11:04:16p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ACCESS~1\
desktop.ini Wed Apr 13 2005 11:04:48p A.SH. 348 0.34 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ENTERT~1\
desktop.ini Wed Apr 13 2005 11:04:48p A.SH. 84 0.08 K

55 items found: 55 files, 0 directories.
Total of file sizes: 1,761,070 bytes 1.68 M

Good luck.

#4 OldTimer (Malware Expert)

Posted 13 May 2005 - 01:42 AM

Hi waznboi04. There is nothing in either log file to indicate any problems at this time. What exactly do the popups say?

Let's try this. Download and install ewido security suite. Update the program and then click on the Scanner button. On the Scanner page click on My Computer and then click the Start button to begin the scan. Let it run to completion and fix anything that it finds.

Post back with the results of the scan and the exact details of the messages you are receiving.

Cheers.

OT

#5 waznboi04 (Topic Starter)

Posted 13 May 2005 - 02:59 AM

Yeah, that's the funny thing: I couldn't find where this damn popup is coming from. I use Firefox, and this popup has an IE icon. It says NEW OFFER FOR YOU, and the ad generally has some sort of Registry Cleaner, something like that. Anyhow, I'll try the program. I think what might be happening is I go to a certain site, CyDoor is stored in c:\windows\system32\AdCache, and the new offer keeps popping up until I get rid of CyDoor. But even right when I get rid of it, the popup still goes for a bit. Thanks for the links.

#6 waznboi04 (Topic Starter)

Posted 13 May 2005 - 04:39 AM

I believe I know where the popups are coming from. They seem to be coming from a) FlashGet, or b) my Firefox Download window. Don't know how that works, but I'm leaning more towards a). Apparently the unpaid version of FlashGet is adware supported? Not sure, though. Here's my ewido log.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:03:59 AM, 5/13/2005
+ Report-Checksum: FF3931EB

+ Date of database: 5/13/2005
+ Version of scan engine: v3.0

+ Duration: 13 min
+ Scanned Files: 67431
+ Speed: 85.00 Files/Second
+ Infected files: 3
+ Removed files: 3
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Chris\Cookies\chris@guide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Chris\Cookies\chris@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\Chris\Cookies\chris@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup


::Report End

#7 OldTimer (Malware Expert)

Posted 13 May 2005 - 11:14 AM

Hi waznboi04. FlashGet's website has no privacy statement that I could find, but there was a comment in their FAQ section regarding a missing advert.dll. That file is used for popup advertising, and if it is missing FlashGet will not work, so I guess there is your answer. If you want to get rid of the popups, get rid of FlashGet. A lot of free software includes advertising of some sort or another. That's what keeps it free. It depends on the individual to determine how annoying the advertising is and whether they want to keep it.

Cheers.

OT

#8 waznboi04 (Topic Starter)

Posted 13 May 2005 - 04:45 PM

Yep, thanks for your time. It's definitely FlashGet. I'm going to see about getting some sort of crack to register it. That's when the AdCache folder stops.

#9 OldTimer (Malware Expert)

Posted 13 May 2005 - 10:11 PM

Hey waznboi04. Well, we won't get into that. Since your issue is resolved I will close this topic.

Take care and have a great computing day :thumbsup:

OT :flowers: