
Invalid Popups


  • This topic is locked
3 replies to this topic

#1 rhyme


Posted 25 October 2005 - 08:49 PM

Symptom:

In IE, or in Firefox, I get false popups - i.e. search for "antivirus" on google.com, and I get a popup with ads. If I go to symantec.com, I get the webpage but popups offering other (probably fake) products come up. This happens in both IE and Firefox, but in Firefox it opens up an IE window, not a Firefox window. I've tried Microsoft spyware clean, Adaware, Trend Micro virus scan, no dice. I've monitored my task manager and nothing seems to spawn, so I suspected it was part of IE as some kind of obj, but it happens in Firefox too so I suspect it's something embedded a bit deeper. I also tried Spybot, Ewido, Trojan Hunter, CWShredder and VX2Cleaner. None worked. I've disabled System Restore. I've also tried doing the virus scan from HouseCall rather than from my local install, again nothing found.

Here's the HijackThis log ... anything from ledune.net should be safe and not a reason for concern.


Logfile of HijackThis v1.99.1
Scan saved at 11:50:12 AM, on 10/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\TEMP\VXD502.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\temp\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTray] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_2
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://av01.ledune.net/officescan/cons...nNTChk.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://av01.ledune.net/officescan/cons...tupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://av01.ledune.net/officescan/cons.../setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://D:\components\hidinputmonitorx.ocx
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://av01.ledune.net/officescan/console/html/AtxEnc.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://D:\components\A9.ocx
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://av01.ledune.net/officescan/cons...veCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v...4156547132
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/s...mEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://ledune.net/Remote/msrdp.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://www.ledune.net/webview/msxml/msxml4.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://themeetingson.webex.com/client/...eatgpc.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - file://C:\Program Files\Support.com\bin\IBMAccessSupport\common\install\AcpControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.ledune.net
O17 - HKLM\Software\..\Telephony: DomainName = domain.ledune.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8B5DB7A-A03A-4995-8548-74F9F92B5F42}: Domain = domain.ledune.net domain.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8B5DB7A-A03A-4995-8548-74F9F92B5F42}: NameServer = 192.168.111.83,192.168.111.81
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.ledune.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ledune.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ledune.net
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Phaser 3500 Status Monitor Service (SM_3500_FUService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe



#2 rhyme


Posted 27 October 2005 - 08:40 AM

Did some additional digging...

First, here's a screenshot of the kind of popup I'm getting:

http://picapic.net/media/67Z3XPP84Q8GV4

Occasionally, I'll get more than one.

http://picapic.net/media/59Q9D34

In both cases, you can download the full size version by clicking on the download link (just click it, don't right click it).

Here's what I've been able to figure out. In either IE or Firefox, certain Google searches spawn a rogue process with a TCP connection to 64.127.103.41. Best I can tell, this downloads ads to a temporary internet file, which is then somehow launched to my screen by the rogue process through what appears to be a valid call to IE file://

The process name reported by TCPView is: C:\PROGRAM FILES\MICOADER\QPRCACLS.EXE

See screenshot: http://picapic.net/media/2QW568S84Q8GV4

No such directory exists and I cannot find ANY reference to the above file name on Google or Yahoo. This leads me to believe I may have a new variant of something. Now here's what's really weird.

If I go to start->run and type in, WITH quotation marks

"C:\PROGRAM FILES\MICOADER\QPRCACLS.EXE"

I get an error saying no such file exists.

If I type it in WITHOUT quotation marks ( C:\PROGRAM FILES\MICOADER\QPRCACLS.EXE )

No error pops up, and it looks like something runs.

Now, if I type in, without quotation marks

C:\PROGRAM FILES\MICOADER\

Things get REALLY odd.

I get the error "The file does not have a program associated with it for performing this action."

If I put it in quotes ("C:\PROGRAM FILES\MICOADER\")

I get an error saying it refers to a location that is unavailable.

Ok enough about that.

Moving on.

Not always, but sometimes, there is a background UDP process listed as "C:\WINDOWS\SYSTEM32\PINDRAMP.EXE" (also from tcpview). Again, no such file exists. Sometimes there is a background UDP process C:\PROGRAM FILES\MICOADER\QPRCACLS.EXE. Either way, that spawns whenever I search google. My hosts file appears clean.

It's only happened once that I've noticed, but I've seen multiple rogue connections to rr-grp1.yyz1.cl1.setupahost.net. It happened quickly and I couldn't get the process name that spawned this.

A little more digging revealed:

rr-grp1.yyz1.cl1.setupahost.net has address 66.244.254.63
rr-grp1.yyz1.cl1.setupahost.net has address 66.244.254.64

www.winfixer.com has address 66.244.254.64
www.winfixer.com has address 66.244.254.63

Leading me to believe this may be a mix of winfixer and something else, but all references to supposed winfixer files (searching through other people's posts on the subject) do not appear to exist on my machine.

Those of you who are paying attention may have noticed that 64.127.103.41 is download.contextplus.net. The only viral reference I was able to locate on this subject was here: http://www3.ca.com/securityadvisor/virusin...s.aspx?id=43002

Again, I am unable to locate any of those files or references in the registry. I've also tried running the ca.com virus scan, with no results. This now means that I've tried Ewido, Trend Micro, Spybot, Trojan Hunter, CWShredder, VX2Cleaner, Trend Micro HouseCall, CA virus scan - absolutely no dice.

As I type this, I am running RootkitRevealer. So far, nothing's come up.

Edited by rhyme, 27 October 2005 - 09:03 AM.
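A defender's version of the check described in the post above, added here as an example and not code from the original thread: it parses a TCPView-style listing and flags any process whose image path the file API cannot see (the hiding symptom the poster hit), or that talks to one of the addresses named in the post. The listing format, the sample rows and the VISIBLE_ON_DISK set are constructed for the example; on a live Windows box the real os.path.exists is used instead of the stand-in.

```python
import os
import re

# Addresses named in the thread: download.contextplus.net and the two shared
# by www.winfixer.com and rr-grp1.yyz1.cl1.setupahost.net.
SUSPECT_IPS = {"64.127.103.41", "66.244.254.63", "66.244.254.64"}

# Constructed sample shaped like a TCPView listing (image path, PID, protocol,
# local endpoint, remote endpoint); rows 2 and 3 use the paths from the thread.
SAMPLE_LISTING = r"""
C:\Program Files\Internet Explorer\IEXPLORE.EXE  1408  TCP  192.168.111.5:1044  203.0.113.10:80
C:\PROGRAM FILES\MICOADER\QPRCACLS.EXE  1932  TCP  192.168.111.5:1051  64.127.103.41:80
C:\WINDOWS\SYSTEM32\PINDRAMP.EXE  1960  UDP  0.0.0.0:1027  *:*
C:\WINDOWS\System32\svchost.exe  820  UDP  0.0.0.0:1025  *:*
"""

# Constructed stand-in for what the file API reports as present (the rogue
# images are absent, as in the thread); on a live box use os.path.exists.
VISIBLE_ON_DISK = {r"c:\program files\internet explorer\iexplore.exe",
                   r"c:\windows\system32\svchost.exe"}

LINE_RE = re.compile(r"^(?P<path>.+?\.exe)\s+(?P<pid>\d+)\s+(?P<proto>TCP|UDP)"
                     r"\s+(?P<local>\S+)\s+(?P<remote>\S+)$", re.IGNORECASE)

def parse_listing(text):
    # One dict per matching line; headers and blank lines are skipped.
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def flag_rows(rows, path_exists=os.path.exists):
    # Flag a process whose image path the file API cannot see (the hiding the
    # poster ran into) or that talks to one of the ad-server addresses.
    findings = []
    for r in rows:
        reasons = []
        if not path_exists(r["path"]):
            reasons.append("image path not visible on disk")
        if r["remote"].rsplit(":", 1)[0] in SUSPECT_IPS:
            reasons.append("remote address is a known ad-server IP")
        if reasons:
            findings.append((int(r["pid"]), r["path"], reasons))
    return findings

def demo():
    rows = parse_listing(SAMPLE_LISTING)
    return flag_rows(rows, path_exists=lambda p: p.lower() in VISIBLE_ON_DISK)
```

A process that only fails the path check is worth a look on its own: a live connection from an image that Explorer says does not exist is exactly the contradiction that pointed the poster at a rootkit rather than a missed scanner signature.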


#3 rhyme


Posted 27 October 2005 - 11:43 AM

RESOLVED

Looks like a new variant.

To clean:

Boot to safe mode

Locate files mentioned in my posts

Delete

Easy to fix, once you figure out where the heck they are.

Hides from the Windows API.

Don't bother with Spybot or anything else. None of them find it.

There may be some hidden registry keys as well, working on finding those.


#4 Grinler

Lawrence Abrams, Admin

Posted 01 November 2005 - 09:22 AM

If you have any of the files from this infection, please zip them and submit them here:

http://www.bleepingcomputer.com/submit-malware.php

I have closed this topic as it was resolved. Thanks for letting us know the fix.



