I knew immediately it was crap I certainly didn't want on my PC. I found out exactly what it was the next day: while playing CS:S I got a freaking pop-up in Internet Explorer that booted me to the desktop and crashed my game (while I was in the lead too, no less). Not only would I not have anything open while playing, I haven't used IE in weeks - Firefox is my default browser.
I ran a full scan with AVG 7.5.472 (latest) with the latest definition updates, released yesterday the 17th, and found nothing relevant.
Downloaded and ran Spyware Nuker XT and cleared a few funky cookies and registry entries; it did not find the hook.
Downloaded and ran Windows Defender, completely clean.
Downloaded the newest version of HiJack This (1.99) and it didn't find jack except a few questionable cookies, which I deleted, and startup entries, which I checked and are in tip-top shape.
I checked my processes and there was absolutely nothing running that shouldn't have been. I keep a low background process overhead and I'm familiar with everything running on my rig.
I waited till the little bleep popped open another browser window, then ran Process Explorer and found out it's launching IE as a child process under the svchost.exe for DCOM services (DCOM Server Process Launcher). The command line for it is "C:\WINDOWS\system32\svchost -k DcomLaunch", and I checked under my Services administrative tool and that is the real DCOM svchost, not a clone or anything - something is hijacking it and using it to launch IE.
I think this is a new one, and a clever one at that. I don't know much about XP's svchost calls or how to tell what is calling upon svchost to spawn another process either; any help greatly appreciated. I kept the dropper/install file of the adware in a zip file in case I should send it to be analyzed and added to a database.
MORE INFO about the malicious program.
The pop-ups are not entirely random and will often display the same thing; occasionally it will point IE to a dead link whose URL looks a lot like it's trying to report back to a machine regarding my information. I definitely recognize that it's trying to send some type of information because of the URL format; also, the machine it's pointing me to doesn't have a domain - just an IP address.
The most interesting thing is, and I think this is very relevant (I say this due to the high frequency of the following pop-up and the nature of the product advertised in it, as they are obviously the makers of this spyware/adware): it most commonly opens IE and tries to get me to download that fake System Tools spyware scanner bleep and asks me to scan my computer. It always pops up an IE dialog first that tells me my computer is unsecure and that I should scan now. I repeat, I DO NOT have System Tools installed on my machine and I have never pressed the scan or installed any components for the scan or anything related to System Tools, so please don't send me the link on how to remove System Tools as I've already seen it and it will not help.
It will also point me to another program called WinVirusPro 2007 or some crap like that; I can't remember exactly.
bleeping bleep bleep bleeeeeeep blepp bleep bleep! So here I am now, anybody have an idea how to squash this thing or what I should do?
Edited by PancakeofMassDeliciousness, 18 June 2007 - 10:39 AM.
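As an added example that is not part of the original post or any reply: the question above is how to tell which svchost instance spawned the browser and what that instance is hosting. The PowerShell script below is my own illustration, not the poster's or any forum tool's; it assumes an Administrator session on XP SP2 or later with PowerShell 2.0 or newer (so WMI returns every process's command line), and the function name Get-SvchostSpawns and the list of "suspect" child names are my own choices. It reads Win32_Process and Win32_Service through WMI, maps every svchost.exe to the service group from its -k argument and the services it hosts, and lists each child process with its command line. One detail worth knowing when reading the result: when any process asks DCOM to start an out-of-process COM server such as InternetExplorer.Application, the new iexplore.exe is created by the DcomLaunch host with -Embedding on its command line, so the process tree shows the launcher, not the process that requested the launch. The script flags that switch so you know to look for the COM client elsewhere (startup entries, loaded DLLs, scheduled tasks) rather than inside svchost itself.

```powershell
# Added example (not from the original post): map every svchost.exe to the
# service group it was started with (-k <group>), the services it hosts, and
# the processes it has spawned, then flag children that should not normally
# appear under a service host. Uses only WMI classes present on XP SP2+.
# Assumption: run from an Administrator session so WMI returns the command
# line of every process, not just the caller's own.

function Get-SvchostSpawns {
    param(
        # Process names that are unusual as children of a service host
        # (my own list; extend it for your environment).
        [string[]]$SuspectChildren = @('iexplore.exe', 'firefox.exe', 'cmd.exe',
                                       'wscript.exe', 'cscript.exe')
    )

    $procs = Get-WmiObject -Class Win32_Process

    # Services keyed by the PID of the process hosting them. A shared svchost
    # instance (DcomLaunch, netsvcs, ...) hosts several services at once.
    $servicesByPid = @{}
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $spid = [int]$svc.ProcessId
        if ($spid -eq 0) { continue }          # stopped services own no process
        if (-not $servicesByPid.ContainsKey($spid)) { $servicesByPid[$spid] = @() }
        $servicesByPid[$spid] += $svc.Name
    }

    # Child processes keyed by parent PID.
    $childrenByPid = @{}
    foreach ($p in $procs) {
        $ppid = [int]$p.ParentProcessId
        if (-not $childrenByPid.ContainsKey($ppid)) { $childrenByPid[$ppid] = @() }
        $childrenByPid[$ppid] += $p
    }

    foreach ($hostProc in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $hostPid = [int]$hostProc.ProcessId

        # The -k argument names the service group this instance was started for.
        $group = '(unknown)'
        if ($hostProc.CommandLine -match '-k\s+(\S+)') { $group = $matches[1] }

        $hosted = $servicesByPid[$hostPid]
        if (-not $hosted) { $hosted = @() }

        # A missing key yields $null, and foreach over $null simply does nothing.
        foreach ($child in $childrenByPid[$hostPid]) {
            # A COM server that DCOM started on behalf of some other process is
            # launched with the -Embedding switch. The requesting client is not
            # recorded in the process tree, so this switch is the only hint the
            # tree gives that the launch was a COM activation.
            $viaCom = ($child.CommandLine -match '(?i)[-/]Embedding')

            New-Object PSObject -Property @{
                HostPid        = $hostPid
                ServiceGroup   = $group
                HostedServices = ($hosted -join ',')
                ChildPid       = [int]$child.ProcessId
                ChildName      = $child.Name
                ChildCommand   = $child.CommandLine
                ComActivation  = $viaCom
                Suspect        = ($SuspectChildren -contains $child.Name)
            }
        }
    }
}

# Usage: show only the children that should not be under a service host,
# together with the service group and the hosted services that spawned them.
Get-SvchostSpawns |
    Where-Object { $_.Suspect } |
    Format-Table HostPid, ServiceGroup, HostedServices, ChildPid, ChildName,
                 ComActivation, ChildCommand -AutoSize
```

Run it while the unwanted window is open: an iexplore.exe line under the DcomLaunch group with ComActivation set to True means the browser was started through DCOM on behalf of some other code, so the service host is the messenger rather than the infection. Compare its ChildCommand with a manual launch of IE, which carries no -Embedding switch. The built-in tasklist /svc gives the same PID-to-service mapping without PowerShell, but not the parent/child relationship or command lines.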