Minor Ad-Ware problem that's driving me batty!
Page 1 of 3 123 LastLast
Results 1 to 10 of 21

Thread: Minor Ad-Ware problem that's driving me batty!

  1. #1
    Member
    Join Date
    Feb 2005
    Posts
    60

    Minor Ad-Ware problem that's driving me batty!

    Hi y'all - i hope someone can help me out with soemthing fishy that's been going on.

    For the last couple of weeks (i think since I downloaded Java for Dell training) i've been having Browser relevancy issues liek this:

    1. Find driving me nuts
    Your relevant result is a click away!
    www.upspiral.com/

    2. Look for driving me nuts
    Find driving me nuts at one of the best sites the Internet has to offer!
    www.redzip.com/

    with variations - usually upspiral and redzip, and also ezanga keep popping up. Also i've noticed a marked decrease in overall quality of hits returned.

    I have run HJT - and deleted anything sketchy, run spybot, run adaware, run spysubtract - googled for any info possible, gone through my registry, and through the usual C drive areas where these types of things linger - and I can't make it go away.

    The relevancy ads are the only issue. No popups or anything like that. Has anyone else had this problem, or have a solution?

    please help!

  2. #2
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Are they browser ads, or maybe net send ads? I would suggest maybe downloading the Microsoft Antispyware program and giving that a shot. Also, might want to post a HJT log on the site so we can take a look at it. Have you scanned for viruses also?

  3. #3
    Member
    Join Date
    Feb 2005
    Posts
    60
    Hi zENGER - here's my HJT log - bear in mind i've already cleaned it as best i could:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:48:28 PM, on 5/4/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\WINDOWS\icmsca.exe
    C:\Program Files\InterMute\icmssp\icmssp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\FaxSrCli\Notify.exe
    C:\FaxSrPTM\FaxSrPTM.exe
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\system32\mstsc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\mspmspsv.exe
    C:\Documents and Settings\TinaD\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.atlantaregional.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.atlantaregional.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Atlanta Regional Commission
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKCU\..\Run: [mspmspsv] C:\WINDOWS\System32\mspmspsv.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Fax Sr. Notify.lnk = C:\FaxSrCli\Notify.exe
    O4 - Global Startup: Fax Sr. Print to Mail.lnk = C:\FaxSrPTM\FaxSrPTM.exe
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.atlantaregional.com
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlantaregion.com
    O17 - HKLM\Software\..\Telephony: DomainName = atlantaregion.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE56CABD-EE1B-4697-A5F8-79789499283C}: NameServer = 192.168.1.14,192.168.1.140
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlantaregion.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = atlantaregion.com
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    O23 - Service: InterMute Client Agent - InterMute, Inc. - C:\WINDOWS\icmsca.exe
    O23 - Service: InterMute SpySubtract Agent - InterMute, Inc. - C:\Program Files\InterMute\icmssp\icmssp.exe
    O23 - Service: Sweep for Windows NT Network (SWEEPNET) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
    O23 - Service: Sweep for Windows NT Update (SWEEPUPDATE) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Sophos has been acting up for me so i'm actually reinstalling it now, but I'm running a trendmicro scan since i'm not quite sure when sophos quit. TrendMicro's beta 6.0 is looking kind of cool witht he built in spyware scan - let's see how it does. I will try MS Spyware scan next if TrendMicor doesn't find anything.


    Oh as far as the ads - attached is a screen capture. it seems like what happens is that i will put in my search text (in this case - Trend Micro) and it will run the search, return the results, and then the first 2 or 3 entries will be changed to whatever ad-listing is applicable - in this case i believe it's stop-sign.com. If i use quotation makrs in my search it is upsprial and redzip and i think ezanga comes up when i use AND in my search.

  4. #4
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = atlantaregion.com
    O17 - HKLM\Software\..\Telephony: DomainName = atlantaregion.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE56CABD-EE1B-4697-A5F8-79789499283C}: NameServer = 192.168.1.14,192.168.1.140
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = atlantaregion.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = atlantaregion.com


    Did you setup those servers as your DNS servers? This looks like a browser redirection type problem, that maybe its redirecting your home page somewhere bogus, yet still shows the URL that you think it is. I can't be positive this is what is going on, but I would be very leary of those lines.

  5. #5
    Member
    Join Date
    Feb 2005
    Posts
    60
    yeah those are all fine and supposed to be there. this is puzzling the heck out of me.


    just finished the trendmicro scan too - no viruses, a couple of tracking cookies which i deleted but other than that - clean.

  6. #6
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    It might worth running Microsoft AntiSpyware Beta (until a AO Senior can take a look at your log). Quite a few people have had some luck with it.

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  7. #7
    Member
    Join Date
    Dec 2004
    Posts
    81
    You said your antivirus has been acting up? How about your firewall?

    I know automated scans give mixed results, but I ran your HighjackThis file through HijackThis, but am unable to post the results. You would have to post your log there yourself, if you haven't done so already.

    But I got 11 unknown applications and the five possible nasty hits that zENGER mentioned. I tried to search the 11 unknowns in different combinations, but was unsuccessful in turning up any solid hits on those items in question exept this one:

    O4 - Global Startup: Fax Sr. Notify.lnk = C:\FaxSrCli\Notify.exe

    When I ran Notify.exe through google I got a hit from symantec about a Backdoor.Armageddon.B found here. . Though it is not the exact same extension as the one found on your logs, it was using a Notify.exe

    Backdoor.Armageddon.B is a variant of a zoo Trojan. It is a server that is accessed through any number of known clients.

    When it runs, the executable moves itself to %windir%\System\Notify.exe.

    It modifies the %windir%\System.ini file so that it will run when you restart Windows. In the [boot] section of the file, it appends %windir%\system\Notify.exe to the shell= line. Typically this line is shell=explorer.exe, although some systems have additional boot shells loaded.
    NOTES:

    * %windir% is a variable that refers to the folder in which Windows is installed. By default this is C:\Windows or C:\Winnt..
    * The modification to the System.ini file is effective only on Windows 95/98/Me-based computers.
    I am far from an expert, so it could be nothing. I was about to just move on until after reading this thread about 3 or 4 times when I noticed that you mentioned that your AV was acting up and that you were reinstalling it this last time I looked the thread back over (actually, I did notice that the first time, but never made a connection till last) and remembered seeing this there, as well, at the very top on what a Backdoor.Armageddon.B does:

    Backdoor.Armageddon.B allows unauthorized access to the infected computer. When it is run, it disables antivirus and firewall software.
    And this, also under "Notes":

    When the infected computer is started, the Trojan notifies the hacker. This Trojan uses port 6969. It also searches for major antivirus and firewall packages, and disables them if they are running.
    So that is why I was asking you about your AV and firewall, because I recalled you mentioning that, and that is what lead me to post after all. Again, I am not an expert in this matter, but I just wanted to see if I could find anything out for you. I'm just trying to help find a solution, so, don't kill the messenger Hope this is of some use to you.

    Cheers!
    \"Champagne for my real friends, real pain for my sham friends\"-Ed Norton/25th Hour

  8. #8
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Might want to run "netstat -ao" on the machine and find out what ports its listening on.

    Also, might want to use msconfig and turn EVERYTHING off, and give it a go that way. You can then easily turn everything back on. Identify what processes run even after everything is turn off after a reboot.

  9. #9
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Zenger, those are legit (as Tryska said) check this out:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Atlanta Regional Commission
    Also, 192.168.1.14 & 192.168.1.140 are probably the IP addresses of the primary and secondary DNS servers for atlantaregion.com.

    I only have one other piece of info to add to this thread in regards to Igfxtray.exe and Hkcmd.exe
    From AnswersThatWork:
    Recommendation :
    Although great in theory, on some PCs we have found that whenever IGFXTRAY and HKCMD are running, Windows Explorer is prone to hanging and showing as "not responding" in the Task List. Our recommendation, therefore, is that you should not have this tray icon running, and that you should also not use the hotkey facility that comes with it.
    This is more or less a personal judgement call as neither process is malicious in nature.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  10. #10
    Member
    Join Date
    Feb 2005
    Posts
    60
    i should prolly have mentioned this is a corporate machine - behind a firewall that's not acting up, faxsr notify is a legit program and i got sophos back up and running. for soem reason on my machine it stops updating and uninstalls itself every few days. I have a feeling it might be because i restart my machine each night, and it's pending an actual login before starting and maybe gets locked up. I'm not really sure, but i will test it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides