
Thread: help with ad.firstadsolution

  1. #1
    Junior Member
    Join Date
    Jul 2006
    Posts
    10

    help with ad.firstadsolution

    If someone could help me get rid of this I would appreciate it.
    Here is the source code for the pop-up which was exe from a download I got recently.

    .HTML.
    .BODY style="margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px;".
    .!-- Tag for size prepopped for site NT - MB-U Direct: Run-of-site - DO NOT MODIFY --.
    .SCRIPT TYPE="text/javascript" SRC="http://ad.firstadsolution.com/rmtag2.js"../SCRIPT.
    .SCRIPT language="JavaScript".
    var rm_host = "http://ad.firstadsolution.com";
    var rm_section_id = 3926;
    var rm_banned_pop_types = 23;
    var rm_pop_frequency = 0;

    rmShowPop();
    ./SCRIPT.
    ./BODY.
    ./HTML.
    .!-- END TAG --.


    Here are some of the sites that it brings me to.

    realrealities(dot)com, locatebest and goodrumor.

    Here are some html pages it attaches to the above. Which only show up in the temp inet folder after it's done exe them.

    m12071071(dot)html, m226581101 and a few more.. I have it captured on filmon if someone needs a peek at it let me know.

    ad.firstadsolution goes to "rightmedia" which they are claiming innocent.

    sites w content on pulled up pages..
    ad-w-a-r-e
    ad.yieldmanager
    mpmediaholdings
    statcounter
    and mobilesidewalk

    Any help would be GREATLY appreciated! I've spent HOURS trying to remove this.

    Spybot does not work.
    I think this is fairly new adware from what I gathered.

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    Junior Member
    Join Date
    Jul 2006
    Posts
    10

    Sorry didn't work.

    Didn't work.
    Here is a HijackThis log. I cleared almost everything out I could so it's nice and clean but I am STILL having this ad.firstadsolution problem. After Brute force, ATF cleaner and Spybot S&D. The "Ewido anti-malware" I couldn't install because I have win98.


    Logfile of HijackThis v1.99.1
    Scan saved at 12:41:23 AM, on 8/1/06
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    Unfortunately EWIDO does not support Win 98. This one does:

    http://www.emsisoft.com/en/software/free/

    It is called A-Squared. Usual drill................download, install, update and reboot into SAFE MODE

    Spybot S&D has an option to start in "advanced mode" I generally recommend that you turn this on. Then use the "tools" section to check out what you have in your BHO's and other "out of sight" places. Please let me know if you find something that you don't recognise and don't feel happy with deleting.

    Try getting CrapCleaner and running that in safe mode. It is more a housekeeping and stability tool, but it can get rid of some malware in the process. I like it as a tool anyway (from the housekeeping angle)

    http://www.ccleaner.com/

    Check your Java folders in IE and clear out the cache and history.

    Good luck

  5. #5
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Hi


    That particular nasty is part of the LOP family and most probably came with Messenger Plus 3, do you use MS Plus 3, if so, you will need to uninstall and re-install without the 3rd party extras..(C2Media)

    How to remove MS Plus 3

    Messenger Plus Bundling Lop.com

    Many of you may have heard of a program called Patchou's "Messenger Plus". I used it myself once, before I discovered Trillian. Similar to the many front end programs for Internet Explorer (Avant browser, MyIE2, etc), Messenger Plus adds a user interface to Microsoft's MSN Messenger that contains extra features.

    Patchou has brought in C2Media as a sponsor and is now bundling their lop.com software into Messenger Plus. For those of you who have never heard of it, lop.com software is classified as a trojan by antivirus vendors and as a browser hijacker by antispyware vendors. You can find plenty of information about it by doing a Google search for lop.com. Just be warned - some of the language used by lop victims will melt your monitor.

    No single parasite has caused as many support threads at our message boards as lop.com (although Xupiter comes close). Ad-aware, Spybot, and all other spyware removal programs target several older variants of lop.com. It now comes in a version that is nearly impossible to detect automatically. It uses randomly named files, randomly generated CLSID identifiers, and uses activex installation methods that let them update all of their installers at once.

    Before this change, the number of lop.com complaints actually had gone down because it was so easy to remove and could even be blocked beforehand. Since C2Media introduced these new versions that mutate randomly, the number of infections has become larger than ever. The only sure way to be rid of it is to ask for help at the SWI support forums.

    Patchou, the developer of Messenger Plus, has issued a statement regarding the complaints he's been receiving due to his new "sponsor". To all of the people who are saying that they won't use his program because of lop.com, he has this to say, "I don't want to be rude but if you boycott version 2.10.36, you're an idiot."


    Whether it makes you an idiot or not, I strongly recommend that everyone stay as far away from Patchou's Messenger Plus as possible. If you have installed it already and now have lop.com's software all over your system, uninstalling Messenger Plus supposedly will also remove lop. If that doesn't work, then please read this FAQ and follow the instructions. We are very experienced at removing this thing and can easily walk you through it.


    Guide

    This is assuming you have Messenger Plus 3 installed, your log was cut-off so was unable to determine if you had it or not.....

    msgplus - msgplus.exe - Process Information

    Process File: msgplus or msgplus.exe
    Process Name: MSN MessengerPlus

    Description:
    msgplus.exe is distributed as a third party MSN extension. However, it is also spyware if installed with the sponsor program it offers to install. If this optional sponsor program was installed, this process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. Please see additional details regarding this process.
    http://www.liutilities.com/products/...brary/msgplus/
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  6. #6
    Junior Member
    Join Date
    Jul 2006
    Posts
    10
    Nope don't use the msgplus.

    The 'emsisoft' locks up on me.

    and I can't get into safe mode. reads I believe "error 021" stuck key. That's when I hold the CTRL key down.. F8 does the same.

    Here is HJT log


    Logfile of HijackThis v1.99.1
    Scan saved at 10:38:18 AM, on 8/1/06
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.antionline.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab

  7. #7
    Junior Member
    Join Date
    Jul 2006
    Posts
    10

    Got safemode up

    OK I got safemode running. Ran about 6 different antiwares while in safemode.. NONE of them helped.

    If anyone knows HOW to fix this PLEASE let me know.. This is VERY frustrating. I've installed around 10 antiware programs and NONE work. I've read about 40 posts on different message boards on this. Some people even claim their problems were fixed. Mine do not however despite following things to the letter on most. Maybe it's the OS difference I don't know.

    So if anyone knows FOR SURE how to resolve this problem PLEASE PLEASE let me know.

    Thanx!

  8. #8
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    When did it start? A week ago? Two weeks ago? Do a search for any .exe's, .dll's, .tmp's and .~ (null) files that are timestamped from the period. I wrote a tutorial on manually removing rogue apps, might take a look at it (if you read it though, don't rush to start deleting files willy-nilly).

    Did you install and run Ccleaner as suggested by nihil?

    May I also suggest another web browser on your computer? Opera and/or Firefox should work fine and you'll have something that doesn't drive you crazy in the meantime.

    That HJT log is as thin as I've ever seen one. Is your HJT log generated from safe mode? If it is, try posting an HJT log from a normal startup.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
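
    The timestamp search suggested in the post above, sketched as an added example (not part of the original thread or of the tutorial it mentions). It only lists candidates for manual review and deletes nothing; the sample file names, the 7-to-14-day window, and reading ".~" as "extension starting with ~" are assumptions.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Extensions named in the post; treating ".~" as "extension starts with ~" is an assumption.
SUSPECT_EXTS = {".exe", ".dll", ".tmp"}

def is_candidate(name):
    ext = os.path.splitext(name)[1].lower()
    return ext in SUSPECT_EXTS or ext.startswith(".~")

def files_in_window(root, start, end):
    """Return (mtime, path) for candidate files modified in [start, end], oldest first.

    Read-only: nothing is deleted or moved, the list is for manual review.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root, onerror=lambda e: None):
        for name in names:
            if not is_candidate(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
            except OSError:
                continue  # locked or vanished file: skip it and keep scanning
            if start <= mtime <= end:
                hits.append((mtime, path))
    return sorted(hits)

def demo():
    """Build a constructed sample tree, scan it, and return the matching file names."""
    now = datetime.now()
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed names mapped to age in days
            "old_driver.dll": 400,
            "setup_extra.exe": 10,
            "a1b2.tmp": 9,
            "notes.txt": 9,
            "backup.~mp": 8,
        }
        for name, age_days in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"sample")
            ts = (now - timedelta(days=age_days)).timestamp()
            os.utime(path, (ts, ts))
        hits = files_in_window(root, now - timedelta(days=14), now - timedelta(days=7))
        return [os.path.basename(p) for _t, p in hits]

if __name__ == "__main__":
    print("\n".join(demo()))
```

    Sorting by modification time puts files that were written together next to each other, which helps when the names themselves are random.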

  9. #9
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    You're running Win 98 SE, do you still have the CD, you can try a format and re-install http://www.hardwarehell.com/fdisk.htm

    What's your specs for your PC, can you upgrade to XP, support for Win 98 SE is over for security patches

    Microsoft has already pulled the plug on Windows 98, Windows 98 SE and Windows ME with the June security update ! They have issued this statement:

    "The Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) Windows Explorer architecture is much less robust than the more recent Windows architectures. Due to these fundamental differences, after extensive investigation, Microsoft has found that it is not feasible to make the extensive changes necessary to Windows Explorer on Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) to eliminate the vulnerability. To do so would require reengineering a significant amount of a critical core component of the operating system. After such a reengineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate on the updated system."

    Microsoft Life Cycle Support

    Termination of Support effect on Security
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  10. #10
    Junior Member
    Join Date
    Jul 2006
    Posts
    10

    avoiding

    It's not that much of an annoyance to go thru all that. But it is a pain.. So any other suggestions?
