Thread: Weird: Adware coming directly from PC

  1. #1

    Weird: Adware coming directly from PC

    Hey guys:

    Just wanted to ask. Every time I boot my PC (and at random intervals while it's on) a pop-up window, as in an ad, appears on the desktop. It happens always, even if I'm not connected. One can only assume that this is coming from some Ad-ware installed in the PC.

    I ran Ad-Aware, and even though I remove some things, I can never remove whatever is causing the pop-up, because it keeps happening. I suspect one of two things:

    1) It's very clever Ad-Ware with an elusive name to evade Ad-Aware.
    2) It might actually be "integrated" in the code for something already running.


    Either way, I need to ask if any of you have had this happen to them. Is there any way I can check where the code for the window is running from? I have checked the Task Manager, everything running is normal.

    It's not really that bothersome, but I would think it interesting to find a way to get rid of it, cuz it is kinda' annoying (interrupts my Battle.net games, grrrrrr).
    "I ONLY DRINK THE BLOOD OF MY ENEMIES....and maybe a strawberry yoohoo....and a...Pina Co-la-da!...
    If you like pina coladas....ugh!, gettin' caught in the rain....ugh!"
    -Sarge

  2. #2
    therenegade, Senior Member
    Join Date
    Apr 2003
    Posts
    400
    Could we have a peek at your HijackThis log?

  3. #3
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    666
    Hi MR.CD:\

    Hi

    Yes, seems like you definitely have adware. Try Spybot and PestPatrol too, or do an online scan with PestPatrol. You never know which one might work. Well, sometimes it happens that the other is able to detect it...

    Hey, and as therenegade said, give us your HijackThis log. Download HijackThis if you don't have it. Copy it to a permanent directory. Run a scan and post the log here. Let us see if we can find something in it...

  4. #4
    ShagDevil, Some Assembly Required
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    MR.CD,
    Could you elaborate a little more about what your OS is, and if you're on dial-up or cable/DSL?
    If you're on cable, you're always connected to the internet even if your browser isn't open.
    With this in mind, there are scum/spamware programs that can exploit the Messenger Service (don't confuse this with MSN Messenger) depending on if your OS has the Messenger Service.
    You can go here to see how to disable Messenger Service and see if that maybe fixes your problem.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  5. #5
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    As therenegade said, it would be great to have a peek at your HijackThis log.

    Please do this.
    Download Hijack This. Unzip to a convenient permanent folder, double click HijackThis.exe, and hit "Scan".
    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

  6. #6
    Ok, here it is:
    "I ONLY DRINK THE BLOOD OF MY ENEMIES....and maybe a strawberry yoohoo....and a...Pina Co-la-da!...
    If you like pina coladas....ugh!, gettin' caught in the rain....ugh!"
    -Sarge

  7. #7
    I don't like these. Maybe investigate those further. Don't forget to update Adaware, Spybot, and run them in safe mode. They are no good without the latest definitions. Even a week makes a difference in the definitions.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL (file missing)
    O2 - BHO: (no name) - {11F36258-4EF2-4A83-BEFD-C4627C4BD849} - C:\WINDOWS\SYSTEM\MSVLS31.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\APROPOSCLIENT\APROPOSPLUGIN.DLL (file missing)
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    Not sure about those, investigate them further (google). Don't delete anything you actually use. I pretty much just copy pasted the BHO's. Those typically are screwy, but make sure you investigate them thoroughly.

  8. #8
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Please close all windows (including this one!) and fix the following with HijackThis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnav.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL (file missing)
    O2 - BHO: (no name) - {11F36258-4EF2-4A83-BEFD-C4627C4BD849} - C:\WINDOWS\SYSTEM\MSVLS31.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\APROPOSCLIENT\APROPOSPLUGIN.DLL (file missing)
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL (file missing)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013635.exe
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/w...wdinstFull.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab


    Then reboot, download, UPDATE & run Spybot & Adaware to clean up the rest of the leftovers, reboot again, and post a fresh log. Try an online virus scanner too:

    http://housecall.trendmicro.com/
    http://www.bitdefender.com/scan/licence.php
    http://www.ravantivirus.com/scan/
    http://us.mcafee.com/root/mfs/default.asp?affid=294

    How on earth did you even browse on this thing??



    Edit: Here are some things to do/read to help keep yourself clean:
    Here's some recommended reading for you: So how did I get infected in the first place?

    Also, take this PC through Windows Update and make sure you have all CRITICAL updates.
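
A small triage pass over HijackThis-style log lines like the ones picked out in the two posts above, as an added example that is not part of any poster's message and not HijackThis's own logic. The sample entries are copied from the thread; the four rule names and their heuristics are assumptions of this example and only mark entries for manual review, they do not decide what to fix.

```python
import re

# Constructed sample: a few entries copied from the log lines quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013635.exe
"""

# "<section id> - <rest>", e.g. "O2 - BHO: ..." or "R3 - URLSearchHook: ..."
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

# Heuristics below are assumptions of this example (hypothetical rule names).
RULES = [
    # Registry entry still present but the file it points to is gone.
    ("orphaned", lambda s, b: "(file missing)" in b or "(no file)" in b),
    # Browser Helper Object DLL dropped straight into the Windows directory.
    ("bho-in-windir", lambda s, b: s == "O2" and re.search(
        r"- C:\\WINDOWS\\(SYSTEM\\)?[^\\]+\.DLL", b, re.I)),
    # Autorun entry that loads a DLL through rundll32 instead of a named program.
    ("rundll32-autorun", lambda s, b: s == "O4" and re.search(
        r"\brundll32(\.exe)?\b", b, re.I)),
    # ActiveX download (DPF) fetched from a bare IP address rather than a hostname.
    ("activex-from-raw-ip", lambda s, b: s == "O16" and re.search(
        r"https?://\d{1,3}(\.\d{1,3}){3}[/:]", b)),
]

def triage(log_text):
    """Return (section, reasons, body) for every entry matching at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, blank line or running-process list
        section, body = m.groups()
        reasons = [name for name, rule in RULES if rule(section, body)]
        if reasons:
            findings.append((section, reasons, body))
    return findings

if __name__ == "__main__":
    for section, reasons, body in triage(SAMPLE_LOG):
        print(f"{section:<3} {','.join(reasons):<30} {body}")
```
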


  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Download Hijack This. Unzip to a convenient permanent folder, double click HijackThis.exe, and hit "Scan".
    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
    It's like deja-vu
