yet ANOTHER pop-up question....
Before I begin, I refer you to my previous thread on this:
http://www.tfproject.org/tfp/showthr...threadid=56135

Now, suddenly my issues have returned. I am still getting pop-ups. I've done the recursive searches, virus scans, spyware scans, etc. I've searched through the registry and found it clean of common spy programs (alchem, over, pup, etc). I can find absolutely nothing wrong with my computer. However, whenever I open up an IE browser, I still get a pop-up, and then continue to get pop-ups at random intervals. I nab the URL of the pop-up and add it to my HOSTS file, yet the pop-ups seem to continue, even when their URL is set to the local address. Google searches have turned up nothing of any use, or nothing I haven't already tried. I am officially out of ideas. Someone....anyone.....pleazzz help! I'm about to whip out the Ghost if I don't solve this soon. *irritated* :(
Go to add/remove programs and look for an enabler. Remove every suspect program.
thanks for the help anyways!
running XP? post a screenshot of your task manager. or use HijackThis.
have you disabled the messenger service? i'm working on some machines now that have a bugger of a trojan installed and really tricky spyware... so tricky that it tricks spybot into "ignoring" it when it scans. you really should make sure that when you are scanning (with spybot, adaware, or anti-virus), that you make it as thorough as possible. use heuristics, scan archives, deep registry, etc.
The answer you don't want to hear is format the drive and start clean. It is a pain, but is the guaranteed method of wiping them out.
I know it is a pain to have to backup your data (something you should be doing anyways) and then re-load all of your software. Speaking from experience, it is a sure-fire method. It also has some added benefits of weeding out all of the unused software. I recently did an upgrade and had a stack of all the old software I had been using on the old system. Instead of loading it all, I waited until I needed it. I still have about 5 CDs that I have not loaded. Looks like I wasn't using those programs.
thanks guys!
When you get the popup, what's the location it's coming from? Like search----x.cc (dashes added on purpose, in case someone clicked on it) is a particularly nasty one, it drops a hidden win.dll that gets marked system and hidden, so most spy sweepers don't see it, in the windows folder.
Ok, the HijackThis log file:
Logfile of HijackThis v1.97.7
Scan saved at 7:28:58 PM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\dropzone\System Utilities\SpyWare killer_www.thespykiller.co.uk\HijackThis.exe

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...ctor/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/279ddf16c152275...p/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...801.4173611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
But not only from there, there are a couple others. And I've checked and ALL of these pop-up URLs are in my HOSTS file and pointed locally.
dammit Jim!! Just caught this trying to access the internet:
wupdt.exe
Why are AVG and Norton not catching this stuff?!? Why are we paying money for this anti-virus software shite?!? //and here I thought I was virus free. S.O.B!!!!!
http://www.pestpatrol.com/PestInfo/I/IEPlugin.asp
This looks like what you have, and it includes a removal process. Ahe, cap'n, aye canna change de lews oof pisics!
The Net Transport 2 DLL doesn't ring a legitimate bell. Checking out their website, it's a download assistant that trumpets "the fastest and most powerful downloading tools that is ever made available online for free access and distribution" blah blah blah...for free. You can disable it by turning off BHOs (Browser Helper Objects) in IE.
Tools>Internet Options>Advanced tab. Scroll down a little bit and uncheck the box that says, "Enable third-party browser extensions." Restart IE, browse around a little, and see if the problem doesn't go away. There are little apps you can download that allow you to selectively disable BHOs, but I can't think of one offhand. And I assume you disabled Windows Messenger Service, if you're using XP.
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
Part of the VX2 Transponder series of crap. If you haven't already, get a trial of spysweeper and run it. Then reboot, rerun spysweeper. if twaintec is still loaded then you will need a program called VX2Finder. I had a win98 machine last week that took me a bit to figure it out, but ended up being a DLL file being called from some obscure place in the registry. PestPatrol was the only program that actually worked for me, (adaware, spybot, spysweep, 2 others didn't see it) the trial of pest patrol won't remove it but will at least tell you what needs to go. Hope this helps.
Well, last night was the final straw. I got rid of wupdt.exe, thought everything was ok, then suddenly I've got new processes running, some of which are winlogon.exe, and csrss.exe.
That convinced me..... so a ghosting we will go. 5 minutes later I've got a clean XPPro SP1a image. So now, I guess this should turn into a poll about the best anti-virus program. For now I'm running ZoneAlarm Pro, with a 30-day trial of etrust handling the antiV duties. Norton is going in the garbage, as it was the software I was running during this whole time of infection. I don't even know how long I've been infected! What a piece of shite software!
I have McAfee and have it set to where it notifies me whenever a program attempts to use the internet. Annoying at first when you first use IE, AIM, or any other program, but you can set it to ignore those. So if some other program tries to access the internet, you can disable it.
As far as progs for scanning spyware, it seems that you should have at least two. I have Ad-Aware and SB-S&D. One catches stuff that the other doesn't.
Add SpySweeper to that list Slavakion, grab the free trial. Spyware removal is one of the bigger parts of my job and from experience I say that.
http://securityresponse.symantec.com...door.hale.html
Winlogon.exe....also from symantec: http://securityresponse.symantec.com...or.trodal.html
I do stand corrected...somewhat. the file csrss IS a windows file. Winlogon IS a windows file. The question then is where are the files located. In your hijack log you state:
C:\WINDOWS\system32\winlogon.exe
That's normal, and as such is not an issue.
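The checks these two posts make by hand (is a system-named process such as winlogon.exe or csrss.exe actually running from System32, is a nameless BHO loaded straight out of the Windows folder, is an ActiveX control being fetched from a bare IP address) written as a small triage script over HijackThis-style log lines. This is an added illustration, not code from the thread or from HijackThis; the sample log mixes entries quoted from the log posted above with one constructed line (C:\WINDOWS\Temp\csrss.exe), and the System32 path assumes the XP default install location.

```python
import re
from urllib.parse import urlparse

SYSTEM_ONLY = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe"}  # run only from System32
SYSTEM32 = "c:\\windows\\system32\\"  # XP default; assumption, adjust if %SystemRoot% differs

def check_process(path):
    # "Running processes:" lines: a system-named binary anywhere but System32 is suspect
    low = path.lower()
    if low.rsplit("\\", 1)[-1] in SYSTEM_ONLY and not low.startswith(SYSTEM32):
        return f"system-named process outside System32: {path}"
    return None

def check_bho(line):
    # O2 entries: a nameless BHO whose DLL sits directly in the Windows folder
    m = re.match(r"O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (.+)$", line)
    if m and re.fullmatch(r"c:\\windows\\[^\\]+", m.group(1).lower()):
        return f"nameless BHO loaded from Windows folder: {m.group(1)}"
    return None

def check_dpf(line):
    # O16 entries: an ActiveX control downloaded from a bare IP address rather than a hostname
    m = re.match(r"O16 - DPF: .* - (\S+)$", line)
    host = (urlparse(m.group(1)).hostname or "") if m else ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return f"ActiveX control fetched from bare IP {host}: {m.group(1)}"
    return None

def triage(log):
    # Run the three checks over every line; findings come back in log order
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        if not line or line.endswith(":"):
            continue  # blank lines and section headers such as "Running processes:"
        hit = check_process(line) if line[1:3] == ":\\" else (check_bho(line) or check_dpf(line))
        if hit:
            findings.append(hit)
    return findings

# Sample log: entries quoted from the thread plus one CONSTRUCTED line
# (C:\WINDOWS\Temp\csrss.exe) to show what the location check catches.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Temp\csrss.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/279ddf16c152275...p/RdxIE601.cab
"""
```

Calling `triage(SAMPLE_LOG)` returns three findings: the constructed Temp\csrss.exe, the twaintec.dll BHO, and the RdxIE control from 207.188.7.150; the winlogon.exe line and the Acrobat BHO pass.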
Thanks brain. *Thinks to self...details man, details. Get all your details straight!!* lol
Silverbrain was right, it was VX2 causing your problems, FOR SURE. I am currently fucking around with my machine trying to get VX2 off of it. It is THE MOST pernicious piece of spyware I personally have ever encountered. ADAWARE AND SPYBOT S&D DO NOT GET RID OF IT!!!! YOU NEED TO FIND SOMETHING ELSE....