#1
Psycho
Location: the hills of aquafina.
yet ANOTHER pop-up question....
Before I begin, I refer you to my previous thread on this:
http://www.tfproject.org/tfp/showthr...threadid=56135
Now, suddenly my issues have returned. I am still getting pop-ups. I've done the recursive searches, virus scans, spyware scans, etc. I've searched through the registry and found it clean of common spy programs (alchem, over, pup, etc). I can find absolutely nothing wrong with my computer. However, whenever I open up an IE browser, I still get a pop-up, and then continue to get pop-ups at random intervals. I nab the URL of the pop-up and add it to my HOSTS file, yet the pop-ups seem to continue, even when their URL is set to the local address. Google searches have turned up nothing of any use, or nothing I haven't already tried. I am officially out of ideas. Someone....anyone.....pleazzz help! I'm about to whip out the Ghost if I don't solve this soon. *irritated*
__________________
"The problem with quick and dirty, as some people have said, is that the dirty remains long after the quick has been forgotten" - Steve McConnell
#3
Psycho
Location: the hills of aquafina.
thanks for the help anyways!
__________________
"The problem with quick and dirty, as some people have said, is that the dirty remains long after the quick has been forgotten" - Steve McConnell
#4
Psycho
Location: ask your mom
Running XP? Post a screenshot of your task manager, or use HijackThis.
Have you disabled the Messenger service? I'm working on some machines now that have a bugger of a trojan installed and really tricky spyware... so tricky that it tricks Spybot into "ignoring" it when it scans. You really should make sure that when you are scanning (with Spybot, Ad-Aware, or anti-virus), you make it as thorough as possible: use heuristics, scan archives, deep registry, etc.
__________________
aaarrrrrgggghhhh!!!!
#5
Talk nerdy to me
Location: Flint, MI
The answer you don't want to hear is: format the drive and start clean. It is a pain, but it is the guaranteed method of wiping them out.
I know it is a pain to have to back up your data (something you should be doing anyway) and then re-load all of your software. Speaking from experience, it is a sure-fire method. It also has the added benefit of weeding out all of the unused software. I recently did an upgrade and had a stack of all the old software I had been using on the old system. Instead of loading it all, I waited until I needed it. I still have about 5 CDs that I have not loaded. Looks like I wasn't using those programs.
__________________
I reject your reality, and substitute my own -- Adam Savage
#6
Psycho
Location: the hills of aquafina.
thanks guys!
__________________
"The problem with quick and dirty, as some people have said, is that the dirty remains long after the quick has been forgotten" - Steve McConnell
#7
Psycho
Location: Boston, MAss., USA
When you get the popup, what's the location it's coming from? Like search----x.cc (dashes added on purpose, in case someone clicked on it) is a particularly nasty one: it drops a hidden win.dll in the Windows folder that gets marked system and hidden, so most spy sweepers don't see it.
__________________
I'm gonna be rich and famous, as soon I invent a device that lets you stab people in the face over the internet.
#8
Psycho
Location: the hills of aquafina.
Ok, the HijackThis log file:
Logfile of HijackThis v1.97.7
Scan saved at 7:28:58 PM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\dropzone\System Utilities\SpyWare killer_www.thespykiller.co.uk\HijackThis.exe

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub...ctor/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/279ddf16c152275...p/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...801.4173611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
__________________
"The problem with quick and dirty, as some people have said, is that the dirty remains long after the quick has been forgotten" - Steve McConnell
#9
Psycho
Location: the hills of aquafina.
But not only from there, there are a couple of others. And I've checked, and ALL of these pop-up URLs are in my HOSTS file and pointed locally.
__________________
"The problem with quick and dirty, as some people have said, is that the dirty remains long after the quick has been forgotten" - Steve McConnell
#10
Psycho
Location: the hills of aquafina.
dammit Jim!! Just caught this trying to access the internet:
wupdt.exe
Why are AVG and Norton not catching this stuff?!? Why are we paying money for this anti-virus software shite?!? //and here I thought I was virus free. S.O.B!!!!!
__________________
"The problem with quick and dirty, as some people have said, is that the dirty remains long after the quick has been forgotten" - Steve McConnell
#11
Psycho
Location: Boston, MAss., USA
http://www.pestpatrol.com/PestInfo/I/IEPlugin.asp
This looks like what you have, and it includes a removal process. Ahe, cap'n, aye canna change de lews oof pisics!
__________________
I'm gonna be rich and famous, as soon I invent a device that lets you stab people in the face over the internet.
#12
lost and found
Location: Berkeley
The Net Transport 2 DLL doesn't ring a legitimate bell. Checking out their website, it's a download assistant that trumpets "the fastest and most powerful downloading tools that is ever made available online for free access and distribution" blah blah blah...for free. You can disable it by turning off BHOs (Browser Helper Objects) in IE.
Tools > Internet Options > Advanced tab. Scroll down a little bit and uncheck the box that says "Enable third-party browser extensions." Restart IE, browse around a little, and see if the problem doesn't go away. There are little apps you can download that allow you to selectively disable BHOs, but I can't think of one offhand. And I assume you disabled the Windows Messenger service, if you're using XP.
__________________
"The idea that money doesn't buy you happiness is a lie put about by the rich, to stop the poor from killing them." -- Michael Caine
#13
Addict
Location: Nor Cal
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
Part of the VX2 Transponder series of crap. If you haven't already, get a trial of Spy Sweeper and run it. Then reboot and rerun Spy Sweeper. If twaintec is still loaded, then you will need a program called VX2Finder. I had a Win98 machine last week that took me a bit to figure out, but it ended up being a DLL file being called from some obscure place in the registry. PestPatrol was the only program that actually worked for me (Ad-Aware, Spybot, Spy Sweeper and 2 others didn't see it); the trial of PestPatrol won't remove it but will at least tell you what needs to go. Hope this helps.
__________________
Over Thinking, Over Analyzing Separates the Body from the Mind - MJK
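A small triage script for HijackThis log lines like the ones posted in this thread, added here as an example (it is not from the thread, nor part of HijackThis). It parses O2 (BHO) and O16 (DPF) entries and flags the two shapes the posts above single out: an unnamed BHO whose DLL sits directly in C:\WINDOWS rather than under a program's own folder (the twaintec.dll entry), and an ActiveX control downloaded from a bare IP address; the flagging rules are my own assumptions, not HijackThis's.

```python
import re

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/279ddf16c152275...p/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
"""

# O2 = Browser Helper Object (a DLL IE loads at start), O16 = ActiveX control IE downloaded.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+)$", re.I)
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-F-]{36}\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$", re.I)
WINDIR_DLL_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.dll$", re.I)   # DLL in the Windows root itself
BARE_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")


def triage_line(line):
    """Parse one log line; return (kind, detail, reasons) or None if it is not an O2/O16 entry."""
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        reasons = []
        # Assumed heuristic: an unnamed BHO whose DLL sits directly in C:\WINDOWS,
        # not under a program's own folder, is the shape of the twaintec.dll entry.
        if m["name"].lower() == "(no name)" and WINDIR_DLL_RE.match(m["path"]):
            reasons.append("unnamed BHO loaded from the Windows directory root")
        return ("BHO", f"{m['clsid']} {m['path']}", reasons)
    m = DPF_RE.match(line)
    if m:
        reasons = []
        if BARE_IP_URL_RE.match(m["url"]):
            reasons.append("ActiveX control fetched from a bare IP address")
        if not m["name"]:
            reasons.append("DPF entry carries no class name")
        return ("DPF", f"{m['clsid']} {m['url']}", reasons)
    return None


def suspicious_entries(log_text):
    """Return every parsed entry that raised at least one flag, in log order."""
    parsed = (triage_line(l) for l in log_text.splitlines())
    return [entry for entry in parsed if entry and entry[2]]


if __name__ == "__main__":
    for kind, detail, reasons in suspicious_entries(SAMPLE_LOG):
        print(f"{kind}: {detail} -> {'; '.join(reasons)}")
```

Run it against a full log by passing the file's contents to suspicious_entries; entries it does not flag still deserve a look, since a legitimate-looking path is no proof of a legitimate DLL.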
#14
Psycho
Location: the hills of aquafina.
Well, last night was the final straw. I got rid of wupdt.exe, thought everything was ok, then suddenly I've got new processes running, some of which are winlogon.exe, and csrss.exe.
That convinced me..... so a ghosting we will go. 5 minutes later I've got a clean XPPro SP1a image. So now, I guess this should turn into a poll about the best anti-virus program. For now I'm running ZoneAlarm Pro, with a 30-day trial of etrust handling the antiV duties. Norton is going in the garbage, as it was the software I was running during this whole time of infection. I don't even know how long I've been infected! What a piece of shite software!
__________________
"The problem with quick and dirty, as some people have said, is that the dirty remains long after the quick has been forgotten" - Steve McConnell
Last edited by cartmen34; 05-27-2004 at 04:59 AM.
#15
Addict
Location: Nor Cal
__________________
Over Thinking, Over Analyzing Separates the Body from the Mind - MJK
#16
Go Cardinals
Location: St. Louis/Cincinnati
I have McAfee and have it set to notify me whenever a program attempts to use the internet. Annoying at first when you first use IE, AIM, or any other program, but you can set it to ignore those. So if some other program tries to access the internet, you can disable it.
__________________
Brian Griffin: Ah, if my memory serves me, this is the physics department. Chris Griffin: That would explain all the gravity.
#19
Psycho
Location: the hills of aquafina.
http://securityresponse.symantec.com...door.hale.html
Winlogon.exe....also from Symantec: http://securityresponse.symantec.com...or.trodal.html
__________________
"The problem with quick and dirty, as some people have said, is that the dirty remains long after the quick has been forgotten" - Steve McConnell
#20
Addict
Location: Nor Cal
I do stand corrected...somewhat. The file csrss IS a Windows file. Winlogon IS a Windows file. The question then is where the files are located. In your HijackThis log you state:
C:\WINDOWS\system32\winlogon.exe
That's normal, and as such is not an issue.
__________________
Over Thinking, Over Analyzing Separates the Body from the Mind - MJK
#21
Psycho
Location: the hills of aquafina.
Thanks brain. *Thinks to self...details man, details. Get all your details straight!!* lol
__________________
"The problem with quick and dirty, as some people have said, is that the dirty remains long after the quick has been forgotten" - Steve McConnell
#22
Crazy
Location: in the midst of a dissociative fugue
Silverbrain was right, it was VX2 causing your problems, FOR SURE. I am currently fucking around with my machine trying to get VX2 off of it. It is THE MOST pernicious piece of spyware I personally have ever encountered. ADAWARE AND SPYBOT S&D DO NOT GET RID OF IT!!!! YOU NEED TO FIND SOMETHING ELSE....