Spyware? Popup? ...annoying

scott Medina, Ohio Icrontian
edited January 2004 in Science & Tech
On my kid's computer... she keeps getting a "Golden Casino" pop-up every time she restarts her machine. There is even a "Casino" folder in the root of C:. I have run Ad-Aware and Spybot S&D and immunized with S&D; neither of them found anything. So I deleted the folder and removed the registry entries for "Casino", ran RegSupreme and rebooted. It downloaded it again and popped it up. Grrrr. So I ran HijackThis, found a few obvious things and removed them. Still there... The rest of what HijackThis returned... I have no idea what I am looking at, except the obvious Norton stuff and Spybot. Do any of you see anything obvious?

Thanks

Scott

Comments

  • CB Ƹ̵̡Ӝ̵̨̄Ʒ Der Millionendorf- Icrontian
    edited January 2004
    Do you know what that second-to-last line is? It looks fishy to me...
  • Thrax 🐌 Austin, TX Icrontian
    edited January 2004
    I agree. Looks fishy to me too, as does the fourth one up from the bottom.
  • ginipig OH, NOES
    edited January 2004
    You should consider scheduling adaware/spybot runs at bootup.

    Edit: also, what is the nature of the popup? Is it within your browser's window? Or is it just a plain box message?

    If you're using Windows XP, you should go to www.grc.com (Gibson Research, frequently featured on TechTV) and download an app called Shoot The Messenger. While you're there, you may also want to download a few of the other XP-related tweaks (UPnP, DCOMbobulator).
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited January 2004
    HKLM\....\run: C:\Windows\UpdReg.exe

    spyware or trojan
    HKLM\..\run: C:\windows\zmmcwqpe.exe

    virus, trojan, crapware. Same with:
    HKLM\..\run: C:\windows\system32\hywjdjju.exe

    and what CBDroege said.

    Plus, that X:\Ares\ thing looks crappy to me too.
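The Run entries primesuspect picks out share two tells: a machine-generated-looking file name, and an executable dropped straight into the Windows folder rather than under Program Files. Below is an added example (mine, not HijackThis's logic and not code from this thread) that applies exactly those two heuristics to HijackThis-style "O4" lines. The log text is constructed: the thread's real log was not preserved, so the first three entries reproduce the ones quoted above and the rest are ordinary legitimate entries included so the rules have something to leave alone. The randomness rule (few vowels, long consonant runs) is my own rough heuristic and will miss or mis-score some names.

```python
import re

# Constructed sample in HijackThis "O4" style (not the thread's original log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [UpdReg] C:\\Windows\\UpdReg.exe
O4 - HKLM\\..\\Run: [zmmcwqpe] C:\\windows\\zmmcwqpe.exe
O4 - HKLM\\..\\Run: [hywjdjju] C:\\windows\\system32\\hywjdjju.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O1 - Hosts: 10.0.0.1 www.example.com
"""

# Matches "HKLM\..\Run:" / "HKCU\..\RunOnce:" lines, with or without the [Name] part.
RUN_LINE = re.compile(
    r"(?P<hive>HK(?:LM|CU))\\.*?\\Run\w*:\s*(?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.+)$", re.I)
VOWELS = set("aeiou")
# Directories where a loose .exe in the Run key deserves a second look.
WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt")


def extract_exe(cmd):
    """Return the executable path from a Run value, handling quoted and unquoted forms."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def looks_random(stem):
    """Heuristic (my own): names of 6+ letters that are almost all consonants,
    like the two quoted in the thread, look machine-generated."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in VOWELS for c in letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowels == 0 or vowels / len(letters) < 0.15 or longest >= 5


def triage(lines):
    """Flag Run-key entries worth looking up, with the reason for each."""
    findings = []
    for line in lines:
        m = RUN_LINE.search(line)
        if not m:
            continue
        path = extract_exe(m.group("cmd"))
        parent, _, filename = path.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        reasons = []
        if parent.lower() in WINDOWS_ROOTS:
            reasons.append("executable sits directly in the Windows folder")
        if looks_random(stem):
            reasons.append("random-looking file name")
        if reasons:
            findings.append({"hive": m.group("hive").upper(), "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['hive']} {f['path']}: {'; '.join(f['reasons'])}")
```

Run against the sample it reports UpdReg.exe (location), zmmcwqpe.exe (location and name) and hywjdjju.exe (name), and stays quiet on the QuickTime, Real and ctfmon entries. A hit is a prompt to look the file up, as Tex suggests further down, not a verdict.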
  • dodo Landisville, PA
    edited January 2004
    That would be a virus. I just fixed a problem like this; I can't remember its name though. It generates a randomly named file, like "hywjdjju.exe".

    ~dodo
  • Tex Dallas/Ft. Worth
    edited January 2004
    The updatereg and the hywjdjju.exe are bad mojo. You can also Google for all those run programs to see what they are or who the heck put them there.
  • scott Medina, Ohio Icrontian
    edited January 2004
    Thanks guys

    I will check those as soon as she gets up (snow day).
    I am pretty sure the 2nd-to-last line is some RealPlayer nonsense,
    and the 4th up is some QuickTime nonsense.
    The Ares entry is a Kazaa/Napster-like prog... I know, I know.

    And the offending pop-up opens her browser, IE, so I do not think it is the RealPlayer or QuickTime entries.
    I will check the "update reg" and "hywjdjju.exe" entries and report back.

    Thanks again


    Scott
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited January 2004
    RealPlayer is as good as spyware, IMO. A Google on Ares brings up this from Symantec. Great, now the virii guys are working with the spam guys.

    I suggest a multi-pronged attack against this crap. First, anti-virus, then SpyBot, then CWShredder. CWShredder will remove any CoolWebSearch crap (which *everyone* seems to get these days) and also fix any changes in your HOSTS file. A word of advice to everyone: make your HOSTS file read-only so that spyware/adware/malware programs can't make changes to it!

    After you get rid of all the crap, download and install SpyWareBlaster which will prevent this stuff from coming back, or at least 99% of it anyway. The spyware makers come out with variants faster than the anti-spyware guys can update the definitions.
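Two of Kwitko's points, HOSTS-file tampering and the read-only attribute, are easy to check by hand, and the example below does both. It is an added example, not code from this thread or from CWShredder. The HOSTS content is constructed (the addresses and hijacked names are made up), and the list of "protected" vendor domains is my own short list rather than anything a real tool ships. The two things it looks for are entries that send a real site somewhere other than loopback (a hijack) and loopback or 0.0.0.0 entries for security and update sites (a classic way of stopping the antivirus from updating); plain ad-blocking entries are left alone. The read-only check relies on Python mapping the Windows read-only attribute onto the write bit of `st_mode`, which it does on both Windows and POSIX.

```python
import ipaddress
import os
import stat
import tempfile

# Constructed stand-in for C:\WINDOWS\system32\drivers\etc\hosts; not a real capture.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.doubleclick.net              # user-added ad block, harmless
10.11.12.13     www.google.com                  # hijack: popular site sent elsewhere
127.0.0.1       securityresponse.symantec.com   # sinkholes the AV vendor
0.0.0.0         liveupdate.symantecliveupdate.com
garbage-line-without-address
"""

# My own illustrative list of domains that malware likes to sinkhole (not exhaustive).
PROTECTED_SUFFIXES = ("symantec.com", "symantecliveupdate.com", "mcafee.com", "sophos.com",
                      "kaspersky.com", "grisoft.com", "lavasoft.de", "safer-networking.org",
                      "windowsupdate.com", "microsoft.com")


def audit_hosts(text):
    """Return (line_number, name, reason) tuples for suspicious HOSTS entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, entry, "unparseable entry"))
            continue
        sinkholed = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:
            lname = name.lower()
            if lname == "localhost":
                continue
            if not sinkholed:
                findings.append((lineno, name, f"redirected to {addr}"))
            elif lname.endswith(PROTECTED_SUFFIXES):
                findings.append((lineno, name, "security/update site blocked"))
    return findings


def is_read_only(path):
    """True when the owner write bit is clear; on Windows that is the read-only attribute."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def make_read_only(path):
    """Set the read-only attribute (Windows) / clear write bits (POSIX)."""
    os.chmod(path, stat.S_IREAD)


def demo_read_only():
    """Show the read-only check on a scratch file; returns (before, after) and cleans up."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        before = is_read_only(path)
        make_read_only(path)
        after = is_read_only(path)
    finally:
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
        os.remove(path)
    return before, after


if __name__ == "__main__":
    for lineno, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name}: {reason}")
    hosts_path = r"C:\WINDOWS\system32\drivers\etc\hosts"   # XP location
    if os.path.exists(hosts_path):
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            for lineno, name, reason in audit_hosts(fh.read()):
                print(f"{hosts_path} line {lineno}: {name}: {reason}")
        print("hosts file read-only:", is_read_only(hosts_path))
```

On the sample this reports the google.com redirect, the two Symantec sinkholes and the unparseable line, and nothing for the doubleclick entry. Making the file read-only stops the crude "append a line" loaders of the day; anything running as administrator can still flip the attribute back, so it is a speed bump rather than a lock.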
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited January 2004
    Right, and update IE to latest security patches. One of the IE vulns that helped let this happen was closed with recent IE patching, at least partially.

    Basically, Yahoo feeds a lot of ads in strange ways; unfortunately a YIM install these days can come with those kinds of things added in. AND, there was a Yahoo IMITATION phishing site set up for a while; it fed lots of junk you do NOT want and also phished. My XP box does not Yahoo much at all these days.

    While you are at it, clean out her Temporary Internet Files folder (I have seen a GIG worth in that folder), and her cookies. And pull any Alexa crap out of the box; it comes with ad hooks to strange places, and tracks surfing. Among other things, cleaning out the surfing caches will get rid of included web bugs....

    Tech note: A web bug is a one-pixel hot-spot on a page, hyperlinked usually to an ad feed or hijack code set. It can be the same color as the page background; a mouse hover, and in some cases passing the mouse pointer over the bug, can cause a JavaScript run that results in ads popping up. If you disable popups in IE 6 with all the latest security packs and go to Yahoo, you get strange results, but you can block popups by putting IE in high mode for Yahoo, or put the Yahoo domain in the high security list in IE also, or stick IE in default high security mode and except those sites you really want to go to that do not do this.

    When done, defrag the HD, your daughter's box will be a lot happier.

    John.
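John's tech note describes what a web bug looks like in the page source: a one-pixel or hidden image pulled from a third-party host, sometimes next to a mouse-over handler that fires script. As an added example (mine, not from this thread), the following scanner uses Python's standard `html.parser` to pull those features out of saved HTML, which is a reasonable way to look through a Temporary Internet Files dump. The HTML and the host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page snippet (not a real capture) containing one ordinary image,
# a 1x1 tracking pixel, a CSS-hidden image and a mouse-over pop-up hook.
SAMPLE_HTML = """\
<html><body>
<img src="http://www.example.com/logo.png" width="200" height="60">
<img src="http://tracker.example.net/pixel.gif?id=12345" width="1" height="1">
<img src="http://ads.example.net/b.gif" style="display: none">
<a href="#" onmouseover="window.open('http://ads.example.net/popup')">offer</a>
</body></html>
"""


class _TagCollector(HTMLParser):
    """Collect every start tag with its attributes (names lower-cased, None -> '')."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, {k.lower(): (v or "") for k, v in attrs}))


def _tiny(value):
    """True for width/height values of 0 or 1 (optionally with a px suffix)."""
    return (value or "").strip().lower().rstrip("px") in ("0", "1")


def find_web_bugs(html, page_host):
    """Return suspicious elements: tiny or hidden images (noting third-party
    sources) and elements with mouse-over script handlers."""
    parser = _TagCollector()
    parser.feed(html)
    findings = []
    for tag, a in parser.tags:
        reasons = []
        style = a.get("style", "").replace(" ", "").lower()
        if tag == "img":
            if _tiny(a.get("width")) and _tiny(a.get("height")):
                reasons.append("1x1 pixel image")
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden image")
            host = urlparse(a.get("src", "")).hostname
            if reasons and host and host != page_host:
                reasons.append(f"loaded from third-party host {host}")
        for event in ("onmouseover", "onmousemove"):
            if event in a:
                reasons.append(f"{event} script handler on <{tag}>")
        if reasons:
            findings.append({"tag": tag, "src": a.get("src", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_web_bugs(SAMPLE_HTML, "www.example.com"):
        print(f"<{f['tag']}> {f['src']}: {'; '.join(f['reasons'])}")
```

Passing the host the page was saved from lets the scanner separate a site's own spacer GIFs from a tracker on someone else's server; the logo in the sample is left alone, the other three elements are reported.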
  • kanezfan sunny south florida Icrontian
    edited January 2004
    I had to deal with something similar once, with the randomly named .exe files. I ran Spybot S&D, Ad-Aware, Norton, all numerous times, but it always came back. Then I tried Grisoft AVG Anti-Virus and it detected a trojan. Once I cleaned that out, it was gone. Give it a shot.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited January 2004
    you can take as many spyware precautions as you want, but what you have is a virus, and it very likely came from opening an infected email attachment. Teach your sister not to open emails with attachments.
  • scott Medina, Ohio Icrontian
    edited January 2004
    Well, it was a trojan, and rather deeply rooted at that. It took several attempts and reboots in safe mode to rid it from the system.


    Thanks guys !!

    Scott
  • profdlp The Holy City Of Westlake, Ohio
    edited January 2004
    Out of curiosity, which trojan was it and how did you kill it? :smiles:
  • scott Medina, Ohio Icrontian
    edited January 2004
    Norton AV found it. But it could not find it while running in normal mode. It did not find it until I was in safe mode? Hiding? It was called Download.Trojan. It was quarantined and deleted. I rebooted back into safe mode and ran it again; this time it found Downloader.MSCache. It too was quarantined and deleted. I then rebooted into safe mode again and ran NAV again and it found 2 more Downloader.MSCache. At this point I realized I never unplugged the network cable. Did that, quarantined and deleted, rebooted, safe mode, NAV...... Clean :clap: Rebooted to normal desktop with network and ran NAV again. Still gone. I just ran it again about 6 hours after the final purge... Still clean.

    The thing that gets me is where did it keep coming from? While I was in safe mode I chose the "Safe Mode", not "with networking". So either it was just hiding or somehow spawning itself. And Norton could not find it unless it was in safe mode. Weird :scratch:

    Also... I know it did not come from an email; she does not use it, she is an AIM'er. I checked her in and out boxes; the last thing she got was 2 months ago, and she has not sent anything in 3 months.

    Here is a tip someone told me a long time ago. It does not really do or stop anything; it just alerts you that "you've got problems".
    Make a new entry in your address book named AAAAAAAA with the email address AAAAAA@AAAAAA. If anything starts sending emails to your entire address book it will be the first to go, and come back "undeliverable". When you see that in your inbox: "You've got Problems".


    Thanks for all your help


    Scott
  • kanezfan sunny south florida Icrontian
    edited January 2004
    Probably by installing spyware.
  • profdlp The Holy City Of Westlake, Ohio
    edited January 2004
    As a final word of warning, if this is WinXP and you have System Restore enabled, you must disable it (this deletes all of the restore points), scan again, then re-enable System Restore and set a new restore point.

    System Restore has a habit of backing up trojans and viruses along with everything else... :rolleyes2