A brand new malware (Defender doesn't recognize it yet): advertismen

Discussion in 'Computer Security' started by georgiabiker, Apr 29, 2006.

  1. Ok, after stupidly downloading an exe that I thought was legitimate, I ran it
    and (again, stupidly) clicked right on through the license screen. Then I
    lost all copy and paste functions in Firefox and started getting popups on
    sites that I know don't advertise. I ran Windows Defender and Adaware and no
    one picked it up. After googling the issue, I found this page, which offered
    the following solution:
    Kyriakos' Personal Blog: Weird files (advertismen.com and pushowXX.dll)
    http://cyrusanas.blogspot.com/2006/04/weird-files-advertismencom-and.html#links

    This time I noticed that somewhere in the text of the terms and conditions a
    company named "ADVERTISMEN.COM" appeared. Tried to google it but wasn't
    lucky. I also did a DNS lookup of the url and found out that the domain name
    was registered on the 5th of April of 2006. Is it a new spyware?
    .... the install.exe had installed two files in the windows/system32 folder.
    The files were called pushow67.dll and pushow55.dll. I used DLL Export Viewer
    to find out that they exposed one interface called "Uninstall". It also
    created a registry key under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
    called "UninstallString" with value:
    rundll32.exe C:\WINNT\system32\pushow55.dll Uninstall

    It also created another key under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    called AppInit_DLLs. The value was pushow55.dll.

    Hope this helps anyone else with this problem.
     
    georgiabiker, Apr 29, 2006
    #1
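The two persistence points described in the post (an AppInit_DLLs value and an Uninstall entry whose UninstallString calls rundll32 on a system32 DLL) can be audited from an elevated PowerShell session. This is an added example, not code from the thread or from any of the tools mentioned in it; the function names are mine, and the Wow6432Node paths and LoadAppInit_DLLs value only exist on later 64-bit/Vista+ systems, so they are simply skipped where absent.

```powershell
# Added example: audit the two registry locations the first post describes.
# Run as Administrator. Only pushow*.dll and the key paths come from the thread.

function Get-AppInitDllEntries {
    # AppInit_DLLs is loaded into every process that links user32.dll, so any
    # non-empty value deserves a look. LoadAppInit_DLLs (Vista+) gates it and
    # is $null on XP/2000, where the value is always honoured.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p -and $p.AppInit_DLLs) {
            [pscustomobject]@{
                Key   = $k
                Value = $p.AppInit_DLLs
                Load  = $p.LoadAppInit_DLLs
            }
        }
    }
}

function Get-SuspiciousUninstallEntries {
    # Flag Uninstall entries whose UninstallString runs a DLL through rundll32,
    # as "rundll32.exe C:\WINNT\system32\pushow55.dll Uninstall" did.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($r in $roots) {
        Get-ChildItem -Path $r -ErrorAction SilentlyContinue | ForEach-Object {
            $u = (Get-ItemProperty -Path $_.PSPath).UninstallString
            if ($u -and $u -match 'rundll32(\.exe)?\s+.*\.dll') {
                [pscustomobject]@{ Key = $_.PSChildName; UninstallString = $u }
            }
        }
    }
}

Get-AppInitDllEntries | Format-List
Get-SuspiciousUninstallEntries | Format-Table -AutoSize
# A hit pointing at a system32 DLL you do not recognise (e.g. pushow*.dll) is
# worth hashing and submitting to your AV vendor before anything is deleted.
```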

  2. My reply is at the bottom of your message :



    Go to Control Panel -> Internet Options and delete all temporary i-net files,
    cookies and history


    Scan your computer with :

    Kaspersky Labs free online scanner
    http://www.kaspersky.com/virusscanner

    Panda Software free Active scan
    http://www.activescan.com

    Both these scanners generate a log file when they are ready. Please save
    this log file on your Desktop, for example, and then post it here so we'll
    understand what you have on your computer.

    You may also download HijackThis v1.99.1
    http://aumha.net/downloads/hijackthis.zip

    Scan with it *but do not remove anything*
    Post your log to http://aumha.net/viewforum.php?f=30,
    for analysis, not here. Give more info there.



    Panda_man
     
    Panda_man, Apr 29, 2006
    #2

  3. And, please, never again include malware links in your posts because someone
    else may accidentally click on it so he/she will also become infected. Thanks


    Panda_man
     
    Panda_man, Apr 29, 2006
    #3
  4. I didn't in the post you are replying to - what are you talking about? I
    mean, I JUST NOW THIS SECOND did post a link for anyone who wanted to see the
    zip files for testing purposes. How do I submit this to the Defender folks
    who don't know about it, then?
    Back off, Mr. Hall Monitor.
     
    georgiabiker, Apr 29, 2006
    #4
  5. Elendil (Guest), replying to georgiabiker:

    After downloading the Kaspersky trial version, posting a HijackThis log on
    the forum Panda_man gave you, and scanning with Panda's Activescan, go to
    the Safety Tips page on my website: www.stopmalware.tk to learn how to
    prevent moderate-serious malware attacks/infections on your computer. If the
    malware still persists after following panda_man's advice (it shouldn't but
    if it does), go to the Comprehensive Malware Removal Instructions on the
    Detailed Malware Removal page of my website and follow the instructions.
     
    Elendil, Apr 29, 2006
    #5
  6. From: "georgiabiker" <>

    |
    | I didn't in the post you are replying to- what are you talking about? I
    | mean, I JUST NOW THIS SECOND did post a link for anyone who wanted to see the
    | zip files for testing purposes. How do I submit this to the Defender folks
    | who don't know about it, then?
    | Back off, Mr. Hall Monitor.

    Submission email addresses and URLs can be found here...
    http://www.ik-cs.com/suspicious-files.htm

    Specifically in the case of adware/spyware...
    mailto:

    ZIP the suspect files into a password protected ZIP file with the password
    "infected" { pwd = infected } and email the ZIP to Microsoft.


    Panda_man is 100% correct !

    Do NOT distribute malware. If an anti malware engineer asks you for the file, and you can
    determine that the requester is reputable, then that is one thing. Hosting the malware and
    publishing its URL is another !

    I have submitted the "install.exe" file to all anti malware vendors, who don't recognize
    this infector, for their examination.

    Result on "install.exe" from Virus Total.
    --
    Avast 4.6.695.0 04.28.2006 Win32:Trojano-CE
    AVG 386 04.28.2006 Clicker.CAH
    DrWeb 4.33 04.29.2006 Adware.Advert
    eTrust-InoculateIT 23.71.142 04.29.2006 no virus found
    Ewido 3.5 04.29.2006 Hijacker.Agent.hi
    Fortinet 2.71.0.0 04.29.2006 suspicious
    Kaspersky 4.0.2.24 04.29.2006 not-a-virus:AdWare.Win32.AdvertMen.a
    UNA 1.83 04.28.2006 TrojanClicker.Win32.Agent
    VBA32 3.11.0 04.28.2006 Trojan-Clicker.Win32.Agent.hi

    *The following is a False Positive result due to an Ikarus engine problem on Virus Total
    Ikarus 0.2.59.0 04.29.2006 P2P-Worm.Win32.Polipos.a

    Verified by an Ikarus email scan...
    CLEAN email-->mailbody
    CLEAN email-->mailbody(html)
    CLEAN email-->mailbody
    CLEAN email-->advertismen.zip-->install.exe
    CLEAN email-->advertismen.zip-->main.idx
    CLEAN email-->advertismen.zip
    CLEAN email


    /*PLEASE*/ remove the references to that malware and remove the malware from the University
    of Georgia server ASAP !!

    If it remains and the URL still works, the University of Georgia, Computer Services
    department, will be contacted and a formal complaint will be filed.

    Thank you for your cooperation.

    *The Ikarus engine problem should be fixed by Virus Total and Ikarus during the first week
    of May '06.
     
    David H. Lipman, Apr 29, 2006
    #6
  7. Hello Georgiabiker,

    Submit it via the process noted in Windows Defender Help, or here:
    Report a possible spyware problem to Microsoft
    http://www.microsoft.com/athome/security/spyware/software/support/reportspyware.mspx

    Good luck
     
    Engel, Apr 29, 2006
    #7
  8. I also have this problem, I tried all the suggestions below, I found pushow
    dll files but not with the same numbers, I couldn't trace anything else, any
    other solutions please.
     
    Bashy, Apr 30, 2006
    #8


  9. Thank you for the support, Dave ! ;-)


    Panda_man
     
    Panda_man, Apr 30, 2006
    #9
  10. jasta70 (Guest), replying to georgiabiker:

    In response to ADVERTISMEN.EXE I had nothing but a headache dealing
    with it. So to get rid of it I downloaded the 15 day free trial of
    TENEBRIL uninstaller. When you open it choose the uninstaller option,
    find the pesky ADVERTISMEN and you will be able to uninstall it. You
    will get an error message but just continue. Reboot and you will
    notice that your computer will be faster for a start, then have a look in
    the Add/Remove Programs just to see if it's gone.

    Good luck and let me know

    Jasta70
     
    jasta70, Jun 7, 2006
    #10