Ad Ware or Virus holding down ctrl/shift buttons?

Discussion in 'Security Software' started by Mark Neglay, Dec 7, 2003.

  1. Mark Neglay Guest

    I have contracted some nasty adware or virus that I cannot root out.
    I have three computers all using a router to connect to a cable modem.
    A few weeks ago, I was hit with typical signs of adware: homepage
    changed, popups on sites that don't have popups, porn and various
    scummy "search engines" added to my favorites, etc.

    I checked the other two computers and all three had similar problems.

    Since then, I have installed Spybot and Ad Aware, both of which
    detected various files, registry entries, cookies, etc,... However
    they didn't get it all out. I found everything from Gator to ISTBar
    to Memorywatcher. I have also run several thorough virus checks with
    Norton AV as well as Tau something-or-other trojan detector. Nothing.

    Yet every day, I get new scumware on my computer. Every time I run Ad
    Aware or Spybot, they find several new programs or browser addons
    installed. Do I have a trojan or what?

    Here's one of the most annoying problems: No matter whether I have
    just rooted out various spyware programs or not, I cannot stop this
    from happening. If Internet Explorer is open, something is running in
    the background that will randomly hold down the shift and ctrl keys, I
    assume as a way to override popup blockers, since the one I
    had--google, will allow popups if you hold down the ctrl key. I use
    Google to post on Usenet, so I have to type everything you are reading
    here in to notepad first, then copy it in to a browser window. If I
    try to compose in a browser, the computer will start randomly
    "shifting" and "ctrling", creating various problems. (ctrl-n is a new
    window. Ctrl-up-or-down-mousewheel goes forward and backward through
    browser history, etc.)

    No, I do not have a keyboard problem.

    Anyone else in my boat? Any suggestions?

    I *really* don't want to have to f-disk this problem away.
     
    Mark Neglay, Dec 7, 2003
    #1

  2. siljaline Guest


    Run "Hijack This" - info and download:
    http://mvps.org/winhelp2002/unwanted.htm

    Run SpyBot and Ad-aware *often*, just like you would your
    pre-installed A-V scanner.

    HTH

    --
    siljaline

    MS - MVP Windows IE/OE
    ______________________

    (Reply to group, as return address
    is invalid - that we may all benefit)
     
    siljaline, Dec 7, 2003
    #2

  3. Karen Guest

    Hi, I was looking around on the microsoft website for
    clues in how to solve this EXACT same problem. I'm glad
    to have stumbled upon your post, as I was beginning to
    worry that this issue was unique to my computer! I have
    the exact same thing happening, homepage change, porn
    sites in my favorites, and pop ups on sites that never
    used to have popups. Like you, I also installed ADAWARE
    and SPYBOT, and I've run both of them *often*. They keep
    finding problems, I keep erasing the problems, but IT
    KEEPS HAPPENING! I don't know how to permanently fix the
    problem. You mentioned something about not wanting to
    "f-disk" Can you explain what you mean by this? Are you
    just referring to wiping your harddrive? Or is this
    another way to deal with the problem? I'm willing to try
    almost anything at this point! :) Thanks to anyone who
    can help!!!
     
    Karen, Dec 7, 2003
    #3
  4. siljaline Guest


    There is help: "Hijack This" is a unique Spyware detection and
    removal tool that is used in special cases such as yours.

    All of the below details are available here:
    http://www.mvps.org/winhelp2002/unwanted.htm
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    **The Details**
    Go to: http://mjc1.com/mirror/hjt/

    Then > *Download* "Hijack This!" [freeware] or download direct (below):
    http://www.merijn.org/files/hijackthis.zip
    Unzip, double-click "HijackThis.exe" and Press "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log"
    button.
    Click: "Save Log" (generates: "hijackthis.log")

    Next > Go to the below location:
    http://forums.spywareinfo.com/

    Sign in, (or) post as a guest > Go to the "Spyware and Hijackware Removal"
    section.
    Press "New Topic", copy and paste hijackthis.log into your new message.
    The experts there will analyze your files and advise you what corrective action
    to take.


    Hope this helps.

    --
    siljaline

    MS - MVP Windows IE/OE
    ______________________

    (Reply to group, as return address
    is invalid - that we may all benefit)
     
    siljaline, Dec 7, 2003
    #4
  5. Mark Neglay Guest

    Fdisk is the program you would run in 9x to repartition. So yes, I
    just meant wiping and starting over.

    Incidentally, do you get the shift/ctrl problem I described? This is
    by far the most annoying to me.
     
    Mark Neglay, Dec 7, 2003
    #5
  6. You mention Spybot and Adaware. These tools only help after you get
    infected. You should take steps to block infections.

    1) install a personal firewall or enable your XP firewall
    2) install and update your anti-virus software, enable background
    scanning
    3) catch up on all critical Windows updates and enable automatic updates

    There are some browser protection tools that are useful. I like
    SpywareGuard and a popup blocker like the Google toolbar or Deskbar.

    Only then would I get concerned about removing difficult spyware and
    trojans.
     
    Kent W. England [MVP], Dec 7, 2003
    #6
  7. Are you running any peer-to-peer sharing programs that might provide a way
    into your system?

    I'd advise doing what siljaline and Kent W. England say--use HijackThis for
    diagnostic/repair purposes, and get a firewall up. Even on XP which has a
    built-in firewall that ALL XP users should be using, you may wish to put up
    a third-party firewall that blocks outgoing traffic, so that you can vet
    that traffic--if there's a suspicion of a trojan in place, looking at
    outgoing traffic can be helpful.
     
    Bill Sanderson, Dec 8, 2003
    #7
  8. Mark Neglay Guest

    This is the second response I have composed to your post. My first
    was lost when my browser began holding down the shift or ctrl key and
    I hit the wrong button, causing it to close the browser.
    Google worked some of the time. But not always. And anyway, I am
    getting popups when visiting non-spamming sites, even google itself.
    One of the techniques that I am convinced this scumware is using to
    override the Google Bar and others is to cause the shift and ctrl keys
    to 'depress'. With Google, the default to allow a popup is ctrl.
     
    Mark Neglay, Dec 8, 2003
    #8
  9. siljaline Guest

    A "P2P" (peer-to-peer) *like* Kazaa has a device which holds your whole O/S
    in a grip, waiting for third-party file requests.

    IMO, XP firewall offers no end user rules to create or maintain other than what
    to let "in". A third-party software firewall like Kerio begins with a basic rule
    set, that is to say, it doesn't "know" what applications have permission to "phone
    out" or to receive data from the Net.

    This can be and is troublesome for most "but" once the user has created a rule set
    for legitimate applications to access and receive, much benefit is added with the
    presence of the firewall application.

    Running the onboard firewall and a third-party firewall does cause problems.
    Both cannot be run in parallel.

    Regards,

    --
    siljaline

    MS - MVP Windows IE/OE
    ______________________

    (Reply to group, as return address
    is invalid - that we may all benefit)
     
    siljaline, Dec 9, 2003
    #9
  10. Yep - I replied to the wrong person in this thread!
     
    Bill Sanderson, Dec 9, 2003
    #10
  11. Here's a URL for HijackThis, if you haven't found it already:

    http://www.spywareinfo.com/~merijn/

    What we're interested in is what startup items you find that aren't in the
    realm of the obviously genuine installed stuff-you-expect.
     
    Bill Sanderson, Dec 9, 2003
    #11
  12. Mike Burgess Guest

    Bill,
    HijackThis and CWShredder (Merijn) have moved over the weekend .........
    http://www.merijn.org/

    Even the Startuplist that HijackThis can generate, I now use to
    check the "Services" running on XP (bottom of below page ;)
    http://www.mvps.org/winhelp2002/services.htm
    ____________________________________________________________
    Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
    Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
    http://www.mvps.org/winhelp2002/hosts.htm [updated 12-08-03]
    Please post replies to this Newsgroup, email address is invalid
     
    Mike Burgess, Dec 9, 2003
    #12
  13. siljaline Guest

    And I'll fix my word wrap ;)

    Cheers,


    --
    siljaline

    MS - MVP Windows IE/OE
    ______________________

    (Reply to group, as return address
    is invalid - that we may all benefit)
     
    siljaline, Dec 9, 2003
    #13
  14. Thanks - I'm behind the times.

    I usually use msinfo32 for running services, I think--I'll have to compare
    what HijackThis generates.

     
    Bill Sanderson, Dec 9, 2003
    #14
  15. Mark Neglay Guest

    I did this after the last post to this thread and may have solved it.
    My log follows this post for anyone interested. I deleted the
    following:
    smartbotpro
    seekseek
    KxrVfD1.exe--Did not delete registry entry. I had deleted this file
    earlier. It doesn't exist so I assume no harm can come if the registry
    still refers to it. I did this because I couldn't find info on it. I
    didn't want to cause permanent damage if it was a "good" file...
    Anyone know what it is?

    ----------
    Logfile of HijackThis v1.97.7
    Scan saved at 3:55:23 PM, on 12/8/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mark.MARK-8W7MQQ3ZG8\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001-nhp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002-nhp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003-nhp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=3CF30DDB-E26E-424D-B596-4FA8A002AC00&version_id=18
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SpyCop ScanCheck] C:\Program Files\Internet Explorer\setup.exe /LASTSCAN
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [3X@EGD45#@X5B7] C:\WINDOWS\System32\KxrVfD1.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37701.8207407407
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFullSInst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4305/mcfscan.cab
     
    Mark Neglay, Dec 9, 2003
    #15
  16. Mike Burgess Guest

    Mark,
    Run HT again and have it "Fix" the below:
    Note: make *sure* you are using the latest version!
    http://www.merijn.org/
    http://www.merijn.org/files/hijackthis.zip

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001-nhp

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002-nhp

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003-nhp

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=3CF30DDB-E26E-424D-B596-4FA8A002AC00&version_id=18

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [3X@EGD45#@X5B7] C:\WINDOWS\System32\KxrVfD1.exe

    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFullSInst.cab

    --
    Then restart, go to Add Remove and uninstall "SpyBlast" {if exists}
    If a reg entry exists for "KxrVfD1.exe" = remove it too, as NO legit
    program uses "[3X@EGD45#@X5B7]" ..........

    ____________________________________________________________
    Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
    Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
    http://www.mvps.org/winhelp2002/hosts.htm [updated 12-08-03]
    Please post replies to this Newsgroup, email address is invalid
    --

    <snip>
     
    Mike Burgess, Dec 9, 2003
    #16
  17. Thanks - I was gonna suggest that last one myself. In my experience that
    kind of naming structure is a tip-off. Probably I'll get bit by that
    eventually, but so far, so good. (a blank google search (except in the virus
    groups) is usually a good additional safeguard!)
     
    Bill Sanderson, Dec 9, 2003
    #17
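A small audit script, added here as an illustration and not part of HijackThis or of anything posted in the thread, that applies the heuristics used in posts #15 to #17 to log lines like Mark's: IE search settings pointing at an unknown host, the missing URLSearchHook, an O4 Run entry whose name is gibberish (the naming tip-off Mike and Bill call out), and an ActiveX (O16 DPF) download from an unknown host. The accepted-host list is an assumption, and the sample lines are copied from the log above with the newsreader's line wrapping undone.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts accepted for IE search settings and ActiveX/DPF downloads.
EXPECTED_HOSTS = ("microsoft.com", "msn.com", "macromedia.com", "mcafee.com")
# Real installers use plain-word Run entry names; "[3X@EGD45#@X5B7]" is the tip-off post #16 describes.
SANE_RUN_NAME = re.compile(r"[A-Za-z0-9 _.\-]+")
RUN_ENTRY = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
URL_IN_LINE = re.compile(r"https?://\S+")

# Constructed sample: lines taken from the log in post #15, with the newsreader's
# line wrapping undone so each entry is one line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001-nhp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [3X@EGD45#@X5B7] C:\WINDOWS\System32\KxrVfD1.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37701.8207407407
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFullSInst.cab
"""

def host_is_expected(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()   # True for allowed hosts and their subdomains
    return any(host == d or host.endswith("." + d) for d in EXPECTED_HOSTS)

def audit_line(line: str):
    """Return (section, reason) when a log line looks suspicious, else None."""
    line = line.strip()
    if " - " not in line:
        return None
    section, rest = line.split(" - ", 1)
    if section == "R3" and "missing" in rest:
        return section, "default URLSearchHook missing (hijack leftover)"
    if section in ("R0", "R1"):
        value = rest.partition("=")[2].strip()   # text after "key ="; empty means nothing set
        m = URL_IN_LINE.search(value)
        if m and not host_is_expected(m.group()):
            return section, "IE search setting points at unexpected host"
    if section == "O4":
        m = RUN_ENTRY.match(line)
        if m and not SANE_RUN_NAME.fullmatch(m.group("name")):
            return section, "Run entry with gibberish name runs " + m.group("cmd")
    if section == "O16":
        m = URL_IN_LINE.search(rest)
        if m and not host_is_expected(m.group()):
            return section, "ActiveX (DPF) download from unexpected host"
    return None

def audit_log(text: str):
    """Audit every line of a log; returns a list of (section, reason, line)."""
    hits = ((audit_line(l), l.strip()) for l in text.splitlines())
    return [(h[0], h[1], l) for h, l in hits if h]
```

Entries such as the NVIDIA Run item and the Windows Update control pass untouched; the script only shortlists lines for the kind of human review the thread describes, it does not fix anything.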
  18. Mike Burgess Guest

    Bill,
    LOL ..... well HT automatically creates a backup of all it removes,
    and saves it to the same folder as where HT exists.
    ____________________________________________________________
    Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
    Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
    http://www.mvps.org/winhelp2002/hosts.htm [updated 12-08-03]
    Please post replies to this Newsgroup, email address is invalid
    --
     
    Mike Burgess, Dec 10, 2003
    #18
  19. Good point. On my 15 year-old son's machine, I moved such things which were
    found set hidden in \windows\system32 to a folder. Haven't heard any
    complaints--'course it doesn't hurt that he's behind a firewall, and is at
    least running the lite version of Kazaa, rather than the full-blown critter.
    "covers head to avoid detritus thrown by all and sundry!"

    Next time I'll use HijackThis!

     
    Bill Sanderson, Dec 10, 2003
    #19
  20. siljaline Guest

    Bill,
    Sorry to barge in on the chat ;)
    One for the bookmarks if your son runs into trouble with a Kazaa related
    P2P - http://www.merijn.org/files/kazaabegone.zip

    Regards,

    --
    siljaline

    MS - MVP Windows IE/OE
    ______________________

    (Reply to group, as return address
    is invalid - that we may all benefit)
     
    siljaline, Dec 10, 2003
    #20
