pop-ups on the hour

Hello all,

I seem to have gotten my first piece of malware in the 3.5 years of having a Windows machine. Every hour on the hour I get 4 or 5 pop-ups through IE (which is never on, as I use Firefox).

How it happened: Was on a streaming movie site (in firefox) and avast notified me that it detected some trojans and I moved them to the chest. Deleted them from there.

Thought I had gotten them but an hour later I got 5 or so pop-ups in IE. I ran a full scan with Avast and it caught 2 more trojans…moved them to the chest and deleted them. Otherwise my disk seemed to be clean. I tried following some of the tips that I have read here. Emptying my temp folder (though I am not sure which of these is the one that I should be emptying), and I am still getting the pop-ups every hour though.

Running XP and Avast is updated. SpywareBlaster is also installed and updated (though only updated after the problem started).

Would appreciate any help. Thanks very much,

Peter

What version of Firefox are you using?

There was previously an exploit in older versions of Firefox that could run other applications, so this is one possibility, though slim.
Are you always connected to the internet?
Does this happen if you aren’t connected (e.g. it establishes a connection)?

What is your firewall ?

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.
  2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

hey thanks for the help. installed the 2 programs and ran them in safe mode.

the amount of things they detected was humbling…in the hundreds.

but i seem to have gotten them all now…and no more pop-ups.

thanks again.

-peter

To be sure you’re clean, I suggest you run (again) the following scheme:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or to this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then re-enable it.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

You’re welcome.

When you mention ‘in the hundreds’ I’m guessing that the greatest majority of these were classed as tracking cookies ?

These are a minor pain in the rear, a minor privacy issue rather than a security one. I normally disable that part of the scan preferences, it is so minor, and periodically clear out all cookies. I also don’t allow third party cookies, that is, cookies that aren’t for the actual site you are visiting.

Keep these tools and periodically update them and do a scan with them as a back-up to avast.

Tech’s step 8 is a must do, as many routes of entry to your system come through security vulnerabilities/exploits in programs that are out of date.

Welcome to the forums.

Hi petercn :), you should also download Spybot Search & Destroy to protect your system settings (Control Panel etc.) and, most importantly, the Hosts file as well. Please make sure you update it and immunize before you go on the net.

Thanks again guys,

I got the program from Secunia and ran it. I should be all up to date now.

And yes at least 95% were tracking cookies.

-peter

No problem, the tracking cookies really are a minor issue made to seem a real issue by their detection and reporting.

If you want to give some common examples of the other 5%, we can have a look at them.

These are portions of the log files (cookies not included):

From SUPERantispyware (which I ran first)

Trojan.Unclassified
[prunnet] C:\WINDOWS\SYSTEM32\PRUNNET.EXE
C:\WINDOWS\SYSTEM32\PRUNNET.EXE
[prunnet] C:\WINDOWS\SYSTEM32\PRUNNET.EXE
C:\DOCUMENTS AND SETTINGS\PETER\LOCAL SETTINGS\TEMP\PRUN.TMP
C:\WINDOWS\Prefetch\PRUNNET.EXE-0D905460.pf

Trojan.Unclassified/GadCom
[gadcom] C:\DOCUMENTS AND SETTINGS\PETER\APPLICATION DATA\GADCOM\GADCOM.EXE
C:\DOCUMENTS AND SETTINGS\PETER\APPLICATION DATA\GADCOM\GADCOM.EXE

Adware.WhenU
HKCR\WUSN.1
HKCR\WUSN.1#WUSN_Id
HKLM\Software\WhenUSearch
HKLM\Software\WhenUSearch#InstallTime
HKLM\Software\WhenUSearch#zip
HKLM\Software\WhenUSearch\Partners
HKLM\Software\WhenUSearch\Partners\desktop
HKLM\Software\WhenUSearch\Partners\desktop#LastPartner
HKLM\Software\WhenUSearch\Partners\desktop#SetupCmdLine
HKLM\Software\WhenUSearch\Partners\desktop#Partner
HKLM\Software\WhenUSearch\Partners\desktop#InstallTime
HKLM\Software\WhenUSearch\Partners\desktop#PartnerDesc
HKLM\Software\WhenUSearch\WHSE
HKLM\Software\WhenUSearch\WHSE#Installed_rs
HKLM\Software\WhenUSearch\WHSE#uiver_rs
HKLM\Software\WhenUSearch\WHSE#exitsurvey_url
HKLM\Software\WhenUSearch\WHSE#Partner
HKLM\Software\WhenUSearch\WHSE#LastPartner
HKLM\Software\WhenUSearch\WHSE#InstallTime
HKLM\Software\WhenUSearch\WHSE#SetupCmdLine
HKLM\Software\WhenUSearch\WHSE#showSplash
C:\Program Files\Common Files\WhenU\UControlScanAndRemove.ocx
C:\Program Files\Common Files\WhenU

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount
C:\DOCUMENTS AND SETTINGS\PETER\LOCAL SETTINGS\TEMP\AENSCXWOMR.TMP
C:\DOCUMENTS AND SETTINGS\PETER\LOCAL SETTINGS\TEMP\WOMSCEXRAN.TMP

Rogue.AntiSpywareMaster
HKU\S-1-5-21-602162358-1425521274-725345543-1003\Software{5222008A-DD62-49c7-A735-7BD18ECC7350}

Rogue.VirusRemover2008
HKLM\Software{5222008A-DD62-49c7-A735-7BD18ECC7350}
HKU\S-1-5-21-602162358-1425521274-725345543-1003\Software\VirusRemover2008
HKLM\Software\VirusRemover2008
HKLM\Software\VirusRemover2008#ActDomain
HKLM\Software\VirusRemover2008#CookieParams

Trojan.Fake-Alert
C:\Documents and Settings\Peter\Application Data\gadcom

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-602162358-1425521274-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run#gadcom [ “C:\Documents and Settings\Peter\Application Data\gadcom\gadcom.exe” 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 ]
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\fbk.sts

Adware.Prun
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#UninstallString
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#prunnet [ “C:\WINDOWS\system32\prunnet.exe” ]
HKU\S-1-5-21-602162358-1425521274-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run#prunnet [ “C:\WINDOWS\system32\prunnet.exe” ]

Trojan.Dropper-NET/TMP-FV
C:\DOCUMENTS AND SETTINGS\PETER\LOCAL SETTINGS\TEMP\ORAEWMXSNC.TMP
C:\DOCUMENTS AND SETTINGS\PETER\LOCAL SETTINGS\TEMP\SNAPSNET.TMP
C:\DOCUMENTS AND SETTINGS\PETER\LOCAL SETTINGS\TEMP\XCSMOREWNA.TMP

Trace.Known Threat Sources
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\89UFOP6V\secure_installers[2].js
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\C52JW96J\low_16[2].jpg
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\KX6N8P67\right_text_06[2].jpg
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\89UFOP6V\crypt[2].js
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\4TQJ89A7\129[1].htm
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\KX6N8P67\full_scan_top_07[2].jpg
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\C52JW96J\right_thead_14[1].gif
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\4TQJ89A7\params[2].js
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\4TQJ89A7\map_03[1].jpg
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\C52JW96J\settings[2].js
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\KX6N8P67\style[1].css
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\89UFOP6V\thead_right_14[1].gif
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\4TQJ89A7\index_new[2].js
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\4TQJ89A7\full_scan_bott_07[1].gif
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\KX6N8P67\managers[2].js

And from Malwarebytes Anti-Malware, run subsequently:

Files Infected:
C:\Documents and Settings\Peter\Local Settings\Temp\Mirar_V77_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX_ADB_876984.exe (Adware.Mirar) → Quarantined and deleted successfully.
C:\System Volume Information_restore{550952DE-3E20-4B63-8FA3-B9D26D010496}\RP850\A0243093.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\System Volume Information_restore{550952DE-3E20-4B63-8FA3-B9D26D010496}\RP850\A0243094.exe (Trojan.Downloader) → Quarantined and deleted successfully.

After, I ran Secunia and secured all the apps it suggested.

-Peter
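The two logs above are the raw material a responder works from, and the entries worth reading first are the `...\CurrentVersion\Run#...` values, because they are what relaunches the malware after every reboot (and explain why Avast’s earlier deletions did not stop the pop-ups). The following script is an added example, not part of the thread or of any of the tools named in it: it parses a SUPERantispyware-style log (category line, then one item per line), separates file paths from registry keys and values, and lists the Run-key entries together with the image they launch and whether that image was itself among the detected files. The sample log is constructed from a subset of the entries Peter posted; treating the bracketed `[prunnet]` prefix as a running-process marker is an assumption.

```python
"""Triage a SUPERantispyware-style scan log (added example, not the tool's own code)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the entries quoted in the thread above.
SAMPLE_LOG = r"""
Trojan.Unclassified
[prunnet] C:\WINDOWS\SYSTEM32\PRUNNET.EXE
C:\WINDOWS\Prefetch\PRUNNET.EXE-0D905460.pf

Trojan.Unclassified/GadCom
[gadcom] C:\DOCUMENTS AND SETTINGS\PETER\APPLICATION DATA\GADCOM\GADCOM.EXE

Adware.WhenU
HKCR\WUSN.1
HKLM\Software\WhenUSearch
HKLM\Software\WhenUSearch#InstallTime

Adware.Prun
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#UninstallString
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#prunnet [ "C:\WINDOWS\system32\prunnet.exe" ]

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-602162358-1425521274-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run#gadcom [ "C:\Documents and Settings\Peter\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 ]
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\fbk.sts
"""

HIVES = ("HKLM", "HKCU", "HKU", "HKCR", "HKCC")
# "key#valuename [ data ]" -- the data part is optional in the log
REG_VALUE_RE = re.compile(r"^(?P<key>[^#]+)#(?P<name>\S+)(?:\s+\[\s*(?P<data>.*?)\s*\])?$")
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
PROCESS_TAG_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<path>.+)$")
IMAGE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+)')


@dataclass
class Finding:
    category: str
    kind: str                  # "file", "regkey" or "regvalue"
    path: str                  # file path or registry key path
    value_name: Optional[str] = None
    data: Optional[str] = None
    tag: Optional[str] = None  # bracketed prefix; assumed to mark a running process


def parse_log(text: str) -> list[Finding]:
    """Group items under the category line that precedes them; blank lines end a block."""
    findings, category = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            category = None
            continue
        if category is None:
            category = line          # first line of a block names the detection
            continue
        tag = None
        m = PROCESS_TAG_RE.match(line)
        if m:
            tag, line = m.group("tag"), m.group("path")
        if line.upper().startswith(HIVES):
            v = REG_VALUE_RE.match(line)
            if v:
                findings.append(Finding(category, "regvalue", v.group("key"),
                                        v.group("name"), v.group("data"), tag))
            else:
                findings.append(Finding(category, "regkey", line, tag=tag))
        else:
            findings.append(Finding(category, "file", line, tag=tag))
    return findings


def launched_image(data: Optional[str]) -> Optional[str]:
    """First token of a Run value's data: the quoted path, else the first bare word."""
    m = IMAGE_RE.match(data) if data else None
    return (m.group("q") or m.group("u")) if m else None


def autorun_entries(findings):
    """(value name, launched image, image also detected as a file?) for every Run/RunOnce value."""
    detected_files = {f.path.lower() for f in findings if f.kind == "file"}
    out = []
    for f in findings:
        if f.kind == "regvalue" and AUTORUN_RE.search(f.path):
            image = launched_image(f.data)
            out.append((f.value_name, image, bool(image) and image.lower() in detected_files))
    return out


def summarize(findings):
    """Counts per category and kind, e.g. {"Adware.Prun": {"regvalue": 2}}."""
    table = defaultdict(Counter)
    for f in findings:
        table[f.category][f.kind] += 1
    return {cat: dict(c) for cat, c in table.items()}


if __name__ == "__main__":
    fs = parse_log(SAMPLE_LOG)
    for cat, counts in summarize(fs).items():
        print(f"{cat}: {counts}")
    for name, image, corroborated in autorun_entries(fs):
        print(f"autorun {name!r} -> {image} (file also detected: {corroborated})")
```

On the sample both Run values point at files that the same scan flagged, which is the correlation that confirms the persistence entries are real rather than leftovers of an uninstalled program. The same parser works on a full log if the tracking-cookie blocks are included; they simply appear as their own categories in the summary.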

The first two were relatively serious and a google search on the file names will show that.

OK the adware stuff is better out than in.

The rogueware/fake alert stuff would have been popping up fake alerts and this may have been contributing to the pop-ups you mentioned, though you didn’t give any details.

All in all the detections look good and should go a long way to cleaning your system. The key thing is how is your system running now ?

Some of this may have been downloaded to your system as one of the above may have been a backdoor and a couple designated as downloaders, so what is your firewall ?

As far as I recall the pop-ups weren’t necessarily related to rogueware/fake alert stuff…one was ebay (or at least looked like ebay) and the others were relatively benign looking.

My system is running more or less as it always has. Seems stable. Hadn’t noticed an appreciable change in performance, and if it hadn’t been for the pop-ups I would not have assumed anything was wrong.

I am only running Windows firewall, which is all I’ve ever run. Around the time that the pop-ups originated I did notice that the firewall was inexplicably off, which it never is. I imagine they could have gotten through then, though I do not believe my firewall was off for that long. Then again, I can’t be sure. Was pretty surprised to find it off as it’s something I rarely touch.

Well, gadcom.exe in the list of detections I don’t think had anything to do with ebay; it could be that this was a phishing attempt to get you to a site to have this established, but that is speculation on my part.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • There are many freeware firewalls such as Comodo (care required now it is a suite not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider only goes as far as Medium protection; if you want more you have to buy the Pro version.

See a forum discussion on free firewalls: http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php