Pop-Up / Spyware Help!!!

Discussion in 'Computers' started by MarcoBiscotti, Dec 19, 2005.

  1. MarcoBiscotti

    MarcoBiscotti Producer

    Joined:
    Sep 2, 2003
    Messages:
    4,799
    Likes Received:
    1
    Trophy Points:
    0
    I just upgraded to Quicktime 7 from the following link:

    http://www.apple.com/quicktime/download/standalone.html


    Immediately following installation, I noticed that I was seeing a Quicktime logo with a question mark in the centre of it appearing in strange places / websites where I hadn't ever seen it before, such as in completely unrelated ads, MSN news links, etc. A QT logo would appear above the image or text... or off to the side of it as though it were acting as a sponsor even though it clearly didn't belong.


    Then it happened - I started getting pop-ups with this same Quicktime logo attached every couple of minutes. It wasn't so bad at first, but every time I clicked a single link to a webpage or whatever, a new browser window would open to the following site:

    http://imagecache2.allposters.com/im...ters.com/link/


    Then, they started coming in more frequently. They all appear to be opening on the URL I posted above!

    It's getting out of hand now... I just had to struggle to shut down 6 pop-up browser windows prior to posting this message, that were all appearing at the same time!

    I fear this is only going to get worse and it's making browsing the web really difficult and a hassle!


    Can anyone please help me out??

    I'm not sure if I should delete QuickTime or if I've somehow downloaded a virus or somebody is trying to access my computer, but I'd really appreciate any help in fixing this problem!!!

    I do a lot of online shopping and transactions through Ebay and Paypal so I'm concerned and would like to resolve this ASAP!

    Thanks in advance for any help you can offer!!
     
  2. MarcoBiscotti

    MarcoBiscotti Producer

    Joined:
    Sep 2, 2003
    Messages:
    4,799
    Likes Received:
    1
    Trophy Points:
    0
    I should also probably add that I deleted some cookies this morning in my internet tools folder.

    I'm running Mozilla Firefox too btw.

    The reason I deleted some cookies is because I was having trouble accessing my login page on Ebay (unaware that it was simply a website issue, they were experiencing some downtime) and so I decided to see if deleting my Ebay cookies and a few others would help.

    I'm not sure if this is related, but the fact that this all started almost immediately after downloading QT 7 and the fact that QuickTime logos seem to be appearing on the pop-up pages... I'm guessing the issue is with the Quicktime files I downloaded.


    I'm running Spybot right now as I type this out (am I allowed to run my web browser while the program is in use?)... hopefully that will detect something - but I'm still hoping you guys could help me out since you seem to be experts on these issues!

    Thanks.


    PPS - Highlighting text or clicking on url links apparently fuels the pop-ups more. I just discovered this by reading over my above message and being subjected to 5 more windows!


    Update: Spybot - No immediate threats were found.
     
  3. Scott Merryfield

    Scott Merryfield Executive Producer

    Joined:
    Dec 16, 1998
    Messages:
    12,325
    Likes Received:
    1,073
    Trophy Points:
    9,110
    Location:
    Michigan
    You can try running Lavasoft's Adaware anti-spyware detector. It is also free. Also, HiJack This! is a more advanced tool for looking at entries in your registry. Make sure you know what you are deleting using this tool, though. There is also a free trial spyware scanner available at www.pandasoftware.com .

    I recently cleaned up my niece's PC that had over 14,000 instances of infection on it -- she had no anti-virus, firewall or anti-spyware running, and the CD-ROM drive was dead, so I couldn't just reload the operating system. It took a combination of AVG anti-virus, Spybot, Adaware, CWShredder, HiJack This and manual search/delete with regedit to clean everything.
     
  4. MarcoBiscotti

    MarcoBiscotti Producer

    Joined:
    Sep 2, 2003
    Messages:
    4,799
    Likes Received:
    1
    Trophy Points:
    0
    Thanks Scott,

    I just ran AdAware and detected 2 problems which seemed to have been minor and unrelated.

    I'm running Norton Antivirus (the latest version) and running SpywareBlaster in the background.


    I have HiJack This! -- but it's like Chinese to me. I have no idea what any of the log files mean or what to delete or alter.


    I'm getting about 4 pop-ups a minute and they seem to be most easily activated / triggered by clicking new threads, opening new tabs, or highlighting text while scrolling through threads.

    All the ads on the main HTF forum page (Wedding Crashers, etc) appear with the Quicktime logo in them!

    My pc seems to be under attack.

    I've got no idea what to do next...
     
  5. Scott Merryfield

    Scott Merryfield Executive Producer

    Joined:
    Dec 16, 1998
    Messages:
    12,325
    Likes Received:
    1,073
    Trophy Points:
    9,110
    Location:
    Michigan
    You may want to start by uninstalling Quicktime. If that doesn't fix the problem, run HiJack This (scan only) and post the log file in this thread. Someone here may recognize the offending entry.

    Also, run Task Manager and see if there are any unusual processes running under your userid account name.
     
  6. MarcoBiscotti

    MarcoBiscotti Producer

    Joined:
    Sep 2, 2003
    Messages:
    4,799
    Likes Received:
    1
    Trophy Points:
    0
    Thanks a lot Scott.

    Here are the details of my log file:



    Logfile of HijackThis v1.97.7
    Scan saved at 1:28:21 PM, on 12/19/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\WINDOWS\System32\vrstytj.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
    C:\Program Files\ohca\nbdl.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    C:\Program Files\Logitech\SetPoint\kem.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\PROGRAM FILES\LOGITECH\SETPOINT\KHALMNPR.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Oliver\Desktop\System Security\Hijack This!\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6BA36735-F3F5-8D21-D3BC-F50A7B59A6BD} - C:\WINDOWS\System32\ttmcleg.dll
    O2 - BHO: (no name) - {AD5B06EF-CC24-BE8D-7835-96ECDC921AB0} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [gwaghtcelkldo] C:\WINDOWS\System32\vrstytj.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
    O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB002" /M "Stylus CX6600"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Zvhbmoqe] C:\WINDOWS\System32\d?xplore.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Ssai] C:\Program Files\ohca\nbdl.exe
    O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /reboot{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /z
    O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
    O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...1F/wmvadvd.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7...ll/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...?37741.4428125
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab31267.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab



    Also, while I wouldn't have known because I don't use IE, I just ran Browser Hijacker and got 4 or 5 pop-ups that my default homepage had been changed and other such indications of a problem...
     
  7. MarcoBiscotti

    MarcoBiscotti Producer

    Joined:
    Sep 2, 2003
    Messages:
    4,799
    Likes Received:
    1
    Trophy Points:
    0
    Anyone have any ideas of what to do with that above information?
     
  8. Scott Merryfield

    Scott Merryfield Executive Producer

    Joined:
    Dec 16, 1998
    Messages:
    12,325
    Likes Received:
    1,073
    Trophy Points:
    9,110
    Location:
    Michigan
    Things that look suspicious to me:

    1. d?explore.exe -- see this

    2. vrstytj.exe -- a google search doesn't show anything for this one

    3. nbdl.exe -- a google search doesn't show anything for this one, either.
     
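Scott's three suspects above were picked out by eye. As an added example (not from the thread and not part of HijackThis itself), here is a small Python triage script that parses the O2 (BHO) and O4 (Run-key) lines of a HijackThis log and surfaces the same kind of entries by three signals: a BHO whose file no longer exists, a file auto-starting from the Windows directory that is not a known Windows binary, and a file name with a '?' or almost no vowels. The sample lines are copied from the log posted in this thread with the backslashes the forum stripped put back; the WINDOWS_BINARIES allow-list, the vowel threshold and the ohca\nbdl.exe split of the run-together path (following Scott's reading) are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: eight lines copied from the HijackThis log posted in this
# thread, with the backslashes that the forum software stripped put back.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6BA36735-F3F5-8D21-D3BC-F50A7B59A6BD} - C:\WINDOWS\System32\ttmcleg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gwaghtcelkldo] C:\WINDOWS\System32\vrstytj.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Zvhbmoqe] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [Ssai] C:\Program Files\ohca\nbdl.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.*)$", re.I)
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First quoted or unquoted token ending in .exe/.dll/.ocx; trailing switches are dropped.
FILE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|ocx))"?', re.I)

# Windows XP binaries that legitimately live under C:\WINDOWS (names taken from the
# process list in the same log; an assumed allow-list). Anything else auto-starting
# from there deserves a second look: vendors normally install under Program Files.
WINDOWS_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                    "svchost.exe", "spoolsv.exe", "explorer.exe", "ntvdm.exe",
                    "wuauclt.exe", "notepad.exe", "msdxm.ocx"}

@dataclass
class Entry:
    section: str  # "O2" or "O4"
    label: str    # BHO name or Run-key value name
    path: str     # file the entry loads, or "(no file)"

def parse(log):
    """Turn O2/O4 lines into Entry records; every other line is ignored."""
    entries = []
    for line in (raw.strip() for raw in log.splitlines()):
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"].strip()))
        elif m := O4_RE.match(line):
            f = FILE_RE.match(m["cmd"])
            entries.append(Entry("O4", m["name"], f["path"] if f else m["cmd"]))
    return entries

def looks_random(word):
    """Weak signal: long, letters only, almost no vowels. Abbreviations trip it too."""
    w = word.lower()
    return w.isalpha() and len(w) >= 7 and sum(c in "aeiou" for c in w) / len(w) <= 0.25

def assess(entry):
    """Reasons an entry deserves manual verification (empty list = nothing noticed)."""
    if entry.path.lower() == "(no file)":
        return ["orphan: registry still references a file that no longer exists"]
    base = entry.path.rsplit("\\", 1)[-1]
    folder = entry.path[: len(entry.path) - len(base)].lower()
    signals = []
    if "?" in base or not base.isascii():
        signals.append("file name has a character Windows shows as '?' (non-ASCII look-alike)")
    if folder.startswith("c:\\windows\\") and base.lower() not in WINDOWS_BINARIES:
        signals.append("non-Windows file auto-starting from the Windows directory")
    for word in (entry.label, base.rsplit(".", 1)[0]):
        if looks_random(word):
            signals.append(f"'{word}' looks machine-generated (few vowels)")
            break
    return signals

def triage(log):
    """(path, signals) for every parsed entry that raised at least one signal."""
    return [(e.path, s) for e in parse(log) if (s := assess(e))]
```

On the sample, vrstytj.exe, d?xplore.exe, ttmcleg.dll and the orphaned BHO are listed while nbdl.exe raises nothing, which matches Kimmo's later point that a file in its own Program Files folder is less suspect; the output is a worklist for checking file properties by hand, not a verdict.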
  9. MarcoBiscotti

    MarcoBiscotti Producer

    Joined:
    Sep 2, 2003
    Messages:
    4,799
    Likes Received:
    1
    Trophy Points:
    0
    Thank you Scott, should I go ahead and delete these?

    I guess the first one is a sure bet!


    Thank you very much!!
     
  10. MarcoBiscotti

    MarcoBiscotti Producer

    Joined:
    Sep 2, 2003
    Messages:
    4,799
    Likes Received:
    1
    Trophy Points:
    0
    For some reason, I can no longer find "d?explore.exe" in my HijackThis! program?

    I can't locate it to delete..



    Edit: I'm downloading Registry Toolkit as suggested in your link so hopefully that will fix these problems (or at least some of them)!
     
  11. Scott Merryfield

    Scott Merryfield Executive Producer

    Joined:
    Dec 16, 1998
    Messages:
    12,325
    Likes Received:
    1,073
    Trophy Points:
    9,110
    Location:
    Michigan
    I think you'll be safe deleting the first two. I'm not sure about the 3rd one, though. At best, it's part of some other application that you've installed yourself and could always reinstall. At worst, it's spyware and needs to be removed. You could always look in the C:\Program Files\OHCA folder to see what's in there.
     
  12. Scott Merryfield

    Scott Merryfield Executive Producer

    Joined:
    Dec 16, 1998
    Messages:
    12,325
    Likes Received:
    1,073
    Trophy Points:
    9,110
    Location:
    Michigan

    It should be d?xplore.exe. Sorry about the typo in my previous response.
     
  13. MarcoBiscotti

    MarcoBiscotti Producer

    Joined:
    Sep 2, 2003
    Messages:
    4,799
    Likes Received:
    1
    Trophy Points:
    0
    Thanks Scott - and wow... I'm running Registry Toolkit and at 85% into the system scan, it's already detected 140 errors!!!

    I'm betting that this program will be able to delete these problems that you noticed from my Hijack log.

    Hopefully this will fix and clean everything up... I wonder how the hell my computer got turned into such a mess?!?
     
  14. MarcoBiscotti

    MarcoBiscotti Producer

    Joined:
    Sep 2, 2003
    Messages:
    4,799
    Likes Received:
    1
    Trophy Points:
    0
    Grand Total: 512 Problems!
     
  15. MarcoBiscotti

    MarcoBiscotti Producer

    Joined:
    Sep 2, 2003
    Messages:
    4,799
    Likes Received:
    1
    Trophy Points:
    0
    what a load of crap...

    It will only repair 21 of the errors and I'll need to purchase the full version to fix the other 491!!


    I wonder how much this is gonna run me now...
     
  16. Kimmo Jaskari

    Kimmo Jaskari Screenwriter

    Joined:
    Feb 27, 2000
    Messages:
    1,528
    Likes Received:
    0
    Trophy Points:
    0
    Rename them instead of deleting at first. Rename something.exe to something.exe.old - that will keep them from running, but give you the option to put them back.

    Otherwise I agree that those three are suspect; the nbdl.exe file seems less so, since it is actually installed under Program Files like any other application.

    Find these files in Windows Explorer, right-click on them and look at the Properties. That will often show you more about what these exe files are and where they came from.

    For instance, if I look at a file on my own system that is named "FLAC frontend.exe" (I already know what this is, obviously), under the Version tab it tells me it is version 1.7.0.1 of this exe file, the description says Frontend for FLAC and the Copyright field reads Free for all (since this is open source).

    Most Windows executables will give you more information in that tab. That may help you in determining what is and is not legit. Sure, the program authors may lie here too, but if it clearly states what the program is, who made it, etc., it may help you determine whether or not the program is benign.
     
  17. Kimmo Jaskari

    Kimmo Jaskari Screenwriter

    Joined:
    Feb 27, 2000
    Messages:
    1,528
    Likes Received:
    0
    Trophy Points:
    0
    Registry cleaners usually just remove stuff that is left over from old program installations. Worthwhile to do, but hardly crucial, what is crucial is what is running on your machine and what tampering has been done to your browser.
     
  18. Scott Merryfield

    Scott Merryfield Executive Producer

    Joined:
    Dec 16, 1998
    Messages:
    12,325
    Likes Received:
    1,073
    Trophy Points:
    9,110
    Location:
    Michigan
    Marco,

    Try booting your PC into Windows safe mode and deleting those two items, either via HiJack This or using regedit (as a last resort). There is a "find" search function in regedit that you can use to scan the registry for all instances of d?explore.exe and vrstytj.exe. You can also try Kimmo's suggestion of renaming them first, just to be safe (although I'm sure the first two I've listed should not be running). To boot into safe mode, press F8 while Windows is initially loading.

    I was able to clean 14,000 instances of infection on my niece's PC using only freeware, regedit and a little patience. I'm sure you can do the same.
     
  19. Paul Padilla

    Paul Padilla Supporting Actor

    Joined:
    Jan 15, 2002
    Messages:
    767
    Likes Received:
    0
    Trophy Points:
    0
    Marco is already a little uncomfortable with Hijack This, Kimmo... I'm not sure that I'd throw renaming EXEs at him just yet.

    I use Spybot S&D and AdAware in tandem all the time. I've found that one will find things the other misses, and vice versa. It may take several passes, including rebooting, to get everything. Occasionally there are registry entries that need to be changed manually, but you can blow up that bridge when you come to it. Be extremely careful with Hijack This. It doesn't discriminate in what it displays... legit and bogus entries all get lumped together. The warning when you run the program says basically that.

    A few things I didn't see mentioned above:

    1. Make sure Spybot and Adaware are updated. Just like your anti-virus program they need to be updated regularly so they know all of the newest threats to search for.

    2. For Spybot, make sure you're running the most recent version...ver 1.4. You can get it here. If you have 1.3 or earlier, when you try to update it will lead you to believe there are no updates available.

    3. Run Spybot and AdAware from safe mode, but only after you're sure they've been updated.
     
  20. MarcoBiscotti

    MarcoBiscotti Producer

    Joined:
    Sep 2, 2003
    Messages:
    4,799
    Likes Received:
    1
    Trophy Points:
    0
    Thanks Kimmo!

    The registry cleaner was only $24 so I did it and cleaned up my drives.


    But for some reason, I ran a search of my entire C drive for "d?xplore.exe" and it turned up not a single result?

    I can't even find these listings in the Hijack This! log above... maybe I'm not doing something right?

    I'm gonna run another Hijack This! scan and post the results again just to verify.

    If you guys could please take a look at it one more time and let me know, it would be a humongous help!

    I'll leave the program running this time also so that if there's any problems, I can take care of them then and there...

    If you guys could list the number associated with the file (i.e. R1, O4, O16, etc.) it would also be great, because I can't find a single one of those errors you guys posted...

    The good news is that I haven't gotten a single pop-up since this morning, but now I'm running about half a dozen adware blockers and spy checkers and anti virus programs in the background!

    I just want to make 100% sure that my pc is cleaned and not at any risk...
     
