Pop-Up / Spyware Help!!! (1 Viewer)

[MarcoBiscotti]

I just upgraded to Quicktime 7 from the following link:

http://www.apple.com/quicktime/download/standalone.html


Immediately following installation, I noticed that I was seeing a Quicktime logo with a question mark in the centre of it appearing on strange places / websites where I hadn't ever seen it before. Such as in ads completely unrelated. MSN news links, etc. A QT logo would appear above the image or text... or off to the the side of it as thought it were acting as a sponsor even though it clearly didn't belong.


Than it happened - I started getting pop-ups with this same Quicktime logo attached every couple of minutes. It wasn't so bad at first, but every time I clicked a single link to a webpage or whatever, a new browser window would open to the following site:

http://imagecache2.allposters.com/im...ters.com/link/


Than, they started coming in more frequently. They all appear to be opening on the url I posted above!

It's getting out of hand now... I just had to struggle to shut down 6 pop-up browser windows prior to posting this message, that were all appearing at the same time!

I fear this is only going to get worse and it's making browsing the web really difficult and a hassle!


Can anyone please help me out??

I'm not sure if I should delete QuickTime or if I've somehow downloaded a virus or somebody is trying to access my computer, but I'd really appreciate any help in fixing this problem!!!

I do a lot of online shopping and transactions through Ebay and Paypal so I'm concerned and would like to resolve this ASAP!

Thanks in advance for any help you can offer!!

 

[MarcoBiscotti]

I should also probably add that I deleted some cookies this morning in my internet tools folder.

I'm running Mozilla Firefox too btw.

The reason I deleted some cookies is because I was having trouble accessing my login page on Ebay (unaware that it was simply a website issue, they were experiencing some downtime) and so I decided to see if deleting my Ebay cookies and a few others would help.

I'm not sure if this is related, but the fact that this all started almost immediately after downloading QT 7 and the fact that QuickTime logos seem to be appearing on the pop-up pages... I'm guessing the issue is with the Quicktime files I downloaded.


I'm running Spybot right now as I type this out (am I allowed to run my web browser while the program is in use?)... hopefully that will detect something - but I'm still hoping you guys could help me out since you seem to be experts on these issues!

Thanks.


PPS - Highlighting text or clicking on url links apparently fuels the pop-ups more. I just discovered this by reading over my above message and being subjected to 5 more windows!


Update: Spybot - No immediate threats were found.

 

[Scott Merryfield]

You can try running Lavasoft's Adaware anti-spyware detector. It is also free. Also, HiJack This! is a more advanced tool for looking at entries in your registry. Make sure you know what you are deleting using this tool, though. There is also a free trial spyware scanner available at www.pandasoftware.com .

I recently cleaned up my niece's PC that had over 14,000 instances of infection on it -- she had no anti-virus, firewall or anti-spyware running, and the CD-ROM drive was dead, so I couldn't just reload the operating system. It took a combination of AVG anti-virus, Spybot, Adaware, CWShredder, HiJack This and manual search/delete with regedit to clean everything.

 

[MarcoBiscotti]

Thanks Scott,

I just ran AdAware and detected 2 problems which seemed to have been minor and unrelated.

I'm running Norton Antivirus (the latest version) and running SpywareBlaster in the background.


I have HiJack This! -- but it's like Chinese to me. I have no idea what any of the log files mean or what to delete or alter.


I'm getting about 4 pop-ups a minute and they seem to be most easily activated / triggered by clicking new threads, opening new tabs, or highlighting text while scrolling through threads.

All the ads on the main HTF forum page (Wedding Crashers, etc) appear with the Quicktime logo in them!

My pc seems to be under attack.

I've got no idea what to do next...

 

[Scott Merryfield]

You may want to start by uninstalling Quicktime. If that doesn't fix the problem, run HiJack This (scan only) and post the log file in this thread. Someone here may recognize the offending entry.

Also, run Task Manager and see if there are any unusual processes running under your userid account name.

 

[MarcoBiscotti]

Thanks a lot Scott.

Here's the details of my Log File:



Logfile of HijackThis v1.97.7
Scan saved at 1:28:21 PM, on 12/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
Crogram FilesCommon FilesSymantec SharedccEvtMgr.exe
Crogram FilesCommon FilesSymantec SharedccApp.exe
C:WINDOWSMixer.exe
Crogram FilesJavajre1.5.0_02binjusched.exe
C:WINDOWSSystem32vrstytj.exe
Crogram FilesJavajre1.5.0_02binjucheck.exe
Crogram FilesMUSICMATCHMUSICMATCH Jukeboxmm_tray.exe
C:WINDOWSSystem32spoolDRIVERSW32X863E_FATI9 EA.EXE
Crogram Filesohcanbdl.exe
CROGRA~1MUSICM~1MUSICM~1MMDiag.exe
Crogram FilesWIDCOMMBluetooth SoftwareBTTray.exe
Crogram FilesNorton SystemWorksNorton CleanSweepcsinsmnt.exe
Crogram FilesLogitechSetPointkem.exe
Crogram FilesWinZipWZQKPICK.EXE
CROGRAM FILESLOGITECHSETPOINTKHALMNPR.EXE
Crogram FilesMUSICMATCHMUSICMATCH Jukeboxmim.exe
Crogram FilesWIDCOMMBluetooth Softwarebinbtwdins.exe
Crogram FilesNorton SystemWorksNorton AntiVirusnavapsvc.exe
Crogram FilesNorton SystemWorksNorton UtilitiesNPROTECT.EXE
C:WINDOWSSystem32pctspk.exe
CROGRA~1NORTON~1SPEEDD~1nopdb.exe
C:WINDOWSSystem32svchost.exe
CROGRA~1WIDCOMMBLUETO~1BTSTAC~1.EXE
C:WINDOWSsystem32ntvdm.exe
C:WINDOWSSystem32wuauclt.exe
C:WINDOWSsystem32notepad.exe
Crogram FilesQuickTimeqttask.exe
Crogram FilesMozilla Firefoxfirefox.exe
C:WINDOWSsystem32notepad.exe
Cocuments and SettingsOliverDesktopSystem SecurityHijack This!HijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = about:blank
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = about:blank
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInt ernet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Crogram FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: (no name) - {6BA36735-F3F5-8D21-D3BC-F50A7B59A6BD} - C:WINDOWSSystem32ttmcleg.dll
O2 - BHO: (no name) - {AD5B06EF-CC24-BE8D-7835-96ECDC921AB0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - Crogram FilesNorton SystemWorksNorton AntiVirusNavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Crogram FilesNorton SystemWorksNorton AntiVirusNavShExt.dll
O4 - HKLM..Run: [CountrySelection] pctptt.exe
O4 - HKLM..Run: [ccRegVfy] "Crogram FilesCommon FilesSymantec SharedccRegVfy.exe"
O4 - HKLM..Run: [ccApp] "Crogram FilesCommon FilesSymantec SharedccApp.exe"
O4 - HKLM..Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..Run: [SunJavaUpdateSched] Crogram FilesJavajre1.5.0_02binjusched.exe
O4 - HKLM..Run: [NeroFilterCheck] C:WINDOWSsystem32NeroCheck.exe
O4 - HKLM..Run: [gwaghtcelkldo] C:WINDOWSSystem32vrstytj.exe
O4 - HKLM..Run: [Symantec NetDriver Monitor] CROGRA~1SYMNET~1SNDMon.exe /Consumer
O4 - HKLM..Run: [SSC_UserPrompt] Crogram FilesCommon FilesSymantec SharedSecurity CenterUsrPrmpt.exe
O4 - HKLM..Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..Run: [MMTray] "Crogram FilesMUSICMATCHMUSICMATCH Jukeboxmm_tray.exe"
O4 - HKLM..Run: [QD FastAndSafe] Crogram FilesNorton SystemWorksNorton CleanSweepQDCSFS.exe /startup
O4 - HKLM..Run: [EPSON Stylus CX6600 Series] C:WINDOWSSystem32spoolDRIVERSW32X863E_FATI9 EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB002" /M "Stylus CX6600"
O4 - HKLM..Run: [NeroCheck] C:WINDOWSsystem32NeroCheck.exe
O4 - HKLM..Run: [MimBoot] CROGRA~1MUSICM~1MUSICM~1mimboot.exe
O4 - HKLM..Run: [QuickTime Task] "Crogram FilesQuickTimeqttask.exe" -atboottime
O4 - HKCU..Run: [Yahoo! Pager] Crogram FilesYahoo!Messengerypager.exe -quiet
O4 - HKCU..Run: [AIM] Crogram FilesAIMaim.exe -cnetwait.odl
O4 - HKCU..Run: [MsnMsgr] "Crogram FilesMSN MessengerMsnMsgr.Exe" /background
O4 - HKCU..Run: [Zvhbmoqe] C:WINDOWSSystem32d?xplore.exe
O4 - HKCU..Run: [LDM] Crogram FilesLogitechDesktop Messenger8876480ProgramBackWeb-8876480.exe
O4 - HKCU..Run: [Ssai] Crogram Filesohcanbdl.exe
O4 - HKLM..RunOnce: [InstallShieldSetup] CROGRA~1COMMON~1INSTAL~1Driver11INTEL3~1I Driver.exe /reboot{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /z
O4 - Startup: Norton Disk Doctor.LNK = Crogram FilesNorton SystemWorksNorton UtilitiesNDD32.EXE
O4 - Startup: Norton System Doctor.LNK = Crogram FilesNorton SystemWorksNorton UtilitiesSYSDOC32.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = Crogram FilesAdobeAcrobat 7.0Readerreader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = Crogram FilesNorton SystemWorksNorton CleanSweepcsinsmnt.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = Crogram FilesLogitechDesktop Messenger8876480ProgramLDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = Crogram FilesMicrosoft OfficeOfficeOSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = Crogram FilesWinZipWZQKPICK.EXE
O8 - Extra context menu item: Send To &Bluetooth - Crogram FilesWIDCOMMBluetooth Softwarebtsendto_ie_ctx.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...1F/wmvadvd.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...?37741.4428125
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab



Also, while I wouldn't have known because I don't use IE, I just ran Browser Hijacker and got 4 or 5 pop-ups that my default homepage had been changed and other such indications of a problem...

 

[MarcoBiscotti]

Anyone have any ideas of what to do with that above information?

 

[Scott Merryfield]

Things that look suspicious to me:

1. d?explore.exe -- see this

2. vrstytj.exe -- a google search doesn't show anything for this one

3. nbdl.exe -- a google search doesn't show anything for this one, either.

 

[MarcoBiscotti]

Thank you Scott, should I go ahead and delete these?

I guess the first one is a sure bet!


Thank you very much!!

 

[MarcoBiscotti]

For some reason, I can no longer find "d?explore.exe" in my HijackThis! program?

I can't locate it to delete..



Edit: I'm downloading Registry Toolkit as suggested in your link so hopefully that will fix these problems (or at least some of them)!

 

[Scott Merryfield]

I think you'll be safe deleting the first two. I'm not sure about the 3rd one, though. At best, it's part of some other application that you've installed yourself and you could always reinstall. At worst, it's spyware and needs to be removed. You could always look in the Crogram FilesOHCA folder to see what's in there.

 

[Scott Merryfield]

It should be d?xplore.exe. Sorry about the typo in my previous response.

 

[MarcoBiscotti]

Thanks Scott - and wow... I'm running Registry Toolkit and at 85% into the system scan, it's already detected 140 errors!!!

I'm betting that this program will be able to delete these problems that you noticed from my Hijack log.

Hopefully this will fix and clean everything up... I wonder how the hell my computer got turned into such a mess?!?

 

[MarcoBiscotti]

Grand Total: 512 Problems!

 

[MarcoBiscotti]

what a load of crap...

It will only repair 21 of the errors and I'll need to purchase the full version to fix the other 491!!


I wonder how much this is gonna run me now...

 

[Kimmo Jaskari]

Rename them instead of deleting at first. Rename something.exe to something.exe.old - that will keep them from running, but give you the option to put them back.

Otherwise I agree that those three are suspect, the ndbl.exe file seems less so since it is actually installed under program files like any other application.

Find these files in windows explorer and right-click on them and look at the Properties. That will often show you more about what these exe files are and where they came from.

For instance, if I look at a file on my own system that is named "FLAC frontend.exe" (I already know what this is, obviously) under the Version tag it tells me it is version 1.7.0.1 of this exe file, the description says Frontend for FLAC and the Copyright field reads Free for all (since this is open source.)

Most windows executables will give you more information in that tab. That may help you in determining what is and is not legit. Sure, the program authors may lie here too, but if it clearly states what the program is, who made it etc it may help you determine whether or not the program is benign.

 

[Kimmo Jaskari]

Registry cleaners usually just remove stuff that is left over from old program installations. Worthwhile to do, but hardly crucial, what is crucial is what is running on your machine and what tampering has been done to your browser.

 

[Scott Merryfield]

Marco,

Try booting your PC into Windows safe mode and deleting those two items, either via HiJack This or using regedit (as a last resort). There is a "find" search function in regedit that you can use to scan the registry for all instances of d?explore.exe and vrstytj.exe. You can also try Kimmo's suggestion of renaming them first, just to be safe (although I'm sure the first two I've listed should not be running). To boot into safe mode, press F8 while Windows is initially loading.

I was able to clean 14,000 instances of infection on my niece's PC using only freeware, regedit and a little patience. I'm sure you can do the same.

 

[Paul Padilla]

Marco is already a little uncomfortable with Hijack This, Kimmo...I'm not sure that I'd throw renaming EXE's at him just yet.



I use Spybot S&D and AdAware in tandem all the time. I've found that one will find things the other misses, and visa versa. It may take several passes including rebooting to get everything. Occasionally there are registry entries that need to be changed manually, but you can blow up that bridge when you come to it. Be extremely careful with Hijack This. It doesn't descriminate what it displays...legit and bogus entries all get lumped together. The warning when you run the program says basically that.

A few things I didn't see mentioned above:

1. Make sure Spybot and Adaware are updated. Just like your anti-virus program they need to be updated regularly so they know all of the newest threats to search for.

2. For Spybot, make sure you're running the most recent version...ver 1.4. You can get it here. If you have 1.3 or earlier, when you try to update it will lead you to believe there are no updates available.

3. Run Spybot and AdAware from safe mode, but only after you're sure they've been updated.

 

[MarcoBiscotti]

Thanks Kimmo!

The registry cleaner was only $24 so I did it and cleaned up my drives.


But for some reason, I ran a search of my entire C drive for "d?xplore.exe" and I turned out not a single result?

I can't even find these listings in the Hijack This! log above... maybe I'm not doing something right?

I'm gonna run another Hijack This! scan and post the results again just to verify.

If you guys could please take a look at it one more time and let me know, it would be a humongous help!

I'll leave the program running this time also so that if there's any problems, I can take care of them than and there...

If you guys could list the number associated with the file (ie. R1, 04, 016, etc) it would also be great because I can't find a single one of those errors you guys posted...

The good news is that I haven't gotten a single pop-up since this morning, but now I'm running about half a dozen adware blockers and spy checkers and anti virus programs in the background!

I just want to make 100% sure that my pc is cleaned and not at any risk...