Dang Adware...

Capm · Post by **Capm** » Mon Mar 14, 2005 11:35 pm

I've got a machine here, I've been through it pretty thoroughly, adaware, hijack this, spybot etc..

I've still got a piece of adware in there, every few minutes, a couple of internet explorer windows popup with ads, and I can't seem to track it down, I've been through all the startup configs etc... Anyone got any ideas where to look for this blasted thing?

Krom · Post by **Krom** » Mon Mar 14, 2005 11:41 pm

Find out what rundll32 is up to, what you are looking for is probably a DLL attached to some other program not a program by itself.

Grendel · Post by **Grendel** » Tue Mar 15, 2005 12:09 am

Came along some really clever adware lately -- had to find a program that would at least tell me what it is so I could lookup what it's dll's where. Hooked up in three places -- startup registry entries, shell extensions and IE dll's. Each one would reinstall the other one of course. Two processes running at realtime level monitoring each other where just the front end. That sucker even came up in safe mode. M$ AntiSpy told me what its name was, I then found some info where that beast usually is located. Used sysinternals (http://www.sysinternals.com) process explorer to suspend (not kill) the watchdogs, autoruns to kill every suspect registry entry. Then I unregistered the dll's, killed the dogs and booted into safe mode, deleting the leftovers.. Pain in the arse.

Xamindar · Post by **Xamindar** » Tue Mar 15, 2005 1:24 am

ack, have you looked in msconfig?

I always disable that rundll32 anyway.

Asrale · Post by **Asrale** » Tue Mar 15, 2005 10:10 am

Download Rootkit Revealer and post a screenshot of its results.

MD-2389 · Post by **MD-2389** » Tue Mar 15, 2005 8:12 pm

Could you also post the log generated by Hijack This?

edit: A newer version of Hijack This! was released on Feb 16th. download.

Krom · Post by **Krom** » Tue Mar 15, 2005 8:58 pm

Xamindar wrote:ack, have you looked in msconfig?

I always disable that rundll32 anyway.

Uhmm, rundll32 does have a purpose in windows, if it is running odds are it needs to be running, for instance I use nview desktop manager and it runs from rundll.

Xamindar · Post by **Xamindar** » Wed Mar 16, 2005 2:48 pm

Krom wrote:
Xamindar wrote:ack, have you looked in msconfig?

I always disable that rundll32 anyway.
Uhmm, rundll32 does have a purpose in windows, if it is running odds are it needs to be running, for instance I use nview desktop manager and it runs from rundll.

eh, I've never had any problems with it disabled.

Krom · Post by **Krom** » Wed Mar 16, 2005 8:23 pm

Try bringing up display properties, rundll32 will be running if you do.

Capm · Post by **Capm** » Wed Mar 16, 2005 9:17 pm

I'll see to posting the log next time I get in the office.

World War Woodi · Post by **World War Woodi** » Fri Mar 18, 2005 3:43 am

Um, how bout ditching IE and running mozilla firefox ?
I have nearly 0 ad hits when I run my adaware and spybot since switching.

When I was running IE with my 3 kids using the computer I would average 30 to 150 ad hits and hijacks.

Iam VERY happy with firefox.

DCrazy · Post by **DCrazy** » Fri Mar 18, 2005 5:12 am

woodi: Adware that's already on the machine has a tendency to launch its ads in IE, regardless of your preferred browser setting.

BUBBALOU · Post by **BUBBALOU** » Fri Mar 18, 2005 6:04 am

ignorance is bliss

My box is Tight , I know of no such things

Admiral LSD · Post by **Admiral LSD** » Fri Mar 18, 2005 11:15 am

woodi wrote:Um, how bout ditching IE and running mozilla firefox ?
I have nearly 0 ad hits when I run my adaware and spybot since switching.

When I was running IE with my 3 kids using the computer I would average 30 to 150 ad hits and hijacks.

Iam VERY happy with firefox.

Firefox isn't immune to adware either:

http://www.vitalsecurity.org/2005/03/fi ... ts-ie.html