AfterDawn Forums

Very well hidden adware

This discussion thread has 14 messages.

#1
For a few days now Firefox (17.0.1) has been popping up once (and only once) per day leading me to an obvious scam ad site. Interestingly enough the site is localized into Finnish. So far I've only been getting these sites:
fi.yurmobile .com
fiiq.moboo .me

This site is where it leads me first and it then redirects me to the sites above.
aff.ringtonepartner com/geo/preset/1706/4/?subid=1793

I have Windows 7 Pro 64bit (I do keep the system up to date), I use COMODO Firewall, and avast. Neither has been doing anything out of the ordinary lately. No clues as to where I caught the adware. I referred to the stickies on this forum and did the necessary scans. With little results.

avast! Pro Antivirus: nothing
Malwarebytes Anti-Malware: nothing
Spybot Search & Destroy: nothing
Ad Aware Free Antivirus: Backdoor.Win32.Hupigon.nqr + a couple of trojans (cleaned but ads still appear)

Panda Clouds Cleaner:

Suspicious Policy. POLICY: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[ENABLELUA] to be changed to: 1

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[START_SHOWRECENTDOCS] to be changed to: 1

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[START_SHOWMYMUSIC] to be changed to: 1

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[START_SHOWMYPICS] to be changed to: 1

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[START_SHOWMYDOCS] to be changed to: 1

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[SHOWSUPERHIDDEN] to be changed to: 1

Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[START_SHOWHELP] to be changed to: 1


(fixed these, still getting ads)

Trend Micro HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:47:12, on 07.12.2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16455)
Boot mode: Normal

Running processes:
C:\ProgramData\DatacardService\DCSHelper.exe
P:\WhatPulse\WhatPulse.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
P:\Avast\AvastUI.exe
P:\Messenger Plus!\PlusService.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
G:\Steam\Steam.exe
P:\Winamp\winamp.exe
P:\Mozilla Firefox\firefox.exe
P:\Notepad++\notepad++.exe
P:\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:/(can't post links)/go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:/(can't post links)/go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:/(can't post links)/go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:/(can't post links)/go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:/(can't post links)/go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - P:\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: AMD SteadyVideo BHO - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - P:\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - P:\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - P:\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - P:\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [avast] "P:\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [PlusService] P:\Messenger Plus!\PlusService.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MessengerPlusForSkypeService] "C:\Program Files (x86)\Yuna Software\Messenger Plus! for Skype\MsgPlusForSkypeService.exe"
O4 - HKCU\..\Run: [Steam] "G:\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WhatPulse] P:\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Demian\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User LOCAL SERVICE)
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User LOCAL SERVICE)
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User NETWORK SERVICE)
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User NETWORK SERVICE)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://P:\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - P:\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra Tools menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - P:\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - P:\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra Tools menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - P:\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.clonewarsadventures.com
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E04F592-1CF0-424E-AE1B-93374C9C82A6}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9A6CEA0-5F00-46BE-BA00-1C8DA6305864}: NameServer = 62.241.198.245 62.241.198.246
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E04F592-1CF0-424E-AE1B-93374C9C82A6}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E04F592-1CF0-424E-AE1B-93374C9C82A6}: NameServer = 8.8.8.8,8.8.4.4
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O18 - Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll
O18 - Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: ASUS System Control Service (AsSysCtrlService) - ASUSTeK Computer Inc. - C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
O23 - Service: avast! Antivirus - AVAST Software - P:\Avast\AvastSvc.exe
O23 - Service: @%systemroot%\system32\CISVC.EXE,-1 (CISVC) - Unknown owner - C:\Windows\system32\CISVC.EXE (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdagent) - COMODO - P:\COMODO\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HWDeviceService64.exe - Unknown owner - C:\ProgramData\DatacardService\HWDeviceService64.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Messenger Plus! Service (MsgPlusService) - Yuna Software - C:\Program Files (x86)\Yuna Software\Messenger Plus! for Skype\MsgPlusForSkypeService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Ad-Aware (SBAMSvc) - GFI Software - C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: WTService - Unknown owner - C:\Windows\system32\atwtusb.exe (file missing)

--
End of file - 10977 bytes

This message has been edited since its posting. Latest edit was made on 08 Dec 2012 @ 15:01
▼▼ This topic has 13 answers - they are below this advertisement ▼▼
AfterDawn Advertisement
#2
you have Messenger Plus which is a really bad guy....

O4 - HKLM\..\Run: [PlusService] P:\Messenger Plus!\PlusService.exe


if Malwarebytes was unable to find and fix it then try this:

Download Emsisoft Emergency Kit from this page: http://www.emsisoft.com/en/software/eek/

Once it's finished downloading, extract the contents from the zip file. Then double click on the file called "start" and open the "Emergency Kit Scanner". When prompted allow it to update the database. Once it's updated select the option to go "Back To Security Status". Then go to "Scan now" and select the option to perform a "Deep Scan". Once the scan is complete remove all detected items. Restart whenever required.

My bad, I said Smart scan at first but, meant "Deep Scan" cause you have files on more than one drive or partitions. That may take a while so, don't hold your breath.....
This message has been edited since its posting. Latest edit was made on 07 Dec 2012 @ 21:45



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
#3
Done, cleaned, and didn't help. Here are the results.

Emsisoft Emergency Kit:
Tracking cookies
Trace.File:IamBigBrother (in Windows fonts folder)
Few trojans

Still getting ads but interestingly enough it always directs me to this site first before it redirects me to the ad.
aff.ringtonepartner com/geo/preset/1706/4/?subid=1793

"Subid" seems to be "subscriber id" and that has stayed the same every time I get an ad. I'm starting to think Messenger Plus sneaked in some adware even though I was very careful when installing it. I think I actually read the EULA too and I don't remember anything shady.
#4
try a system restore to before the problem showed up then update & run your anti-spyware\malware programs.
#5
DataNalle,

If EEK wasn't able to clean it and if you are unable to restore back far enough,
please post a new HJT Log and maybe can find a cure..

2oG



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
#6
One BIG question....
Have you tried running these scans on "SAFE MODE"?!?!
Because sometimes they will only be found / deleted on Safe Mode.
Try that and see what happens.
#7
Originally posted by Vato:
One BIG question....
Have you tried running these scans on "SAFE MODE"?!?!
Because sometimes they will only be found / deleted on Safe Mode.
Try that and see what happens.
It really depends on the program you are using and what you are looking for…

Some antivirus and antimalware programs depend on the processes that do not run in safe mode in order to work properly.

Some malware, like rootkits, hide and need to be running in normal mode in order to be tracked down.

If you get a good helper they should know the best method.


2oG



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
#8
Check this out! You probably can't get rid of it. Only a format will surely remove it. I am now using a sacrificial user with limited right with addblock and am running sandboxed. The user will be destroyed when I am done browsing. I will be doing this for any site that displays adds.


[ http://forums.afterdawn.com/t.cfm/f-166...attack-951181/] A new form of malware attack[/url]
#9
oh mez come on now.thats just a little paranoid isnt it?ive surfed these sites for years and some others that were questionable to say the least and ive had on infection i had to get help on.thanks 2old.im not out to denegrate you in any way but how the heck do you get any browsing done at all?tracking cookies and ads are not as evil as you are making them out to be.chill man.
#10
I think it's safe to say I found the culprit. I uninstalled Messenger Plus! a few days ago using it's own uninstaller and I haven't had a single ad since. There has to be some some hidden adware in the program because I am 100% I didn't install any of toolbars or other "goodies" that came with it.
#11
Originally posted by 2oldGeek:
you have Messenger Plus which is a really bad guy....

O4 - HKLM\..\Run: [PlusService] P:\Messenger Plus!\PlusService.exe
Something told me that you would eventually find it.... :)

2oG
This message has been edited since its posting. Latest edit was made on 15 Dec 2012 @ 17:15



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
#12
Reading is hard!


#13
Originally posted by Ripper:
Reading is hard!
then pee on the dam fence, like always.... LOL



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
#14
or get glasses so reading is not hard to read.
This discussion thread has been automatically closed, as it hasn't received any new posts during the last 180 days. This means that you can't post replies or new questions to this discussion thread.

If you have something to add to this topic, use this page to post your question or comments to a new discussion thread.