Solved

spy sites

Posted on 2006-07-09
27
548 Views
Last Modified: 2013-12-04
Hello

I have a computer with Windows XP SP1 installed.

In addition the following software is installed:

SpywareBlaster

Zone-Alarm Pro

Norton AntiVirus 2005

Spybot S&D TeaTimer

WebWasher Classic

Ad-Aware SE Personal

HijackThis 1.99.1

Lately pop-up windows appear when I visit any site. For example, as I was visiting "Experts-Exchange" and writing this question, a pop-up window appeared and in the address bar I think was written:
www.win-antivrus.com

Another pop-up window has, I think, the www.adultfinder.com address; it usually appears when I visit adult sites.

At other times the address bar of the pop-up window shows the spy site address and the name of the site I am visiting at that moment, such as www.yahoo.com

In addition, at each computer session "Zone-Alarm Pro" displays a warning that it blocked a contact with a spy site such as www.imagesrvr.com

How can I prevent these pop-up windows?
Question by:Eaglek1
27 Comments
 
LVL 97

Assisted Solution

by:war1
war1 earned 20 total points
ID: 17068380
Greetings, Eaglek1 !

1. Since you have HijackThis, SpywareBlaster, Spybot S&D, and Ad-Aware, did you check if you have malware?

2. The popups are likely coming from the websites. If the Internet Explorer popup blocker is not stopping the popups, Popup Stopper will block the popups. There is a free version in the lower left of this webpage

http://www.panicware.com/


Best wishes!
0
 
LVL 32

Expert Comment

by:r-k
ID: 17068675
Please post your HJT log as follows:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 30 total points
ID: 17068825
Turn off system restore, scan and clean your system. Turn system restore back on if you wish, I recommend leaving it off.
http://www.xinn.org/annoyance_spy-ware.html
Try using alternate browsers, and by all means begin using best practices: http://xinn.org/win_bestpractices.html It's actually how M$ plans to keep you safe with its next OS... they really aren't fixing anything, other than running IE in lower privileged mode... ActiveX is still present in Vista!
Interview with IE lead Program Manager: http://www.matasano.com/log/332/matasano-interviews-ie-lead-pm-christopher-vaughan
http://blogs.msdn.com/aaron_margosis/archive/2006/06/02/614226.aspx
I've also been saying it for years... http://www.macobserver.com/article/2005/07/21.14.shtml
-rich
0
 

Author Comment

by:Eaglek1
ID: 17071934
Here is the analysis link from http://www.hijackthis.de

http://www.hijackthis.de/logfiles/09e441fd17074d6ee5fbefbab10902bb.html


I would like to add that as I was writing my response to your comments "Zone-Alarm Pro" displayed a warning that it blocked a contact with a spy site www.imagesrvr.com

Then a pop-up window appeared, I copied its address:
http://www.winantivirus.com/pages/scanner/index.phpaid=nm_go_wav_kw&lid=hijack&ax=2&ex=1
0
 
LVL 87

Assisted Solution

by:rindi
rindi earned 30 total points
ID: 17073828
You should run SP2, and also use Windows Update to get a current system. I don't think your old version of IE already has a popup blocker, but the updated version has that built in.

I'd also use a better browser, like Firefox from http://mozilla.org which doesn't use ActiveX controls, which can also compromise your system.
0
 
LVL 97

Expert Comment

by:war1
ID: 17074385
Eaglek1,

Looking at your HijackThis log, check if the IP address belongs to you or your network

O17 - HKLM\System\CCS\Services\Tcpip\..\{EC7C917B-39BE-48CF-A583-ED4842ADB571}: NameServer = 213.189.89.2 213.189.89.4

Otherwise, your HJT log looks clean. Did you use the Popup Stopper that I proposed above?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17077631
Eaglek1,

Please rename Hijackthis.exe to "analyse.exe" or "HJT.exe".
After you have renamed it, run a scan with the renamed HijackThis and post a new link to the log so we can see the result.
The nasties in your PC are hiding from the hijackthis.exe process; that's why you need to rename HijackThis to something else before running a scan.

Once you have renamed HijackThis, the nasties won't be able to hide from the scan.
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 17077978
Eaglek1,
I'm 99% sure (could be wrong of course, lol) that the Vundo trojan is what's hiding from hijackthis.exe, but we can't see it until you rename hijackthis.exe to something else.

Even though Vundo can hide from hijackthis.exe, it cannot hide from VundoFix.exe, so your other option is to follow my hunch and use VundoFix.exe

Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
0
 

Author Comment

by:Eaglek1
ID: 17081050
I cannot perform a renaming of Hijackthis.exe to "analyse.exe" or "HJT.exe".
If there is a step by step instruction I will follow it.

Therefore I chose to download VundoFix.exe and I ran it.
In Windows XP "Normal Mode", after the scanning is finished and many files are removed, a dialog box appears stating that:

C:Windows\system32\mlljh.dll

C:Windows\system32\hjllm.ini

"could no be deleted

VundoFix will attempt to delete it on reboot"

But after reboot and a second scanning the same dialogue box appears.

So I tried running VundoFix in Windows XP "Safe Mode".

The same dialogue box appears, although it lists only
C:Windows\system32\mlljh.dll
as the one that could not be deleted.


Here is the latest analysis from http://www.hijackthis.de after running VundoFix

http://www.hijackthis.de/logfiles/ed5aab51987e1df18f14b2aa57501c34.html


With regard to :
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC7C917B-39BE-48CF-A583-ED4842ADB571}: NameServer = 213.189.89.2 213.189.89.4

It does not belong to me or my network.




Is an early version of the Netscape browser, such as the 4.8 edition, a good alternative to Internet Explorer? Or shall I use Firefox? Or Windows 98?

I will download http://www.panicware.com/

Finally is there a direct link to download Windows XP (SP2).  At present I must go through the "Windows Updates" page which I find hard to navigate and could not find the (SP2) download there.

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17081084
You can usually right-click the exe and select rename. Windows 98 will get infected more than anything, I'd steer clear of it, everyone is an administrator on 98. Firefox or Opera are great browsers to use.
-rich
0
 
LVL 87

Expert Comment

by:rindi
ID: 17081152
You can't directly download XP, but you can download sp2:

http://www.microsoft.com/windowsxp/sp2/default.mspx

Select "Download and deploy SP2 to multiple computers", and then you get to the download site. After installing SP2 make sure you run all windowsupdates after that.

I'd use firefox, it is the best browser around by lengths... Don't use an old netscape browser, it wouldn't be able to show many newer sites properly.

If you want to delete those files above you should try that in safe mode, but I wouldn't delete them but rather rename them in case they are needed. The hijack log doesn't ring any alarm bells except that everything is out of date, and that in itself is alarm enough...
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17081399
Please run VundoFix in Safe mode and let's see if those files will be deleted, if not let's try another way.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17081513
Okay, I didn't see that you already tried safe mode, let's use Avenger.

Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

2. Copy ALL the text contained between the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):

-----------------------------------------------------------------------------------------------------
Files to delete:
C:Windows\system32\mlljh.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mlljh

------------------------------------------------------------------------------------------------------

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Then run HijackThis and fix these entries: (O2 entry display name slightly different)
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll


5. Please post the content of c:\avenger.txt into your reply.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17081635
BTW, an out-of-date Sun Java is the main cause of Vundo infection; an older version of Java is very vulnerable to Vundo, so make sure your version is NOT this one --> j2re1.4.2_03

If you have the above version you can get re-infected almost immediately. Make sure you have the later version "jre1.5.0_06" or jre1.5.0_07.
0
 

Author Comment

by:Eaglek1
ID: 17090161
(1) I have "Java 2 Runtime Environment, SE v1.4.2_01" when I bought the computer but I just downloaded  Java Runtime Environment Version 5.0 Update 7
I hope that is good.

(2) I did run the "Avenger" as recommended, and then the "HijackThis"

Here is the latest analysis link:

http://www.hijackthis.de/logfiles/ed9282bfec1f187f2f16f4c89e8e23a2.html



The c:\avenger.txt  content:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qxclcgkn

*******************

Script file located at: \??\C:\Documents and Settings\jdykyxvr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:Windows\system32\mlljh.dll for deletion
Deletion of file C:Windows\system32\mlljh.dll failed!

Could not process line:
C:Windows\system32\mlljh.dll
Status: 0xc000003a

Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mlljh deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17090545
Oh my stars!!!!!!!!
No wonder Avenger failed to delete the file, I messed up, sorry about that, I just copied it from your post and it is lacking the backward slash "\" after the C:


Please run Avenger again and this time do this (the registry entry is already deleted, so only the file is left):
2. Copy ALL the text contained between the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):

-----------------------------------------------------------------------------------------------------

Files to delete:
C:\Windows\system32\mlljh.dll

-----------------------------------------------------------------------------------------------------
you already know what to do next right?

After Avenger reboots, run hijackthis and fix these entries:
Put a check next to these entries and click "Fix Checked":
O2 - BHO: (no name) - {08074DDA-B99C-4BB2-827A-1A820F8C6ABC} - (no file)    
O2 - BHO: (no name) - {10361A8C-171D-478F-ADE0-57E27822E0E4} - (no file)    
O2 - BHO: (no name) - {1208E0D4-F4B3-4D3C-93A7-051E2FCA8BE9} - (no file)    
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)    
O2 - BHO: (no name) - {5EB020A5-5247-4E34-B616-07A42BA527CC} - (no file)    
O2 - BHO: (no name) - {72DC91A5-67F6-4303-870E-0431B36EC4BF} - (no file)
O2 - BHO: (no name) - {786E237C-A367-4D9B-9A37-690F0714EB98} - (no file)    
O2 - BHO: (no name) - {97BA73D3-ABCD-4B7C-A4C3-944085FDA7C5} - (no file)    
O2 - BHO: (no name) - {AD7EBC02-430D-4033-8CDD-3A8EC0DAE724} - (no file)    
O2 - BHO: (no name) - {DB4A26CF-E977-467D-9C63-92C026BD3E7A} - (no file)    
O2 - BHO: (no name) - {FDC13E24-CD66-4584-BF71-C52CBCD0F747} - (no file)  
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\

0
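The O17 NameServer entry war1 pointed out and the O2/O20 entries listed above are the three HijackThis line types this thread turns on. The script below is an added example, not code from the thread or from HijackThis: it parses those line types and flags an orphaned BHO ("(no file)"), a resolver outside the networks the operator expects, and a Winlogon Notify DLL that is also registered as a BHO. The sample lines are copied from the thread; the EXPECTED_DNS allow-list and the finding names are constructed for the example.

```python
"""Triage a HijackThis-style log for the entry types discussed in this thread.

Added example, not code from the thread or from HijackThis. Recognises:
  O2  - BHO entries, flagged when they point at "(no file)" (orphaned CLSID)
  O17 - per-interface NameServer values, flagged when a resolver is outside
        the networks the operator expects (EXPECTED_DNS below is constructed)
  O20 - Winlogon Notify DLLs, flagged when the same DLL is also registered
        as a BHO, the pairing seen for mlljh.dll in the thread
"""
import ipaddress
import re

# Sample lines copied from the thread; not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\mlljh.dll
O2 - BHO: (no name) - {08074DDA-B99C-4BB2-827A-1A820F8C6ABC} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC7C917B-39BE-48CF-A583-ED4842ADB571}: NameServer = 213.189.89.2 213.189.89.4
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
"""

# Constructed allow-list: the resolvers this machine is expected to use
# (a home router on 192.168.1.0/24 in this example).
EXPECTED_DNS = [ipaddress.ip_network("192.168.1.0/24")]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return a list of findings (dicts with a 'kind' key) for the log text."""
    findings = []
    bho_by_path = {}      # lower-cased DLL path -> CLSID
    notify_entries = []   # (name, path, line)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            path = m.group("path").strip()
            if path.lower() == "(no file)":
                # Orphaned BHO registration: a CLSID with no DLL behind it.
                findings.append({"kind": "orphaned_bho", "clsid": m.group("clsid"), "line": line})
            else:
                bho_by_path[path.lower()] = m.group("clsid")
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split():
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    findings.append({"kind": "unparseable_nameserver", "value": server, "line": line})
                    continue
                if not any(addr in net for net in expected_dns):
                    findings.append({"kind": "unexpected_nameserver", "value": server, "line": line})
            continue
        m = O20_RE.match(line)
        if m:
            notify_entries.append((m.group("name"), m.group("path").strip(), line))

    # Second pass: a Winlogon Notify DLL is loaded by winlogon.exe at logon,
    # so if the same DLL is also a BHO, fixing only the O2 entry leaves it
    # loaded on the machine. Report the pairing as one finding.
    for name, path, line in notify_entries:
        clsid = bho_by_path.get(path.lower())
        if clsid is not None:
            findings.append({"kind": "notify_dll_is_bho", "name": name, "clsid": clsid, "line": line})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["kind"], "->", finding["line"])
```

Run against the sample it reports four findings: one orphaned BHO, two unexpected resolvers (both 213.189.89.x addresses), and the mlljh.dll pairing. The allow-list is the part to adapt: an O17 finding only means "not a resolver I configured", which is exactly the check the experts asked the author to make by hand.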
 

Author Comment

by:Eaglek1
ID: 17098550
Hello

After running "Avenger", at restart of the computer there was not the usual automatic appearance of the "Avenger" "NotePad" log file; instead a "Notepad" dialogue box appeared and it gave me three choices, "Yes", "No" and "Cancel". I chose "Yes" but the "NotePad" it produced was blank.

Then I ran "HijackThis". Here is the result of "HijackThis" after fixing the entries:

Logfile of HijackThis v1.99.1
{Log removed by rindi, PE Storage}

And here is the latest analysis link :
http://www.hijackthis.de/logfiles/b26a97e121585e636a3585dff7eb6b11.html



I am wondering why we did not fix entry:
 O17 - HKLM\System\CCS\Services\Tcpip\..\{EC7C917B-39BE-48CF-A583-ED4842ADB571}: NameServer = 213.189.89.2 213.189.89.4

0
 
LVL 87

Expert Comment

by:rindi
ID: 17098750
>> I am wondering why we did not fix entry:
 O17 - HKLM\System\CCS\Services\Tcpip\..\{EC7C917B-39BE-48CF-A583-ED4842ADB571}: NameServer = 213.189.89.2 213.189.89.4 <<

I don't think this is really a threat, although you can of course fix it, there should be no harm done.

Your system still is out of date, you should first update it with SP2 and the Windows updates, and then use the popup blocker of the more secure newer version of Internet Explorer.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17099668
Not sure why Avenger didn't produce a log file.
You can check in the C:\Avenger.txt if it creates a log file.

Vundo is no longer showing in your hijackthis log so that is good.
You can check and make sure that this file -->C:\Windows\system32\mlljh.dll
is no longer in your system.

This O17 entry below you can fix if it doesn't belong to your domain/ISP, but I don't see it as a threat, not listed in the IP blacklist. The IP is located somewhere in Kuwait, belongs to Qualitynet.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC7C917B-39BE-48CF-A583-ED4842ADB571}: NameServer = 213.189.89.2 213.189.89.4
0
 

Author Comment

by:Eaglek1
ID: 17101913
In "Local Disk C" in the "Avenger" folder there is a zipped folder with today's date and the time I ran the Avenger. If I click on it another "Avenger" folder appears; if I click on that there are two icons, one for a text file titled "Avenger", the other not a text file, titled "backup".

Here is the content of the text file:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qxclcgkn

*******************

Script file located at: \??\C:\Documents and Settings\jdykyxvr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:Windows\system32\mlljh.dll for deletion
Deletion of file C:Windows\system32\mlljh.dll failed!

Could not process line:
C:Windows\system32\mlljh.dll
Status: 0xc000003a

Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mlljh deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17104842
You can just delete those Avenger folders and start again if you like. Avenger does not delete or overwrite backups, it just renames the first one.

>>Could not open file C:Windows\system32\mlljh.dll for deletion
Deletion of file C:Windows\system32\mlljh.dll failed!<<

this was the result of the first one right?
failed to delete because of the typo, not having the backward slash "\" after the C:
Avenger couldn't perform the request because of the wrong path. Do you see what I mean?

I then asked you to run Avenger again using the correct path as in below:(with the "\" included)
-----------------------------------
Files to delete:
C:\Windows\system32\mlljh.dll
0
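The two Avenger runs above differ in one character, and their status codes say so: 0xc000003a for the drive-relative path "C:Windows\..." and 0xc0000034 once the path was correct and the file was already gone. The script below is an added example, not code from the thread or from The Avenger; it lints the "Files to delete" section of a script for paths missing the backslash after the drive letter and decodes the two NTSTATUS values seen in this thread. The two scripts embedded in it are the ones posted above; the NTSTATUS names are the documented Windows values.

```python
"""Check an Avenger-style removal script for drive-relative paths and
decode the NTSTATUS codes Avenger printed in this thread.

Added example, not code from the thread or from The Avenger. The two
scripts below are the ones posted above (the first with the typo, the
second corrected); the NTSTATUS table holds documented Windows values.
"""
import re

# "C:Windows\..." has no separator after the drive letter. Windows treats
# that as relative to the current directory on drive C:, so the deletion
# was attempted under the process's working directory, not under C:\.
DRIVE_RELATIVE = re.compile(r"^[A-Za-z]:(?![\\/])")
ABSOLUTE_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

# NTSTATUS values seen in the Avenger logs above (documented Windows codes).
NTSTATUS = {
    0xC000003A: ("STATUS_OBJECT_PATH_NOT_FOUND",
                 "a directory component of the path does not exist; the path itself is wrong"),
    0xC0000034: ("STATUS_OBJECT_NAME_NOT_FOUND",
                 "the directory exists but the final file or key is not there; it is already gone"),
}

# Script as first posted in the thread (note the missing backslash after C:).
TYPO_SCRIPT = r"""
-----------------------------------
Files to delete:
C:Windows\system32\mlljh.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mlljh
-----------------------------------
"""

# Corrected script from the follow-up post.
FIXED_SCRIPT = r"""
-----------------------------------
Files to delete:
C:\Windows\system32\mlljh.dll
-----------------------------------
"""


def parse_script(text):
    """Split an Avenger script into {section_name_lowercase: [entries]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line.endswith(":"):
            current = line[:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_paths(entries):
    """Return (entry, problem) pairs for paths that would not resolve as intended."""
    problems = []
    for entry in entries:
        if DRIVE_RELATIVE.match(entry):
            problems.append((entry, "drive-relative path: missing '\\' after the drive letter"))
        elif not ABSOLUTE_DRIVE_PATH.match(entry):
            problems.append((entry, "not an absolute drive path"))
    return problems


def lint_script(text):
    """Run check_paths over the 'Files to delete' section of a script."""
    return check_paths(parse_script(text).get("files to delete", []))


def explain_status(code):
    """Map an NTSTATUS (int or '0x...' string) to (name, meaning)."""
    if isinstance(code, str):
        code = int(code, 16)
    return NTSTATUS.get(code, ("UNKNOWN_STATUS", "not in this table"))


if __name__ == "__main__":
    print("typo script:", lint_script(TYPO_SCRIPT))
    print("fixed script:", lint_script(FIXED_SCRIPT))
    for status in ("0xc000003a", "0xc0000034"):
        print(status, "->", explain_status(status))
```

Linting the first script reports the single bad path; the corrected script passes. The status decoder makes the same distinction rpggamergirl drew by eye: PATH_NOT_FOUND means the request never reached the right directory, NAME_NOT_FOUND means it did and the file was no longer there.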
 

Author Comment

by:Eaglek1
ID: 17107294
I ran the "Avenger" in Windows XP "Safe Mode" and it restarted and produced
a "NotePad" log file in the "Normal Mode" of Windows XP.

Then in Windows XP "Safe Mode" I ran "HijackThis" which fixed errors and produced a log file in the "Safe Mode" of Windows XP.

Here is the latest analysis:
http://www.hijackthis.de/logfiles/144d1d46ee7c9a063504905def8a60b4.html


Here is the latest "Avenger"  log file

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uvrgjxgy

*******************

Script file located at: \??\C:\Documents and Settings\wbbsfmyk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Windows\system32\mlljh.dll not found!
Deletion of file C:\Windows\system32\mlljh.dll failed!

Could not process line:
C:\Windows\system32\mlljh.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.


0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17107703
>>File C:\Windows\system32\mlljh.dll not found!
Deletion of file C:\Windows\system32\mlljh.dll failed!<<

Well, Avenger did not find the file so that means it's no longer there otherwise Avenger would've found it because the path is correct.

I don't see any malware entries in your Hijackthis log.
How's your PC going, no more popups?
0
 

Author Comment

by:Eaglek1
ID: 17110022
The computer is running fine, no more popup windows.
Thanks to all of you
0
 
LVL 87

Expert Comment

by:rindi
ID: 17110064
You're welcome
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17112455
No problem, :)
0
