[SGVLUG] Need help with clearing popups from windows system

Emerson, Tom Tom.Emerson at wbconsultant.com
Mon Sep 4 10:17:57 PDT 2006 

This is ironic -- I've been so engrossed in linux and such, that now
when someone asks about a windows system I'm as much in the dark as most
call center workers in india... ;)

Seriously, though, my mother has run into a problem with an annoying
popup.  All the off-the-shelf tools (and windows-oriented rootkit
eradicators) "don't find a problem", yet popups are still occuring.  I
took things a step further than these tools and tossed ethereal on the
system and watched what happened.

Turns out every minute or so the system sends a "get" to a website
running a script called "rfe.php"; this in turn seems to give a related
process another website to check, which is apparently
"trafficsolutions.com", and that calls up the script /bc/ad-rotator.php
(or similar); eventually one of these will hit the right combination of
"event" to say "aha! Display this one!"

So, figuring to "cut it's legs off", I went into zone alarm's "firewall"
and told it to flat out BLOCK the two sites it was going to.

Sure enough, no popups.

Unfortunately, this also jams up her internet connection when the bugger
can't get out to check on things back home.  NEW connections flat out
fail UNTIL I do an "nslookup" of a site (probably could be any site, but
I was checking the one I intended to view) from a DOS prompt --  sure,
/I/ could do things this way, but how do you tell you mother, "OK, every
time you want to change webpages, you have to type this at a command
line first..."

I'm not sure if it was the same one or not, but I also found ANOTHER
process that was issuing an HTTP POST to a site, passing 120 bytes of
binary data, and receiving 180 bytes of equally obscure binary data
(also every minute or two.)

BTW: a google search of "trafficsolutions" returns "e-trafficsolutions",
which has this in the summary:

   E-Trafficsolutions Complete Traffic Exchange System
   Free Traffic : E-Trafficsolutions Generates Web Site Traffic using
Surf
   Start-pages - Banner Exchange - Exit Ads - Pop-ups - Pop-under s and
   Linking ...

   E-Trafficsolutions -The Smart Fast Search
   E-Trafficsolution is The Smart Fast Search PPC Search Engine.
   e-trafficsolutions.com/ - 46k - Cached - Similar pages

Figuring "hey, this machine is already infected", I went to the site -
it looks like this does mean scary shit to one's computer -- I don't
recommend "checking" on this from a clean windows system (and even
reluctant on a linux system, but that's just me being paranoid)

I suspect my mom may have tripped onto this or a related page just doing
normal everyday stuff (I've noticed how some ISP's and or domain
registrars will point you to a specialized "search" page if you mistype
a URL, this could easily have been one of them...)  

My brother-in-law and I concur that the most likely situation is that "a
system file has been compromised" such that it hides itself from most
scanning tools.  It can't hide from ethereal since it -HAS- to go out to
"some site somewhere" to get the current pop-up data, unfortunately,
ethereal falls a few steps short as well (or else I simply don't know
how to do this, but...) as I cannot tell what PROCESS initiated the
website requests.  I do have a suspicion, though, since when I was done
trying to "fix" things, I proceeded to shut down in a semi-orderly
fashion -- closed all open "IE" windows, then checked the process tree
-- there were 8 or more "IEXPLORE" processes in what I suspect was a
"zombie" state.  I started killing these, and as I killed the 4th or 5th
one, the system rebooted...

Any suggestions on where to turn next?  My dad doesn't relish the
thought of tracking down all the programs she HAS installed (along with
"wherever" they place their data files) in order to do a clean install
and recovery  (but I'm thinking "that's going to have to be done...",
although the other suggestion we have on the table is to remove the
drive and mount it as a secondary drive on another system and scan it
from there or use a "liveCD" from a linux distro that has a windows AV
scanner built into the CD...)

More information about the SGVLUG mailing list