[SGVLUG] Need help with clearing popups from windows system

nix.slayer at charter.net
Mon Sep 4 12:10:53 PDT 2006


Emerson, Tom wrote:

>This is ironic -- I've been so engrossed in linux and such, that now
>when someone asks about a windows system I'm as much in the dark as most
>call center workers in India... ;)
>
>Seriously, though, my mother has run into a problem with an annoying
>popup.  All the off-the-shelf tools (and windows-oriented rootkit
>eradicators) "don't find a problem", yet popups are still occurring.  I
>took things a step further than these tools and tossed ethereal on the
>system and watched what happened.
>
>Turns out every minute or so the system sends a "get" to a website
>running a script called "rfe.php"; this in turn seems to give a related
>process another website to check, which is apparently
>"trafficsolutions.com", and that calls up the script /bc/ad-rotator.php
>(or similar); eventually one of these will hit the right combination of
>"event" to say "aha! Display this one!"
>
>So, figuring to "cut its legs off", I went into zone alarm's "firewall"
>and told it to flat out BLOCK the two sites it was going to.
>
>Sure enough, no popups.
>
>Unfortunately, this also jams up her internet connection when the bugger
>can't get out to check on things back home.  NEW connections flat out
>fail UNTIL I do an "nslookup" of a site (probably could be any site, but
>I was checking the one I intended to view) from a DOS prompt --  sure,
>/I/ could do things this way, but how do you tell your mother, "OK, every
>time you want to change webpages, you have to type this at a command
>line first..."
>
>I'm not sure if it was the same one or not, but I also found ANOTHER
>process that was issuing an HTTP POST to a site, passing 120 bytes of
>binary data, and receiving 180 bytes of equally obscure binary data
>(also every minute or two.)
>
>BTW: a google search of "trafficsolutions" returns "e-trafficsolutions",
>which has this in the summary:
>
>   E-Trafficsolutions Complete Traffic Exchange System
>   Free Traffic : E-Trafficsolutions Generates Web Site Traffic using Surf
>   Start-pages - Banner Exchange - Exit Ads - Pop-ups - Pop-unders and
>   Linking ...
>
>   E-Trafficsolutions -The Smart Fast Search
>   E-Trafficsolution is The Smart Fast Search PPC Search Engine.
>   e-trafficsolutions.com/ - 46k - Cached - Similar pages
>
>Figuring "hey, this machine is already infected", I went to the site -
>it looks like this does mean scary shit to one's computer -- I don't
>recommend "checking" on this from a clean windows system (and even
>reluctant on a linux system, but that's just me being paranoid)
>
>I suspect my mom may have tripped onto this or a related page just doing
>normal everyday stuff (I've noticed how some ISPs and/or domain
>registrars will point you to a specialized "search" page if you mistype
>a URL, this could easily have been one of them...)
>
>My brother-in-law and I concur that the most likely situation is that "a
>system file has been compromised" such that it hides itself from most
>scanning tools.  It can't hide from ethereal since it -HAS- to go out to
>"some site somewhere" to get the current pop-up data, unfortunately,
>ethereal falls a few steps short as well (or else I simply don't know
>how to do this, but...) as I cannot tell what PROCESS initiated the
>website requests.  I do have a suspicion, though, since when I was done
>trying to "fix" things, I proceeded to shut down in a semi-orderly
>fashion -- closed all open "IE" windows, then checked the process tree
>-- there were 8 or more "IEXPLORE" processes in what I suspect was a
>"zombie" state.  I started killing these, and as I killed the 4th or 5th
>one, the system rebooted...
>
>Any suggestions on where to turn next?  My dad doesn't relish the
>thought of tracking down all the programs she HAS installed (along with
>"wherever" they place their data files) in order to do a clean install
>and recovery  (but I'm thinking "that's going to have to be done...",
>although the other suggestion we have on the table is to remove the
>drive and mount it as a secondary drive on another system and scan it
>from there or use a "liveCD" from a linux distro that has a windows AV
>scanner built into the CD...)
Try this: Ad-Aware SE Personal Edition 1.06
http://www.download.com/3000-2144-10045910.html

http://en.wikipedia.org/wiki/Adware
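The periodic "every minute or so" GET pattern the poster spotted by eye in ethereal, automated as an added example (not code from this thread): it reads a simplified request list exported from a capture and flags hosts that are hit at a near-constant interval. The host names in the sample are constructed placeholders; the two script paths are the ones named in the message.

```python
"""Flag hosts contacted at a near-constant interval (automated version of the
"every minute or so" check the poster did by eye in ethereal). Input: one
request per line, "<seconds> <host> <path>", as exported from a capture."""

from statistics import mean, pstdev

# Constructed sample: two hosts polled about once a minute, mixed with ordinary browsing.
SAMPLE = """\
0 mail.example.net /inbox
60 ads-a.example.invalid /rfe.php
70 www.example.org /index.html
121 ads-a.example.invalid /rfe.php
123 ads-b.example.invalid /bc/ad-rotator.php
180 ads-a.example.invalid /rfe.php
185 ads-b.example.invalid /bc/ad-rotator.php
240 ads-a.example.invalid /rfe.php
247 ads-b.example.invalid /bc/ad-rotator.php
300 ads-a.example.invalid /rfe.php
309 ads-b.example.invalid /bc/ad-rotator.php
311 www.example.org /news.html
900 www.example.org /about.html
905 www.example.org /about.css
"""

def parse(lines):
    """Yield (timestamp, host, path) from non-empty, non-comment lines."""
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            ts, host, path = line.split(None, 2)
            yield float(ts), host, path

def find_beacons(lines, min_hits=4, max_jitter=0.25):
    """Return {host: (mean_gap_seconds, hit_count)} for hosts with at least
    min_hits requests whose gaps vary by no more than max_jitter (stdev/mean)."""
    times = {}
    for ts, host, _ in parse(lines):
        times.setdefault(host, []).append(ts)
    beacons = {}
    for host, ts in times.items():
        if len(ts) < min_hits:
            continue  # too few requests to call it a pattern
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[host] = (round(avg, 1), len(ts))
    return beacons

if __name__ == "__main__":
    for host, (gap, hits) in find_beacons(SAMPLE.splitlines()).items():
        print(f"{host}: {hits} requests, one every ~{gap}s")
```

Once the beaconing hosts are known, the process behind them is the missing link the message describes; on the Windows box itself `netstat -ano` lists the owning PID for each live connection, which ethereal alone cannot show.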


More information about the SGVLUG mailing list