[SGVLUG] Need help with clearing popups from windows system

Alex Roston tungtung at pacbell.net
Tue Sep 5 14:11:34 PDT 2006


Tom,

Isn't Zone Alarm telling you which program is attempting to access the 
Internet? You'll need to replace that one. You also might simply try 
reinstalling Windows if you've got an install disk - make sure your 
mom's computer is off-line, and the Windows disk will replace whatever 
file has gone bad with a good version of the same file.

Alex


Emerson, Tom wrote:

>This is ironic -- I've been so engrossed in linux and such, that now
>when someone asks about a windows system I'm as much in the dark as most
>call center workers in India... ;)
>
>Seriously, though, my mother has run into a problem with an annoying
>popup.  All the off-the-shelf tools (and windows-oriented rootkit
>eradicators) "don't find a problem", yet popups are still occurring.  I
>took things a step further than these tools and tossed ethereal on the
>system and watched what happened.
>
>Turns out every minute or so the system sends a "get" to a website
>running a script called "rfe.php"; this in turn seems to give a related
>process another website to check, which is apparently
>"trafficsolutions.com", and that calls up the script /bc/ad-rotator.php
>(or similar); eventually one of these will hit the right combination of
>"event" to say "aha! Display this one!"
>
>So, figuring to "cut its legs off", I went into Zone Alarm's "firewall"
>and told it to flat out BLOCK the two sites it was going to.
>
>Sure enough, no popups.
>
>Unfortunately, this also jams up her internet connection when the bugger
>can't get out to check on things back home.  NEW connections flat out
>fail UNTIL I do an "nslookup" of a site (probably could be any site, but
>I was checking the one I intended to view) from a DOS prompt -- sure,
>/I/ could do things this way, but how do you tell your mother, "OK, every
>time you want to change webpages, you have to type this at a command
>line first..."
>
>I'm not sure if it was the same one or not, but I also found ANOTHER
>process that was issuing an HTTP POST to a site, passing 120 bytes of
>binary data, and receiving 180 bytes of equally obscure binary data
>(also every minute or two.)
>
>BTW: a google search of "trafficsolutions" returns "e-trafficsolutions",
>which has this in the summary:
>
>   E-Trafficsolutions Complete Traffic Exchange System
>   Free Traffic : E-Trafficsolutions Generates Web Site Traffic using Surf
>   Start-pages - Banner Exchange - Exit Ads - Pop-ups - Pop-unders and
>   Linking ...
>
>   E-Trafficsolutions - The Smart Fast Search
>   E-Trafficsolution is The Smart Fast Search PPC Search Engine.
>   e-trafficsolutions.com/ - 46k - Cached - Similar pages
>
>Figuring "hey, this machine is already infected", I went to the site -
>it looks like this does mean scary shit to one's computer -- I don't
>recommend "checking" on this from a clean windows system (and even
>reluctant on a linux system, but that's just me being paranoid)
>
>I suspect my mom may have tripped onto this or a related page just doing
>normal everyday stuff (I've noticed how some ISPs and/or domain
>registrars will point you to a specialized "search" page if you mistype
>a URL, this could easily have been one of them...)
>
>My brother-in-law and I concur that the most likely situation is that "a
>system file has been compromised" such that it hides itself from most
>scanning tools.  It can't hide from ethereal since it -HAS- to go out to
>"some site somewhere" to get the current pop-up data, unfortunately,
>ethereal falls a few steps short as well (or else I simply don't know
>how to do this, but...) as I cannot tell what PROCESS initiated the
>website requests.  I do have a suspicion, though, since when I was done
>trying to "fix" things, I proceeded to shut down in a semi-orderly
>fashion -- closed all open "IE" windows, then checked the process tree
>-- there were 8 or more "IEXPLORE" processes in what I suspect was a
>"zombie" state.  I started killing these, and as I killed the 4th or 5th
>one, the system rebooted...
>
>Any suggestions on where to turn next?  My dad doesn't relish the
>thought of tracking down all the programs she HAS installed (along with
>"wherever" they place their data files) in order to do a clean install
>and recovery (but I'm thinking "that's going to have to be done...",
>although the other suggestion we have on the table is to remove the
>drive and mount it as a secondary drive on another system and scan it
>from there or use a "liveCD" from a linux distro that has a windows AV
>scanner built into the CD...)
>

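The two things Tom's capture could not give him were a mechanical way to pick out the once-a-minute polling from normal browsing, and the name of the process behind it. Ethereal/Wireshark only sees packets; the process-to-socket mapping has to come from the host itself, which on Windows is what `netstat -ano` (PID per socket) joined against `tasklist` (PID to image name) provides, or `netstat -b` / Sysinternals TCPView if you have administrator rights. The following is an added example written for this thread, not code from either poster. It assumes request records exported from the capture and the text output of `netstat -ano` and `tasklist` taken while the beacon connection is still open; every record below is constructed, and the host names and addresses are placeholders rather than the sites named above.

```python
"""Find periodic HTTP beacons in a capture and tie them to a Windows PID.

Added example; not from the original thread. Inputs are (1) request records
exported from an Ethereal/Wireshark capture as (seconds since capture start,
destination IP, Host header, path) and (2) the text of `netstat -ano` and
`tasklist` captured on the box while the beacon socket is ESTABLISHED.
All sample data is constructed for illustration.
"""
import re
import statistics
from collections import defaultdict

# Constructed request records from the capture (placeholder hosts/IPs).
REQUESTS = [
    (0.0,   "192.0.2.10",   "ads.example.net", "/rfe.php"),
    (61.2,  "192.0.2.10",   "ads.example.net", "/rfe.php"),
    (120.9, "192.0.2.10",   "ads.example.net", "/rfe.php"),
    (181.5, "192.0.2.10",   "ads.example.net", "/rfe.php"),
    (3.4,   "198.51.100.7", "www.example.com", "/index.html"),
    (9.8,   "198.51.100.7", "www.example.com", "/news.html"),
    (150.2, "198.51.100.7", "www.example.com", "/about.html"),
]

# Constructed `netstat -ano` output, taken while the beacon connection was open.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1054       192.0.2.10:80          ESTABLISHED     1832
  TCP    192.168.1.5:1060       198.51.100.7:80        ESTABLISHED     2264
  TCP    192.168.1.5:1061       192.0.2.10:80          TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    812
"""

# Constructed `tasklist` output from the same moment.
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    812 Console                    0      4,560 K
iexplore.exe                  1832 Console                    0     12,904 K
iexplore.exe                  2264 Console                    0     18,772 K
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def find_beacons(requests, min_count=3, max_jitter=0.15):
    """Return {(dst_ip, host): median_interval} for destinations contacted at
    a near-constant interval. Human browsing leaves irregular gaps; a polling
    loop leaves gaps whose spread is a small fraction of the period."""
    by_dst = defaultdict(list)
    for ts, ip, host, _path in requests:
        by_dst[(ip, host)].append(ts)
    beacons = {}
    for dst, stamps in by_dst.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        if period > 0 and statistics.pstdev(gaps) / period <= max_jitter:
            beacons[dst] = period
    return beacons


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output; header lines don't match."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids


def attribute_connections(netstat_text, tasklist_text, remote_ips):
    """Return the processes owning TCP sockets to the given remote IPs.
    PID 0 sockets (typically TIME_WAIT) are no longer owned by any process,
    so they are skipped: snapshot while the connection is still ESTABLISHED."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _local, foreign, state, pid = m.groups()
        ip, _port = foreign.rsplit(":", 1)
        pid = int(pid)
        if ip in remote_ips and pid != 0:
            hits.append({"pid": pid, "image": images.get(pid, "?"),
                         "remote": foreign, "state": state})
    return hits


if __name__ == "__main__":
    beacons = find_beacons(REQUESTS)
    for (ip, host), period in beacons.items():
        print(f"beacon: {host} ({ip}) every ~{period:.0f}s")
    for hit in attribute_connections(NETSTAT_ANO, TASKLIST, {ip for ip, _ in beacons}):
        print(f"  {hit['image']} pid {hit['pid']} -> {hit['remote']} ({hit['state']})")
```

Because the beacon socket lives only a second or two, take the `netstat -ano` snapshot in a loop (Windows `netstat` accepts a trailing interval in seconds, e.g. `netstat -ano 1`) and keep the first one that shows the destination in ESTABLISHED state. A PID that maps to `iexplore.exe` is consistent with the pile of leftover IEXPLORE processes Tom found, but it identifies the host process, not necessarily the component loaded into it; a browser helper object or injected DLL makes its requests under the browser's PID, so the next step is listing the modules loaded in that PID rather than blaming the browser binary.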

