Author Topic: OT: Weird Pop-Up Boxes On This Site  (Read 10650 times)
Mr. Hockstatter
« Reply #30 on: September 13, 2005, 12:50:11 PM »

I just did a scan for viruses and it didn't find anything.  But, I'll still wear my little white mask if you guys want.
ulthar
« Reply #31 on: September 13, 2005, 01:00:55 PM »

ASHTHECAT wrote:

> Sure, I can do that....but
> Is there any way to copy & paste the running processes within
> Task Manager?
> It would take a long time to write each one down individually.

You can try it, but Task Manager probably won't allow you to cut and paste from the list.  There are API calls you can run (for example from a C/C++ program) to enumerate the running processes, and I know Windows Management Instrumentation (WMI) can be used for this.  Those approaches, though, are probably beyond the scope of what we need to do this.

Or, take a couple of screen shots (enough to be able to see them all) like you did for the popup itself.  We can eliminate a lot of the running tasks as "normal" Windows processes without having to search them all.

------------------------------------------------------------------------------------------------

Professor Hathaway:  I noticed you stopped stuttering.
Bodie:      I've been giving myself shock treatments.
Professor Hathaway: Up the voltage.

--Real Genius
Andrew
« Reply #32 on: September 13, 2005, 01:03:04 PM »

Also posted this to the other thread about the issue.

I am off today, just finished up having drill weekend for the Reserve Marines.

Looked into this for some time now and I cannot replicate the problem with either of my systems.  That would be XP with SP2 running both Mozilla and IE.  Nor does the older Win98 box do this, trying with either Mozilla or IE.  I must have reloaded various pages, mostly the message board, over 100 times with each browser.

Both of my computers run software firewalls and are located behind a hardware firewall.

I looked through all of the ads running on the site and cannot find anything that references the domain that Ash pointed out.

The funny thing here is that Mr. Hockstatter rebooted and stopped getting them, like it was a process running in memory, but not in the startup for the OS.  I wonder if this is some sort of worm that uses a flaw in IE to attempt to download further code to finish compromising the computer.  That would explain why Hockstatter stopped seeing it after a reboot.

Ash, try giving me a HijackThis log:

Download HijackThis from Major Geeks

It really does appear to be something affecting the computers in question, rather than coming from the site.

Andrew Borntreger
Badmovies.org
Ash
« Reply #33 on: September 13, 2005, 08:33:52 PM »

Here's the HijackThis log from my p.c.
------------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:32:52 PM, on 9/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jamey\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKCU\..\Run: [ResChanger2004] C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
Menard
Guest
« Reply #34 on: September 13, 2005, 08:51:58 PM »

Are you running a firewall, ASH? With Windows 98 I did not have any problems with boxes like this, but when I went to Windows 2000 I started getting boxes usually suggesting that there was a problem with my computer, but on occasion for a download. I installed a firewall and the problem stopped. I did the same for a friend's computer as he was being constantly annoyed with these boxes; they stopped for him as well.

Ash
« Reply #35 on: September 13, 2005, 09:00:43 PM »

I broke down and installed Service Pack 2.
The firewall wasn't up before but now it is.



Post Edited (09-13-05 22:01)
Andrew
« Reply #36 on: September 13, 2005, 10:03:48 PM »

This is an adware program:
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

There are a couple of files on there that I do not like.  We had a problem with iTunes stuff causing weird errors on computers in Iraq.  Also, I definitely do not trust that Party Poker program.

Unfortunately, I do not have time to check through all of these.  There are trojans and worms that will replace legitimate processes - it gets tedious checking all those.  Please continue to let me know the details it is giving you, like which sites the things are coming from.

You also might want to ensure that you have the latest version of Java installed.  I mention this because I saw the ones were .js files.

http://java.sun.com/j2se/1.5.0/download.jsp

(You want JRE 5.0 update 4.)

Andrew Borntreger
Badmovies.org
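
Added example, not part of any post in this thread: a small Python parser for the HijackThis log format shown in reply #33. It compares the "Running processes" list with the autostart entries the log records (O4 Run keys, O23 services), which is the by-hand check the replies above describe as tedious. The sample lines are copied from that log; the function names are this example's own.

```python
import re

# Excerpt of the HijackThis log from reply #33 (lines copied from the thread).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")               # section code: R1, O4, O23 ...
RUN = re.compile(r"^HK\w+\\\.\.\\\w+: \[.+?\] (.+)$")    # O4 registry Run entry
EXE = re.compile(r'"?(.+?\.exe)', re.I)                  # first .exe on a command line

def exe_name(command):
    """Lower-cased file name of the first .exe on a command line."""
    m = EXE.match(command.strip())
    return (m.group(1) if m else command).rsplit("\\", 1)[-1].lower()

def parse(log):
    """Return (running process paths, {section code: [entry text]})."""
    running, entries, in_procs = [], {}, False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.setdefault(m.group(1), []).append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            running.append(line)
    return running, entries

def triage(log):
    """Return (running but not autostarted, autostarted but not running)."""
    running, entries = parse(log)
    autostart = set()
    for body in entries.get("O4", []):
        m = RUN.match(body)
        if m:
            autostart.add(exe_name(m.group(1)))
    for body in entries.get("O23", []):
        autostart.add(exe_name(body.rsplit(" - ", 1)[-1]))
    live = {exe_name(p) for p in running}
    return sorted(live - autostart), sorted(autostart - live)
```

Windows components such as svchost.exe land in the first list because this log has no O4 or O23 line for them. The comparison is by file name only, so a match says nothing about whether the file behind a familiar name is the genuine one.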
ulthar
« Reply #37 on: September 13, 2005, 11:26:45 PM »

The Pre SP2 Firewall is a well-known piece of crap.

Ash
« Reply #38 on: September 14, 2005, 02:46:46 AM »

Thanks for the help guys!
I downloaded and installed that Java file.

What exactly will that do for my computer?
odinn7
« Reply #39 on: September 14, 2005, 07:01:56 AM »

If you don't know...I'm not telling you.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You're not the Devil...You're practice.
Susan
Guest
« Reply #40 on: September 14, 2005, 07:04:07 AM »

I use Ad-Aware and Spybot. To tell the truth I don't run them very much...hardly ever, and when I do they never find anything. And I visit ALL types of sites that would normally download spyware and stuff on my PC. I use SPYWAREBLASTER (which helps prevent the download of ActiveX spyware and browser hijackers). I block third-party cookies. I set my ActiveX controls so they do not automatically download.

I also disabled my Internet Explorer's INSTALL ON DEMAND (on the advanced settings..both of them); this is very important to do.

My IE is custom set, and I never have popups anymore on my home computer. I never have spyware. Just in case, I have HijackThis (advanced program I don't recommend anyone using unless you know what you are doing), but if you tweak your IE settings that can be enough.

Menard
Guest
« Reply #41 on: September 14, 2005, 07:50:21 AM »

ASHTHECAT wrote:

> I downloaded and installed that Java file.
>
> What exactly will that do for my computer?


It will keep it awake at night.

raj
« Reply #42 on: September 14, 2005, 11:45:11 AM »

Susan wrote:

> i use ad-aware and spybot. To tell the truth i don't run them
> very much...hardly ever and when i do they never find anything.
> and i visit ALL types of sites that would normally download
> spyware and stuff on my pc.

So what's a nice lady like you doing at a site like this?
Mr. Hockstatter
« Reply #43 on: September 14, 2005, 12:21:38 PM »

Got another one today.  

name:  zedo468X60.js
type:  JScript Script file
from:  www.strangecosmos.com

Somebody was asking what tasks were running while these things come up.  

File Download
phorum - bad movies
inbox - outlook express
windows media player
explorer
Ccapp
Fs20
Internat
Spampal
Em.exec
systray

All looks like normal stuff except of course the File Download.

Susan
Guest
« Reply #44 on: September 14, 2005, 05:14:17 PM »

raj i keep asking myself that same question
night after night....after night

    Badmovies.org is owned and operated by Andrew Borntreger. All original content is © 1998 - 2014 by its respective author(s). Image, video, and audio files are used in accordance with the Fair Use Law, and are property of the film copyright holders. You may freely link to any page (.html or .php) on this website, but reproduction in any other form must be authorized by the copyright holder.