Motherboard Forums

Need help about this Spyware/Adware
Dewaine Chan
12-07-2005, 04:55 AM

I just picked up a PC from one of my customers and it has this very
bizarre problem:

After the system came up in normal mode, there are four boxes of about 3" X 4"
on the Desktop ---- Gambling, Dating, Pharmacy, XXX, Spyware, &
Insurance. When the mouse is moved over a box, it says "loading" and
then puts up an extra box of text/links for whatever the subject title of
that box is about. For example, moving the mouse over Dating will list
links for local girls, X-rated things, etc.

I've checked the system with Spybot Search & Destroy and AVG. I've also checked
the system with HijackThis and have gone into the Registry and tried to
see what is going on. When I booted the system up in Safe Mode, the
boxes DID NOT show.

Has anyone seen this before? All help is welcome.

Dewaine


 
 
Ben Myers
12-07-2005, 01:20 PM
I've seen similar stuff before. Install Ad-Aware, update its definitions and
run it. Also make sure the latest Spybot definitions are installed before running.

If Ad-Aware and Spybot don't nail the problem, look at each entry shown by
HijackThis. It helps to have internet access alongside the infected computer,
so you can access NAV and other anti-virus/spyware/adware info.

Finally, ask your client when this behavior started. It may sound a bit risky,
but often a careful deletion of strangely named files from the WINDOWS and
WINDOWS/SYSTEM32 folders is the answer. The date when all this started is the
key, because the strangely named files will have file dates/times coinciding with
the start of the nasties. Of course, some of the nastyware installs itself with
equally bizarre file dates like Dec 31 1979, which is before the creation of the
world, according to Gates... Ben Myers

On Wed, 07 Dec 2005 04:55:23 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM
PLZZZnc.rr.com> wrote:

>
>I just picked up a PC from one of my customers and it has this very
>bizarre problem:
>
>After the system came up in normal mode, there are four boxes of about 3" X 4"
>on the Desktop ---- Gambling, Dating, Pharmacy, XXX, Spyware, &
>Insurance. When the mouse is moved over a box, it says "loading" and
>then puts up an extra box of text/links for whatever the subject title of
>that box is about. For example, moving the mouse over Dating will list
>links for local girls, X-rated things, etc.
>
>I've checked the system with Spybot Search & Destroy and AVG. I've also checked
>the system with HijackThis and have gone into the Registry and tried to
>see what is going on. When I booted the system up in Safe Mode, the
>boxes DID NOT show.
>
>Has anyone seen this before? All help is welcome.
>
>Dewaine
>
>


 
 
Herman D. Knoble
12-07-2005, 02:23 PM
Dewaine:

If you really want to remove the malware I suggest taking
the following steps:

1) Get the latest Ad-Aware spyware definition file from:
http://www.lavasoft.de/support/download/
I suggest that you download this defs.zip file on an uninfected computer,
then copy it to a 1.44M floppy diskette or a CD-R.

2) Reboot your infected computer and tap F8 once per second during restart,
and when the menu appears select: Safe Mode without networking.

3) Unzip and insert the downloaded file, defs.ref, in file location:

c:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
This ensures that a subsequent scan for malware will use the latest
spyware definition files.

4) Launch Start/Program/Files/Lavasoft Ad-Aware SE Personal/Ad-Aware SE Personal
and click the initial bullet to do a Full System Scan.
When done, right-click the list of malware found and choose: Select All.
Then click Next, and finally click OK.

This will remove the malware that you are experiencing.

5) Restart the system in normal mode.


Skip Knoble, Penn State


On Wed, 07 Dec 2005 04:55:23 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com>
wrote:

-|
-|I just picked up a PC from one of my customers and it has this very
-|bizarre problem:
-|
-|After the system came up in normal mode, there are four boxes of about 3" X 4"
-|on the Desktop ---- Gambling, Dating, Pharmacy, XXX, Spyware, &
-|Insurance. When the mouse is moved over a box, it says "loading" and
-|then puts up an extra box of text/links for whatever the subject title of
-|that box is about. For example, moving the mouse over Dating will list
-|links for local girls, X-rated things, etc.
-|
-|I've checked the system with Spybot Search & Destroy and AVG. I've also checked
-|the system with HijackThis and have gone into the Registry and tried to
-|see what is going on. When I booted the system up in Safe Mode, the
-|boxes DID NOT show.
-|
-|Has anyone seen this before? All help is welcome.
-|
-|Dewaine
-|

 
 
Just a Friend
12-08-2005, 01:20 AM
"Dewaine Chan" <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com> wrote in message
news:%Wtlf.2040$ m...
|
| I just picked up a PC from one of my customers and it has this very
| bizarre problem:
|
| After the system came up in normal mode, there are four boxes of about 3" X 4"
| on the Desktop ---- Gambling, Dating, Pharmacy, XXX, Spyware, &
| Insurance. When the mouse is moved over a box, it says "loading" and
| then puts up an extra box of text/links for whatever the subject title of
| that box is about. For example, moving the mouse over Dating will list
| links for local girls, X-rated things, etc.
|
| I've checked the system with Spybot Search & Destroy and AVG. I've also checked
| the system with HijackThis and have gone into the Registry and tried to
| see what is going on. When I booted the system up in Safe Mode, the
| boxes DID NOT show.
|
| Has anyone seen this before? All help is welcome.
|
| Dewaine
|

It would appear to me that a malware web page has been set up as the
desktop.

Right-click the desktop outside of the boxes and select Properties.

Does the Display Properties window pop up?

(If not, go to Control Panel and select Display.)

Click the Desktop tab and click the "Customize Desktop..." button.

Select the Web tab; if anything is selected there, unselect it.
And delete anything but "My Current Home Page", but make sure it too is
unselected.

If Lock Desktop Items is selected, unselect it.

Click OK till all windows are closed.


JaF
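The same Active Desktop state that JaF walks through in the Display Properties dialog can be read straight from the registry, which helps when the dialog is greyed out or covered by the boxes. The PowerShell script below is an added example, not something any poster in this thread wrote. The key paths for the Active Desktop components, the wallpaper values and the desktop policies are assumptions about the XP-era registry layout; the script only reads and reports, it changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the Active Desktop
# settings exposed under Display Properties > Desktop > Customize Desktop > Web.
# All registry paths below are assumptions about the XP-era layout; nothing is modified.

$desktopKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop'

# Each web item shown on the desktop is a numbered subkey under Components.
# "Source" is the URL or local HTML file that gets rendered as part of the desktop.
$components = Join-Path $desktopKey 'Components'
if (Test-Path $components) {
    Get-ChildItem $components | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Component     = $_.PSChildName
            FriendlyName  = $p.FriendlyName
            Source        = $p.Source
            SubscribedURL = $p.SubscribedURL
        }
    } | Format-Table -AutoSize

    # A Source that is a local .htm/.html/.hta file rather than a normal web address
    # is the pattern JaF describes: a page installed as the desktop itself.
    Get-ChildItem $components |
        ForEach-Object { (Get-ItemProperty $_.PSPath).Source } |
        Where-Object { $_ -and $_ -match '(?i)\.(html?|hta)$' -and $_ -notmatch '^https?://' } |
        ForEach-Object { "REVIEW: local page used as a desktop component: $_" }
} else {
    'No Active Desktop Components key present.'
}

# The wallpaper value itself can also point at an HTML file.
foreach ($k in @("$desktopKey\General", 'HKCU:\Control Panel\Desktop')) {
    if (Test-Path $k) {
        $wp = (Get-ItemProperty $k).Wallpaper
        if ($wp) { "{0}\Wallpaper = {1}" -f $k, $wp }
    }
}

# Policies that grey out the dialog ("Lock Desktop Items" and similar restrictions).
$policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($k in $policyKeys) {
    if (Test-Path $k) {
        "== $k =="
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { "  {0} = {1}" -f $_.Name, $_.Value }
    }
}
```

Run it in the affected user's session, since everything it reads lives under HKEY_CURRENT_USER; a component whose Source is a local file under WINDOWS or SYSTEM32 is the thing to compare against the file list Dewaine posted later in the thread.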


 
 
Dewaine Chan
12-08-2005, 05:09 AM
Well:

Spent a bit more time on this and here is what I found:

It created the following files in the C:\Windows\system32 folder:

C:\WINDOWS\system32\insurance.bmp
C:\WINDOWS\system32\close.bmp
C:\WINDOWS\system32\spyware.bmp
C:\WINDOWS\system32\xxx.bmp
C:\WINDOWS\system32\pharmacy.bmp
C:\WINDOWS\system32\gambling.bmp
C:\WINDOWS\system32\dating.bmp
C:\WINDOWS\system32\idesk.conf

It also created a file rdt.ini in the C:\WINDOWS directory.
Renaming rdt.ini did not do anything. I removed the above files from the
C:\WINDOWS\SYSTEM32 directory in Safe Mode and rebooted the PC. It came up without
the popup boxes, but after rebooting again, all the above files got recreated and
appeared in the C:\WINDOWS\SYSTEM32 directory.

I did a Google search and a couple of places suggested looking for:
ie2cltr.dll
rdt.ini

or
C:\WINDOWS\system32\favset.exe --> Trojan.Favadd
C:\WINDOWS\system32\howiper.exe --> Win32/Qhosts


I couldn't find the files except the rdt.ini file.

I have removed basically everything that shows in HijackThis and the system registry's
Run area. I suspect the spyware is loaded as a system service and I just need to
find the DLL file.

BTW, Ad-Aware SE doesn't detect it either.

Thanks for all the help.

Dewaine

Ben Myers wrote:

> I've seen similar stuff before. Install Ad-Aware, update its definitions and
> run it. Also make sure the latest Spybot definitions are installed before running.
>
> If Ad-Aware and Spybot don't nail the problem, look at each entry shown by
> HijackThis. It helps to have internet access alongside the infected computer,
> so you can access NAV and other anti-virus/spyware/adware info.
>
> Finally, ask your client when this behavior started. It may sound a bit risky,
> but often a careful deletion of strangely named files from the WINDOWS and
> WINDOWS/SYSTEM32 folders is the answer. The date when all this started is the
> key, because the strangely named files will have file dates/times coinciding with
> the start of the nasties. Of course, some of the nastyware installs itself with
> equally bizarre file dates like Dec 31 1979, which is before the creation of the
> world, according to Gates... Ben Myers
>
> On Wed, 07 Dec 2005 04:55:23 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM
> PLZZZnc.rr.com> wrote:


 
 
Dewaine Chan
12-08-2005, 05:10 AM
Herman:

Thanks. Still no go. Back in the hunt again.

Dewaine

"Herman D. Knoble" wrote:

> Dewaine:
>
> If you really want to remove the malware I suggest taking
> the following steps:
>
> 1) Get the latest Ad-Aware spyware definition file from:
> http://www.lavasoft.de/support/download/
> I suggest that you download this defs.zip file on an uninfected computer,
> then copy it to a 1.44M floppy diskette or a CD-R.
>
> 2) Reboot your infected computer and tap F8 once per second during restart,
> and when the menu appears select: Safe Mode without networking.
>
> 3) Unzip and insert the downloaded file, defs.ref, in file location:


 
 
Dewaine Chan
12-08-2005, 05:13 AM


Checked that already. It wasn't it. Please see the update I posted under Ben
Myers' posting for follow-up info. It is weird. I'm going out to get a copy
of Spysweeper tomorrow and check the system later.

Thanks.

Dewaine

Just a Friend wrote:

> It would appear to me that a malware web page has been set up as the
> desktop.
>
> Right-click the desktop outside of the boxes and select Properties.
>
> Does the Display Properties window pop up?
>
> (If not, go to Control Panel and select Display.)
>
> Click the Desktop tab and click the "Customize Desktop..." button.
>
> Select the Web tab; if anything is selected there, unselect it.
> And delete anything but "My Current Home Page", but make sure it too is
> unselected.
>
> If Lock Desktop Items is selected, unselect it.
>
> Click OK till all windows are closed.
>
> JaF


 
 
Ben Myers
12-08-2005, 03:41 PM
Dewaine,

You're right. This varmint starts up as a system service and/or a program NOT
in the startup folder. It could also be a Visual Basic script or a CMD file.
That's how it keeps replenishing itself, even after repeated attempts to delete
the files.

To find some of these files, you need to change some of the options in the Files
icon of the control panel. Allow the system to display known file extensions,
which is the "old way" of doing things. The "new" way obscures useful info.
Also, enable the display of hidden files AND system files.

Other areas to look for these files include the %TEMP% folder and other areas in
the primary user's Documents and Settings.

I usually find HijackThis to be an indispensable tool for removing rogue
software not removed somewhat automatically by other software.

Doesn't all this make you want to shoot the bastards who perpetrate this stuff?

.... Ben Myers

On Thu, 08 Dec 2005 05:09:17 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM
PLZZZnc.rr.com> wrote:

>Well:
>
>Spent a bit more time on this and here is what I found:
>
>It created the following files in the C:\Windows\system32 folder:
>
>C:\WINDOWS\system32\insurance.bmp
>C:\WINDOWS\system32\close.bmp
>C:\WINDOWS\system32\spyware.bmp
>C:\WINDOWS\system32\xxx.bmp
>C:\WINDOWS\system32\pharmacy.bmp
>C:\WINDOWS\system32\gambling.bmp
>C:\WINDOWS\system32\dating.bmp
>C:\WINDOWS\system32\idesk.conf
>
>It also created a file rdt.ini in the C:\WINDOWS directory.
>Renaming rdt.ini did not do anything. I removed the above files from the
>C:\WINDOWS\SYSTEM32 directory in Safe Mode and rebooted the PC. It came up without
>the popup boxes, but after rebooting again, all the above files got recreated and
>appeared in the C:\WINDOWS\SYSTEM32 directory.
>
>I did a Google search and a couple of places suggested looking for:
>ie2cltr.dll
>rdt.ini
>
>or
>C:\WINDOWS\system32\favset.exe --> Trojan.Favadd
>C:\WINDOWS\system32\howiper.exe --> Win32/Qhosts
>
>
>I couldn't find the files except the rdt.ini file.
>
>I have removed basically everything that shows in HijackThis and the system registry's
>Run area. I suspect the spyware is loaded as a system service and I just need to
>find the DLL file.
>
>BTW, Ad-Aware SE doesn't detect it either.
>
>Thanks for all the help.
>
>Dewaine
>
>Ben Myers wrote:
>
>> I've seen similar stuff before. Install Ad-Aware, update its definitions and
>> run it. Also make sure the latest Spybot definitions are installed before running.
>>
>> If Ad-Aware and Spybot don't nail the problem, look at each entry shown by
>> HijackThis. It helps to have internet access alongside the infected computer,
>> so you can access NAV and other anti-virus/spyware/adware info.
>>
>> Finally, ask your client when this behavior started. It may sound a bit risky,
>> but often a careful deletion of strangely named files from the WINDOWS and
>> WINDOWS/SYSTEM32 folders is the answer. The date when all this started is the
>> key, because the strangely named files will have file dates/times coinciding with
>> the start of the nasties. Of course, some of the nastyware installs itself with
>> equally bizarre file dates like Dec 31 1979, which is before the creation of the
>> world, according to Gates... Ben Myers
>>
>> On Wed, 07 Dec 2005 04:55:23 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM
>> PLZZZnc.rr.com> wrote:

>
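Ben's advice comes down to four places to look: files that reappear in WINDOWS and SYSTEM32, hidden and system attributes that Explorer hides by default, creation dates that cluster around the start of the trouble (or are absurdly back-dated), and a service or startup entry that puts the files back after every reboot. The PowerShell script below is an added example that collects all four in one read-only report; it is not something anyone in this thread posted. The watch list is the set of file names Dewaine and his search results mention; the 14-day default window stands in for the date the customer gives, and the "binary outside System32 or Program Files" rule for services is a triage heuristic, not a definition of malicious. It lists candidates and deletes nothing.

```powershell
# Added example (not from the thread): read-only triage of the locations Ben
# points at. Nothing is deleted or changed; output is a list of items to review.
# -Since is an assumption standing in for the date the customer reports.
param(
    [datetime]$Since = (Get-Date).AddDays(-14)
)

$win = $env:WINDIR
$sys = Join-Path $win 'System32'

# 1. File names reported earlier in the thread (watch list taken from the posts).
$watch = 'insurance.bmp','close.bmp','spyware.bmp','xxx.bmp','pharmacy.bmp',
         'gambling.bmp','dating.bmp','idesk.conf','rdt.ini',
         'ie2cltr.dll','favset.exe','howiper.exe'
"== Files named in the thread =="
foreach ($dir in @($win, $sys)) {
    Get-ChildItem $dir -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $watch -contains $_.Name.ToLower() } |
        Select-Object FullName, CreationTime, LastWriteTime, Attributes
}

# 2. Files created on or after the incident date, hidden/system files (-Force shows
#    what the Folder Options dialog normally hides), and back-dated files such as
#    the Dec 31 1979 timestamps Ben mentions.
"== Recent, hidden/system, or back-dated files in WINDOWS, System32 and TEMP =="
foreach ($dir in @($win, $sys, $env:TEMP)) {
    Get-ChildItem $dir -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.CreationTime -ge $Since -or
            $_.CreationTime.Year -lt 1980 -or
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -or
            ($_.Attributes -band [IO.FileAttributes]::System)
        } |
        Sort-Object CreationTime |
        Select-Object FullName, CreationTime, Length, Attributes
}

# 3. Run/RunOnce entries. These are skipped in Safe Mode, which is consistent with
#    the boxes not appearing there, and are one way files get recreated at each boot.
"== Run / RunOnce entries =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { "{0}  {1} = {2}" -f $k, $_.Name, $_.Value }
    }
}

# 4. Services whose binary lives somewhere other than System32 or Program Files:
#    the "starts up as a system service" case. Heuristic only; review each hit.
"== Services with a binary outside System32 or Program Files =="
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '(?i)\\(system32|program files)' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell prompt, ideally in Safe Mode so the dropper is not running while you look, and pass the customer's date as `-Since '2005-12-01'` (a made-up value here) to narrow section 2. Anything that shows up in both section 1 and section 3 or 4 is the recreating mechanism Ben describes, and that is the entry to examine in HijackThis before touching any file.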


 
 
Herman D. Knoble
12-08-2005, 04:20 PM
Dewaine: Did you do an up-to-date scan while in SAFE MODE?
Did you do a Full System Scan with Ad-Aware?

When starting in Safe Mode only basic services are started,
and startup modules (e.g.,
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
are not started.

Skip

On Thu, 08 Dec 2005 05:10:44 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com>
wrote:

-|Herman:
-|
-|Thanks. Still no go. Back in the hunt again.
-|
-|Dewaine
-|
-|"Herman D. Knoble" wrote:
-|
-|> Dewaine:
-|>
-|> If you really want to remove the malware I suggest taking
-|> the following steps:
-|>
-|> 1) Get the latest Ad-Aware spyware definition file from:
-|> http://www.lavasoft.de/support/download/
-|> I suggest that you download this defs.zip file on an uninfected computer,
-|> then copy it to a 1.44M floppy diskette or a CD-R.
-|>
-|> 2) Reboot your infected computer and tap F8 once per second during restart,
-|> and when the menu appears select: Safe Mode without networking.
-|>
-|> 3) Unzip and insert the downloaded file, defs.ref, in file location:

 
 
Herman D. Knoble
12-08-2005, 04:58 PM
Doing a Google search on rdt.ini shows
that you may have the TR/Dldr.Agent.tc.4 - Trojan
See: http://www.avira.com/en/threats/TR_D...4_details.html
and http://www3.ca.com/securityadvisor/p...x?id=453096275

Skip

On Thu, 08 Dec 2005 05:09:17 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com>
wrote:

-|rdt.ini

 