posted
I have AdAware on my system, and I just did a scan. I also have Zone Alarm and Avast!. And yet, starting this morning, I've been getting ads popping up on my screen. Borderless (chromeless) ads. They stay up for about 15 seconds and then close.
Has anyone else run into a problem like this? Is there something I can do?
Posts: 12266 | Registered: Jul 2005
posted
First thing I do when I'm presented with this kind of thing is run Process Explorer and see what processes are running and if any look suspicious (for example, aren't digitally signed by a company I know I have a product from, like ATI, MS, etc.).
I also open Autoruns and specifically look at the Logon tab and the Winlogon tab (and then later the IE tab and the Services tab). Usually it's there that I find a process running (with a randomly generated name and pointing to a randomly named DLL). After making sure it's not supposed to be there, I test a few things. I'll uncheck the process, then refresh Autoruns. If it comes back, it is exhibiting malware behaviors. I note where, in the registry, all the files it uses are. Usually it will try to put stuff in IE startup and services too.
I'll try to shut down the process in Process Explorer. If that works, then I remove the Autoruns entry (which actually removes it from the registry), delete the DLL and any other registry entries, reboot and do a rescan. If it keeps coming back, or won't let you do a delete (because the process with a handle on the DLL won't let it), I'll reboot with another OS on disk (like BartPE or Linux Mepis) and then delete the offending DLL from the actual drive. (Still haven't figured out how to get into the hard drive's registry when running an OS like BartPE from CD; otherwise, I'd remove the entry there.) Once I've deleted the offending DLL, I reboot in normal mode. Since the registry entry for logon is pointing to a DLL that doesn't exist, the process is not run. I then remove all traces of the program in Explorer, services, and the registry.
All this comes from helping more than a few people with a similar problem: basically malware that won't go quietly because it has attached itself to the explorer process. Process Explorer and Autoruns are pretty much my most used tools and it always seems to work. The only thing I'll do a reformat for is a rootkit (happened only once, several years ago), because you can't trust your system even when it says it's clean: a rootkit replaces higher-level procedure calls with its own calls that don't report on what they find. So file explorer may not show anything in a directory because the procedure call to read that directory has been redirected to one that shows only what it wants you to see. But there's a rootkit revealer at Sysinternals that helps to ID that kind of stuff by doing high-level and low-level scans and looking for anomalies. Usually there are a few false positives (like Exchange or SQL Server logs), so you have to check it carefully.
posted
Ian, will Process Explorer show more than Task Manager? And the ads are only up for a very short time, so will I be able to check in PE before they disappear?
Posts: 12266 | Registered: Jul 2005
posted
Process Explorer is like Task Manager on steroids. It literally has scores of functions. The process that is causing the popups will be running regardless of the timing of the popups. Or if the process IS starting and stopping, you will see it appear in the window highlighted alternately in green (as it opens) and then red (as it closes). There's also a 'target bullseye' in the toolbar that you can drag onto any window (like the popup) to see which process owns it. You can also search which process has a handle on a DLL or file. I would open PE and then Autoruns. The process will be listed there, somewhere: Logon tab or Winlogon tab, or Services. Find the Autoruns entry for an item that looks suspicious. Then find it in PE. Close the process. If it comes back, then you may have your culprit (this is all with the caveat that you make sure you know which processes and apps should be running. I run 'synergy' to tie 2 computers to one keyboard and mouse. It has no publisher, but I know what it is, so I don't mess with it.) Basically, if a suspicious process doesn't allow you to close it or delete an entry related to it, or keeps putting it back, these 2 will help find them. Then you just have to remove the source DLL using another OS disk (like BartPE or Mepis).
Posts: 1346 | Registered: Jun 1999
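The triage described in the two replies above (walk the Autoruns Logon and Winlogon locations, resolve the file each entry points at, check whether it exists, is signed, and has a plausible name before unchecking anything), as an added PowerShell example that is not code from the thread or from Sysinternals. The list of registry keys, the loader search order and the few-vowels name heuristic are my assumptions, and reading HKLM needs an elevated prompt.

```powershell
# Added triage script (not from the thread or Sysinternals): enumerate the Logon-tab
# style autorun locations, resolve each referenced file and flag suspicious entries.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
function Resolve-AutorunPath([string]$Value) {
    # First token of the command line (quoted or bare), %vars% expanded; an unquoted path with spaces is cut at the first space.
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    $first = if ($v.StartsWith('"')) { $v.Split('"')[1] } else { $v.Split(' ')[0] }
    if ([IO.Path]::IsPathRooted($first)) { return $first }
    foreach ($dir in "$env:SystemRoot\System32", $env:SystemRoot) {   # assumed search order for bare names
        $cand = Join-Path $dir $first; if (Test-Path -LiteralPath $cand) { return $cand }
    }
    return (Join-Path "$env:SystemRoot\System32" $first)
}
function Test-RandomLookingName([string]$Path) {
    # Heuristic (assumption): a long base name with few vowels, like udftpbljhvumjd.dll, deserves a closer look.
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($name.Length -lt 10) { return $false }
    return (($name -replace '[^aeiou]', '').Length / $name.Length) -lt 0.25
}
$entries = @(foreach ($key in $RunKeys | Where-Object { Test-Path $_ }) {
    $item = Get-Item $key
    foreach ($n in $item.GetValueNames()) {
        [pscustomobject]@{ Source = $key; Name = $n; Value = "$($item.GetValue($n))" }
    }
})
$wl = Get-ItemProperty $Winlogon
foreach ($n in 'Userinit', 'Shell') {          # comma-separated lists; extra items get appended here
    foreach ($part in "$($wl.$n)".Split(',') | Where-Object { $_.Trim() }) {
        $entries += [pscustomobject]@{ Source = $Winlogon; Name = $n; Value = $part }
    }
}
Get-ChildItem "$Winlogon\Notify" -ErrorAction SilentlyContinue | ForEach-Object {   # legacy Notify packages
    $entries += [pscustomobject]@{ Source = $_.Name; Name = 'DLLName'; Value = "$($_.GetValue('DLLName'))" }
}
$report = foreach ($e in $entries | Where-Object { $_.Value }) {
    $path = Resolve-AutorunPath $e.Value
    $exists = Test-Path -LiteralPath $path
    $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'MISSING' }
    [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Path = $path; Signature = $sig
        Flagged = (-not $exists) -or ("$sig" -ne 'Valid') -or (Test-RandomLookingName $path) }
}
$report | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

A flagged row is a prompt to check the entry in Autoruns and Process Explorer, not a verdict: unsigned but known software (like the synergy example above) will show up here too.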
posted
Ian, you're a genius. It was called udftpbljhvumjd.dll and it was sitting in my system32 folder. I actually didn't see it in PE, but it was in the autoruns.
Posts: 12266 | Registered: Jul 2005
posted
Thanks, but I didn't write those tools. This is only experience born of frustration, as nothing I did could keep this process from coming back. (In the past, we have had some users who aren't that careful, so this happens more than it should.)
So the next step is to uncheck it. Also, in PE, use 'Find DLL handle' with that file's name and see which process owns it. Then you can shut down that process and see if it comes back. Check your Winlogon tab. If it's there, you can't remove the DLL while Windows is running, so use a disk-based OS boot and delete the DLL. Then remove all traces of it on your computer.
Posts: 1346 | Registered: Jun 1999