Spyware attack



Brf
09-17-2004, 07:24 PM
A couple weeks ago my computer was attacked severely by malware.

I was browsing a webpage that I visit every few hours for a game.... a webpage that has ads. This time it was different. I started hearing my computer's "Exit program" sound over-and-over, along with a semi-busy hourglass-with-arrow cursor.

I hit ctrl-alt-del to bring up my Windows-ME taskmanager (no snickers from the peanut gallery) and noticed several weird processes which I didn't recognize and stop-task-ed immediately.

Recognizing Gator-install as one of the processes, I ran my copy of Adaware and it removed a half-dozen adware programs, a downloader and a [censored]-dialer. I scanned my recent \temp files and discovered a file containing the code to several hundred click-ads, which I assume got clicked. I also discovered an FTP-download script on my desktop.

I downloaded Spybot, which removed three more malware programs, and spyware-doctor, which claimed to find a couple more, which it refused to remove until I paid.

That was two weeks ago and as of a half-hour ago I was still getting popups on webpages which I knew had none, including my own custom homepage.

I found a file called QPLGEHX.exe in my system folder that was running at startup. When I used msconfig to remove it from the startup, it put itself back under a different name. Finally I end-tasked it, renamed it, and used msconfig to remove its startup. Supposedly it is from callinghome.biz.... a website notorious for trojan-downloader programs. This program is not identified as malware by adaware, spybot, spywarekiller, or norton-antivirus.

I was still getting popups.....

Finally, I downloaded HijackThis. One of the plugins it identified was called LOCALNRD.DLL in my windows folder. A quick google search revealed it as a popup plugin. Using hijackthis, I "fix"ed it...

So far, 20-minutes and no popups. Wish me luck :D