oneclick/popup2.php (W2K)
geoworldZ
12-18-2004, 01:39 PM
Some time ago I started getting adware from sites that execute a PHP file which serves an ad from another site. The IPs that this popup comes from appear to be 69.50.160.100 and 69.50.160.98.
The first one will open a page which is for posting ads and the second one gives "access denied". The ads themselves used to be in an image format and I couldn't see the source code. After I added the IPs and domains of this ad site to my Restricted sites list, I still get the ad, but this time it is full screen and I can see the code. It seems that they get the source of the ads from http://xslt.alexa.com/site_stats/js/t/a?url=0cat.com
I wonder why IE still opens those pages since they are in the Restricted sites. I've noticed that once added there, the main body of the page is not displayed, but it shows the top section of the page. It has good use of JavaScript. I have checked my browser for vulnerabilities but it passed all tests. It seems that I have something on the PC that contacts this page, and I have this in my netstat output:
69.50.160.98-custblock.intercage.com:5556 CLOSE_WAIT
Do you have any ideas of how to solve this problem? I tried 6-7 adware/spyware software removers but they find my PC clean.
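The CLOSE_WAIT line above is the kind of thing a watchlist check catches automatically. The following is an added example (not code from the thread or from any tool named in it) that parses `netstat -an` output in its Windows layout and reports every connection whose remote address falls on a watchlist of IPs or CIDR ranges. The watchlist holds the two addresses named in this post; the netstat sample, including local addresses and ports, is constructed for the example. Running netstat with `-n` avoids the resolved-hostname form shown in the post, which is why the parser compares numeric addresses only.

```python
from ipaddress import ip_address, ip_network

# Constructed sample of `netstat -an` output (Windows layout). The two remote
# addresses on the watchlist are the ones named in the thread; the local
# addresses, ports and the other lines are made up for this example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1097      69.50.160.98:5556      CLOSE_WAIT
  TCP    192.168.1.20:1102      69.50.160.100:80       ESTABLISHED
  TCP    192.168.1.20:1105      207.46.104.20:1863     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Addresses or CIDR ranges to look for (the two IPs from the post).
WATCHLIST = ["69.50.160.98", "69.50.160.100"]


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None for '*' or missing."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port in ("", "*") else int(port))


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_endpoint(parts[1])
        rhost, rport = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        conns.append({"proto": parts[0], "local": (lhost, lport),
                      "remote": (rhost, rport), "state": state})
    return conns


def compile_watchlist(entries):
    """Accept plain IPs or CIDR strings; a plain IP becomes a /32 network."""
    return [ip_network(e, strict=False) for e in entries]


def match_watchlist(conns, networks):
    """Return the connections whose remote host lies in any watchlist network."""
    hits = []
    for c in conns:
        try:
            addr = ip_address(c["remote"][0])
        except ValueError:
            continue   # '*' or a resolved hostname: nothing numeric to compare
        if any(addr in n for n in networks):
            hits.append(c)
    return hits


if __name__ == "__main__":
    found = match_watchlist(parse_netstat(SAMPLE_NETSTAT), compile_watchlist(WATCHLIST))
    for c in found:
        print(f'{c["proto"]} {c["local"][0]}:{c["local"][1]} -> '
              f'{c["remote"][0]}:{c["remote"][1]} {c["state"]}')
```

A CLOSE_WAIT hit means the remote side has already closed and a local process is still holding the socket open, so the next step is finding which process owns it; on Windows XP and later `netstat -ano` adds the owning PID column that Windows 2000's netstat lacks.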
Booter
12-18-2004, 03:03 PM
Hi Geo, thanks for posting.
The best and quickest way to find out who's responsible would be to use HijackThis. Download HijackThis from the link below and save it to your "My Documents" folder somewhere. Execute it and do a simple "Scan and Save Log" operation (first option on the list). Don't put check marks in the boxes or fix anything. Just post your log here and we'll tell you what we see.
HijackThis Download (http://tomcoyote.com/hjt/)
Bruce
geoworldZ
12-18-2004, 03:49 PM
Hi, I already used HijackThis but I am not sure if there is something suspicious in the file. I am pasting my log.
Logfile of HijackThis v1.98.2
Scan saved at 16:49:16, on 12/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WIN2000\System32\smss.exe
C:\WIN2000\system32\winlogon.exe
C:\WIN2000\system32\services.exe
C:\WIN2000\system32\lsass.exe
C:\WIN2000\system32\svchost.exe
C:\WIN2000\system32\spoolsv.exe
C:\WIN2000\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WIN2000\System32\pctspk.exe
C:\WIN2000\system32\regsvc.exe
C:\WIN2000\system32\MSTask.exe
C:\WIN2000\Explorer.EXE
C:\WIN2000\System32\WBEM\WinMgmt.exe
C:\WIN2000\system32\mspmspsv.exe
C:\WIN2000\system32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WIN2000\Mixer.exe
C:\WIN2000\system32\ctfmon.exe
C:\WIN2000\system32\taskmgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\george.NEWFLASH\My Documents\_store\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mamma.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN2000\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WIN2000\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: TASKMGR.lnk = C:\WIN2000\system32\TASKMGR.EXE
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WIN2000\wweb32.dll/lookup.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0372ecc5a54b2cbc7b02/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.196.12.29/activex/AxisCamControl.ocx
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
Booter
12-18-2004, 04:16 PM
That was quick. There is a new version of HijackThis available. It's only been out a couple of days, but you might want to update when you have time. We'll work from your current log.
There will be a couple you NEED to fix, and some you might or might not want to fix. On the latter, you'll have to look at them to decide whether you're using them or not. If you're using them, don't fix them. If you're not using them, do a fix.
Here are the entries that you need to consider. Either print this post or save a copy (wordpad for example) so you can refer to it while offline.
Start HJT, do a scan.
For each of the following which you decide to fix, put a check mark in the appropriate box.
If you do not know the entry 'http://www.mamma.com', delete it by checking this box.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mamma.com
This one must be fixed!
Startup: TASKMGR.lnk = C:\WIN2000\system32\TASKMGR.EXE
To be fixed if the entry '&WordWeb... ' is unknown.
O8 - Extra context menu item: &WordWeb... - res://C:\WIN2000\wweb32.dll/lookup.html
Check if you know this site and fix it if you do not.
This site is:
OrgName: RealNetworks, Inc.
OrgID: REAL
Address: 2601 Elliott Ave
City: Seattle
StateProv: WA
PostalCode: 98121
Country: US
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0372ecc5a54b2cbc7b02/netzip/RdxIE601.cab
Check if you know this site and fix it if you do not.
This site is:
OrgName: University of Arizona
OrgID: UOAZ
Address: 1077 N Highland Ave
City: Tucson
StateProv: AZ
PostalCode: 85721
Country: US
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.196.12.29/activex/AxisCamControl.ocx
After you have checked all the boxes you need:
Make sure all open windows except HJT are closed.
Click on "Fix Checked". Complete application of the corrections.
Reboot your computer. See how it goes.
Just a note. There are a few in your log for which corrections are optional, but I'm pretty sure they are not a problem.
If you need more help, let us know and post a new log.
If things are going well and you need no more help, let us know and we'll close this thread.
Bruce
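The post above triages the O16 (ActiveX download) entries by asking who owns the download site, and the two entries it singles out are exactly the ones whose download host is a bare IP address rather than a recognisable domain. The following is an added example, not code from the thread or from HijackThis, that parses O16 lines in the v1.98 log format and flags the entries worth a manual look: hosts that are bare IP literals (look up the owner before trusting them) and hosts outside a list of domains the user recognises. The sample lines are taken from the log posted above plus one non-O16 line to show it is ignored; the list of known domain suffixes is an assumption for the example and should hold whatever the user actually recognises.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample HijackThis lines (four O16 entries from the posted log and one O4 line
# that the parser must ignore). Constructed for this example.
SAMPLE_LOG = r"""
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0372ecc5a54b2cbc7b02/netzip/RdxIE601.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.196.12.29/activex/AxisCamControl.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""

# "O16 - DPF: {GUID} (Optional Name) - URL"; the name part is absent on some lines.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")

# Domain suffixes the user recognises (assumed for the example).
KNOWN_HOST_SUFFIXES = (".msn.com", ".akamai.net", ".apple.com", ".trendmicro.com")


def parse_o16(log_text):
    """Extract GUID, display name, URL and download host from each O16 line."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue
        guid, name, url = m.groups()
        entries.append({"guid": guid, "name": name or "(unnamed)",
                        "url": url, "host": urlparse(url).hostname or ""})
    return entries


def is_ip_literal(host):
    """True when the host part of the URL is a raw IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(entries, known_suffixes=KNOWN_HOST_SUFFIXES):
    """Return (guid, name, host, reason) for every entry that needs a manual look."""
    flagged = []
    for e in entries:
        if is_ip_literal(e["host"]):
            reason = "download host is a bare IP address; check who owns it (whois) before trusting it"
        elif not e["host"].endswith(known_suffixes):
            reason = "download host is not on the recognised domain list"
        else:
            continue
        flagged.append((e["guid"], e["name"], e["host"], reason))
    return flagged


if __name__ == "__main__":
    for guid, name, host, reason in triage(parse_o16(SAMPLE_LOG)):
        print(f"{guid} {name} @ {host}: {reason}")
```

Flagging is not the same as fixing: an entry whose host is a bare IP may still be legitimate (the thread's University of Arizona camera control is one), which is why the output asks for a look-up rather than deciding on its own.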
geoworldZ
12-18-2004, 04:24 PM
My HijackThis Version is 1.98.0.2
I know all the IPs that appeared there and they do not come from any advertising sites. The first one is from RealPlayer; I never had problems with that page giving me ads. The others are from my Univ., www.mamma.com is my search engine, I am starting Task Manager when I start Windows because I use it often, WordWeb is a dictionary I have but it was never giving me problems. So, there is nothing suspicious in those entries. I know all those sites.
Booter
12-18-2004, 04:31 PM
OK, someone in your computer is initiating the connection. Copy your log, click on the link below, paste your log into the box, and click on "analyze". You'll see what I'm looking at.
HJT Log Analyzer (http://hijackthis.de/index.php?langselect=english)
Bruce
geoworldZ
12-18-2004, 04:40 PM
Everything is SAFE except the things that you pointed out, but I know that all those things do not cause any ad popups because I had them for a long time. I started getting the oneclick/popup2 ads ever since I installed some video processing s/w which was not good, and I uninstalled it. When I checked later, my mplayer2.exe was loading itself in memory all the time and didn't play any movies. I managed to overcome that problem after finding some malware (possibly installed by one of those video processing programs). I guess it added some code in some system DLL and this causes the problem. I do not have any s/w that might give this problem.
Booter
12-18-2004, 04:53 PM
If you're sure everything in the HJT log is safe, the next bet would be adware/spyware/malware removers. You said:
"I tried 6-7 adware/spyware software removers but they find my PC clean."
Did you run (in deep scan mode):
AdAware SE Personal?
Spybot Search & Destroy?
What others?
Bruce
geoworldZ
12-18-2004, 04:56 PM
Yes, I used both of them in addition to Spyware Doctor, EMCO Malware Bouncer and 2-3 others which were not very good and I removed them. I am running Ad-Aware SE Personal deep scan again now but I don't think it will find anything. It just finds some cookies and the fact that I have about:blank as my home page.
Booter
12-18-2004, 05:52 PM
I don't know what else to do yet. If HJT is clean, and two of the best adware/spyware removers come up clean, maybe you don't have a problem.
Are you using the about:blank home page by choice, or is it something that happened? There are some bad guys running around known by this name.
I've gone over your log from top to bottom, and nothing seems out of place except the things you say are OK. Occasionally, a bad guy will masquerade as a legitimate file to escape detection, but I don't think that is the case here.
The two IPs you mentioned in your first post belong to:
OrgName: Atrivo
OrgID: ATRIV
Address: 200 Paul Avenue
City: San Francisco
StateProv: CA
PostalCode: 94124
Country: US
You might search your C drive for either the IPs, or the string "atriv" to see if you can make a connection.
I'll think on it. If I come up with an idea, I'll let you know.
Bruce
geoworldZ
12-18-2004, 06:22 PM
OK, I will have to do some more checks. So far I haven't received any ad. I will change my home page to something else in case that might cause a problem, and let's hope that it won't show ad popups again. Is there a chance that another person on my local LAN might have something that then goes through the local network onto my computer?
Booter
12-18-2004, 06:25 PM
If you chose the about:blank page, it is probably not a problem.
Sorry, I can't help you any more. I've just retired again.
Maybe someone else will jump in here.
Bruce
geoworldZ
12-18-2004, 06:51 PM
Hi again. Do you have any idea what the DSO exploit is? I got it from Spybot. Here are the results:
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1957994488-436374069-1708537768-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\LSP.sbi
2004-11-29 Includes\Cookies.sbi
2004-12-15 Includes\Dialer.sbi
2004-12-16 Includes\Hijackers.sbi
2004-12-15 Includes\Keyloggers.sbi
2004-12-15 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2004-12-16 Includes\Spybots.sbi
2004-12-15 Includes\Trojans.sbi
2004-11-29 Includes\Tracks.uti
EclipseMan
12-20-2004, 05:27 PM
I have the same problem. (Geoworldz ... I sent you a private message.) I had the same DSO Exploit issue, and I found that it is a bug in Spybot S&D Version 1.3: it detects the DSO Exploit security gap in IE, but it doesn't fix it right. You can download the free patch to bring it to 1.3.1 at http://www.majorgeeks.com/download4392.html Then run Spybot again, and this time it will fix the problem.
Unfortunately, it only fixes the IE security gap. It doesn't fix the .../oneclick/popup2.php problem :-(
Good luck!
Jeff
cedarbluffs
08-06-2005, 12:24 AM
Here's what I did to fix this really annoying problem. I booted into safe mode, did a search for shnlog.exe, which was located in the system32 folder, and deleted it. I then did a search for *.tmp and deleted all of those files. I then used HijackThis to remove all references to oneclick; then and only then was I able to remove it completely. I think the shnlog.exe file and the tmp files are the main culprits here.