View Full Version : New malware - pushowxx.dll

name already taken
2006-05-10, 00:03
I couldn't find any entries on the forums here for pushow, so I figured I would post this so you guys can get this into the scan files.

From Mozillazine (http://forums.mozillazine.org/viewtopic.php?t=409816):

In the last day its also been found that a .dll file pushowxx.dll (where xx=variable number) is causing the problem, and once removed firefox works normally.

What I've been unable to find through 'google' or searching the data-bases at Symantec/McAfee for 'pushshowxx.dll' is any information on what this file is related to programs wise. Its been suggested that its related to Shareeza. I've seen one post that its related to M$ Virtual Desktop.

I was able to ID 32 unique users with the copy/paste issue, and have a list if anyone wants to see. The 'guest' posts were not counted as its impossible to ID who they are, or are the one in the same.

Therefore, 32 unique users with the problem, out of 40 million plus updates/downloads combined, I'd have to say that there is no problem with the build.

I would request that everyone not 'pile-on' this with 'me-toos', but rather you post any information related to pushowxx.dll or maybe other fixes that you the users have found, but not posted, or I may have missed.

Recapping: The only two items found to affect Firefox are: new.net & pushowxx.dll as of 4/26/2006

Note: I understand that renaming the .exe file fixes this issue, but this should be considered as
only a workaround.

EDIT: Was just informed of a bug being filed against some malware of somesort:

See thread: http://forums.mozillazine.org/viewtopic.php?t=409866
Advertisemen.com , more info in the bug.

EDIT: The bad dll pushowxx.dll on windows is usually found in C:\Windows\system32\
Its also been noted that some people are finding files like popupshow.dll not just pushow

When searching for the file make sure that you have: Show hidden files/folders 'enabled' and use the search argument: pushow* , this will assure you find any 'random number' and not just one specific number, of the bad dll.

Update 05/04/06:
Posted by user: craigevil

Here's a support thread in a tech forum concerning the pushxx.dll thing.

A brand new malware(Defender doesn't recognize it yet) advertismen - Security Home Users

Found another one on a microsoft site but no matter what browser I tried using it kept saying your browse does not support script.

Just do a Google and Yahoo search for pushxx.dll there are a few links.

See also: Bug 334500 - Right click copy/paste & ctrl+c/ctrl+v don't work (with pushow*.dll malware) (https://bugzilla.mozilla.org/show_bug.cgi?id=334500)

2006-05-10, 01:05
Hi there.
Thank you for the information. :)

If you come across any files please send them zipped to:detections(AT)spybot.info

Put the name of the file/infection into subject matter.


name already taken
2006-05-10, 05:41
If you come across any files please send them zipped to:detections(AT)spybot.info
I grabbed some of the files posted in the bug, zipped em, and sent them to the email address provided. Hopefully you can make more of them than I can :)

2006-05-10, 07:54
Thank you. :bigthumb: