Thread: Undocumented Adware?

  1. #1
    Junior Member
    Join Date
    Mar 2006
    Posts
    2

    Default Undocumented Adware?

    I'm not going to post the name of the software, since I don't want it showing up in a search if it turns out to be clean, or a glitch, as it didn't show up in any searches I did as being adware. If someone would like to verify my results (and hopefully add them to a definitions release) please email me.

    I downloaded video repair software from several places and noticed a little while afterward that the current window I was working in would lose focus. If I hit alt-tab without clicking back on a window, there would be an IE window with an .ru address. Switching to that window, or hitting alt-tab again would make the entry disappear. My default browser is Firefox. If I typed the addresses shown in alt-tab, they usually redirected me to some other .ru site, or gave an error, though if I looked in the browser's cache, I'd find that the site had been accessed, and it existed in my IE history. One in particular pointed to a text file, which just contained a link to one of the packages of video repair software I had tried using. I remember specifically only downloading one package from an .ru site, as I was concerned about where it was coming from (Russia), but a search with google didn't turn up any suggestion of it being adware.

    At this point I tried HijackThis, Ad-Aware, Spybot S&D, RootkitRevealer, and sfc to remove it, but to no avail. A new account on my system didn't have the same behaviour, so I searched as thoroughly as I could through my account's directories, but except for a few suspicious JavaScript files couldn't find anything blatantly obvious.

    Finally I downloaded Total Uninstall 3 to track changes, reinstalled the offending video repair software package (which on inspection of the log contained a file named iexplorer.exe, but that didn't match the one my system was using...), then used Total Uninstall to remove it, and since then, no more entries in the IE history, and no more losing window focus. I've removed a lot of adware from people's systems, but this one really had me stumped! Usually I don't bother to report the stuff I find on other people's machines, however this one really seems worthy of reporting and investigation as a lot of people could be infecting themselves with no warnings posted whatsoever.

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    iexplore.exe is the real program.

    iexplorer.exe is a bad guy used by many Trojans, worms and adware programs.
    Last edited by md usa spybot fan; 2006-03-26 at 19:47.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  3. #3
    Junior Member
    Join Date
    Mar 2006
    Posts
    2

    Default

    *smacks forehead*

    Right. I've removed that typoed version from plenty of machines before, so I don't know why I didn't recognize it this time. Still, it doesn't negate the fact that when the file was gone, the problem remained, and before the file was gone, no program detected it; it wasn't detected by HijackThis, and according to my Filemon log, it was never accessed, including when the pop-ups occurred.

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    Mind telling me where this "video repair software package" is or where to download it ?

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Thanks Wolfreak
    best not to post that url


    http://virusscan.jotti.org/
    File: C:\Program Files\Video-Repairer\iexplorer.exe
    Status: INFECTED/MALWARE
    (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 b089a5fe5317ccde2026ad0532cf0a7d
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found BACKDOOR.Trojan (probable variant)
    F-Prot Antivirus Found unknown virus (probable variant)
    Fortinet Found W32/AdClicker.B!tr
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
    ==================================
    File:C:\WINDOWS\system32\cfmon.exe
    Status: INFECTED/MALWARE
    (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 b089a5fe5317ccde2026ad0532cf0a7d
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found BACKDOOR.Trojan (probable variant)
    F-Prot Antivirus Found unknown virus (probable variant)
    Fortinet Found W32/AdClicker.B!tr
    Kaspersky Anti-Virus Found nothing
    NOD32 Found probably unknown NewHeur_PE (probable variant)
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
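    Two things in this thread can be checked mechanically rather than by eye: a file name that is one character away from a legitimate Windows binary (iexplore.exe versus iexplorer.exe in post #2), and the same MD5 appearing under two different names in two different directories (the Jotti results above). The Python script below is an added example written for this page; it is not code from the thread, from Jotti or from Spybot. The list of legitimate names and directories is an illustrative subset, the sample file tree and its byte-string bodies are constructed stand-ins rather than real binaries, and the assumption that cfmon.exe imitates the legitimate ctfmon.exe is mine, not something the posts state.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# Legitimate Windows binaries that malware imitates by adding, dropping or
# swapping one character. Illustrative subset chosen for this example; the
# ctfmon.exe entry is an assumption about what cfmon.exe was mimicking.
KNOWN_GOOD = {
    "iexplore.exe": r"C:\Program Files\Internet Explorer",
    "ctfmon.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Sorted list of legitimate names this file name is one edit away from.
    An exact match is the real program and is not reported."""
    name = filename.lower()
    return sorted(g for g in KNOWN_GOOD if name != g and edit_distance(name, g) == 1)


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(paths):
    """Return (lookalikes, duplicates).
    lookalikes: path -> legitimate names it imitates.
    duplicates: md5 -> paths sharing that digest (the same binary under several names)."""
    lookalikes = {}
    by_hash = defaultdict(list)
    for p in paths:
        hits = lookalike_of(os.path.basename(p))
        if hits:
            lookalikes[p] = hits
        by_hash[md5_of(p)].append(p)
    duplicates = {h: ps for h, ps in by_hash.items() if len(ps) > 1}
    return lookalikes, duplicates


def build_sample_tree():
    """Constructed sample mirroring the thread's layout. The bodies are plain
    byte strings standing in for binaries; the two suspect files share one body
    so they hash identically, as the two Jotti entries did."""
    root = tempfile.mkdtemp(prefix="triage_")
    payload = b"MZ constructed stand-in body, not real malware\n"
    files = {
        os.path.join(root, "Program Files", "Video-Repairer", "iexplorer.exe"): payload,
        os.path.join(root, "WINDOWS", "system32", "cfmon.exe"): payload,
        os.path.join(root, "WINDOWS", "system32", "ctfmon.exe"): b"MZ stand-in for real ctfmon.exe\n",
        os.path.join(root, "Program Files", "Internet Explorer", "iexplore.exe"): b"MZ stand-in for real iexplore.exe\n",
    }
    for path, body in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    return root, list(files)


def demo():
    """Run triage over the constructed tree and report paths relative to its
    root (Windows-style separators) so the result is independent of the temp dir."""
    root, paths = build_sample_tree()
    try:
        lookalikes, duplicates = triage(paths)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "\\")
        return (
            {rel(p): hits for p, hits in lookalikes.items()},
            [sorted(rel(p) for p in ps) for ps in duplicates.values()],
        )
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    found, dupes = demo()
    for path, hits in found.items():
        print(f"lookalike: {path} imitates {', '.join(hits)}")
    for group in dupes:
        print("same MD5 under different names:", " | ".join(group))
```

    Note that iexplorer.exe is one edit away from both iexplore.exe and explorer.exe, which is why the function returns every near-miss rather than a single guess; a grouping by digest then shows the two differently named files to be one binary, which is what the identical MD5 lines in the two Jotti reports were saying. A real directory sweep would pass os.walk output to triage instead of the constructed list.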

  6. #6
    Junior Member
    Join Date
    Mar 2006
    Posts
    2

    Default ngsh35.dll

    Seems you had the same problem as me. Remove ngsh35.dll in c:\windows\system32\

  7. #7
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Wolfreak, if you still have the computer in question and would like someone to take a look at the system:

    • Open Spybot, check for and get any updates available.
    • Close all browsers, check for problems and fix everything found in red.
    • Then on the toolbar menu select Mode and switch to Advanced mode; on the left, lower down, select Tools, then View Report, and ensure all the options near the bottom are selected except:
    • Uncheck [ ] Do not report disabled or known legitimate items.
    • Uncheck [ ] Include a list of services in report.
    • Uncheck [ ] Include uninstall list in report.
    • Now select (near the top) View Report.
    • Press Export; in the Save In box choose a place such as your My Documents folder. Then in your next post, near the bottom, select the "Browse" button, navigate to the file, and attach or post that report.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
