pernicious pop-ups

Guest

I've got some kind of uber-cookie or virus or worm or
something on my system that's infected my browser. It
forces me to have res://csald.dll/index.html#44272 as my
home page, and pop-ups come up even with pop-up blocker.
Header on pop-up is always "Only the Best", icon on
bottom-menu isn't web page, just IE icon. I change home
page back to google, even in INI files, and it gets
changed back to res://csald.dll/index.html#44272
regardless.

Pop-ups mostly offer spyware removal (see
also "scam", "protection racket"). I have a pop-up
blocker, and it's blocking most, but these "only the best"
pop-ups still make it through. I've done spyware scan
with Spybot (had this loaded long before this started,
isn't brand of spyware being advertised in infuriating
pop-up ads). I've scoured my drive with CyberScrub (27
passes, max lvl), and I've done the most up-to-date virus
scan with McAfee.

Is it possible to uninstall IE? Would that help? Is
anyone else getting held hostage by these bastards?

Any hints? I'm really frustrated by this.
 
Jan Il

Hi (e-mail address removed) :)

Try the following and see if they will help.

New CWS variant that hijacks you to res://<random>.dll/sp.html#96676.

Here are some other links which may shed some extra light:
http://forums.spywareinfo.com/index.php?showtopic=7447
http://forums.spywareinfo.com/index.php?showtopic=7261
http://forums.spywareinfo.com/index.php?showtopic=7281

How you know you have it: When you start up Internet Explorer it takes a
few seconds to load and in the address bar it starts with res://<Random .dll>

Per Merijn - http://www.spywareinfo.com/~merijn/index.html

A solution is being worked on, see this thread on the SWI forums.
http://forums.spywareinfo.com/index.php?showtopic=7447

If it's not working for you, or it's too complicated, I heard from several
people that this workaround works as well:

1. Open the DLL you get hijacked to in Notepad
2. Select all content (Ctrl-A) and delete it
3. Save the file and exit Notepad
4. Find the file in Explorer, right-click it, select Properties, put a
   checkmark in 'Read-Only' and click OK.

If you can't find the DLL file, make sure your settings allow you to view
"Hidden files". Open up any explorer windows and click on "Tools", "Folder
Options", "View" and be sure to check off "Show Hidden Files and Folders".
===================================
These programs will alert you to any changes and let you know the process
that changed them. Let's track everything and get to the bottom of this.

Filemon:
http://www.sysinternals.com/ntw2k/source/filemon.shtml

Regmon:
http://www.sysinternals.com/ntw2k/source/regmon.shtml


Hope this helps.

Jan :)
 
LuckyStrike

Hey Jan -

You forgot one. ;-))
http://forums.spywareinfo.com/index.php?showtopic=8847

<paste>
In the last few days ... This infection:
res://<random>.dll/<random>.html#<random> has spread like wildfire and we
are inundated with requests to help clear it. Sometimes the fixes that have
been created work, sometimes not - Unfortunately.

There have been some reported fixes by ensuring that you have a firewall
installed like ZoneAlarm and having it block the calls out to the Internet.
That, with a complete scan using the latest version of Ad-aware seems to
clear it up - Somewhat.

**Ad-Aware should be file : v6.0 Build 6.181 and you should have reference
file: 01R324 22.06.2004 installed.** Please update your copy of ad-aware and
boot into safe mode and run it, before posting a request for help. (How do I
boot into "Safe" mode?)

**It appears that ad-aware is cleaning the files etc but not deleting the
registry entries associated with the clean so they may still show up in the
HijackThis log**. If you still get the entries after booting into normal
mode and are not sure what to delete, post your log in the forum but mention
what version of ad-aware you run as well as the reference file version - This
will help in the resolution.

Also - If you request help, **DO NOT reboot your computer until you receive
a response as the files change as soon as you reboot**. If you receive no
response and you have rebooted - Post a new HijackThis log into your current
message - DO NOT start a new message again as we cannot keep up with all the
calls.
<paste/>
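
An added example (not part of the original thread): a small Python triage helper that scans HijackThis-style "R" lines for the res://<dll>/<page>.html#<number> pattern described above and lists the DLLs to locate on disk. The sample log is constructed; the System32 path in it and the exact R-line layout are assumptions.

```python
import re

# res://<dll>/<page>.html#<number>: the hijack URL shape reported in this thread.
# The DLL part may carry a full Windows path, so it is "anything up to the first /".
RES_HIJACK = re.compile(
    r"res://(?P<dll>[^/]+\.dll)/(?P<page>[^#\s]+\.html?)#(?P<frag>\d+)",
    re.IGNORECASE,
)
# Assumed layout of a HijackThis "R" line: "R1 - <key>,<value name> = <data>"
R_LINE = re.compile(
    r"^(?P<code>R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]*?) = (?P<data>.*)$"
)

# Constructed sample log; the URLs reuse the two patterns quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\System32\csald.dll/index.html#44272
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\csald.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""


def find_res_hijacks(log_text):
    """Return one dict per R-line whose data is a res://<dll>/<page>#<n> URL."""
    hits = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # not an IE start/search page entry
        url = RES_HIJACK.search(m.group("data"))
        if url:
            dll_path = url.group("dll")
            hits.append({
                "hive_key": m.group("key"),
                "value": m.group("name").strip(),
                "dll_path": dll_path,
                "dll": dll_path.rsplit("\\", 1)[-1].lower(),
                "url": url.group(0),
            })
    return hits


def dlls_to_inspect(hits):
    """Distinct DLL file names referenced by the flagged entries."""
    return sorted({h["dll"] for h in hits})


if __name__ == "__main__":
    for hit in find_res_hijacks(SAMPLE_LOG):
        print(f'{hit["hive_key"]} [{hit["value"]}] -> {hit["url"]}')
```

Because the DLL name is random and, per the post above, changes on reboot, the match is on the URL shape rather than on a fixed file name.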
 
Jan Il

Thank you! Dang! How did I miss that one? <g>

Jan :)
 
Jan Il

LuckyStrike said:
YW. Must be due to the long hours and small pay <BG>. ;-D

Pay ??? ....??? You get paid by somebody? HA! And all *I* get is the long
hours! Sheesh!

<g>

Jan :)
 
LuckyStrike

Pay ??? ....??? You get paid by somebody? HA! And all *I* get is the long
hours! Sheesh!

<g>

Jan :)
Yeh...pay. Yah....*Right!* <VBG> Btw, it seems I'm always one step behind
you in these threads that are replied to. *How do you **do** that?!* ;-D
 
Jan Il

LuckyStrike said:
in message

Btw, it seems I'm always one step
behind you in these threads that are replied to. *How do you **do**
that?!* ;-D

I watch the back of your ears. <vbg>

Jan :)
 
LuckyStrike

Jan Il said:
I watch the back of your ears. <vbg>

Jan :)
What...? Are they flappin' or somethin'? Some hidden reference to "Dumbo"?
What...? ;-D

LuckyStrike
--------
 
Jan Il

LuckyStrike said:
What...? Are they flappin' or somethin'? Some hidden reference to
"Dumbo"? What...? ;-D

Noo....just a thing my momma used to say when I used to ask her, "How did
you know I was gonna do that?" Or, the other standard, "Because, I have
eyes in the back of my head." :)


Jan :)
Smiles are meant to be shared,
that's why they're so contagious.
 
LuckyStrike

Jan Il said:
Noo....just a thing my momma used to say when I used to ask her, "How did
you know I was gonna do that?" Or, the other standard, "Because, I have
eyes in the back of my head." :)


Jan :)
Smiles are meant to be shared,
that's why they're so contagious.
Heh! Sharp mother...can see what's happening behind her back *before* it
even happens. That's a relief (???), I was about to make an appointment at
"nip/tuck". <bg>
 
Jan Il

LuckyStrike said:
Heh! Sharp mother...can see what's happening behind her back *before*
it even happens. That's a relief (???), I was about to make an
appointment at "nip/tuck". <bg>

Lol!


Jan :)
Smiles are meant to be shared,
that's why they're so contagious.
 
LuckyStrike

Jan Il said:
Lol!

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.
Glad you got a chuckle Jan. <s> Ok...see you.
LS ;-)
-----------------
 
