Possible new parasite

  • Thread starter Alexandru Petrisor

Alexandru Petrisor

Dear Peer User/ Technical Specialist:

I am trying to describe to you a parasite problem that I am
encountering, hoping that you might help me and possibly
help other people who are getting infected. I caught some parasite,
which no program could detect (I am running SpyBot,
LavaSoft Ad-Aware and the new Microsoft AntiSpyware tools
to detect and eliminate them, and PanicWare Pop-Up Stopper
and Spyware Blaster to prevent their action). This program
acts as a "mother ship" and keeps downloading and
installing parasite programs; these are removed, but keep
being reinstalled even after restarting the computer, no
matter how often this happens and how in-depth it is
scanned. Most of the times, these parasites are:

(Detected mostly by SpyBot)
Avenue A, Inc.
DoubleClick
HitBox
MediaPlex

(Detected mostly by Microsoft AntiSpyware)
WindUpdates

(Detected mostly by Lavasoft Ad-Aware)
Different tracking cookies,

but occasionally there are more parasites coming.

I am not an experienced programmer and I am not familiar
with networking, but I am an experienced user and I want to
provide you with as much info as possible to help you in assisting me and other
potential victims. I was able to find a program
installed in:

C:\Program Files\spos2p66

This application could not be removed even manually and
even after un-registering it. There is a file remaining,
called spos2p66.dll, and if I open it with Notepad I
can see things like:

GetLastActivePopup
InternetOpenA q InternetOpenUrlA WININET.dll LZCopy LZClose
LZOpenFileA LZ32.dll
http://sds.qckads.com/contextsidebar/ver3/csie_tsb_rules.dat
http://sds.qckads.com/contextsidebar/ver3/csie_tsb_patterns.bin
http://sds.qckads.com/contextsidebar/ver3/csie_tsb_campaigns.bin

and such, which makes me think that it is at least part of the
problem. I performed a Google search and could not find any
info about this program.

Most of the advertisement triggers the following URLs (for
which I could not find any info on Google either):

http://fad-1109.nyc1.targetnet.com/ad/...
http://fad-1111.nyc1.targetnet.com/ad/...

This address is the beginning; it turns into:
http://download.funwebproducts.com/
http://heavylite.heavy.com/
http://download.abetterinternet.com/
http://www.starpulse.com/Television/Beyblade/
http://apps.deskwizz.com/pubanrs.html
http://www.searchingbooth.com/AdvPop.html
http://69.28.210.175/media
http://www.heavy.com/heavy.php?channel=pickyRadioLauncher

I stopped using Internet Explorer and started using
Netscape. For some reason, which might be related to the
problem described above, the "download" function does not
work (an error message saying that the temporary file could
not be found), but any download or attempt to save a file
triggers the action of parasites in cascade. Download is
possible with Internet Explorer, but any opening of this
program attracts the action of parasites. No removal tool
was able to solve the problem with Netscape.

I am sending this message to all the producers of
anti-parasite programs, hoping to get some help and also
helping the community. If you need any additional
information, please do not hesitate to contact me at the
current address.

Thank you for your efforts of helping the user community.

Sincerely,

Dr. Alexandru I. Petrisor, Research Associate
Microbial Interactions Laboratory
Department of Environmental Health Sciences
University of South Carolina
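The check the report does by hand (opening the DLL in Notepad and spotting WinINet imports next to download URLs) can be automated for triage. This is an added example, not code from the post or from any of the tools named in it; the sample bytes are constructed to mimic what the post quotes from spos2p66.dll, and the API list is an assumption about which imports matter.

```python
import re
from typing import Dict, List

# Win32 imports that give a module the ability to fetch things from the network.
# InternetOpenA / InternetOpenUrlA are the two the post found; the rest are
# assumed additions a responder would also want flagged.
NETWORK_APIS = {
    "InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
    "URLDownloadToFileA", "URLDownloadToFileW",
}

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def triage(data: bytes) -> Dict[str, List[str]]:
    """Sort a suspect binary's strings into the buckets a responder looks at:
    imported DLL names, network-capable API names and embedded URLs."""
    found: Dict[str, List[str]] = {"dlls": [], "network_apis": [], "urls": []}
    for s in extract_strings(data):
        found["urls"].extend(URL_RE.findall(s))
        for tok in re.split(r"[^\w.]+", s):
            if tok.lower().endswith(".dll"):
                found["dlls"].append(tok)
            elif tok in NETWORK_APIS:
                found["network_apis"].append(tok)
    return {k: sorted(set(v)) for k, v in found.items()}


def is_downloader_like(report: Dict[str, List[str]]) -> bool:
    """Network imports plus hard-coded URLs is the 'mother ship' pattern the post describes."""
    return bool(report["network_apis"]) and bool(report["urls"])


# Constructed stand-in for the import table and data section quoted in the post.
SAMPLE = (
    b"\x00\x00GetLastActivePopup\x00InternetOpenA\x00q\x00InternetOpenUrlA\x00"
    b"WININET.dll\x00LZCopy\x00LZClose\x00LZOpenFileA\x00LZ32.dll\x00\x01\x02"
    b"http://sds.qckads.com/contextsidebar/ver3/csie_tsb_rules.dat\x00"
    b"http://sds.qckads.com/contextsidebar/ver3/csie_tsb_campaigns.bin\x00"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for bucket, items in report.items():
        print(bucket, items)
    print("downloader-like:", is_downloader_like(report))
```

Run it against a real file with `triage(open(path, "rb").read())`; hits in both `network_apis` and `urls` are what justify pulling the file and its URLs into a fuller investigation.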
 

Ron Chamberlin

Hi Alexander,
Thanks for a great report! If the machine is still 'infected', would it be
possible for you to send a 'Suspected Spyware Report'? It is available under
the Tools menu in the MWAS program. If you aren't able to send the report,
please save it in its native XML format and let me know.

Ron Chamberlin
MS-MVP
 

BobA5835

I ran into Winupdates while doing routine maint.
yesterday. I usually run SpyBot S&D first ...it was
clean. Winupdates was detected with my AdAware SE. I
left the entries untouched and then ran my MSAS. MSAS
didn't see them but neither did the SBS&D. I know that
AdAware and SpyBot were current. I'm not sure if I've
got 5695 or previous Def on the MSAS. Went back and re-ran
the SE and removed the entries. These popped up out
of no place...I've only been to known sites lately...MS,
Aumha, MgjGeeks, TmCoyote, etc....? Dwnldd Spyware
Blaster after all this just in case. And am going to
check for the "spos" he mentioned. I see where Dr.
Petrisor caught Winupdates with MSAS, Ron do you know
what Def # he used?

BobA5835
 

Ron Chamberlin

Hi Bob,
The good Dr.'s message was dated 3/04, so that would likely be about two
updates ago for def files.


Ron Chamberlin
MS-MVP
 