changes legit banner ads into bogus ads

#1 anticavity

Posted 27 June 2004 - 09:18 PM

Here's what happens when I use MSIE: image-based hyperlinks on legit sites are being turned into ads for crap like botox, tanning towels, phony spyware "nukers," dvd to cd converters, and privacy protectors. They link to the following domains (there might be more):

messagebroadcaster.net/bannerfarm/link/800p/sv.htm (with various other endings after "800p")
online-med.ws.com
qksrv.net
computercashcow.com/money (I made the mistake of following this link, which is for a pyramid scheme)

I think it only hijacks images that are certain dimensions typical of banner ads. I've seen these bogus ads on websites such as magazines like nro.com and tnr.com, blogs such as aldaily.com, and even slashdot.com. The worst victim of this is cnet: when I view a list of product reviews, the preview product images are all phony ads. All legitimate online content providers and sponsors should be mondo pissed about this type of malware.

I run AdAware and Spybot at least weekly and check for updates before each scan. They say my PC is clean. Here's my HijackThis log file:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\HP CD-DVD\UMBRELLA\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\USB STORAGE DEVICE\SHWICON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\PROGRAM FILES\SONY HANDHELD\HOTSYNC.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldaily.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\SYSTEM\MSKHHE.DLL
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - (no file)
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - (no file)
O3 - Toolbar: (no name) - {b9f00e39-d75c-4eed-9f20-fead50decfa1} - (no file)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-AA8E-8E1CA787AD2D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [HP CD-DVD] C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
O4 - HKLM\..\Run: [HPCDRW Reminder] "C:\Program Files\HP CD-DVD\Webreg\Navbrowser.exe" /r /i "C:\Program Files\HP CD-DVD\Webreg\NavLoad.ini"
O4 - HKLM\..\Run: [Microsoft Tray] C:\PROGRAM FILES\KAZAA\MY SHARED FOLDER\GRAND THEFT AUTO VICE CITY SETUP LAUNCHER.EXE
O4 - HKLM\..\Run: [ufkizpid] C:\WINDOWS\SYSTEM\ufkizpid.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShowIcon_The Company_USB Storage Device v1.14e035] "C:\Program Files\USB Storage Device\shwicon.exe" -t"The Company\USB Storage Device v1.14e035"
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [HP Product Reminder] "C:\PROGRAM FILES\HP CD-DVD\WEBREG\NAVBROWSER.EXE" /r /i "C:\Program Files\HP CD-DVD\Webreg\NavLoad.ini"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: RemindU (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8051.6254513889
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildt...uncherSetup.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab

Thanks in advance for any help you can offer.

#2 jack5962

Posted 28 June 2004 - 03:11 PM

I'm having the same issue. I used Allure's Spyware Eliminator, but was not able to remove this malware virus.

#3 anticavity

Posted 05 December 2004 - 03:07 PM

In case anyone stumbles upon this old string, I think I found my own solution...

I believe the cause of my problem was this item:

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\SYSTEM\MSKHHE.DLL

If anyone happens to know the maker of this slimeware, please let me know. They have been a nuisance for the last 7 months, and I would like to report them to the FCC and the FTC. Providers of legitimate content & sites which earn income from hosting legitimate banner ads are being screwed by these people. I know that they are probably shielded from liability because I somehow accepted their slimeware or didn't have proper security settings or a firewall to refuse it, but the government should add this to the list of ways malware disrupts legitimate e-commerce and e-communications.

#4 Swandog46

Posted 08 December 2004 - 08:43 PM

Hi anticavity :)

Welcome to SWI. I am so sorry that a helper did not get to your post before now; we get a huge number of posts per day here and I guess your log was somehow lost in the shuffle. If you are still having problems or concerns, please feel free to post a new HijackThis log here and I would be happy to take a look at it for you. I will be watching this thread :D

Edit:
Incidentally, that particular O2 entry:

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\SYSTEM\MSKHHE.DLL

is indeed malicious; it is related to the ClientMan parasite. See this page for more information:
http://www.doxdesk.c.../ClientMan.html

However, that was not the only malware entry I see in your original log, so please post a new log here for review, if you would like. :D

Edited by Swandog46, 08 December 2004 - 08:46 PM.
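As an added example (not code from this thread, from SpywareInfo or from HijackThis itself), a small Python triage pass over lines shaped like the log posted above. It applies the two checks the diagnosis in this thread rests on: an O2 BHO entry with "(no name)" whose DLL lives in the Windows system folder (as MSKHHE.DLL does), and O4 Run entries launching from that folder that are not on a known-good allowlist; the allowlist, the system-folder path and the sample lines are constructed for the example.

```python
import re

# Constructed sample: a few lines in the shape of the HijackThis log in the thread
SAMPLE_LOG = """\
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\PROGRAM FILES\\ADOBE\\ACROBAT 6.0\\READER\\ACTIVEX\\ACROIEHELPER.DLL
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\\WINDOWS\\SYSTEM\\MSKHHE.DLL
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [hpsysdrv] c:\\windows\\system\\hpsysdrv.exe
O4 - HKLM\\..\\Run: [ufkizpid] C:\\WINDOWS\\SYSTEM\\ufkizpid.exe
O4 - HKCU\\..\\Run: [msmc] C:\\WINDOWS\\SYSTEM\\msmc.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")

SYSTEM_DIR = "c:\\windows\\system\\"   # Win9x system folder, as it appears in the log (assumption)
KNOWN_GOOD_RUN = {"hpsysdrv", "systemtray", "loadpowerprofile"}  # constructed allowlist of value names


def exe_path(cmd):
    """Lowercase executable path from a Run command line; handles quoted paths and arguments."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)', cmd.strip(), re.IGNORECASE)
    return (m.group(1) or m.group(2)).lower() if m else cmd.strip().lower()


def triage(log_text):
    """Return (reason, line) pairs for the entries a helper would look at first."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            path = m.group("path").strip()
            if path == "(no file)":
                findings.append(("orphan BHO: registration left behind, file already gone", line))
            elif m.group("name") == "(no name)" and path.lower().startswith(SYSTEM_DIR):
                findings.append(("unnamed BHO loaded straight from the system folder", line))
            continue
        m = O4_RE.match(line)
        if m and exe_path(m.group("cmd")).startswith(SYSTEM_DIR) \
                and m.group("value").lower() not in KNOWN_GOOD_RUN:
            findings.append(("autorun from the system folder, not on the allowlist", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```

Anything flagged is a candidate for a closer look (file properties, vendor, install date), not a verdict; the helper in this thread still asked for a fresh log before advising removal.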


#5 dave38

Posted 30 December 2004 - 06:25 PM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.