Annoying Adware I cant get rid of

[Dermen]

It just started today. When I visit a website I get a prompt to enter a username and password for "" at altfarm.mediaplex.com or ad.doubleclick.net. I have to hit cancel a couple times and it will go away until I click a link. Its insanely annoying in forums. Here is a SS

[img=http://img306.imageshack.us/img306/6775/adware4cl.th.jpg]

I ran Ad-Aware, SpySweeper, Spybot S&D, and Kaspersky AV and they all came up with nothing.

 

[bchur83]

That doesnt sound like an adware problem to me. Probably a setting for FF or just a bad piece of code.

 

[Dermen]

I don't know what it is really. I ran hijack this and everything looked normal. It happens in IE and FF. I don't know why this started today. It wasn't happening yesterday and all I used my comp for yesterday was to browse forums, play counter-strike, burn a dvd, and defrag my HD.

 

[NeoSpawn]

In spybot, take a look at all the processes that run when that comes up, and see what is booting up as well. Can you also see what program are accessing the net? I have Sygate (sadly they are no more *sniffles*) but I can see each program sending in and out data. Might be a code embedded somewhere that is doing it.

 

[Dermen]

This is what Spybot shows under system startup.

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-08-12 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-16 Includes\Cookies.sbi
2005-12-16 Includes\Dialer.sbi
2005-12-16 Includes\Hijackers.sbi
2005-12-16 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-12-16 Includes\Malware.sbi
2005-12-16 Includes\PUPS.sbi
2005-12-16 Includes\Revision.sbi
2005-12-16 Includes\Security.sbi
2005-12-16 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-12-16 Includes\Trojans.sbi

Located: Startup (disabled), Adobe Reader Speed Launch (DISABLED)
command: C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
file: C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
size: 29696
MD5: deb88aef013dd1eefb462d7cad642166

Located: Startup (disabled), Adobe Gamma (DISABLED)
command: C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
file: C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a

Located: System.ini, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, WRNotifier
command: WRLogonNTF.dll
file: WRLogonNTF.dll

All the System.ini items are bold and new.

These are the processes, they are the same weather the username and password prompt is diplayed or not.

--- Process list ---
PID: 0 ( 0) [System]
PID: 716 ( 4) \SystemRoot\System32\smss.exe
PID: 788 ( 716) \??\C:\WINDOWS\system32\csrss.exe
PID: 824 ( 716) \??\C:\WINDOWS\system32\winlogon.exe
PID: 872 ( 824) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 884 ( 824) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 1036 ( 872) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1096 ( 872) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1184 ( 872) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1312 ( 872) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1400 ( 872) C:\Program Files\Executive Software\Diskeeper\DkService.exe
size: 606316
MD5: 34F77ADF4F11D304911BF01BB03FA172
PID: 1440 ( 872) C:\WINDOWS\system32\inetsrv\inetinfo.exe
size: 15872
MD5: 74B9FA2AFAF60B7F4E2A952E77B9DC6C
PID: 1544 ( 872) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1636 ( 872) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1668 ( 872) C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
size: 2159104
MD5: C813A0A21424532D39131618336AD44C
PID: 1788 (1716) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 352 ( 872) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 440 ( 668) C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
size: 3404800
MD5: 65E9D29C826517F1EA0DCDD9112895FE
PID: 1320 ( 668) C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
size: 517632
MD5: 107AF2DE3AF10D6D09C1B36FE9EF9156
PID: 888 ( 668) C:\Program Files\Motherboard Monitor 5\MBM5.exe
size: 594944
MD5: 64134B9862D779467BF8FC75C643DCD8
PID: 1028 ( 668) C:\Program Files\ATITool\ATITool.exe
size: 2225152
MD5: 559E92205C58873DFDCFD41EF947BE74
PID: 3952 (1788) C:\Program Files\Mozilla Firefox\firefox.exe
size: 7162979
MD5: F375D4684A1F72D279A7CFA7A5DE1A9C
PID: 2988 (1788) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System
PID: 764 ( 668) kav.exe
PID: 676 ( 872) kavsvc.ex

 

[Xoligy]

Yea i had something like that once, i kept getting asked to log into the hosting company i use totally random and i couldnt get rid of it i ended up contacting them and the didnt know why i just ended up re-installing lol its the answer to everything imo :|

Edit try clearing all your temp internet files and cookies everything! maybe that will help?

 

[El<(')>Maxi]

Might be a possibility.

http://securityresponse.symantec.com/avcenter/venc/data/spyware.xpcspy.html

 

[Dreamstalker]

It sounds to me like an ad site is badly configured and is asking for a password before it loads (mediaplex and doubleclick are two very common adware culprits). Try placing altfarm.mediaplex.com and ad.doubleclick.net in your hosts file, and see if the password request still happens.

 

[Lobotomy Jack]

Try putting altfarm.mediaplex.com and ad.doubleclick.net into your hosts file pointing to 127.0.0.1 (becuase really why would you want to access those addresses under any circumstances?).

EDIT: I swear I read all the posts in this thread before I submitted that...

 

[Dermen]

Adding them to the host file didn't fix it.

 

[Dermen]

I installed the adblock extension for FF and it is no longer happening. However, it still happens in IE, so its only a temp fix till I figure out how to fix it.

 

[gorilly]

the other day i had someone come to me with some spyware called spy axe... it resisted EVERYTHING... adaware, ms antispyware, spybot, spyware blaster, even after disabling it with hijack this it was still coming back

my final attempt killed it when i used something called edwido spyware... try it

 

[Dermen]

I don't think it is adware, I think it is just a setting somewhere. Once I installed Adblock when I came here it reports blocking inetinteractive.com. If you look at the top of the forums here you will see a little inet interactive ad bar at the top (unless you have it blocked). It never bothered me before, I think some setting on my computer was changed and it made the prompt start appearing. I added some stuff to IE restricted sites and it doesnt show up in IE anymore and a bunch of other stuff and now the bar doesn't load and I no longer get the logon prompts.