Old February 28th, 2006, 00:02 AM   #1
d000hg
Senior Member
 
Join Date: Jun 2004
Posts: 284
Something screwy - Firefox self-starts etc

Here are my symptoms...

1) On my C:\, .exes with names like radzy.exe, redpy.exe & drsmartload1.exe keep appearing; if I delete them they come back a bit later.
2) At startup I always have an application called mudes2 running, which tries to access the internet. Sometimes FaxMonitor also starts up for no obvious reason.
3) If I view the properties for my open dialup connection, I see it is constantly sending and receiving data as fast as it can. In the past, it sits idle unless I'm actively browsing.

Then today I installed the Firefox Ad-blocker plugin. Now I get these too:
4) Firefox keeps opening new tabs for ad-sites - it didn't before, but blocked popup windows as I'd want it to.
5) If I close FF it opens itself shortly later.
6) I keep getting a URL called "spy-ware blocker" or similar appearing on my desktop.

I have Ad-Aware SE and Spyware: Search and destroy which cleared a bunch of stuff. But it seems they missed something...
Old February 28th, 2006, 06:39 AM   #2
cash_site
Security Intelligence
TZ Veteran
 
 
Join Date: Jul 2002
Location: Software Paradise
Posts: 4,210
Definitely sounds like spyware or a virus! Yeah, I read some Russian sites use radzy.exe for trojans...

Try doing an online scan at http://housecall.trendmicro.com/ and also check out our spyware removal thread.
Old February 28th, 2006, 08:06 AM   #3
d000hg
Senior Member
 
Join Date: Jun 2004
Posts: 284
Will do. I re-ran a full scan with Ad-aware and it found a bunch of things with a TAC (I think) of 10. It couldn't remove one which was in the windows\system folder as a dll.
It didn't pick up any of those random .exes on c:\. Is it likely I have something on my PC which isn't being detected, or that my PC is being targeted while online and re-infected? I'm on dialup and my IP isn't the same each session so this seems unlikely...

That online scanner - how is it better than installing some software? Surely the online thing doesn't have as much system access as an installed application?

Oh and I'll also try that Bazooka tool - didn't have that one.

Last edited by d000hg; February 28th, 2006 at 08:12 AM.
Old February 28th, 2006, 15:46 PM   #4
rik
Old, Cranky and Perverted
Super Moderator
 
 
Join Date: Aug 2003
Location: Watching Your every move...
Posts: 5,299
Might also try the demo of Trojan Hunter.
Old March 1st, 2006, 08:09 AM   #5
d000hg
Senior Member
 
Join Date: Jun 2004
Posts: 284
The Bazooka app didn't find anything. Both spyware: search & destroy and Ad-aware find some coolwwwsearch type things still (after removing other things) but they can't remove the dlls 'cos they're always in use - even in safe mode.
I think there was a specific tool mentioned in the spyware removal thread...

Anyway, how am I getting spyware so quickly? Since switching to FF I've got loads of new ones; is it possible the one which I can't remove is installing other spyware? Otherwise where is it coming from, if I only visit reputable sites? My PC still tries to access the internet whenever I turn it on; this seems to be the fault of an app called mudes2 or project1. I couldn't find anything relevant about them on the net though.
Is a firewall something I should consider - does this stop malware getting onto my system? I don't really want a background app always running but maybe if it'll help - what's the best free one I can find?
Old March 1st, 2006, 08:50 AM   #6
egghead
Precision Processor
Super Moderator
 
 
Join Date: May 2002
Location: In Your Monitor
Posts: 3,861
Install Security Task Manager and see if it will remove the dll from running:
http://www.neuber.com/taskmanager/

Use Start/Run and type
msconfig

and look at the startup list.

Remove anything that looks wrong or related to the spyware.

I do not know of any spyware removal programs other than Webroot Spy Sweeper. Spy Sweeper now only scans and reports, and will not remove bad files unless you buy it.

Ad-Aware and Spy Sweeper never find anything but cookies, and I suspect the spyware makers are using stealth tactics from exploits and mucking up your system.
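The msconfig review above is a manual pass over the startup list; the script below is an added example (not code from this thread or from any tool named in it) that does the same triage over a list of startup entries. It resolves what each command really runs, which matters for rundll32.exe entries: rundll32 only hosts the DLL named on its command line, so the DLL, not rundll32.exe itself, is the file to look at. Entries are flagged when the file sits in a drive root, a temp folder, is a bare filename found via PATH, or lives outside the Windows and Program Files trees. The registry key label, the allow-list of directories and the sample entries are all constructed for the example; the odd names mirror the ones reported in the thread.

```python
import ntpath
from dataclasses import dataclass, field

# Constructed allow-list of directories where startup entries normally live.
# Windows 2000 installs to C:\WINNT by default; later versions use C:\WINDOWS.
EXPECTED_DIRS = (
    r"c:\winnt\system32", r"c:\winnt",
    r"c:\windows\system32", r"c:\windows",
    r"c:\program files",
)


@dataclass
class StartupEntry:
    source: str    # where it was listed (Run key, Startup folder); constructed labels
    name: str      # the value name msconfig or StartupList would show
    command: str   # the full command line


@dataclass
class Finding:
    entry: StartupEntry
    target: str                                  # the file that really runs
    reasons: list = field(default_factory=list)  # empty means nothing stood out


def split_command(command):
    """Return (executable, arguments) from a Windows command line, honouring quotes."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    i = cmd.lower().find(".exe")
    if i != -1:                                  # an unquoted path may contain spaces
        return cmd[:i + 4], cmd[i + 4:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def resolve_target(command):
    """rundll32.exe only hosts the DLL named on its command line, so for such
    entries the DLL is the file to review; otherwise the executable itself is."""
    exe, args = split_command(command)
    if ntpath.basename(exe).lower() == "rundll32.exe" and args:
        return args.split(",", 1)[0].strip().strip('"')
    return exe


def triage(entries):
    """Attach review reasons to every entry; an empty list means it looked normal."""
    findings = []
    for entry in entries:
        target = resolve_target(entry.command)
        directory = ntpath.dirname(ntpath.normpath(target).lower())
        _, tail = ntpath.splitdrive(directory)
        reasons = []
        if directory == "":
            reasons.append("bare filename: resolved by PATH search, location unknown")
        elif tail in ("\\", "/"):
            reasons.append("lives in the drive root, where no legitimate startup item belongs")
        elif "\\temp\\" in directory + "\\":
            reasons.append("lives in a temp directory")
        elif not any(directory == d or directory.startswith(d + "\\") for d in EXPECTED_DIRS):
            reasons.append("outside the Windows and Program Files trees")
        if target != split_command(entry.command)[0]:
            reasons.append("rundll32 host: the loaded DLL is the payload, not rundll32.exe")
        findings.append(Finding(entry, target, reasons))
    return findings


def flagged_names(entries):
    """Names of the entries worth a closer look, in listing order."""
    return [f.entry.name for f in triage(entries) if f.reasons]


# Constructed sample listing for the example.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [
    StartupEntry(RUN_KEY, "ExampleAgent", r"C:\WINNT\system32\exampleagent.exe /logon"),
    StartupEntry(RUN_KEY, "mudes2", r"C:\mudes2.exe"),
    StartupEntry(RUN_KEY, "drsmartload", r"C:\drsmartload1.exe"),
    StartupEntry(RUN_KEY, "loader", r'"C:\WINNT\system32\rundll32.exe" "C:\WINNT\system32\hosted.dll",Start'),
    StartupEntry("Startup folder", "tmas", "tmas.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{'REVIEW' if f.reasons else 'ok':6} {f.entry.name:14} -> {f.target}")
        for r in f.reasons:
            print(f"        - {r}")
```

A clean location is not proof of innocence (a DLL dropped into system32 passes the directory check, which is why rundll32 entries are always reported), so treat the output as a shortlist to check against a known-good machine or vendor documentation, not as a verdict.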
Old March 1st, 2006, 16:53 PM   #7
rik
Old, Cranky and Perverted
Super Moderator
 
 
Join Date: Aug 2003
Location: Watching Your every move...
Posts: 5,299
Another good app is CWShredder. It's great for removing the "millions" of Cool Web Search annoyances.

http://www.softpedia.com/progDownloa...load-8114.html
Old March 1st, 2006, 18:57 PM   #8
d000hg
Senior Member
 
Join Date: Jun 2004
Posts: 284
Well I've followed all advice now I think. And still no joy. Shut down lots of processes with that task-manager thing. Firefox can launch itself when not running, and launch new tabs. URLs appear on my desktop and popups to places to help fix my computer (I previously turned off some Windows services which did the same thing). .exes appear on my c: and although I scanned a week ago my BitDefender scan has found another 8 viruses and is 4% done. How are these things getting in? I don't download random apps etc.
It definitely got a lot worse the same day I installed the adblock plugin to FF!

I ask again - is a Firewall a good option and which one?
Old March 1st, 2006, 21:22 PM   #9
rik
Old, Cranky and Perverted
Super Moderator
 
 
Join Date: Aug 2003
Location: Watching Your every move...
Posts: 5,299
Definitely run a Firewall program. Personally I run Sygate Personal FW. At this point even though you seem to be fighting the good fight...kinda sounds like it's time to wipe it out and reinstall the OS.
Old March 2nd, 2006, 08:06 AM   #10
d000hg
Senior Member
 
Join Date: Jun 2004
Posts: 284
It's only been on a couple of months...
BitDefender got rid of those random .exes on c:\ and the rest seems to have gone for now, but popups still occur.
It's like one bad thing is not getting detected and is inviting its friends - but malware/viruses aren't cooperative like that, are they? For instance, how do .exes just turn up on my PC?

If Ad-aware only detects minor things how does it pick up .dlls - these aren't just something trivial like a cookie?

By the way I tried the other one of those online scanners - haven't run it after it took ages to install the ActiveX thing, but I was highly amused that something aimed at making your PC more secure forced me to use IE, saying in FF that it required IE 5 or greater!

Oh, msconfig isn't present in Win2K, how can I view the processes etc loaded at startup?
Old March 2nd, 2006, 08:36 AM   #11
Kane
Bronze Member
 
Join Date: Dec 2005
Posts: 186
Try StartupList by merijn.
Old March 2nd, 2006, 12:00 PM   #12
d000hg
Senior Member
 
Join Date: Jun 2004
Posts: 284
Sounds cool, has anyone else used this? That guy sounds fairly prolific, loads of tools!
Old March 2nd, 2006, 19:04 PM   #13
egghead
Precision Processor
Super Moderator
 
 
Join Date: May 2002
Location: In Your Monitor
Posts: 3,861
Merijn is the original creator of CWShredder.

All his tools are must-haves.
Old March 3rd, 2006, 09:30 AM   #14
d000hg
Senior Member
 
Join Date: Jun 2004
Posts: 284
Cool, I shall look at it then.

I got the Sygate free firewall after a bit of searching - they have discontinued it but it was still on download.com et al. It immediately told me that RunDll32.exe in windows\system32 was trying to access www.ad-a-w-a-r-e.com or something similar. Something with a name like winlogon.exe also in that folder seemed to be doing something suspicious too. So I blocked them, which seems to have stopped new browser windows. But how can I fix it? RunDLL32 is a system file so I assume it's been replaced with a dodgy version - can I get the original without re-installing Windows?

I also have a process called Tmas.exe trying to access the internet (a site with a name like spyware.update) - is this one of my anti-spyware apps trying to auto-update, or something bad? I've had lots of popups about 'anti'-spyware things I 'must download'!

Looks like I'm getting there - the firewall is sweet, as is that TaskManager app which tells me every time something alters something.
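Two questions in the thread come down to the same check: whether files keep appearing in C:\ after a cleanup, and whether a system binary such as RunDll32.exe still matches its known-good copy (on Windows 2000 a protected copy lives in %SystemRoot%\system32\dllcache and sfc /scannow restores from it, so a hash comparison against that copy or the install media answers the "has it been replaced" question without a reinstall). The script below is an added example, not code from this thread or from any tool mentioned in it: it records a baseline of a directory tree (relative path and SHA-256), diffs a later snapshot against it to list files that appeared, vanished or changed, and checks one binary against a recorded known-good hash. The demo builds its own scenario in a temporary directory standing in for C:\ with a system32 folder below it; the file names and contents are constructed.

```python
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory, recursive=True):
    """Map each regular file (path relative to directory) to its SHA-256."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            result[os.path.relpath(full, directory)] = sha256_of(full)
        if not recursive:
            break
    return result


def compare(baseline, current):
    """Report what appeared, vanished or changed since the baseline was taken."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def save_snapshot(snap, path):
    """Persist a baseline; keep it somewhere the machine under review cannot alter."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_snapshot(path):
    with open(path) as f:
        return json.load(f)


def matches_known_good(path, known_good_sha256):
    """True if a binary still hashes to the value recorded for a trusted copy."""
    return sha256_of(path) == known_good_sha256


def demo():
    """Constructed scenario: a temp directory stands in for C:\\ with system32 below it."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "rundll32.exe"), "wb") as f:
            f.write(b"stand-in for the known-good binary")
        with open(os.path.join(root, "boot.ini"), "wb") as f:
            f.write(b"[boot loader]")
        baseline = snapshot(root)
        good_hash = baseline[os.path.join("system32", "rundll32.exe")]

        # Later: a file appears in the root and the system binary is altered.
        with open(os.path.join(root, "radzy.exe"), "wb") as f:
            f.write(b"unexpected arrival")
        with open(os.path.join(sys32, "rundll32.exe"), "wb") as f:
            f.write(b"not the original any more")

        diff = compare(baseline, snapshot(root))
        still_good = matches_known_good(os.path.join(sys32, "rundll32.exe"), good_hash)
        return diff, still_good


if __name__ == "__main__":
    diff, still_good = demo()
    for kind, paths in diff.items():
        print(f"{kind:8}: {paths}")
    print("rundll32.exe matches known-good copy:", still_good)
```

A baseline taken after the machine is already infected only shows what changes from that point on, which is still useful for catching the "they come back later" behaviour, but the known-good hash for a system binary has to come from a trusted source (dllcache, install media, or a clean machine of the same version and service pack), not from the suspect file itself.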
Old March 4th, 2006, 10:06 AM   #15
Curio
Triple Platinum Member
 
 
Join Date: Nov 2004
Location: London
Posts: 907
boink

There are loads of different spywares and virii, and there are always new ones coming out, so maybe you are infected with a new one. The original trojan 'SmartLoad' certainly isn't new. Some adwares do download more adwares and trojans and IRC bots and SMTP relays etc. etc.

To remove a dodgy .dll you can use HijackThis or Pocket KillBox, but be sure it IS a dodgy one before you do it, and make sure you unregister the dll or Windows File Protection may try to keep it. To aid removal you should use the dummy file option and then reboot, after which you can clean up any remaining mess.

Process manager from Sysinternals can be used to spot processes with the dodgy dll if needs be, but it is very unusual to have to go that far (and a royal pain in the ass). If you are going to try STM then be warned that it will highlight lots of legitimate programs as well as possibly dodgy ones.

If you need help then post a HijackThis log and I will look at it for you, but the quickest and most likely to succeed method is to download MWAV.exe from MWTI.net and run it; if it finds anything, post back and I will tell you a secret.
;-)
Copyright © Techzonez 2002-2009