  #1  
Old November 22nd, 2003, 07:58 PM
qwer9182 qwer9182 is offline
Member
 
Join Date: Jul 2003
Posts: 48
Question Ad for spyware opens CD-ROM drive

Hi,

I recently was browsing the web when I came across a popup advertisement that was advertising a spyware program and at the same time opened the CD-ROM drive and started Notepad with a text advertisement in it. Has anyone else seen this? I have also experienced my start page being changed silently.

I am now trying to scan and rid my system of any unauthorized programs. I am using the latest version of AVG Anti-Virus and Spybot Search & Destroy. I was unable to find any viruses or any spyware, and I had not previously agreed to install/run any scripts from within Internet Explorer.

Could this be a known security hole in Windows or Internet Explorer? This happened yesterday to myself (running Windows ME and Internet Explorer 5.5). Interestingly enough, it also happened to someone else here today, using Windows XP Home SP1 and running Norton AntiVirus.

Any information would be appreciated.
Thanks
  #2  
Old November 22nd, 2003, 09:50 PM
dammit dammit is offline
Rampant Rabbit
 
Join Date: Dec 2002
Location: New York/Paris/Milan/pie country
Age: 22
Posts: 11,532
Hi. Download 'Hijack This!'. Unzip, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.
Don't make any changes until someone checks it out.

http://www.spywareinfo.com/~merijn/files/hijackthis.zip
  #3  
Old November 23rd, 2003, 07:16 AM
qwer9182 qwer9182 is offline
Member
 
Join Date: Jul 2003
Posts: 48
Quote:
Originally Posted by dammit
Hi. Download 'Hijack This!'. Unzip, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.
Don't make any changes until someone checks it out.

http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Ugh--it happened once again! It seems to happen the first time I start my browser after I restart my computer, but it does not happen every time. I am also concerned as to why a separate computer is experiencing this same issue. Are there any known Windows or Internet Explorer security holes that may have been exploited by website scripts in order to change my homepage? Also, is it possible for a website script alone to open a CD-ROM drive and Notepad? Also, I am getting advertisements for pornography sites and this page is the only Internet window I have open.

Quote:
Logfile of HijackThis v1.97.7
Scan saved at 1:17:10 AM, on 11/23/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~1\InkWatch.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
Reply With Quote
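Added example, not part of any post in this thread and not HijackThis's own code: a small Python triage helper for a log in the layout posted in #3. It lists running processes that no O4 startup entry accounts for and the hosts that served O16 (downloaded ActiveX) controls; the sample is a constructed excerpt of lines from that log, and an item on either list is only something to look up, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a short excerpt of lines from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
"""

ENTRY = re.compile(r"^([OFRN]\d+) - (.*)$")   # section code, e.g. O4, O16
O4 = re.compile(r"^(.+?): \[(.+?)\] (.+)$")   # registry key, value name, command
O16 = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")
IMAGE = re.compile(r'^"?(.+?\.(?:exe|com|bat|tsk))', re.I)

def parse_log(text):
    """Split a log into running-process paths and entries grouped by code."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def image_name(command):
    """Lower-cased file name of the program a path or command line starts."""
    m = IMAGE.match(command)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else command.lower()

def triage(text):
    """Return (processes with no O4 autorun, hosts that served O16 controls)."""
    processes, entries = parse_log(text)
    started = {image_name(m.group(3)) for m in map(O4.match, entries["O4"]) if m}
    unexplained = [p for p in processes if image_name(p) not in started]
    urls = [m.group(3) for m in map(O16.match, entries["O16"]) if m]
    hosts = sorted({re.sub(r"^\w+://([^/]+).*", r"\1", u) for u in urls})
    return unexplained, hosts
```

On the sample, the processes left over are the Windows shell and HijackThis itself, which are started by the system and by the user rather than by a Run key.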
  #4  
Old November 23rd, 2003, 12:12 PM
Steven.Bentley Steven.Bentley is offline
CTH Subscriber
 
Join Date: Nov 2000
Location: West Yorkshire, UK
Age: 45
Posts: 3,840
The CD opening is an ActiveX control; if you reset your security options in Tools > Internet Options > Security to prompt before running ActiveX, you can avoid that one.

The Notepad thing can be done through ActiveX, so increasing the security may well prevent that as well.
  #5  
Old November 23rd, 2003, 05:25 PM
qwer9182 qwer9182 is offline
Member
 
Join Date: Jul 2003
Posts: 48
Since my browser settings were set to 'custom' after I had recently re-imaged my hard drive from the PC manufacturer's restore CDs, I changed the security to the 'default' level for the zone (which is medium), the level of security that I am used to working with. If I continue to encounter problems I'll fine-tune the settings by lowering the permissions granted to sites. If things continue I'll also post back here. So, after looking at my Hijack This report, do you agree that there are no unauthorized processes running on my computer?
  #6  
Old November 25th, 2003, 03:28 AM
Junky Junky is offline
CTH Subscriber
 
Join Date: Oct 2000
Location: Oregon, USA
Posts: 3,708
This happened on one of my computers yesterday. I don't know how, but the "home page" URL was changed in Explorer so that when it was first opened, it would go to a certain web site and that's when the CD would open and the ad would pop up. I simply changed the "home page" URL to "blank" and there have been no more problems. *shrug* I'm also gonna up the security level.
  #7  
Old November 25th, 2003, 05:49 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
There is a new variant of CoolWebSearch that overwrites Notepad with its own version. Just to be on the safe side, go here and download and run CWShredder. Reboot afterwards and let us know if anything was found.