PartyPoker Trojan/Spyware Opens New Browser Window

muskyx1

Member
Apr 20, 2005
Never installed software from those MF's at PartyPoker or joined any other online gambling sites. Despite this, some trojan/spyware keeps opening up a new browser window. When that happens, all other browser windows stop functioning properly. Text boxes in these windows stop working.

Typically what happens is, I'll be performing a web search and when I start typing something in the Yahoo search box (or any other box, like a message box or shopping search page), the text cursor vanishes. The page starts scrolling down or goes to the previous page depending on what key I push. When I put the cursor back into the text box and start typing again, the cursor vanishes again and the same thing happens.

When I look at the tabs at the bottom of the screen, like clockwork, I see partypoker.com. When I close it, things go back to normal.

Did a full system scan using AVG, Avast, Spybot, Ad-Aware and Spyware Terminator and they found nothing. Ran SDFix.exe following the instructions I found here and it failed to resolve this.

Would appreciate any help.

Here's the HijackThis log (I deliberately changed the HijackThis filename to eatme):

Logfile of HijackThis v1.99.1
Scan saved at 3:11:32 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\eatme.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=33568
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe" 1
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/wi...site.cab?1160872420623
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



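A small triage script for a HijackThis log of this vintage, added here as an example; it is not part of HijackThis and not something any poster in this thread ran. It parses the O-section entries (a subset of the log above is embedded as the sample, plus one constructed O4 line to exercise the path check) and flags the entries a reviewer looks at first: "(file missing)", "Unknown owner", an unnamed BHO, and any O4 autostart, O20 Winlogon-notify DLL or O23 service binary living outside the Windows or Program Files trees. The trusted-roots list and the constructed O4 line are assumptions made for the example.

```python
"""Triage helper for a HijackThis v1.99 log (added example, not HijackThis code).

Flags are prompts to look closer, not verdicts: in the thread's own log the two
avast services carry "(file missing)" even though their processes are running.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One HijackThis entry: a section code (R0/R1, F*, O1..O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# First drive-letter path ending in .exe or .dll, with or without surrounding quotes.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll))\b", re.IGNORECASE)
# Assumption for this example: where a stock XP box's autostarts and services live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Sample: lines copied from the log above, plus ONE constructed O4 line (marked)
# so the path check has something to fire on.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\eatme.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\Ai Booster\OverClk.exe" 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [example] "C:\Documents and Settings\User\Local Settings\Temp\example.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
""".strip("\n")
# The "[example]" O4 line is constructed for this demo; it is not from the posted log.


@dataclass
class Entry:
    code: str
    body: str
    path: str | None
    flags: list[str] = field(default_factory=list)


def parse_entries(log_text: str) -> list[Entry]:
    """Return the R/F/O entries of a log; headers and the process list are skipped."""
    entries: list[Entry] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header line, blank line, or a bare process path
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body, pm.group(1) if pm else None))
    return entries


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach review flags to each entry and return only the flagged ones."""
    for e in entries:
        low = e.body.lower()
        if "(file missing)" in low:
            e.flags.append("file missing")
        if "unknown owner" in low:
            e.flags.append("unknown owner")
        if "(no name)" in low:
            e.flags.append("unnamed BHO")
        # Autostart, Winlogon-notify and service binaries outside the trusted roots.
        if (e.code in ("O4", "O20", "O23") and e.path
                and not e.path.lower().startswith(TRUSTED_ROOTS)):
            e.flags.append("binary outside Windows/Program Files")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_entries(SAMPLE_LOG)):
        print(f"{e.code:4} {', '.join(e.flags):45} {e.body}")
```

Run against the full log above, the script flags nothing that is not already visible to a careful eye (the unnamed Spybot BHO, the missing WRNotifier DLL, and the avast/ATI services), which is consistent with montag451's reading that the log looks clean; it is the constructed Temp-directory autostart that shows what an actual finding would look like.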
 

PurdueRy

Lifer
Nov 12, 2004
Run CWShredder; it's free for download. I recommend running it in Safe Mode so that the processes it may be running will not allow it to "regenerate" itself.
 

muskyx1

Member
Apr 20, 2005
Originally posted by: PurdueRy
Run CWShredder; it's free for download. I recommend running it in Safe Mode so that the processes it may be running will not allow it to "regenerate" itself.

Thanks for the tip; unfortunately I just ran CWShredder and it didn't detect CWS.
 

PurdueRy

Lifer
Nov 12, 2004
Originally posted by: muskyx1
Originally posted by: PurdueRy
Run CWShredder; it's free for download. I recommend running it in Safe Mode so that the processes it may be running will not allow it to "regenerate" itself.

Thanks for the tip; unfortunately I just ran CWShredder and it didn't detect CWS.

Try a program called "A-squared"; it occasionally catches things the others don't.
 

muskyx1

Member
Apr 20, 2005
Originally posted by: montag451
Log seems fine

apart from 'eatme' ;-)

One of the posts I read here mentioned some malware will mess up HijackThis results. Renaming the program will prevent this. So I decided to use the first word that popped into my head whenever I thought of PartyPoker.
 

montag451

Diamond Member
Dec 17, 2004
Seems ok.

Most AV products give a trial period. If I were you I'd download either Kaspersky or AVK as a trial (that's right, not AVG).
Those two give very good detection rates for viruses/worms etc.
BUT also download the Spysweeper trial; that is also a very good one, and one I was tempted to pay good money for.
 

redbeard1

Diamond Member
Dec 12, 2001
As stated previously, A-squared is a good anti-spyware program, and another I've started using is SuperAntiSpyware. You can also go to Kaspersky.com and Pandasoftware.com to run online AV scans. They may not remove it, but it will show where it is.
 

Blefuscu

Junior Member
Jul 4, 2007
The AVG and Avast! virus libraries don't seem to be the best.

http://www.av-comparatives.org...rgebnisse/report13.pdf

Maybe try Kaspersky? I haven't had spyware that I know of since I switched to it 3 years ago. As Redbeard1 mentioned, they have a free online scan. There's also a free version (with reduced features but the full virus library): http://www.activevirusshield.c...virus/freeav/index.adp

Also, if you use the Firefox browser, there's an add-on called "NoScript" which is great. It blocks all scripts from running and prevents cross-site scripting between sites. You tell it which sites you want to allow scripts on and it remembers.
 

Schadenfroh

Elite Member
Mar 8, 2003
F-Secure Online Scanner, run in Safe Mode with networking (be sure you are behind a firewall), is a nice way to check if you are infected. John pointed me to it, and it scans your PC with the following engines:

Without a doubt F-Secure has the most thorough detection since it uses multiple scan engines: AVP (Kaspersky) + Libra (modded F-Prot) + Pegasus (Norman) + Draco (Ad-Aware) + Orion (in-house heuristics) + Blacklight (in-house rootkit)
 

muskyx1

Member
Apr 20, 2005
Just a quick update: I ran A-squared and it removed a bunch of stuff. I thought it fixed the problem, but that freaking poker homepage opened another window just a few minutes ago. With it came the text box problems, forcing me to close the poker web page.

I'll download the other programs that were recommended and try them. I'll update with the results.

Thanks again for all the suggestions.
 

muskyx1

Member
Apr 20, 2005
A-squared, SuperAntiSpyware and CWShredder were all run in Safe Mode.

Spybot and Ad-Aware were re-scanned in Safe Mode last night. Both failed to detect anything.
Interesting to note: after rebooting back into normal mode, a new browser window opened up again to the PartyPoker homepage within 5 minutes of the restart.

Here's the page that the new browser window opens to:

http://www.partypoker.com/mark...ex3.htm?wm=2854590&p=1

Manually opening this page also produces the same results using Mozilla Firefox but NOT Windows IE.