ResellerRatings Forums > Tech Support
Old 10-22-2003, 07:21 AM   #1
JPLavalley (Registered User, joined Oct 2003, 2 posts):
Pop Up Ads from nowhere

My boss's laptop (XP Pro) was infected with some form of adware/worm. We managed to fix the problem manually so I thought I'd share our experience in case it helps someone else.
Wish I'd seen some of the other threads on this that mention using THE CLEANER to fix similar problems..

Symptoms:
IE windows would pop up with ads, even after reboot with no other applications started. There was one small iexplore.exe in the process list, that seemed to spawn others. Using Google's popup blocker prevented most of the ads, but a few would get through (and block count would increase). iexplore.exe would automatically respawn after we killed it, usually in about 60 seconds.

Problem Source:
We eventually traced the source of the problem to several .exe files (named with random characters and random length) in the system32 directory. We were able to match 2 of these files with entries in the RUN key of the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). After each reboot the key would change and new files would appear in the system32 directory. There were always 2 of these processes running. The .exes were all either 420k or 216k (one of each size was always running).
We have been unable to determine how these files were originally installed.

Attempted Resolution:
We installed SpyBot and Ad-Ware and updated Norton AntiVirus; all were updated through 10/20/03.

Resolution:
Using Task Manager we killed the two random letter .exes and the iexplore.exe processes.
Next we removed the registry keys (after disabling SpyBot and Adware) that pointed to the exes in system32.
Finally we deleted all the random character .exe files in the system32 directory that had been created in the past few days (all of size 420k or 216k).
Reboot and we are set.

Unresolved questions:
1. How did this start? I see references to KaZaa and other services that are not used by my boss.

2. How does this not fit the definition of "virus"?


Hopefully this will help someone else in the middle of this fight. Anyone who has information that may help me prevent this from happening again, I'd love to hear it.

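An added triage script, not from the thread or its posters, that automates the check the post above describes: Run-key entries that point at freshly created, random-looking executables in System32, cross-referenced with the processes currently running from them. It assumes a modern Windows with PowerShell 5 or later, run as Administrator; the 420 KB / 216 KB sizes and the recent-creation window are taken from the post and are heuristics only.

```powershell
# Added example: Run-key triage for the pattern described in the post.
# Not the thread's own tooling. Assumes PowerShell 5+ on Windows, run as
# Administrator so every process path is readable. Sizes and the creation
# window are heuristics taken from the post, not a malware signature.

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$sys32  = Join-Path $env:SystemRoot 'System32'
$cutoff = (Get-Date).AddDays(-7)          # "created in the past few days"
$sizes  = @(420KB, 216KB)                 # sizes reported in the post

# Map lower-cased executable path -> PIDs currently running from it,
# so an entry can be tied to a live process (the OP killed these first).
$running = @{}
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $p = $_.Path.ToLowerInvariant()
    if (-not $running.ContainsKey($p)) { $running[$p] = @() }
    $running[$p] += $_.Id
}

$entries = Get-ItemProperty -Path $runKey
foreach ($prop in $entries.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, ...
    $cmd = [string]$prop.Value
    # Extract the executable from the command line, quoted or bare.
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) { continue }

    $file    = Get-Item -LiteralPath $exe
    $inSys32 = $file.DirectoryName -eq $sys32
    $recent  = $file.CreationTime -gt $cutoff
    # Allow a few KB of slack: the post gives rounded sizes.
    $sizeHit = [bool]($sizes | Where-Object { [math]::Abs($file.Length - $_) -le 4KB })
    # Crude "random name" heuristic: 6+ alphanumerics containing no vowels.
    $oddName = $file.BaseName -match '^[A-Za-z0-9]{6,}$' -and $file.BaseName -notmatch '[aeiouAEIOU]'

    if ($inSys32 -and ($recent -or $sizeHit -or $oddName)) {
        [pscustomobject]@{
            RunValue   = $prop.Name
            Executable = $exe
            Created    = $file.CreationTime
            SizeBytes  = $file.Length
            Signature  = (Get-AuthenticodeSignature -FilePath $exe).Status
            RunningPID = ($running[$exe.ToLowerInvariant()] -join ',')
        }
    }
}
```

Entries that show a NotSigned signature, a live PID and a creation time within the last few days match what the post describes killing and removing; verify each one by hand before deleting anything, since legitimate software also registers Run entries.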
Old 10-23-2003, 08:56 PM   #2
fatal xception (Registered User, joined Dec 2001, Wwwwaconia, MMMinnesota, 831 posts):
Opera

Downloaded it, haven't seen a pop up again.
__________________
I'm the reson they invented spell check.

"It's always darkest just before it goes pitch black." despair.com
Old 10-23-2003, 09:03 PM   #3
lost-and-found (Registered User, joined Oct 2001, So. Californication, 1,659 posts):
Quote:
1. How did this start? I see references to KaZaa and other services that are not used by my boss.

2. How does this not fit the definition of "virus"?
Internet Explorer has many holes to let stuff like that through. Let's say that you go to a web site, and the web site runs an ActiveX control (a small script) that installs the little spyware program on your computer (yes, IE holes do just that). That's how it might have started....or Kazaa, or any other program from Microsoft....Outlook, etc.

2. I think a virus by definition is destructive, and all spyware/adware does is pop up advertisements...so from a legal POV this is not a virus. Of course personally I do consider anything that runs without your permission a virus....but this is just a non-destructive type of a virus.
__________________
To fry or not to fry...oh what the heck, let it fry :)
Old 10-23-2003, 09:04 PM   #4
The Real Bingo (Registered User, joined Aug 2003, Southampton, PA, 810 posts):
www.google.com/toolbar Kick ass add-on to IE, blocks virtually every pop up.
__________________
FESTIVUS FOR THE REST OF US!
Old 10-24-2003, 07:03 AM   #5
JPLavalley (Registered User, joined Oct 2003, 2 posts):
Google Toolbar

The Google toolbar (which does rock) stopped most of the popups, but the processes still ran consuming system resources.
Old 10-24-2003, 12:31 PM   #6
lost-and-found (Registered User, joined Oct 2001, So. Californication, 1,659 posts):
See, but in this case the Google toolbar might actually hurt you. What it does is hide the symptoms, like pain medication, but it doesn't fix the problem. Those pop up programs might have been sending back information to their creators, whether it be personal info or not. If you had the Google toolbar blocking the popups they would still probably keep on sending info to their hosts, you just wouldn't be bothered by their physical presence.
__________________
To fry or not to fry...oh what the heck, let it fry :)
All times are GMT -6.