Game load provokes adware/spyware pop-ups??

Y

yangsta

Guest
Every hl2 based game I play online, after each game loads, I get a pop-up ad from some hidden spyware crap in my computer almost everytime. Now I am very aware that my computer has adware/spyware hiding around and never seeming to die off like weeds. The thing is.. THIS ONLY happens with hl2 based games. Any other game ex. bf2/joint ops/blizzard games/doom3/splintercels/ ect ect ect.. this NEVER accures. Yes, I try syp bot and adaware and all the other jazzz.. but I can;t get rid of this problem. I notice that internet explorer runs in the background and keeps reloading after I end the process which is prolly a dead give away to some spyware crap. I've been using firefox for sometime now and the "leftovers" from internet explorer is killing me.. namely the spyware.

Any help? Any1 experiance similar problems?
 
Did you get a trojan?
(People will say, 'Oh download this, it will blablabla' which then it also puts spyware\adware on your computer).

Did you try running microsofts own anti-spyware\adware program?
 
the_lone_wolf said:
http://216.180.233.162/~merijn/files/HijackThis.exe

run a steam game and quit it, but don't end any processes other than the game itself, then run the above process and post the results back here, you can export the results as a text file, copy and paste it into the reply box:)
Click to expand...

Logfile of HijackThis v1.99.1
Scan saved at 1:45:19 PM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Documents and Settings\D2 Account.BRIANS-COMPUTER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eeicdfvsswgeeqi.uk/3371DvFvX1ZLvDHzk8HTQ/PF1yQrze7FA0JqARsmYP2fwxAziJB1d98KqfWoL2nc.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {BC5A7628-56B7-F225-501B-BE41B3936B14} - C:\DOCUME~1\D2ACCO~1.BRI\APPLIC~1\SETTIN~1\flag peak.exe
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\SZIEBHO.dll
O2 - BHO: (no name) - {E799838E-CB69-F67D-0622-A5A77746F3D8} - C:\DOCUME~1\D2ACCO~1.BRI\APPLIC~1\SETTIN~1\flag peak.exe
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O3 - Toolbar: V3 - {9E3849D6-41EF-4B2F-86B7-632EF90758E4} - C:\Program Files\Ahnlab\V3\V3Bar.dll
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Taskmon driver] Taskmon.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /T
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /S
O4 - HKLM\..\Run: [Deaf warn active part] C:\Documents and Settings\All Users\Application Data\Junk2DeafWarn\onceinternet.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [WINDOW WAY INTER PART] C:\Documents and Settings\All Users\Application Data\Hide great window way\boob support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [meow active] C:\DOCUME~1\D2ACCO~1.BRI\APPLIC~1\FRAGMA~1\loveinfoheck.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble.net/game/nmstarter/NMStarter16.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123880192109
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O20 - AppInit_DLLs: C:\DOCUME~1\D2ACCO~1\LOCALS~1\Temp\drv3.tmp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Groove Games Licensing Service - Groove Games - C:\Program Files\Common Files\Groove Games Shared\Service\ggameslicsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MonSvcNT - Ahnlab, Inc. - C:\Program Files\Ahnlab\V3\MonSvcNT.EXE
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

ok I did it, next step? :naughty:
 
hmm, you certainly have a few strange items on there:

all your running processes check out, it's when we see your IE settings that things go odd:

these ones i'm worried about, i'm not saying that they're spyware or virii but that they don't sit right with me and you ought to do some investigation:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eeicdfvsswgeeqi.uk/3371Dv...8KqfWoL2nc.asp
O2 - BHO: (no name) - {BC5A7628-56B7-F225-501B-BE41B3936B14} - C:\DOCUME~1\D2ACCO~1.BRI\APPLIC~1\SETTIN~1\flag peak.exe
O2 - BHO: (no name) - {E799838E-CB69-F67D-0622-A5A77746F3D8} -
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
Click to expand...
googling "flag peak.exe" brings up no results, which would suggest to me it;s a spoof name for a malicious program

information on "viewbar.dll" can be seen here: http://forum.iamnotageek.com/t-803415.html

you have a lot of toolbars which look like you've tried to remove them but the regitry entries are still there, they won't bother you now but it shows that you've had problems with toolbars before, the weird link for your search page also suggests to me that your browser was hijacked...

OK, moving onto processes instructed to run when you start your computer there are more problems, again these are the worrysome ones for me:
O4 - HKLM\..\Run: [Taskmon driver] Taskmon.exe
O4 - HKLM\..\Run: [Deaf warn active part] C:\Documents and Settings\All Users\Application Data\Junk2DeafWarn\onceinternet.exe
O4 - HKLM\..\Run: [WINDOW WAY INTER PART] C:\Documents and Settings\All Users\Application Data\Hide great window way\boob support.exe
O4 - HKCU\..\Run: [meow active] C:\DOCUME~1\D2ACCO~1.BRI\APPLIC~1\FRAGMA~1\loveinfoheck.exe
Click to expand...
taskmon.exe is part of the "MyDoom" Trojan (link), which is extremely worrying for me, if such a nasty thing has slipped through your security net then i don't knwo what else may have got in undetected

all the other .exe's are flagged cause they have unusual names, and are in unusual locations, they all scream malware to me, which is renforced by some of the other things on your computer.

TBH i'm over my head here, it looks like you have a MASSIVE infection problem, and in cases like this it's often easier to just save as much important data (which cannot ever be recreated) like your documents as you can to disk and format the hard drive. don't save anything like restore points or settings that could harbour traces of malware, unless they are 100% vital to you starting a new computer.

once you reinstall windows, before you connect to the net, get the best security software you can installed, at an absolute minimum you have to have a firewall and AV software, i consider my PC pretty bulletproof, i haven't had an infection for months and the last one i had was picked up as it installed and got iced. i use:

Norton AV (AVG is a free alternative - www.grisoft.com)
ZoneAlarm Firewall (free)
MS antispyware (beta, free and surprisingly effective for an MS program)
SpyBot - Search and Destroy (free)

a few other small programs i can't remember the names of now

my advice would be to format and start over, and be careful when installing new software, expecially if the source is at all questionable (downloaded via p2p or from porn sites;))

good luck:cheers:
 
You must log in or register to reply here.

Similar threads

B
Community Interviews: Tony Newton, co-creator of Redemption
Replies
0
Views
5K
Barnz
B
Emporius
Computer went POP, stopped working.
Replies
26
Views
4K
StarBob
StarBob
delusional
I hate people who make spyware.
2
Replies
43
Views
2K
FireStarter
FireStarter
Hectic Glenn
Chet on CS:GO Interview Part 1 - We won't change the rules of CS
Replies
17
Views
5K
DEATHMASTER
DEATHMASTER
Saturos
Suspected spyware pop-ups/URLs on mom's favorite site
Replies
16
Views
2K
No Limit
No Limit
Back
Top