Author Topic: Websites trigger installation wizard  (Read 524 times)

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Websites trigger installation wizard
« on: November 15, 2005, 11:58:28 PM »
Perhaps this is a better place to ask this.
In the O'Club someone posted a link for "snopes" and when I clicked on it
and the website came up, the "Microsoft Office for Small Business 2000" installation wizard popped up.

This happens every now and again when I click on a link to a site.
Not every site, just some.

Why would it do this?
And I don't even own that software.
Death is no easy answer
For those who wish to know
Ask those who have been before you
What fate the future holds
It ain't pretty

Offline ALF

  • Silver Member
  • ****
  • Posts: 1208
      • http://www.mikethinks.com
Websites trigger installation wizard
« Reply #1 on: November 16, 2005, 10:36:23 PM »
I've got a few ideas...

Spyware, Virus, Trojan, Sony CD...err I mean Rootkit

If you get similar popups from multiple different sites, your arse is infected....stay away

Offline Estes

  • Gold Member
  • *****
  • Posts: 3647
Re: Websites trigger installation wizard
« Reply #2 on: November 16, 2005, 11:15:52 PM »
Quote
Originally posted by DREDIOCK
Perhaps this is a better place to ask this.
In the O'Club someone posted a link for "snopes" and when I clicked on it
and the website came up, the "Microsoft Office for Small Business 2000" installation wizard popped up.

This happens every now and again when I click on a link to a site.
Not every site, just some.

Why would it do this?
And I don't even own that software.


What internet browser are you using? I've never had it happen on my computer (Mozilla Firefox and Windows XP), but I have had that happen on an older Windows 98 computer I used once; it only had Internet Explorer on it. Mind you, it was a different program that it was mentioning in the pop-up, and it was a different website. But it may be related.

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Re: Re: Websites trigger installation wizard
« Reply #3 on: November 17, 2005, 09:05:29 AM »
Quote
Originally posted by Estes
What internet browser are you using? I've never had it happen on my computer (Mozilla Firefox and Windows XP), but I have had that happen on an older Windows 98 computer I used once; it only had Internet Explorer on it. Mind you, it was a different program that it was mentioning in the pop-up, and it was a different website. But it may be related.


Actually, now that you mention it, I just double-checked and it only does it when I'm using AOHELL (which uses Internet Explorer), not with Firefox.

But even then with IE it only does it occasionally and not all sites.

System scans are showing me clean of viruses, trojans, etc., as that was my first thought and the first thing I checked for.

Offline Estes

  • Gold Member
  • *****
  • Posts: 3647
Websites trigger installation wizard
« Reply #4 on: November 17, 2005, 11:57:24 AM »
In that case, it may have something to do with your security settings. Might double check those.

For what it's worth, if at all possible stop using AOL's browser and Internet Explorer.

Offline Roscoroo

  • Plutonium Member
  • *******
  • Posts: 8424
      • http://www.roscoroo.com/
Websites trigger installation wizard
« Reply #5 on: November 17, 2005, 11:58:00 AM »
Do an Ad-Aware/AV scan ... but to kill it you're gonna have to use "Hijack This".

AOLhell / AIM has tons of virus-type BS CRAP in it and gets exploited all the time.

Mrs Roo tried to got a bug from AIM/AOL websites the other day ... same thing as you got. All because her game buddies gotta chat on AIM ...
Roscoroo ,
"Of course at Uncle Teds restaurant , you have the option to shoot them yourself"  Ted Nugent
(=Ghosts=Scenariroo's  Patch donation

Offline Estes

  • Gold Member
  • *****
  • Posts: 3647
Websites trigger installation wizard
« Reply #6 on: November 17, 2005, 12:06:11 PM »
Quote
Originally posted by Roscoroo
Do an Ad-Aware/AV scan ... but to kill it you're gonna have to use "Hijack This".

AOLhell / AIM has tons of virus-type BS CRAP in it and gets exploited all the time.

Mrs Roo tried to got a bug from AIM/AOL websites the other day ... same thing as you got. All because her game buddies gotta chat on AIM ...


Which reminds me, get rid of Yahoo, AIM, MSN, all that crap. Get Trillian, even if just the basic version. Not only is it completely spyware clean, it's also a lot handier (one program running instead of 3).

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Websites trigger installation wizard
« Reply #7 on: November 17, 2005, 07:06:53 PM »
Quote
Originally posted by Estes
In that case, it may have something to do with your security settings. Might double check those.

For what it's worth, if at all possible stop using AOL's browser and Internet Explorer.


I usually don't use AOL's browser to browse. But occasionally I get lazy, or I am in an IM on AOL and don't feel like minimizing AOL to open Firefox and going back and forth.

I am currently in an email discussion with an AOL tech to see if I can substitute AOL's browser for Firefox altogether.
I know you used to be able to do it with Netscape.
But that was many moons ago.

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Websites trigger installation wizard
« Reply #8 on: November 17, 2005, 07:08:31 PM »
Quote
Originally posted by Roscoroo
Do an Ad-Aware/AV scan


I did all that already and it comes up clean, unless it's missing something.

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Websites trigger installation wizard
« Reply #9 on: November 17, 2005, 07:24:45 PM »
Quote
Originally posted by Roscoroo
"Hijack This"



Is that this software?

http://anti-hijack.net/download/

Offline Estes

  • Gold Member
  • *****
  • Posts: 3647
Websites trigger installation wizard
« Reply #10 on: November 17, 2005, 08:16:48 PM »

Offline Roscoroo

  • Plutonium Member
  • *******
  • Posts: 8424
      • http://www.roscoroo.com/
Websites trigger installation wizard
« Reply #11 on: November 18, 2005, 02:45:39 AM »
Hijack This is a super heavy-duty registry/run process scan program that can delete anything, so be careful what ya get rid of ... ya can post the log from it here and we'll go through it and tell ya what's what ...

Offline JB66

  • Copper Member
  • **
  • Posts: 283
      • http://members.fortunecity.com/ssbranni
Websites trigger installation wizard
« Reply #12 on: November 19, 2005, 07:47:51 AM »
I've had this happen to me also...I finally gave in and put my Office CD in. I just started a new job with a brand new computer and a very secure setup (hardware firewall, personal firewall, MS antispy, and Norton Corporate AV software, among other things that I'm not told about such as IP tracking and reporting).

When I go on this site at work, the Office CD thing pops up. The site is a local news site, http://www.wset.com . There are others also, but I can't remember any of them.

I'm guessing that it's just poor code written by the website designer.

Oh yeah, they like to use pop-up ads, nothing vicious, but annoying, so it could possibly be tied into that.

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Websites trigger installation wizard
« Reply #13 on: November 20, 2005, 11:39:30 PM »
OK, here's the log from my scan.
Some stuff is obvious to me what it is, or what it's from. Others...
I'm clueless LOL

Logfile of HijackThis v1.99.1
Scan saved at 12:34:59 AM, on 11/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Common Files\AOL\1127545706\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1127545706\ee\AOLServiceHost.exe
C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\program files\common files\aol\1127545706\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1127545706\ee\AOLServiceHost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Aces\Hijack this\New Folder (2)\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jpwqp.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jpwqp.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jpwqp.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {464EFEE1-E766-B599-42B5-E965691213DD} - blank (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127545706\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093784876711
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O21 - SSODL: System - {2800C20A-95E5-4738-A30B-44EF6E00A656} - C:\WINDOWS\system32\system32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pure Networks Router Manager (pnrouter) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Offline Estes

  • Gold Member
  • *****
  • Posts: 3647
Websites trigger installation wizard
« Reply #14 on: November 21, 2005, 01:31:58 AM »
Alright, it's late and just a quick skim through. But this bit here caught my eye.


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jpwqp.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jpwqp.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jpwqp.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

Looks like some kind of browser hijack. Might want to wait until someone else chimes in, but that's what it looks like to me. Specifically, looks like 180 search assistant.

Have you run spyware scans? What programs? Use Spybot Search and Destroy, and Ad-Aware. And make sure they are up to date.
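
The kind of skim described in the reply above, written out as an added example (not part of the original thread and not HijackThis's own logic): it parses HijackThis-style entries and flags R0/R1 Internet Explorer settings whose value is a `res://` page inside a DLL. Flagging `(file missing)` entries is an extra heuristic assumed here, and the sample lines are copied from the log posted earlier in the thread.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jpwqp.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jpwqp.dll/sp.html#12802
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {464EFEE1-E766-B599-42B5-E965691213DD} - blank (file missing)
O21 - SSODL: System - {2800C20A-95E5-4738-A30B-44EF6E00A656} - C:\WINDOWS\system32\system32.dll (file missing)
"""

# Entry prefix as it appears in the log: section code, " - ", then the detail.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A setting whose value is res://<path>.dll/<resource>, i.e. a page served
# from inside a DLL on the local disk.
RES_DLL = re.compile(r"=\s*res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)


def review(log_text):
    """Return (code, reason, line) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process path, or blank line
        code, body = m.group("code"), m.group("body")
        res = RES_DLL.search(body)
        if code in ("R0", "R1") and res:
            # The pattern pointed out in the reply: IE start/search settings
            # redirected to a page embedded in a DLL.
            reason = "IE page/search setting points into " + res.group("dll")
            findings.append((code, reason, line))
        elif body.endswith("(file missing)"):
            # Assumed heuristic: a registration left behind for a file that
            # is no longer on disk.
            findings.append((code, "registered component, file missing", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in review(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

A flagged line is only a prompt to look the entry up before removing anything; a clean result does not show the machine is clean.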