"upspiral" spyware!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pip_finn, May 6, 2005.

  1. pip_finn

    pip_finn Private E-2

    Does anyone have any info on this and how to remove it?

    When I go to google.com and type in a search phrase and hit enter, the first two results always refer to upspiral.com and redzip.com.

    They are some type of keyword based search results pages, and appear after google has listed its results. For example, when you hit the search button from the google front page, the normal search results come up (you see it for a split second), and then they get pushed down two spots to be replaced by links to upspiral.com and redzip.com.

    There is very little info available on this on the internet. Somehow, the originators have done keyword stuffing on dozens of websites, and when you do a search for the string "upspiral" on google, "Upspiral.com is an excellent search tool" keeps showing in all results. Try this yourself, and you'll see what I mean.

    I have thoroughly followed http://forums.majorgeeks.com/showthread.php?t=35407P32h2r4, but this thing is not going away.

    Appreciate any help I can get.
     
  2. pip_finn

    pip_finn Private E-2

    No one heard of this upspiral issue?

    It happens on the infected pc. When I go to google.com on my web browser and type in a search string and hit enter, the top two results show upspiral.com and redzip.com.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. pip_finn

    pip_finn Private E-2

    Here's the log.

    Also, I've run popup cleaners on my laptop, but still keep getting popups while browsing. Can you see anything in the logfile for popup pgms?

    Thanks a lot for your help!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\bzb35ul.exe
    C:\WINDOWS\System32\bzb35ul.exe
    C:\WINDOWS\System32\bzb35ul.exe
    C:\WINDOWS\System32\bzb35ul.exe
    C:\WINDOWS\System32\mtxoci.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\08rft5.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\RunOnce: [dwfiwb8.exe] C:\WINDOWS\System32\dwfiwb8.exe /k
    O4 - HKCU\..\Run: [mtxoci] C:\WINDOWS\System32\mtxoci.exe
    O4 - HKCU\..\RunOnce: [dwfiwb8.exe] C:\WINDOWS\System32\dwfiwb8.exe /k

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\08rft5.dll
    C:\WINDOWS\System32\bzb35ul.exe
    C:\WINDOWS\System32\mtxoci.exe
    C:\WINDOWS\System32\dwfiwb8.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
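    As an added example (not part of the thread, and not HijackThis code), a small Python parser for the O2 (BHO) and O4 (autorun) log lines quoted in the post above: it separates orphaned BHO registrations (a CLSID whose DLL is already "(no file)") from entries that still point at a file on disk, and returns a deduplicated list of those files so they can be looked at before anything is killed or deleted. The sample lines are copied from the post; the regexes are my own assumption about the HJT line format.

```python
import re

# Constructed sample input: the O2/O4 lines quoted in the post above.
HJT_LINES = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\08rft5.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\RunOnce: [dwfiwb8.exe] C:\WINDOWS\System32\dwfiwb8.exe /k
O4 - HKCU\..\Run: [mtxoci] C:\WINDOWS\System32\mtxoci.exe
O4 - HKCU\..\RunOnce: [dwfiwb8.exe] C:\WINDOWS\System32\dwfiwb8.exe /k
""".strip().splitlines()

# Assumed line shapes: "O2 - BHO: <name> - {CLSID} - <path|(no file)>"
# and "O4 - <hive>\..\<Run key>: [<value name>] <command>".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt_line(line):
    """Parse one O2 or O4 line into a dict; return None for any other line type."""
    m = O2_RE.match(line)
    if m:
        path = m["path"]
        return {"type": "O2", "name": m["name"], "clsid": m["clsid"].upper(),
                "path": None if path == "(no file)" else path}
    m = O4_RE.match(line)
    if m:
        # Drop trailing switches such as "/k" so only the executable path remains.
        exe = re.split(r"\s+/", m["cmd"], maxsplit=1)[0].strip('" ')
        return {"type": "O4", "hive": m["hive"], "key": m["key"],
                "value": m["value"], "path": exe}
    return None


def triage(lines):
    """Return (orphaned BHO CLSIDs, unique on-disk files to inspect) for a list of HJT lines."""
    orphaned, files = [], {}
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        if entry["type"] == "O2" and entry["path"] is None:
            orphaned.append(entry["clsid"])       # registry entry with no DLL behind it
        elif entry["path"]:
            files.setdefault(entry["path"].lower(), entry["path"])  # case-insensitive dedup
    return orphaned, sorted(files.values(), key=str.lower)


if __name__ == "__main__":
    orphaned, files = triage(HJT_LINES)
    print("orphaned BHO CLSIDs:", orphaned)
    print("files to inspect:", files)
```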
  6. pip_finn

    pip_finn Private E-2

    Done. The upspiral and redzip thing is no longer happening on Google search.

    A log file is attached. There's also a mtxoci.dll file in system32 folder, does it serve any purpose or should it be deleted too?

    Thanks again for all your help!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean now. I would like to get some more info on the mtxoci.dll file. Locate it again using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

    You should follow the steps in the below link to help keep you clean. The first step in that link is Microsoft Update:

    How to Protect yourself from malware!
     
  8. pip_finn

    pip_finn Private E-2

    There is a version tab on the mtxoci.dll file. Values:
    Company: Microsoft
    File ver: 2001.12.4414.42
    Internal name: MTxOCI.DLL
    Lang: English (US)
    Legal trademarks: Microsoft legal jargon
    Product name: COM Services
    Product ver: 03.01.00.4414

    Let me know if you need anything else. Thx.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That file is okay! It is a valid Windows DLL.
     
  10. pip_finn

    pip_finn Private E-2

    Interestingly, after I installed the XP patches as outlined on the Malware prevention page, now I've got sasser on my computer.
     
  11. pip_finn

    pip_finn Private E-2

    Been a frustrating three hours.

    Everything was working fine until around 7 EST, and then another wave: aurora pop up thing, all kinds of automatic tool bars and search help web pages being installed, Task Manager disappearing thing.

    Cleaned it all up thru Ad-Aware (over 210 critical objects found), but now I've got Sasser (NT System Shutdown) on the computer. I downloaded and ran a fix, but it's not helping.

    Interestingly, Sasser popped up a minute after I installed XP patches as outlined on the MajorGeeks Malware Prevention page.

    Just realized that Sasser is happening when I run Ad-Aware. Let me run Ad-Aware again, and see if the shutdown window comes back.

    One more thing - can you recommend a good popup blocker? I'm still getting a lot of popups. They are the same half a dozen ads rotating over and over.

    Thanks.
     
  12. pip_finn

    pip_finn Private E-2

    One question about popups: are they being generated by a malicious program on the local computer, or being bombarded from outside? How come I used to hardly get any popups, and since about the last week, the frequency has increased dramatically?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a new HJT log.

    If you truly have a Sasser worm, you did not get it from doing the updates. You got it because you were not updated, and in the process of trying to get updated the worm found your PC on the internet. This also happens with the Blaster worm. In fact I have seen brand new PCs (right out of the box) get infected within 1 minute of connecting to the internet because they did not have all the security patches.
     
  14. pip_finn

    pip_finn Private E-2

    The popups were being caused by entries in the registry itself. It's all cleaned up. Things are calm now.

    All this spyware and malware infection and cleanup activity somehow corrupted the socket stack on my laptop. Couldn't connect to the Internet anymore. Had to fix the socket stuff manually.

    Thanks again for all your help, chaslang! It's much appreciated.

    ps If you are in touch with the Ad-Aware SE developers/support, here's a feature suggestion that can come in handy:
    1) Perhaps I missed it, but when you check the items you want fixed, you have to check each one individually. Options for "Check All" and "Uncheck All" would be nice. I had over 210 entries, and had to check them all manually.

    2) The box where the entries to fix are displayed is a fixed size. It's very small. The box could be bigger or the window resizable.

    Just a coupla suggestions. Do the folks take online donations? I wouldn't mind making a contribution. Thx.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If your LSP was broken, HijackThis can typically show it and LSP-Fix can fix it. Also there is a WinXPSockFIx program available too.

    Ad-Aware SE already has that feature. Just right click in the window that lists all the objects and you will see that option along with others. The window is resizeable too.

    We do not take donations but you can send a thank you to the owners for sponsoring this site (see: http://www.majorgeeks.com/page.php?id=2) and you could buy a Majorgeeks shirt (see http://www.jinx.com/scripts/products.asp?affid=30). Also send your friends this way.
     