Last night I found on a P2P network an exe file that was supposed to be a screensaver. Well…yes I did double click! It gave me a usual “do you want to proceed with the installation?” window and I said yes! Well… that was it! It finished the installation, but I could not find any new screen saver on the control panel or anywhere else. Weird isn’t it?

Now, I downloaded a trial version of Ashampoo Uninstaller Platinum to see the changes the installation made to my system. I installed Ashampoo and ran the “screensaver” installer again. This time I noticed that somewhere in the text of the terms and conditions a company named “ADVERTISMEN.COM” appeared. Tried to google it but wasn’t lucky. I also did a DNS lookup of the URL and found out that the domain name was registered on the 5th of April of 2006. Is it a new spyware?

Well, after the installation was finished, Ashampoo generated a log file, which showed that the install.exe had installed two files in the windows/system32 folder. The files were called pushow67.dll and pushow55.dll. I used DLL Export Viewer to find out that they exposed one interface called “Uninstall”. It also created a registry key under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ called “UninstallString” with value: rundll32.exe C:\WINNT\system32\pushow55.dll Uninstall

It also created another key under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows called AppInit_DLLs. The value was pushow55.dll.

All this is weird! I deleted the files and the registry entries, ran Ad-Aware and Spybot and they didn’t find anything. Finally I logged in to my online banking system (didn’t enter my real credentials though) while running Ethereal. After inspecting the packets I didn’t find anything alarming.

Well… I am not sure if it is a new spyware, Trojan or something, but I know I should have thought twice before running that bloody exe file. Now I just hope I have cleaned my system from whatever it was!
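
As an added example (not part of the original post): a small Python triage over a registry export in `.reg` text format that flags the two traces described above, a non-empty AppInit_DLLs value and an UninstallString that launches a DLL through rundll32. The sample export is constructed from the values quoted in the post and comments; the `ExampleApp` entry and all function names are hypothetical.

```python
import re

# Constructed sample in regedit export format, built from the values quoted in the post.
# Real exports are usually UTF-16: read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="pushow55.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\advertismen]
"UninstallString"="rundll32.exe C:\\WINNT\\system32\\pushow55.dll Uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp]
"UninstallString"="C:\\Program Files\\ExampleApp\\uninstall.exe"
'''

APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
UNINSTALL_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall" + "\\"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # string values only
RUNDLL_RE = re.compile(r'^\s*"?(?:\S*\\)?rundll32(?:\.exe)?"?\s+(\S+\.dll)', re.I)

def unescape(s):
    """Undo the backslash escaping used inside quoted .reg strings."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_export(text):
    """Yield (key, name, value) for every quoted string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def triage(text):
    """Return (kind, dll) findings worth a manual look."""
    findings = []
    for key, name, value in parse_export(text):
        k = key.lower()
        if k == APPINIT_KEY and name.lower() == "appinit_dlls" and value.strip():
            # AppInit_DLLs is a space- or comma-separated list of DLL names
            findings.extend(("appinit", d) for d in re.split(r"[ ,]+", value.strip()))
        elif k.startswith(UNINSTALL_KEY) and name.lower() == "uninstallstring":
            m = RUNDLL_RE.match(value)
            if m:  # uninstaller implemented as a DLL export, as in the post
                findings.append(("rundll32-uninstall", m.group(1)))
    return findings

if __name__ == "__main__":
    for kind, dll in triage(SAMPLE_EXPORT):
        print(f"{kind:20} {dll}")
```

A finding is a prompt to inspect the named DLL, not a verdict: a rundll32-based uninstaller can also belong to legitimate software.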

21 thoughts on “Weird files (advertismen.com and pushowXX.dll)”

  1. Froggy Legs said…

    Hi,

    Finally found someone with the same problem and more, with a glimpse of solution 🙂

    Got the same problem, but the installation did not warn me of anything; I was alarmed by my firewall, which announced explorer.exe was trying to reach advertismen.com…

    The filename differs, however: pushow8.dll, and it is the only one on my computer…
    I have executed the rundll command in order to uninstall it properly and it did delete the registry entry… but not the dll file.

    Having rebooted the system, no more warnings from the firewall…
    And Firefox copy-paste worked again… I guess the bastard was stealing the keyboard values and sending them to the website… I hope it did not reveal any sensitive information… (I believe all outgoing connections were blocked but… who knows)

    Thanks for your comment on your blog! I would not have found it otherwise…

    Sincerely,
    WCC

  2. Thanks for the information Kyriakos!

    I found the same thing you did. In my system 32 file it read pushow11.dll but when I did a search for “pushow” in regedit I found a few entries of pushow67.dll and pushow11.dll. I deleted them and I’m hoping nothing further happens. Like you I could not find any information about ADVERTISMEN.COM and I am so glad that you posted this.

    Thanks again,

    MV

  3. Hi froggy legs,

    Thank you for your comment. It is good to know that I am not the only (maybe first?) one who had the same problem.

    I am not sure if what I described is actually a “solution”. I just hope the procedure I followed has removed it, as just like in your case ZoneAlarm does not complain any more. In fact I should have run Ethereal before I uninstalled the dll to see what this bastard was after.

    I just know that today I had 30 hits on the blog and all of them came from google with “advertismen.com” and “spyware” as keywords.

    I have sent the file to Lavasoft and hopefully they will find out what this install.exe is about.

    Cheers,
    Cyrus

  4. I came across the same install, installed it and immediately knew something was wrong.
    I read the user agreement to find advertisemen.com; I started a search on Google and came to your blog. Great info, thanks

    Jai

  5. Oh man, thank you for the info. The occasional inoffensive ads were driving me nuts!

    It goes to show that you MUST read everything in an installer, especially ones from P2P networks.

  6. hi to all who had the same problem 🙂

    this happened to me too, 2 weeks ago. i installed a small program which was supposed
    to be an access-exe to Jamie Oliver’s database of receipts.

    after a reboot i wondered why my explorer asked for a connection to “advertismen.com”
    and i told my firewall to block any connection to that site.
    like in other comments above, i didn’t find anything installed,
    but ran my antivirus and ad aware, they did NOT find anything.
    the same weekend i updated Mozilla Firefox, and since then, i wasn’t able to copy and paste anymore.
    i de-installed, reinstalled, went back to the old version – nothing helped.
    until yesterday ..
    after updating my antivirus scanner avast!, it alarmed me that there’s a trojan
    on my pc: the “pushow67.dll” in folder system32. so i googled it, and the only link that
    showed up was THIS page. after reading all your comments, i just had to remove that mal dll,
    and the entry in the registry.
    YAY, so NOW, finally my copy-paste-function in Firefox works again.

    THANKS guys for your helpful comments!!

    cheers from Germany,

    gubble

  7. The exact same thing happened to me! Adaware and Microsoft Defender don’t find it, but it is DEFINITELY malware! Did deleting the files fix it? I am going to do that. I am glad I found your site.

  8. Thank you all for your comments. I am very happy that my post helped some people.

    UPDATE: After AVG antivirus downloaded the latest definitions today, it recognises the Trojan installation program as Trojan horse “Clicker.CAH”. I don’t know if it works for all pushow*.dll files or if it is able to clean them, but at least no more people should be infected by the Trojan.

  9. oh guys…

    this is a simple adware
    you could deinstall by using
    the software control panel
    for adding/removing applications

  10. Great post. I wish I had found this earlier, but rather I found the same fix in one of the firefox forums.

    Either way, it’s VERY helpful. And I did try the uninstall, but it didn’t do anything as the advertisements were still coming in.

    Odd thing was, I couldn’t rename or delete the pushowxx.dll file on my machine. I had to pop in the XP CD and go to the recovery console to manually delete it.

  11. Hi, thank you for your information, and sorry for my bad English

    I didn’t find any other information

    but I’m sure that the pushow*.dll uses, or does something with, ole32.dll, OLEAUT32.dll, shell32.dll, user32.dll, xernel32.dll, advapi32.dll, shlwapi.dll, wininet.dll, psapi.dll, olepro32.dll, gdi32.dll, hook1.dll
    they are Microsoft DLLs

    I’m sure that this dll tries to make internet connections, but BitDefender doesn’t find anything.

    advertismen is in my add/remove panel but the system just reboots when I try to remove it, and doesn’t remove anything.

    I’ll follow your search

  12. I had the little bastard too… I got it a week ago on a p2p network with the download of the files: “serissa foetida 08”, “bonsai ita 08”, “bonsai 44”.
    I’ve also noticed that the dll disables copy/paste in Firefox.
    After updating my antivirus Avira AntiVir PersonalEdition Classic, it alarmed me that there’s a trojan: the Trojan horse TR/Click.Agent.HI

    THANK YOU Kyriakos Anastasakis and THANK YOU guys 🙂

    cheers from Italy

  13. Thanks for all guys.
    I met the same situation. The laptop restarted when I chose uninstall in the program manager.
    I hate the software.
    But I love you all.
    Thanks again.

  14. I copied the experiences from all of you because I want to inform my friends.
    If you disagree, let me know and I will delete.
    Thanks again.

  15. Hi, thank you! It took a little while to remove pushow from my system32 folder though (mine was pushow88). Thanks again

  16. Thanks for the info
    I have found this malware advertisemen on my computer. I have found the following file on my registry pushow11.dll. Is this part of the files which make up advertismen? Should I remove this file?
    Thanks for the help

  17. Also I noted a comment about Zone Alarm. Is this the best firewall? I read somewhere that it slows the computer down. Does anyone have an opinion?
    Best,
    P.L.

  18. advertisemen

    I did find an advertismen folder with the following (3): REG_S2 one of them has an exe file with an uninstall function. Is it safe to delete the whole thing?
    This is the actual path:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentVersion\uninstall\advertismen\
    Since I am not an expert I do not want to delete anything that I do not understand.


Page last modified: 21:16 on December 22, 2007 (UTC+2)