Last night I found on a P2P network an exe file that was supposed to be a screensaver. Well…yes I did double click! It gave me a usual “do you want to proceed with the installation?” window and I said yes! Well… that was it! It finished the installation, but I could not find any new screen saver on the control panel or anywhere else. Weird isn’t it?
Now, I downloaded a trial version of Ashampoo Uninstaller Platinum to see the changes the installation made to my system. I installed Ashampoo and ran the “screensaver” installer again. This time I noticed that somewhere in the text of the terms and conditions a company named “ADVERTISMEN.COM” appeared. Tried to google it but wasn’t lucky. I also did a DNS lookup of the URL and found out that the domain name was registered on the 5th of April of 2006. Is it a new spyware?
Well, after the installation was finished, Ashampoo generated a log file, which showed that the install.exe had installed two files in the windows/system32 folder. The files were called pushow67.dll and pushow55.dll. I used DLL Export Viewer to find out that they exposed one interface called “Uninstall”. It also created a registry key under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ called “UninstallString” with value: rundll32.exe C:\WINNT\system32\pushow55.dll Uninstall
It also created another key under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows called AppInit_DLLs. The value was pushow55.dll.
All this is weird! I deleted the files and the registry entries, ran Ad-Aware and Spybot and they didn’t find anything. Finally I logged in to my online banking system (didn’t enter my real credentials though) while running Ethereal. After inspecting the packets I didn’t find anything alarming.
Well… I am not sure if it is a new spyware, Trojan or something, but I know I should have thought twice before running that bloody exe file. Now I just hope I have cleaned my system from whatever it was!
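A read-only check of the two registry locations named in the post, added here as an example and not part of the original post or its comments. It assumes a 64-bit PowerShell session on the machine being inspected; the function names are made up for the example. Any DLL listed in AppInit_DLLs is loaded into every process that loads user32.dll, so that value is worth checking first.

```powershell
# Added example: lists AppInit_DLLs entries and rundll32-based uninstallers.
# Nothing is modified. Function names are hypothetical; run elevated.

# Registry view -> folder where a bare DLL name in that view resolves.
$appInitKeys = [ordered]@{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'             = 'System32'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows' = 'SysWOW64'
}
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-AppInitDll {
    foreach ($key in $appInitKeys.Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.AppInit_DLLs) { continue }
        # The value is a space- or comma-separated list of DLL names or paths.
        foreach ($name in ($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
            $path = $name
            if (-not (Split-Path $name -IsAbsolute)) {
                $path = Join-Path $env:SystemRoot (Join-Path $appInitKeys[$key] $name)
            }
            $sig = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Key = $key; Dll = $name; ResolvedPath = $path
                Signature = $sig; LoadAppInit = $props.LoadAppInit_DLLs
            }
        }
    }
}

function Get-RundllUninstallEntry {
    # Flags Add/Remove Programs entries whose uninstaller is a DLL run via rundll32,
    # the pattern described in the post (rundll32.exe <dll> Uninstall).
    foreach ($root in $uninstallRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.UninstallString -match 'rundll32(\.exe)?"?\s+"?(?<dll>[^",]+\.dll)') {
                [pscustomobject]@{ Entry = $_.PSChildName; Dll = $Matches.dll; UninstallString = $p.UninstallString }
            }
        }
    }
}

Get-AppInitDll | Format-List
Get-RundllUninstallEntry | Format-List
```

An unsigned or missing DLL in the first list, or an uninstall entry pointing at the same DLL, matches what the post describes and is worth inspecting before anything is deleted.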
Froggy Legs said…
Hi,
Finally found someone with the same problem and more, with a glimpse of solution 🙂
Got the same problem, but the installation did not warn me of anything, I was alarmed by my firewall which announced explorer.exe was trying to reach advertismen.com…
The filename differs, however: pushow8.dll, and it is the only one on my computer…
I have executed the rundll command in order to uninstall it properly and it did delete the registry entry … but not the dll file.
Having rebooted the system, no more warnings from the firewall…
And Firefox copy-paste worked again… I guess the bastard was stealing the keyboard values and sending them to the website… I hope it did not reveal any sensitive information… (I believe all outgoing connections were blocked but … who knows)
Thanks for your comment on your blog! I would not have found it otherwise …
Sincerely,
WCC
Thanks for the information Kyriakos!
I found the same thing you did. In my system 32 file it read pushow11.dll but when I did a search for “pushow” in regedit I found a few entries of pushow67.dll and pushow11.dll. I deleted them and I’m hoping nothing further happens. Like you I could not find any information about ADVERTISMEN.COM and I am so glad that you posted this.
Thanks again,
MV
Hi froggy legs,
Thank you for your comment. It is good to know that I am not the only (maybe first?) one who had the same problem.
I am not sure if what I described is actually a “solution”. I just hope the procedure I followed has removed it, as just like in your case ZoneAlarm does not complain any more. In fact I should have run Ethereal before I uninstalled the dll to see what this bastard was after.
I just know that today I had 30 hits on the blog and all of them came from google with “advertismen.com” and “spyware” as keywords.
I have sent the file to Lavasoft and hopefully they will find out what this install.exe is about.
Cheers,
Cyrus
I came across the same installer, installed it and immediately knew something was wrong.
I read the user agreement to find advertisemen.com; I started searching on Google and came to your blog. Great info, thanks
Jai
Yay, thx man, I was about to re-install my system.
Oh man thank you for the info. The occasional inoffensive ads were driving me nuts!
It goes to show that you MUST read everything in an installer, especially ones from P2P networks.
hi to all who had the same problem 🙂
This happened to me too, 2 weeks ago. I installed a small program which was supposed to be an access-exe to Jamie Oliver’s database of recipes.
After a reboot I wondered why my explorer asked for a connection to “advertismen.com”, and I told my firewall to block any connection to that site.
Like in other comments above, I didn’t find anything installed, but ran my antivirus and Ad-Aware; they did NOT find anything.
The same weekend I updated Mozilla Firefox, and since then I wasn’t able to copy and paste anymore.
I de-installed, reinstalled, went back to the old version – nothing helped.
Until yesterday...
After updating my antivirus scanner avast!, it alarmed me that there’s a trojan on my PC: the “pushow67.dll” in folder system32. So I googled it, and the only link that showed up was THIS page. After reading all your comments, I just had to remove that mal dll and the entry in the registry.
YAY, so NOW, finally my copy-paste function in Firefox works again.
THANKS guys for your helpful comments!!
cheers from Germany,
gubble
The exact same thing happened to me! Adaware and Microsoft Defender don’t find it, but it is DEFINITELY malware! Did deleting the files fix it? I am going to do that. I am glad I found your site.
Thank you all for your comments. I am very happy that my post helped some people.
UPDATE: After AVG antivirus downloaded the latest definitions today, it recognises the trojian installation program as trojian horse “Clicker.CAH”. I don’t know if it works for all pushow*.dll files or if it is able to clean them, but at least no more people should be infected from the trojian.
And.. yes.. There is no “i” in the word “trojan”! I wish we could edit comments!
oh guys…
this is a simple adware
you could deinstall by using
the software control panel
for adding/removing applications
Great post. I wish I had found this earlier, but rather I found the same fix in one of the firefox forums.
Either way, it’s VERY helpful. And I did try the uninstall, but it didn’t do anything as the advertisements were still coming in.
Odd thing was, I couldn’t rename or delete the pushowxx.dll file on my machine. I had to pop in the XP CD and go to the recovery console to manually delete it.
Hi, thank you for your information, and sorry for my bad English.
I don’t find any other information,
but I’m sure that the pushow*.dll uses, or does something with, ole32.dll, OLEAUT32.dll, shell32.dll, user32.dll, xernel32.dll, advapi32.dll, shlwapi.dll, wininet.dll, psapi.dll, olepro32.dll, gdi32.dll, hook1.dll
They are Microsoft DLLs.
I’m sure that this DLL tries to make internet connections, but BitDefender doesn’t find anything.
advertismen is in my add/remove panel but the system just reboots when I try to remove it, and doesn’t remove anything.
I’ll follow your search.
I’ve found that the DLL disables copy/paste in Firefox (made by crosoft ??)
The pushow*.dll goes to the URL http://advertismen.com/getlist.php?id=%id&lang=%lang
It should be to get URLs for popup windows…
This DLL is maybe a data miner, I’m not sure.
Deleting the DLL seems to fix the problem for Firefox.
If someone has some information…?
Bye
Even I had the little bastard… I got it a week ago on a P2P network with the download of the files “serissa foetida 08”, “bonsai ita 08”, “bonsai 44”.
I’ve also noticed that the DLL disables copy/paste in Firefox.
After updating my antivirus Avira AntiVir PersonalEdition Classic, it alarmed me that there’s a trojan: the Trojan horse TR/Click.Agent.HI
THANK YOU Kyriakos Anastasakis and THANK YOU guys 🙂
cheers from Italy
Thanks for all guys.
I met the same situation. The laptop restarted when I chose uninstall in the program manager.
I hate the software.
But I love you all.
Thanks again.
I copied the experiences from all of you because I want to inform my friends.
If you disagree, let me know and I will delete.
Thanks again.
Hi - thank you! Took a little while to remove pushow from my system32 folder though. (Mine was pushow88.) Thanks again
Thanks for the info
I have found this malware advertisemen on my computer. I have found the following file on my registry pushow11.dll. Is this part of the files which make up advertismen? Should I remove this file?
Thanks for the help
Also I noted a comment about Zone Alarm. Is this the best firewall? I read somewhere that it slows the computer down. Does anyone have an opinion?
Best,
P.L.
advertisemen
I did find an advertismen folder with the following (3): REG_S2 one of them has an exe file with an uninstall function. Is it safe to delete the whole thing?
This is the actual path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentVersion\uninstall\advertismen\
Since I am not an expert I do not want to delete anything that I do not understand.