[WARNING] Do not use www.35mb.com
I downloaded some songs from 35mb.com. It asked me to install an applet which does the actual download. Since there is no other way to download without that applet, I clicked OK to install that applet. There started my problems!!
I started getting all kinds of popups. Ahhhhh… irritating. I decided to root cause it. I installed both Ad-Aware SE and SpyBot S&D. They found lots of common objects like DSO Exploit, Doubleclick & Alexa, but removing them didn’t solve the problem. So, it looked like something new. Then, I opened the startup list (using msconfig.exe) and there I found a new entry — “C:\WINNT\IExplore.exe”. IExplore.exe is the main EXE of Internet Explorer. But it is, by default, installed to “C:\program files\internet explorer”, so what is this file? A quick search in Google gave me the info. It could either be Backdoor.Aphex or a 35mb.com ad popper.
I searched for more info regarding the 35mb.com applet. I have given some links related to this:
http://www.solid07.net/forums/index.php?act=ST&f=4&t=51143
http://www.solid07.net/forums/index.php?act=ST&f=5&t=51168
http://soompi.com/forums/index.php?showtopic=200297
and a complete list of discussions pertaining to this:
http://www.google.com/search?hl=en&lr=&safe=off&q=35mb.com+problem
The gist of the above is: 35MB.com furtively installs a program that runs in the background and produces these popups. And, if you read their policy, they hint at doing something like this!!!
How did I remove this?
I got a list of IE Objects using the HijackThis! utility. There, I saw the CAB downloaded from 35mb.com still sitting in my IE download folder. I deleted it first. Then, I renamed c:\winnt\iexplore.exe to c:\winnt\111iexplore.exe (Deleting this file is preferable. I wanted to analyze this file later, so I just kept it on my HDD. But, if you do not want to do that, just delete this file). Using MSCONFIG.EXE, I removed the startup entry for “C:\winnt\iexplore.exe” and rebooted.
NOTE: Iexplore.exe (the 35mb.com AD popper) runs in the background. So, even if you delete it using msconfig.exe, it will recreate that entry. But, once you reboot, it cannot load during startup as we have renamed iexplore.exe to 111iexplore.exe. Now, you can safely remove it from the STARTUP list.
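The tell described above, a startup entry that uses Internet Explorer's file name but runs from the wrong directory, can be checked automatically. The following is an added example, not part of the original post; the startup entries are constructed sample data, and `EXPECTED_DIRS`, `exe_path` and `find_masquerades` are names chosen here.

```python
import ntpath
import re

# Expected install directories per watched file name. The first path is the
# one the post gives; the "(x86)" path is the 32-bit location on 64-bit Windows.
EXPECTED_DIRS = {
    "iexplore.exe": {
        r"c:\program files\internet explorer",
        r"c:\program files (x86)\internet explorer",
    },
}

# Constructed sample of startup entries (name, command line), in the form
# msconfig or HijackThis would list them. Not taken from a real machine.
SAMPLE_STARTUP = [
    ("IEHelper", r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome'),
    ("iexplore", r"C:\WINNT\IExplore.exe"),
    ("Renamed", r"C:\WINNT\111iexplore.exe"),
    ("Updater", r"C:\Program Files\Vendor\update.exe /silent"),
]

# Quoted path, or an unquoted path ending at the first ".exe" before a space.
_EXE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe)(?=\s|$))', re.IGNORECASE)

def exe_path(command):
    """Return the executable path from a startup command line, or None."""
    m = _EXE.match(command)
    return (m.group(1) or m.group(2)) if m else None

def find_masquerades(entries, expected=EXPECTED_DIRS):
    """Flag entries whose file name is watched but whose directory is not expected."""
    hits = []
    for name, command in entries:
        path = exe_path(command)
        if path is None:
            continue
        # ntpath applies Windows path rules on any OS; normcase lowercases.
        norm = ntpath.normcase(ntpath.normpath(path))
        directory, filename = ntpath.split(norm)
        allowed = expected.get(filename)
        if allowed is not None and directory not in allowed:
            hits.append((name, path))
    return hits

if __name__ == "__main__":
    for name, path in find_masquerades(SAMPLE_STARTUP):
        print(f"suspicious startup entry {name!r}: {path}")
```

The renamed `111iexplore.exe` is not flagged because it no longer carries the watched name, which matches the post's point that the rename only stops the file from loading; it still has to be removed or analyzed separately.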