
I Am Having Spyware Troubles


4 replies to this topic

#1 greg donovan

Posted 31 July 2007 - 03:35 PM

The other day I started getting my IE browser interrupted with a notification from some place called ANTISPYSOLUTIONS . COM telling me that my laptop is infected with spyware and that I need to download their antispyware software.

Anyone heard of them before?

They are the ones that seem like the spyware to me.

What happens is that when I open IE, instead of going to my homepage (Hotmail) it turns the title into an about:blank and gives one line of text saying that I have spyware and to "click here" to get more info. If I click on the "X" to close that, it goes to the antispysolutions site. If I just ignore that message and select Hotmail (or any other site) from my favorites it will then go to the site I want, but the "warning" will interrupt every now and then.

Another new problem is that when I click on a link to another site the new window opens but won't do anything and refuses to be shut down unless I use Ctrl+Alt+Delete to shut it down. If I copy and paste the link it will open just fine.

I have run Ad-Aware and Spybot Search and Destroy a couple of times and they keep finding a couple of things.

My antivirus (F-Secure) has also detected a trojan system32 thing that it couldn't disinfect but would delete.

Some friends told me to come here for help.

I am about to download HijackThis.

I think I will switch to Firefox. Should I download Firefox before I start trying to fix this problem?

#2 oldf@rt

Posted 31 July 2007 - 03:56 PM

Sounds like you have a Vundo/SmitFraud variant, otherwise known as ripoffware. Try these two programs:

Rogue Remover Free and SUPERAntiSpyware

I just googled them, and all the top links were to removal sites.

Make sure that you check for updates and download updates for both programs.

Follow this for SUPERAntiSpyware: Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Edited by oldf@rt, 31 July 2007 - 03:57 PM.

The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 greg donovan (Topic Starter)

Posted 31 July 2007 - 07:06 PM


I just finished running SUPERAntiSpyware. It took 2 and a half hours. Found 50 things.

Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/31/2007 at 06:44 PM

Application Version : 3.9.1008

Core Rules Database Version : 3276
Trace Rules Database Version: 1287

Scan type : Complete Scan
Total Scan Time : 02:16:15

Memory items scanned : 437
Memory threats detected : 1
Registry items scanned : 4893
Registry threats detected : 14
File items scanned : 82960
File threats detected : 35

Trojan.Downloader-PFE
C:\WINDOWS\SYSTEM32\TMRSRV32.EXE
C:\WINDOWS\SYSTEM32\TMRSRV32.EXE
C:\WINDOWS\Prefetch\TMRSRV32.EXE-08C858E3.pf

Trojan.Downloader-FakeRX
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}
HKCR\CLSID\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}
HKCR\CLSID\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}
HKCR\CLSID\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}\Implemented Categories
HKCR\CLSID\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKCR\CLSID\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}\InprocServer32
HKCR\CLSID\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}\InprocServer32#ThreadingModel
HKCR\CLSID\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}\ProgID
HKCR\CLSID\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}\Programmable
HKCR\CLSID\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}\TypeLib
HKCR\CLSID\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}\VERSION
C:\WINDOWS\SYSTEM32\MSDN_LIB.DLL

Adware.Lycos/SideSearch
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}

Adware.Tracking Cookie
C:\Documents and Settings\Mindy Donovan\Cookies\mindy donovan@advertising[1].txt
C:\Documents and Settings\Mindy Donovan\Cookies\mindy donovan@adrevolver[3].txt
C:\Documents and Settings\Mindy Donovan\Cookies\mindy donovan@tribalfusion[2].txt
C:\Documents and Settings\Mindy Donovan\Cookies\mindy donovan@atdmt[2].txt
C:\Documents and Settings\Mindy Donovan\Cookies\mindy donovan@doubleclick[2].txt
C:\Documents and Settings\Mindy Donovan\Cookies\mindy donovan@mediaplex[2].txt
C:\Documents and Settings\Mindy Donovan\Cookies\mindy donovan@adrevolver[2].txt
C:\Documents and Settings\Mindy Donovan\Local Settings\Temp\Cookies\mindy donovan@partner2profit[1].txt

Trojan.NewDotNet
HKU\.DEFAULT\Software\New.net
HKU\S-1-5-18\Software\New.net
C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP425\A0052412.EXE
C:\WINDOWS\NDNUNINSTALL6_72.EXE

Trojan.Downloader-AgentDQ
C:\21CB.TMP
C:\WINDOWS\SYSTEM32\CHKDSK.DLL
C:\WINDOWS\Prefetch\21CB.TMP-1506252B.pf

Adware.WildMedia/Midaddle
C:\DOCUMENTS AND SETTINGS\MINDY DONOVAN\LOCAL SETTINGS\TEMP\HYFBXYK.EXE

Adware.WildMedia/WinFetcher
C:\DOCUMENTS AND SETTINGS\MINDY DONOVAN\LOCAL SETTINGS\TEMP\RXR3Q.EXE

Trojan.NewDotNet-Installer
C:\PROGRAM FILES\FILESUBMIT\SNOWY CURSOR SET\NNEZTA388.EXE

MyQuickSearch Toolbar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP425\A0052411.DLL

Trojan.FakeDrop-BJam
C:\WINDOWS\BJAM.DLL

Adware.Second Thought
C:\WINDOWS\BOKJA.EXE
C:\WINDOWS\STCLOADER.EXE

Trojan.FakeDrop-FLT
C:\WINDOWS\FLT.DLL

Trojan.FakeDrop-MSPPHE
C:\WINDOWS\MSPPHE.DLL

Trojan.Downloader-WUSS/Loader
C:\WINDOWS\SETUP.EXE
C:\WINDOWS\Prefetch\SETUP.EXE-1A1F8291.pf

Trojan.FakeDrop-SWin32
C:\WINDOWS\SWIN32.DLL

Trojan.FakeDrop-180AX
C:\WINDOWS\SYSTEM32\180AX.EXE

Trojan.FakeDrop-BI
C:\WINDOWS\SYSTEM32\BI.DLL

Trojan.MSOrcl32
C:\WINDOWS\SYSTEM32\MSORCL32.EXE
C:\WINDOWS\Prefetch\MSORCL32.EXE-0E374130.pf

Trojan.Downloader-Gen/RSVP
C:\WINDOWS\SYSTEM32\RSVP322.DLL

Trojan.SUSP/Transponder
C:\WINDOWS\SYSTEM32\SUSP.EXE

Trojan.FakeDrop-VoiceIP
C:\WINDOWS\VOICEIP.DLL

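The scan log above is the evidence the rest of the thread turns on. As an added example (not part of the thread, and not SUPERAntiSpyware's own code), here is a small Python parser for that log layout: it groups entries by detection name, cross-checks them against the summary counts in the header, and flags locations a responder would want to know about; the abbreviated sample log is constructed from the posted one, and the MARKERS notes are this editor's reading of those locations, not product documentation.

```python
import re
# Constructed, abbreviated log in the layout SUPERAntiSpyware uses in the thread:
# a summary header, then one block per detection name (registry keys start with a hive).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Memory threats detected : 1
Registry threats detected : 2
File threats detected : 3

Trojan.Downloader-PFE
C:\WINDOWS\SYSTEM32\TMRSRV32.EXE
C:\WINDOWS\SYSTEM32\TMRSRV32.EXE
C:\WINDOWS\Prefetch\TMRSRV32.EXE-08C858E3.pf

Trojan.Downloader-FakeRX
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}
HKCR\CLSID\{19D3A5DB-A5A3-4F95-9713-833AE4B950A4}\InprocServer32
C:\WINDOWS\SYSTEM32\MSDN_LIB.DLL
"""
HEADER_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")
REG_HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")
MARKERS = {"\\PREFETCH\\": "ran (Prefetch trace)",           # location -> what it implies (editor's notes)
           "SYSTEM VOLUME INFORMATION": "saved in a restore point",
           "BROWSER HELPER OBJECTS": "hooked into IE as a BHO"}
def is_entry(line):  # a detection entry is a registry key or a drive-letter path
    return line.startswith(REG_HIVES) or re.match(r"^[A-Za-z]:\\", line) is not None

def parse_scan_log(text):
    """Return (summary counts, {detection name: [entries]})."""
    counts, families = {}, {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        for m in filter(None, map(HEADER_RE.match, lines)):
            counts[m.group(1).lower()] = int(m.group(2))
        if len(lines) > 1 and not is_entry(lines[0]) and all(map(is_entry, lines[1:])):
            families.setdefault(lines[0], []).extend(lines[1:])
    return counts, families

def reconcile(counts, families):
    """Cross-check entries against the header (the posted log shows its memory hit as a path listed twice)."""
    entries = [e for es in families.values() for e in es]
    registry = sum(e.startswith(REG_HIVES) for e in entries)
    paths = len(entries) - registry
    return {"registry": registry, "paths": paths, "consistent": registry == counts.get("registry")
            and paths == counts.get("memory", 0) + counts.get("file", 0)}

def triage(families):
    flags = {}
    for name, entries in families.items():
        for e in entries:
            flags.setdefault(name, set()).update(n for k, n in MARKERS.items() if k in e.upper())
    return {k: sorted(v) for k, v in flags.items() if v}
```

Run against the full log posted above, the same reconciliation gives 14 registry entries and 36 paths, matching 14 registry and 1 memory + 35 file threats in its header.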


#4 oldf@rt

Posted 31 July 2007 - 07:30 PM

Holy Hannah! Post a HijackThis log immediately.

Please download the installer for HijackThis and save it to your desktop. Double-click on HJTinstall to run the installer. Agree to install, and agree to the license agreement. HijackThis will then open. Click on "Do a system scan and save a logfile"; Notepad will open with your log.
Post the log in this forum: HijackThis forum

#5 oldf@rt

Posted 31 July 2007 - 10:28 PM

Great to see that you got the HijackThis log posted.

Now that you have an open HJT log posted in the HijackThis Logs and Analysis forum, you shouldn't make any changes to your system.
Doing so could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.