
Internet Explorer Security Risk Pop Ups


7 replies to this topic

#1 becka202

becka202

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:53 PM

Posted 18 September 2007 - 11:12 AM

I am running Windows XP Home Edition. I have been getting many pop-ups looking like they're coming from Internet Explorer saying my system is at risk. My pop-up blocker is on. How can I stop getting these? It happens when I am searching on the web, but seems to have no particular time when they appear. My son had recently downloaded some games. One was from Starware, Grimms hatchery, which I am having trouble removing, and this may be when the problem started.

Thank you
Rebecca


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:10:53 PM

Posted 18 September 2007 - 12:48 PM

Hello and welcome to BC. A better place to post would be the malware section. Go to the main forum page and scroll down a little further
Mark
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Edited by garmanma, 18 September 2007 - 12:51 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 buddy215

buddy215

  • BC Advisor
  • 12,619 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:53 PM

Posted 18 September 2007 - 02:46 PM

Run a scan with Smitfraudfix using option #1. If it finds anything, run option #2. Read the directions carefully.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

Please let us know the results of the scans.

How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#4 Bonneville

Bonneville

  • Members
  • 233 posts
  • OFFLINE
  • Gender:Male
  • Location:South Yorkshire UK
  • Local time:03:53 AM

Posted 18 September 2007 - 05:40 PM

:thumbsup:

Hiya,

IMHO, look no further than Starware for spyware.

Regards,

Tony.
Is all that we see or seem, but a dream within a dream ?

#5 becka202

becka202
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:53 PM

Posted 19 September 2007 - 05:24 PM

I am still getting pop-ups and warnings about spyware and my computer being infected. I ran Bit Defender and Smitfraudfix. I could not run antispyware defender. I received a message that the administrator would not allow it. These were the reports. Thank you for your help.

SmitFraudFix v2.225

Scan done at 16:10:06.84, Wed 09/19/2007
Run from C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe

BitDefender Online Scanner

Scan report generated at: Wed, Sep 19, 2007 - 17:39:05

Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;

Statistics

Time: 01:07:41
Files: 377135
Folders: 9852
Boot Sectors: 3
Archives: 32275
Packed Files: 23352

Results

Identified Viruses: 2
Infected Files: 2
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 2

Engines Info

Virus Definitions: 820973
Engine build: AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 7
E-mail plugins: 6
System plugins: 1

Scan Settings

First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP536\A0044475.DLL
Detected with: Adware.Mywebsearch.G

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP536\A0044475.DLL
Disinfection failed

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP536\A0044475.DLL
Deleted

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP538\A0044853.exe=>(CAB Sfx r)=>nickarcade.dll
Infected with: Trojan.Delf.EZ

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP538\A0044853.exe=>(CAB Sfx r)=>nickarcade.dll
Disinfection failed

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP538\A0044853.exe=>(CAB Sfx r)=>nickarcade.dll
Deleted

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP538\A0044853.exe=>(CAB Sfx r)
Update failed

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
c:\windows\system32\afixps.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\HP_Administrator


C:\Documents and Settings\HP_Administrator\Application Data


Start Menu


C:\DOCUME~1\HP_ADM~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 16.92.3.242
DNS Server Search Order: 16.92.3.243
DNS Server Search Order: 16.81.3.243
DNS Server Search Order: 16.118.3.243

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7CDA8B1C-6AFD-4202-93F6-15C3D76D72EB}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7CDA8B1C-6AFD-4202-93F6-15C3D76D72EB}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7CDA8B1C-6AFD-4202-93F6-15C3D76D72EB}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254


Scanning for wininet.dll infection


End

#6 buddy215

buddy215

  • BC Advisor
  • 12,619 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:53 PM

Posted 19 September 2007 - 06:26 PM

Smitfraudfix report says the "fix" was run in normal mode. Rerun option one in smitfraudfix. If more malware is identified, run the fix in "safe mode".
Is Super Antispyware installed on your computer? If so, did you go into safe mode before attempting to run a scan? Is there more than one account on your computer?



#7 becka202

becka202
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:53 PM

Posted 20 September 2007 - 08:55 AM

I ran Super Antispyware and I ran Smitfraud clean again in safe mode. I don't know why it showed as normal mode because I did it in safe mode the first time also. I am still getting the security threat pop-ups.
SmitFraudFix v2.225

Scan done at 20:27:11.84, Wed 09/19/2007
Run from C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7CDA8B1C-6AFD-4202-93F6-15C3D76D72EB}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7CDA8B1C-6AFD-4202-93F6-15C3D76D72EB}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7CDA8B1C-6AFD-4202-93F6-15C3D76D72EB}: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254 192.168.1.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End
Again thanks for your help. Hope you have some more advice

Rebecca

#8 buddy215

buddy215

  • BC Advisor
  • 12,619 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:53 PM

Posted 20 September 2007 - 10:39 AM

Super Antispyware updated with more Smitfraud definitions yesterday at approximately 8pm. If you scanned before that, update and run the SAS scan again in safe mode.
If that doesn't remove the popups, post a Hijack This Log in the Hijack This Forum.
Post a Hijack This Log in the Hijack This Forum by following the directions in the link below. DO NOT post a log in this forum. http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
