Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

A Pop-up Virus I Can't Remove


  • This topic is locked This topic is locked
6 replies to this topic

#1 kevinsmom

kevinsmom

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:14 PM

Posted 20 September 2007 - 03:57 PM

These pop-up viruses are comming constantly.There are several different ones. My son said thy started after he got an IM asking him to check out a picture of him. The friend who's IM address was linked told him the virus was called "Facebook". I am adding a few of thesites that have popped up. I don't know if it will help but it can't hurt ither.

winantispyware.cm
spywarequake.com
bribaby.en/index.asp?affiliates
laughnetwork.com/.freeware/index
drivecleaner.com/freeware/index
adultfriendfinder.com
loadcash.biz.com
traffictraff.com
I have run Ad-Aware, Spybot, McAfee, CC cleaner, TrendMicro and cleaned m casche. At his point I'm at a loss over whatto do. Any help would be greatly appreciated.
Thank you.
B King

Attached Files



BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:14 PM

Posted 22 September 2007 - 10:20 PM

Hello kevinsmom,

I am SifuMike and I will be helping you. :thumbsup:

Sorry for the delay. We have many logs backed up.

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again!

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of the SmitfraudFix report into your next reply. Please do not attach any of your logs, as it is hard on my eyes.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Edited by SifuMike, 22 September 2007 - 10:22 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kevinsmom

kevinsmom
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:14 PM

Posted 25 September 2007 - 11:32 PM

here is the scan you requested.



SmitFraudFix v2.230

Scan done at 0:30:42.90, Wed 09/26/2007
Run from C:\Documents and Settings\Barbara King\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Barbara King


C:\Documents and Settings\Barbara King\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\BARBAR~1\FAVORI~1

C:\DOCUME~1\BARBAR~1\FAVORI~1\Online Security Test.url FOUND !

Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"="XenaDot Software"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.254.254
DNS Server Search Order: 192.168.254.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0CDE095B-08AD-4033-B6DD-1B93CDB9E7A7}: DhcpNameServer=192.168.254.254 192.168.254.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B60873CC-5F91-4DBD-9D56-3548F0B3C31E}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0CDE095B-08AD-4033-B6DD-1B93CDB9E7A7}: DhcpNameServer=192.168.254.254 192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B60873CC-5F91-4DBD-9D56-3548F0B3C31E}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0CDE095B-08AD-4033-B6DD-1B93CDB9E7A7}: DhcpNameServer=192.168.254.254 192.168.254.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B60873CC-5F91-4DBD-9D56-3548F0B3C31E}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254


Scanning for wininet.dll infection


End

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:14 PM

Posted 26 September 2007 - 07:10 AM

Hi kevinsmom,

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 kevinsmom

kevinsmom
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:14 PM

Posted 26 September 2007 - 08:31 PM

Ok, I did as you reccomended but had a hard time finding the Smitfraud report after I left safemode. The option of checking wininet.dll did not come up either time I ran the program. I redid this, not in safe mode and the report follows. I have also attached the new Hijackthis report. The pop-ups have not stopped yet and everything is still running very slowly.
Thank you for your time and assistance.
B. King



SmitFraudFix v2.230

Scan done at 21:15:10.64, Wed 09/26/2007
Run from C:\Documents and Settings\Barbara King\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.254.254
DNS Server Search Order: 192.168.254.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0CDE095B-08AD-4033-B6DD-1B93CDB9E7A7}: DhcpNameServer=192.168.254.254 192.168.254.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B60873CC-5F91-4DBD-9D56-3548F0B3C31E}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0CDE095B-08AD-4033-B6DD-1B93CDB9E7A7}: DhcpNameServer=192.168.254.254 192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B60873CC-5F91-4DBD-9D56-3548F0B3C31E}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0CDE095B-08AD-4033-B6DD-1B93CDB9E7A7}: DhcpNameServer=192.168.254.254 192.168.254.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B60873CC-5F91-4DBD-9D56-3548F0B3C31E}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.254.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Attached Files



#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:14 PM

Posted 26 September 2007 - 08:48 PM

Hello kevinsmom,

I redid this, not in safe mode and the report follows. I have also attached the new Hijackthis report.The pop-ups have not stopped yet and everything is still running very slowly.


SmitfraudFix will not work if you run it in the Normal Mode. It has to be run in the Safe Mode.
You have to go back and run SmitfraudFix again in the Safe Mode. Follow the directions and it will work.

but had a hard time finding the Smitfraud report after I left safemode

The report can be found at the root of the system drive, usually at C:\rapport.txt



Do not attach your HIjackthis log, as that makes it hard to read. Please post it.
Thanks.

Edited by SifuMike, 26 September 2007 - 08:50 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:14 PM

Posted 04 October 2007 - 02:36 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users