
Adssite Pop Ups (plz Help)...


  • This topic is locked
2 replies to this topic

#1 pagalinsan

  • Members
  • 1 posts

Posted 29 January 2008 - 01:24 AM

I am getting Adssite pop ups occasionally (for some specific sites) in my Mozilla Firefox browser. By running "regedit" I can see there is an adssite registry key (HKEY_USERS > S-1-5-21-1417001333-507921405-682003330-1003 > software > microsoft > adssite, below active movie).
I have Kaspersky AV 7 installed and have done all scans in safe mode. I also scanned my system with Ad-Aware, Spy Sweeper and TrojanHunter, but to no avail; I am still getting these pop ups from adssite. Actually I got this from LimeWire, which I have removed. I have also removed the adssite programs from Add/Remove Programs.

I am posting the HijackThis, ComboFix and SmitFraudFix logs (before and after cleaning).


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:27 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [ToniArts EasyCleaner] "C:\Program Files\ToniArts\EasyCleaner\EasyClea.exe" -s -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 5696 bytes


After that I did a scan with ComboFix:

Start Time= Tue 01/29/2008 10:09:46.00

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2008-01-29 10:04:10 ( .D... ) "C:\Program Files\Trend Micro"
2008-01-27 23:31:00 209 ( A.... ) "C:\Documents and Settings\Om\Application Data\urlredir.cfg"
2008-01-27 10:57:38 ( .D... ) "C:\Program Files\Common Files\xing shared"
2008-01-27 10:56:58 185944 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2008-01-27 10:56:20 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2008-01-27 10:56:20 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2008-01-27 10:56:04 499712 ( A.... ) "C:\WINDOWS\system32\msvcp71.dll"
2008-01-27 10:56:04 348160 ( A.... ) "C:\WINDOWS\system32\msvcr71.dll"
2008-01-27 10:56:04 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2008-01-24 10:33:44 ( .D... ) "C:\Documents and Settings\Om\Application Data\Media Player Classic"
2008-01-24 10:32:32 ( .D... ) "C:\Program Files\K-Lite Codec Pack"
2008-01-24 06:17:14 ( .D... ) "C:\Documents and Settings\Om\Application Data\WordWeb"
2008-01-24 06:15:52 ( .D... ) "C:\Program Files\WordWeb"
2008-01-22 23:51:58 ( .D... ) "C:\Program Files\Google"
2008-01-22 23:51:58 ( .D... ) "C:\Documents and Settings\Om\Application Data\Google"
2008-01-22 08:37:14 2560 ( A.... ) "C:\WINDOWS\system32\bitcometres.dll"
2008-01-22 08:31:44 ( .D... ) "C:\Documents and Settings\Om\Application Data\LimeWire"
2008-01-22 08:30:14 ( .D... ) "C:\Program Files\Java"
2008-01-22 08:30:14 ( .D... ) "C:\Program Files\Common Files\Java"
2008-01-22 08:29:50 ( .D... ) "C:\Documents and Settings\Om\Application Data\Sun"
2008-01-21 23:34:32 ( .D... ) "C:\Program Files\DivX"
2008-01-21 01:26:02 ( .D... ) "C:\Program Files\uTorrent"
2008-01-21 01:25:56 ( .D... ) "C:\Documents and Settings\Om\Application Data\uTorrent"
2008-01-20 15:21:04 ( .D... ) "C:\Program Files\Easy Video Downloader"
2008-01-20 14:31:22 ( .D... ) "C:\Program Files\YouTube Downloader"
2008-01-20 10:54:52 ( .D... ) "C:\Documents and Settings\Om\Application Data\Orbit"
2008-01-20 10:54:50 ( .D... ) "C:\Program Files\Orbitdownloader"
2008-01-20 10:38:52 ( .D... ) "C:\Program Files\SourceTec"
2008-01-17 19:34:40 63737145 ( A.... ) "C:\WINDOWS\6Aquariu.scr"
2008-01-16 15:40:28 ( .D... ) "C:\Documents and Settings\Om\Application Data\Help"
2008-01-16 09:09:22 ( .D... ) "C:\Documents and Settings\Om\Application Data\NeroDigitalT"
2008-01-15 21:03:34 ( .D... ) "C:\Documents and Settings\Om\Application Data\Nero"
2008-01-15 21:00:58 ( .D... ) "C:\Program Files\Common Files\Nero"
2008-01-15 06:46:42 ( .D... ) "C:\Program Files\Common Files\Adobe"
2008-01-15 06:46:42 ( .D... ) "C:\Program Files\Adobe"
2008-01-02 23:51:36 17642616 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2008-01-02 08:04:04 ( .D... ) "C:\Documents and Settings\Om\Application Data\dvdcss"
2008-01-02 07:05:06 ( .D... ) "C:\Program Files\WinMPG Video Convert"
2008-01-01 19:26:16 ( .D... ) "C:\Program Files\Windows Media Connect 2"
2007-12-31 01:31:36 ( .D... ) "C:\Documents and Settings\Om\Application Data\TrojanHunter"
2007-12-31 01:02:00 ( .D... ) "C:\Program Files\ToniArts"
2007-12-31 00:59:18 59392 ( ....R ) "C:\WINDOWS\system32\streamhlp.dll"
2007-12-31 00:58:56 ( .D... ) "C:\Program Files\TrojanHunter 5.0"
2007-12-30 11:22:30 ( .D... ) "C:\Program Files\Lavasoft"
2007-12-29 11:02:40 ( .D... ) "C:\Documents and Settings\Om\Application Data\FarStone"
2007-12-28 09:00:46 ( .D... ) "C:\Program Files\monopoly"
2007-12-28 08:41:16 ( .D... ) "C:\Program Files\2BrightSparks"
2007-12-28 03:05:28 ( .D.HR ) "C:\Documents and Settings\Om\Application Data\SecuROM"
2007-12-28 03:05:18 107888 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2007-12-27 14:03:58 ( .D... ) "C:\Program Files\AVI MPEG WMV RM to MP3 Converter"
2007-12-27 00:36:46 ( .D... ) "C:\Program Files\PowerISO"
2007-12-26 23:35:50 ( .D... ) "C:\Program Files\File Shredder"
2007-12-26 17:54:02 ( .D... ) "C:\Program Files\Kaspersky Lab"
2007-12-26 17:34:10 ( .D... ) "C:\Program Files\Spyware Terminator"
2007-12-26 09:00:30 ( .D... ) "C:\Program Files\MSXML 4.0"
2007-12-25 18:52:30 ( .D... ) "C:\Program Files\BitComet"
2007-12-24 20:08:08 ( .D... ) "C:\Program Files\Fastlane Carnage"
2007-12-24 15:47:32 ( .D... ) "C:\Program Files\directx"
2007-12-24 15:47:32 ( .D... ) "C:\Program Files\Core Design"
2007-12-24 13:03:34 ( .D... ) "C:\Program Files\GameSpy Arcade"
2007-12-24 12:59:24 ( .D... ) "C:\Program Files\Microsoft Games"
2007-12-14 22:13:08 ( .D... ) "C:\Documents and Settings\Om\Application Data\Macromedia"
2007-12-14 22:12:32 ( .D... ) "C:\Program Files\Common Files\ODBC"
2007-12-14 22:12:28 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2007-12-14 22:12:28 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2007-12-14 22:12:28 ( .D... ) "C:\Program Files\Common Files"
2007-12-14 22:12:00 62 ( A.SH. ) "C:\Documents and Settings\Om\Application Data\desktop.ini"
2007-12-14 19:52:52 ( .D... ) "C:\Documents and Settings\Om\Application Data\Microsoft Games"
2007-12-14 19:40:50 ( .D... ) "C:\Documents and Settings\Om\Application Data\vlc"
2007-12-14 19:34:18 ( .D... ) "C:\Program Files\CCleaner"
2007-12-14 18:24:22 ( .D... ) "C:\Documents and Settings\Om\Application Data\CyberLink"
2007-12-14 17:52:10 ( .D... ) "C:\Documents and Settings\Om\Application Data\Talkback"
2007-12-14 17:51:54 ( .D... ) "C:\Documents and Settings\Om\Application Data\Mozilla"
2007-12-14 17:39:44 ( .D... ) "C:\Program Files\Common Files\L&H"
2007-12-14 17:39:34 ( .D... ) "C:\Program Files\Microsoft.NET"
2007-12-14 17:39:26 ( .D... ) "C:\Program Files\Microsoft ActiveSync"
2007-12-14 17:38:58 ( .D... ) "C:\Program Files\Common Files\DESIGNER"
2007-12-14 17:38:54 ( .D... ) "C:\Program Files\Microsoft Works"
2007-12-14 17:38:48 ( .D... ) "C:\Program Files\Microsoft Visual Studio"
2007-12-14 17:37:32 ( .D... ) "C:\Program Files\Microsoft Office"
2007-12-14 17:24:00 ( .D... ) "C:\Program Files\Mozilla Firefox"
2007-12-14 17:23:20 ( .D... ) "C:\Program Files\Kundli"
2007-12-14 17:18:46 ( .D... ) "C:\Program Files\Jiao System, Ltd"
2007-12-14 17:17:48 ( .D... ) "C:\Program Files\Real"
2007-12-14 17:17:48 ( .D... ) "C:\Program Files\Common Files\Real"
2007-12-14 17:17:40 ( .D... ) "C:\Documents and Settings\Om\Application Data\Real"
2007-12-14 17:16:50 ( .D... ) "C:\Program Files\Winamp"
2007-12-14 17:14:08 ( .D... ) "C:\Documents and Settings\Om\Application Data\Ahead"
2007-12-14 17:13:18 ( .D... ) "C:\Program Files\Nero"
2007-12-14 17:13:18 ( .D... ) "C:\Program Files\Common Files\Ahead"
2007-12-14 17:11:52 ( .D... ) "C:\Program Files\CyberLink"
2007-12-14 17:11:26 ( .D... ) "C:\Documents and Settings\Om\Application Data\Adobe"
2007-12-14 17:10:06 ( .D... ) "C:\Program Files\WinZip"
2007-12-14 17:09:52 ( .D... ) "C:\Program Files\WinRAR"
2007-12-14 17:05:50 ( .D... ) "C:\Program Files\CONEXANT"
2007-12-14 17:05:14 ( .D... ) "C:\Program Files\Realtek"
2007-12-14 17:05:04 ( .D... ) "C:\Documents and Settings\Om\Application Data\InstallShield"
2007-12-14 17:04:14 ( .D... ) "C:\Program Files\Analog Devices"
2007-12-14 17:03:18 ( .D... ) "C:\Program Files\sisagp"
2007-12-14 17:03:16 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2007-12-14 17:01:14 ( .D... ) "C:\Program Files\SiS VGA Utilities V3.80"
2007-12-14 17:01:08 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2007-12-14 16:57:42 502272 ( A.... ) "C:\WINDOWS\system32\winlogon.exe"
2007-12-14 16:55:02 ( .D.H. ) "C:\Program Files\Uninstall Information"
2007-12-14 16:55:02 ( .D... ) "C:\Documents and Settings\Om\Application Data\Identities"
2007-12-14 16:54:56 ( .DS.. ) "C:\Documents and Settings\Om\Application Data\Microsoft"
2007-12-14 16:51:24 ( .D... ) "C:\Program Files\xerox"
2007-12-14 16:51:24 ( .D... ) "C:\Program Files\microsoft frontpage"
2007-12-14 16:51:00 0 ( A.... ) "C:\AUTOEXEC.BAT"
2007-12-14 16:49:56 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2007-12-14 16:49:00 ( .D... ) "C:\Program Files\Common Files\Services"
2007-12-14 16:48:54 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2007-12-14 16:48:40 ( .D... ) "C:\Program Files\Movie Maker"
2007-12-14 16:48:26 ( .D... ) "C:\Program Files\NetMeeting"
2007-12-14 16:48:22 ( .D... ) "C:\Program Files\Outlook Express"
2007-12-14 16:48:14 ( .D... ) "C:\Program Files\Common Files\System"
2007-12-14 16:48:12 ( .D... ) "C:\Program Files\Internet Explorer"
2007-12-14 16:47:34 ( .D... ) "C:\Program Files\Online Services"
2007-12-14 16:47:32 ( .D... ) "C:\Program Files\Windows Media Player"
2007-12-14 16:47:28 ( .D... ) "C:\Program Files\Messenger"
2007-12-14 16:47:24 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2007-12-14 16:46:42 ( .D... ) "C:\Program Files\MSN"
2007-12-14 16:46:40 ( .D... ) "C:\Program Files\Windows NT"
2007-12-13 19:09:06 972072 ( A.... ) "C:\WINDOWS\UNNeroMediaHome.exe"
2007-12-04 09:59:22 972072 ( A.... ) "C:\WINDOWS\UNRecode.exe"
2007-12-03 18:04:12 95600 ( A.... ) "C:\WINDOWS\system32\NeroCo.dll"
2007-11-30 04:00:16 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2007-11-30 04:00:16 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2007-11-13 17:01:12 60416 ( ..... ) "C:\WINDOWS\system32\tzchange.exe"
2007-11-07 14:56:56 721920 ( A.... ) "C:\WINDOWS\system32\lsasrv.dll"
2007-10-31 05:12:30 3590656 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2007-10-30 04:13:04 1287680 ( A.... ) "C:\WINDOWS\system32\quartz.dll"
2007-10-29 15:34:04 350720 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSPower"="\"Rundll32.exe\" SiSPower.dll,ModeAgent"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"SoundMAXPnP"="\"C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe\""
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe\""
"PWRISOVM.EXE"="\"C:\\Program Files\\PowerISO\\PWRISOVM.EXE\""
"ToniArts EasyCleaner"="\"C:\\Program Files\\ToniArts\\EasyCleaner\\EasyClea.exe\" -s -startup"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"NeroFilterCheck"="\"C:\\Program Files\\Common Files\\Nero\\Lib\\NeroCheck.exe\""
"NBKeyScan"="\"C:\\Program Files\\Nero\\Nero8\\Nero BackItUp\\NBKeyScan.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveAutoRun"=dword:00000100

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""


Contents of the 'Scheduled Tasks' folder

Completion time: Tue 01/29/2008 10:10:16.28
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

And then with SmitFraudFix, so here it is:



SmitFraudFix v2.277

Scan done at 10:42:06.87, Tue 01/29/2008
Run from C:\Documents and Settings\Om\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ToniArts\EasyCleaner\EasyClea.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Om


C:\Documents and Settings\Om\Application Data


Start Menu


C:\DOCUME~1\Om\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 202.62.224.2
DNS Server Search Order: 202.62.224.5
DNS Server Search Order: 202.56.250.5
DNS Server Search Order: 202.56.250.6

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2BBF97A6-E217-4BB1-8B0A-56B188DABAA7}: DhcpNameServer=202.62.224.2 202.62.224.5 202.56.250.5 202.56.250.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2BBF97A6-E217-4BB1-8B0A-56B188DABAA7}: DhcpNameServer=202.62.224.2 202.62.224.5 202.56.250.5 202.56.250.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=202.62.224.2 202.62.224.5 202.56.250.5 202.56.250.6
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=202.62.224.2 202.62.224.5 202.56.250.5 202.56.250.6


Scanning for wininet.dll infection


End

Then I did the cleaning with SmitFraudFix in safe mode; the log is:

SmitFraudFix v2.277

Scan done at 10:33:51.68, Tue 01/29/2008
Run from C:\Documents and Settings\Om\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix.exe by S!Ri


DNS



Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

But until now the adssite registry entry remains the same and I am still getting pop ups. Please help.
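As an added example that is not part of the original post or of any BleepingComputer tool, here is a small Python parser for the HijackThis line formats that appear in the log above (R0, O2 BHO, O4 Run and O23 Service entries), with three first-pass triage rules of the kind a log helper applies before anything else: a BHO with no display name, an autorun that points into a user profile or Temp directory, and a service whose binary carries no company name. The sample log is constructed: the btorbit, AVP, RichVideo and R0 lines are copied from the post, while the "(no name)" BHO and the "updater" Run entry are hypothetical, with made-up CLSID and file names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v2 log format. The btorbit, AVP, RichVideo
# and R0 lines are copied from the post above; the "(no name)" BHO and the
# "updater" Run entry are hypothetical (made-up CLSID and file names).
SAMPLE_LOG = r"""
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {0A0B0C0D-1111-2222-3333-444455556666} - C:\WINDOWS\system32\hypothetical.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Om\Local Settings\Temp\upd.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""


@dataclass
class HjtEntry:
    section: str            # HijackThis section code: R0, O2, O4, O23, ...
    name: str               # BHO/service display name or Run value name
    clsid: Optional[str]    # COM CLSID for BHO/toolbar entries, if present
    path: Optional[str]     # file the entry loads, if one is listed
    raw: str                # the original log line


LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path ending in a loadable module. Non-greedy, and bounded by a
# quote, whitespace, "/" (res:// URLs) or end of line so that trailing
# arguments are not swallowed.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]+?\.(?:exe|dll|scr|ocx|cpl))(?=["\s/]|$)', re.IGNORECASE)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis log line; return None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    if section == "O4":
        # O4 - HKLM\..\Run: [ValueName] command
        nm = re.search(r"\[([^\]]*)\]", rest)
    else:
        # O2 - BHO: Name - {CLSID} - path   /   O23 - Service: Name - Owner - path
        nm = re.match(r"[^:]+:\s*(.+?)\s+-\s+", rest)
    name = nm.group(1) if nm else ""
    clsid = CLSID_RE.search(rest)
    path = PATH_RE.search(rest)
    return HjtEntry(section, name,
                    clsid.group(0) if clsid else None,
                    path.group(1) if path else None,
                    line.strip())


def parse_log(text: str) -> List[HjtEntry]:
    """Parse every entry line of a HijackThis log, skipping headers and blanks."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


# Directory fragments a normal user can write to; an autorun living here is
# worth a look regardless of its name.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\", "\\local settings\\")


def triage(entries: List[HjtEntry]) -> List[Tuple[HjtEntry, str]]:
    """Return (entry, reason) pairs that deserve manual verification.
    A hit is a prompt to check the file, not a verdict that it is malicious."""
    findings: List[Tuple[HjtEntry, str]] = []
    for e in entries:
        low = (e.path or "").lower()
        if e.section == "O2" and e.name == "(no name)":
            findings.append((e, "BHO with no display name"))
        elif e.section == "O4" and any(frag in low for frag in USER_WRITABLE):
            findings.append((e, "autorun from a user profile or Temp location"))
        elif e.section == "O23" and "unknown owner" in e.raw.lower():
            findings.append((e, "service binary has no company name; verify the file"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.section:<4} {why}: {entry.raw}")
```

The rules are deliberately coarse. HijackThis reports "Unknown owner" for any service whose binary has no company name in its version resource, which is why the legitimate CyberLink RichVideo service trips the O23 rule; the hit means "open the file's properties and check its signature and vendor", nothing more. The same applies to the per-user registry key the post mentions: an autorun or BHO entry is only evidence once the file it points to has been identified.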



#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 February 2008 - 09:29 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.
I apologize for the delay getting to your log, the helpers here are very busy.

If you still need help, please post a fresh Hijackthis log, in this thread, so I can help you with your malware problems.
If you have resolved this issue please let us know.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 March 2008 - 06:54 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.


========================================================



