
Superiorads Problem


#1 kingjeff (Members)
Posted 10 February 2008 - 04:30 PM

Hi, first-timer here. My computer has been infected with the Superiorads virus, trojan, whatever. I am running Windows XP Pro.

I have tried Spybot and have Norton running but can't seem to get rid of this nasty problem. Any help would be greatly appreciated.

Thanks, Kingjeff

Edit: Moved topic to the more appropriate forum. ~ Animal

#2 boopme (Global Moderator, NJ USA)
Posted 10 February 2008 - 07:50 PM

Welcome to the forum. Please do the following and post back the scan log so we can see some things.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
DO NOT run yet.

Now reboot into Safe Mode:
Safe Mode Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or the Opera browser, click on that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NOW scan with SUPER:
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post logs and let us know how your PC is running now.

#3 kingjeff (Topic Starter)
Posted 11 February 2008 - 02:18 AM

Hi Boopme, thanks so much for the reply, I did as you said and here is the log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/10/2008 at 11:03 PM

Application Version : 3.9.1008

Core Rules Database Version : 3399
Trace Rules Database Version: 1391

Scan type : Complete Scan
Total Scan Time : 03:18:55

Memory items scanned : 170
Memory threats detected : 0
Registry items scanned : 4502
Registry threats detected : 32
File items scanned : 56508
File threats detected : 9

Unknown BHO (HELPER100.DLL)
HKLM\Software\Classes\CLSID\{017C20C1-F86F-11D8-9B25-000ACD002AE3}
HKCR\CLSID\{017C20C1-F86F-11D8-9B25-000ACD002AE3}
HKCR\CLSID\{017C20C1-F86F-11D8-9B25-000ACD002AE3}
HKCR\CLSID\{017C20C1-F86F-11D8-9B25-000ACD002AE3}\InprocServer32
HKCR\CLSID\{017C20C1-F86F-11D8-9B25-000ACD002AE3}\InprocServer32#ThreadingModel
C:\WINDOWS\HELPER101.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{017C20C1-F86F-11D8-9B25-000ACD002AE3}

Adware.ClearSearch
HKLM\Software\Classes\CLSID\{0FC79301-E615-439B-B822-078ED2E75E93}
HKCR\CLSID\{0FC79301-E615-439B-B822-078ED2E75E93}
HKCR\CLSID\{0FC79301-E615-439B-B822-078ED2E75E93}\InprocServer32
HKCR\CLSID\{0FC79301-E615-439B-B822-078ED2E75E93}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\CSBB\CSBB.DLL
C:\PROGRAM FILES\MQJYJQJT\JPK0YC71.DLL
C:\PROGRAM FILES\MQJYJQJT\NY7H4FRB.DLL
C:\PROGRAM FILES\MQJYJQJT\XSA0HPUC.DLL

Adware.RsyncMon
HKLM\Software\Classes\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
HKCR\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
HKCR\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
HKCR\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}\InprocServer32
HKCR\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}\InprocServer32#ThreadingModel
HKCR\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}\ProgID
HKCR\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}\Programmable
HKCR\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}\TypeLib
HKCR\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\RSYNCMON.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}

Adware.SprtAds/AdRotator
HKLM\Software\Classes\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\InprocServer32
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\InprocServer32#ThreadingModel
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\ProgID
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\Programmable
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\TypeLib
HKCR\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\SPRT_ADS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4AD44D3E-7316-4251-B754-9B10EC96AF92}

Search Bar BHO
HKU\S-1-5-21-1993962763-1409082233-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D}

Adware.IEPlugin
HKCR\Remove

Trojan.Security Toolbar
C:\Documents and Settings\jeff\Favorites\Antivirus Test Online.url

Adware.ShopAtHomeAgent
C:\WINDOWS\BUNDLES\SAHAGENT-SEEDCORN1002.EXE



Still seems to be quite sluggish, let me know what you think. Thanks again for the time!
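A parser for the scan-log format pasted above, added here as an illustration (it is not code from BleepingComputer or from SUPERAntiSpyware). It assumes the blank-line-separated layout shown in the log and runs on a constructed sample with a made-up CLSID; it pulls out which detections are Browser Helper Objects, which DLL each loads, and whether the header totals agree with the entries actually listed, a quick sanity check on a pasted log.

```python
import re

HIVES = ("HKLM\\", "HKCR\\", "HKCU\\", "HKU\\")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*([^/].*)$")  # "Key : value" header lines
# Constructed sample in the posted log format; the CLSID and paths are made up.
SAMPLE_LOG = """SUPERAntiSpyware Scan Log
Registry threats detected : 4
File threats detected : 2

Unknown BHO (HELPER100.DLL)
HKLM\\Software\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}
HKCR\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32
C:\\WINDOWS\\HELPER101.DLL
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{11111111-2222-3333-4444-555555555555}

Adware.IEPlugin
HKCR\\Remove
C:\\WINDOWS\\BUNDLES\\EXAMPLE.EXE
"""
def is_registry(line): return line.upper().startswith(HIVES)
def is_file(line): return re.match(r"^[A-Za-z]:\\", line) is not None

def parse_log(text):
    """Return (header dict, detections); blank lines separate the log's blocks."""
    header, detections = {}, []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not any(is_registry(l) or is_file(l) for l in lines):  # header block
            for m in filter(None, map(HEADER_RE.match, lines)):
                header[m.group(1).strip()] = m.group(2).strip()
            continue
        det = {"name": lines[0], "registry": [], "files": [], "clsids": set()}
        for l in lines[1:]:
            (det["registry"] if is_registry(l) else det["files"]).append(l)
            det["clsids"].update(c.upper() for c in CLSID_RE.findall(l))
        # A CLSID listed under Browser Helper Objects is a BHO that IE actually loads.
        det["is_bho"] = any("\\Browser Helper Objects\\" in k for k in det["registry"])
        detections.append(det)
    return header, detections

def counts_match(header, detections):
    """True when the header totals equal the entries actually listed."""
    listed = (sum(len(d["registry"]) for d in detections), sum(len(d["files"]) for d in detections))
    claimed = (int(header.get("Registry threats detected", -1)), int(header.get("File threats detected", -1)))
    return listed == claimed

def bho_dlls(detections):
    """Map each live BHO detection to the DLL path(s) the log lists for it."""
    return {d["name"]: d["files"] for d in detections if d["is_bho"]}
```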

#4 quietman7 (Global Moderator, Virginia, USA)
Posted 11 February 2008 - 03:21 PM

Download RVAXO.exe and save to your Desktop.
  • Double-click on RVAXO.exe, then click "Installeren" to install the program. ("Bladeren" = Browse for Folder and "Annuleren" = Cancel)
  • This will install a folder called Rvaxo.
  • Open the Rvaxo folder and double-click on RVAXO.cmd.
    • You will see a small window pop up, some lines will run quickly and then the window will close by itself. This is normal behavior.
    • It may also start an uninstaller of a rogue scanner -- do not close this -- but follow all prompts there, and let it run its course.
  • When done the computer will reboot...press any key to reboot.
  • After reboot, RVAXO will run again. If not, double click on RVAXO.cmd to run the program and let it finish.
  • A log file called RVAXO-results.log will be created in C:\RVAXO-results.log
  • Copy and paste the contents of that log in your next reply.
  • You can use Uninstall.cmd to remove everything from RVAXO. It can be found in the Rvaxo folder on your desktop.
Note: Vista users will need to right-click on RVAXO.cmd and choose "Run as an Administrator".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 kingjeff (Topic Starter)
Posted 11 February 2008 - 05:14 PM

Hi Quietman, here are the results:

---RVAXO.exe Updated: 2008-02-11---first run---
Files found:

Uninstallers:


Folders Found:


Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------

Files found:

Folders Found:

--------------RVAXO.exe finished----------------

Thanks for your time & effort.

#6 quietman7 (Global Moderator, Virginia, USA)
Posted 12 February 2008 - 08:06 AM

Usually RVAXO.exe finds more files related to superiorads and dsads, but in your case the log looks ok. Any more signs/symptoms of infection?

#7 kingjeff (Topic Starter)
Posted 12 February 2008 - 11:38 PM

I think I did it correctly. Yeah, it is running super slow, although I haven't seen the Superiorads pop-up lately. Something is wrong though.

Thanks again, any hints are greatly appreciated.

#8 quietman7 (Global Moderator, Virginia, USA)
Posted 13 February 2008 - 08:39 AM

Are you finding any suspicious processes in Task Manager? When you experience or encounter strange behavior, always check for new, unknown or suspicious processes that may be running on your system.

Anytime you come across a suspicious file, search the name using Google or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
ThreatExpert Malware Search
If no search results are found, you are given the option to "Submit a New Sample".

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Process Explorer or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

If your computer seems to be slow, read Slow Computer/Browser? Check here first; it may not be malware. There are reasons for slowness besides malware - i.e. disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware components, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.
Note: If you are not on a local area network (LAN), disable the Workstation Service which creates and maintains client network connections to remote servers and that should also help to speed up your boot time.
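The "same name as a critical system file, but in a different location" check from the post above, written out as an added example (not the poster's code and not one of the tools the thread links to). The process list is constructed, and the expected directories assume a default Windows XP install on C:; names not in the table get "unknown", which is the case where the post says to go and search the file name.

```python
import ntpath

# Assumption: a default Windows XP install on C:; change SYSTEM_DIR if yours differs.
SYSTEM_DIR = r"C:\WINDOWS\system32"
# Where a few critical binaries legitimately live (the names malware likes to borrow).
CRITICAL = {"svchost.exe": SYSTEM_DIR, "lsass.exe": SYSTEM_DIR, "csrss.exe": SYSTEM_DIR,
            "winlogon.exe": SYSTEM_DIR, "services.exe": SYSTEM_DIR, "explorer.exe": r"C:\WINDOWS"}

def same_dir(path, expected):
    """Windows paths are case-insensitive, so compare normalised forms."""
    return ntpath.normcase(ntpath.normpath(path)) == ntpath.normcase(ntpath.normpath(expected))

def classify(name, image_path):
    """'ok': critical name in its home directory; 'masquerade': critical name
    running from somewhere else; 'unknown': not in the table, look the name up."""
    expected = CRITICAL.get(name.lower())
    if expected is None:
        return "unknown"
    return "ok" if same_dir(ntpath.dirname(image_path), expected) else "masquerade"

def triage(processes):
    """Return [(name, path, verdict)] for (name, path) pairs as shown in
    Task Manager or Process Explorer's Path column."""
    return [(n, p, classify(n, p)) for n, p in processes]

def suspects(processes):
    """Only the entries worth asking about: masquerades and unknowns."""
    return [t for t in triage(processes) if t[2] != "ok"]

# Constructed process list; the Temp-folder lsass.exe and the C:\WINDOWS svchost.exe
# are the pattern the post describes (right name, wrong place). qz4xk.exe is made up.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("SVCHOST.EXE", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\svchost.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("lsass.exe", r"C:\Documents and Settings\jeff\Local Settings\Temp\lsass.exe"),
    ("qz4xk.exe", r"C:\WINDOWS\qz4xk.exe"),
]
```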
