Browser Hijacked


  • This topic is locked
13 replies to this topic

#1 Apax

  • Members
  • 8 posts

Posted 28 February 2008 - 08:24 AM

When searching the internet, the result links do not go to the website they are supposed to. It goes to a website for "CyberStroll" or a variety of other spyware websites. I am currently running AVG Anti-Spyware and it is picking nothing up. I also am using Vexira Antivirus. It is an IBM computer with XP Professional, a 2.4 GHz Intel Pentium 4 processor and 512 MB of RAM. I greatly need some help in trying to get this cleaned up. I have run HijackThis and here is the report. Thanks so much for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:42 AM, on 2/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\msiconf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apaches.k12.in.us/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {95A46130-8648-4B00-8046-E03C31DA6F13} - C:\WINDOWS\System32\cmdial3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133792364358
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://boycesystems.webex.com/client/T23L/...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wabash.local
O17 - HKLM\Software\..\Telephony: DomainName = wabash.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA253CAC-9D3F-46A1-A972-2C2C3C5017F4}: NameServer = 165.139.24.235,165.138.176.1,165.139.1.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wabash.local
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 6152 bytes


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 February 2008 - 11:33 AM

Hello Apax,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Apax

  • Topic Starter
  • Members
  • 8 posts

Posted 28 February 2008 - 12:18 PM

Thank you for your quick response. Here are the reports you asked for. I thought I also might tell you that after I send this, I might not be able to respond back until tomorrow morning. I really do appreciate your help. Also, would you rather I upload these reports as an attachment?

ComboFix 08-02-25.3 - smithc 2008-02-28 12:12:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.218 [GMT -5:00]
Running from: C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\6FAVUD6V\ComboFix[1].exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\msiconf.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.

2008-02-28 08:23 . 2008-02-28 08:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 18:42 . 2008-02-27 18:42 <DIR> d-------- C:\Documents and Settings\smithc.000\Application Data\Grisoft
2008-02-27 18:42 . 2008-02-27 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-27 18:42 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-27 17:42 . 2008-02-27 17:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-02-27 17:38 . 2008-02-27 17:38 19,279,240 --a------ C:\winprof.exe
2008-02-27 17:30 . 2008-02-27 17:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Active Disk
2008-02-27 10:43 . 2008-02-27 19:10 <DIR> d-------- C:\Program Files\SpyShredder
2008-02-26 11:27 . 2002-08-29 08:00 88,064 --a------ C:\WINDOWS\system32\apphel.dll
2008-02-26 11:26 . 2002-08-29 08:00 88,064 --a------ C:\WINDOWS\system32\cmdial3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 22:50 --------- d-----w C:\Program Files\Viewpoint
2008-02-27 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-27 22:44 --------- d-----w C:\Program Files\AccuWage 2005
2008-02-27 22:43 --------- d-----w C:\Program Files\Yahoo!
1998-12-09 10:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 10:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 10:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 10:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 10:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 10:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95A46130-8648-4B00-8046-E03C31DA6F13}]
2002-08-29 08:00 88064 --a------ C:\WINDOWS\System32\cmdial3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 14:45 1663248]
"MSI Configuration"="msiconf.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-03-12 20:30 286720 C:\WINDOWS\system32\atiptaxx.exe]
"BluetoothAuthenticationAgent"="irprops.cpl" [2002-11-22 17:45 111104 C:\WINDOWS\system32\irprops.cpl]
"PROMon.exe"="PROMon.exe" [2002-04-18 21:32 73728 C:\WINDOWS\system32\PROMon.exe]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 19:36 90112]
"Tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2001-11-07 06:50 1519616]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 04:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-08-19 06:50 106551]
"UC_SMB"="" []
"NDPS"="C:\WINDOWS\System32\dpmw32.exe" [2000-01-21 05:47 28672]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 13:37 28672 C:\WINDOWS\system32\nwtray.exe]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 19:39 147456]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 17:30 86016]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 13:55 32768]
"VBSysTray"="C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe" [2007-10-02 20:11 239000]
"AVLoginToDo"="C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe" [2007-10-02 20:32 50552]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-24 00:51:54 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-447408750-3844741995-5338384-1114\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-447408750-3844741995-5338384-1115\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyShredder]
--a------ 2008-02-27 10:43 402944 C:\Program Files\SpyShredder\SpyShredder.exe

R2 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 15:36]
R2 VACompManService;Vexira Antivirus Component Manager Service;C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe [2007-10-02 20:28]
R2 VBShld;VBShld;C:\WINDOWS\System32\Drivers\VBShld.Sys [2007-10-02 18:50]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-05-03 15:36]
R3 VBEngNT;VBEngNT;C:\WINDOWS\System32\Drivers\VBEngNT.Sys [2007-10-05 16:41]
R3 VBFilter;VBFilter;C:\WINDOWS\System32\Drivers\VBFilter.Sys [2007-10-02 18:49]
R3 VBRec;VBRec;C:\WINDOWS\System32\Drivers\VBRec.Sys [2007-10-02 18:48]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2002-08-29 08:00]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 12:13:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-02-28 12:15:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-28 17:15:52


HijackThis Scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19, on 2008-02-28
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apaches.k12.in.us/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {95A46130-8648-4B00-8046-E03C31DA6F13} - C:\WINDOWS\System32\cmdial3.dll
O2 - BHO: (no name) - {A06C055C-6CEA-4C6E-B488-5F49FEB14825} - C:\WINDOWS\System32\cmdial3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133792364358
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://boycesystems.webex.com/client/T23L/...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wabash.local
O17 - HKLM\Software\..\Telephony: DomainName = wabash.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA253CAC-9D3F-46A1-A972-2C2C3C5017F4}: NameServer = 165.139.24.235,165.138.176.1,165.139.1.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wabash.local
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 6350 bytes
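The two HijackThis logs above contain the kinds of entries a responder triages by hand: a BHO listed as "(no name)", the same cmdial3.dll registered under two different CLSIDs, a Run entry that names a bare msiconf.exe with no path, and a service whose file is missing. The Python script below is an added example written for this page; it is not part of the thread and is not HijackThis code. It parses the O2, O4 and O23 line formats seen above and flags those patterns. The sample lines are constructed to mirror the second log (the CLSIDs and paths are the ones that appear there), and the severities are triage hints for what to inspect first, not verdicts that a file is malicious.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the second HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {95A46130-8648-4B00-8046-E03C31DA6F13} - C:\WINDOWS\System32\cmdial3.dll
O2 - BHO: (no name) - {A06C055C-6CEA-4C6E-B488-5F49FEB14825} - C:\WINDOWS\System32\cmdial3.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# Line formats as HijackThis 2.x prints them (O2 = BHO, O4 = Run key, O23 = service).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def _exe_of(cmd):
    """Return the executable part of an O4 command: strip quotes and trailing arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    return cmd.split(" ")[0]


def triage(log_text):
    """Apply triage heuristics to HijackThis-style lines and return a list of findings.

    Each finding is a dict with 'severity', 'kind' and 'detail'.  Unrecognised
    lines (R0, O3, O16, process lists, ...) are ignored.
    """
    findings = []
    dll_owners = defaultdict(set)  # lower-cased DLL path -> CLSIDs registered for it

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            path = m["path"].strip()
            dll_owners[path.lower()].add(m["clsid"])
            # A BHO with no registered display name hides nothing from the
            # loader, but it is rare for legitimate software and worth a look.
            if m["name"].strip().lower() == "(no name)":
                findings.append({"severity": "high", "kind": "bho_no_name",
                                 "detail": f"{m['clsid']} -> {path}"})
        elif m := RUN_RE.match(line):
            exe = _exe_of(m["cmd"])
            # A bare file name relies on the PATH search order, so the log alone
            # cannot tell you which file actually runs; locate it before judging.
            if "\\" not in exe and ":" not in exe:
                findings.append({"severity": "review", "kind": "run_bare_name",
                                 "detail": f"{m['hive']} [{m['key']}] {exe}"})
        elif m := SVC_RE.match(line):
            path = m["path"].strip()
            # An orphaned service entry is a leftover of a removed or failed
            # install; harmless in itself, but it shows the box has history.
            if path.endswith("(file missing)"):
                findings.append({"severity": "medium", "kind": "service_file_missing",
                                 "detail": f"{m['name']} -> {path}"})

    # Legitimate BHOs normally register one CLSID per DLL; the same DLL under
    # several CLSIDs deserves a look.  Reported once per DLL.
    for dll, clsids in dll_owners.items():
        if len(clsids) > 1:
            findings.append({"severity": "high", "kind": "bho_dll_multi_clsid",
                             "detail": f"{dll} <- {', '.join(sorted(clsids))}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['kind']}: {f['detail']}")
```

Run against a real log, the script is a first pass only: every flagged path still has to be checked on disk (timestamps, size, publisher) before anything is removed, which is exactly what the ComboFix and SmitfraudFix steps in this thread do.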

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 February 2008 - 12:31 PM

Hello,

That's all right, and posting them like you have been is just fine with me. :blink:

Looking through that log I see you have SpyShredder hanging around. :thumbsup: http://www.bleepingcomputer.com/forums/t/98791/how-to-remove-spyshredder-or-spy-shredder-removal-instructions/

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Thanks,
tea

#5 Apax

  • Topic Starter
  • Members
  • 8 posts

Posted 28 February 2008 - 02:13 PM

We have tried everything to get rid of that SpyShredder. I ran the SmitfraudFix and then tried to uninstall the SpyShredder, and it was no longer in the list of installed programs in Control Panel. Did running that SmitfraudFix get rid of it, or will I have to do the manual removal option? Thanks for your help. I know I won't be able to respond back until tomorrow after this one.

SmitFraudFix v2.298

Scan done at 14:07:37.96, 2008-02-28
Run from C:\Documents and Settings\smithc.000\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\NOTEPAD.EXE

hosts


\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\smithc.000


C:\Documents and Settings\smithc.000\Application Data


Start Menu


C:\DOCUME~1\smithc.000\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 165.139.24.235
DNS Server Search Order: 165.138.176.1
DNS Server Search Order: 165.139.1.10

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BA253CAC-9D3F-46A1-A972-2C2C3C5017F4}: NameServer=165.139.24.235,165.138.176.1,165.139.1.10
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BA253CAC-9D3F-46A1-A972-2C2C3C5017F4}: NameServer=165.139.24.235,165.138.176.1,165.139.1.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BA253CAC-9D3F-46A1-A972-2C2C3C5017F4}: NameServer=165.139.24.235,165.138.176.1,165.139.1.10


Scanning for wininet.dll infection


End

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 February 2008 - 02:40 PM

Hello,

Blasted thing huh? :blink:

Please open Notepad and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyShredder]

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

Now go and delete the folder, if it's still there : C:\Program Files\SpyShredder

Delete SmitfraudFix. Not sure why it didn't see it, but nonetheless there we are.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please run a scan with AVG AntiSpyware now, and post the report from it in your reply, along with a new HijackThis log. How is it running now? :thumbsup:

Thanks, and see you tomorrow,
tea

#7 Apax

  • Topic Starter
  • Members
  • 8 posts

Posted 29 February 2008 - 08:06 AM

I was still getting the pop-ups this morning when I got on the internet. My antivirus software picked something up this morning. It didn't know if it was malicious or not. Here is where it was -

Suspicious file,WCSBOOKKEEPER,WABASH\smithc,Shield,2008.02.29. 07:44:59,C:\Program Files\Microsoft Office\Clipart\standard\stddir1\BD05625_.WMF: suspicious file. Not removed. Access to file: Denied.,Incident information:

Location: C:\Program Files\Microsoft Office\Clipart\standard\stddir1\BD05625_.WMF file
Killing method: Not removed
File access: Denied
Trigger user: WABASH\smithc
Proposed operation: open file
Date: 2008.02.29. 07:44:59


Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:34, on 2008-02-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apaches.k12.in.us/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {95A46130-8648-4B00-8046-E03C31DA6F13} - C:\WINDOWS\System32\cmdial3.dll
O2 - BHO: (no name) - {A06C055C-6CEA-4C6E-B488-5F49FEB14825} - C:\WINDOWS\System32\cmdial3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133792364358
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://boycesystems.webex.com/client/T23L/...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wabash.local
O17 - HKLM\Software\..\Telephony: DomainName = wabash.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA253CAC-9D3F-46A1-A972-2C2C3C5017F4}: NameServer = 165.139.24.235,165.138.176.1,165.139.1.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wabash.local
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Vexira Antivirus Component Manager Service (VACompManService) - Central Command, Inc. - C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 6228 bytes


AVG Spyware
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 08:01 2008-02-29

+ Scan result:

Nothing found.

::Report end

#8 Apax (Topic Starter, Members)

Posted 29 February 2008 - 09:48 AM

I have been using the computer for a while and I am still getting pop-ups for Cyberstroll.

#9 Apax (Topic Starter, Members)

Posted 29 February 2008 - 10:47 AM

I am also getting the following message: "A script on this page is causing Internet Explorer to run slowly. If it continues to run, your computer may become unresponsive. Do you want to abort the script? Out of memory at line 56"

#10 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 29 February 2008 - 10:17 PM

Hello,

We're not out of options yet:

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
Error reading poptart in Drive A: Delete kids y/n?

#11 Apax (Topic Starter, Members)

Posted 03 March 2008 - 07:50 AM

Good morning. I am sorry this is taking so long. I really appreciate your help. Here is the BitDefender report. I hope you're having a good day.

BitDefender Online Scanner

Scan report generated at: Mon, Mar 03, 2008 - 07:49:15

Scan path: A:\;C:\;D:\;E:\;

Statistics

Time
00:31:32

Files
184562

Folders
3355

Boot Sectors
3

Archives
7223

Packed Files
6647

Results

Identified Viruses
2

Infected Files
7

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
7


Engines Info

Virus Definitions
985004

Engine build
AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

Scan plugins
16

Archive plugins
41

Unpack plugins
7

E-mail plugins
6

System plugins
5

Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes

Scanned File
Status

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\6FAVUD6V\data[1]
Detected with: Adware.AVSystemCare.B

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\6FAVUD6V\data[1]
Disinfection failed

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\6FAVUD6V\data[1]
Deleted

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\EJEPO34X\CAWHMVC1.php
Detected with: Adware.AVSystemCare.B

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\EJEPO34X\CAWHMVC1.php
Disinfection failed

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\EJEPO34X\CAWHMVC1.php
Deleted

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\KD0DQNO5\CA7ES3RX.php
Detected with: Adware.AVSystemCare.B

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\KD0DQNO5\CA7ES3RX.php
Disinfection failed

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\KD0DQNO5\CA7ES3RX.php
Deleted

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\S5GFGVSZ\data[1]
Detected with: Adware.AVSystemCare.B

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\S5GFGVSZ\data[1]
Disinfection failed

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\S5GFGVSZ\data[1]
Deleted

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\UVAV6TOB\data[1]
Detected with: Adware.AVSystemCare.B

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\UVAV6TOB\data[1]
Disinfection failed

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\UVAV6TOB\data[1]
Deleted

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\YL5YRYXG\CA63SZVS.php
Detected with: Adware.AVSystemCare.B

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\YL5YRYXG\CA63SZVS.php
Disinfection failed

C:\Documents and Settings\smithc.000\Local Settings\Temporary Internet Files\Content.IE5\YL5YRYXG\CA63SZVS.php
Deleted

C:\System Volume Information\_restore{E7276E57-4F79-409F-B1A4-3D382C476E72}\RP3\A0000426.exe
Infected with: Trojan.Peed.Gen

C:\System Volume Information\_restore{E7276E57-4F79-409F-B1A4-3D382C476E72}\RP3\A0000426.exe
Disinfection failed

C:\System Volume Information\_restore{E7276E57-4F79-409F-B1A4-3D382C476E72}\RP3\A0000426.exe
Deleted

#12 Apax (Topic Starter, Members)

Posted 03 March 2008 - 11:43 AM

Side note here. Since running that last scan, I have not been receiving any pop-ups or "line 56" errors. It seems to be running fine at this moment.

#13 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 03 March 2008 - 02:01 PM

Hello,

That's great to know! :blink: No need to be sorry. We've actually done quite well, given how stubborn this has been for you. Go ahead and delete SmitfraudFix.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, and SP2, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. Your current versions are outdated. I cannot stress enough how important this is.

Please let me know how this went, and we'll finish up here. :thumbsup:

Thanks,
tea

#14 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 13 March 2008 - 03:33 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.