Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Adware.w32.expdwnldr / "securepccleaner.com" / "trustedantivirus.com"


  • Please log in to reply
18 replies to this topic

#1 andrewjneis

andrewjneis

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 29 February 2008 - 09:05 PM

Hi, I was hoping someone could help me. I'm getting fake security alerts in the system tray that say I might be infected with spyware, followed by a popup IE window that will go to one of these sites:
http: //intervarioclick.com/
http: //pcsupercharger.com/
http: //securepccleaner.com/
http: //trustedantivirus.com/
http: //gomyhit.com/
http: //gomyron.com/
http: //alphase.net/index.htm
http: //privacy.pcprivacytool.com/
http: //filterprogram.com/
http: //securepccleaner.com/

Once in a while I'll get the window that says "Trojan.Adware.W32.ExpDwnldr spyware detected on your computer!..."
One other time, I got a little popup window that said "time to die"

I've read all the forums on this issue and I've found other people who have the same problem as me. I haven't installed anything from any of the sites, it's just popups. I've done all the steps from other user's posts, but nothing has been able to fix the problem. I've been using Norton Internet Security 2008, McAfee SecurityCenter 2008, Spybot S&D, Adaware 2007, SpySweeper...everything. I can't get rid of it.

Can anyone please help me? Thank you.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:09 PM

Posted 29 February 2008 - 10:22 PM

Hello and welcome to BC !!
Please follow the instructions in our Tutorial
How to Remove WinFixer / Virtumonde

Next Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opers browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt
.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions,post log and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 andrewjneis

andrewjneis
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 03 March 2008 - 08:29 PM

THANK YOU! I'm scanning with Vundo right now. We'll see what happens in a bit...

Quick questions about this virus: 1) Is it actual SPYware, or just ADware? 2) How dangerous is it? (Since I got that "time to die" message, I was assuming that someone was able to send personal windows to my computer and therefore was able to have remote access of my computer.) 3) Where does it come from, like what kind of sites or what? I never went to any of those sites so I have no idea where I got it.

Thank you. I'll post my log in a few minutes here.

:thumbsup: Thanks guys

Edited by andrewjneis, 03 March 2008 - 08:31 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:09 PM

Posted 03 March 2008 - 09:48 PM

Hello,will await the logs. Also Please post the contents of C:\vundofix.txt in your next reply.

1) More spyware it's a Trojan downloader: A high risk malware at some point.
A Trojan is a piece of software that appears to be harmless but is actually harmful to your computer. This software can be disgused as a useful tool, but in reality be a virus or a tool to allow a hacker to remotely connect to your computer.
Trojan-Downloader: attempts to download and install other malware onto the affected system.
Originally it just wants you to go and buy Rogue malware tools.but..

2) If your computer is infected by Adware.W32.ExpDwnldr and hijacked to unfamiliar webpages , then your computer in trouble because it does transfer back and forth information from the infected computer which makes it a potential for application/data theft.

A closer examination reveals that the input box is an image and the cursor is an animation so of course nothing appears in the box as you type. Clicking the fix button directs you to the vendor’s Web page where you can use your newly repaired keyboard to enter your credit card details and purchase the rogue application in question.

To add a touch of authenticity, the Web sites selling misleading applications often show lists of threat names that are detected by their products or threats that have recently been detected by them in the wild. These names may appear legitimate at a quick glance, but they are usually malformed versions of real threat names or just totally fake.

http://www.symantec.com/enterprise/securit...islead_you.html
3) Could be from an infected Email attachment. Infected P2p file . Just clicking on pages of recommended malware solutions on sites or pages that are really bogus already.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 andrewjneis

andrewjneis
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 04 March 2008 - 02:53 PM

Thank you for the information!

Okay, here's the reports from Vundo fix, Virtumundo, and SuperAntiSpyware. Neither of them found anything.

VundoFix V6.7.10

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 5:09:39 PM 3/3/2008

Listing files found while scanning....

No infected files were found.


[03/04/2008, 11:59:50] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Andrew Neis\Desktop\VirtumundoBeGone.exe" )
[03/04/2008, 11:59:55] - Detected System Information:
[03/04/2008, 11:59:55] - Windows Version: 5.1.2600, Service Pack 2
[03/04/2008, 11:59:55] - Current Username: Andrew Neis (Admin)
[03/04/2008, 11:59:55] - Windows is in NORMAL mode.
[03/04/2008, 11:59:55] - Searching for Browser Helper Objects:
[03/04/2008, 11:59:55] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/04/2008, 11:59:55] - BHO 2: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} ()
[03/04/2008, 11:59:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 11:59:55] - Checking for HKLM\...\Winlogon\Notify\coIEPlg
[03/04/2008, 11:59:55] - Key not found: HKLM\...\Winlogon\Notify\coIEPlg, continuing.
[03/04/2008, 11:59:55] - BHO 3: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} (Symantec Intrusion Prevention)
[03/04/2008, 11:59:55] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/04/2008, 11:59:55] - BHO 5: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[03/04/2008, 11:59:55] - BHO 6: {BCF562C8-9EC0-4233-903B-BD5BAEE3F74E} ()
[03/04/2008, 11:59:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/04/2008, 11:59:55] - Checking for HKLM\...\Winlogon\Notify\cdmode
[03/04/2008, 11:59:55] - Key not found: HKLM\...\Winlogon\Notify\cdmode, continuing.
[03/04/2008, 11:59:55] - Finished Searching Browser Helper Objects
[03/04/2008, 11:59:55] - Finishing up...
[03/04/2008, 11:59:55] - Nothing found! Exiting...


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/04/2008 at 11:26 AM

Application Version : 4.0.1154

Core Rules Database Version : 3413
Trace Rules Database Version: 1405

Scan type : Complete Scan
Total Scan Time : 03:45:08

Memory items scanned : 158
Memory threats detected : 0
Registry items scanned : 5946
Registry threats detected : 0
File items scanned : 175974
File threats detected : 0

Edited by andrewjneis, 04 March 2008 - 03:00 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:09 PM

Posted 04 March 2008 - 04:00 PM

It looks clean are the alerts gone?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Plattform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 andrewjneis

andrewjneis
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 04 March 2008 - 04:51 PM

That's the thing - everything I've tried says my system is clean. But the popups are still not gone.

I just updated Java and tried it. I still get pop-ups from those sites. I haven't seen a fake alert in a while though.

Do you think it could be a modified version of this virus? Like someone altered a few lines of code or something to make it not recognizable by scanners? Also the behavior of this virus...most people say they either have the fake security alerts and the hijacked homepage, or the constant pop-ups and a hijacked desktop. I have an odd combination of the two: Fake Security alerts and pop-ups once or twice the duration the computer is on until it's turned off and on again. I don't have any hijacked homepage or desktop. And on top of it, everything I've tried cannot find the spyware.

Smitfraudfix says my system is clean too...

Edited by andrewjneis, 04 March 2008 - 04:57 PM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:09 PM

Posted 04 March 2008 - 06:58 PM

As I didn't give you the Smitfraud instructions did you run it like this? Step 1 from norma mode and then step 2 If needed from safe mode?
Step 1
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Step 2
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 andrewjneis

andrewjneis
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 04 March 2008 - 07:17 PM

I did the smitfraud instructions from another user who posted the same problem as me. I'll do it again right now, but here was my previous rapport from the first time.
The funny thing was, like you mentioned, it DID remove my desktop background, even though my computer is infected!

Sorry this rapport is so long. It lists ALL these websites, hundreds of which I never went to. I also found those same entries in my registry when I was trying to clean it out. I was wondering if someone had somehow gotten onto my computer while I was gone and went to every porn site imagineable.
Here is a thought I had, I thought that the spyware is somehow logging these pages as its own pop-up address for when it wants to. Another interesting thing I noticed is how similar some of the site names are: "Yootube", but not "youtube". Fake websites? What do you think?

SmitFraudFix v2.290

Scan done at 0:03:51.12, Mon 02/18/2008
Run from G:\Program Files\Program installers\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
(deleted entries between here since post was too long)
127.0.0.1 180solutions.com
127.0.0.1 www.181.365soft.info
127.0.0.1 181.365soft.info
127.0.0.1 www.adult777search.info
127.0.0.1 adult777search.info
127.0.0.1 www.adultan.com
127.0.0.1 adultan.com
127.0.0.1 www.adult-engine-search.com
127.0.0.1 adult-engine-search.com
127.0.0.1 www.adult-erotic-guide.net
127.0.0.1 adult-erotic-guide.net
127.0.0.1 www.adultfilmsite.com
127.0.0.1 adultfilmsite.com
127.0.0.1 www.adult-friends-finder.net
127.0.0.1 www.adult-mpg.net
127.0.0.1 adult-mpg.net
127.0.0.1 adult-personal.us
127.0.0.1 adultsonlyvids.com
127.0.0.1 www.adultsper.com
127.0.0.1 adultsper.com
127.0.0.1 www.advertising-money.info
127.0.0.1 advertising-money.info
127.0.0.1 ad-ware.cc
127.0.0.1 www.ad-w-a-r-e.com
127.0.0.1 ad-w-a-r-e.com
127.0.0.1 www.a-d-w-a-r-e.com
127.0.0.1 a-d-w-a-r-e.com
127.0.0.1 www.adwarebazooka.com
127.0.0.1 adwarebazooka.com
127.0.0.1 www.adwarecommander.com
127.0.0.1 antispylab.com
127.0.0.1 www.antispysolutions.com
127.0.0.1 antispysolutions.com
127.0.0.1 www.antispyware.com
127.0.0.1 antispyware.com
127.0.0.1 www.antispywareboot.com
127.0.0.1 antispywareboot.com
127.0.0.1 www.antispywarebot.com
127.0.0.1 antispywarebot.com
127.0.0.1 www.antispywarebox.com
127.0.0.1 biz.biz
127.0.0.1 www.bkvcompany.com
127.0.0.1 bkvcompany.com
127.0.0.1 www.blackblues00.com
127.0.0.1 blackblues00.com
127.0.0.1 www.blackcodec.net
127.0.0.1 blackcodec.net
127.0.0.1 www.blackhats.tc
(deleted entries between here since post was too long)
127.0.0.1 www.spycrush.com
127.0.0.1 spycrush.com
127.0.0.1 www.SpyCut.com
127.0.0.1 SpyCut.com
127.0.0.1 www.spydawn.com
127.0.0.1 spydawn.com
127.0.0.1 www.spydeface.com
127.0.0.1 spydeface.com
127.0.0.1 www.spydefence.com
127.0.0.1 spydefence.com
127.0.0.1 www.spydefenderpro.com
127.0.0.1 spydefenderpro.com
127.0.0.1 www.spyfalcon.com
127.0.0.1 spyfalcon.com
127.0.0.1 www.spyfalconupdate.com
127.0.0.1 spyfalconupdate.com
127.0.0.1 www.spyheal.com
127.0.0.1 spyheal.com
127.0.0.1 www.spyiblock.com
127.0.0.1 spyiblock.com
127.0.0.1 www.spylocked.com
127.0.0.1 spylocked.com
127.0.0.1 www.spylog.com
(Deleted entries between here since post was too long)
127.0.0.1 www1.beruijindegunhadesun.com
127.0.0.1 www2.p0rt2.com
127.0.0.1 www.www2.p0rt2.com
127.0.0.1 www224.paypopup.com
127.0.0.1 wwwadobe-download-now.com
127.0.0.1 www-audacity.com
127.0.0.1 wwwCrazygirls-world.com
127.0.0.1 wwwdownloadwizard.com
127.0.0.1 www-spyboot.com
127.0.0.1 www.www-spyboot.com
127.0.0.1 www.www-Spybot.net
127.0.0.1 xcomics4u.com
127.0.0.1 www.xcorriere.it
127.0.0.1 xcorriere.it
127.0.0.1 www.xerocodec.com
127.0.0.1 www.xpasswordmanager.com
127.0.0.1 www.x-porngalleries.com
127.0.0.1 x-porngalleries.com
127.0.0.1 www.x-pornmoviez.com
127.0.0.1 x-pornmoviez.com
127.0.0.1 www.x-pornmovz.com
127.0.0.1 x-pornmovz.com
127.0.0.1 www.x-prnmoviez.com
127.0.0.1 x-prnmoviez.com
127.0.0.1 xp-vista.com
127.0.0.1 www.xp-vista.com
127.0.0.1 x-ratedclips.com
127.0.0.1 www.x-ratedclips.com
127.0.0.1 www.xrdenterprise.com
127.0.0.1 xsex.ws
127.0.0.1 xsremover.com
127.0.0.1 www.xsremover.com
127.0.0.1 xtipp.de
127.0.0.1 xxxallvideo.com
127.0.0.1 www.xxxallvideo.com
127.0.0.1 xxxcategories.com
127.0.0.1 xxxemailxxx.com
127.0.0.1 xxxmovietour.com
127.0.0.1 www.xxxmovietour.com
127.0.0.1 www.xxxpornmovs.com
127.0.0.1 xxxpornmovs.com
127.0.0.1 xxxteenfilm.com
127.0.0.1 www.xxxteenfilm.com
127.0.0.1 xxxtoolbar.com
127.0.0.1 xxxzonevideo.com
127.0.0.1 www.xxxzonevideo.com
127.0.0.1 www.xyzlimited.com
127.0.0.1 yahoo.downloadznow.net
127.0.0.1 yahoo.panet.org
127.0.0.1 y-e-l-l-o-w.com
127.0.0.1 yellow500.com
127.0.0.1 www.ygoogle.it
127.0.0.1 ygoogle.it
127.0.0.1 yoogee.com
127.0.0.1 www.yoogle.it
127.0.0.1 yoogle.it
127.0.0.1 yootube.info
(You get the idea of what kinds of websites were here. There were hundreds.)

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: AT&T Plug&Share 108Mbps Wireless PCI Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 206.13.28.12
DNS Server Search Order: 63.203.35.55

Description: AT&T Plug&Share 108Mbps Wireless PCI Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2B6DA277-DF39-4406-9A88-C6EEC61639A9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B0DBD404-B2DD-4F9B-B8DB-865B39A9C16E}: DhcpNameServer=206.13.28.12 63.203.35.55
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2B6DA277-DF39-4406-9A88-C6EEC61639A9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B0DBD404-B2DD-4F9B-B8DB-865B39A9C16E}: DhcpNameServer=206.13.28.12 63.203.35.55
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2B6DA277-DF39-4406-9A88-C6EEC61639A9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B0DBD404-B2DD-4F9B-B8DB-865B39A9C16E}: DhcpNameServer=206.13.28.12 63.203.35.55
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=206.13.28.12 63.203.35.55
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=206.13.28.12 63.203.35.55
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=206.13.28.12 63.203.35.55


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by andrewjneis, 04 March 2008 - 07:53 PM.


#10 andrewjneis

andrewjneis
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 04 March 2008 - 07:25 PM

Here is my second try at SmitFraudFix. Here is the post for Step 1:

SmitFraudFix v2.300

Scan done at 16:22:12.91, Tue 03/04/2008
Run from C:\Documents and Settings\Andrew Neis\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Realtek\Realtek Wireless LAN Utility\RtlWake.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Microsoft Office\Office\Winword.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Andrew Neis


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Andrew Neis\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ANDREW~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: AT&T Plug&Share 108Mbps Wireless PCI Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 206.13.28.12
DNS Server Search Order: 63.203.35.55

Description: AT&T Plug&Share 108Mbps Wireless PCI Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2B6DA277-DF39-4406-9A88-C6EEC61639A9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B0DBD404-B2DD-4F9B-B8DB-865B39A9C16E}: DhcpNameServer=206.13.28.12 63.203.35.55
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2B6DA277-DF39-4406-9A88-C6EEC61639A9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B0DBD404-B2DD-4F9B-B8DB-865B39A9C16E}: DhcpNameServer=206.13.28.12 63.203.35.55
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2B6DA277-DF39-4406-9A88-C6EEC61639A9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B0DBD404-B2DD-4F9B-B8DB-865B39A9C16E}: DhcpNameServer=192.168.17.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=206.13.28.12 63.203.35.55
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=206.13.28.12 63.203.35.55
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.17.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#11 andrewjneis

andrewjneis
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 04 March 2008 - 07:44 PM

Here is my post for step 2.

SmitFraudFix v2.300

Scan done at 16:31:03.11, Tue 03/04/2008
Run from C:\Documents and Settings\Andrew Neis\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
(And on and on with the websites here...)
»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2B6DA277-DF39-4406-9A88-C6EEC61639A9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2B6DA277-DF39-4406-9A88-C6EEC61639A9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2B6DA277-DF39-4406-9A88-C6EEC61639A9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B0DBD404-B2DD-4F9B-B8DB-865B39A9C16E}: DhcpNameServer=192.168.17.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.17.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:09 PM

Posted 04 March 2008 - 08:06 PM

Amazing ,I'll be back to you shortly.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 andrewjneis

andrewjneis
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 04 March 2008 - 08:49 PM

I know, it is amazing, huh? Never seen anything like this before.
Thank you so much for your help. I'll await your reply.

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:09 PM

Posted 04 March 2008 - 08:50 PM

Let's do 2 more things here. Perhaps the Teatimer function of SpyBot is causing interference. Let's tempoarily disable it. Then you can run scans again.

You can disable TeaTimer 2 ways

To disable TeaTimer and remove its startup entry:
Go into Spybot > Mode > Advanced Mode > Tools > Resident
Uncheck (if checked) the following:
Resident "TeaTimer" (Protection of over-all system settings) Active.

To temporarally close TeaTimer and restart it later:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
TeaTimer closes.

Restart TeaTimer:
Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
Double click TeaTimer.exe to start it.

Reboot is NOT necessary for the change to take effect.

http://forums.spybot.info/showthread.php?t=2827


Run this new scan.
Please download ATF Cleanerby Atribune and Dr.Web CureIt save them your desktop. DO NOT perform a scan yet.

Reboot your computer in Safe Mode.
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opers browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Now scan with Dr.Web CureIt *Double-click on Cureit.exe to start the program. (ignore any prompts to update or check for a new version)
*When the Dr.Web opens, an Express Scan of your PC notice will appear.
*Under Start the Express Scan Now, Click OK to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
*Once the short scan has finished, Click Options > Change settings
*Choose the Scan tab and UNcheck "Heuristic analysis"
*Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
*Then click the Start/Stop Scanning button (green arrow on the right) and the scan will start.
*When done, a message will be displayed at the bottom advising if any viruses were found.
*Click Yes to all if it asks if you want to cure/move the file.
*When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select Move incurable.
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
*Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
*Save the DrWeb.csv report to your desktop. (You can use Notepad to open the DrWeb.cvs report)
*Exit Dr.Web Cureit when done.
*Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
*After reboot, post the contents of the log from Dr.Web in your next reply.
Again tell us how the machine is doing.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 andrewjneis

andrewjneis
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:09 AM

Posted 06 March 2008 - 06:33 PM

DR. Web Cure it log:

Process.exe;C:\Documents and Settings\Andrew Neis\Desktop\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Documents and Settings\Andrew Neis\Desktop\SmitfraudFix;Tool.ShutDown.11;Moved.;
A0000046.exe;C:\System Volume Information\_restore{2F363FB9-2305-4EA5-B6A1-ACC1A5A63B42}\RP1;Trojan.Virtumod;Deleted.;
A0000047.exe;C:\System Volume Information\_restore{2F363FB9-2305-4EA5-B6A1-ACC1A5A63B42}\RP1;Trojan.DownLoader.26881;Deleted.;
A0008874.exe;C:\System Volume Information\_restore{2F363FB9-2305-4EA5-B6A1-ACC1A5A63B42}\RP29;Trojan.Fakealert;Deleted.;
A0009738.dll;C:\System Volume Information\_restore{2F363FB9-2305-4EA5-B6A1-ACC1A5A63B42}\RP31;Trojan.DownLoader.origin;Incurable.Moved.;
A0016402.reg;C:\System Volume Information\_restore{2F363FB9-2305-4EA5-B6A1-ACC1A5A63B42}\RP50;Trojan.StartPage.1505;Deleted.;
A0005530.dll;C:\System Volume Information\_restore{2F363FB9-2305-4EA5-B6A1-ACC1A5A63B42}\RP9;Adware.Comet;Moved.;
A0009755.exe;G:\System Volume Information\_restore{2F363FB9-2305-4EA5-B6A1-ACC1A5A63B42}\RP31;Tool.ShutDown.11;Moved.;

I still have popups, I'm getting two pop-ups a session now. The first one goes to Securepccleaner, and then within a few seconds the second will go to Gomyron.com. But it'll shuffle through trustedantivirus and intervarioclick before getting to those.
Should I go into the quarantine folder and delete those moved files?

Thanks!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users