Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pop-ups, Warning On Desktop, Please Help!


  • This topic is locked This topic is locked
9 replies to this topic

#1 favre04

favre04

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:18 AM

Posted 07 March 2008 - 01:59 PM

New to the community, looks lik a excellence place to resolve issues! I run Windows XP on my LAPTOP, let my daughter on it the other day, and there was a warning on the desktop that It was infected with spyware....I found the below post (Smitfraudfix) in this forum and did that, It got rid of the warning on the desktop but my computer is still having various popups. I downloaded google toolbar to stop the popups with no luck. Also got Spybot & Adware 2007, ran those programs. Spybot and Adware finds stuff, deletes them but the the issues still keep showing up over and over when I run Adware and no luck still stopping the popups. Also ran Norton and it finds issues (cant remember which types) but it says it cannot delete for some odd reason. I also went into my add/remove programs, and deleted various things that I knew wasnt right. Any help guys? Thanks


Download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.

BC AdBot (Login to Remove)

 


#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:18 AM

Posted 07 March 2008 - 06:27 PM

Hi favre04 and welcome to Bleeping Computer.

Let's try something else:
Hopefully this will get you sorted.

Step 1
Download and scan with SUPERAntiSypware Free for Home Users
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.

    Now close SuperantiSpyware down.

    Next, please reboot your computer in Safe Mode by doing the following :

    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, a menu with options should appear;
    You will need to use the 'keyboard arrow keys' to navigate on this menu.
    * Select the first option, to run Windows in Safe Mode, then press "Enter".
    * Then choose your usual account.

    Restart SuperantiSpyware
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Step 2
Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy & Paste the entire report in your next reply.

Post both the reports here if you want and we'll take a look for you.

BBPP6nz.png


#3 favre04

favre04
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:18 AM

Posted 08 March 2008 - 12:32 AM

Ok thanks, did what you suggested, Here's the results from superantispyware:

PERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/07/2008 at 10:10 PM

Application Version : 4.0.1154

Core Rules Database Version : 3416
Trace Rules Database Version: 1408

Scan type : Complete Scan
Total Scan Time : 01:35:55

Memory items scanned : 164
Memory threats detected : 2
Registry items scanned : 4527
Registry threats detected : 26
File items scanned : 50365
File threats detected : 110

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\EFCYYAX.DLL
C:\WINDOWS\SYSTEM32\EFCYYAX.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\efcyyax
C:\WINDOWS\SYSTEM32\GEBAWTT.DLL
C:\WINDOWS\SYSTEM32\WVUTUSP.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\JKHFE.DLL
C:\WINDOWS\SYSTEM32\JKHFE.DLL

Trojan.Service
[MDNS] C:\WINDOWS\SYSTEM32\SERVICE.EXE
C:\WINDOWS\SYSTEM32\SERVICE.EXE
C:\WINDOWS\Prefetch\SERVICE.EXE-396E850B.pf

Adware.ClickSpring
[Snte] C:\DOCUME~1\ADMINI~1\APPLIC~1\MCROSO~1\ATTRIB.EXE
C:\DOCUME~1\ADMINI~1\APPLIC~1\MCROSO~1\ATTRIB.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MCROSO~1\ATTRIB.EXE
C:\Documents and Settings\Administrator\Application Data\PPATCH~1\CANREG~1.EXE

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{5734019B-B549-4BE2-B775-89BBDF6421F7}
HKCR\CLSID\{5734019B-B549-4BE2-B775-89BBDF6421F7}
HKCR\CLSID\{5734019B-B549-4BE2-B775-89BBDF6421F7}\InprocServer32
HKCR\CLSID\{5734019B-B549-4BE2-B775-89BBDF6421F7}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{ED120D76-BF31-412C-A99B-783C6676E128}
HKCR\CLSID\{ED120D76-BF31-412C-A99B-783C6676E128}
HKCR\CLSID\{ED120D76-BF31-412C-A99B-783C6676E128}\InprocServer32
HKCR\CLSID\{ED120D76-BF31-412C-A99B-783C6676E128}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5734019B-B549-4BE2-B775-89BBDF6421F7}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED120D76-BF31-412C-A99B-783C6676E128}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{ED120D76-BF31-412C-A99B-783C6676E128}
HKCR\CLSID\{ED120D76-BF31-412C-A99B-783C6676E128}

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{AFFD906B-CFD5-4D93-9760-499C459ED0BA}
HKCR\CLSID\{AFFD906B-CFD5-4D93-9760-499C459ED0BA}
HKCR\CLSID\{AFFD906B-CFD5-4D93-9760-499C459ED0BA}\InprocServer32
HKCR\CLSID\{AFFD906B-CFD5-4D93-9760-499C459ED0BA}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEBYV.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFFD906B-CFD5-4D93-9760-499C459ED0BA}

Adware.AdBlaster
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}

AdBars BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@webstat[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ig[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@enhance[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sportsad.adbureau[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@firstpremierbankcard.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@exitexchange[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@go[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@electronicarts.112.2o7[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@66702201[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@eyewonder[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adecn[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@richmedia.yahoo[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@1071486122[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sportingnews.122.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@findwhat[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@server.lon.liveperson[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@a.websponsors[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.epilot[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediatraffic[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@anat.tacoda[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[4].txt
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@publishers.clickbooth[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@anad.tacoda[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adinterax[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.domainsuite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads2.k8l[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adsby.zwoops[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@anat.tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cbs.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@consumergain[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@eb.adbureau[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-dig.hitbox[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@electronicarts.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@eyewonder[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@indextools[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@partner2profit[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@richmedia.yahoo[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@scottrade.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.adtrak[2].txt

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount

Adware.ClickSpring/Outer Info Network
C:\Program Files\Outerinfo

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

Adware.webHancer
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DO3FJPG0\SYSWCC32[1].EXE

Rogue.Unclassified/Loader
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\QSL7FA9F\BUCKBRO[1].EXE

Adware.k8l
C:\PROGRAM FILES\MICROSOFT FRONTPAGE\RTESEKI.HTML

Trojan.Unclassified/17PHolmes-A
C:\WINDOWS\17PHOLMES572.EXE

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\EFHKJ.INI
C:\WINDOWS\SYSTEM32\EFHKJ.INI2
C:\WINDOWS\SYSTEM32\VYBEG.INI

Adware.Rabio Search Enhancer
C:\WINDOWS\SYSTEM32\K8\RAVECOM3.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3V1E6UZV\17PHolmes[1].cmt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5XBN6WIP\ctxad-576[1].0005
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\9SXKH3UQ\ctxad-576[1].0000
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X4LHRDLJ\ctxad-576[1].0002
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VZLTXTTY\ctxad-576[1].sig
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VVP5DDXE\ctxad-576[1].0004
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QSL7FA9F\ctxad-576[1].0001
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\36UG8QNG\17PHolmes[1].cmt

Edited by favre04, 08 March 2008 - 12:34 AM.


#4 favre04

favre04
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:18 AM

Posted 08 March 2008 - 12:34 AM

And heres the results from F-Secure:

Scanning Report
Friday, March 07, 2008 22:25:48 - 23:29:41
Computer name: PC103273241221
Scanning type: Scan system for malware, rootkits
Target: C:\

Result: 14 malware found
AdWare.Win32.Agent (spyware)
System
AdWare.Win32.Rabio (spyware)
System
Malware.CDHW (virus)
C:\WINDOWS\SYSTEM32\000070.EXE
RiskTool.Win32.Reboot (spyware)
System
Rootkit.Win32.Agent.to (virus)
System
Tracking Cookie (spyware)
System
Trojan-Clicker.Win32.VB.agg (virus)
System
C:\WINDOWS\SYSTEM32\EXPLORER.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\RZCDDSUU\080302[1].EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.imu (virus)
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\I0JQBJL6\WAVVSNET[1].EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.cws (virus)
System
C:\WINDOWS\GFHY45JUYHGR.EXE
C:\WINDOWS\SYSTEM32\RFHDFHW.EXE
W32/DLoader.FRDU (virus)
C:\WINDOWS\QUIT.EXE (Submitted)

Statistics
Scanned:
Files: 36675
System: 3162
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 2
Deleted: 0
None: 12
Submitted: 3
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\MSPQMM.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:
F-Secure USS: 2.20.0
F-Secure Hydra: 2.6.7470, 2008-03-07
F-Secure AVP: 7.0.171, 2008-03-07
F-Secure Pegasus: 1.20.0, 2008-02-03
F-Secure Blacklight: 1.0.64
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

Thanks for your help!!!!

#5 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:18 AM

Posted 08 March 2008 - 03:10 AM

Hi favre04

I see results for 'Purity' in your scan results.
Let's just check that there's no others lingering on your system.

Step 1
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs. From within Add/Remove Programs highlight any of the following programs (if listed) and select "Remove".

ClickSpring
Cowabanga by OIN
ipwindows / ipwins
MediaTickets
MediaTickets by OIN
OIN
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX By OIN
Yazzle Cowabanga by OIN
Yazzle Kobe :filtered:! By OIN
Yazzle Picster by OIN
Yazzle Sudoku by OIN
Yazzle Snowballwars by OIN
Yazzle Kobe Balls! by OIN
Zolero Translator
or anything similar with OIN, Outer Info or Yazzle in them.


Important! Reboot when done.

Open My Computer or Windows Explorer, navigate to C:\Program Files and delete any of the named program folders listed above that you find (if they still exist).

Step 2
I think a good clean up is in order as well.

Please download ATF Cleaner by Atribune. (This program is for XP, Windows 2000 and Vista only)Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If running on Vista.... please right click on the ATF icon ( on your desktop) and select: Run as Administrator.

Let us know how things are now.
Thanks.

BBPP6nz.png


#6 favre04

favre04
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:18 AM

Posted 08 March 2008 - 12:45 PM

Ok finished,,,,, Nah, still popups.......it seemed to be ok, but I shut down and restarted and now I just had the below pop up that just come up, (along with others)....with page cannot be displayed, Also upon startup it takes awhile (2-3 minutes) for windows to load (Icons to show up on desktop). It was fast loading before I started having problems. Thanks for your help!!!



[=http://72.52.211.87:8080/Gateway/landing.php?gateway=1&publisher=pub_14&subid=823692478&destination=aHR0cDovL2MuZW5oYW5jZS5jb20vYz9lMT1lQ0pVdU9SWmRSZ1FrdFcwcGp3WGNnRmpBMlhZM2dEdmowMHNVbUdZemhVQUZGWUNsWWRXUlcyR2ZBMWVYcGYwUTJxaGFjNHRsYTNzQlUycXR3eWNhTjJxMEVrcEtkVWxYRVhqem1MTVl5cVE1UnBybFVTU29rdXdrd0VmSGhHeXhhRHFGU1hqR0Exb2VjRnR4QXcyUmwxWFlRUDVIcFNlcHI1YTB5UGFiTHR6a1piRG9zY1h0NXhUeFpIRTFjUFNTaVd5MFZOM0VubmVEcGtYMlljRXJMYUY0T0xvMzNza2xPMEJWUUQwZkxWcWxkemhIb3Zha1p0QnVJeHFUYVVoUTFXdWdKTmNyRWRSd3ZjTnlYalZyRU9FM29JMVBJdTFZQWxwcmdhcXNhaDFIU3EweFZxcnRYZVBTT29kWnFIQ3pjY3J5MHZNTW5NTTNVSUp0UkJETlc1aEZBbkNFSUJCVW0zR29iSGJHRGNCam1LcE4xUHgza0tDWnJFbVJSTyZoPXNGTER5M3N2WHluYnNRQkhXJmI9Mj
EzMjc0Mg==]http://72.52.211.87:8080/Gateway/landing.p...mI9MjEzMjc0Mg==



I also get this popup alot...

//c5.zedo.com/jsc/c5/ff2.html?n=377;c=99;s=36;d=27;w=1024;h=768]http://c5.zedo.com/jsc/c5/ff2.html?n=377;c...27;w=1024;h=768[/url]]http://c5.zedo.com/jsc/c5/ff2.html?n=377;c...27;w=1024;h=768[/url]


AND Norton just alerted me that a malicious script was detected and asked me what to do right when the ZEDO popup came up, I stopped the script which was recommended

Edited by favre04, 08 March 2008 - 01:37 PM.


#7 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:18 AM

Posted 08 March 2008 - 01:47 PM

Hi favre04

In your 1st post you quoted the instructions for SmitfraudFix.... did you actually run this program?

If not..........
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Don't run option 2 yet, just do this and post the report back.

BBPP6nz.png


#8 favre04

favre04
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:18 AM

Posted 08 March 2008 - 01:57 PM

Yes I ran smitfraud the other day...Heres the results from option #1

mitFraudFix v2.300

Scan done at 12:55:20.04, Sat 03/08/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process


hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Administrator


C:\Documents and Settings\Administrator\Application Data


Start Menu





Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS



Scanning for wininet.dll infection


End

#9 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:18 AM

Posted 08 March 2008 - 02:51 PM

Oh well, not much point in running 'option 2' then.
You can see from the SAS report and the F-Secure report that your computer was very infected.
We can only do so much here, if you were to post a Hjt Log we would have access to a lot more tools.
There's obviously still a lot going on in the background here.

I suggest you post a HijackThis log for examination.
A member of the HijackThis Team will walk you through, step by step, how to disinfect your computer.

Read the Preparation Guide before posting a HijackThis Log.
Please read, and follow, all directions carefully

Run a log, and post it in the HijackThis Logs and Analysis forum.

Do not, post it in this topic.
Do not, fix anything, yet.
A member, of the HJT Team, will help you out.
It may take a while to get a response from the HJT Team, because they are very busy. Please, be patient, as these people are volunteers. They will help you, as soon as possible.

NOTE:
Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.


If you haven't heard back from them in 5 days, go to this topic, Haven't Had A Reply In Five Days?, and carefully follow all directions.

BBPP6nz.png


#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,911 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:18 AM

Posted 15 March 2008 - 08:58 PM

Now that you have your log posted here: http://www.bleepingcomputer.com/forums/t/135449/various-pop-upsunknown-virus-problem/ I am closing this topic to avoid confusion. If you still have issues once you have been cleared by the HJT Team, PM a moderator to reopen the topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users