Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ie Monster


  • This topic is locked This topic is locked
11 replies to this topic

#1 helplease

helplease

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 20 March 2008 - 03:38 PM

Hey i was just wondering if anyone could help me out

my desktop has 2 icons on it saying
Uncensored Porn and bdsm Gallery
There are pop ups saying i have spyware.IEMonster.b.Spyware.IEMonster.b and
adwarezlob.Porn-advertiser.ba
there are also security warnings

I have Verizon internet security suite and i haver been running scans on that and i have ad-aware 2007 that i have been
running scans on as well


Nothing is working so if anyone else has a suggestion felll free to share it

Here is one of my security suite scans
Verizon Internet Security Suite Anti-Spyware
Spyware Report (3/19/2008 10:09:13 PM)
Scan Target Scanned Items Detected Spyware Items
Local Disk (C:) 69321 17
Cookies 278 5
Registry 27552 4
Memory 37 0
Total 97188 26



Spyware Type Item Action
CyberTrader Pro-Market Spyware cookie C:\Documents and Settings\Annalise\cookies\annalise@pro-market[2].txt Delete
Data.Coremetrics.com Spyware cookie C:\Documents and Settings\Annalise\cookies\annalise@data.coremetrics[1].txt Delete
Nebuler S Registry hkey_local_machine \software\microsoft\mssmgr Quarantine
euroclick.com Spyware cookie C:\Documents and Settings\Annalise\cookies\annalise@adopt.euroclick[1].txt Delete
adbureau.net Spyware cookie C:\Documents and Settings\Annalise\cookies\annalise@tremor.adbureau[1].txt Delete
adecn.com Spyware cookie C:\Documents and Settings\Annalise\cookies\annalise@adecn[2].txt Delete
VirusProtect 3.8 Registry hkey_local_machine \software\microsoft\windows\currentversion\explorer\browser helper objects\{f10587e9-0e47-4cbe-84ae-7dd20b8684bb} Quarantine
Crushpy P Application C:\WINDOWS\system32\drvfom.dll Quarantine
Crushpy P Application C:\WINDOWS\system32\drvjul.dll Quarantine
Crushpy P Application C:\WINDOWS\system32\drvvoh.dll Quarantine
Crushpy P Application C:\WINDOWS\Temp\gos1AC.tmp Quarantine
Crushpy P Application C:\WINDOWS\Temp\gosD9.tmp Quarantine
Aflac L Application C:\WINDOWS\system32\drvfomr.dll Quarantine
Aflac L Application C:\WINDOWS\system32\drvjulr.dll Quarantine
PidinBot A Application C:\WINDOWS\system32\winupdate.exe Quarantine
PidinBot A Application C:\WINDOWS\Temp\win19E.exe Quarantine
PidinBot A Application C:\WINDOWS\Temp\winD4.exe Quarantine
Virtumonde OS Application C:\WINDOWS\system32\nnnkjih.dll Quarantine
Virtumonde OS Application C:\WINDOWS\system32\opnnlli.dll Quarantine
Aflac Q Application C:\WINDOWS\system32\drvnob.dll Quarantine
Aflac Q Application C:\WINDOWS\system32\drvtoj.dll Quarantine
Aflac Q Application C:\WINDOWS\Temp\gos197.tmp Quarantine
Aflac Q Application C:\WINDOWS\Temp\gosE2.tmp Quarantine
Bewschy C Registry hkey_classes_root \interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} Quarantine
Bewschy C Registry hkey_classes_root \typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} Quarantine
Pripecs JE Application C:\Program Files\tmp4229250.exe Quarantine

Edited by helplease, 20 March 2008 - 04:13 PM.


BC AdBot (Login to Remove)

 


m

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,239 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:17 AM

Posted 20 March 2008 - 08:49 PM

Hello and welcome. Please telll us what is your operating system ,(XP,Vista etc ...)?

Please do this next.
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 helplease

helplease
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 22 March 2008 - 03:48 PM

Here you go.


SmitFraudFix v2.307

Scan done at 16:16:12.03, Sat 03/22/2008
Run from I:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

DNS Before Fix

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DCF0204A-A749-4821-81BD-D208CD0C3A51}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DCF0204A-A749-4821-81BD-D208CD0C3A51}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DCF0204A-A749-4821-81BD-D208CD0C3A51}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1

DNS After Fix

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DCF0204A-A749-4821-81BD-D208CD0C3A51}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DCF0204A-A749-4821-81BD-D208CD0C3A51}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DCF0204A-A749-4821-81BD-D208CD0C3A51}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,239 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:17 AM

Posted 22 March 2008 - 04:24 PM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Next:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opers browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt
.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions,post log and Let us know how the PC is running now.

Edited by boopme, 22 March 2008 - 04:25 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 helplease

helplease
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 22 March 2008 - 05:06 PM

Ok I tried to get the SUPERantispyware program but the website is temporarily unavailable. It did not open a new text window when we opened it in regular windows mode either. And the icons are still on the desktop.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,239 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:17 AM

Posted 22 March 2008 - 05:10 PM

Let me look for something. Did the Smit Fix run and could you get the log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 helplease

helplease
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 22 March 2008 - 05:29 PM

SmitFraudFix v2.307

Scan done at 18:19:37.87, Sat 03/22/2008
Run from C:\Documents and Settings\Annalise\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DCF0204A-A749-4821-81BD-D208CD0C3A51}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DCF0204A-A749-4821-81BD-D208CD0C3A51}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DCF0204A-A749-4821-81BD-D208CD0C3A51}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,239 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:17 AM

Posted 22 March 2008 - 05:44 PM

Any better after SmitFIX removed some things ??

Edited by boopme, 22 March 2008 - 10:18 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 helplease

helplease
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 22 March 2008 - 06:18 PM

It worked for a few minutes but then stuff started popping up again.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,239 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:17 AM

Posted 22 March 2008 - 10:53 PM

Please download VundoFix to your desktop.
  • Double-click VundoFix.exe to run it. If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt in the next reply.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 helplease

helplease
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 28 March 2008 - 05:52 PM

Thank for all of your help but i think i was inover my head so i had to take to someone to get it fixed

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,239 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:17 AM

Posted 29 March 2008 - 09:32 AM

Thank you for letting us know. Good luck.
I will clos the topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users