
Infected. What Do I Do?

4 replies to this topic

#1 j_golda


  • Members
  • 3 posts
  • Local time:02:04 AM

Posted 23 March 2008 - 11:30 PM

My computer is big time infected.

Here are the symptoms.
1) I keep seeing shortcuts on my desktop to viruswebprotect.com.
2) My home page on my Internet Explorer keeps getting set to htxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
3) Random message boxes with warnings on how my computer is infected keep popping up.
4) Norton AV keeps detecting and deleting main.htm in my temporary Internet files, but the pop ups and the internet explorer issues keep happening.



Please do not post links of this nature as folks might click on them and possibly infect their computer. Thank you ~ OB

Edited by Orange Blossom, 25 March 2008 - 12:00 AM.
Deactivated potentially malicious link ~ OB



#2 ruby1


    a forum member

  • Members
  • 2,375 posts
  • Local time:08:04 AM

Posted 24 March 2008 - 05:15 AM

Hi and welcome :thumbsup:

It would help to know which version of Windows you are running.

We know you have Norton antivirus installed but, assuming you do NOT have these,

you could run these FREE programs

its exe is http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

also asquared


its exe is http://download6.emsisoft.com/a2FreeSetup.exe
you will need to fully update each, reboot and I suggest you run full deep scans in safe mode;

Each of these programs will produce a report which it would be helpful if you post them back here for the Experts to examine; the scans MAY take some time to run so be patient
IF it will let you , you could run an on line scan from trend http://housecall.trendmicro.com/uk/

#3 j_golda

  • Topic Starter

  • Members
  • 3 posts
  • Local time:02:04 AM

Posted 24 March 2008 - 11:06 PM

I am on Windows XP, service pack 2.

I ran a2free in safe mode.

Here is the log
a-squared Free - Version 3.1
Last update: 3/24/2008 6:33:14 AM

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 3/24/2008 9:44:40 AM

Key: HKEY_CLASSES_ROOT\clsid\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} detected: Trace.Registry.AroundWeb
C:\Documents and Settings\sahayamg\Cookies\sahayamg@atdmt[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\sahayamg\Cookies\sahayamg@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\sahayamg\Cookies\sahayamg@media.adrevolver[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\sahayamg\Cookies\sahayamg@media.adrevolver[3].txt detected: Trace.TrackingCookie
C:\Documents and Settings\sahayamg\Cookies\sahayamg@statse.webtrendslive[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\sahayamg\Desktop\atplay.exe detected: Adware.Win32.WebEx
C:\Documents and Settings\sahayamg\Desktop\smitfraud\SmitfraudFix\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\sahayamg\Desktop\smitfraud\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f
C:\Program Files\Cisco Systems\VPN Client\ppptool.exe detected: Heuristic.Dialer.RAS


Files: 185005
Traces: 171685
Cookies: 58
Processes: 13


Files: 4
Traces: 1
Cookies: 5
Processes: 0
Registry keys: 0

Scan end: 3/24/2008 10:38:16 AM
Scan time: 0:53:36

C:\Program Files\Cisco Systems\VPN Client\ppptool.exe Deleted Heuristic.Dialer.RAS
C:\Documents and Settings\sahayamg\Desktop\smitfraud\SmitfraudFix\Reboot.exe Deleted Riskware.RiskTool.Win32.Reboot.f
C:\Documents and Settings\sahayamg\Desktop\smitfraud\SmitfraudFix\Process.exe Deleted Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\sahayamg\Desktop\atplay.exe Deleted Adware.Win32.WebEx
C:\Documents and Settings\sahayamg\Cookies\sahayamg@atdmt[1].txt Deleted Trace.TrackingCookie
C:\Documents and Settings\sahayamg\Cookies\sahayamg@doubleclick[1].txt Deleted Trace.TrackingCookie
C:\Documents and Settings\sahayamg\Cookies\sahayamg@media.adrevolver[2].txt Deleted Trace.TrackingCookie
C:\Documents and Settings\sahayamg\Cookies\sahayamg@media.adrevolver[3].txt Deleted Trace.TrackingCookie
C:\Documents and Settings\sahayamg\Cookies\sahayamg@statse.webtrendslive[2].txt Deleted Trace.TrackingCookie
Key: HKEY_CLASSES_ROOT\clsid\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} Deleted Trace.Registry.AroundWeb


Files: 4
Traces: 1
Cookies: 5


I was also able to run the online scan from Trend. It detected some malware and deleted it.


I also ran SuperAntiSpyware and it detected a few things and deleted them.

Here is the log

SUPERAntiSpyware Scan Log

Generated 03/24/2008 at 07:22 PM

Application Version : 4.0.1154

Core Rules Database Version : 3423
Trace Rules Database Version: 1415

Scan type : Complete Scan
Total Scan Time : 00:31:59

Memory items scanned : 201
Memory threats detected : 0
Registry items scanned : 6170
Registry threats detected : 0
File items scanned : 15660
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\sahayamg\Cookies\sahayamg@scan.malwarrior[1].txt
C:\Documents and Settings\sahayamg\Cookies\sahayamg@sale.trustedantivirus[2].txt
C:\Documents and Settings\sahayamg\Cookies\sahayamg@protect.trustedantivirus[1].txt
C:\Documents and Settings\sahayamg\Cookies\sahayamg@richmedia.yahoo[1].txt
C:\Documents and Settings\sahayamg\Cookies\sahayamg@www.system-defender[2].txt
C:\Documents and Settings\sahayamg\Cookies\sahayamg@gomyhit[1].txt
C:\Documents and Settings\sahayamg\Cookies\sahayamg@gomyhit[3].txt
C:\Documents and Settings\sahayamg\Cookies\sahayamg@protect.trustedantivirus[3].txt
C:\Documents and Settings\sahayamg\Cookies\sahayamg@trustedantivirus[1].txt
C:\Documents and Settings\sahayamg\Cookies\sahayamg@statse.webtrendslive[1].txt


The problem still exists. Nothing has changed.


Here is what Norton keeps finding
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Risk: Downloader
File: C:\Documents and Settings\sahayamg\Local Settings\Temporary Internet Files\Content.IE5\VGWR3O2L\main[1].htm
Location: Unknown Storage
Action taken: Cleaned by Deletion
Date found: Monday, March 24, 2008 11:04:21 PM

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Risk: Downloader
File: C:\Documents and Settings\sahayamg\Local Settings\Temporary Internet Files\Content.IE5\8GKNCRVL\main[1].htm
Location: Unknown Storage
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Monday, March 24, 2008 11:04:45 PM

Edited by j_golda, 24 March 2008 - 11:50 PM.

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,046 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:04 AM

Posted 25 March 2008 - 12:03 AM

Hello j_golda,

From your A-Squared log, it appears that you ran SmitfraudFix. This is a specialized tool. May I ask why this was on your computer and if you ran it?

At this point, I would like you to run a scan with SUPERAntiSpyware in Safe Mode. It will find other things than A-Squared does and will provide additional information.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
Reboot into Safe Mode
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.
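
Added example, not part of the original thread or of any tool named in it: a small parser for a-squared log lines like those posted above that separates tracking-cookie entries from file and registry detections (which is where the SmitfraudFix entries stand out) and checks that each detection has a matching "Deleted" line. The names `triage` and `category` are hypothetical, and the bucket mapping is an assumption inferred from the log's own Files / Traces / Cookies totals.

```python
import re
from collections import Counter

# Trimmed from the a-squared log posted in the thread. The "Deleted" line for
# atplay.exe is left out on purpose (constructed) to exercise the check below.
SAMPLE_LOG = r"""
Key: HKEY_CLASSES_ROOT\clsid\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} detected: Trace.Registry.AroundWeb
C:\Documents and Settings\sahayamg\Cookies\sahayamg@doubleclick[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\sahayamg\Desktop\atplay.exe detected: Adware.Win32.WebEx
C:\Documents and Settings\sahayamg\Desktop\smitfraud\SmitfraudFix\Process.exe detected: Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\sahayamg\Desktop\smitfraud\SmitfraudFix\Process.exe Deleted Riskware.RiskTool.Win32.Processor.20
C:\Documents and Settings\sahayamg\Cookies\sahayamg@doubleclick[1].txt Deleted Trace.TrackingCookie
Key: HKEY_CLASSES_ROOT\clsid\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} Deleted Trace.Registry.AroundWeb
"""

# "<object> detected: <name>" or "<object> Deleted <name>"; objects may contain spaces.
LINE = re.compile(r"^(?P<obj>.+?)\s+(?P<verb>detected:|Deleted)\s+(?P<name>\S+)\s*$")


def category(name):
    # Assumed mapping onto the log's Files / Traces / Cookies totals.
    if name == "Trace.TrackingCookie":
        return "cookies"
    return "traces" if name.startswith("Trace.") else "files"


def triage(log_text):
    """Return (counts per bucket, non-cookie detections, detections lacking a 'Deleted' line)."""
    detected, deleted = [], set()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # headers, totals and blank lines
        item = (m["obj"], m["name"])
        if m["verb"] == "Deleted":
            deleted.add(item)
        else:
            detected.append(item)
    counts = Counter(category(name) for _, name in detected)
    review = [d for d in detected if category(d[1]) != "cookies"]
    unremediated = [d for d in detected if d not in deleted]
    return counts, review, unremediated


if __name__ == "__main__":
    counts, review, unremediated = triage(SAMPLE_LOG)
    print(dict(counts))
    for obj, name in unremediated:
        print("no removal recorded:", name, obj)
```
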


#5 j_golda

  • Topic Starter

  • Members
  • 3 posts
  • Local time:02:04 AM

Posted 25 March 2008 - 11:45 PM

This is all fixed now. I found another post where somebody was describing the exact problem that I had and the answer seemed to be to run MalwareBytes' Anti-Malware. I ran that and it fixed the problem right away.

Thank you for your time.
