Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ad Served By Internet Software


  • This topic is locked This topic is locked
8 replies to this topic

#1 Angor

Angor

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:47 AM

Posted 19 April 2008 - 01:03 AM

I keep getting this notice popping up in the bottom right hand corner of my screen "Ad served by Internet Software" and then i get bombarded by internet pop-up add, it is driving me insane i am using Trend internet Pro 2008 and i scanned with the newest adaware (as of 17 April), please help the following are the logs i recieved after running dss and Hijackthis

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 PM

Posted 28 April 2008 - 02:52 PM

Hello Angor,

Welcome to Bleeping Computer :blink:

Sorry about the delay.:thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Angor

Angor
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:47 AM

Posted 30 April 2008 - 11:24 PM

Thank you Thank you Thank you Thank you Thank you Thank you This is awesom thanks so much for you time please find attached another log

Attached Files



#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 PM

Posted 01 May 2008 - 01:56 PM

Hello,

You're welcome. :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Angor

Angor
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:47 AM

Posted 03 May 2008 - 04:43 AM

The are the two logs you asked for, again thanks for the time

Attached Files



#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 PM

Posted 03 May 2008 - 09:50 AM

Hello,

You're welcome. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: cpmsky browser optimizer - {536581e2-219a-ee16-b2a7-713620b8e19d} - C:\WINDOWS\system32\{771cff12-ef79-6564-b25b-c10e3195b35f}.dll
O2 - BHO: (no name) - {6156A32A-C512-4e23-AA9A-2315F4265681} - (no file)
O2 - BHO: (no name) - {693E67C7-4881-459A-B036-B548F2ECE63D} - C:\WINDOWS\system32\auth.dll
O2 - BHO: InternetSoftware - {AF7E9EBB-E1CF-7F7C-C608-13185698F3E9} - C:\Program Files\InternetSoftware\InternetSoftware-2.dll
O2 - BHO: (no name) - {AFACAC4F-7A3D-471A-AEA3-822DD5CB7E9A} - C:\WINDOWS\system32\auth.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{771cff12-ef79-6564-b25b-c10e3195b35f}.dll" DllInit
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemplates/...login-devel.cab
O20 - Winlogon Notify: rsmarfka - rsmarfka.dll (file missing)
O20 - Winlogon Notify: __c00B8124 - __c00B8124.dat (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\qdgbyfld.dll
C:\WINDOWS\system32\gltdmfko.dll
C:\WINDOWS\system32\xyyypvpv.dll
C:\WINDOWS\system32\mebdvkwb.dll
C:\WINDOWS\system32\rdlumpjx.dll
C:\WINDOWS\system32\lcgpwcvw.dll
C:\WINDOWS\system32\ainptegq.dll
C:\WINDOWS\system32\bnpwrcko.dll
C:\WINDOWS\system32\{771cff12-ef79-6564-b25b-c10e3195b35f}.dll
C:\WINDOWS\system32\ghukfblw.dll
C:\WINDOWS\system32\ulgbnstj.dll
C:\WINDOWS\system32\pjxbhmra.dll
C:\mxuxc.exe
C:\WINDOWS\system32\bbdddosa.dll
C:\WINDOWS\system32\comd32.dll
C:\WINDOWS\system32\auth.dll
C:\WINDOWS\system32\mavpcbfs.dll
C:\WINDOWS\system32\iqrqhsrb.dll

Folder::
C:\VundoFix Backups
C:\Program Files\InternetSoftware

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{536581e2-219a-ee16-b2a7-713620b8e19d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF7E9EBB-E1CF-7F7C-C608-13185698F3E9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFACAC4F-7A3D-471A-AEA3-822DD5CB7E9A}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rsmarfka]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B8124]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8c98ae4f]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8fab9dd3]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 Angor

Angor
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:47 AM

Posted 07 May 2008 - 04:46 AM

Please find attached the logs you asked for

Attached Files



#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 PM

Posted 07 May 2008 - 11:20 AM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\{771cff12-ef79-6564-b25b-c10e3195b35f}.dll-uninst.exe
C:\WINDOWS\system32\myss_sb.dll
C:\WINDOWS\system32\myss_sb_uninstall.exe
C:\WINDOWS\system32\_{771cff12-ef79-6564-b25b-c10e3195b35f}.dll
C:\Documents and Settings\All Users\Application Data\Frag great bend logo
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\WINDOWS\system32\{771cff12-ef79-6564-b25b-c10e3195b35f}.dll
C:\Documents and Settings\Owner\Application Data\TrustedAntivirus

Folder::
C:\Program Files\TrustedAntivirus
C:\Program Files\FBrowsingAdvisor
C:\Program Files\FBrowserAdvisor

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:47 PM

Posted 18 May 2008 - 07:54 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users