Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Big IoT Botnet Starts Large-Scale Exploitation of Drupalgeddon 2 Vulnerability

Featured Deal: Get 96% off the MCSA SQL Server Training Deal

Adult finder virus and popups

Started by djadry , Mar 14 2009 11:00 AM

This topic is locked

2 replies to this topic

#1 djadry

Members
1 posts
OFFLINE

Local time:02:12 PM

Posted 14 March 2009 - 11:00 AM

Hi, i have a virus that sometimes when i click on a google result opens me a "adult finder" page and sometimes opens popups... can you help me? excuse me for my english but i'm a 16 years old italian...

this is my report:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programmi\D-Link\AirPlus XtremeG DWL-G122\AirGCFG.exe
C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programmi\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\E_S00RP2.EXE
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Last.fm\LastFM.exe
C:\Programmi\Opera\opera.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\autorun.inf FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Francesco

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\FRANCE~1\IMPOST~1\Temp

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Francesco\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\FRANCE~1\PREFER~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Programmi

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Pagina iniziale corrente"

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Realtek RTL8169/8110 Family Gigabit Ethernet NIC - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 85.255.112.134
DNS Server Search Order: 85.255.112.10

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6C9D6E1F-C0AE-42D0-8884-9C90271DE3BE}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6C9D6E1F-C0AE-42D0-8884-9C90271DE3BE}: NameServer=85.255.112.134,85.255.112.10
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6C9D6E1F-C0AE-42D0-8884-9C90271DE3BE}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6C9D6E1F-C0AE-42D0-8884-9C90271DE3BE}: NameServer=85.255.112.134,85.255.112.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6C9D6E1F-C0AE-42D0-8884-9C90271DE3BE}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6C9D6E1F-C0AE-42D0-8884-9C90271DE3BE}: NameServer=85.255.112.134,85.255.112.10
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.112.134,85.255.112.10
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.112.134,85.255.112.10
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.112.134,85.255.112.10

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

help me! :thumbup2:

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 teacup61

Bleepin' Texan!

Malware Response Team
17,075 posts
OFFLINE

Gender:Female
Location:Wills Point, Texas
Local time:02:12 PM

Posted 25 March 2009 - 07:22 PM

Hello djadry,

Posted Image

Sorry about the delay. :thumbup2:

Your English is just fine, and no reason to apologize.

Do you still have SmitfraudFix?

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background. So only run it once!

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea

Please make a donation so I can keep helping people just like you.
Every little bit helps!
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

Back to top

#3 teacup61

Bleepin' Texan!

Malware Response Team
17,075 posts
OFFLINE

Gender:Female
Location:Wills Point, Texas
Local time:02:12 PM

Posted 04 April 2009 - 06:09 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

Please make a donation so I can keep helping people just like you.
Every little bit helps!
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?