Serious Adware Problem




  #21  
Old 22nd Jan 2008, 14:45
Moderator Group
 

Download SmitfraudFix (by S!Ri) to your Desktop.
  • Extract all the files to your Desktop.
  • A folder named SmitfraudFix will be created on your Desktop.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #1 - Search by typing 1 and press Enter
    • This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
    • When it is done, the results of the scan will be displayed and it will create a log named rapport.txt
      • This is in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
    • Please attach that log in your next reply.
  • Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

  #22  
Old 22nd Jan 2008, 14:50
Member Group
 

SmitFraudFix v2.274
Scan done at 16:49:12.00, Tue 01/22/2008
Run from C:\Documents and Settings\Richard\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Richard

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Richard\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Richard\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 24.197.160.21
DNS Server Search Order: 24.197.160.18
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CB017379-BE3F-4F32-BB52-0B56B6717D3F}: DhcpNameServer=24.197.160.21 24.197.160.18
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CB017379-BE3F-4F32-BB52-0B56B6717D3F}: DhcpNameServer=24.197.160.21 24.197.160.18
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CB017379-BE3F-4F32-BB52-0B56B6717D3F}: DhcpNameServer=24.197.160.21 24.197.160.18
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.197.160.21 24.197.160.18
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.197.160.21 24.197.160.18
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.197.160.21 24.197.160.18

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
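
Added example (not part of the original thread and not code from SmitfraudFix): a small Python triage script for a rapport.txt in the layout posted above. It assumes that an empty folder section means nothing was matched, as in this log, and that a non-empty "AppInit_DLLs" or "System" value deserves a manual look; the log's own notice says such keys are not necessarily infected, so the output is a list of leads, not verdicts.

```python
import re

SECTION = re.compile(r"^»+\s*(.+)$")           # e.g. "»»»» Process"
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')      # e.g. "AppInit_DLLs"=""
PATH = re.compile(r"^[A-Za-z]:\\")             # section named after a folder
FILE_SECTIONS = {"hosts", "Start Menu", "Desktop"}
VALUE_SECTIONS = {"AppInit_DLLs", "Winlogon.System"}

# Constructed sample in the layout of the log above. "example.dll" is an
# invented value so that the check has something to report.
SAMPLE = r"""SmitFraudFix v2.274
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\system32\winlogon.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="example.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

def parse_sections(text):
    """Split the log into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1).strip(), [])
        elif line and current is not None:
            current.append(line)
    return sections

def review_items(sections):
    """Return (section, detail) pairs worth a manual look."""
    items = []
    for name, lines in sections.items():
        if name in FILE_SECTIONS or PATH.match(name):
            items += [(name, line) for line in lines]   # any entry at all
        elif name in VALUE_SECTIONS:
            for line in lines:
                m = VALUE.match(line)
                if m and m.group(2):                    # non-empty value
                    items.append((name, f"{m.group(1)}={m.group(2)}"))
    return items

if __name__ == "__main__":
    for section, detail in review_items(parse_sections(SAMPLE)):
        print(f"review {section}: {detail}")
```

Run against the log in the post above, the same checks would return no items: every folder section is empty and both registry values are blank.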
  #23  
Old 22nd Jan 2008, 14:53
Moderator Group
 

Go to Add/Remove Programs and look for Windows Messenger (not MSN Messenger).
If it is there, uninstall it.

----------

Please download, install, update and run CounterSpy.

Download CounterSpy V2. CounterSpy is a 15-day full-featured evaluation.

1. Double-click the installer on the desktop.
2. After CounterSpy is installed and you have restarted your computer (if prompted), double-click the icon on your desktop to begin the install.
3. The Getting Started setup wizard opens. The wizard will guide you through the initial steps needed to configure CounterSpy.
** When the Activate Now prompt appears just click Next

To scan your computer
1. Click System Scan on the main page. The System Scan page opens.
2. Set the scan options on the left side of the page. We recommend selecting Full System scan.
3. Click Scan Now. CounterSpy starts scanning your computer. After the scan is complete, the CounterSpy System Scan Results summary window opens.
4. Review the summarized information, then click View Results. You return to the System Scan results page.

To take action against a security risk
1. Select a security risk.
2. Make a selection from the Recommended Action drop down menu next to it and select Remove
** Select Remove in all menus
3. Check the Create restore point option. This will create the Windows backup (useful in case something goes wrong). Then press Take Action
4. Now CounterSpy will ask you to confirm your actions. Press Yes within the window that appears. This will start the removal process.
5. The program may need to reboot your computer. Clicking Yes if prompted is highly recommended.
--
To manage the quarantined spyware
* CounterSpy maintains a backup of quarantined items.
* To access the Quarantine click on the View menu, select Spyware Scan and then choose the Manage Spyware Quarantine option.
* To remove a certain item from the quarantine, place a checkmark next to it and click Permanently remove all checked items. (use this option)
* To restore an item click on the Un-quarantine all checked items link. (Un-quarantine is only to be used if the computer is not running correctly due to items being removed by CounterSpy.)

* Clicking on the Check all items link will put a checkmark next to each item. Clicking on Un-check all items will deselect all quarantined threats.

* CounterSpy will ask you to confirm your action. If you want to restore or delete an item, you must reply positively by pressing the Yes button.

* Exit CounterSpy


Next post
CounterSpy log

Copyright ©2006 - 2009 Computer Juice.
