#1 |
|
Junior Member
Join Date: Sep 2007
Posts: 6
|
I seem to be receiving pop-ups from http://www.spyware-secure.com/fullpa...ime=312e323132

I've tried everything that I can possibly think of:

1. SpyBot
This application tells me that it finds "spyware-secure" and when I ask it to fix the problem, it says that the problem's been fixed. I keep getting the pop-ups though.

2. AVG Spyware
AFTER removing all temp folders with the help of ATF CLEANER, I did a complete scan of my system (more than 306000 objects which took roughly one hour) and they found 21 infected objects: Tracking cookies - which I quarantined. Am attaching the scan report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 16:41:51 05/09/2007
+ Scan result:
:mozilla.69:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.70:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.71:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.21:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.24:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.29:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.78:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Estat : Cleaned.
:mozilla.46:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.47:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.51:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.31:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.32:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.19:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.20:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.33:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.34:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.87:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.88:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.89:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.90:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.37:C:\Documents and Settings\Rajeev Mehra\Application Data\Mozilla\Firefox\Profiles\qx1wo67a.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
::Report end
---------------------------------------------------

3. The Latest Hijack This Log
This log was taken AFTER doing the AVG scan

Logfile of HijackThis v1.99.1
Scan saved at 17:35:06, on 05/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\PROGRA~1\LECOMP~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Club-Internet\Agent Wi-Fi V2\McciTrayApp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Club-Internet\Lanceur\lanceur.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Rajeev Mehra\Local Settings\Temp\wz56a6\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.club-internet.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Fichiers communs\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Afficher Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Fichiers communs\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\LECOMP~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [Club-Internet_McciTrayApp] C:\Program Files\Club-Internet\Agent Wi-Fi V2\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [fsc-reminder.exe] C:\WINDOWS\reminder\fsc-reminder.exe 2453463 14
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Club Internet.lnk = C:\Program Files\Club-Internet\Lanceur\lanceur.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.fr
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1224488079750
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast.com/admin/hostClientIE.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) - http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Validation de mot de passe Symantec IS (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
-------------------------------------------------------

I still have popup windows crashing on my screen. Most come from Spyware-Secure.com while there are others coming from some casinos and xxx sites...

I can't seem to think of anything else right now. Could someone please help me with this? Thanks in advance.

BTW, I use the latest firefox version so am wondering how they managed to beat firefox security.
|
|
|
|
#2 |
|
Security Expert
Join Date: Nov 2005
Location: @localhost
Posts: 4,541
Rated LASSHes: 1
|
hi Beesakopie,
two things:

download and run vundofix.exe: http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
------------------------------------
Download SmitfraudFix (by S!Ri) to your Desktop: http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works.
It will create a file named: c:\rapport.txt
stop at this point and post a HijackThis log along with the contents of the c:\rapport.txt.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
---------------------------------------
do the above, then: post the vundo log, the smitfraud log and a new hjt log.

shelf life
|
|
|
|
#3 | |||
|
Junior Member
Join Date: Sep 2007
Posts: 6
|
Hi there Shelf Life
Thanks for taking the trouble to look into this. The Vundofix programme did not find any infected files. Am attaching the log as requested:
------------------------------------------------
Quote:
The programme did not prompt me that it wanted to reboot or anything. I should imagine that's because it didn't find anything...(?)

Then I did the Smitfraud Fix thing. (thanks for sending me the French version - I have however used it in English to ensure that things are legible)
-------------------------------------------------
Quote:
The Latest Hi-Jack This log was done AFTER the SmitFraud process:
---------------------------------------------------------
Quote:
Has anything shown up? I still get the pop-ups !!

cheers
Beesakopie
|||
|
|
|
|
#4 |
|
Security Expert
Join Date: Nov 2005
Location: @localhost
Posts: 4,541
Rated LASSHes: 1
|
hi Beesakopie,
still popups? amazingly i thought vundo and/or smitfraud would fix the problems.
---------------------------
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O4 - HKCU\..\Run: [fsc-reminder.exe] C:\WINDOWS\reminder\fsc-reminder.exe 2453463 14
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
--------------------------
navigate to the C:\windows dir. see if you can find and delete a folder named: "reminder"
inside the folder is an executable: fsc-reminder.exe 2453463 14
delete the entire named folder "reminder"
-------------------------------
reboot once and post a new hjt log.

shelf life
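The entry selection in post #4, as an added example that is not part of the thread: a small Python parser for HijackThis entry lines that surfaces Run-key targets in a subfolder of C:\WINDOWS outside system32 and entries carrying a "(no file)" or "(file missing)" marker. Both criteria are assumptions chosen for illustration, not the responder's stated method, and the sample is constructed from lines in the log posted in post #1.

```python
import re

# Constructed sample: five entry lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [fsc-reminder.exe] C:\WINDOWS\reminder\fsc-reminder.exe 2453463 14
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
'''

ENTRY_RE = re.compile(r'^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$')
MARKER_RE = re.compile(r'\((no file|file missing)\)\s*$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
RUN_RE = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')


def parse_log(text):
    """Return one dict per entry line; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group('body')
        marker = MARKER_RE.search(body)
        clsid = CLSID_RE.search(body)
        run = RUN_RE.match(body)
        entries.append({
            'code': m.group('code'),
            'body': body,
            'clsid': clsid.group(0) if clsid else None,
            'marker': marker.group(1) if marker else None,
            'run_cmd': run.group('cmd') if run else None,
            # An odd number of double quotes means a quoted command line was cut.
            'unbalanced_quote': body.count('"') % 2 == 1,
        })
    return entries


def review_candidates(entries):
    """Apply the two assumed triage criteria; results are leads, not verdicts."""
    flagged = []
    for e in entries:
        cmd = (e['run_cmd'] or '').lstrip('"').lower()
        if cmd.startswith('c:\\windows\\') and not cmd.startswith('c:\\windows\\system32\\'):
            flagged.append((e['code'], e['body'], 'run-target-in-windows-subfolder'))
        elif e['marker'] and e['unbalanced_quote']:
            # The marker may only reflect how the quoted path was split.
            flagged.append((e['code'], e['body'], 'marker-may-be-parse-artifact'))
        elif e['marker']:
            flagged.append((e['code'], e['body'], 'target-absent'))
    return flagged


if __name__ == '__main__':
    for code, body, reason in review_candidates(parse_log(SAMPLE_LOG)):
        print(f'{reason:32} {code:4} {body}')
```

On this sample the first two flagged lines are the two entries selected in post #4; the third is a Symantec service whose marker sits next to a stray quote, so it is reported separately rather than as an absent file.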
|
|
|
|
#5 | |
|
Junior Member
Join Date: Sep 2007
Posts: 6
|
Hi Shelflife
Ok, I got rid of Fsc-reminder executable. I fixed the issue first with HiJack This and then I found the directory in c:\windows which had the executable file like you'd indicated. I manually deleted the folder.

Am attaching the latest HJT log (after re-boot, as instructed):
Quote:
|
|
|
|
|
|
#6 | |
|
Junior Member
Join Date: Sep 2007
Posts: 6
|
sorry for the double post - but I seem to have thought of something and I can't edit my post above :
On the HJT log, there are a few processes that seem to be weird:
Quote:
Should I "fix" these on HJT? Cheers, Beesakopie |
|
|
|
|
|
#7 |
|
Security Expert
Join Date: Nov 2005
Location: @localhost
Posts: 4,541
Rated LASSHes: 1
|
hi,
yes you can delete those 2 O16 items. also look in add/remove programs panel for CID, and uninstall it if present (those are IE plugins, which could be the source of the problem)

post an add/remove list like this also:
start hjt
click on "open misc tools section" at top
click on "misc tools"
then "open uninstall manager"
then "save list"
post the list in next reply.
-----------------------------
also you can disable any IE add ons like this: (maybe a little different for IE 7.0)
open IE>tools>manage addons
see any that you aren't sure about? click on it and disable it.
---------------------
short on time

shelf life
|
|
|
|
#8 | |
|
Junior Member
Join Date: Sep 2007
Posts: 6
|
Hi Shelf Life
1. Have "fixed" the O16 programmes on HJT.
2. Here is the Uninstall list from HJT. I've now realised that there is a lot of stuff I need to / can get rid of !!!
Quote:
* "Mise à jour" : Update

PS: Take your time. For the moment, I am using the latest firefox version and have activated the option of blocking all cookies. I still get the pop-ups though ...
|
|
|
|
|
#9 | |||||
|
Security Expert
Join Date: Nov 2005
Location: @localhost
Posts: 4,541
Rated LASSHes: 1
|
hi Beesakopie,
no joy yet. nothing really in the uninstall list. i was looking for malicious third party add-ons. Quote:
Quote:
the 4 KB numbers.... are patches from windows update. just scroogle the number. Quote:
Quote:
Quote:
---------------------
also run step 2 of the smitfraudFix:
best to do it in safe mode so you might want to copy/paste the directions into notepad so you can read them in safe mode:

Reboot into Safe Mode
* Restart your computer.
* Before the Windows logo appears, tap F8 repeatedly.
* choose the first option: safe mode
-----------------------
in safe mode:
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
--------------------
post the log in next reply.

shelf life
|||||
|
|
|
|
#10 |
|
Junior Member
Join Date: Sep 2007
Posts: 6
|
Shelf Life,
Thanks a lot for your help. I seem to have fixed the problem. I found a French online security magazine article on the internet that detailed my problem succinctly and even offered a solution. Here is the link: http://www.secuser.com/alertes/2007/spyware-secure.htm

It basically tells me that the spyware-secure installs a rootkit into the computer and this rootkit triggers off the pop-ups. It goes on to say that this menace was discovered in Jan 2007 and is not "malicious" in the strict sense of the term. This is basically a commercial proposition used by spyware-secure to sell its software. I think you can translate the page with babel fish to read it fully.

Anyways, I did what the article told me - viz. downloaded AVG rootkit. This programme found one hidden EXE file called jvcwmep.exe in my system32 folder. (This file shows up in the Smitfraudfix log BTW) There were 5 other variants of jvcwmep (.dll /.bat/.dat etc) in other areas of the machine. I removed these files with AVG rootkit and since then (I did this about 2 days back - just after the last time I posted) and till now haven't received any pop-ups. I think I have thus solved the problem.

One other thing:
1. NickW, the French translator here on spybot helped me get on the right track. Please give her further powers to help people on this forum. She is doing a great job.

Thanks once again to all at spybot. I think this thread may be closed.

Cheers !
|