I’ve got an ongoing problem with malware, specifically, <goscansoon.com>, <scanriteweb.com> and <safetyshareonline.com> all known scumware sites. This started up back a few months ago and at first they were infecting my computers. BTW, I have 4 computers on a LAN with one used as an ICS Internet Gateway box to share the internet connection.

I ran Etherpeek and found out what the URL and IP addresses were of these scumware sites and I kill filtered them in my firewall (blackice defender) and so far they haven’t been able to get back in my computers, but, they are wreaking havoc on a good number of attempts at one specific server. It’s not showing up anywhere else but on that particular server and it doesn’t do it every time either. Usually it’s early in the AM not long after the computer has been booted up but I have had it hit at other times of the day also. I’ve been in contact with that server’s Admin and even sent him logs showing where the stuff is activated somehow by his server but to date he nor I have been able to pin down exactly what is triggering the redirect to the scumware site?

So, I decided to come here and see if you guys could help us out.

Here is my hyjackthis log

Thanks,

Ken

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:17 PM, on 7/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

--
End of file - 2557 bytes

This is an FYI on this computer. This is a Dell laptop that I did a clean install on yesterday. I finished all the updates and some other installs and this morning I went to that server in question to check my Webmail and got hit by the scumware redirect on this one also. Since this computer was connected to my LAN during this install and update process, I'm not absolutely sure that something hasn't gotten into it so that is the reason I posted the log for this computer. There's not much on it at this point and it has a short log.

One of the URLs on that server that is a problem is <ed4time.com>.

Just wanted to post a final note on this and thank you all for the lack of help in resolving this issue. It’s people like you that really give internet forums a bad name. And since I am a past PAYING customer of SBS&D I figure it gives me the right to bitch because no one had the time to even comment on this very short log.

Therefore, PLEASE REMOVE THIS ACCOUNT AS I NEVER PLAN TO RETURN. IF I NEED HELP IN THE FUTURE, THEN I’LL GO SOMEWHERE BESIDES HERE TO FIND IT!

Ken

Hello ken0069,

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)


Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count. The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)


And since I am a past PAYING customer of SBS&D I figure it gives me the right to bitch because no one had the time to even comment on this very short log.


Spybot-S&D is free for personal use. Personal computers or..... (http://forums.spybot.info/showpost.php?p=25712&postcount=5)

Users who post in the malware removal forum are helped by volunteers who give freely of their time. It is not a shop and no-one has the "right" to "bitch" at them.

Regards.