Allsexsms.com in IE - revolting. Please help

[runthroughfire]

Hi

IE pops out the attached [now removed] revolting window, can't be resized, dragged or got rid of - have to shut down machine

Am attaching my hijackthis log

PLEASE HELP

Thanks

David

 

[RealBlackStuff]

Run HJT and 'fix' all your O16 entries.

Then go online (with IE) to:
http://housecall.trendmicro.com/
and have them scan your PC online.

Then I would suggest you download and run MS Antispyware Beta from http://www.microsoft.com/athome/security/spyware/software/default.mspx

Then post a new HJT-log.

 

[runthroughfire]

Fixed the O6 entries
Tried to run trendmicro scan from IE, but IE still infected
New HJT log attached

 

[RealBlackStuff]

Looks like you did not run MS Antispyware!

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
put HijackThis in e.g C:\HJT and NOT on your Desktop or in Temp!.

Boot in Safe Mode.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Next, open Windows Task Manager.
On Windows 95/98/ME, press CTRL+ALT+DELETE.
On Windows NT/2000/XP, press CTRL+SHIFT+ESC.
Click the Processes tab, select the process (if there), click End Process for:
rssfeed.exe
proxy4free.exe
realsched.exe
secure.exe
dsb.exe
dazzler.exe
kaps_mm.exe
stopAds.exe

Next, try to UNinstall anything to do with (not delete yet!):
C:\Program Files\WIRESS\rssfeed.exe
C:\Program Files\LocalProxy\proxy4free.exe
C:\Program Files\SHA256\secure.exe
C:\Program Files\DSB\dsb.exe
C:\Program Files\WIZZ\dazzler.exe
C:\Program Files\Kaps\kaps_mm.exe
C:\Program Files\AdsBlocker\stopAds.exe

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
C:\Program Files\WIRESS\rssfeed.exe
C:\Program Files\LocalProxy\proxy4free.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1040
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WIRESS] C:\Program Files\WIRESS\rssfeed.exe
O4 - HKLM\..\Run: [SHA256] C:\Program Files\SHA256\secure.exe
O4 - HKLM\..\Run: [LocalProxy] C:\Program Files\LocalProxy\proxy4free.exe
O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\dsb.exe
O4 - HKLM\..\Run: [WIZZ] C:\Program Files\WIZZ\dazzler.exe
O4 - HKLM\..\Run: [Kaps] C:\Program Files\Kaps\kaps_mm.exe
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
O4 - Global Startup: BTTray.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll (file missing)
O15 - Trusted Zone: *.energyfactor.com
O15 - Trusted Zone: *.hardcorefantasyland.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF9BB65A-EEBF-451C-8C05-EDD8F2C640BD}: NameServer = 192.168.254.254
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.

 

[mc68k]

I've got a problem very like this, sorry for digging up such an old post. Tis here pop up only came up when you connected to the internet early in the morning(BST) so I think my other problem could be closely linked to it. The info here helped me get rid of this pop up butmy internet connection still breaks every couple of minutes, after 8pm(BST). Obviously this gets very annoying. Just hope someone can help out if this is a virus.

HJT log

removed
**************************************************
Anyone have any idea why my internet connection could be breaking so frequently(does it look like a virus/spyware)?

 

[RealBlackStuff]

Read: How to post your Hijackthis log-files as an attachment.

 

[mc68k]

sorry seen the log file earlier in the post and thought I'd get away with it. Well here it is attached this time, sorry for the mistake earlier. Oh yeah just for the record too, did the above but adsBlocker came back, dbs proxy4free and dazzler didn't.
Any help much appreciated.
Cheers

Mick

 

[Spike]

here's your problem, in part at least...

http://66.249.93.104/search?q=cache...ups/MEMreaload-7672.html+MEMreaload.exe&hl=en

...MEMreaload.exe /checkmouse /updateration
Description: Added by the LAZAR trojan downloader.

Boot into safe mode, turn system restore OFF, and hit control alt delete. End any of the following processes should they be running...
O4 - HKLM\..\Run: [Indexindicator] C:\WINDOWS\system32\Indexindicator.exe /check
O4 - HKLM\..\Run: [MEMreaload] C:\Program Files\ServicePackFiles\MEMreaload.exe /checkmouse /updateratio
O4 - HKLM\..\Run: [Suite] C:\WINDOWS\system32\SuiteOffices.exe /cleandb
O4 - HKLM\..\Run: [Reload] C:\Program Files\ServicePackFiles\reload.exe /reloadenterpice
O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\system32\Recalculate.exe /reloadenterpice
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe

O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe

Run a virus/trojan scan (see sticky in this forum).

Run HJT, and let it fix any of the above entries should they exist,
And of course, all 016 entries.

 

[mc68k]

Alright thanks spike that seems to have done the job. I'll just wait until tonight to see wether the internet connection continues to break and if the pop up comes back. Think its finally sorted.
Cheers
Mick

 

[mc68k]

My internet connection still breaks after 8 at night, though none of the files are back from above. I've attached my hjt file, taken at night (now) when connection's breaking every couple of minutes.

 

[Spike]

The only thing that's wrong with that log is that there are now lots of entries with missing files that you should fix, if only because it makes the file easier to read.

Other than that, as far as I can see your disconnections from the internet are caused by something other than what can be seen in your HJT log. The fact that it breaks after 8 in the night suggests that it's something other than spyware causing the problem.

 

[mc68k]

I fixed the missing file ones from hjt, any idea what I should be looking for as to why it would go off at certain times of the day? Cheers for all the help so far too.

 

[Shadowrunner]

Hi

IE pops out the attached [now removed] revolting window, can't be resized, dragged or got rid of - have to shut down machine

Am attaching my hijackthis log

PLEASE HELP

Thanks

David

get firefox it blocks popups/annoying toolbars
if that doesnt work
or trend micro, remove all ur temp internet files. i maen EVERYTHING. back passwords/usernames up if need be -- just do it in notepad

 

[Spike]

It does - but that doesn't remove the problem. The only way to solve a spyware problem you already have is to remove the spyware. THEN it's a good idea to take preventative measures. The problem with those popups has been fixewd now though.

as for the disconnecting, I don't have any idea at all. Maybe you could start a thread in storage and networking

 

[mc68k]

I'll check it out tonight, see if I can see the process that is run just as connection breaks to work it out.
Thanks.

 

[lizisonfire]

heya, i have the same allsexsms.com pop-up and it's not very pretty. i tried to follow the advice up there ^ of RealBlackStuff and so deleted quite a few things.... it doesn't seem to have gone though =(

can anyone please help me? my hijack this log is attached hopefully...

 

[RealBlackStuff]

See this post for reference: Use these HJT-instructions when asked
The text underneath goes between the dotted lines of that post.
...........................................................................................
/P/ C:\WINDOWS\TEMP\ICSUPP95.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR2\EBAYTB.DLL
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR2\EBAYTB.DLL
/P/ O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
/P/ O4 - HKLM\..\Run: [Indexindicator] C:\WINDOWS\SYSTEM\Indexindicator.exe /check
/P/ O4 - HKLM\..\Run: [MEMreaload] C:\Program Files\ServicePackFiles\MEMreaload.exe /checkmouse /updateratio
/P/ O4 - HKLM\..\Run: [Suite] C:\WINDOWS\SYSTEM\SuiteOffices.exe /cleandb
/P/ O4 - HKLM\..\Run: [Reload] C:\Program Files\ServicePackFiles\reload.exe /reloadenterpice
/P/ O4 - HKLM\..\Run: [Diesel] C:\WINDOWS\SYSTEM\Recalculate.exe /reloadenterpice
/P/U/ O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\RunServices: [VidSvr]
/P/U/ O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O9 - Extra button: Freeserve - {659E8680-F8EA-11D3-83E4-C80559E5362D} - http://www.freeserve.net/ (file missing) (HKCU)
Fix all your O16 - DPF: entries
...........................................................................................

 

[lizisonfire]

so far so good... it came up for a while but then i realised i hadn't deleted the temp files and so did it again. thankya very much x

 

[mc68k]

Still the internet connection continues to break at night, every about 5 mins or so, right through (from 7pm to 7am) every night. I posted in the network forum, but no luck as yet sorting out this problem. I still get the feeling it's the left overs from a virus or something. Any way I took a screen shot exactly as the internet connection was broken of the task manager, hope this can help lead to the solution, not honestly sure if it helps, but just incase nayone recognises any of the processes, or what my next step should be.

Cheers for any help
Mick.

Edit couldn't attach the file, it's bmp so should be ok, though was getting standard can't find server, can't display page error in IE and a popup error in firefox saying document contains no data. I'll try posting again later.

 

[RealBlackStuff]

If you are on dial-up, try another ISP. You may also have set your timeout/disconnect after being idle for 5 minutes or so.
If you are on broadband, sort it with your ISP.

 

[mc68k]

it would appear I fixed the problem, the answer might make more sense to you tech minded people rather than myself(software engineer). Originally the internet connection was a half Mb connection, got upgraded automatically by the isp to a 1.1 (the max we could get on the line). There's 2 phones in the house, at the start with the smaller line didn't need microfilter on the one upstairs, though just before I rung to find out realised with the increased traffic in the evening, having no microfilter on second phone socket could be causing connection to drop. I plugged it in, connection hasn't dropped since. Seems like it's fixed it.

Cheers for all the help.
Mick.