TechSpot

Antispyware-reviews.biz problem

By zanderbak
Mar 30, 2008
  1. I have a similar problem to others who have recently posted on this site.

    An advert pops up every 15 minutes or so alleging I have a spyware problem and links through to an anti-spyware software advert at this site: antispyware-reviews.biz/?wmid=4663&pwebmid=R3n1c2Bg8A

    I can't seem to get rid of it. Hoping someone might be able to help.

    HijackThis log below.

    Thanks.
     

  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Download Smitfraud Fix
    http://siri.urz.free.fr/Fix/SmitfraudFix.exe

    Clean:

    Reboot your computer in Safe Mode
    (before the Windows icon appears, tap the F8 key continually)

    Double-click SmitfraudFix.exe

    Select 2 and hit Enter to delete infected files.

    You will be prompted: Do you want to clean the registry ? answer Y (yes)
    and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if you are infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Optional:

    To restore Trusted and Restricted site zone, select 3 and hit Enter.
    You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
    ----------------------------------------------------

    Additional Steps:

    (Start -Run)
    sc stop Messenger
    sc config Messenger start= disabled

    Restart

    Then continue to Viruses/Spyware/Malware, preliminary removal instructions
     
  3. zanderbak

    zanderbak TS Rookie Topic Starter

    Thanks. Have followed all steps. Log files attached.

    AVG AntiRoot didn't find anything.
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  5. zanderbak

    zanderbak TS Rookie Topic Starter

    Cheers Kimsland.

    Followed the advice and deleted C:\ProgramData\tatchyto\tsnubefg.exe.

    Also found some other random unsigned programmes that were launching on start-up. They were:

    C:\ProgramData\ywaopzfl\nyjyzktv.exe
    C:\ProgramData\ejfnpgfj\ehszkncv.exe
    C:\ProgramData\ldxdnabj\gdibwpwz.exe
    and C:\Windows\System32\lstydqxq.exe

    All were installed at around the same time as C:\ProgramData\tatchyto\tsnubefg.exe and all were from unknown publishers. Google searching didn't turn anything up. Hence, I deleted them all.

    Not sure what impact that will have until I get in from work and can spend a prolonged amount of time on the machine. Hopefully it will have got rid of the problem.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Good work (glad they're deleted)

    But you will need to temporarily turn off system restore (found in Control Panel - System)

    Once turned off, you can then turn it back on.

    This will remove any old restore points (that probably contain these files)
     
  7. zanderbak

    zanderbak TS Rookie Topic Starter

    Having spent about an hour on my laptop this evening, deleting those files seems to have sorted out the problem - there haven't been any pop ups since logging on (where I would have expected there to have been).

    Many thanks for your help kimsland.
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You did System Restore reset?

    Also download CCleaner and clean all the temporary stuff out.
    Maybe defrag after that.

    Done :)
     
  9. xavian

    xavian TS Rookie

    It works! Thanks!

    I don't know who you are, but you really are a tech GURU.
    I searched the web for solutions to this without success.
    This is the one that worked. Vista Ultimate 64...
    Thank you!
     
  10. kritius

    kritius TS Guru Posts: 2,084

    C:\ProgramData\ywaopzfl\nyjyzktv.exe
    C:\ProgramData\ejfnpgfj\ehszkncv.exe
    C:\ProgramData\ldxdnabj\gdibwpwz.exe

    was the folder deleted too or just the file?
     
  11. bellachanel

    bellachanel TS Rookie

    Same issue please help!

    Hi, I have the same problem. I have run SmitfraudFix too. My report is attached. I'm still having the pop ups from that site though. Any ideas? Please help! I feel like I've tried everything. Thanks so much. Here's the result from smitfraud #1:

    SmitFraudFix v2.309

    Scan done at 9:34:24.15, Sun 04/06/2008
    Run from C:\Documents and Settings\Sandee\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WS_FTP Pro\ftpsched.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\WnvIRQ32.exe
    C:\Documents and Settings\All Users\Application Data\pgbcvady\hcfibmjm.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\smax4.exe
    C:\Program Files\Winnov Videum NT\WvStatus.Exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    C:\Program Files\Common Files\AOL\1174943572\ee\AOLSoftware.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\Eyeball\EYEBAL~1\EyeballChat.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AOL 9.1\waol.exe
    C:\Program Files\ICQ6\ICQ.exe
    C:\WINDOWS\system32\xqrofmfm.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\NuvaTime\NuvaTime(tm).exe
    C:\Program Files\Common Files\Sonic Shared\CineTray.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\AOL 9.1\shellmon.exe
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sandee


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sandee\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sandee\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 66.75.160.63
    DNS Server Search Order: 66.75.160.64

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{B7FC172B-3173-4CE6-A882-1E781558C7E9}: DhcpNameServer=66.75.160.63 66.75.160.64
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{B7FC172B-3173-4CE6-A882-1E781558C7E9}: DhcpNameServer=66.75.160.63 66.75.160.64
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{B7FC172B-3173-4CE6-A882-1E781558C7E9}: DhcpNameServer=66.75.160.63 66.75.160.64
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.75.160.63 66.75.160.64
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.75.160.63 66.75.160.64
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.75.160.63 66.75.160.64


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
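As an added example (not code from the thread or from SmitFraudFix), a small Python triage helper that reads the "Process" section of a report like the one above and flags running executables with the eight-random-letter naming shape zanderbak describes in post 5; the sample report is constructed from paths quoted in the thread plus legitimate entries for contrast.

```python
"""Triage helper for the 'Process' section of a SmitFraudFix report (added
example, not part of the thread or of SmitFraudFix). It flags executables with
the naming shape the posters describe: an eight-lowercase-letter directory and
file under ProgramData (or the All Users profile on XP), or an eight-letter
.exe dropped directly into system32."""
import re

# Constructed sample report: a few lines quoted in the thread plus
# legitimate entries for contrast.
SAMPLE_REPORT = r"""SmitFraudFix v2.309

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\WnvIRQ32.exe
C:\Documents and Settings\All Users\Application Data\pgbcvady\hcfibmjm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\xqrofmfm.exe
C:\ProgramData\tatchyto\tsnubefg.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts
"""

RANDOM_NAME = r"[a-z]{8}"  # the shape of every dropped name in the thread

SUSPICIOUS_PATTERNS = [
    # <ProgramData | All Users\Application Data>\<8 letters>\<8 letters>.exe
    re.compile(r"^[a-z]:\\(programdata|documents and settings\\all users\\"
               r"application data)\\" + RANDOM_NAME + r"\\" + RANDOM_NAME
               + r"\.exe$"),
    # <8 letters>.exe directly inside system32
    re.compile(r"^[a-z]:\\windows\\system32\\" + RANDOM_NAME + r"\.exe$"),
]

def process_section(report: str) -> list[str]:
    """Return the paths listed under the 'Process' header, up to the next header."""
    paths, in_section = [], False
    for line in report.splitlines():
        if line.startswith("»»»"):  # every SmitFraudFix section header starts so
            in_section = line.endswith(" Process")
            continue
        if in_section and line.strip():
            paths.append(line.strip())
    return paths

def flag_suspicious(paths: list[str]) -> list[str]:
    """Return the paths matching a suspicious pattern; matching is case-insensitive."""
    return [p for p in paths
            if any(pat.match(p.lower()) for pat in SUSPICIOUS_PATTERNS)]
```

The name heuristic is a triage aid, not a verdict: an odd system32 entry such as WnvIRQ32.exe does not match the pattern and still needs a publisher/signature check before anything is deleted.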
     
  12. kritius

    kritius TS Guru Posts: 2,084

    Start your own thread, list the problems and I'll get back to you then.
     