Antispyware-reviews.biz problem

Status
Not open for further replies.
Z

zanderbak

I have a similar problem to others who have recently posted on this site.

An advert pops up every 15mins or so alleging I have a spyware problem and links through to an anti-spyware software advert at this site: antispyware-reviews.biz/?wmid=4663&pwebmid=R3n1c2Bg8A

I can't seem to get rid of it. Hoping someone might be able to help.

HiJack this log below.

Thanks.
 

Attachments

  • zanderbak_hijackthis_log_300308.txt
    14.9 KB · Views: 6
Download Smitfraud Fix
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Clean:

Reboot your computer in Safe Mode
(before the Windows icon appears, tap the F8 key continually)

Double-click SmitfraudFix.exe

Select 2 and hit Enter to delete infected files.

You will be prompted: Do you want to clean the registry ? answer Y (yes)
and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if you are infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:

To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
----------------------------------------------------

Additional Steps:

(Start -Run)
sc stop Messenger
sc config Messenger start= disabled

Restart

Then continue to Viruses/Spyware/Malware, preliminary removal instructions
 
Cheers Kimsland.

Followed the advice and deleted C:\ProgramData\tatchyto\tsnubefg.exe.

Also found some other random unsigned programmes that were launching on start-up. They were:

C:\ProgramData\ywaopzfl\nyjyzktv.exe
C:\ProgramData\ejfnpgfj\ehszkncv.exe
C:\ProgramData\ldxdnabj\gdibwpwz.exe
and C:\Windows\System32\lstydqxq.exe

All were installed at around the same time as C:\ProgramData\tatchyto\tsnubefg.exe and all were from unknown publishers. Google searching didn't turn anything up. Hence, I deleted them all.

Not sure what impact that will have until I get in from work and can spend a prolonged amount of time on the machine. Hopefully it will have got rid of the problem.
 
Good work (glad they're deleted)

But you will need to temporarily turn off system restore (found in Control Panel - System)

Once turned off, you can then turn it back on.

This will remove any old restore points (that probably contain these files)
 
Having spent about an hour on my laptop this evening, deleting those files seems to have sorted out the problem - there haven't been any pop ups since logging on (where I would have expected there to have been).

Many thanks for your help kimsland.
 
It works! Thanks!

I don't know who you are, but you really are a tech GURU.
I searched the web for solutions to this without success.
this is the one that worked. Vista Ultimate 64...
Thank you!
 
C:\ProgramData\ywaopzfl\nyjyzktv.exe
C:\ProgramData\ejfnpgfj\ehszkncv.exe
C:\ProgramData\ldxdnabj\gdibwpwz.exe
was the folder deleted too or just the file?
 
Same issue please help!

Hi, I have the same problem. I have ran smitfraudfix too. My report is attached. I'm still having the pop ups from that site though. Any ideas? Please help! I feel like I've tried everything. Thanks so much. Here's the result from smitfraud #1:

SmitFraudFix v2.309

Scan done at 9:34:24.15, Sun 04/06/2008
Run from C:\Documents and Settings\Sandee\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\WnvIRQ32.exe
C:\Documents and Settings\All Users\Application Data\pgbcvady\hcfibmjm.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Winnov Videum NT\WvStatus.Exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\AOL\1174943572\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\Eyeball\EYEBAL~1\EyeballChat.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\ICQ6\ICQ.exe
C:\WINDOWS\system32\xqrofmfm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sandee


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sandee\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sandee\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 66.75.160.63
DNS Server Search Order: 66.75.160.64

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B7FC172B-3173-4CE6-A882-1E781558C7E9}: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B7FC172B-3173-4CE6-A882-1E781558C7E9}: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B7FC172B-3173-4CE6-A882-1E781558C7E9}: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.75.160.63 66.75.160.64
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=66.75.160.63 66.75.160.64


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Status
Not open for further replies.

Similar threads

orangeshadow
Games lag and freeze in 15-20 minute intervals.
Replies
0
Views
468
orangeshadow
orangeshadow
Daniel Sims
US Department of Justice files broad antitrust suit against Apple
2
Replies
29
Views
595
trparky
T
D
Mini PCs sold on Amazon contained factory-installed spyware
Replies
16
Views
405
Fastturtle
F

Latest posts

Back