Unsolicited website browsing

Status
Not open for further replies.

fordtran

Programmer
Jun 15, 2005
101
ZA
When I run asp.net and debug the solution, it is shown in the browser MIE6, but just after that a website named :


comes up in the browser automatically.

I have restricted it in my MIE(6) restricted sites, but all the same it comes up.
My opening page shows blank.
How can a website just open in my browser without me having an option?
Can someone please try and explain to me how this is done?
Thanks


fordtran
 
This is malware, a redirector. It is called "SmitFraud".

Download HijackThis and unpack it to a folder. (Not your desktop).

* With all applications, IE, and any mail client closed, do a scan. Save the log file;
* Go to Panda ActiveScan:

After scanning, you'll see an option to create a log after the scan has finished. Click the See Report button, then click the Save Report button. It will be saved with the name activescan.txt.

Reboot into Windows.

* Download, install, and update Ewido/AVG software:
* Launch AVG Anti Spyware by double-clicking the icon on your desktop.
* Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
* ewido will now begin the scanning process; be patient, this may take a little time.
* Once the scan is complete do the following:
* If you have any infections you will be prompted, then select "Apply all actions"

IMPORTANT! Don't save the report before you have clicked the Apply all actions button. If you do it will make it more difficult for the helper to interpret the report.

* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. Make sure to remember where you save that file.
* Now close AVG Anti Spyware.

Post back to the Forum:
- HijackThis log file
- AVG Anti-spyware log.
- Activescan log.

Likely one more application will need to be run. We will know when the logs are posted back to the forum.


____________________________
Users Helping Users
 
bcastner
Thank you very much for your help. The logfiles are somewhat long here it is :
Hijack
Logfile of HijackThis v1.99.1
Scan saved at 21:21, on 19-Nov-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\dllhost.exe
\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\DOCUME~1\PEKA\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RunBus Class - {4865F155-CE00-4E93-A414-147844D7C81A} - C:\WINDOWS\system32\tcblucsw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SelasI Class - {59F4F380-01A0-4083-9FA4-E3B827319F7E} - C:\WINDOWS\system32\vcbhaacm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe
O4 - HKCU\..\Run: [ItalU] C:\WINDOWS\system32\italfds.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{31B8D1FC-BF49-48BF-9D69-415F6C548D96}: NameServer = 192.168.10.200,192.168.10.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{31B8D1FC-BF49-48BF-9D69-415F6C548D96}: NameServer = 192.168.10.200,192.168.10.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{31B8D1FC-BF49-48BF-9D69-415F6C548D96}: NameServer = 192.168.10.200,192.168.10.100
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Active scan
Incident Status Location

Adware:adware/adrotator Not disinfected Windows Registry
Adware:Adware/Beginto Not disinfected C:\Documents and Settings\PEKA\Local Settings\Temp\smo998.tmp
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\PEKA\Local Settings\Temporary Internet Files\Content.IE5\KLAFSPYN\vcinst-update-8-31-06[1].exe[ExtractDLL.dll]
Spyware:Cookie/Atlas DMT Not disinfected C:\RECYCLER\S-1-5-21-484763869-1326574676-682003330-1003\Dc142.txt
Spyware:Cookie/Mediaplex Not disinfected C:\RECYCLER\S-1-5-21-484763869-1326574676-682003330-1003\Dc152.txt
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe[ExtractDLL.dll]
Adware:Adware/Searchtool Not disinfected C:\WINDOWS\12-b101c483c2fe3ac4a2bd5fae3377ef4f.exe[²ÅÇ]
Adware:Adware/Searchtool Not disinfected C:\WINDOWS\12-b101c483c2fe3ac4a2bd5fae3377ef4f.exe[²òÇ\SearchTool.dll]
Adware:Adware/Beginto Not disinfected C:\WINDOWS\4-efb7bab6499fc415ee93f4097033deae.exe
Adware:Adware/AdRotator Not disinfected C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:20 19-Nov-06

+ Scan result:



C:\System Volume Information\_restore{64EC28DC-96FE-4D45-8F04-4030FA95C736}\RP56\A0010788.dll -> Adware.TrafficSol : Ignored.
C:\System Volume Information\_restore{64EC28DC-96FE-4D45-8F04-4030FA95C736}\RP57\A0010856.dll -> Adware.TrafficSol : Ignored.
C:\Documents and Settings\PEKA\Local Settings\Temporary Internet Files\Content.IE5\G5U78LMD\PLAY[1].exe -> Downloader.Agent.auv : Cleaned with backup (quarantined).
C:\Downloaded files\Programs\PLAY.exe -> Downloader.Agent.auv : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-484763869-1326574676-682003330-1003\Dc142.txt -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\S-1-5-21-484763869-1326574676-682003330-1003\Dc152.txt -> TrackingCookie.Mediaplex : Cleaned.


::Report end

Hope it helps




fordtran
 
You still have evidence of Smitfraud. Please follow the instruction on this site, and then return to the instructions below:
Launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
* The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
* Start > Run > type in services.msc > [OK]
  * Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
  * Scroll down to AVG Anti-Spyware 4.5 guard > Right-click on it > Properties > Startup Type > Select Manual; Status > Select Stop > OK your way out and close the Services window.
* Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from .
* Exit AVG Anti-Spyware when the update is complete - DO NOT perform a scan yet.

4. Please download WebRoot SpySweeper from (Click on Download the trial on the right to download the 2 week trial version of the program.):
* Save the download to your desktop, then Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, exit SpySweeper

5a. If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

5b. Reboot into Safe Mode, you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Close all open windows/programs/folders. Have nothing else open/running during the next steps!

6. Scan with AVG Anti-Spyware as follows:

* Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
  * Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  * Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  * Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
* Click the "Scan" tab to return to scanning options.
* Click "Complete System Scan" to start.
* When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

Important! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

* Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports <=this folder

Exit AVG Anti-Spyware but do NOT reboot.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

7. Open SpySweeper:
* You do NOT want to use the Diagnostic option.
* Click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
  * Sweep Memory
  * Sweep Registry
  * Sweep Cookies
  * Sweep All User Accounts
  * Enable Direct Disk Sweeping
  * Sweep Contents of Compressed Files
  * Sweep for Rootkits
* Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, Copy everything in that window and Paste it into Notepad, saving the TXT file.
* Click the Summary tab and click Finish.

8. Reboot into Windows & reconnect to the internet.

9. Download & install CCleaner
Please select/download the toolbar-free CCleaner v1.34.407 (or later) - Basic version instead of the Standard Build (which also installs Yahoo Toolbar).
* Once installed, run CCleaner
* Next: click Options > click Advanced > Uncheck "Only delete files older than 48 hrs" > click [OK]
* Return to Cleaner main then click Run Cleaner (bottom right)
* A pop up box will appear advising this process will permanently delete files from your system.
* Click "OK" and it will scan and clean your system.
* Click "exit" when done.

CCleaner should be run with the above settings in each User Profile! Don't forget to do this.

IMPORTANT! Rename hijackthis.exe to findvundo.exe, then close all browser windows & scan with HijackThis (findvundo.exe). Save the log.

In a reply to this thread, please post, in order:
* the AVG Anti-Spyware report,
* the SpySweeper log,
* the Active Scan report,
* the latest HijackThis log, and tell us

Assuming no Vundo infection, you should be clean at this point.



    ____________________________
    Users Helping Users
 
I get the following when trying to visit that site :
broadbandreports.com system message

We have detected this IP address has used a web accelerator or pre-fetch agent or site mirror tool
These tools not welcome ...
Please disable it, then type in the URL http : // (remove the spaces!) to restore access immediately.

I do not know how to remove these
Thanks

fordtran
 
Disable Google web accelerator, part of the Google toolbar.


____________________________
Users Helping Users
 
I only have Google and Google toolbar helper and both are disabled, but still the same response.

fordtran
 
Download SmitfraudFix (by S!Ri) to your Desktop.
Extract all the files to your Desktop.

Now boot into Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press Enter to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.


____________________________
Users Helping Users
 
bcastner
Thanks again for your help - I appreciate. It is a long process and I will finish it tomorrow - already past midnight here. Is there a way I can contact you on another matter.
Thanks

fordtran
 
Hi Bcastner

herewith the logfiles :

SmitFraudFix v2.122

Scan done at 18:19:20.12, 20-Nov-06
Run from C:\Downloaded files\Programs\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 18:43 20-Nov-06

+ Scan result:



C:\Documents and Settings\PEKA\Cookies\peka@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end

Spysweeper and hijackthis ultimately found nothing.

See my remark in previous post
Thanks




fordtran
 
Tell me how things are going with IE now.


____________________________
Users Helping Users
 
Hi bcastner

It seems to be OK now. Thank you very much for your help.




fordtran
 
You can find me at the AUMHA forums for issues of your other concerns:
Happy Thanksgiving,
Bill Castner


____________________________
Users Helping Users
 
Hi Bill
The redirector is still active despite this process. There are a few things that did not go as planned.

1. Spysweeper only has a diagnostic option that I can run - If I say no to it, it does not run at all.
2. I cannot tick the option for sweep rootkits - it is present but untickable.
3. Some virus/spy sweeper regularly pop up with a notice of a serious threat named 'spyware.safesurfing'

Thanks


fordtran
 
Let's check for Vundo:

Please download VundoFix.exe from here:
and save it to your desktop


Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click YES

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click OK.



____________________________
Users Helping Users
 
Start, Run, regedit

Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


In the right pane, delete the value:

"WinAntiSpyware 2006 Scanner" = "C:\Program Files\WinAntiSpyware 2006 Scanner\was6.exe"


Navigate to and delete the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ExplorerUWAS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D7DE254-2FBD-4C09-9077-3DC4A2DEBE9D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1230649B-B980-44A5-B259-9B09EBEA6331}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1236DE55-EDED-4675-AF10-BA15EDDB4D7A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B11}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{_CLSID_WAShellExecuteCheck}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ExplorerUWAS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ExplorerUWAS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95411}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42611}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{12398A44-7DFC-4C46-BD8F-41259D169A0D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37411}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UWAS6.UWAS6
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwasfsd.CreationNotifier
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwasfsd.CreationNotifier.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwashellext.ShellHook
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwashellext.ShellHook.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwashellext.WASContextMenu
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uwashellext.WASContextMenu.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinAntiSpyware 2006 Scanner_is1
HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiSpyware 2006 Scanner
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uwasfsd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uwasfsd
HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\Mirabilis
HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\Mirabilis\ICQ
HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\Mirabilis\ICQ\Agent
HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\Mirabilis\ICQ\Agent\Apps
HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\WinAntiSpyware 2006 Scanner
HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\WinAntiSpyware 2006 Scanner\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B22}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95422}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37422}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wasfsd.CreationNotifier
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wasfsd.CreationNotifier.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAS_is1
HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiSpyware 2006
HKEY_ALL_USERS\Software\WinAntiSpyware 2006
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wasfsd
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\*\shellex\ContextMenuHandlers\ExplorerWAS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ExplorerWAS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ExplorerWAS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UWAS6.UWAS6
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\washellext.WASContextMenu
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\washellext.WASContextMenu.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WASPChk.WASPChk
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYSTEM\ControlSet003\Services\wasfsd


Exit the Registry Editor.



____________________________
Users Helping Users
 
Also, boot into Safe Mode.

Navigate to and delete the following files if they exist:

%Windir%\ISSM0064.DAT
%System%\lanbruns.exe
%Temp%\ExtractDLL.dll

Delete the file %System%\msxml3a.dll, if it isn't needed. If you are unsure about this, you can leave this file without causing any further harm to the computer.

Exit Windows Explorer.

Click Start > Run.
Type regedit

Navigate to and delete the following subkeys:

HKEY_CLASSES_ROOT\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
HKEY_CLASSES_ROOT\CLSID\{197B8CA4-E215-46DD-8F33-E0544A80E5C4}
HKEY_CLASSES_ROOT\CLSID\{71D1708F-973D-4600-AF01-AD86688403AE}
HKEY_CLASSES_ROOT\CLSID\{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}
HKEY_CLASSES_ROOT\Interface\{0A0CB91F-304B-44AD-9460-9C55465163A4}
HKEY_CLASSES_ROOT\Interface\{2AB7A3C6-9D09-428C-AA65-07BD49FB7065}
HKEY_CLASSES_ROOT\Interface\{32A9D21F-F510-44DC-9EA6-0456EDA04668}
HKEY_CLASSES_ROOT\Interface\{4562B6F3-DAF8-464E-87B7-5464575F0D6A}
HKEY_CLASSES_ROOT\Interface\{57CB9B97-9FF9-4C87-88A4-56A867FFC95E}
HKEY_CLASSES_ROOT\Interface\{DA4B919F-B757-4E32-8D79-DEC5C2704C4B}
HKEY_CLASSES_ROOT\Interface\{F1AD96E6-E575-44D9-9BBF-F3FDCF06C454}
HKEY_CLASSES_ROOT\TypeLib\{00DC9FF2-EA77-49C7-8DEF-722FD81CAB59}
HKEY_CLASSES_ROOT\TypeLib\{227D1E33-EAD4-4ACE-BE32-4ACFAAD072DD}
HKEY_CLASSES_ROOT\TypeLib\{33ADD70F-53AB-4F97-B4B6-997881820F6D}
HKEY_CLASSES_ROOT\TypeLib\{34A35BBB-8C19-4482-864C-290BD8DD6A5D}
HKEY_CLASSES_ROOT\Var3.RsyncHlpr.1
HKEY_CLASSES_ROOT\VBRun.VBRunDLL
HKEY_CLASSES_ROOT\VBRun.VBRunDLL.1
HKEY_CLASSES_ROOT\LowSol.RichEditor
HKEY_CLASSES_ROOT\LowSol.RichEditor.1
HKEY_CLASSES_ROOT\Pool.LANBridge
HKEY_CLASSES_ROOT\Pool.LANBridge.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Netsync
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\RsyncMon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\regsync
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vbrundll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\richedtr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\richup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\lanbrd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\lanbrup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{197B8CA4-E215-46DD-8F33-E0544A80E5C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71D1708F-973D-4600-AF01-AD86688403AE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}
HKEY_LOCAL_MACHINE\SOFTWARE\RSyncMon
HKEY_LOCAL_MACHINE\SOFTWARE\VBRun
HKEY_LOCAL_MACHINE\SOFTWARE\Lanbridge
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RSyncMon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VBRunDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RichEditor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LANBridge
HKEY_LOCAL_MACHINE\SOFTWARE\SafeSurfing
HKEY_LOCAL_MACHINE\SOFTWARE\RichEd
HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\netsync.exe
HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\regsync.exe
HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\lanbrup.exe


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the appropriate value from the following:

"RSync" = "%Windir%\netsync.exe"
"regsync" = "%System%\regsync.exe"
"richup" = "%System%\richup.exe"
"lanbrup" = "%System%\lanbrup.exe"


Exit the Registry Editor.




____________________________
Users Helping Users
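
A read-only way to confirm that the manual cleanup in the two posts above took effect, as an added example that is not part of the thread and not the posters' own code: it reports any of the listed Run values, Browser Helper Object keys and files that are still present, and deletes nothing. Checking the HKCU Run keys as well as HKLM goes beyond the posts, and mapping %System% to the Windows system directory is an assumption.

```powershell
# Read-only verification: lists leftovers, changes nothing.
# Value names, CLSIDs and file names are copied from the two posts above.
$runValueNames = @('WinAntiSpyware 2006 Scanner', 'RSync', 'regsync', 'richup', 'lanbrup')

$bhoClsids = @(
    '{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}',
    '{197B8CA4-E215-46DD-8F33-E0544A80E5C4}',
    '{71D1708F-973D-4600-AF01-AD86688403AE}',
    '{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}'
)

# Assumption: %System% in the post means the Windows system directory.
$systemDir = [Environment]::SystemDirectory
$files = @(
    (Join-Path $env:windir 'ISSM0064.DAT'),
    (Join-Path $systemDir  'lanbruns.exe'),
    (Join-Path $env:TEMP   'ExtractDLL.dll')
)

# The posts name the HKLM keys; the HKCU pair is an addition made here.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-LeftoverRunValue {
    param([string[]]$KeyPaths, [string[]]$Names)
    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($keyPath in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($valueName in $key.GetValueNames()) {
            if ($Names -contains $valueName) {      # -contains ignores case
                [pscustomobject]@{
                    Kind     = 'RunValue'
                    Location = $keyPath
                    Name     = $valueName
                    Detail   = [string]$key.GetValue($valueName, $null, $raw)
                }
            }
        }
    }
}

function Get-LeftoverBho {
    param([string[]]$Clsids)
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($clsid in $Clsids) {
        if (Test-Path -LiteralPath (Join-Path $base $clsid)) {
            [pscustomobject]@{ Kind = 'BHO'; Location = $base; Name = $clsid; Detail = 'key still present' }
        }
    }
}

function Get-LeftoverFile {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        # -Force so hidden and system files are reported too
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{
                Kind     = 'File'
                Location = $item.DirectoryName
                Name     = $item.Name
                Detail   = "$($item.Length) bytes, modified $($item.LastWriteTime)"
            }
        }
    }
}

$findings = @(Get-LeftoverRunValue -KeyPaths $runKeys -Names $runValueNames) +
            @(Get-LeftoverBho -Clsids $bhoClsids) +
            @(Get-LeftoverFile -Paths $files)

if ($findings.Count -eq 0) {
    'None of the listed Run values, BHO keys or files were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it once in each user profile, since the HKCU keys and %Temp% are per user.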
 
And could you check something for me? The link I gave you to Spysweeper was:
Are you certain you downloaded and installed only from that link?

The public trial of Spysweeper will not fix any issues, only diagnose them. I am a little baffled by your issues with the Trial I suggested, so if you could tell me if you used my Link to download Spysweeper I would appreciate it.


____________________________
Users Helping Users
 