Antispyware.com pop ups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Fran, Aug 5, 2006.

  1. Fran

    Fran Private E-2

    Hello.

    I have recently been getting supposed Windows Security Centre alerts from my computer which were taking me to Titan Shield Anti Spyware. When we installed the BT AntiSpyware tool it picked up a number of items which, when deleted, immediately came back the next time we logged on, one of which was trojan.win32.dialer.bi.

    Not being very computer literate I found your site on the internet and have followed both your Spyware Quake and SpyFalcon Removal procedure and your READ THIS procedure.

    I have the following logs
    -smitfiles.txt
    -runkeys.txt
    -newfiles.txt
    -counterspy.txt - attached
    -bdscan.txt - attached
    -activescan.txt - attached
    -hijackthis.log

    Not sure how to attach the rest in this message! Max 3??

    A few things I noticed while running these programs. The popups have now changed colour and direct me to a site selling Anti Spyware Soldier instead of Titan Shield and it still is a Freeserve web page even though I am now on BT broadband.

    I could not change the System Restore setting when I tried to follow your instructions. The PC is a Dell Dimension 2350.

    Also I could not install Microsoft Defender as it said it could not verify my operating system even though I have installed SP2 in the past.

    Hope I followed everything correctly.
    Thanks for your help in advance

    Fran
     


  2. AbbySue

    AbbySue MajorGeeks Administrator

    Welcome to MajorGeeks, Fran! :)

    To include all of the logs you need to make an additional reply to your thread and attach them. We do have a 3 attachment limit per post.

    I apologize for the confusion. I have updated the FAQ: How To Attach Items To Your Post and will do the same for the READ & RUN ME FIRST thread so that self-starters like yourself are aware of this limitation in advance. :)
     
  3. Fran

    Fran Private E-2

    Here are 3 more of the attachments I mention above.

    Also I attached smitfiles.txt in the original thread and not counterspy.txt.

    Thanks Fran
     


  4. Fran

    Fran Private E-2

    And finally the Hijackthis log which I ran after all the other actions had been carried out.

    I do hope you can help.
    Please let me know if there is anything I have missed.

    Thanks Fran
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a load of infections! One of them is Troj/Tfactory-A.

    Let's get started fixing them.


    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.


    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\smartdrv.exe
    C:\WINDOWS\system32\officescan.exe


    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
    O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
    O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
    O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
    O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
    O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
    O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
    O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll
    O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
    O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
    O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.



    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\windows\system32\a.exe
    c:\windows\system32\alxres.dll
    c:\windows\system32\bridge.dll
    c:\windows\system32\dailytoolbar.dll
    C:\WINDOWS\system32\office_pnl.dll
    c:\windows\system32\runsrv32.exe
    C:\WINDOWS\system32\smartdrv.exe
    C:\WINDOWS\system32\officescan.exe
    C:\WINDOWS\system32\susp.exe
    c:\windows\system32\tcpservice2.exe
    c:\windows\system32\txfdb32.dll
    C:\WINDOWS\SYSTEM32\aksnwklb.exe
    C:\WINDOWS\SYSTEM32\chdnidrl.exe
    C:\WINDOWS\SYSTEM32\envkqxbh.exe
    C:\WINDOWS\SYSTEM32\jrdbrrmi.exe
    C:\WINDOWS\SYSTEM32\pkmwtnay.exe
    C:\WINDOWS\SYSTEM32\qvtzwtyy.exe
    C:\WINDOWS\SYSTEM32\thjickub.exe
    C:\WINDOWS\SYSTEM32\ulylzrnh.exe
    C:\WINDOWS\SYSTEM32\wbxpglan.exe
    C:\WINDOWS\SYSTEM32\wgqhrxkx.exe
    C:\WINDOWS\SYSTEM32\yjmsqkve.exe
    c:\windows\BTGrab.dll
    c:\windows\dlmax.dll
    c:\windows\susp.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.

    Also download the newest version of ShowNew (updated since you last used it) and attach a new log from ShowNew.

    Make sure you tell me how things are working now!
     
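    As an added example (not part of the original thread, and not code from HijackThis or MajorGeeks), the PowerShell script below reproduces on a live machine the four kinds of check behind the HijackThis lines selected in the post above: O2 Browser Helper Objects whose CLSID resolves to no DLL or to a DLL that is no longer on disk (what HijackThis prints as "(no file)"), O4 Run entries in HKLM and HKCU, the R1 per-user ProxyOverride value, and the O6 Internet Explorer policy keys. It only reports; it removes nothing. It assumes an elevated Windows PowerShell 5.1 or later session on the machine being examined. The file names office_pnl.dll, runsrv32.exe and susp.exe mentioned in the comments are the ones from the thread and are not looked up specially.

```powershell
# Added example: read-only audit of the persistence points HijackThis reports
# as R1 / O2 / O4 / O6. Run elevated. Nothing is modified.

function Get-BhoReport {
    # Each subkey under this key is a BHO CLSID. IE loads the in-process server
    # registered for that CLSID under HKCR\CLSID\{...}\InprocServer32. A CLSID
    # with no server, or whose DLL is missing, is the "(no file)" case; one whose
    # DLL exists (office_pnl.dll in the thread) is a live add-on.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return @() }
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid  = $sub.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $server) {
            $dll = (Get-ItemProperty $server).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
        }
        [pscustomobject]@{
            CLSID   = $clsid
            Dll     = $dll
            Present = [bool]($dll -and (Test-Path -LiteralPath $dll))
        }
    }
}

function Get-RunEntries {
    # O4 lines: everything that autostarts from the Run keys. Random eight-letter
    # names in system32 (runsrv32.exe, susp.exe in the thread) stand out here.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            [pscustomobject]@{ Hive = $hive; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-IeSettingsReport {
    # R1: proxy settings for the current user. A ProxyServer pointing at
    # 127.0.0.1 with ProxyEnable=1 means every IE request passes through a local
    # process, which is how ad injectors rewrite pages.
    # O6: the policy keys exist only if someone created them; on a home PC that
    # is usually malware locking down Internet Options or the Control Panel.
    $inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxy = Get-ItemProperty $inet -ErrorAction SilentlyContinue
    $restrictions = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
    $controlPanel = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    [pscustomobject]@{
        ProxyEnable        = $proxy.ProxyEnable
        ProxyServer        = $proxy.ProxyServer
        ProxyOverride      = $proxy.ProxyOverride
        RestrictionsPolicy = Test-Path $restrictions
        ControlPanelPolicy = Test-Path $controlPanel
    }
}

Write-Host '== Browser Helper Objects (Present=False is what HijackThis shows as "(no file)") =='
Get-BhoReport | Format-Table -AutoSize
Write-Host '== Run keys (O4) =='
Get-RunEntries | Format-Table -AutoSize
Write-Host '== IE proxy and policy keys (R1 / O6) =='
Get-IeSettingsReport | Format-List
```

    The script reads the same registry locations HijackThis does, so its output can be compared line for line with an HJT log. Orphaned BHO CLSIDs are not dangerous by themselves, but each one is evidence that a component was installed and only partly removed, which is why they are worth clearing alongside the live entries.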
  6. Fran

    Fran Private E-2

    Hi

    I have followed all the instructions given without any problems.
    I did not receive a PendingFileRenameOperations prompt in Killbox.

    I am attaching the 2 logs you requested - the HJT one and the new version of ShowNew which I downloaded.

    I have run my Anti Spy again and this is what it picked up now - sorry for sounding ignorant but not sure if this means I still have problems or not!

    AdMess
    ZServ
    Bridge
    VX2.Pynix
    WStart.dll
    TribalFusion.com

    So far no pop ups (yet!!!)

    Thanks for your help
    Fran
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because we did not quite get everything on the first pass! Note you can ignore the TribalFusion.com one. That is probably just a cookie and is not a problem.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32fab.exe
    C:\WINDOWS\SYSTEM32\0.618490040302277.exe
    C:\WINDOWS\alexaie.dll
    C:\WINDOWS\alxie328.dll
    C:\WINDOWS\alxtb1.dll
    C:\WINDOWS\Pynix.dll
    C:\WINDOWS\ZServ.dll
    C:\WINDOWS\System32\questmod.dll
    C:\WINDOWS\System32\runsrv32.dll
    C:\WINDOWS\System32\udpmod.dll
    C:\WINDOWS\System32\winblsrv.dll
    C:\WINDOWS\System32\wstart.dll
    C:\WINDOWS\SYSTEM32\lrf.dat

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew.

    Make sure you tell me how things are working now! If you get any detections from your antivirus program, please attach a full log so I can see exactly what and where it is detecting it.
     
  8. Fran

    Fran Private E-2

    Hi

    Ran through the instructions with no problems. PendingFileRenameOperations message not received.

    AntiSpy program not picking anything up now other than some tracking cookies(?) which it says are not a security threat.

    Here are the logs.

    Hopefully everything ok now?? Need to make sure I follow your steps on Malware Prevention to stop it happening again!!!!

    Fran
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are still infected and some of the files I asked you to fix with Killbox are still there and a new one also showed up:


    C:\WINDOWS\SYSTEM32\
    questmod.dll 5 Aug 2006 12544 "questmod.dll"
    runsrv32.dll 5 Aug 2006 29184 "runsrv32.dll"
    smaexp32.dll 7 Aug 2006 8 "smaexp32.dll" <----- NEW
    udpmod.dll 5 Aug 2006 8704 "udpmod.dll"
    winblsrv.dll 5 Aug 2006 17920 "winblsrv.dll"

    You need to look for ALL of these in the C:\WINDOWS\SYSTEM32\ folder and get them deleted. Make sure viewing of hidden and system files is enabled per the READ ME. Then run Windows Explorer to look for these files. Do you see them? Can you delete them? If not, do you get an error message? Try deleting them in Safe Mode. Make sure after reboot, that they do not come back.
     
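    The reason files can survive a Killbox "Delete on Reboot" pass, and the PendingFileRenameOperations prompt that both Killbox posts ask about, come down to one mechanism. As an added example (not from the thread and not Killbox's own code), the PowerShell below shows that mechanism directly: the session manager reads the MultiString value PendingFileRenameOperations at boot, before services or any user session start, and processes it as source/destination pairs, where an empty destination means delete. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is the documented way to append to that list. The script can list what is already queued, queue a delete, and check after the reboot whether the file came back. It assumes an elevated session; the path used in the usage comment is the smaexp32.dll from the post above and is only an illustration.

```powershell
# Added example: inspect and use the PendingFileRenameOperations delete-on-reboot
# queue that Killbox drives. Run elevated.

$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingDeletes {
    # The value is a flat string array of (source, destination) pairs. Sources
    # are written in NT form, "\??\C:\...". Empty destination = delete at boot.
    # Killbox's prompt appears when this value already exists; listing it first
    # lets you see what another tool (or malware) has queued.
    $raw = (Get-ItemProperty $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $raw) { return @() }
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $dest = ''
        if ($i + 1 -lt $raw.Count) { $dest = $raw[$i + 1] }
        [pscustomobject]@{
            Source      = $raw[$i]
            Destination = $dest
            Action      = if ($dest) { 'rename' } else { 'delete' }
        }
    }
}

# P/Invoke MoveFileEx: with a null target and the delay flag it appends a
# delete entry to the value above rather than touching the file now.
$nativeSig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$Kernel32 = Add-Type -MemberDefinition $nativeSig -Name 'Kernel32Move' -Namespace 'Win32' -PassThru
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

function Add-PendingDelete {
    param([Parameter(Mandatory)][string]$Path)
    # Needs an absolute path; relative paths are meaningless at boot. The file
    # does not have to be deletable (or even closable) right now, which is the
    # point: the running malware cannot hold it open before the kernel has
    # started any process.
    $full = [System.IO.Path]::GetFullPath($Path)
    if (-not $Kernel32::MoveFileEx($full, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for ${full}: Win32 error $err"
    }
    $full
}

function Test-Removed {
    param([Parameter(Mandatory)][string[]]$Paths)
    # Run after the reboot. A file that is present again was not "not deleted";
    # it was deleted and re-created by something that still runs (the situation
    # in the post above), so the dropper or service that writes it is the real target.
    foreach ($p in $Paths) {
        [pscustomobject]@{ Path = $p; StillPresent = (Test-Path -LiteralPath $p) }
    }
}

# Usage (path taken from the thread as an illustration):
#   Get-PendingDeletes | Format-Table -AutoSize
#   Add-PendingDelete 'C:\WINDOWS\system32\smaexp32.dll'
#   Get-PendingDeletes | Format-Table -AutoSize     # the new "\??\C:\..." entry should be listed
#   Restart-Computer
#   Test-Removed 'C:\WINDOWS\system32\smaexp32.dll' # after the reboot
```

    Two points follow from how the queue works. First, because MoveFileEx appends to the existing value, queuing through the API never discards entries another tool already placed there, which is the safe answer to the PendingFileRenameOperations prompt. Second, the queue only removes files; if an autostart entry or service that recreates the file is still present, the file will be back after boot, which is exactly why the post above asks to check that the files stay gone after the reboot.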
  10. Fran

    Fran Private E-2

    Hi,

    Sorry the files had not been deleted.

    I checked that the viewing of hidden files and system files was enabled and it was.

    I deleted the files to the recycle bin and then emptied the bin all in safe mode. There were no error messages. I checked when I rebooted in normal mode and they are not there (at the moment!). The smaexp32.dll file said it was created 2 mins after the winblsrv.dll file on the 5th August so no idea why it just showed up in the newfiles.txt log.

    I have run the ShowMe program again after the deletions and the results are attached below. I didn't run a HJT log again this time. Do you want me to do that now??

    Thanks Fran
     
  11. Fran

    Fran Private E-2

    Here is the log
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job! The baddies are all gone now. ;)

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!



    After doing step 8 (you just need to update your version of Sun Java), you should then go to Add/Remove Programs and uninstall the below old versions:
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment Standard Edition v1.3.1_01
     
  13. Fran

    Fran Private E-2

    Hi

    Just running through the "How to Protect Yourself from Malware" thread and was testing the AVG Free Anti Virus software and it picked up a file it said was a trojan horse generic.SDO.

    c:\windows\system32\ssghgguo.dby The file was created on the 4th August.

    I don't seem to be having problems with the computer anymore.

    What do I do with it - AVG didn't "heal it"?

    Thanks Fran
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just have AVG delete the file. If it cannot do it in normal boot mode, just delete it yourself after booting in safe mode. You could also run AVG in safe mode. Sometimes that works too (that is why much of the READ & RUN ME is run in safe mode).
     
  15. Fran

    Fran Private E-2

    Hi

    Done that and all seems good. AVG has put a couple of old supposed "trojan horse" files into its vault and nothing else has been detected, so I guess we are all clear of problems and up to date on protection.

    Thanks so much for all your help - not sure what we would have done if we hadn't found the website. Hopefully won't need your help again.

    :)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! You should empty AVG's vault once you are comfortable that the files it has put there are not needed by you for anything.
     
