New In Town w/Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by OGRocky, Mar 20, 2007.

  1. OGRocky

    OGRocky Private E-2

    Hello All-

    As you can undoubtedly see, this is my first post. I have been in and out of the forum for quite some time; I find it extremely helpful and recommend it to anyone needing tech assistance.

    Recently, my IE (ver. 7, XP) has been taken over by some type of adware. Each time I run IE, I get a myriad of pop-ups and attempted but blocked pop-ups (shine8.com, cnomy.com, youronlinereview.com, etc.) and occasionally a short musical tone will accompany the impending pop-up or attempted pop-up. Sometimes, a Symantec scan shows a Bloodhound.Exploit.6 was blocked, but has not really done much more than list an Exploit.6 on one full-system scan.

    I recently completed each step of the READ & RUN ME FIRST post using all listed virus/malware checks (except Panda) and two online sweeps. They each found something different (often tracker cookies) and I have saved all text logs. After all this, I started running a second Spy Sweeper scan in normal mode and heard that dreaded musical tone and saw a quick flash of the screen. As this happened, the sweep was finding instances of dealhelper and an overture cookie.

    In any event, I am hoping you all can provide some assistance; I have attached copies of my Hijack This, newfiles, and runkey logs.

    Thanks greatly for any help you all can provide.

    OGRocky
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We also need the logs for:
    • CounterSpy
    • AVG Antispyware log - ONLY IF NEEDED (if you were not able to run CounterSpy)
    • Bitdefender
     
  3. OGRocky

    OGRocky Private E-2

    Ok. Here you go. Thanks for the prompt reply.

    1. AVG Log (1 of 2)

    2. Spy Sweeper Log (from safe mode)

    3. BitDef Log
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re-run AVG Anti-spy and have it remove/quarantine all that it finds.

    Use windows explorer to find and delete these:

    C:\WINDOWS\SecureWin31.dll
    C:\WINDOWS\secureWin32.exe
    C:\WINDOWS\secureWin33.exe

    If they won't delete, run KillBox and delete them through that.

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)

    After clicking Fix, exit HJT.

    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT
     
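    One way to check the O2 line and the three files named above from a defender's seat, as an added example that is not part of the thread or of HijackThis: it lists registered Browser Helper Objects, resolves each one's DLL the way HJT's O2 line does, and flags entries with no file on disk. The CLSID and paths are the ones quoted in the post; the script is read-only and assumes a current PowerShell.

    ```powershell
    # Added example (not from the thread): enumerate Browser Helper Objects,
    # mark any whose DLL is missing (HJT's "(no file)"), and check the three
    # SecureWin paths. Nothing is deleted or changed.

    $bhoKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $suspectClsid = '{A75E294E-C047-4D29-B07E-37B792881BEF}'   # CLSID from the HJT O2 line above
    $suspectFiles = @(
        'C:\WINDOWS\SecureWin31.dll',
        'C:\WINDOWS\secureWin32.exe',
        'C:\WINDOWS\secureWin33.exe'
    )

    function Get-BhoReport {
        if (-not (Test-Path -LiteralPath $bhoKey)) { return @() }
        Get-ChildItem -LiteralPath $bhoKey | ForEach-Object {
            $clsid = $_.PSChildName
            # The DLL a BHO loads is the default value of its CLSID's InprocServer32 key
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path -LiteralPath $inproc) {
                $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            }
            [pscustomobject]@{
                CLSID    = $clsid
                Dll      = $dll
                # Registered but nothing on disk to load: the "(no file)" case
                Orphaned = (-not $dll) -or (-not (Test-Path -LiteralPath $dll))
                Flagged  = ($clsid -ieq $suspectClsid)
            }
        }
    }

    Get-BhoReport | Format-Table -AutoSize

    foreach ($f in $suspectFiles) {
        if (Test-Path -LiteralPath $f) { "PRESENT: $f" } else { "absent:  $f" }
    }
    ```

    An Orphaned entry matches what HJT reports as "(no file)"; a Flagged one is the exact CLSID the post asked to fix.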
  5. OGRocky

    OGRocky Private E-2

    Tim-

    Will do. I'll post the logs ASAP. Thanks greatly for your help.
     
  6. OGRocky

    OGRocky Private E-2

    Hey Tim-

    As requested, I re-ran AVG (only found a tracker cookie), deleted the three files, ran the fixME file, and ran Hijack, GetRun, and Show. I have attached the logs. One item of note: the "O2 - BHO: Internet Security" line was not in my HJT scan, so I did not use the Fix.

    Again, thanks for your time.

    OGRocky
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean. You may uninstall any programs we had you download.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore, which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  8. OGRocky

    OGRocky Private E-2

    Hey Tim-

    Thanks so much for your time and assistance. I wish I could return the favor in some way.

    For my own personal knowledge (every little bit helps) was the problem primarily, partially, or completely with the three SecureWin files?

    Again, thanks.

    OGRocky
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Primarily... most of the rest was cleaning out your quarantine folders... safe surfing!
     
