An unsolicited site constantly enters my browser using the URL “asecuremask.com” or “virusprotectpro.com”, and cannot be deleted. It doesn't appear in the startup list or in the add/remove list in the control panel, nor in C:\Program Files.
It also is not detected by an Ad-Aware scan.
An icon blinks in the systray and every 5 minutes or so sends a warning and a proposal to scan.
I enclose my last HijackThis log; perhaps anybody can point out the culprit or give me advice on how to get rid of this annoyance.
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 6:02:43, on 04-Sep-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
DO NOT RUN ANY OTHER OPTIONS UNTIL REQUESTED TO. This is very important to get an optimal and comprehensive fix. Warning : running option #2 on a non infected computer will remove your Desktop background.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm
Scan done at 9:29:41.01, 04-Sep-07
Run from C:\Documents and Settings\dv\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dv
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\dv\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\dv\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\Video ActiveX Access\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Click the Download BUTTON. On the next page click the Download now BUTTON.
Save and then install (Run) from the save location.
Open/Run AVG Anti-Spyware
Wait a few moments and AVG Anti-Spyware should Auto update itself (note date of last update). If it doesn't update, click the update ICON at top of screen:
Click on the Update now LINK at the top of the window
Click on the Start update button
Wait for the update to download and install
This is very important to get the LATEST updates
Click on the Status ICON
Under "Your computers Security"
Click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)
Click on the Scanner ICON at the top of the window
Click on the Settings tab then select Recommended Actions and choose Quarantine
When updating has finished, close AVG Anti-Spyware.
We will be using this tool in a later step.
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Running SmitfraudFix – 2nd Part
Once in Safe Mode, double-click on SmitfraudFix.exe. Warning: running option #2 on a non-infected computer will remove your Desktop background.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Restart your computer in Safe Mode again.
AVG Anti-Spyware - 2nd Part
Click on Scanner on the toolbar.
Click on Complete System Scan to start the scan process.
Let the program scan your computer.
When the scan has finished, follow the instructions below:
Make sure that Set all elements to: shows Quarantine
Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
When the program has finished, it will display the message All actions have been applied.
Then click the Save Scan Report button.
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Tray Icon and select Exit.
Now copy the report back to this topic.
Run a new HijackThis (HJT) scan.
Please ensure that you have posted the SmitfraudFix, AVG, and HJT logs in this thread.
Thank you
I suppose that SmitfraudFix did the job when in Safe Mode. However, the bogus sites disappeared.
I attached the three log files which you requested.
BTW, I found that the annoying sites are hosted in Ukraine, and I sent a notice to the host (abuse@inhoster.com), but no reply. It appears to be a regular server, with full address and phone. Can anything be done to prevent fraud from him in the future?
Thanks again
Yochanan
Your file attachments were very difficult to read since each letter of each word has a space after it in NOTEPAD and other editors. Try pasting directly into the post rather than using attachments, and/or use a different editor to manipulate such text. Try opening your attachments - you may see what I mean.
The following will be minor housecleaning items.
Read over the following directions. Ask if anything appears unclear to you.
Clean out TEMPORARY FILES procedures:
To clean your temp folder, recycle bin, etc., please download this free tool:
Don't install any Toolbars, or other programs, should it ask you!
Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.
Do not run CCleaner until requested later.
We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
Make sure that all browser windows and internet links are closed, even this one! CLICK ’FIX CHECKED’ with HijackThis.
HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here
SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).
Delete TEMPORARY FILES: Now, use CCleaner to hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):
Run CCleaner.
FIRST-TIME USE:
Select the "Options" BUTTON option (top LEFT), "Advanced" BUTTON, and then UNCHECK the "Only delete files in Windows Temp Folders older than 48 hours". Set back to default afterwards.
Select the "Cleaner" BUTTON option (top LEFT), if not already selected. Use the "Windows" TAB up front by default.
Uncheck "Cookies" option (advisable)
Optionally, Uncheck "Recently Typed URLs" option (potentially still useful)
Click the "Analyse" button.
Thereafter, click "Run Cleaner" after you have reviewed what it proposes to clean.
***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.
Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
DELETE FILES:
ALCMTR.EXE
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
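As an added example (not from the thread, and not part of HijackThis or any of the tools it mentions), here is a small Python parser for the O2 (BHO) and O4 (autostart) log lines of the kind the helper selected for fixing. It applies the two checks implicit in that fix list: a BHO whose DLL is marked "(file missing)", and an O4 autostart given as a bare filename rather than a full path. The sample lines are constructed; the benign-looking entries use placeholder names and a placeholder CLSID.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample log excerpt: the two items the helper asked to fix,
# plus two benign-looking entries with placeholder names/CLSID (not from the thread).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKCU\..\Run: [ExampleTool] C:\Program Files\Example\tool.exe
"""

# O2: "O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
# O4: "O4 - HKLM\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

@dataclass
class Entry:
    section: str                 # "O2" or "O4"
    raw: str                     # the original log line
    fields: dict                 # named groups from the matching regex
    findings: List[str] = field(default_factory=list)

def parse_hjt(text: str) -> List[Entry]:
    """Parse O2 and O4 lines into entries; lines from other sections are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, rx in (("O2", O2_RE), ("O4", O4_RE)):
            m = rx.match(line)
            if m:
                entries.append(Entry(section, line, m.groupdict()))
                break
    return entries

def review(entries: List[Entry]) -> List[Entry]:
    """Attach the two heuristics used in the thread's fix list to each entry."""
    for e in entries:
        if e.section == "O2" and e.fields["missing"]:
            e.findings.append("BHO registered but its DLL is gone: orphaned "
                              "registration left behind by a removed component")
        if e.section == "O4" and "\\" not in e.fields["cmd"].strip().strip('"'):
            e.findings.append("autostart uses a bare filename resolved via the "
                              "search path, so where it really loads from is unknown")
    return entries

def flagged(text: str) -> List[Entry]:
    """Return only the entries that carry at least one finding."""
    return [e for e in review(parse_hjt(text)) if e.findings]
```

Running `flagged(SAMPLE_LOG)` returns exactly the two lines the helper had the poster fix; the entries with a full path and an existing DLL produce no finding.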
Logfile of HijackThis v1.99.1
Scan saved at 8:07:48, on 10-Sep-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Congratulations, your log shows that your SYSTEM IS CLEAN
There are a few things you must do once you are completely clean:
Re-hide your System Files and Folders to prevent any future accidents.
Reconfigure Windows XP to hide hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading deselect "Show hidden files and folders".
Check the "Hide protected operating system files (recommended)" option.
Click Yes to confirm. Click OK.
Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:
TO DISABLE SYSTEM RESTORE
Right-click "My Computer", and then left click "Properties".
Left click on "System Restore Tab"
Check box beside "Turn Off System Restore"
Left click on "Apply"
Reboot your System
TO ENABLE SYSTEM RESTORE
Remove check mark from "Turn Off System Restore"
Click on "Apply"
Here are some tips to reduce the potential for spyware infection in the future:
Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.
I strongly recommend installing the following applications:
SpywareBlaster <= SpywareBlaster will prevent spyware from being installed.
SpywareGuard <= SpywareGuard offers realtime protection from spyware installation attempts.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware; I strongly recommend both to catch most spyware.
To protect yourself further:
Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.