Old 12-02-2008, 03:42 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP SP3


Same Ads in different websites, possible spyware

Hello everybody


I'm having some problems with different websites. It keeps showing the same ads over and over but in different websites, mostly the ones that are popular like msn.com. This keeps showing in Firefox as in IE. I have tried using Spybot S&D, no results. Scanned the whole computer with AVG and ESET. No threats found. I have also checked the ads on my laptop and I never came across them there.

Could anyone help me with this log?

Much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:21, on 2-12-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20900)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\PROGRA~1\Ideazon\Reaper\Reaper_Settings.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 72.167.163.234 www.google-analytics.com
O1 - Hosts: 72.167.163.234 pagead.googlesyndication.com
O1 - Hosts: 72.167.163.234 pagead2.googlesyndication.com
O1 - Hosts: 72.167.163.234 ads1.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Reaper Gaming Mouse] C:\PROGRA~1\Ideazon\Reaper\Reaper_Settings.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/.../GAME_UNO1.cab
O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata...SUploader4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)

--
End of file - 6812 bytes
MnR11 is offline  
Old 12-02-2008, 02:36 PM   #2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Same Ads in different websites, possible spyware

Hi, welcome to TSF!

Before we continue, please follow the instructions presented in this thread: http://www.techsupportforum.com/secu...oval-help.html then post the requested logs.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 12-18-2008, 10:59 AM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP SP3


Re: Same Ads in different websites, possible spyware

Quote:
Originally Posted by Angelfire777 View Post
Hi, welcome to TSF!

Before we continue, please follow the instructions presented in this thread: http://www.techsupportforum.com/secu...oval-help.html then post the requested logs.
Thanks for your reply. I have made the logs. Hope this helps.



DDS (Version 1.1.0) - NTFSx86
Run by Mounir at 19:17:37,46 on do 18-12-2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1023.322 [GMT 1:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\Ideazon\Reaper\Reaper_Settings.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Documents and Settings\Mounir\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Mounir\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Documents and Settings\Mounir\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mounir\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mounir\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mounir\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mounir\Mijn documenten\Downloads\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = www.google.nl
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Reaper Gaming Mouse] c:\progra~1\ideazon\reaper\Reaper_Settings.exe
uRun: [Google Update] "c:\documents and settings\mounir\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Zboard] c:\program files\ideazon\zengine\Zboard.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\mounir\menust~1\progra~1\opstar~1\hamachi.lnk - c:\program files\hamachi\hamachi.exe
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mounir\applic~1\mozilla\firefox\profiles\txet5z8l.default\
FF - plugin: c:\documents and settings\mounir\application data\mozilla\firefox\profiles\txet5z8l.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll

============= SERVICES / DRIVERS ===============

R1 atitray;atitray;\??\c:\program files\radeon omega drivers\v4.8.442\ati tray tools\atitray.sys [2008-4-8 17952]
R2 ekrn;Eset Service;"c:\program files\eset\eset smart security\ekrn.exe" [2008-7-1 468224]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\RaInfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-4-29 47640]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-15 27992]
R3 Alpham1;Ideazon Merc USB Human Interface Device;c:\windows\system32\drivers\Alpham1.sys [2007-7-23 42624]
R3 Alpham2;Ideazon Merc MM USB Human Interface Device;c:\windows\system32\drivers\Alpham2.sys [2007-3-20 18432]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]
S2 dnscon;DNS Connection;c:\windows\system32\svchost.exe -k LocalServices [2004-8-4 14336]
S2 NetManager;Network Manager Service;c:\windows\system32\svchost.exe -k netm [2004-8-4 14336]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe /s c:\windows\nod32fixtemdono.reg [2001-9-7 3584]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys []
S4 LMIRfsClientNP;LMIRfsClientNP; []

=============== Created Last 30 ================

2008-12-15 20:57 286,720 -c------ c:\windows\system32\dllcache\gdi32.dll
2008-12-02 12:34 <DIR> --d----- c:\program files\Trend Micro
2008-12-01 14:42 5,702 a---h--- c:\windows\nod32restoretemdono.reg
2008-12-01 14:42 568 a---h--- c:\windows\nod32fixtemdono.reg
2008-12-01 14:42 <DIR> --d----- c:\docume~1\mounir\applic~1\ESET
2008-12-01 14:40 <DIR> --d----- c:\program files\ESET
2008-11-26 00:44 80 a------- C:\bootdelete.lst
2008-11-25 15:02 224,016 a------- c:\windows\system32\TabCtl32.ocx
2008-11-25 15:02 <DIR> --d----- c:\program files\GTASACenter
2008-11-25 14:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro
2008-11-25 14:40 <DIR> --d----- c:\program files\Hitman Pro 3
2008-11-25 14:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro 3
2008-11-24 20:26 <DIR> --d----- c:\program files\PC Satellite TV
2008-11-24 19:51 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-24 17:26 <DIR> --d----- c:\docume~1\mounir\applic~1\Xfire
2008-11-24 17:25 <DIR> --d----- c:\program files\Xfire
2008-11-20 21:44 42,320 a------- c:\windows\system32\xfcodec.dll
2008-11-20 10:53 <DIR> --d----- c:\docume~1\mounir\applic~1\Ideazon
2008-11-20 10:51 <DIR> --d----- c:\program files\Ideazon

==================== Find3M ====================

2008-12-02 12:46 513,746 a------- c:\windows\system32\perfh013.dat
2008-12-02 12:46 92,824 a------- c:\windows\system32\perfc013.dat
2008-11-12 14:17 98,304 a------- c:\windows\DUMP700f.tmp
2008-11-10 15:41 47,640 a------- c:\windows\system32\drivers\LMIRfsDriver.sys
2008-11-10 15:41 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2008-11-10 15:41 28,984 a------- c:\windows\system32\LMIport.dll
2008-11-10 15:41 87,352 a------- c:\windows\system32\LMIinit.dll
2008-11-10 15:41 23,736 a------- c:\windows\system32\lmimirr.dll
2008-11-10 15:41 10,040 a------- c:\windows\system32\lmimirr2.dll
2008-10-24 12:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:43 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:50 827,904 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 11:05 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 00:46 81,920 a------- c:\windows\system32\frapsvid.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-05-21 08:07 1,914 a------- c:\docume~1\mounir\applic~1\SAS7_000.DAT
2008-05-08 20:38 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-05-08 20:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\index.dat
2008-05-08 20:37 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008050820080509\index.dat
2008-05-08 20:38 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 19:18:20,81 ===============
Attached Files
File Type: zip Attach.zip (4.4 KB, 1 views)
MnR11 is offline  
Old 12-19-2008, 10:22 AM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Same Ads in different websites, possible spyware

Hi,

NOD32 v3.0.642 FiX1.2 by TemDono (31 days remaining forever up

This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal.

Referring to the Forum Rules which you should have read at the time of registering at this forum, TSF does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.


I suggest you get a free one if you can't afford buying one.

Avira Antivir: http://www.free-av.com is pretty good.

If that is understood, please proceed.


*P2P - I see you have P2P software ( FrostWire 4.13.5) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

http://www.techsupportforum.com/secu...e-sharing.html

I would strongly recommend that you uninstall this. You can do so via Control Panel >> Add or Remove Programs.


*Your logs look pretty clean so I suspect that it may be the sponsor program that came with Messenger Plus! Live. This is odd though because it usually shows somewhere. Nevertheless, let's try that.

Please uninstall Messenger Plus! Live

The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

The Sponsor Screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

If you entered the code properly, the program will ask you to confirm that you want to Uninstall. You must answer "Yes" to this question, or else, you won't have another chance of Uninstalling.

To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, restart your computer.


Also, please uninstall this older version of Java: Java(TM) 6 Update 5


*I would like you to scan a file for me.

Please go HERE. Copy and paste the following file path into the box.

C:\windows\system32\drivers\spot.sys

Then click submit.

Please post the results to your next reply.


On your next reply, please include a
  • Fresh DDS log (just dds.txt)
  • A detailed description on how's your machine running.
  • virustotal scan result
Angelfire777 is offline
Old 12-20-2008, 06:34 AM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP SP3


Re: Same Ads in different websites, possible spyware

Hi, thank you for your response. I have uninstalled ESET and the fix. Uninstalled Messenger Plus!, FrostWire and Java Update 5. Installed AntiVir. Only the spot.sys file was not found on my system; I have searched the whole PC, no results.

Here is the new DDS file:
Attached Files
File Type: txt DDS.txt (9.8 KB, 2 views)
MnR11 is offline  
Old 12-21-2008, 11:49 AM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Same Ads in different websites, possible spyware

Hi,

*Click Start > Run > copy and paste:

sc delete dnscon

Press Enter.

Do the same for this:

sc delete NetManager


*Delete these files:

c:\windows\nod32restoretemdono.reg
c:\program files\ESET << folder
c:\documents and settings\mounir\application data\ESET << folder


*Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:

    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply
Last edited by Angelfire777; 12-21-2008 at 11:51 AM.
Angelfire777 is offline
Old 12-21-2008, 05:30 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP SP3


Re: Same Ads in different websites, possible spyware

Here is the log file of the virusscan.
Attached Files
File Type: zip DrWeb.zip (404 Bytes, 1 views)
MnR11 is offline  
Old 12-21-2008, 09:49 PM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Same Ads in different websites, possible spyware

How's it running?
Angelfire777 is offline
Old 12-22-2008, 02:34 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP SP3


Re: Same Ads in different websites, possible spyware

Quote:
Originally Posted by Angelfire777 View Post
How's it running?

I'm still having those ads in websites to see. I have made 6 screenshots, 2 of each browser I have installed on my PC: IE, Firefox and Google Chrome. I'm seeing ads that I don't think the websites have posted on their websites. It's like the spyware/malware is taking over the regular ads that are in the websites by its own ads. I'm having this problem for a couple of months now, just installed Chrome a week ago and seeing the same ads there too. I took 2 websites as an example: http://nl.msn.com and http://www.then82blog.com
Attached Files
File Type: zip Screen_ads.zip (1,003.4 KB, 2 views)
MnR11 is offline  
Old 12-22-2008, 10:02 AM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Same Ads in different websites, possible spyware

Can you post a fresh dds.txt please.
Angelfire777 is offline
Old 12-22-2008, 12:43 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP SP3


Re: Same Ads in different websites, possible spyware

Here it is..
Attached Files
File Type: txt DDS.txt (10.1 KB, 1 views)
MnR11 is offline  
Old 12-25-2008, 04:23 PM   #12 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Same Ads in different websites, possible spyware

Sorry for the delay in responding.

Holiday's keeping me busy ..

Stay tuned.
Angelfire777 is offline
Old 12-26-2008, 04:40 AM   #13 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP SP3


Re: Same Ads in different websites, possible spyware

no problem :D
MnR11 is offline  
Old 12-26-2008, 11:13 PM   #14 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Same Ads in different websites, possible spyware

Hi,

Looks like something in your hosts file is redirecting the ads showing in msn..

Please download HostsXpert.
  • Unzip HostsXpert to its own folder.
  • Run HostsXpert.exe
  • Click "Make Writable?" in the upper left corner.
  • Click "Restore MS Hosts file" and then click OK.
  • Close HostsXpert.
  • Note: If a custom Hosts file was in place, you'll have to edit those entries back in.

Please post a fresh dds.txt and let me know how's it running.

Last edited by Angelfire777; 12-26-2008 at 11:15 PM.
Angelfire777 is offline  
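
The hosts-file redirect diagnosed in the post above is already visible in the `O1 - Hosts:` lines of the HijackThis log from post #1. The following is an added example, not part of the original thread or any poster's reply: a small Python check that pulls those lines out of a log and flags hostnames forced to a non-local address. The function names are hypothetical, and the `localhost` line in the sample is constructed to show a benign entry; the other O1 lines are copied from the log.

```python
import ipaddress
import re
from collections import defaultdict

# O1/O2 lines copied from the HijackThis log in post #1.
# The 127.0.0.1 localhost line is constructed (a normal default entry).
SAMPLE_LOG = """Boot mode: Normal
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 72.167.163.234 www.google-analytics.com
O1 - Hosts: 72.167.163.234 pagead.googlesyndication.com
O1 - Hosts: 72.167.163.234 pagead2.googlesyndication.com
O1 - Hosts: 72.167.163.234 ads1.msn.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

# HijackThis reports each hosts-file mapping as "O1 - Hosts: <ip> <hostname>".
O1_RE = re.compile(r"^O1 - Hosts:\s*(\S+)\s+(\S+)")


def parse_o1_entries(log_text):
    """Return (ip, hostname) pairs from the 'O1 - Hosts:' lines of a log."""
    entries = []
    for line in log_text.splitlines():
        match = O1_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).lower()))
    return entries


def is_local_sink(ip_text):
    """True for loopback or 0.0.0.0-style addresses.

    Blocklist-style hosts files point names at these on purpose, so such
    entries keep traffic on the machine and are not redirects.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: leave it in the suspicious set
    return ip.is_loopback or ip.is_unspecified


def find_redirects(entries):
    """Group hostnames by the non-local IP the hosts file maps them to."""
    redirects = defaultdict(list)
    for ip, host in entries:
        if not is_local_sink(ip):
            redirects[ip].append(host)
    return dict(redirects)


def domain_hint(host):
    """Last two labels of a hostname: a rough stand-in for the owning domain."""
    return ".".join(host.split(".")[-2:])


def report(log_text):
    """One finding per redirect IP, with the domains it answers for."""
    findings = []
    for ip, hosts in find_redirects(parse_o1_entries(log_text)).items():
        domains = sorted({domain_hint(h) for h in hosts})
        findings.append({
            "ip": ip,
            "hosts": hosts,
            "domains": domains,
            # One address answering for several unrelated domains is the
            # pattern seen in this thread (ad and analytics hosts together).
            "multi_domain": len(domains) > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        flag = "REVIEW" if finding["multi_domain"] else "check"
        print(f"[{flag}] {finding['ip']} <- {', '.join(finding['hosts'])}")
```

The same functions work on any saved HijackThis log; a hosts file that only maps names to 127.0.0.1 or 0.0.0.0 produces no findings.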
Old 12-27-2008, 01:22 AM   #15 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP SP3


Re: Same Ads in different websites, possible spyware

Hi,

I guess that helped.

After I restored the hosts file, I did a /flushdns for sure.

But it seems that everything is OK now.

Thank you very much for your help
Attached Files
File Type: txt DDS.txt (10.7 KB, 1 views)
MnR11 is offline  
Old 12-27-2008, 09:53 AM   #16 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Same Ads in different websites, possible spyware

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.


Please check out Tony Klein's article "How did I get infected in the first place?"

And miekiemoes' "How to Prevent Malware"

Happy safe surfing and Happy Holidays!

Note: Please reply to this thread one last time so I could mark it as resolved.
Angelfire777 is offline
Old 12-27-2008, 02:01 PM   #17 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: Windows XP SP3


Re: Same Ads in different websites, possible spyware

Thanks for your help Angelfire :)

I did those last steps and great articles, only the first one is offline atm, so I will check that out later. And pass it on to my friends.

Thanks again
MnR11 is offline  
 






All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum