Tilted Forum Project Discussion Community - View Single Post

Cynthetiq · 03-28-2008, 05:08 PM

I'm wondering if all those little helper apps aren't just flagging it s a privacy issue. since none of the other adware and other secruity apps aren't going apeshit.

GNX Bingo is also suspect

Freeze.com toolbar

Quote:

Adware.Softomate Adware.Softomate is a potentially unwanted adware program that installs a toolbar in Internet Explorer. It does not provide a EULA nor displays a license agreement when installed.
Adware.Maxifiles Maxifiles adds a toolbar onto your task manager and creates pop-up advertisements.
Spyware.Rogue_Anti-Spyware_Products Rogue and suspect anti-spyware products use deceptive and unfair practices to trick consumers into purchasing them. Methods can include not providing proven, reliable anti-spyware protection or being prone to ridiculous false positives; unfair, deceptive or high pressure sales tactics; being associated with known distributors of spyware/adware or having been known to install spyware/adware themselves.

GNX Bingo

Quote:

Security Risk Description
Adware.Agent.BN Adware.Agent.BN is an adware program that displays pop-up advertisements and adds a runkey to run at startup, and also modifies Windows system configuration in order to download more malwares on to infected computer.

everytime you open your browser you reinfect yourself with this line:

Code:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2

these other items are also suspect. It looks like you cleaned off some of the Freeze.com toolbar but not all of it.

Code:

O21 - SSODL: bokpkov - {77A17D2D-E12E-46B6-9A42-6066EBA42BED} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {10AFEF02-A70D-4578-8234-8706725C4B95} - C:\WINDOWS\altvxvm.dll

R3 - URLSearchHook: (no name) - {65255C76-B542-44A2-BA6F-2D6B2DF2DB34} - (no file)
R3 - URLSearchHook: (no name) - {E26029B4-C5E8-4645-9C02-E798715F8C0D} - (no file)

O2 - BHO: GNX Bingo - {7DEE5BA2-CB70-4BBB-BD94-208BBA8AA6C4} - C:\WINDOWS\drnpfdxlsk.dll
Toolbar: Freeze.com Toolbar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\Freeze.com Toolbar\freeze_us.dll (file missing)
BHO: TBSB04757 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Freeze.com Toolbar\freeze_us.dll (file missing)

This is the best help I can do next to doing it myself. The other thing to do is to tell your g/f to stop downloading a bunch of extra crap. Codecs to watch porn is a good way to get infected these days. So are all those toolbars and "fun" helper applications.

Quote:

How to remove softwarereferral/safewebnavigate hijackers and etlrlws toolbar
Softwarereferral infection is a hijacker. If your computer was infected, you got many popups, Internet Explorer start page changed to softwarereferral.com, blinking stopsign with X in system tray, continual system alert popups.

Download HijackThis and double click on the file for install.
Download CCleaner. Double click on the file for install.
Download Combofix.
Download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.

Reboot your computer again in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items (if exists):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll
O2 - BHO: GNX Bingo - {B2DCA34E-9D1C-4EDA-A1BE-C24D1B4AAE55} - C:\WINDOWS\kdftlboepta.dll
O2 - BHO: GNX Rolex - {CD6DCA54-AE70-4562-BD9E-0C0A32F01347} - C:\WINDOWS\drnpfdxsnp.dll
O3 - Toolbar: etlrlws - {13F5AE57-486D-41B6-BA43-806EA7CCAE14} - C:\WINDOWS\etlrlws.dll
O4 - HKCU\..\Run: [awedpedp] C:\WINDOWS\system32\naxgxwbu.exe
O4 - HKLM\..\Policies\Explorer\Run: [bZ76ULmU0g] C:\Documents and Settings\All Users\Application Data\titkpyhg\vyzwdszw.exe
O21 - SSODL: bokpkov - {919071FA-540C-4492-BE14-79F7E72B24A1} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {360925C8-9CA2-4D10-9C9D-4DA09A5840FB} - C:\WINDOWS\altvxvm.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Note: SSODL modules can have random name(blue color) and some different clsid(red color), use google for check them.

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Press the number 2 on your keyboard and the press the enter key to choose the option Clean (safe mode recommended).

You will be prompted : “Registry cleaning - Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Close any open browsers. Double click on combofix.exe and follow the prompts.

Run CCleaner.

Click Analyze button. After scan your system, click Run Cleaner.

If everything seems to be good - pop ups are gone, no any redirects, then you should make a new restore point.Disable system restore to flush out infected restore points. Reboot your computer again. Turn on Windows System Restore. After that click START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE. click on “create new restore point” > click on NEXT and follow the prompts.

If you are still having problems with spyware after completing these instructions, maybe you have another version of the infection, then please follow the steps: How to use Spyware Removal Forum.