Nasty spyware / malware problem in IE 6


Jason

Hi,

A work colleague's computer (XP sp 1, IE 6) has been infected with some
sort of spyware, he is getting a ring tones advertising window appearing
occasionally, but the most worrying problem is that he is getting
redirected from a URL. Whenever he visits one of our customers' https sites
he gets redirected to:

http://www.art.com/asp/display_artist-asp/_/Aff--CONF/CTID--46302150/RFID--028648/TKID--

or similar!

I've run Ad-aware 6.0, spybot & CWS Shredder and removed everything harmful
found, I've done an ipconfig /flushdns & also removed all cookies & offline
content. A full AV scan (NAV corporate) didn't bring anything up either.
After searching the registry:

HKLM/Software/Microsoft/Windows/CurrentVersion/Run (I think?)

I found a reference to a file called "automove.exe" in c:\windows\system32.

I removed the "automove.exe" registry entry but it keeps reappearing, I
then moved the file away but we're still getting the same problem. I've
recently tried uninstalling IE, running reclean & then reinstalling IE,
again to no avail. Finally I installed Mozilla on his PC which accesses the
site OK, but unfortunately some important pages (using flash) don't
display; I know these pages are OK as they can be displayed correctly using
IE on another PC.

Does anyone have any ideas of other things I can try?

TIA, Jase.
 

Jan Il

Hi Jason :)

It is likely you have malware, or hijackware on your system causing the
problem, which your antivirus will not detect, as it does not have the same
definitions.

Try this and see if it helps.

Tools > Internet Options > Advanced > Browsing
Uncheck the Enable 3rd party browser extensions

Then do the following to clean the cause from your system:

Download and install, then run the programs below. They are free and very
effective. It is important that you do all the steps and follow all
directions carefully:

(NOTE: If you cannot download these programs from the Internet, if your PC
has CD read capabilities, go to another computer with CD-ROM burning
capabilities. Create a folder on the hard drive of the other computer called
HOLD, download the programs to that folder, then burn that folder to a CD.
Copy the HOLD folder to your HD and then install the programs from there
and run them. After you have IE access again, update all programs where
possible to get the latest definitions and run them again to be sure there
are no lingering items on the system.)

CWShredder: Free
http://tinyurl.com/2l9kl

HiJackThis: Free

Go to
http://computercops.biz/downloads-cat-14.html ,
or
http://tinyurl.com/2oce8
and download HiJackThis. Unzip to a folder other than your Desktop or the
Temp folder, double-click HiJackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button. Press that, and save the log someplace where you will remember it.
Most of what it lists will be harmless or even required, so DO NOT fix
anything yet.

Open the copy of your log in NotePad and make a copy. Then you can go here
to post your log:

Jim Eshelman's site here:
AumHa Forums - HiJackThis section:
http://forum.aumha.org/

Spyware and Hijackware Removal Support, here:
http://216.180.233.162/~swicom/forums/

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx

<<DO NOT POST YOUR LOG FILE TO THIS NEWSGROUP>>

You will need to register to open a new thread to post your log. It is free,
and no one will Spam you, it is one of many that provides this service. Once
registered, go to the HiJackThis section on the forum list and click to
open. Then start a new post and post your log. The experts there will
analyze the log and report back the results. Please allow at least a few
hours or a day's time for a response, depending on when you post the log.

Remember, you must return to the HJT site to get your answer. It is a good
idea to click the "Notify" box so that you will get an electronic
notification by e-mail to let you know when a response has been posted.
But you must still return to the site for your answer.

Hope this helps.

Jan :)
