1972vet

Experts

Posts: 1,357

Posts posted by 1972vet

  1. Download "Dial-a-fix" from Here and save it to your Desktop. Right-click on the .zip file and select Extract All...open the folder and double-click the Dial-a-fix.exe icon. Place a check in the box for the option titled "Fix Windows Update" under the heading WU/WUAU, then click the Go button at the bottom. Follow the prompts. When completed, try the Windows Update site again. Post back your results. Thanks!

  2. Sorry for the oversight on my part...I do remember now telling you that we would troubleshoot that issue once your system is cleaned. Please do this for me.

    Since it's not a malware issue, please create a new thread Here. Give the thread the title "Windows Update Help" and post your windows update log there to my attention. Others may also pick up your thread and post something in response but I'll be there to oversee as well and will indeed take possession of your issue for you. I only mentioned the fact that others may also post there because I believe that forum is open to all members here so be advised that good intentions sometimes will get turned sideways...so please take into consideration that other members' instructions may or may not have the desired results you are looking for.

    After you create the post from following the instructions below to copy your Windows Update log for me, send me a PM using This Link and include a link to your newly created thread. That way I'll get the email notification immediately upon your posting:

    Click Start-->Run...In the Open box, type or copy and paste the following:

    %windir%\windowsupdate.log

    ...then click OK.

    A notepad text document will open containing entries logged by Windows Update. Scroll to the bottom to view the most recent information logged. Copy what information you have there for the most recent date (just for that one day). Paste that information into your newly created thread per the above instruction. Thanks!
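A full day of WindowsUpdate.log is long, and the part a helper actually reads is the WARNING lines and the 0x... error codes in them. The Python below is an added example (editor's code, not from the post and not a Microsoft tool) that takes the text of a saved copy of the log, keeps only the most recent day as the post asks, and lists that day's warning lines and the distinct HRESULTs they carry. The column layout it expects (date, time, pid, tid, component, message), the sample log, and the small code-to-meaning table are assumptions for illustration.

```python
"""Triage a WindowsUpdate.log from the Windows Update Agent on XP/2003.

Added example for this thread, not a tool from the original post.
Assumed log layout (one event per line, whitespace-separated columns):
    date  time  pid  tid  component  message
with the date written YYYY-MM-DD. The HRESULT descriptions below are
reference values added here; extend the table as needed.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "date time pid tid component message")

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(.*)$"
)
HRESULT_RE = re.compile(r"0x[0-9A-Fa-f]{8}")

KNOWN_CODES = {
    "0x80072EE2": "ERROR_INTERNET_TIMEOUT: the update server did not answer in time",
    "0x80072EFD": "ERROR_INTERNET_CANNOT_CONNECT: no connection to the update server",
    "0x80070005": "E_ACCESSDENIED: a file or registry key could not be accessed",
    "0x8024402C": "WU_E_PT_WINHTTP_NAME_NOT_RESOLVED: DNS lookup of the server failed",
}

# Constructed sample log: a quiet line from the day before and one
# failed update check on the most recent day.
SAMPLE_LOG = """\
2008-06-13 22:10:41:515  936 3a8 AU AU received policy change subscription event
2008-06-14 09:15:02:234  936 3a8 Agent *************
2008-06-14 09:15:02:234  936 3a8 Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
2008-06-14 09:15:06:812  936 3a8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://update.microsoft.com/v6/ClientWebService/client.asmx>. error 0x80072ee2
2008-06-14 09:15:06:812  936 3a8 PT   + Offline serviceId = {7971f918-a847-4430-9279-4a52d1efe18d}
2008-06-14 09:15:06:828  936 3a8 Agent   * WARNING: Exit code = 0x80072EE2
2008-06-14 09:15:06:828  936 3a8 Agent *********
"""


def parse_wu_log(text):
    """Return an Entry for every line that matches the assumed layout."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def latest_day(entries):
    """Only the entries from the most recent date: what the post asks for."""
    if not entries:
        return []
    last = max(e.date for e in entries)
    return [e for e in entries if e.date == last]


def failures(entries):
    """Entries whose message carries WARNING/FATAL text or an HRESULT."""
    return [e for e in entries
            if "WARNING" in e.message or "FATAL" in e.message
            or HRESULT_RE.search(e.message)]


def error_codes(entries):
    """Distinct HRESULTs in first-seen order, each mapped to a description."""
    codes = {}
    for e in entries:
        for code in HRESULT_RE.findall(e.message):
            code = "0x" + code[2:].upper()
            codes.setdefault(code, KNOWN_CODES.get(code, "not in the reference table"))
    return codes


def summarize(text):
    """Parse, keep the latest day, and report its failures and codes."""
    today = latest_day(parse_wu_log(text))
    return {
        "date": today[0].date if today else None,
        "entries": len(today),
        "failures": [e.message for e in failures(today)],
        "codes": error_codes(today),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("most recent day:", s["date"], "(%d entries)" % s["entries"])
    for msg in s["failures"]:
        print("  !", msg)
    for code, meaning in s["codes"].items():
        print("  ", code, "->", meaning)
```

To use it on a real machine, read %windir%\windowsupdate.log into a string and pass it to summarize(); the code table is deliberately small, so anything it reports as "not in the reference table" still needs looking up.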

  3. I see a clean log...congratulations! You can re-enable Windows Defender and you can delete these:

    Symantec Removal tool

    RogueRemover

    ...The Killbox you can keep but before you try to use it for anything, please thoroughly read through the "Killbox Description and Usage" guide in the Help section of the menu.

    Now that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

    Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check the 'Create a restore point' option in the right pane and click "Next". In the "Restore point description" textbox, name your restore point something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean). Click "Create" and reboot your computer.

    To assist in the prevention of spyware infections:

    Immunize your browser by installing Spywareblaster. What does it do?

    • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
    • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
    • Restricts the actions of potentially unwanted sites in Internet Explorer.

    Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

    Below you can choose from several of the freeware Firewalls available in the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

    You should always have at least (but not more than) one of these types of third party firewalls running on board:

    Kerio Personal Firewall

    Zone Alarm

    Outpost Free

    Comodo

    Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one-button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

    Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

    Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

    If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

    Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup.

    Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:

    Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

    So how did I get infected in the first place?

    Regards, and Happy Surfing!

  4. The executable file vav.exe is targeted by RogueRemover so I'm surprised at those findings.

    Using the Killbox we downloaded earlier, please do this:

    Open Killbox and check the box Delete on Reboot. Now, highlight the entry below in Bold text and then copy it.

    C:\Program Files\VAV\vav.exe

    Then in killbox click File-->Paste from Clipboard...Now, Click the All Files button.

    Next, click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

    A second message will ask to Reboot now? you will need to click No for now.

    Remember...Killbox will let you know if the file does not exist.

    Next, please run HijackThis again and check the box next to this entry:

    O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe

    Now close all windows including this browser window. Leaving only the HijackThis application's window open, click the Fix Checked button.

    Now reboot the computer and post back a fresh HijackThis log. Also, please advise how the system is performing for you. Thanks!

  5. OK, the Sys4.exe I was expecting:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sys4.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    Glad to see mbam took care of that. This one however:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40273316 (Trojan.Vundo) -> Quarantined and deleted successfully.

    ...is not enough to do it I'm afraid. Your log still shows the rogue anti-spyware application running that we re-enabled using the msconfig utility. That's a good thing by the way. Now we can remove it properly.

    Before we go after it though, let's take a look at the add/remove programs list to see if we could get lucky. I haven't seen it in a while now but I know from years past, users were able to remove some of the vundo and or smitfraud/rogue application problems by finding an uninstall string to remove them. In the off chance that it's there, click start-->Control Panel-->Add/Remove Programs...scroll down the list to see if you can locate a program named:

    VAV

    ...if you find it, click once on it to highlight it then click Remove. If the uninstall completes successfully, reboot at this point.

    If you are not able to find an uninstall string there for that program name then continue with the instructions below:

    First, make sure before you proceed that Windows Defender is still disabled.

    Please download

    RogueRemover & save it to your desktop.

    • Double-click on rr-free-setup.exe to install in: C:\Program Files\RogueRemover.
    • Navigate to the folder and double click on the file named RogueRemover.exe or use the icon that was created on your desktop.
    • Once the program runs, select Check for Updates.
    • When prompted, select Check for Updates.
    • If prompted again, click Download to receive the latest updates.
    • When completed, close the update window.
    • Finally, select Scan and the program will walk you through the remaining steps.

    Post back a fresh Hijackthis log.

    Also, please advise how the system behaves for you now. Thanks!

  6. You can remove a failed Symantec install/uninstall or damaged product using their Removal Tool...

    As for the msconfig utility entries that you disabled on startup, these three are malicious:

    C:\Windows\system32\dmcghgdl.dll

    C:\Program Files\VAV\vav.exe

    C:\Sys4.exe

    We need to allow these the opportunity to run on startup if they are still present. Return to the msconfig utility and place a check in the box next to those entries. Apply it, ok it, then close msconfig. Reboot and check the box for the option "Do not show me this again" in the warning message that will pop up on reboot. Run a fresh HijackThis log and post that back here on your next reply. We need to make certain that these are removed before we even consider going back to Windows Update. Thanks!

  7. I'm wondering if the trojans that showed up in the log were picked up by Avira,

    The trojans that I instructed you to remove appeared in the original log. You didn't have Avira installed then.

    ...as I downloaded that after I posted the logs. Would this cause them not to be there? I remember Avira beeping and me denying access to several trojan alerts.

    Let's not continue confusing the masses. The trojans were in your original log. The instructions were to download and run SDFix and SmitFraudFix, both targeting the problem files specifically. Upon posting the logs after running those tools, their respective logs showed absolutely no findings just as they would if your system were not infected...nonetheless, the malware entries were absent from the hijackthis log. Avira also first appeared in that same HijackThis log. The way Avira would have handled an alert from ANY of those trojans you had would not have happened the way you described. It would not just have beeped and asked you for access...that description sounds more like how a firewall would behave. Besides all that, if you DID download Avira AFTER you posted those logs it would not have found the malware since THOSE LOGS showed proof that the malware had already been removed.

    ...If however, you heard Avira beep at you after you posted those logs, what it undoubtedly found would have been the files that the two utilities had arrested from the scans I instructed you to run. This however would not have caused the logs from those scans to show no findings. The only reason for that would be one of these two possibilities:

    1) You scanned twice with each utility and posted the logs from the second scan which of course, would show nothing since the first scan would have removed the malware

    2) You purposely edited the scan logs

    Beyond that, I haven't a clue what else could possibly have happened on your end since it seems feasible that other family members may have gotten to that laptop between posts. Regardless, the tale has a happy ending. Your logs look clean, and I'm very happy to have been some help...now, off to help someone else.

    You can download the latest Java version Here.

    Delete these:

    SmitFraudFix

    SDFix

    Now that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

    Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check the 'Create a restore point' option in the right pane and click "Next". In the "Restore point description" textbox, name your restore point something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean). Click "Create" and reboot your computer.

    To assist in the prevention of spyware infections:

    Immunize your browser by installing Spywareblaster. What does it do?

    • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
    • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
    • Restricts the actions of potentially unwanted sites in Internet Explorer.

    Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

    Below you can choose from several of the freeware Firewalls available in the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

    You should always have at least (but not more than) one of these types of third party firewalls running on board:

    Kerio Personal Firewall

    Zone Alarm

    Outpost Free

    Comodo

    Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one-button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

    Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

    Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

    If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

    Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup.

    Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:

    Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

    So how did I get infected in the first place?

    Regards, and Happy Surfing!

  8. This old man owns a large piece of property in the woods that he visits regularly. On the lower 40, he has a large pond...he goes fishing there on occasion.

    One morning he pulls the truck alongside the road, gets out with his bagged lunch and starts out on his way to the pond to just look things over and see if he might want to drop in a line. He leaves the tackle in the truck and just takes his lunch bag with him.

    On approach, he hears laughter and giggles coming from the area of the pond. Looking around he notices a car that had pulled off the road on the other side of the pond. When he makes his way through the brush there he sees three gorgeous young women all skinny dipping in his pond. He says "Good Morning ladies" and they start right off telling him "Look Mr. there's no way you're going to see us naked" so they insisted on staying under the water until he leaves.

    He says back to them..."I have no intention of telling you ladies to get out of the pond just so I can see you naked. It's your life...you can do whatever you want.

    I'm just here to feed the alligators."

  9. OK...no need to post another hjt log, it looks fine. The Spybot log however does indicate a problem. The startup entries listing shows that the Symantec Live Update wants to run at startup:

    --- Startup entries list ---

    Located: HK_CU:Run

    C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

    ...why it doesn't show in the HijackThis log is the question. There are a couple of possibilities. Have you used the msconfig utility to stop any services/processes from running at startup?

    The entry does need to be removed as there exists the possibility of some conflict issues. You can use the Symantec removal tool but I would like to hear back from you first as to whether or not you may have this startup entry arrested by some other application (perhaps Windows Defender). Such a scenario may just complicate things if you were to try running that tool before removing any restriction that you (or some other application) may have put in place. Can you look into that possibility from your end and report back to us on this?

    Likewise, the Windows Update issue is something we will address when we have removed the Symantec remnants.

    That scan looks good. No mention of those registry entries...I think it is safe to assume then that the earlier findings were false positives...by the way, a respected Security Specialist informs me that the "!=" in the world of programming means "Is not equal to". Thus, those earlier findings that Spybot was complaining of were meant to imply that those registry Data Values were not equal to what followed after that equal sign. However, I think now we can relax.

    The spybot log does however show service/process entries for Symantec. Nothing regarding any Symantec installation showed in your previous HijackThis logs. Have you installed this since your last log? Regardless, it is NOT recommended to have more than one antivirus product on board running in real time. Your level of security protection is actually reduced and you run the risk of data loss from the instability that it can cause. You should decide which to keep and uninstall the other.

    Please post back a fresh HijackThis log after uninstalling one of them and advise how the system is performing for you now. Thanks!

  11. Your log shows that Symantec is still installed...there's more than "just one thing" that remains. You can use their removal tool. More on that in just a bit...

    The two entries below both first appeared only after you somehow removed all of the malware entries from the original instructions:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    ...That "O2" entry is valid. It represents the Windows Live Call HoverToCall feature in Windows Live Messenger but its file has been removed. You could remove that entry using HijackThis but I would hesitate to advise that unless you have no intention of using the Live Messenger anymore.

    That "O6" entry is interesting. I see no evidence of Spybot Search and Destroy which is usually the reason for that entry. Have you used some kind of "Administrative" locking feature? If not, you can run HijackThis again and check/fix that entry.

    As for your assertion that the malware entries were not present in any of the logs from the utility scans I recommended, please understand that what is suggested by those logs is not possible:

    Below is a SmitFraud File that appeared in your original log:

    O3 - Toolbar: nqgpedlr - {80123684-A222-4009-8220-A867294D6DE8} - C:\WINDOWS\nqgpedlr.dll

    Below is the Trojan-Downloader.Win32.Agent.keu. This also appeared in the original log and it is specifically targeted by SDFix:

    O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe

    Below is another trojan that appeared in your original log and it too is specifically targeted by SDFix:

    O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe

    ...and as we all can see, none of those I recommended that you remove are still present in the last HijackThis log posted.

    I'm still confused......

    I'll bet lol...this stuff is tricky sometimes huh?

    just had quick reread of the instructions regarding the smitfraud bit....especially the part where it said running this on an uninfected system will remove your desktop picture or something like that - it did remove the desktop background, but i'm not complaining, if the trojans or whatever were picked up it's all to the good :-)

    The warning is to advise that the desktop background is removed...whether the system is infected or not, the background is removed. Its purpose is to discourage a user from just downloading and running the SmitFraudFix utility in a willy-nilly fashion...thus an uninfected user will have been saved the heartburn.

    Do you want me to do another scan with the SDFix? If so I shall do this tomorrow night, and there's just one thing from symantec that is refusing to go grrrrr.

    Since the last log you posted shows no evidence of the malware there would be no reason to run the SDFix utility again.

    You can download the Symantec Removal Tool to remove a failed install/uninstall or damaged product.

    Post back a fresh HijackThis log when completed. Please advise how the system performs now. Thanks!
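The entries quoted above (an O2 BHO with "(no file)", the nqgpedlr toolbar, the antiviirus and Antivirus 2008 PRO Run entries, an O6 restrictions key) are the kind of thing a log reader picks out by eye. As an added example, not HijackThis code and not from any post in this thread, the Python below parses those line types, expands the abbreviated HKLM\..\Run notation to the full registry key, and attaches a few heuristic flags: orphaned CLSID, random-looking name, bare filename resolved through PATH, security-product-sounding name. The thresholds in looks_random and the flag wording are assumptions for illustration, not detection signatures, and a flag means "look closer", not "malicious".

```python
"""Heuristic triage of HijackThis O2/O3/O4/O6 lines.

Added example for this thread: not HijackThis code, not from the original
posts. The sample lines are the entries quoted in the thread; the rules
are simple heuristics assumed here for illustration, not vendor
detections. RUN_KEY expands the abbreviated HKLM\\..\\Run notation.
"""
import re

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O6_RE = re.compile(r"^O6 - (HK\w+\\.+?) present$")

RUN_KEY = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion",
}
SECURITY_WORDS = re.compile(r"anti.?vi+r|antispy|spyware|security|defender", re.I)
PROFILE_DIRS = re.compile(r"\\Temp\\|\\Local Settings\\|\\Application Data\\", re.I)
VOWELS = set("aeiou")

# The lines quoted in this thread, used as sample input.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O3 - Toolbar: nqgpedlr - {80123684-A222-4009-8220-A867294D6DE8} - C:\WINDOWS\nqgpedlr.dll",
    r"O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe",
    r"O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe",
    r"O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
]


def looks_random(name):
    """Lowercase-only, 7+ letters, under 20% vowels, a run of 4 consonants:
    the shape of dropped names like nqgpedlr or dmcghgdl. Heuristic only."""
    if not re.fullmatch(r"[a-z]{7,}", name):
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return vowel_ratio < 0.2 and re.search(r"[^aeiou]{4}", name) is not None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def stem(path):
    return basename(path).rsplit(".", 1)[0]


def command_exe(cmd):
    """Executable part of a Run value: the quoted path, or text before ' /'."""
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" /")[0]


def triage_line(line):
    """Parse one log line; return its fields plus a list of flag strings."""
    line, flags = line.strip(), []
    m = O2_RE.match(line) or O3_RE.match(line)
    if m:
        kind = line[:2]
        name, clsid, path = m.groups()
        if path == "(no file)":
            flags.append("orphaned %s: CLSID registered but the DLL is gone; harmless to fix" % kind)
        elif looks_random(stem(path)) or looks_random(name):
            flags.append("random-looking name, typical of dropped toolbar/BHO DLLs")
        return {"type": kind, "name": name, "clsid": clsid, "path": path, "flags": flags}
    m = O4_RE.match(line)
    if m:
        hive, subkey, name, cmd = m.groups()
        exe = command_exe(cmd)
        if "\\" not in exe:
            flags.append("bare filename, resolved through PATH; locate the file before judging it")
        if PROFILE_DIRS.search(exe):
            flags.append("runs from a temp/profile directory, rarely legitimate for a Run entry")
        if SECURITY_WORDS.search(name) or SECURITY_WORDS.search(basename(exe)):
            flags.append("security-product-sounding name; confirm the vendor, rogue AV mimics this")
        if looks_random(stem(exe)):
            flags.append("random-looking executable name")
        return {"type": "O4", "key": RUN_KEY[hive] + "\\" + subkey,
                "name": name, "path": exe, "flags": flags}
    m = O6_RE.match(line)
    if m:
        flags.append("IE restrictions policy present; expected only if an admin or Spybot set it")
        return {"type": "O6", "key": m.group(1), "flags": flags}
    return {"type": "unparsed", "line": line, "flags": flags}


def triage(lines):
    """Return only the parsed entries that collected at least one flag."""
    return [r for r in map(triage_line, lines) if r["flags"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(r["type"], r.get("path") or r.get("key"))
        for f in r["flags"]:
            print("   -", f)
```

Note the Alcmtr line is flagged only for being a bare filename: the code cannot tell a legitimate PATH-resolved program from a dropped one, which is why the helper asks for the file to be located, not deleted on sight.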

  12. ...the log you posted shows that sdfix found nothing. Nevertheless, all the malware entries are removed.

    That is what confuses me. It's not possible your log would be cleaned up when the scans showed that nothing was found. In the log there were several trojans that SDFix specifically targets, as well there was a smitfraud file that the SmitFraudFix utility also specifically targets...mysteriously though, they've disappeared with no trace of their findings from any of the logs you posted...they're just gone, but at least they're gone.

    Nonetheless, since your last log looks clean I would like to see another log after you've removed Symantec and updated your java. Thanks!

  13. Your log looks clean...you can re-enable Windows Defender.

    Spybot just found tracking cookies. You'll pick those up every visit to the web page that planted them. Since you're using Firefox just configure it to remove cookies when you close the browser.

    With Firefox open, click Tools-->Options-->Privacy Tab...in the Cookies section, click the drop down menu and select to keep until "I close Firefox". Click "OK" and close Firefox. With this setting, even though you collect cookies while you surf, they will disappear as soon as you close the browser but the next time you visit web pages that require you to log on using an ID and password, you will have to enter the data again. A small price to pay for privacy.

    The Registry entries that spybot flagged look almost normal...and I think they probably are but I'm just not accustomed to seeing the entry look like it does the way you posted it and I don't ask for logs from Spybot as a general rule since they are so HUGE. The Registry items that spybot has presented as possible hijack attempts might be a couple of false positives.

    The entry (for example) for the first one listed:

    HKEY_CLASSES_ROOT\regfile\shell\open\command\!=regedit.exe "%1"

    ...should actually appear as such:

    HKEY_CLASSES_ROOT\regfile\shell\open\command

    ...and the Value data for that key should be:

    regedit.exe "%1"

    What this key represents is an association to the executable file "regedit.exe" whenever you attempt to open a ".reg" file:

    HKEY_CLASSES_ROOT\.reg

    ...the default action would be for windows to use the "regedit.exe" file to open it, which is as it should be.

    I think what spybot means by the "!=" which appears before the "regedit.exe" file in that registry key it lists is that "what follows is the Value data"...perhaps. At least, that's how I interpret that but who knows for sure, the author of Spybot S&D may have had something else in mind.

    You can check that key yourself to see if what I have detailed above is accurate for you. Just navigate to that registry key and take a look at the last folder in that line. The Command folder should be the only folder you have listed under the Open folder...and of course, the Value data should be as I mentioned above...I might also mention, when I run Spybot it doesn't present those keys in my case so I should also ask is the version of Spybot that you have up to date?
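One way to do that check on text rather than by clicking through regedit, as an added example that is not Spybot's or HijackThis's code and not from the post: export the keys with regedit (File > Export) or `reg export`, then parse the .reg file and compare each shell\open\command default value with a known-good baseline. The regfile value is the one the post gives; the exefile, comfile and batfile values are the Windows XP defaults as I know them and are an assumed baseline here. The parser also accepts the KEY\!=VALUE form that Spybot printed, splitting at the != marker into the key and the value shown after it. The sample export and the C:\hijack\wrapper.exe path in it are constructed for illustration.

```python
"""Check shell\\open\\command associations against known-good values.

Added example for this thread, not Spybot or HijackThis code. It reads
either a .reg export (regedit File > Export, or `reg export`) or a
Spybot-style 'KEY\\!=VALUE' line, so it runs offline on text a user posts.
The regfile value is the one given in the post; the exefile/comfile/
batfile defaults are the XP values as known to the editor (assumed).
"""
import re

BASELINE = {
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed sample export: regfile and batfile intact, exefile wrapped
# by a hypothetical C:\hijack\wrapper.exe, comfile not exported at all.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\hijack\\wrapper.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''


def unescape_reg(s):
    """Undo .reg string escaping: a backslash protects the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Map each [key] section in a .reg export to its (Default) string value."""
    defaults, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DEFAULT_RE.match(line)
        if m and key:
            defaults[key] = unescape_reg(m.group(1))
    return defaults


def parse_spybot_line(line):
    """Split 'KEY\\!=VALUE' as printed in a Spybot log into (key, value)."""
    key, sep, value = line.strip().partition("\\!=")
    if not sep:
        raise ValueError("no '!=' marker in line: %r" % line)
    return key, value


def check(defaults):
    """For every baseline key: ('ok' | 'differs' | 'missing', actual value)."""
    lowered = {k.lower(): v for k, v in defaults.items()}
    report = {}
    for key, expected in BASELINE.items():
        actual = lowered.get(key.lower())
        if actual is None:
            status = "missing"
        elif actual.lower() == expected.lower():
            status = "ok"
        else:
            status = "differs"
        report[key] = (status, actual)
    return report


if __name__ == "__main__":
    for key, (status, actual) in check(parse_reg_export(SAMPLE_EXPORT)).items():
        print("%-8s %s" % (status, key))
        if status == "differs":
            print("         found: %s" % actual)
    k, v = parse_spybot_line(r'HKEY_CLASSES_ROOT\regfile\shell\open\command\!=regedit.exe "%1"')
    print(check({k: v})[k][0], "<- value from the Spybot line")
```

"differs" is reported for anything other than the baseline string, so a legitimate third-party handler will also show up; the point is that the exefile and comfile values in particular should be exactly "%1" %* and nothing in front of it.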

  14. We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

    • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
    • Click on Tools, General Settings
    • Under Real-time protection options, unselect the Turn on real-time protection check box
    • Click Save

    After all of the fixes are complete it is very important that you enable Real-time Protection again.

    Next, let's make sure you can View All Files.

    Next, please download the KILLBOX. Save it to your desktop.

    DO NOTHING ELSE WITH IT YET.

    Reboot the computer into Safe mode. Once in safe mode and logged on as "Administrator", please continue with the instructions below:

    Open killbox.exe...First click on Tools-->Delete Temp Files.

    A box will open with a list of all user profiles.

    Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

    Temporary Internet Files

    Temp Files

    XP Prefetch

    If you want to clean your cookies, history, and list of recent files run you may check those boxes as well...next, click on the Button titled Delete Selected Temp Files.

    Exit by clicking the Button titled Exit(Save Settings).

    Once back into the main killbox program, check the box Delete on Reboot. Now, highlight all the entries below in Bold text and then copy them.

    C:\Documents and Settings\User\Local Settings\Temp\nsw1A.tmp

    C:\Documents and Settings\User\Local Settings\Temp\nss15.tmp

    C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll

    Then in killbox click File-->Paste from Clipboard...Now, Click the All Files button.

    Next, click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

    A second message will ask to Reboot now? you will need to click No for now.

    Note: Killbox will let you know if a file does not exist.

    If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until you've completed the instructions below.

    Next, please run HijackThis again and check the box next to this entry:

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    Close all windows now except for the hijackthis application's window, then click the Fix Checked button.

    Reboot and post back a fresh HijackThis log. Thanks!

  15. I'm a bit confused with the information that you posted. You said yesterday in post #6 that you had all your logs and were ready to post but that you were having problems. Then, today you posted the logs but the date of the scan for sdfix for example, is today's date. Did you edit that log? The reason I ask is because there were a few trojan files in your log that sdfix specifically targets. There's no chance that it would have missed them yet the log you posted shows that sdfix found nothing. Nevertheless, all the malware entries are removed.

    Please finish up with the removal of the outdated java and your Symantec stuff then post another fresh HijackThis log. Also, advise how the system performs now. Thanks!

  16. There are three signs of old age. The first is loss of memory. I forgot the other two.

    I'm Retired. I was tired yesterday, and I'm tired again today.

    When I was younger, all I wanted was a nice BMW. Now, I don't care about the W.

    I'm in the initial stages of my golden years. SS, CD's, IRA's, AARP...

    When I was in the military, the motivational phrase was "Death before dishonor"...now it's Adventure before dementia!

    We got married for better or worse. She couldn't do better, and I couldn't do any worse.

    Old People Rock.

    At my age...everything I buy comes with a lifetime guarantee!

    Don't worry about tomorrow! After all, today is the tomorrow you worried about yesterday.

    The shortest sentence is "I am." The longest is "I do."

    You know why old men wear their pants so high? You'll find out!

    With age comes wisdom...and discounts.

    I was always taught to respect my elders. Now I don't have anyone to respect anymore.

    I asked my wife if old men wear boxers or briefs? She said "Depends".

    I'm so old...I don't buy green bananas.

    Goodbye tension! Hello pension.

    It's nice to be here. At my age, it's nice to be anywhere.

    That Snap Crackle and Pop in the morning?...well, it ain't my freaking Rice Krispies!

    You know you're getting old when...you throw a wild party and the neighbors don't even realize it.

    Some days I wake up grumpy...and some days, I just let her sleep.

    Senior Campbell's Soup label:

    "New LARGE TYPE Alphabet Soup"

    The secret to staying young is to live honestly...eat slowly, and lie about your age.

    Quit worrying about your health...It'll go away.

    I must be getting older...All the names in my phone book end with M.D.

    I'm not old. I'm Chronologically Gifted.

    Retirement is the best medicine.

    Florida:

    God's Waiting Room

    Experience is a wonderful thing. It enables you to recognize a mistake when you make it again.

    At my age...Flowers scare me!

    I'm so old that whenever I eat out, they ask me for money up front.

  17. Let's try to uninstall a couple of the problems...Please click start-->Control Panel-->Add/Remove Programs. Scroll down the list to locate the program names:

    Antivirus 2008 PRO

    Java (jre1.6.0_02)

    Click on each (one at a time) to highlight them, then click Remove. Reboot when finished uninstalling. When we are satisfied the system is cleaned, we can download the latest version of Java.

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    I am going to give you two sets of instructions...both relating to the Smitfraud infection that you have. The first set of instructions will cause the tool that we will download, to find the bad files. The second set will allow the tool to delete the bad files it found.

    With each set there is a log generated. It is important that you remember to post both logs in your next reply. You must perform these steps exactly as presented and cannot skip a step. The application will delete nothing unless you first allow it to find the bad files...which is why you must follow these instructions exactly as presented:

    Set #1

    Please download:

    SmitfraudFix (by S!Ri)

    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please remember to copy/paste the content of that report into your next reply.

    Note :

    process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    Set#2

    Next, reboot the computer into Safemode.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into your Normal Windows user mode.

    A text file will appear onscreen, with results from the cleaning process; please remember to copy/paste the content of that report into your next reply as well.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning : running option #2 on a non infected computer will remove your Desktop background.

    Next, please download SDFix and save it to your Desktop.

    Double click SDFix.exe and the files will be extracted to %systemdrive%

    (Drive that contains the Windows Directory, typically C:\SDFix)

    Reboot the computer into Safe mode again.

    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • Any Trojan Services and Registry Entries that it finds will be removed then you will be prompted to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open and a copy of the report will be saved in the SDFix folder as Report.txt
      (Report.txt will also be copied automatically to your Clipboard and ready for posting back in the forum).

    Please run HijackThis again and check the box next to these entries that may still exist:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O3 - Toolbar: nqgpedlr - {80123684-A222-4009-8220-A867294D6DE8} - C:\WINDOWS\nqgpedlr.dll

    O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe

    O4 - HKLM\..\Run: [7405c5df] rundll32.exe "C:\WINDOWS\system32\tcrrjsdm.dll",b

    O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe

    O21 - SSODL: okmdepgb - {8E5F73BF-6D5D-4713-BCE9-CED3018182B0} - C:\WINDOWS\okmdepgb.dll

    O21 - SSODL: axrfgvek - {2503A820-0A9C-4265-B76D-85C6E57363F2} - C:\WINDOWS\axrfgvek.dll

    O21 - SSODL: CheckVoid - {bd4d6c1d-a034-481a-bcb0-6cc434dac3c2} - C:\WINDOWS\Resources\CheckVoid.dll

    Close all windows now except for the hijackthis application's window, then click the Fix Checked button. Reboot again to properly record the changes made to the hard disk.

    Finally, paste the contents of the Report.txt back here along with your rapport.txt documents from the SmitfraudFix utility and a fresh HijackThis log.

  18. ...the system seems stable....everything runs great...

    ...what caused this problem in the first place???any ideas....

    I have more than just ideas but we will get to that later. All things in their proper time. I'm happy to read that you have noticed such an improvement but I need to advise you that your system is still infected.

    Please finish up with the instructions I posted for you in my post #6 and post back the requested log so we can complete this cleanup process for you properly. Thanks!

  19. Oh we're not finished yet...I'll let you know when I see clean logs and will send you on your way at that time.

    Do you like your on board Command Software System's Antivirus application, and do you know how to use it? Just thought I'd ask as I don't see this software very often these days and when I do, most users didn't even know they had it or how to use it.

    I noticed that you had used the system's msconfig utility in an effort to remove ctfmon.exe from startup...which, as you can see from the log, is not the proper way to remove the language tool bar.

    To uninstall the Language Tool Bar, go to the "Regional and Language Options" icon in the Control Panel. Choose the Languages tab. Click on Details. On the Settings tab, click on the Language Bar button at the bottom. Uncheck the two checked items there and click "OK" then "Apply" and OK your way out. Close the Control Panel.

    Next you must unregister these two files:

    Msimtf.dll and Msctf.dll

    Click Start-->Run...then enter the following commands (one at a time) into the run box and click "OK":

    Regsvr32.exe /u msimtf.dll

    Regsvr32.exe /u Msctf.dll

    Reboot the system to properly record the changes made to the hard disk. You should now notice that ctfmon.exe no longer starts when Windows starts.

    Please open a blank Notepad by clicking start-->run

    Then, in the run box type Notepad.exe and click "OK".

    Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please remember to post back the new log that will be generated.

    File::

    C:\WINDOWS\-0-02751_.tmp

    C:\WINDOWS\BMdb96b652.xml

    Registry::

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    "AppInit_DLLs"=-

    Next please run HijackThis again and check the box next to the following entries:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    Close all windows now (including this browser window)...leaving only the HijackThis application's window open, then click the Fix Checked button.

    Reboot and post back the combofix log and a fresh HijackThis log...also, please advise how the system behaves for you now. Thanks!
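    The entries the helper asks the user to "Fix Checked" in posts 17 and 19 share a few visible traits: eight-letter module names dropped in the Windows directory, a Run value that launches rundll32 against such a DLL with a one-letter export, an executable sitting directly in the Program Files root, and ShellServiceObjectDelayLoad (SSODL) modules loaded from outside system32. The script below is an added example, not part of 1972vet's posts and not HijackThis or SmitfraudFix logic: it parses O3/O4/O21 log lines into structured records and applies those traits as triage heuristics. The sample lines are constructed from the entries quoted in the thread plus one benign ctfmon.exe Run entry as a control; the vowel-ratio test for "random-looking" names and the rogue-folder list are assumptions for illustration.

```python
"""Structure HijackThis O3/O4/O21 lines and flag the traits the thread treats
as suspicious. Added example; the heuristics are assumptions, not HijackThis
logic, and the rogue-folder name comes only from the thread."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines modelled on the thread's entries, plus a benign
# ctfmon.exe Run entry (the language-bar loader) as a control that must not flag.
SAMPLE_LOG = r"""
O3 - Toolbar: nqgpedlr - {80123684-A222-4009-8220-A867294D6DE8} - C:\WINDOWS\nqgpedlr.dll
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [7405c5df] rundll32.exe "C:\WINDOWS\system32\tcrrjsdm.dll",b
O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: okmdepgb - {8E5F73BF-6D5D-4713-BCE9-CED3018182B0} - C:\WINDOWS\okmdepgb.dll
O21 - SSODL: CheckVoid - {bd4d6c1d-a034-481a-bcb0-6cc434dac3c2} - C:\WINDOWS\Resources\CheckVoid.dll
"""


@dataclass
class Entry:
    section: str              # O3, O4 or O21
    location: str             # Toolbar, HKLM\..\Run, HKCU\..\Run, SSODL
    name: str                 # display name or Run value name
    command: str              # command line or module path exactly as logged
    path: Optional[str]       # on-disk module the entry loads, if identifiable
    reasons: list = field(default_factory=list)


CLSID_LINE = re.compile(r"^(O3|O21) - (Toolbar|SSODL): (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
RUN_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)

VOWELS = set("aeiou")
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
ROGUE_FOLDERS = {"antivirus 2008 pro"}  # assumption: seeded from the thread only


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis line into an Entry; unknown sections return None."""
    m = CLSID_LINE.match(line)
    if m:
        section, location, name, path = m.groups()
        return Entry(section, location, name, path, path.strip())
    m = RUN_LINE.match(line)
    if m:
        hive, name, command = m.groups()
        dll = RUNDLL.match(command)
        # For rundll32 the module is the quoted DLL; otherwise the command itself.
        path = dll.group(1) if dll else command.strip().strip('"')
        return Entry("O4", hive + r"\..\Run", name, command, path)
    return None


def looks_generated(stem: str) -> bool:
    """Assumed heuristic: 7-9 lowercase letters with few vowels (nqgpedlr, tcrrjsdm)."""
    if not re.fullmatch(r"[a-z]{7,9}", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3


def triage(entry: Entry) -> Entry:
    """Append a reason string for every suspicious trait the entry shows."""
    if entry.path is None:
        return entry
    low = entry.path.lower()
    directory, _, filename = low.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    if directory in WINDOWS_DIRS and looks_generated(stem):
        entry.reasons.append("random-looking module name in Windows directory")
    if directory == r"c:\program files" and filename.endswith(".exe"):
        entry.reasons.append("executable in Program Files root, not a product folder")
    if entry.location == "SSODL" and directory != r"c:\windows\system32":
        entry.reasons.append("SSODL module outside system32")
    short_export = re.search(r",\s*([A-Za-z0-9_]{1,2})\s*$", entry.command)
    if RUNDLL.match(entry.command) and short_export:
        entry.reasons.append("rundll32 export with a one- or two-character name")
    if any(folder in low for folder in ROGUE_FOLDERS):
        entry.reasons.append("known rogue security product folder")
    return entry


def triage_log(text: str) -> list:
    """Parse and triage every recognised line; returns the Entry objects."""
    entries = [parse_line(line.strip()) for line in text.splitlines()]
    return [triage(e) for e in entries if e is not None]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        verdict = "FLAG" if e.reasons else "ok  "
        print(f"{verdict} {e.section:<3} {e.name:<22} {e.path}")
        for reason in e.reasons:
            print(f"        - {reason}")
```

    Run against the constructed sample, every line the helper singled out picks up at least one reason while the ctfmon.exe control stays clean; the heuristics are deliberately narrow (exact-directory matches, a fixed rogue-folder name) so the script under-reports rather than naming legitimate software, which is the right bias when the next step is deleting files.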

  20. A man who just died is delivered to a local mortuary wearing an expensive, expertly tailored black suit.

    The female blond mortician asks the deceased's wife how she would like the body dressed. She points out that the man does look good in the black suit he is already wearing.

    The widow, however, says that she always thought her husband looked his best in blue, and that she wants him in a blue suit. She gives the Blond mortician a blank check and says, 'I don't care what it costs, but please have my husband in a blue suit for the viewing.'

    The woman returns the next day for the wake. To her delight, she finds her husband dressed in a gorgeous blue suit with a subtle chalk stripe; the suit fits him perfectly.

    She says to the mortician, 'Whatever this cost, I'm very satisfied. You did an excellent job and I'm very grateful. How much did you spend?' To her astonishment, the blond mortician presents her with the blank check.

    'There's no charge,' she says.

    'No, really, I must compensate you for the cost of that exquisite blue suit!' she says.

    'Honestly, ma'am,' the blond says, 'it cost nothing. You see, a deceased gentleman of about your husband's size was brought in shortly after you left yesterday, and he was wearing an attractive blue suit. I asked his wife if she minded him going to his grave wearing a black suit instead, and she said it made no difference as long as he looked nice.'

    'So I just switched the heads.'
