1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Malware wiped dot com

Discussion in 'Windows XP' started by ginorre9, Jan 17, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. ginorre9

    ginorre9 Thread Starter

    Joined:
    Mar 4, 2006
    Messages:
    55
    I recently removed Malwarewiped.com from a friends laptop. It would only load a page stating that the computer was infected. I used safe-mode and ran adawareSE and spydoc. I am able to surf different sites but remain to receive ads. I noticed a item in the add/remove programs listed as " Internet Security Add-On" When I attempt to remove this item it states that te computer should be rebooted before removing. I have done this a couple times with no success. Could the laptop still be infected or would there be a simple solution to remove that item.

    Thanks....
     
  2. ozrom1e

    ozrom1e

    Joined:
    May 15, 2006
    Messages:
    11,849
    To download HJTsetup.exe To Download HijackThis go to the following: http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item5
    Filename = 1137518044HJTsetup.exe

    Save the file to your desktop.
    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\HijackThis.
    Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialog box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    At the top of the Notepad HJT log screen, hit Edit then Select All then click Edit and then click Copy doing that copies the text to the clipboard, you won't see it yet....
    Come back here to this thread and Paste the log in your next reply. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

    A security expert should take a look at your log - please be patient.
     
  3. ginorre9

    ginorre9 Thread Starter

    Joined:
    Mar 4, 2006
    Messages:
    55
    Logfile of HijackThis v1.99.1
    Scan saved at 11:31:18 PM, on 1/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Video ActiveX Object\isamonitor.exe
    C:\Program Files\Video ActiveX Object\pmsngr.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Video ActiveX Object\pmmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Video ActiveX Object\isamini.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HistoryKill 2006\histkill.exe
    C:\WINDOWS\system32\rundll32.exe
    E:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [histkill] "C:\Program Files\HistoryKill 2006\histkill.exe" /STARTUP
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Acer Empowering Technology.lnk = ?
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Do the following:

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm[/
     
  5. ginorre9

    ginorre9 Thread Starter

    Joined:
    Mar 4, 2006
    Messages:
    55
    SmitFraudFix v2.132

    Scan done at 23:50:09.60, Wed 01/17/2007
    Run from C:\Documents and Settings\Roland Lachapelle\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Roland Lachapelle


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Roland Lachapelle\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ROLAND~1\FAVORI~1

    C:\DOCUME~1\ROLAND~1\FAVORI~1\Online Security Test.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\Video ActiveX Object\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

    [HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
    @="C:\WINDOWS\system32\gwquvw.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
    @="C:\WINDOWS\system32\gwquvw.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Second part of this fix:


    Copy these steps to a Notepad text file and save it as steps.txt to your desktop, or print them, as you will not be able to get online while working in Safe Mode (and, please do
    not use Safe Mode with Networking for this fix!)


    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background. (The warning does not apply to you ginorre9, it's for others)
     
  7. ginorre9

    ginorre9 Thread Starter

    Joined:
    Mar 4, 2006
    Messages:
    55
    SmitFraudFix v2.132

    Scan done at 0:29:38.59, Thu 01/18/2007
    Run from C:\Documents and Settings\Roland Lachapelle\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

    [HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
    @="C:\WINDOWS\system32\gwquvw.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
    @="C:\WINDOWS\system32\gwquvw.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\DOCUME~1\ROLAND~1\FAVORI~1\Online Security Test.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\Program Files\Video ActiveX Object\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

    [HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
    @="C:\WINDOWS\system32\gwquvw.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
    @="C:\WINDOWS\system32\gwquvw.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Good work that should take care of SmitFraud trojan for you.

    We do need to complete the entire fix, but do not have to right now, it is late and I have to go. I will post the steps and you can
    finish it now, or not depending on the amount of time you have, post the logs asked for and I can check them in the morning.

    _ _ _ _
    HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Next, post a fresh Hijackthis log and we will check it.

    Do this, after making and posting a log:

    Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.

    Both probably will not fit on one reply so just use two. See you then!
     
  9. ginorre9

    ginorre9 Thread Starter

    Joined:
    Mar 4, 2006
    Messages:
    55
    Thanks Byteman for all your help. It looks to me that the problem is solved. Panda only found one item and doesnt look to be harmful....but here it is in case I am wrong.

    Incident

    Potentially unwanted tool:Application/Processor
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, You should be all set. The file detected by Panda is part of the Smitfraud removal tool, it is detected by antivirus scans because of what it is, as a process that is automatically supposed to trigger alerts, but that is safe and just the way the removal tool is built.

    You will need to clean your System Restore Points, as using one will put back the malware, Restore is not picky what it backs up.


    Please do the following:

    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.Wait for hourglass to stop and it says
    "Turned Off"

    Restart your computer, turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    After you have turned System Restore on and created your first new Restore Point, Windows will from now on make them for you, you also can manually create one at any time. making new Points will eventually result in the older (and sometimes better) Points being removed as there is only X amount of space the feature can use.
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/536185

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice