1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

VirusHeat can't load remedy..shuts down

Discussion in 'Virus & Other Malware Removal' started by thinman7, Mar 26, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. thinman7

    thinman7 Thread Starter

    Joined:
    Mar 26, 2008
    Messages:
    55
    Help,,

    My work laptop (Acer? windows xp) has been infected w/VirusHeat. Tried to load spybot & spyhunter comp. shuts down before it finishes. Would try to load hijack this but figure it won't work either.

    also tried to delete registry entries listed online but found no matches.
    Can I do something in safe mode - ive worked in that a couple of times but not much.

    Please help.
     
  2. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, thinman7 :)

    Welcome.

    You can boot your computer in Safe Mode with Networking and be able to download these programs. The programs, however must be ran in Normal Mode:

    [​IMG]Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  3. thinman7

    thinman7 Thread Starter

    Joined:
    Mar 26, 2008
    Messages:
    55
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:21:54 PM, on 3/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\DOCUME~1\scottc\LOCALS~1\Temp\RtkBtMnt.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: e404 helper - {DF47DD37-AC11-4A93-8E16-2B2364AF0897} - C:\Program Files\Helper\1206331595.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
    O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Acer Empowering Technology.lnk = ?
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
    O16 - DPF: {2873FCBD-7894-4814-8502-8EF052C643D4} (TypingMaster Intra) - http://online2.typingmaster.com/tmonline/itutor/TMIntra.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.5/ttinst.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
    O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-wedding-dash/WeddingDash.1.0.0.47.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O22 - SharedTaskScheduler: figpecker - {7d7bd0c4-4913-4933-b870-7388a7bffb82} - C:\WINDOWS\system32\lvhjtsa.dll
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
    O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 12223 bytes
     
  4. thinman7

    thinman7 Thread Starter

    Joined:
    Mar 26, 2008
    Messages:
    55
    here is this ...thing???

    what the sam hill do I do with it? I tried to click on the link to load smitfraud but as soon as the download completed, the comp gave me a blue screen and shut down. It shuts down so quickly I couldn't read what it said. help it's late and i have a headache.
    thank you.




    Processes

    VirusHeat 3.9.exe
    DLLs

    iinqyl.dll
    wuuawkz.dll
    eeioq.dll
    txdkfh.dll
    wbchha.dll
    lruvqvw.dll
    xskmoqx.dll
    heuvth.dll
    wcscqa.dll
    Other Files

    VirusHeat 3.9
    VirusHeat 3.9 Website.lnk
    VirusHeat 3.9.url
    Uninstall VirusHeat 3.9.lnk
    VirusHeat 3.9.lnk
    %ProgramFiles%\VirusHeat 3.9
    VirusHeat 4.3
    VirusHeat 4.3 Website.lnk
    VirusHeat 4.3.url
    Uninstall VirusHeat 4.3.lnk
    VirusHeat 4.3.lnk
    %ProgramFiles%\VirusHeat 4.3
    Registry Keys

    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\917f93bf-6714-4e11-8982-59db2e0f88fc
    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\747e1fbe-b70f-441d-bbca-6e536c04924a
    917f93bf-6714-4e11-8982-59db2e0f88fc
    VirusHeat 3.9
    747e1fbe-b70f-441d-bbca-6e536c04924a
    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\d9f6ce57-0718-4bd1-916f-5fb1f86911c2
    Microsoft\Windows\CurrentVersion\App Paths\VirusHeat 3.9.exe 3.9
    d9f6ce57-0718-4bd1-916f-5fb1f86911c2
    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c
    ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c
    0EC085A8-9818-43B7-B975-EC7555EDA4D2
    1A74C41C-0837-4FBE-BA50-621EB70F01CE
    25297614-1B76-4C2C-82C6-62738AA0E8F0
    37F89457-1208-4670-9245-58C62BD6D870
    45477032-ABD0-454D-9CE4-EA34C10322F8
    69E34747-0B27-4B30-AE20-1023BF29E246
    79BE5B3B-80B2-4B77-A042-EFC90F6E0DE7
    7C0EC6BF-81B9-4FE0-9447-4ED29A36BF5D
    7EBB34CF-1728-4136-A968-48F231DAD1B4
    88DAA291-B413-4C46-B378-3BE66F65369E
    936A2F4A-53F8-4D2F-92AA-2F9DE889841C
    AFCC3FA7-82A9-42D5-A405-78711E97A5D6
    CC05A4A3-7B28-488F-AB02-6AAEDB86ACCF
    E80114AA-6653-4952-9E97-5F1DC63BEE0F
    F9109A2A-432B-4ADD-A6FA-06BA22DCD2D9
    FCA3958A-8D38-4D14-8B81-CCD7F68A8A01
    CBD02E9B-37EF-47D2-96B0-3ABBB2EB92BF
    Microsoft\Windows\CurrentVersion\App Paths\VirusHeat 4.3.exe 4.3
    VirusHeat 4.3
    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\699fabf8-1087-491f-b57c-80a68929d82b
    699fabf8-1087-491f-b57c-80a68929d82b
    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\f0d4f88e-e1f8-460f-a41c-6cfb7f73af79
    f0d4f88e-e1f8-460f-a41c-6cfb7f73af79
    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\d4c51fa4-9192-4a9a-8d2a-a0690c92f171
    d4c51fa4-9192-4a9a-8d2a-a0690c92f171
    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\a0efe2fe-7249-4403-a00b-8be108617c75
    a0efe2fe-7249-4403-a00b-8be108617c75
    Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40
    DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40
    Software\Microsoft\Internet Explorer\Toolbar\DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40
    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\9d19a1a9-3cdf-4f15-a5ca-ea3905febded
    9d19a1a9-3cdf-4f15-a5ca-ea3905febded
     
  5. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, thinman7. :)

    [​IMG]Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along witha hijackthis log.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning : running option #2 on a non infected computer will remove your Desktop background.

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

    Post a fresh Hijackthis log along with the MalwareBytes Anti-malware report, and contents of C:\rapport.txt produced by Smitfraudfix.
     
  6. thinman7

    thinman7 Thread Starter

    Joined:
    Mar 26, 2008
    Messages:
    55
    I tried to download ATF cleaner. Chose select all and emptied select. Comp shut down.
    If I was to have tried this in "safe mode" I didn't. But last night when I tried to connect to internet in safe mode I couldn't. Sorry to be a pain. I am currently using home computer watching laptop reboot. I have purchased a flash drive if that could help at all.

    Awaiting instructions.
     
  7. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Can you boot in Safe Mode? If you do, run Smitfraudfix, Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    Post the contents of C:\rapport.txt produced by Smitfraudfix.
     
  8. thinman7

    thinman7 Thread Starter

    Joined:
    Mar 26, 2008
    Messages:
    55
    I wasn't able to load smitfraud from the internet because i couldn't access it from safe mode - i am trying again now.
     
  9. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Sorry, I didn't read thorough.

    You can download Smitfraudfix to the flash drive, then copy it to the sick's computer desktop or C:\folder. Run the program's option 2 in Safe Mode.
     
  10. thinman7

    thinman7 Thread Starter

    Joined:
    Mar 26, 2008
    Messages:
    55
    i am downloading on good comp now. will try to xfer to flash and input on sick
     
  11. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
  12. thinman7

    thinman7 Thread Starter

    Joined:
    Mar 26, 2008
    Messages:
    55
    it shut down before the process was over - am trying again now.
     
  13. thinman7

    thinman7 Thread Starter

    Joined:
    Mar 26, 2008
    Messages:
    55
    tried to start in safe mode twice - hangs up at "mult(0)disk(0)partition(2)\windows\system32\drivers\agpcpq.sys - and just sits there...advice???
     
  14. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Can you boot into Normal Mode? We may need to load the Recovery Console. Do you have the XP Installation CD, or the Recovery Console installed?
     
  15. thinman7

    thinman7 Thread Starter

    Joined:
    Mar 26, 2008
    Messages:
    55
    opened in normal mode and have a 'RTHDCPL.EXE - CORRUPT FILE warning . says please run chkdsk utility - haven't done that before. However, on a good note I seem to have lost the flashing cursor from virus heat in the bottom tray. hope that's good anyway. How do i fix corrupt file and will that reinstate virusheat.?
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/697409

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice