sari

Posts posted by sari

  1. Marco,

    I just re-read my instructions and realized they're outdated. Smitfraudfix is an executable file - you should just be able to double-click on the icon to run it. Then you get a message about joedanger not being involved with the program, and are asked to press any key to continue. Is that what happens? What do you mean by your computer gets blocked?

    sari

  2. damian,

    Sorry about that. :blush:

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {2632CB6A-0A81-1938-807B-74129546BC9B} - C:\WINDOWS\System32\ekzwdgor.dll (file missing)

    O2 - BHO: (no name) - {D5F55E01-73FA-4DED-905A-96C1FCF615A1} - C:\WINDOWS\System32\pjdg.dll (file missing)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O20 - Winlogon Notify: winpez32 - winpez32.dll (file missing)

    Now close all windows other than HiJackThis, then click Fix Checked.

    I have 2 teenage girls (and no sanity left).

    sari

  3. damian,

    I'm sure there are people that would say I'm no angel! My kids, especially. :lol:

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    HJT Entries go here

    Now close all windows other than HiJackThis, then click Fix Checked.

    Please download ATF Cleaner by Atribune.

    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

    If you use Firefox browser

    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Please post a new hijackthis log and let me know how things are running.

    sari

  4. marco,

    You had a new variant of smitfraud that the tool didn't get. I notified the developer and he updated it last night. I'd like you to delete your current version of smitfraudfix.

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Thanks,

    sari

  5. damian,

    Download ComboFix from Here or Here to your Desktop.

    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    Thanks,

    sari

  6. damian,

    Hello, and welcome to Besttechie.net. Your log tells me that Spybot has been trying to delete files on reboot, but either you haven't rebooted or it's not been able to do so. I believe you also have a vundo infection. Please do the following for me:

    Go to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe, right click on it, and rename it to hjt.exe. Please scan again and post the new hijackthis log for me.

    Thanks,

    sari

  7. Marco,

    Hi, and welcome to Besttechie.net. You have a few problems in your log, so let's get you cleaned up.

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work.

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • If it wants to install an ActiveX component allow it
    • Select either Home User or Company
    • Click the big Scan Now button
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

    Please post the rapport.txt, the Activescan report, and a new hijackthis log in your reply.

    Thanks,

    sari

  8. Kohu,

    Your log is clean now. :thumbsup:

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

    1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
    5. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    6. ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    8. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

    Thanks,

    sari

  9. Kohu,

    The AVG scan seems to have taken care of your problems - there are only a few minor cleanup items in your log now.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

    Please delete these files using Windows Explorer(if present):

    C:\WINDOWS\ALCXMNTR.EXE

    After that, Reboot.

    Please post a new hijackthis log and let me know how things are running.

    Thanks,

    sari

  10. Ramesh,

    Hello, and welcome to Besttechie. I'm going to have you run a program called vundofix, which is written specifically to remove vundo.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.

    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Thanks,

    sari

  11. happyheart,

    Hello, and welcome to Besttechie. You do indeed still have infections, so I'm going to help you clean up. For the record, Spywarebot is not an application I would recommend - there are better ones out there, and Spywarebot is considered by many to be a rogue application, because it plays on the name of Spybot Search and Destroy.

    Please go to Uploadmalware to upload a suspicious file for analysis.

    • Enter your username from this forum
    • Copy and paste the link to this thread
    • Browse for this filename: C:\WINDOWS\System32\vssrprxy.exe
    • In the comments, please mention that I asked you to upload this file
    • Click on Send File

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O4 - HKLM\..\Run: [yfdhyyrbwck] C:\WINDOWS\System32\aqoidi.exe

    O4 - HKLM\..\Run: [XfkLnlP4] C:\documents and settings\victoria summers\local settings\temp\XfkLnlP4.exe

    O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

    O4 - HKLM\..\Run: [GzK] C:\documents and settings\victoria summers\local settings\temp\GzK.exe

    O4 - HKLM\..\Run: [AutoLoader7F7r1RIgZdaZ] "C:\WINDOWS\System32\vssrprxy.exe" /HideUninstall /PC="AM.WILD"

    O4 - HKLM\..\Run: [9a8954b8680d] C:\WINDOWS\System32\AC3API42.exe

    O4 - HKLM\..\Run: [7soX3FV] vssrprxy.exe

    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Wryu.exe

    O4 - HKCU\..\Run: [MB77RPZqe] stcrsfr.exe

    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

    Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Show Hidden Files

    * Click Start.

    * Open My Computer.

    * Select the Tools menu and click Folder Options.

    * Select the View Tab.

    * Under the Hidden files and folders heading select Show hidden files and folders.

    * Uncheck the Hide protected operating system files (recommended) option.

    * Click Yes to confirm.

    * Click OK.

    Please remove these entries from Add/Remove Programs in the Control Panel(if present):

    Weboffer

    Spywarebot

    Please note any other programs that you don't recognize in that list in your next response.

    Please delete these folders using Windows Explorer(if present):

    C:\Program Files\SpywareBot

    C:\Program Files\Web Offer

    Please delete these files using Windows Explorer(if present):

    C:\WINDOWS\System32\aqoidi.exe

    C:\documents and settings\victoria summers\local settings\temp\XfkLnlP4.exe

    C:\documents and settings\victoria summers\local settings\temp\GzK.exe

    C:\WINDOWS\System32\vssrprxy.exe

    C:\WINDOWS\System32\AC3API42.exe

    C:\WINDOWS\System32\Wryu.exe

    stcrsfr.exe <--- You'll have to search for this file, but it may be in either c:\windows or c:\windows\system32

    Hide Hidden Files

    * Click Start.

    * Open My Computer.

    * Select the Tools menu and click Folder Options.

    * Select the View Tab.

    * Under the Hidden files and folders heading select Do Not Show hidden files and folders.

    * Check the Hide protected operating system files (recommended) option.

    * Click Yes to confirm.

    * Click OK.

    After that, Reboot.

    Please download ATF Cleaner by Atribune.

    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

    If you use Firefox browser

    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    1. Download ComboFix.exe using either of these links:

    * bleepingcomputer.com

    * techsupportforum.com

    2. Double click on combofix.exe & follow the prompts.

    3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

    Note:

    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Thanks,

    sari

  12. hs_gram,

    Hi, and welcome to Besttechie. I'm going to help you clean up your PC.

    Please download SmitfraudFix (by S!Ri)

    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    http://www.beyondlogic.org/consulting/proc...processutil.htm

    Thanks,

    sari

  13. Kohu,

    Hi, and welcome to Besttechie. You do indeed have a few different infections in your log. Let's get you cleaned up, and then I suggest you ban your brother from your computer. :lol:

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.

    Note: It is possible that VundoFix encountered a file it could not remove.

    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Download AVG Anti-Spyware from HERE and save that file to your desktop.

    This is a 30 day trial of the program

    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"

    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan along with a new hijackthis log.

    Please post the contents of C:\vundofix.txt, the AVG Anti-Spyware report, and a new HiJackThis log.

    Thanks,

    sari

  14. elearct,

    I'm sorry - since you had run the program, I assumed you would still have it on your desktop.

    Please download SmitfraudFix (by S!Ri)

    Extract the content (a folder named SmitfraudFix) to your Desktop.

    From that point, you can follow the rest of the directions in my first post. :)

    sari

  15. elearct,

    Hello, and welcome to the Besttechie forums. You are indeed infected, so let's get you cleaned up.

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work.

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • If it wants to install an ActiveX component allow it
    • Select either Home User or Company
    • Click the big Scan Now button
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

    Please post the contents of rapport.txt, the Activescan report, and a new hijackthis log in your next post.

    Thanks,

    sari

  16. tman70,

    You can just delete the programs I had you download.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)

    Now close all windows other than HiJackThis, then click Fix Checked.

    That's just a leftover, but no point in leaving it in there. I'm glad everything is good now - it's not fun thinking your PC is compromised like that. I'm glad I could be of assistance.

    sari

  17. tman70,

    What we're going to do is reset your network information, especially your DNS servers. The following line appears to be redirecting you:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74

    If I look up that address, it appears to go to a company called Layered Tech, in Texas, but it actually resolves to a Brazilian address. This is what I'd like you to do. You may want to print these instructions, as I'm going to have you go offline for part of the fix.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74

    O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74

    Now close all windows other than HiJackThis, then click Fix Checked.

    I'm going to want you to shut off your router and your PCs for a while - at least an hour. Before you do, however, I need you to do the following on each PC:

    Go to Start > Run and type cmd.

    Type ipconfig /flushdns and hit enter.

    Shut off your PCs. When you turn them back on, repeat the above command. Then type:

    ipconfig /renew

    That will get new network addresses for you. I know your PC is ok, but I'd rather clear them both and your router to be on the safe side.

    After you've done that, please post a new hijackthis log and let me know if you can access Paypal properly on your son's machine.

    Also, could you ask your son what files, if any, he deleted? I'd be curious to know if there was something he could pinpoint that might have been the source of this.

    If you have any questions about my instructions, please ask before you follow them.

    Thanks,

    sari
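The post above spots a DNS hijack by reading the O17 lines of a HijackThis log: every network interface has been pointed at the same outside name server. The script below is an added example, not code from this thread or from the HijackThis project. It parses O17 NameServer lines, compares each resolver against an allowlist the administrator supplies, and reports anything not on it, so the same check can be run over a whole log rather than by eye. The three 72.21.36.74 lines are the ones quoted in the post; the allowlist (a router at 192.168.1.1 and a resolver at 192.0.2.53) and the extra sample lines are constructed for illustration.

```python
"""Flag O17 (NameServer) entries in a HijackThis-style log that point at
resolvers the administrator did not configure.

Added example for this thread, not part of the original posts. The
allowlist and the benign sample lines are constructed; the 72.21.36.74
lines are the ones quoted in the thread.
"""
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# HijackThis O17 line layout:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d[,e.f.g.h]
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\CCS\\Services\\Tcpip\\\.\.\\(\{[0-9A-Fa-f-]+\}):\s*"
    r"NameServer\s*=\s*(.+)$"
)

# Constructed allowlist: the resolvers this network is expected to use
# (assumption: a home router at 192.168.1.1 and one upstream resolver,
# written here with a TEST-NET documentation address).
ALLOWED_RESOLVERS: Set[str] = {"192.168.1.1", "192.0.2.53"}

# Constructed sample log: three O17 lines quoted from the thread, one
# unrelated O2 line, and one constructed interface using the expected resolvers.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000001}: NameServer = 192.168.1.1,192.0.2.53
"""


def parse_o17(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (interface GUID, [resolver, ...]) for an O17 line, else None."""
    match = O17_RE.match(line.strip())
    if not match:
        return None
    guid, servers = match.groups()
    # HijackThis separates multiple resolvers with commas or spaces.
    resolvers = [s for s in re.split(r"[,\s]+", servers.strip()) if s]
    return guid, resolvers


def classify_resolver(ip_text: str, allowed: Set[str]) -> str:
    """Classify one resolver as 'allowed', 'private', 'public' or 'invalid'."""
    if ip_text in allowed:
        return "allowed"
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    return "private" if ip.is_private else "public"


def find_rogue_nameservers(log_text: str, allowed: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (guid, resolver, verdict) for every resolver not on the allowlist.

    An unexpected public resolver is the classic hijack indicator; private
    addresses off the list are reported too so a reviewer can confirm them.
    """
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        guid, resolvers = parsed
        for resolver in resolvers:
            verdict = classify_resolver(resolver, allowed)
            if verdict != "allowed":
                findings.append((guid, resolver, verdict))
    return findings


if __name__ == "__main__":
    for guid, resolver, verdict in find_rogue_nameservers(SAMPLE_LOG, ALLOWED_RESOLVERS):
        print(f"{guid}: NameServer {resolver} -> {verdict} resolver, not on allowlist")
```

Run against the constructed sample it reports the three interfaces bound to 72.21.36.74 and nothing for the interface using the expected resolvers. Fixing the O17 entries in HijackThis, then flushing the cache and renewing the lease as the post describes, is the remediation; re-running the check on the fresh log confirms no interface was missed.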

  18. tman,

    Several questions for you.

    1) Is this computer networked, and do you have a router?

    2) Is Comcast your ISP?

    I have some things for you to try - I'm putting them together in a response right now. However, there is a suspicious IP address that might be the source of your issue.

    sari