Please Help
Hello All,
And thanks in advance for your help.
It looks like I've got a virus. There is a message that keeps popping up from the icon bar at the bottom of the screen that says
"Your computer is infected. Windows has detected spyware infection. It is recommended to use special antisoftware tools to prevent data loss. Windows will now download and install the most up to date antispyware for you. Click here to protect from spyware"
This pops up from an icon that looks like a red circle with a white X in it.
When I clicked on it, it started downloading something, but I stopped it.
Also I've tried the 'System Restore' function many times, even in safe mode, but it couldn't restore. It actually gave a message saying it couldn't restore.
I tried it with different dates as well.
Then I have also run the latest version of Ad-Aware in regular and safe mode, and it did find some stuff and deleted it, but this problem is still there.
Please help. What should I do?
Thanks very much
This discussion has been closed.
Comments
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Thanks for the advice. Here is the text file from running 'smitfraudfix':
SmitFraudFix v2.323
Scan done at 19:00:40.61, Fri 06/06/2008
Run from C:\Documents and Settings\sandeep\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\sandeep
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\sandeep\Application Data
C:\Documents and Settings\sandeep\Application Data\Install.dat FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\sandeep\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Appinit_dlls"="C:\\WINDOWS\\System32\\cru629.dat"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7FAB08E7-A747-43C3-97AC-56814A8F034E}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7FAB08E7-A747-43C3-97AC-56814A8F034E}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7FAB08E7-A747-43C3-97AC-56814A8F034E}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Please advise further.
Many Thanks
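The report above carries three indicators worth understanding from a defender's point of view: the hosts file maps an anti-spyware vendor's domain to 127.0.0.1, which stops the machine from reaching that cleanup site; the AppInit_DLLs value names a .dat file under System32, which Windows loads into every process that links user32.dll; and Install.dat under Application Data is flagged as FOUND. The script below is added here as an example and is not part of the original thread or of SmitfraudFix. It parses a report in this format (the sample is built from lines of the report above), flags these indicators for review, and also checks the Winlogon Userinit and System values against their normal Windows XP contents. The section names it keys on and the expected Userinit value are assumptions based on this report; as the report itself warns, a flagged key is not necessarily infected, so the output is a triage list, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the SmitfraudFix report posted in this thread.
# Raw string so the doubled backslashes of registry-export syntax survive as written.
SAMPLE_REPORT = r"""
SmitFraudFix v2.323
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\sandeep\Application Data
C:\Documents and Settings\sandeep\Application Data\Install.dat FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Appinit_dlls"="C:\\WINDOWS\\System32\\cru629.dat"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION_RE = re.compile(r"^»+\s*(.+?)\s*$")            # "»»» hosts" -> "hosts"
HOSTS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")  # "127.0.0.1 host"
FOUND_RE = re.compile(r"^(.+?)\s+FOUND\s*!$")           # "<path> FOUND !"
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')        # "Name"="value"

# Assumed normal value of Userinit on a stock Windows XP install (case-insensitive).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def split_sections(report: str) -> dict[str, list[str]]:
    """Group non-empty report lines under the '»»»' section header they follow."""
    sections: dict[str, list[str]] = {}
    current = "header"
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def reg_unescape(value: str) -> str:
    """Registry export syntax doubles backslashes; collapse them back to single ones."""
    return value.replace("\\\\", "\\")


def triage(report: str) -> list[Finding]:
    """Return the indicators a reviewer should look at, in report order."""
    sections = split_sections(report)
    findings: list[Finding] = []

    # 1. hosts overrides: any IP->name mapping other than localhost is suspicious,
    #    especially when the name belongs to a security vendor.
    for line in sections.get("hosts", []):
        m = HOSTS_RE.match(line)
        if m and m.group(2).lower() != "localhost":
            findings.append(Finding("hosts-override", f"{m.group(2)} -> {m.group(1)}"))

    # 2. Files the tool explicitly marked FOUND, in whichever directory section.
    for lines in sections.values():
        for line in lines:
            m = FOUND_RE.match(line)
            if m:
                findings.append(Finding("file-found", m.group(1)))

    # 3. AppInit_DLLs is empty on a clean XP box; anything listed here gets loaded
    #    into every process that links user32.dll.
    for line in sections.get("AppInit_DLLs", []):
        m = REG_VALUE_RE.match(line)
        if m and m.group(1).lower() == "appinit_dlls" and m.group(2):
            findings.append(Finding("appinit-dll", reg_unescape(m.group(2))))

    # 4. Winlogon: Userinit should be the stock value and System should be empty.
    for line in sections.get("Winlogon", []):
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), reg_unescape(m.group(2))
        if name == "userinit" and value.lower() != EXPECTED_USERINIT:
            findings.append(Finding("winlogon-userinit", value))
        if name == "system" and value:
            findings.append(Finding("winlogon-system", value))

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.category}] {f.detail}")
```

On the sample above the script lists the two hosts overrides, the Install.dat path and the cru629.dat AppInit entry, and stays silent on the Winlogon keys because they match their normal contents; it is the same list a helper on this thread would pick out of the report by eye.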
Please reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
Warning : running option #2 on a non infected computer will remove your Desktop background.
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please save it to your desktop for the moment.
Next, I need you to download and run HijackThis v2.0.2 from here.
http://www.trendsecure.com/portal/en-US/_d.../HJTInstall.exe
Follow all the prompts.
Now run HijackThis and post the generated log in your new reply, along with the rapport.txt that I asked you to save to your desktop just now.
I ran smitfraudfix option #2, and cleaned the files and the registry. Looks like it did not detect the wininet.dll. However, the problem is still there.
But when I try to download the 'Hijack this' program it keeps saying page not found.
Also the rapport file is too big to paste into this reply. I tried and got an error saying I have too much text in this reply and need to limit it to 50000 characters.
What should I do now?
Thanks
Here, try again:
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
I suggest you attach the rapport file to your reply instead of posting it straight here - do you know how?
I downloaded and installed Hijackthis, but it doesn't seem to run!
I was able to download it onto the desktop. Then I installed it in the 'C:' drive as it recommended and it put an icon on the desktop, but when I click the icon nothing happens. I also shut down my 'spysweeper' program and tried it again, but still the same thing.
I did this all in 'Normal Windows Mode'. Do I need to do it in Safe Mode?
Thanks
P.S. How do I attach the rapport file?
Well, click on the "New Reply" button, do not use the Quick Reply feature.
Then you'll notice an icon with an image of a paperclip. Click on that. You'll now get a popup box that allows you to upload files from your computer.
I tried renaming Hijackthis, but it still doesn't run.
I have attached the rapport file.
Thanks
- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Save it to your desktop.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Next RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
- Save it to the desktop.
- Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
- If you receive an error, just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
- You will receive a prompt: "Do you want to skip supplementary searches?" Click NO.
- You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
- Once you receive the prompt "All Done!", open the text file on the desktop, copy that entire log, and paste it here, along with the ComboFix log that you saved to your desktop earlier on.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
Sorry but combofix won't run either!
I don't know what's going on. Am I doing something wrong?
Thanks
Also meanwhile go on to SilentRunners.
I am able to run smitfraudfix. Is that a .exe?
I don't have any other .exe files to check it out.
Can you suggest some other files I could download to check out what you are saying?
Thanks
Also I checked silentrunners, can you please tell me where exactly on the website to go? I don't see a forum like on this site. Is there someone to contact?
Thanks
The link to SilentRunners is here:
http://www.silentrunners.org/Silent%20Runners.vbs
Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you. This topic is now closed.
Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.
If you are not the user who started this thread, you must start your own thread instead.