Haven't said hi in a while. Sorry, the only time I use the forum is when I want something - more accurately, when I have something I don't want.
Got something called "System Alert" - it tells me that I have spyware that it can help me get rid of. Tried removing it from "Remove Programs" (it is called System Alert Popup) but when I click Remove it doesn't do anything. When I click on the flashing icon it takes me to a site called Spydawn.com.
I have included a HijackThis log for you. Again, please help.
Logfile of HijackThis v1.99.1
Scan saved at 9:22:31 PM, on 3/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
This is one of the many Smitfraud/Zlob infections. Please follow the directions for the first part of the fix.
Please download SmitfraudFix (by S!Ri). Save it to your desktop.
Double-click SmitfraudFix.exe and it will install a new folder on your desktop, called SmitfraudFix. Shortly after that a DOS command window will appear. Once it opens, hit any key to continue.
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore you may get an alert.
No need for a new HJT log, just the results from the SmitfraudFix tool.
Scan done at 0:11:54.81, Tue 03/13/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
PS The army sent a new Captain to the Iraq desert, upon arriving, he met up with the Sergeant who took him on an inspection of the post. Coming up to the Messhall, the captain noticed a camel behind the tent. He asked the Sergeant what the camel was doing there.
Sergeant tells the captain, "well... after a while the men get urges being out in the desert with no women - so they use the camel".
Captain doesn't really agree, but, lets it go.
After a couple of months, the Captain gets the urge. He orders the sergeant to bring the camel to his tent. Camel shows up, Captain brings over a stool, stands on it and drops his pants. After he was done, he asked the sergeant, "That's what the men do, right?" The sergeant says, "No Sir, usually they just get on and ride to town where the women are."
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please follow the instructions exactly in the order listed; this is very important!
Please download, install, and update the free version of AVG Anti-Spyware 7.5. Save the file to your desktop.
Double-click the file and select your language.
Follow the prompts to install. The application will add three start-ups to your system; be sure to allow them if you have any real-time monitoring of your system.
Once the install has completed, run the program.
Be sure the two options are enabled:
Resident shield
Automatic updates
From the main AVG 'Status' screen, click the "Update now" link; the update should begin automatically. If not, then hit the [Manual Update] button to begin updating.
After the update finishes, the status bar will display "Update successful".
Click the 'Scanner' tab, and select the 'Settings' tab.
Under 'How to act?' click 'Recommended actions' and select 'Quarantine'.
Under 'Reports' be sure to tick the radio button for 'Automatically generate report after each scan' and un-tick the 'Only if threats were found' box.
Exit AVG. DO NOT run a scan yet.
Reboot into Safe Mode, this way:
Turn on the computer
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
AFTER SmitfraudFix finishes (and after a reboot if required), please open AVG. (If a reboot is required, please boot BACK into Safe Mode.)
Click on Scanner
Click on Complete System Scan and the scan will begin.
When the scan is finished, click the [Save report] button at the bottom of the screen.
Then hit the [Save report as] button.
Save the report to your desktop.
Click the 'Scanner' tab again and then click the [Apply all actions] button.
Close AVG
Then please restart into normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the AVG report and a new HijackThis log. (Please edit out all 'cookies', 'Recycler folder' and 'restore\system volume folder' references from the AVG log.)
Scan done at 7:38:16.78, Tue 03/13/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
Logfile of HijackThis v1.99.1
Scan saved at 7:34:01 PM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Some unusual things like background missing, some of my kids' schoolwork gone, change in home page, and the machine seems to be running a lot slower than before. Once the internet is up and running it seems OK, but getting there seems to be taking a fair bit more time. Also Security Center is reporting out-of-date virus protection. Originally it was telling me that virus protection was turned off. I double checked, everything was fine with the anti-virus program, and then when I went back to Security Center it told me out of date. I updated (it was set to automatic prior to this but somehow got changed to manual) and it's still telling me out of date.
I think I'm close, but I don't think we are done.
Thanks
Dana
Last edited by Dcmurray; 16th March 2007 at 05:38.
OK, for the desktop this should fix it:
Go to Control Panel > Display. Click on the "Desktop" tab, then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK, then Apply and OK. That should get rid of it.
For the kids' homework, I'd need to know where it was done, meaning where was it saved to? If any temp folder, then it's gone, cuz the tool empties all temps. Have you tried searching by date modified/created?
And which Security Center are we speaking of? Windows or a third-party app?
Let me know and I'll try not to overlook your reply this time.
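The Display > Web tab entries above are the Active Desktop components that SmitfraudFix lists under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components in its report earlier in the thread. As an added example (not part of the original thread or of SmitfraudFix), this PowerShell script enumerates those components and flags any whose Source is not the stock About:Home entry, which is how a Smitfraud-style "security warning" background shows up in the registry. The script name and the -Remove switch are assumptions of this example; it assumes a Windows host with PowerShell.

```powershell
# Assumed name: Get-ActiveDesktopComponents.ps1 (hypothetical helper, not from the thread).
# Lists HKCU Active Desktop web components and flags ones that are not the default.
# Run with -Remove to delete the flagged components (same effect as the "Delete"
# button on the Display > Desktop > Customize Desktop > Web tab).
param([switch]$Remove)

$base = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
if (-not (Test-Path $base)) {
    Write-Output "No Active Desktop components registered under $base."
    return
}

$components = Get-ChildItem -Path $base | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    $source = [string]$p.Source
    # Component 0 is normally "My Current Home Page" with Source = About:Home.
    # Anything else (a local .html/.htm file, a file:// URL, a remote site) is
    # worth a look: the fake "System Alert" background is one such component.
    $suspicious = ($source -ne '') -and ($source -notmatch '^about:home$')
    [pscustomobject]@{
        Component     = $_.PSChildName
        FriendlyName  = [string]$p.FriendlyName
        Source        = $source
        SubscribedURL = [string]$p.SubscribedURL
        Suspicious    = $suspicious
        Path          = $_.PSPath
    }
}

$components | Select-Object Component, FriendlyName, Source, SubscribedURL, Suspicious |
    Format-Table -AutoSize

$flagged = $components | Where-Object { $_.Suspicious }
if ($flagged -and $Remove) {
    foreach ($c in $flagged) {
        Write-Output "Removing component $($c.Component) ($($c.Source))"
        Remove-Item -Path $c.Path -Recurse -Force
    }
    # Refresh the desktop so Explorer drops the removed component immediately.
    Start-Process -FilePath 'rundll32.exe' -ArgumentList 'user32.dll,UpdatePerUserSystemParameters'
} elseif ($flagged) {
    Write-Output "Found $($flagged.Count) suspicious component(s); re-run with -Remove to delete them."
}
```

Compare the Source values it prints with the SmitfraudFix report; a stock machine shows only component 0 pointing at About:Home, so any extra entry is the one to remove.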
Hi Tom, Please have a look at this report, more spyware found - it tells me that it went to quarantine but want to make sure. I think they are the same as before.
C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP93\A0053769.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP93\A0053770.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP93\A0053727.dll -> Downloader.Zlob.atf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP93\A0053728.exe -> Downloader.Zlob.bpn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP93\A0053729.exe -> Downloader.Zlob.bpn : Cleaned with backup (quarantined).
::Report end
Also, when I went to Control Panel > Web Pages there was nothing there. Insofar as the Security Center, it was Windows, but it seems to have been resolved. The machine is still running slow; I use Cleanup to clear out temp files. Not too worried about the homework thing, it sure can't hurt the kids to do it twice, maybe a better mark as a result.
Thanks again!
Dana
Last edited by Dcmurray; 21st March 2007 at 20:17.
Yeah, no worries about those findings as they are in System Restore; just turn off System Restore, reboot, turn System Restore back on, and reboot again. That will clear them out.
For the machine being a bit quicker, I'd disable a bunch of things from starting; I see quite a few which really don't need to be starting with Windows.
Tom - Yet another job well done - Thank the computer gods for folks like yourself! Again, much appreciation for your help! Good news - it's spring!!! Might not be a big deal for Arizona boys, but on the East Coast of Canada it was cccccoooold this winter. Thanks again!
Dana
Glad we could be of assistance.
Due to resolution this topic is closed.
If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
PS: Blender is in Canada as well. I love telling her via our many IM chats how nice and warm it is here as she freezes her you-know-whats off.