Hi there - it is a miracle that I can even post this. I have been battling to take control back over my PC since earlier today when it seems it has been completely taken over by viruses.
I have pop ups going all over the place saying my PC is infected and Total Secure 2009 keeps coming up. I have only now just managed to get the internet working (just).
I have Comodo, Avast and Adaware on my PC but don't know how this has happened as I have been running virus free for probably 9 months now.
I get random messages referring to things such as these:
Variant of the Trojan-Spy.Win.32.BHO
Worm.Win32.Netbooster
etc.
My PC is around 4 years old and I am running Windows XP.
Please help.
Thank you.
Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HJT log and start a new topic.
Hi and welcome
Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close every window that is open later in the fix.
Please follow the instructions below and in the order given.
Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop.
Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter. You will be prompted :"Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter
A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. Reboot into Normal Mode.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or the partition where your operating system is installed.
Please post that log along with all others requested in your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm Warning : running option #2 on a non infected computer will remove your Desktop background.
NEXT**
Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Yes and press Enter
Notes
1. If you use SpywareBlaster and/or IE-SPYAD it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
2. As many of the variants of Smitfraud have begun invading the Hosts file, this tool will reset your Hosts file as a necessary precaution. You will also have to reset any specific modifications you may require such as Hosts MVPS.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location.
* You can also access the log by doing the following:
o Click on the Malwarebytes' Anti-Malware icon to launch the program.
o Click on the Logs tab.
o Click on the log at the bottom of those listed to highlight it.
o Click Open.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
NEXT**
Download Trend Micro Hijack This™ and save to desktop.
It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
Accept the license agreement by clicking the "I Accept" button.
Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
Click "Save log" to save the log file and then the log will open in Notepad.
Click on Edit-> Select All then click on "Edit -> Copy" to copy the entire contents of the log.
In your next reply post: Smitfraud C:\rapport.txt
Malwarebytes' Anti-Malware log
New HJT log taken after the above scans have run
A heap of other similar lines to the one above fly up the screen but when it gets to that one it just stops. A message also comes up (for about 10 seconds) that says this:
press 'esc' to cancel loading SPTD.sys
The PC then just reboots itself and goes back to booting up normally.
I'm not sure if this is related to the fact it won't boot up in safe mode, but for the last 4 or 5 months when I start the PC up it always pauses for about 3 or 4 minutes before going to the Windows XP logon screen. During that time my USB ports would lose power and I would have to reconnect my external hard drive (connected through a USB port) at the logon screen for it to be connected.
I look forward to your reply.
I am on Australian time (GMT +10) so I know that there may be a delay between our posts.
Couldn't get Malwarebytes' Anti-Malware (from either link - it just went to a blank Firefox page).
Can you try again using IE?
I suspect that a sector on the hard drive might be bad and interferes with the boot process, or we're looking at a hardware/driver issue, but then again I could be sadly mistaken.
Is your data backed up? I would do so while you still can.
But if it is not hard drive death, then repairing the system with an XP CD might be the answer here. Anyway, here is the link, with hope that it is just a corrupted system: http://www.geekstogo.com/forum/How-t...s-XP-t138.html
Consider doing the following:
Start - Run - (type) cmd then hit - Enter
This will bring up a DOS style box with blinking cursor,
At the blinking cursor, type: chkdsk /f /r hit - Enter <--- notice the required space before the "/"s.
CHECKDISK will inform you that it cannot be run because files are in use/locked, etc. and will invite you to allow CHECKDISK to run the next time you reboot your machine.
Type Y for yes, and then reboot.
The scans will take about 30-40 minutes, after which your machine will complete its boot into Windows.
You may be good-to-go after the CHKDSK, if it finds any bad-clusters and moves files to known good areas of your hard drive. However, if CHKDSK does find bad-clusters and moves files, it may be necessary to run CHKDSK a 2nd and even 3rd time, until all the bad-clusters are found and all of the affected files are safely moved.
Next:
Run System File Checker (to identify and replace any missing or corrupted Windows system files)
Start - Run - (type) sfc /scannow - Enter <-- notice the required space before the "/"
At that point, try your Defrag utility in Normal Mode
sptd.sys - Driver used by the CD Rom emulation program, Daemon Tools Version 4.
Many folks have reported problems with this Driver file.
If you use Daemon Tools Version 4, consider uninstalling it.
You can always Re-install it again later if you prefer.
Double click on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Follow my previous reply for downloading HJT.
Please post: ComboFix.txt
New HJT log
I haven't had a chance to do this yet (still at work) but just so you know since I got the virus I don't have access to the 'run' feature on the start menu. I also don't have access to my Task Manager either - it has locked me out of there.
Let's try to restore some settings and see if it can fix task manager and restore policies.
Try these fixes one at a time, then check to see if after each one it worked, then follow instructions to run ComboFix and download HiJackThis.
Please download Enable the Task Manager and save it to your desktop.
Double-click on taskmanager.reg and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. REBOOT afterwards.... really important!
Right-click and select: Extract all…
Open the VArestorepolicies folder, right-click the file VArestorepolicies, and select: Install. A reboot may be needed for the effects to take place.
If after trying the above and still no joy.......
Next, launch Notepad (Start > Run, type in: notepad), then copy and paste the text present in the Code box below into it:
Code:
Windows Registry Editor Version 5.00
; Clears the NoRun policy so the Run item reappears on the Start menu
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000
Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: http://i204.photobucket.com/albums/b.../regMiekie.png
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards
Now please reboot your computer.
If it's possible try to continue with the rest of the fix...
Just a quick update Juliet. I have just started going through your instructions. Have successfully got control of my task manager back. Now just working through the rest of the instructions.
I then tried the chkdsk /f /r at the command prompt - when I rebooted the machine the following message came up:
Checking File System on C:
The type of the file system is RAW
Autochk is not available for RAW drives.
Windows has finished checking the disk.
I tried rebooting a few times but it just kept coming up with that message.
I then tried downloading Malwarebytes' Anti-Malware and scanned. That worked (logfile below) and picked up a heap of infections.
I then tried repeating the chkdsk but it still kept coming up with the above message.
I noticed I started getting the odd virus stuff popping up again (after the first Malware scan it all seemed to go away) so I did another scan (again, logfile will be below).
I then downloaded Combofix and ran. During one of the reboots it actually did a proper checkdisk and it appeared to fix 4 errors. I will put this logfile below also.
I will now attempt to do the SmitfraudFix (will try the safe mode again now) and possibly post in the morning (it has hit midnight here).
Cheers.
FIRST MALWARE LOG:
Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\body.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\capt2.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\red.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\text.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
COMBOFIX LOG:
ComboFix 08-10-01.02 - user 2008-10-02 23:37:54.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.298 [GMT 10:00]
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
OK, safe mode works now (hurray!) so here's the SmitfraudFix logfile (along with a HJT one):
SmitFraudFix v2.354
Scan done at 0:14:41.93, Fri 03/10/2008
Run from C:\Documents and Settings\user\Desktop\Smitfraudfix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:18 AM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
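The Malwarebytes log posted above lists each hit as "item (Detection) -> action", with registry data items carrying an extra "Data: value" segment. The script below is an added example for this thread, not part of any post here and not a Malwarebytes tool: it parses that layout and pulls out what a responder wants before moving on, namely the hit count per detection name, the items that are only scheduled for "Delete on reboot" (still on disk until the restart), and whether the Winlogon\Userinit value, which Windows runs at every logon and which malware often repoints, still matches the XP default. SAMPLE_LOG is a constructed excerpt of the log above, and the expected Userinit path assumes Windows is installed in C:\WINDOWS.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; not part of any post here and not a
Malwarebytes tool. SAMPLE_LOG is a constructed excerpt of the log posted
in the thread.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.28
Database version: 1225
Windows 5.1.2600 Service Pack 2
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Delete on reboot.
"""

# XP default when Windows lives in C:\WINDOWS (an assumption for this machine).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"

SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection: section, item, detection, data, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        # Registry data items read "Data: <value> -> <action>"; others just "<action>".
        parts = m.group("rest").split(" -> ")
        data = next((p[len("Data: "):] for p in parts[:-1] if p.startswith("Data: ")), None)
        entries.append({
            "section": section,
            "item": m.group("item"),
            "detection": m.group("detection"),
            "data": data,
            "action": parts[-1].rstrip("."),
        })
    return entries


def detection_counts(entries):
    """Hits per detection name, e.g. {'Trojan.Agent': 5, 'Trojan.FakeAlert': 2}."""
    return Counter(e["detection"] for e in entries)


def pending_reboot(entries):
    """Items MBAM could not remove live; they stay on disk until the restart."""
    return [e["item"] for e in entries if e["action"].startswith("Delete on reboot")]


def userinit_findings(entries):
    """Every Userinit hit with whether the logged value was the expected default."""
    out = []
    for e in entries:
        if e["item"].lower().endswith(r"\winlogon\userinit"):
            value = (e["data"] or "").strip().lower()
            out.append({"value": e["data"], "is_default": value == EXPECTED_USERINIT})
    return out


def triage(text):
    """One-call summary of a log: counts, reboot-pending items, Userinit state."""
    entries = parse_mbam_log(text)
    return {
        "entries": len(entries),
        "by_detection": dict(detection_counts(entries)),
        "pending_reboot": pending_reboot(entries),
        "userinit": userinit_findings(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved mbam-log-*.txt by passing the file contents to triage(); a non-empty pending_reboot list means the machine has not yet been restarted since the scan, and a Userinit entry with is_default False means the logon chain was redirected and should be re-checked after the next reboot.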
Nasty rootkit infection here, we have more work ahead.
Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close every window that is open later in the fix.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System. No Validation is required.
Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
At the next prompt, click 'NO' to run the full ComboFix scan.
Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.
NEXT**
Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.
NEXT** 1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
NEXT**
Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with background protection) as it may hinder the scanner from working. This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
Click on this link Here to see a list of programs that should be disabled.
For this next step, please ensure that ComboFix.exe is on your desktop:
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail. Copy and paste the text present inside the CODE box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. CAUTION:Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
NEXT**
Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files. When prompted, check: Delete all offline content
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK
For I.E. 7 - under Browsing History, click delete... Under Temporary Internet Files, click Delete files...
Then, go to Start >Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove: Temporary Files
Temporary Internet Files
RecycleBin
Agree to the prompt to perform the action...
NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
* Click on the Accept button and install any components it needs.
* The program will install and then begin downloading the latest definition files.
* After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
* This will start the program and scan your system.
* The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
* Once the scan is complete, click on View scan report. To obtain the report:
  o Click on: Save Report As
  o Next, in the Save as prompt, Save in area, select: Desktop
  o In the File name area, use KScan, or something similar
  o In Save as type, click the drop arrow and select: Text file [*.txt]
  o Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin https://addons.mozilla.org/en-US/firefox/addon/1419
In your next reply post: ComboFix.txt
Kaspersky log
New HJT log taken after the above scans have run
You may need several replies to post the requested logs, otherwise they might get cut off.
Also at this time I need an update on how the computer is at the moment.
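The Flash Drive Disinfector step above relies on one detail of the autorun mechanism: on XP the commands in a removable drive's autorun.inf can be run when the drive is inserted (via AutoPlay) or when it is opened from My Computer, which is how autorun worms travel between machines, and a folder named autorun.inf blocks a worm from writing a file of that name. The script below is an added example for this thread, not part of any post here and not Flash_Disinfector's own code: it parses an autorun.inf the way a responder reads one, lists every command it would launch and which trigger fires it, and treats an autorun.inf that is a folder as the protected state. SAMPLE_AUTORUN is a constructed worm-style file; its RECYCLER target is made up for the example and is not taken from the logs in this thread.

```python
"""Inspect a drive root for the autorun.inf launch vector.

Added example for this thread; not part of any post here and not
Flash_Disinfector's code. SAMPLE_AUTORUN is constructed for the example.
"""
import os
import re
import tempfile

SAMPLE_AUTORUN = r"""[AutoRun]
; constructed sample modelled on worm-style autorun.inf files
open=RECYCLER\svchost.exe
shell\open\command=RECYCLER\svchost.exe
shell\explore\command=RECYCLER\svchost.exe
shell=open
icon=%SystemRoot%\system32\shell32.dll,4
label=Removable Disk
"""

# Directives that run on insertion, and the per-verb commands that replace
# Explorer's own Open/Explore actions for the drive (the double-click trap).
INSERT_KEYS = ("open", "shellexecute")
VERB_COMMAND_RE = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command$")


def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section.

    Deliberately tolerant (comments, blank lines, stray whitespace, mixed case):
    the shell is lenient too, and a strict INI parser would miss what it runs.
    """
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values


def launch_targets(values):
    """Every command the shell would run, tagged by trigger:
    'insert' for open/shellexecute, 'click:<verb>' for shell\\<verb>\\command."""
    targets = []
    for key, value in values.items():
        if key in INSERT_KEYS:
            targets.append(("insert", key, value))
        m = VERB_COMMAND_RE.match(key)
        if m:
            targets.append(("click:" + m.group("verb").lower(), key, value))
    return targets


def inspect_drive_root(root):
    """Classify <root>/autorun.inf: 'protected' (placeholder folder),
    'absent', or 'autorun-file' with the commands it would launch."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return {"status": "protected", "targets": []}
    if not os.path.isfile(path):
        return {"status": "absent", "targets": []}
    with open(path, "r", errors="replace") as fh:
        return {"status": "autorun-file", "targets": launch_targets(parse_autorun(fh.read()))}


def demo():
    """Build one protected and one infected drive root in a temp dir, inspect both."""
    with tempfile.TemporaryDirectory() as tmp:
        protected, infected = os.path.join(tmp, "E"), os.path.join(tmp, "F")
        os.makedirs(os.path.join(protected, "autorun.inf"))  # the placeholder folder
        os.makedirs(infected)
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        return inspect_drive_root(protected), inspect_drive_root(infected)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real machine call inspect_drive_root("F:\\") for each drive letter; every target it returns is a file to pull for analysis before the drive is plugged into anything else, and a 'click:open' entry explains why merely double-clicking the drive in My Computer reinfected a cleaned machine.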
OK, it all seems to be going well so far. I have just finished the combofix (the one where I dragged the notepad file onto it). Here is the logfile (I am continuing the rest of the instruction and will post the kaspersky and hjt logs when done).
ComboFix 08-10-02.04 - user 2008-10-03 20:46:39.6 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.242 [GMT 10:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\chundate.scr
C:\WINDOWS\renwen.scr
C:\WINDOWS\system32\ekrn.exe
C:\WINDOWS\system32\MediaCodec.exe
C:\WINDOWS\system32\uxqxgnir.exe
F:\tnuiqb.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\revmxwxw
C:\Documents and Settings\All Users\Application Data\revmxwxw\joxmxevw.exe
C:\WINDOWS\chundate.scr
C:\WINDOWS\renwen.scr
C:\WINDOWS\system32\ekrn.exe
C:\WINDOWS\system32\MediaCodec.exe
C:\WINDOWS\system32\uxqxgnir.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.
Not looking too bad so far.
Did you run Flash Drive Disinfector?
Post the Kaspersky log when you can.
Hi there,
Yes, I did run the Flash Drive Disinfector. I am currently running the Kaspersky scan - it is taking a long time so I will have to leave it going overnight. Hopefully it will be done in the morning and I will be able to post that along with a HijackThis log.