Jump to content

pskelley

Trusted Malware Techs
  • Content Count

    1,759
  • Joined

  • Last visited

Everything posted by pskelley

  1. Hello Mike and welcome to the forum, You have a Smitfraud infection, before I address it I would like to give you this information. C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove Programs. http://www.clickz.com/news/article.php/3561546 http://www.greatis.com/appdata/u/v/viewmgr.exe.htm http://www.spywareinfo.com/newsletter/arch...4.php#viewpoint Tutorial and link to download http://siri.geekstogo.com/SmitfraudFix.php I would like to see the C:\rapport.txt from both the Search function and the Clean function, along with a new HJT log that is created after a reboot when you finish with Smitfraudfix so those changes can go into effect. Search: Double-click SmitfraudFix.exe Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt Clean: Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually) Double-click SmitfraudFix.exe Select 2 and hit Enter to delete infect files. You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt Optional: To restore Trusted and Restricted site zone, select 3 and hit Enter. You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone. Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm Please use New Reply NOT New Topic and do not code or quote the information. Thanks
  2. Hi Sarah, If you have not run the diagnostic test here, I suggest you do so if you can, they may pickup on something for you: http://pcpitstop.com/pcpitstop/default.asp Be careful what you touch inside the box, static can render the unit useless: http://www.overclock.net/faqs/110621-info-...lectricity.html Pick up canned air from a office supply (about $5) asnd blow out the insides, fans, etc. http://www.writersservices.com/www/c_cleaning.htm Unlikely it is RAM if you purchased from a reputable dealers, but here is some information: http://www.pcstats.com/articleview.cfm?articleID=1565 Thanks...Phil
  3. Am I talking to Sarah or Pete? This is a fair explanation of a rootkit: http://en.wikipedia.org/wiki/Rootkit Nothing is showing in the Blacklight log though. I can not research more without more information. I suggest you review the google information I posted. Your HJT log looks fine, I fear you have other problems that are not related to malware. Good information here: http://support.microsoft.com/kb/293077 It is so important that we use the exact error message. You will benefit from using google: http://www.google.com/ to research them because that is what I will do and it will get the answer to you quicker. I mainly deal with malware, but I am more than willing to help as much as I can. I may also be able to direct you to other forum's that can help with these problems? I suggest you post here: http://forums.pcpitstop.com/index.php?showforum=3 as there are knowledgeable folks there who do not work with malware who will try to help also. Link them to this topic. What new hardware have you installed recently? Here are a couple of troubleshooting links that may help: http://support.microsoft.com/kb/834938 http://kb.wisc.edu/helpdesk/page.php?id=502 http://www.microsoft.com/resources/documen...r.mspx?mfr=true http://www.microsoft.com/windowsxp/using/s.../devicemgr.mspx Thanks...Phil
  4. Looks like you have issues not related to malware, see this: http://www.google.com/search?sourceid=navc...ss%5for%5fequal C:/Windows/system32/Isass.exe <<< are you sure that spelling is correction, I nesd the complete error message, not just a word or two if you want help troubleshooting them. LSA Shell error <<< same here, post the message "word for word" Win32k.sys <<< same here, complete error message: http://www.google.com/search?sourceid=navc...;q=Win32k%2esys Device Driver error <<< same here http://www.google.com/search?sourceid=navc...ce+Driver+error ___________________________ Please let me take a look at a Blacklight scan to make sure there is no rootkit infection. Please download F-Secure BlackLight Beta: https://europe.f-secure.com/exclude/blacklight/index.shtml Save it to its own folder in the Desktop Double-click blbeta.exe to run the program Click : Scan A list of all items found is created The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers). Please provide the log created by BlackLight in your next reply. Post that log and a new HJT log. Thanks
  5. Good morning and Happy New Year. Let's see how we did. So you will know this is the item we are removing: http://www.symantec.com/security_response/...-051714-2837-99 Please review the information under all tabs so you will understand this one usually comes from p2p file sharing, that is why I will suggest you uninstall this program: LimeWire 4.12.6 Uninstall list: J2SE Runtime Environment 5.0 Update 8 J2SE Runtime Environment 5.0 Update 9 See this information: http://forums.spybot.info/showpost.php?p=1...amp;postcount=2 You need an update, download the newest version and remove all old versions in Add Remove programs. LimeWire 4.12.6 (seems the newest information indicate the program is OK, understand it is the practice of sharing infected files that is the problem at the very least) http://www3.ca.com/securityadvisor/pest/Pe...px?id=453088059 and see this: http://www.spywareinfo.com/articles/p2p/ Limewire (The most current version of Limewire is reported to include spyware. LimeWire 4.9.28 is clean. Older and newer version may not be.) I suggest if you must use p2p files sharing, you uninstall that program in Add Remove programs and choose a safe program from the list. Here is more information: http://pcpitstop.com/spycheck/p2p.asp http://pcpitstop.com/spycheck/badtorrent.asp As far as I can see, the balance of your installed programs look ok. Looks like the fix killed the worm, how is the computer running now? Let's do some cleaning like this: Please download ATF Cleaner by Atribune http://www.atribune.org/content/view/25/2/ Save it to your Desktop. We will use this later. Open HijackThis and choose "Do a system scan only" then check the box in front of these line items: O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\Limewire\LimeWire.exe Close all programs but HJT and all browser windows, then click on "Fix Checked" http://forums.security-central.us/showthread.php?t=1925 <<< Tutorial Run ATF Cleaner Double-click ATF-Cleaner.exe to run the program. Click Select All found at the bottom of the list. Click the Empty Selected button. Click Exit on the Main menu to close the program. System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online: http://forums.spybot.info/showthread.php?t=279 http://russelltexas.com/malware/allclear.htm http://forum.malwareremoval.com/viewtopic.php?t=14 http://www.bleepingcomputer.com/forums/topict2520.html http://cybercoyote.org/security/not-admin.shtml Thanks http://pcpitstop.com/about/supportus.asp If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
  6. Hello sarahb, welcome to the forum, it looks like you may have cut off the HJT log as I see no services running at the end and this is unusual. Please click the Format tab at the top of Notepad and make sure "Word Wrap" is NOT checked. Now click on Edit then Select all, copy and paste the highlited information from now on. You do have infections, we will start like this. It is very important that you read and follow the directions carefully. You may want to print them because you wil be working in safe mode during this cleanup. 1. Please download Ewido Anti-Malware Install ewido anti-malware Launch ewido, there should be an icon on your desktop, double-click it. The program will now open to the main screen. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment. You will need to update ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.(the status bar at the bottom will display ("Update successful") Exit Ewido, do not run the scan yet! If you are having problems with the updater, you can use this link to manually update ewido.ewido manual updates 2. Please download Brute Force Uninstaller to your desktop. Right click the BFU folder on your desktop, and choose Extract All Click "Next" In the box to choose where to extract the files to, Click "Browse" Click on the + sign next to "My Computer" Click on "Local Disk (C:) or whatever your primary drive is Click "Make New Folder" Type in BFU Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". 3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU). Do not do anything with these yet! Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter. 4. Once in Safe Mode, Open Ewido: Click on scanner Click on Complete System Scan and the scan will begin. You will be prompted to clean the first infection. Select "Perform action on all infections", then proceed. Once the scan has completed, there will be a button located on the bottom of the screen named Save report Click Save report. Save the report .txt file to your desktop or a location where you can find it easily. Close ewido anti-malware. 5. Then, please go to Start > My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program. Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log. I would also like to see a copy of your uninstall list, you can get that like this: add/remove in the control panel. Open Hijackthis. Click the "Open the Misc Tools" section Button. Click the "Open Uninstall Manager" Button. Click the "Save list..." Button. Save it to your desktop. Copy and paste the contents into your reply. Thanks
  7. Welcome to the forum, your log looks to be free of malware, if you want to know how to turn off programs not needed, use this information: http://netsquirrel.com/msconfig/ If you wish to know what a file is, use google to find out: http://www.google.com/ That particular file containes a Microsoft Knowledge Base number in it. Here is the google: http://www.google.com/search?hl=en&q=m...G=Google+Search Since it appears to be part of a Windows Update, it is probably safe. If you want to check it you can have the file scanned at one of these free online scanners. http://virusscan.jotti.org/ http://www.kaspersky.com/scanforvirus http://www.virustotal.com/flash/index_en.html Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online: http://forums.spybot.info/showthread.php?t=279 http://russelltexas.com/malware/allclear.htm http://forum.malwareremoval.com/viewtopic.php?t=14 http://www.bleepingcomputer.com/forums/topict2520.html http://cybercoyote.org/security/not-admin.shtml Thanks...pskelley Trusted HJT Advisor PCPitStop forum http://pcpitstop.com/about/supportus.asp If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
  8. Looks clean, be nice to hear from you though, let's do this now. System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually. If you keep this free scanner. make sure you clean the quarantine folder, you put some junk in there. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online: http://forums.spybot.info/showthread.php?t=279 http://russelltexas.com/malware/allclear.htm http://forum.malwareremoval.com/viewtopic.php?t=14 http://www.bleepingcomputer.com/forums/topict2520.html http://cybercoyote.org/security/not-admin.shtml Thanks...pskelley Trusted HJT Advisor PCPitStop forum http://pcpitstop.com/about/supportus.asp If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
  9. Thanks for returning your information, one more nasty that did not go with the rest: http://www.google.com/search?sourceid=navc...=winexy32%2edll O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll I also suggest you remove DAP from your computer, read this: http://www.greatis.com/appdata/u/d/dap.exe.htm I would like to run a good Spyware tool to make sure nothing is hiding also if it works for you. Let's do this. 1) Please download ATF Cleaner by Atribune http://www.atribune.org/content/view/25/2/ Save it to your Desktop. We will use this later. 2) We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make. Open Windows Defender, Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender. After all of the fixes are complete it is very important that you enable Real-time Protection again. 3) How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tutorials/...l42.html#delreb Start Hijackthis Click on the Config button Click on the Misc Tools button Click on the button labeled Delete a file on reboot... A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\winexy32.dll and click on it once, and then click on the Open button. You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now. 4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items: (check and remove this advanced option if you did not set it) O11 - Options group: [iNTERNATIONAL] International* O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll Close all programs but HJT and all browser windows, then click on "Fix Checked" 5) Follow the instructions exactly in this link. Make sure you delete or at least quarantine what is located and save the Report-Scan.txt to post for me. http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/ Thanks to John McKenna for the tutorial 6) Run ATF Cleaner Double-click ATF-Cleaner.exe to run the program. Click Select All found at the bottom of the list. Click the Empty Selected button. Click Exit on the Main menu to close the program. Restart the computer and post the Report-Scan.txt from AVG AS and a new HJT log. Let me know how the computer is running now. Thanks
  10. Welcome to the forum, please follow these directions. 1) The junk will attract more, keep offline as much as possible until you are clean. 2) Follow the instructions in this link: http://siri.geekstogo.com/SmitfraudFix.php Thanks to S!Ri, and any others who helped with this fix. Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Search: Double-click smitfraudfix.cmd Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt Save that report, I wish to see it, there is no doubt you have the infections so move on to Clean: Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually) Double-click smitfraudfix.cmd Select 2 and hit Enter to delete infect files. You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt and Optional: To restore Trusted and Restricted site zone, select 3 and hit Enter. You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone. Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm Post the two reports from Smitfraudfix and a new HJT log. I will respond with directions as soon as possible after that. Please use "New Reply" and do not quote or code, copy and paste all replies. Thanks
  11. http://www.google.com/search?hl=en&q=m...G=Google+Search Try uninstalling the game that is causing this, these error messages will probably stop. Thanks Resolved the malware issues, this member will have to follow the links I provided and troubleshoot problems with the game at the website of where they downloaded it or one of the forums concerned with issues with the game.
  12. http://www.google.com/search?sourceid=navc...spearhead%2eexe http://www.google.com/search?sourceid=navc...tm%29+Spearhead http://www.gpdownloads.co.nz/dl.dyn/Files/3146.html <<< look to the left at this site, there are forums, you appear to have a corruption with one or more of the games files. Others seem to have the same problem. I just do not do this kind of troubleshooting. I would suggest you contact the maker of the game, or if you downloaded it online, download it again. Here is some information about the other file which is not a Windows file either: http://www.google.com/search?sourceid=navc...q=nvoglnt%2edll Open HijackThis and choose "Do a system scan only" then check the box in front of these line items: O20 - Winlogon Notify: khfdb - C:\WINDOWS\system32\khfdb.dll (file missing) Close all programs but HJT and all browser windows, then click on "Fix Checked" AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually. System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online: http://forums.spybot.info/showthread.php?t=279 http://russelltexas.com/malware/allclear.htm http://forum.malwareremoval.com/viewtopic.php?t=14 http://www.bleepingcomputer.com/forums/topict2520.html http://cybercoyote.org/security/not-admin.shtml Thanks...pskelley Trusted HJT Advisor PCPitStop forum http://pcpitstop.com/about/supportus.asp If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
  13. Yes, as stated in the instructions, I need to see a new AVG scan result and a new HJT log that is made after AVG removed what it located. Could I have the exact error messages you are receiving from your game and from Firefox. You may have to download both of them again? Firefox is releasing a new version as we speak: http://www.mozilla.com/en-US/firefox/ <<< please DO NOT download the new version until out work is complete. Thanks
  14. For some reason you chose to ignore what the AVG Spyware located??? This did nothing for you. Please run that scan again, choose to delete or at least quarantine what is located. Ignore something only if you know it is not bad. Post the new results and a HJT log run after the scan has been run. I will have suggestions at that time that may help speed up your computer. Thanks
  15. Good job running that tool If it is ok with you I would like to run one more good spyware tool to make sure nothing is hiding. If that works for you, then do this. 1) Follow the directions in this link to download, install, update and run AVG Anti-Spyware 7.5. http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/ Thanks to John McKenna for the excellant tutorial. 2) Please download ATF Cleaner by Atribune http://www.atribune.org/content/view/25/2/ Save it to your Desktop. We will use this later. 3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items: O2 - BHO: (no name) - {47E16ECD-2B91-45AE-901B-1818E1B5AA37} - C:\WINDOWS\Microsoft.NET\ruls.dll (file missing) O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab (next one, if you are positive it is safe you can leave it) O16 - DPF: {08EE4BCE-527E-4760-B11A-B829415E9103} (MaxisGolfTeleX Control) - http://simgolf.ea.com/teleport/simgolf/MaxisGolfTeleX.cab Close all programs but HJT and all browser windows, then click on "Fix Checked" (It is your computer but I suggest you either purchase the game and then carefully read the EULA when installing or play them online. Downloading free games from the internet is dangerous) 4) Run ATF Cleaner Double-click ATF-Cleaner.exe to run the program. Click Select All found at the bottom of the list. Click the Empty Selected button. Click Exit on the Main menu to close the program. Restart the computer and post the results of the Spyware scan and a fresh HJT log. Let me know how the computer is running now. Thanks Your Java program is out of date and that may be why you got infected? Ser this information: http://forums.spybot.info/showpost.php?p=1...amp;postcount=2 C:\Program Files\Java\jre1.5.0_06\ <<< out of date.
  16. OK, thanks for returning that information. That is a strange looking Vundo infection, let's see what happens when we run the fix. Atribune's fix will locate the bad stuff and it may take several tries to remove it all. You want to watch the Vundofix report until you see all files located have been deleted. Read your instructions so you understand them, then follow them carefully. Thanks to Atribune and any others who helped with this fix. Please download VundoFix.exe to your desktop Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. If there is a file VundoFix doesn't find we need it submitted. Please submit the files to upload malware http://www.uploadmalware.com Restart the computer and post C:\vundofix.txt and a new HiJackThis log Thanks
  17. Welcome to the forum, it looks to me like you have a hidden Vundo trojan infection because of no BHO's or 020 items showing in your HJT log. Vundo usually directs you to rouge spyware programs like Winfixer. If you wish to find out, rename HijackThis.exe, call it dumb_nelby2.exe or whatever you wish. Restart the computer and post a new HJT log and let's see what shows up. Thanks
  18. G'Day Simon and thanks for returning your information and your comments. I do a small business in the area but all online work is volunteer. I do it because I like to help people and I hate malware C:\Program Files\Java\jre1.5.0_07\ <<< out of date, this will get you infected. See this information. http://forums.spybot.info/showpost.php?p=1...amp;postcount=2 Your logs are all looking good. You can empty the quarantine folder in AVG Anti-Spyware if you decide to keep the scanner. If all is running well again, I would say you are good to go. AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually. System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online: http://forums.spybot.info/showthread.php?t=279 http://russelltexas.com/malware/allclear.htm http://forum.malwareremoval.com/viewtopic.php?t=14 http://www.bleepingcomputer.com/forums/topict2520.html http://cybercoyote.org/security/not-admin.shtml Safe surfing...Phil Cheers...pskelley Trusted HJT Advisor PCPitStop forum http://pcpitstop.com/about/supportus.asp If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
  19. Welcome to the forum, follow the instructions in this link: http://siri.geekstogo.com/SmitfraudFix.php You have the infection so continue through the instructions, this information applies to the Optional item: Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. after you complete those instructions, then follow the instructions in this link: http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/ John McKenna <<< thanks to John for the tutorial When you finish post the reports from Smitfraudfix, the scan results from AVG Anti-Spyware, a new HJT log and your comments. Let me know how the computer is running now. Thanks
  20. No Joe, I am not familiar with the program, my suggestion would be to discuss it with RR. http://content.rr.com/rdrun/care_support.htm The AVG Spyware scan is optional. You had a good bit of junk in the last, but I believe it was run before Smitfraud "Clean". It's up to you if you want that final check, and if you do run it I suggest you do it in Safe Mode. I will give you closing information in case you decide the computer is running well and you do not wish to do more. AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually. System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online: http://forums.spybot.info/showthread.php?t=279 http://russelltexas.com/malware/allclear.htm http://forum.malwareremoval.com/viewtopic.php?t=14 http://www.bleepingcomputer.com/forums/topict2520.html http://cybercoyote.org/security/not-admin.shtml Sorry for the confusion at the start and thanks for your cooperation in the cleanup, good job Thanks...pskelley Trusted HJT Advisor PCPitStop forum http://pcpitstop.com/about/supportus.asp If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
  21. Thanks, that's much better. Smitfraud will clean in normal mode but needs safe mode to kill running program effectively. What about this item: C:\Program Files\MEDIC\bin\sprtcmd.exe Can you validate it is safe? If not, use one or more of these free scanners to find out: http://virusscan.jotti.org/ http://www.kaspersky.com/scanforvirus http://www.virustotal.com/flash/index_en.html Post that information for me to view. Scan for and post an AVG Anti-Spyware - Scan Report, let me know about the item above and how the computer is running now. I do not need to see any cooklies in the report, you can edit them before posting. Thanks...Phil
  22. Well thanks for stopping by for a check, here is what I suggest. 1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm 2) Keep your Java program updated, it is a security risk, see this information: http://forums.spybot.info/showpost.php?p=1...amp;postcount=2 C:\Program Files\Java\jre1.5.0_06\ <<< out of date 3) C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe For your information, Viewpoint is installed by aol probably without your knowledge, at the least it is a resouce waster. Remove it in Add Remove programs http://www.clickz.com/news/article.php/3561546 http://www.greatis.com/appdata/u/v/viewmgr.exe.htm http://www.spywareinfo.com/newsletter/arch...4.php#viewpoint 4) Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online: http://forums.spybot.info/showthread.php?t=279 http://russelltexas.com/malware/allclear.htm http://forum.malwareremoval.com/viewtopic.php?t=14 http://www.bleepingcomputer.com/forums/topict2520.html http://cybercoyote.org/security/not-admin.shtml 5) Safe surfing Thanks...pskelley Trusted HJT Advisor PCPitStop forum http://pcpitstop.com/about/supportus.asp If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
  23. I apologize for the confusion. Jacee has asked me to continue helping you. I will use the information you have provided thus far, but for now I want you to click on this link: http://siri.urz.free.fr/Fix/SmitfraudFix_En.php It will help you with the visuals. Do this in the numbered order: Please understand that first "Clean" failed and it is probably because it was not run in safe mode as the instructions indicate: Clean: Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually But in normal mode: Scan done at 11:31:44.65, Sat 10/14/2006 Run from C:\Documents and Settings\joseph\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix run in normal mode Please follow these directions carefully as that is your best chance of success. 1) Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.zip 2) Use: Extract all the archive content. 3) Search: Double-click smitfraudfix.cmd Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt (I wish to see the report from both the "Search" function and the "Clean" function) 4) Clean: Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually) Double-click smitfraudfix.cmd Select 2 and hit Enter to delete infect files. You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt 5) Optional: (please do this instruction also) To restore Trusted and Restricted site zone, select 3 and hit Enter. You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone. ***This information applies to the optional cleaning: Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. Restart the computer and post the two Reports from SmitfraudFix and a fresh HJT log. We will have more to do. Thanks...Phil
  24. I apologize, you must have started another topic instead of replying to the one Jacee started with you. Return to the original topic and post there using add reply and do not start new Topics, she will not get notified when you post. Thanks
  25. Edited this information because I was not aware Jacee was helping this member. pskelley
×
×
  • Create New...