26 replies to this topic

[ken545]

Karen

I have a question for you, its Saturday night, why am I home fighting malware


C:\WINDOWS\tool1.exe <-- This file was deleted but it is part of VirusBurst that is a trojan related to the Smifraud family of trojans. I would like you to run just option #1 for Smitfraud and lets see if its present.



Please download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

I just need this log at this time

[Classy_Lady]

Hi Ken Not sure about the Saturday night malware fighting vs doing something else however I can tell you I am grateful for your help. Besides, Saturday night is for amatures to be out on the town etc...at our age we know better than to get the hangover and big head ;-) Here is the log SmitFraudFix v2.148 Scan done at 18:09:30.87, Sat 03/10/2007 Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS C:\WINDOWS\country.exe FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="C:\\WINDOWS\\system32\\ad.html" "SubscribedURL"="" "FriendlyName"="" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32 »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End

[ken545]

Ok Karen,

You have all of or part of Smitfraud.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

This is a standard fix so bypass the download part but I would run AVG again to make sure it gets everything.

Download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Download and install the 30 day trial of AVG Anti-Spyware 7.5 to your desktop.

• Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
• Once the setup is complete you will need run Ewido and update the definition files.
• On the main screen select the icon Update then select the Update now link.
• Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
• Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
• Once in the Settings screen click on Recommended actions and then select Quarantine <-- Dont forget this
• Under Reports
• Select Automatically generate report after every scan
• Un-Select Only if threats were found
• Close AVG Anti-Spyware 7.5 <-- Do not run the scan yet.

Boot your computer into Safemode

• Go to Start> Shut Off your Computer> Restart
• As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
• This will bring up a menu.
• Use the Up and Down Arrow Keys to scroll up to SAFEMODE
• Then press the Enter on your Keyboard

Tutorial if you need it How to boot into Safemode

• Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
• Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
• You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
• The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
• The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
• A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt





Clean out your Temporary Internet files. Proceed like this:

• Quit Internet Explorer and quit any instances of Windows Explorer.
• Click Start> Control Panel and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete Offline content check box , and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button.
• Click Apply then OK.

• Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
• Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
• AVG will now begin the scanning process, be patient this may take a little time.
• Once the scan is complete do the following:
• If you have any infections you will prompted, then select Apply all actions
• Next select the Reports icon at the top.
• Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
• make sure to remember where you saved that file, this is important
• Close AVG Anti-Spyware 7.5

IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process:


Reboot normally.

• Open the SmitfraudFix folder and double-click smitfraudfix.cmd
• Select option #3 - Delete Trusted zone by typing 3 and press Enter
• Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the log from Smitfraud fix, the AVG Spyware log and a New HJT log please

[Classy_Lady]

Hi Ken
Feels like we have been 'over the river and through the woods...'. I hope I did all the steps right - here are the logfiles - first HJT

Logfile of HijackThis v1.99.1
Scan saved at 5:07:29 AM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Documents and Settings\Owner\Desktop\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\Owner\Desktop\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\system32\InetCntrl\PopupKil\BsafeBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\system32\InetCntrl\PopupKil\BsafeBHO.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Owner\Desktop\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HSN Skin Tools Alerts] "C:\Program Files\HSN\bar\1.bin\hsnSkPly.exe" Alerts
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'inetcntrl0007.dll' missing
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yah...nance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldw...x/blockwerx.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,19/mcgdmgr.cab
O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmat...er/MMLRadio.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Documents and Settings\Owner\Desktop\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[Classy_Lady]

AVG Log..... --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 5:02:00 AM 3/11/2007 + Scan result: :mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.71:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned. :mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned. :mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned. :mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned. :mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned. :mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned. :mozilla.138:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.139:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.140:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned. :mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned. :mozilla.130:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.131:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.132:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.133:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned. :mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned. :mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. :mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\volqenhl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned. C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP13\A0012129.exe -> Trojan.Small : Cleaned. ::Report end

[Classy_Lady]

Here is the Smitfraudfix report. By the way - what does this Smitfraud do? Do you know how long Ihave had it? The internet link was broken last year but the guy I worked with felt we could just leave it since it didn't seem to bother anything. Also btw - I have lost my desktop background - not a big issue to restore it but wanted to know if it was relavant to what we were 'fixing'? Thanks for being willing to share your expertise and taking the time with me here Ken. ~~Karen SmitFraudFix v2.148 Scan done at 19:57:21.10, Sat 03/10/2007 Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\country.exe Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End

[ken545]

Good Morning Karen

Guess what, where almost done and your log is clean Then only thing AVG found were cookies and a file related to Smitfraud in your System Restore Program so I want you to flush that all out and create a NEW RESTORE POINT

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.

• Right-click My Computer.
• Click Properties.
• Click the System Restore tab.
• Check Turn off System Restore on all Drives.
• Click Apply, and then click OK.

Reboot your System

Turn ON System Restore.

• Right-click My Computer.
• ClickProperties.
• Click the System Restore tab.
• UN-Check Turn off System Restore on all Drives.
• Click Apply, and then click OK.

Create a new Restore Point <-- Very Important

• Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
  You can name the restore point anything you like, something that you can remember, You will have to be in Catagory View to see this

System Restore Tutorial <-- If you need it





Smitfraud is a Trojan that installs many bogus Anti Spyware Programs that sends out an alarm that your infected and offers you a free scan, when you except the free scan...than your infected. It didn't look like it was full blown, we cut it off before it planted itself in your system.


There is a chain of files called a winsock ,this chain is what connects you to the internet and that 010 entry in HJT is showing that the chain is disrupted ( But still working ) Bsafe tends to do that , I don't know why. Hijackers do that also to route information about you to them but since the file appears safe and your internet connection is ok we will just let that be.

The Smitfraud fix removes your desktop background, its part of the cleaning process.

Close any instance of Internet Explorer and Windows Explorer.

• Go to Start> Control Panel> Internet Options . You shoud be on the General Tab
• Delete Cookies
• Delete Files > and offline content as well
• Then go to the Programs Tab and Reset Web Settings

You can right click on your Desktop and go to Properties then to the desktop tab and reset your desktop to whatever you want.

How is your system running now??

[Classy_Lady]

Ken So far so good EXCEPT I cannot find Performance and Maintenance or anything similar in my control panel in order to create a new restore point! HELP

[ken545]

Karen,

Go to Start> Control Panel and if its a bunch of icons than you are in Classic View, up on the top left you will see an option to switch to Catagory View and Performance and Maintenance in in there.


Ken

[Classy_Lady]

Whew! Found it and put in the Restore point The system seems Ok - maybe a bit sluggish (or my perception could be off because I am 'watching' for something) not sure. Is there something I should do regularly to keep cleen? I was running the Ewido Scan and now can run the Avg but want to try to avoid future infections. We have bsafe to keep temptation from porn sites - we don't really go in chat and usually delete unknown emails without opening....any suggestions for additional precautions? Thanks for your help Karen

[ken545]

Karen,

You can do that System Restore function maybe every 6 months because it does build up, it;s not something to do on a regular basis, just make sure you create a New Restore Point after you flush it out


You can run this free cleaner, its safe to run, it has an issues scan that I would do now after being infected but you dont need to run the issues scan on a regular basis either, I run this cleaner on my own system about once aweek to get rid of all the temp and internet temp files that build up and will tend to clog you up.

Download and Install CCleaner
If you don't want the Yahoo Toolbar, be sure to uncheck it during installation
* Click on Run Cleaner
* Run the Issues Scan < -- After it scans your system, when you click on the Fix button and it asks you to backup the Registry..Say Yes
Tutorial for CCleaner


Defrag your drive maybe once a month, if you have not done this, the first time may take awhile. This will get all the files on your hard drive in order so that they can be found quicker.

Go to Start> All Programs> Assessories > System Tools> Disk Defragmenter.
This is the Windows Disk Defragger, run this maybe once or twice a month to help speed up your system. The first time you run it, it may take awhile.


Malware Complaints
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.

• Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
• Tom Coyote
• TonyKlein CastleCops
• Grinler BleepingComputer
• Geeks To Go
• Dslreports

Here are some free programs to install, don't leave home without them

• Spybot Search and Destroy 1.4
  Check for Updates/ Immunize and run a Full System Scan on a regular basis.
  
• Ad-Aware SE Personal 1.06
  Check for Updates and run a Full System Scan on a regular basis.
  
• Spyware Blaster It will prevent most spyware from ever being installed.
  
• Spyware Guard It offers realtime protection from spyware installation attempts.
  
• Win Patrol This program will warn you when any changes are being made to your system and give you the option to deny the change.
  
• IE-Spyad
  IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  
• Firefox 2.0 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
  
• Zone Alarm Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.

Thanks for stopping by Tom Coyote , I'm glad I was able to help you.

[ken545]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php