Trojan-Spy.HTML.Smitfraud [RESOLVED]


  • This topic is locked

#106
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You can open Notepad by going to Start > All Programs > Accessories > Notepad

I edited my post as I told you to save it by the wrong name (would not cause harm, just a little error :tazz: )

Open Notepad, and copy/paste the box below into a new notepad file. Change the "save as" type to "All Files". Save it as regfix.reg on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

Make sure there is no blank line above "REGEDIT4".

Locate regfix.reg on your Desktop and double-click on it. If you receive any message, let me know BEFORE following the next steps!!
  • 0
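
An added example, not part of the original thread: a small Python check that a file such as regfix.reg has its header on the very first line (the point of the "no blank line" instruction in post #106) and that it does nothing except delete keys under Image File Execution Options. The helper names `audit_reg` and `is_expected` and the policy they encode are assumptions made for this illustration.

```python
import re

# The regfix.reg content from post #106, embedded so the check runs offline.
REGFIX = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")


def audit_reg(text):
    """Summarise what merging a .reg file would do (hypothetical helper)."""
    lines = text.splitlines()
    report = {
        "header_ok": bool(lines) and lines[0].strip() in HEADERS,
        "deleted_keys": [],   # [-KEY] sections: the key and its subkeys are removed
        "written_keys": [],   # [KEY] sections that set or delete values
        "unparsed": [],       # anything else, including a header that is not on line 1
    }
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m and m.group(1):
            report["deleted_keys"].append(m.group(2))
            current = None
        elif m:
            current = m.group(2)
        elif current is not None and "=" in line:
            if current not in report["written_keys"]:
                report["written_keys"].append(current)
        else:
            # Multi-line hex continuation lines are not handled and land here.
            report["unparsed"].append(line)
    return report


def is_expected(report):
    """True if the file only deletes keys under Image File Execution Options."""
    return bool(report["header_ok"] and report["deleted_keys"]
                and not report["written_keys"] and not report["unparsed"]
                and all(k.upper().startswith(IFEO.upper()) for k in report["deleted_keys"]))
```
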


#107
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
:tazz: HEY!! you changed it....i did what you said, but now as i look back, the file name you're requesting changed????

are we cool... ;) ?????????????????????

Edited by bananafanafo, 26 April 2005 - 12:10 PM.

  • 0

#108
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
post #106 please :tazz:
  • 0

#109
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
Ok..got the edit message....

deleted remove.bat

did the same, launching as specified!! thanks!! such simple things.....

and now have a regfix.reg file on desktop, with a few little green boxes as an icon...

.......double clicked, script file blocked by MS Antispy and i'm back here

:tazz:
  • 0

#110
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Remember when I asked you to disable MS Anti-Spyware? This is one reason why! We have to do this part otherwise we can not continue.
  • 0

#111
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
Good point, however...i did disable it; i had mentioned that i did it a bit different than your instructions...so, since i haven't done anything to that, i trust the Autoupdate that ran when i started this account reassessed and turned itself back on???? i guess that's a good thing...i'll have to go over to the other account to disable it...no icons located here??
  • 0

#112
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
It's not located under Start > All programs ?
  • 0

#113
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
Yes, found it...and deactivated...hmmm, it had also run a scan last night...3am auto scheduler?...1 item located but not treated, removed it...so now i will double click again on regfix.....
  • 0

#114
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
hmmmmmmmmm????

blocked by MS Antispy again, script file....etc etc...guess i'm not getting MS fully shutdown...brb...
  • 0

#115
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
How about disabling, then exiting the program? If this doesn't work, the only other options are to a) leave your system dirty, or b) uninstall MS Anti-Spyware and re-install it in just a minute when your system is clean (VERY close!)
  • 0


#116
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
MSAnti removed, double-click gets the following message, i said No until u give the go ahead...

Are you sure you want to add the information in C:\DOCUME~1\OWNER\Desktop\regfix.reg to the registry? Yes No

just me
  • 0

#117
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
YES!
  • 0

#118
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
Ok..off to do the other stuff!!! I can feel it now!!!!!!!!!!! :tazz:
  • 0

#119
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
here do it in this order (if you have already left to follow my other post, it's FINE!)

I need you to copy all of these instructions and paste them into a notepad and save it for use while in safe mode.

1) Please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

2) Once in Safe Mode, please run Killbox.

3) Select "Delete on Reboot".

4) Open the notepad file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing CTRL + C:

C:\Documents and Settings\owner\Start Menu\Programs\Startup\netdb.exe
C:\WINDOWS\System32\netdc.exe
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\System32\TASKMGRU.EXE


5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Let it reboot.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis and place a check next to the following items if found and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - Startup: netdb.exe

O15 - Trusted IP range: 64.127.104.144


Close HiJackThis.

Restart your computer and Post a new HiJackThis log.
  • 0
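
An added example, not part of the original thread: a Python cross-check of the two lists in post #119, showing which HijackThis entries point at a file queued in Killbox and whether any queued file has no entry referring to it. Matching is by file name only, an assumption made here because the Startup entry carries no path; `cross_check` is a hypothetical helper.

```python
import ntpath
import re

# Copied from post #119: files queued in Killbox and HijackThis entries to fix.
KILLBOX_FILES = r"""C:\Documents and Settings\owner\Start Menu\Programs\Startup\netdb.exe
C:\WINDOWS\System32\netdc.exe
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\System32\TASKMGRU.EXE"""

HJT_ENTRIES = r"""R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - Startup: netdb.exe
O15 - Trusted IP range: 64.127.104.144"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.+)$")               # "O4 - <details>"
EXE_RE = re.compile(r"([^\s\\=\]]+\.exe)\b", re.IGNORECASE)  # bare file names


def cross_check(killbox_text, hjt_text):
    """Return (linked, unlinked, orphans).

    linked   : (code, [queued file names]) for entries that name a queued file
    unlinked : (code, []) for entries that name none (settings, IP ranges, ...)
    orphans  : queued file names that no entry refers to
    """
    queued = {ntpath.basename(p).lower() for p in killbox_text.splitlines() if p.strip()}
    linked, unlinked, seen = [], [], set()
    for line in hjt_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        names = {n.lower() for n in EXE_RE.findall(m.group(2))}
        hits = sorted(names & queued)
        seen.update(hits)
        (linked if hits else unlinked).append((m.group(1), hits))
    return linked, unlinked, sorted(queued - seen)
```
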

#120
joshuageeks6999

joshuageeks6999

    Member

  • Topic Starter
  • Member
  • PipPip
  • 91 posts
Say....is it possible to download this entire thread from the forum ???i've taken notes, but it sort of feels like a relationship about to move on to the next level...might want this in my Keepsakes box.... :tazz:
  • 0





