Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Task manager disabled and antispywareupdates.net infection and more [C

Started by dwhippet , Mar 22 2008 06:18 PM

  • This topic is locked This topic is locked

#1
dwhippet
Posted 22 March 2008 - 06:18 PM

dwhippet

    New Member

  • Member
  • Pip
  • 1 posts
I cleaned this computer 5 days ago with Bazooka and spybot. removed over 150 instances of spyware. 2 days later it started getting popups stating it was infected with spyware and to click here for more information on how to clean it. It woudl take you to a site called antispywareupdates.net. Fortunately, this ws already being blocked by IE 6.

Today I ran a scan with CA antivirus, Lava Soft Ad-Aware 2007, SuperAntispyware, AVG Antispyware and finally Panda Active scan. It still showed active spyware instances. I am no longer getting the antispyware, but my task manager is disabled. That may be the last of it, but am not sure.

When I cleaned it Tuesday I had to reenble the taks manager and the active desktop. I thought then I should do this step, but hoped I got it all.

I am running winxp pro sp2, patched to today.

here are the logs:

AVG Anti spyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:03:16 PM 3/22/2008

+ Scan result:



C:\Program Files\180search assistant -> Adware.180Solutions : Cleaned.
C:\Program Files\180search assistant\180sa.exe -> Adware.180Solutions : Cleaned.
C:\Program Files\180search assistant\sau.exe -> Adware.180Solutions : Cleaned.
C:\Program Files\180searchassistant -> Adware.180Solutions : Cleaned.
C:\Program Files\180searchassistant\saap.exe -> Adware.180Solutions : Cleaned.
C:\Program Files\180searchassistant\sac.exe -> Adware.180Solutions : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} -> Adware.Generic : Cleaned.
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned.
HKU\S-1-5-21-790525478-1993962763-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned.
C:\Documents and Settings\Law Office\Local Settings\Temp\nsu3DA.tmp\Install.dll -> Not-A-Virus.Adware.180Solutions : Cleaned.
C:\Documents and Settings\Law Office\Local Settings\Temp\Cookies\law [email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Law Office\Local Settings\Temp\Cookies\law office@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end


ACTIVE SCAN:

Incident Status Location

Spyware:spyware/whazit Not disinfected c:\windows\system32\KYF.DAT
Adware:adware/startpage.aco Not disinfected c:\windows\system32\NTNUT32.EXE
Spyware:spyware/fastsearchweb Not disinfected c:\windows\system32\SHDOCPE.DLL
Adware:adware/123mania Not disinfected c:\windows\system32\SIPSPI32.DLL
Adware:adware/tubby Not disinfected c:\windows\system32\WER8274.DLL
Adware:adware/ncase Not disinfected c:\windows\DIDDUID.INI
Adware:adware/topconvert Not disinfected c:\windows\UPDATETC.EXE
Adware:adware/portalscan Not disinfected c:\program files\STC
Adware:adware/kingporn Not disinfected Windows Registry
Adware:adware/surfassistant Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/adlogix Not disinfected Windows Registry
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\SYSTEM\Tools\Restart.exe

SuperAntispyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/22/2008 at 05:00 PM

Application Version : 3.9.1008

Core Rules Database Version : 3423
Trace Rules Database Version: 1415

Scan type : Complete Scan
Total Scan Time : 01:41:30

Memory items scanned : 335
Memory threats detected : 2
Registry items scanned : 4126
Registry threats detected : 31
File items scanned : 27404
File threats detected : 20

Rogue.Unclassified/Loader
C:\WINDOWS\SYSTEM32\MGMRWMRV.EXE
C:\WINDOWS\SYSTEM32\MGMRWMRV.EXE

Trojan.Downloader-Gen/Burre
C:\WINDOWS\SYSTEM32\MARWIN32.DLL
C:\WINDOWS\SYSTEM32\MARWIN32.DLL
C:\WINDOWS\SYSTEM32\CYGWN32.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{FFFFFFFF-F538-4f86-ABAF-E9D94D5C007C}
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}\InprocServer32
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}\InprocServer32#ThreadingModel
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}\ProgID
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}\TypeLib
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-F538-4f86-ABAF-E9D94D5C007C}

Transponder Variant BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

Adware.2020Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}

Adware.180solutions/SurfAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

Adware.Second Thought
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}
C:\WINDOWS\BOKJA.EXE
C:\WINDOWS\STCLOADER.EXE

Adware.180solutions/ZangoSearch
C:\Program Files\Zango\zango.exe
C:\Program Files\Zango

Adware.180solutions/Seekmo
C:\Program Files\Seekmo\seekmohook.dll
C:\Program Files\Seekmo
C:\DOCUMENTS AND SETTINGS\LAW OFFICE\LOCAL SETTINGS\TEMP\SAI3D7.TMP
C:\DOCUMENTS AND SETTINGS\LAW OFFICE\LOCAL SETTINGS\TEMP\NSU3DA.TMP\RESOURCE.DLL

Adware.Zango Toolbar/Hb
HKCR\InstIE.HbInstObj
HKCR\InstIE.HbInstObj\CLSID
HKCR\InstIE.HbInstObj\CurVer
HKCR\InstIE.HbInstObj.1
HKCR\InstIE.HbInstObj.1\CLSID
HKCR\Toolbar.HtmlMenuUI
HKCR\Toolbar.HtmlMenuUI\CLSID
HKCR\Toolbar.HtmlMenuUI\CurVer
HKCR\Toolbar.HtmlMenuUI.1
HKCR\Toolbar.HtmlMenuUI.1\CLSID

Rogue.AntiSpywareSuite
HKU\S-1-5-21-790525478-1993962763-1343024091-1003\Software\AntiSpywareSuiteDownloader
HKLM\Software\AntiSpywareSuiteDownloader
HKLM\Software\AntiSpywareSuiteDownloader#TotalSize
HKLM\Software\AntiSpywareSuiteDownloader#SeekPos

Rootkit.Unclassified/SysDamp-Traces
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Reserved

Rogue.TrustedAntiVirus
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#SBI [ C:\Documents and Settings\Law Office\Local Settings\Temporary Internet Files\Content.IE5\KDCXAJSD\install_sbd_en[1].exe ]

Trojan.Media-Codec/V5
C:\Program Files\Helper

Torjan.SecondThoughtInstaller
C:\WINDOWS\INSTALLER\ID53.EXE

Trojan.FakeDrop-180AX
C:\WINDOWS\FLEOK\180AX.EXE
C:\WINDOWS\180AX.EXE

Trojan.FakeDrop-SWin32
C:\WINDOWS\SWIN32.DLL

Trojan.FakeDrop-2020Search
C:\WINDOWS\2020SEARCH.DLL

Trojan.FakeDrop-CDSM32
C:\WINDOWS\CDSM32.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Law Office\Local Settings\Temp\Cookies\law [email protected][1].txt

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\907608617.EXE


HIJACK This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:17 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\CcEvtSvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141083023502
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe (file missing)
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6379 bytes


Uninstall Log:


Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
AVG Anti-Spyware 7.5
CA Anti-Virus
CA Anti-Virus
Canon iP1600
Canon Utilities Easy-PhotoPrint
Easy-WebPrint
HijackThis 2.0.2
Hotfix for Windows XP (KB896344)
iHateSpam
LaserJet 1020 series
Microsoft Office 2000 Premium
OrderReminder HP LaserJet 1020
Panda ActiveScan
PCI Audio Applications
PowerDVD
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SiS Audio Driver
SUPERAntiSpyware Free Edition
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WVID Filter (remove only)
  • 0

Advertisements

#2
sage5
Posted 22 March 2008 - 07:39 PM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi dwhippet,

Welcome to Geeks to Go!
My name is sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
SmitfraudFix (by S!Ri
SDFix
OTMoveIt2 by OldTimer.
Deckard's System Scanner


The real time protection used by programs like Windows Defender can interfere with malware cleaning procedures.
Please follow the steps below to temporarily disable Windows Defender
  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender
Once your system has been deemed free from malware, you can re-enable Windows Defender's Real Time Protection.



Fix the Registry with a Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it UserinitFix.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


Run SDFix:
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as C:\SDFix\Report.txt

Shut down & Reboot normally:


Start the Smitfraud scan:
  • Double-click SmitfraudFix.exe
  • Select option #1 - Search by typing 1 and press "Enter". A text file will appear, which lists infected files (if present). It is saved as C:\rapport.txt
  • Please copy/paste the content of that file into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm


Run Deckard's System Scanner:
  • Close all other windows before proceeding.
  • Double click on the dss.exe file on your Desktop and follow the prompts.
  • Scans will run, and 2 text files will open in Notepad.
  • Close both of the text files.
These files are C:\Deckard\System Scanner\main.txt & extra.txt. I will need you to copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt, extra.txt, C:\SDFix\Report.txt & C:\rapport.txt in your next reply.



The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.


Cheers,

sage5

Edited by sage5, 22 March 2008 - 07:40 PM.

  • 0

#3
sage5
Posted 03 April 2008 - 06:25 AM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP