[Referred]smitfraud



#16 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=959

O4 - HKLM\..\Run: [Local runole service] C:\WINDOWS\System\srvc32.exe

O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe

O9 - Extra button: Microsoft AntiSpyware helper - {4BF2F769-637E-41C9-AEB6-E21719465B50} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4BF2F769-637E-41C9-AEB6-E21719465B50} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)

O9 - Extra button: Microsoft AntiSpyware helper - {4BF2F769-637E-41C9-AEB6-E21719465B50} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4BF2F769-637E-41C9-AEB6-E21719465B50} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)

Reboot into safe mode and delete:
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE

Download this file: http://www.bleepingc...g/smitfraud.reg
Doubleclick smitfraud.reg and confirm you want to merge it with the registry.

Download the Hoster from HERE. Press "Restore Original Hosts" and press "OK". Exit Program.

Download: DelDomains.inf
Should the link above display the text instead of downloading the file, then copy & paste the text into Notepad and save the file as DelDomains.inf
To use: right-click it and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Regards,
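As an added example (not code from this thread or from HijackThis itself), the script below parses HijackThis-style log lines and flags the three patterns Metallica acted on in post #16: a start page pointing at an unexpected host, autoruns for executables not on a known-good list, and O9 browser-extension entries whose file is missing. The trusted host and the known-good autorun names are assumptions taken from the clean log posted later in the thread; the sample lines are copied from the posts.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the four entries the moderator flagged in post #16
# plus four entries from the clean log in post #21.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=959
O4 - HKLM\..\Run: [Local runole service] C:\WINDOWS\System\srvc32.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O9 - Extra button: Microsoft AntiSpyware helper - {4BF2F769-637E-41C9-AEB6-E21719465B50} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
"""

# Assumptions for this example: the home page host the user actually wants,
# and the autorun executables seen in the clean log. Anything else is flagged.
TRUSTED_START_HOSTS = {"www.aol.co.uk"}
KNOWN_AUTORUNS = {"taskmon.exe", "mstask.exe", "scanregw.exe", "systray.exe"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r'([^\\\s"]+\.exe)', re.IGNORECASE)  # first .exe token


def triage(log_text):
    """Return a (section, reason, line) tuple for each suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank or running-process line
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1") and "=" in body:
            # Start/search page hijack: URL host not on the trusted list
            host = urlparse(body.split("=", 1)[1].strip()).hostname
            if host and host not in TRUSTED_START_HOSTS:
                findings.append((section, f"start page hijacked to {host}", line))
        elif section == "O4":
            # Autorun whose executable is not one we recognise
            o4 = O4_RE.search(body)
            exe = EXE_RE.search(o4.group("cmd")) if o4 else None
            if exe and exe.group(1).lower() not in KNOWN_AUTORUNS:
                findings.append((section, f"unrecognised autorun {exe.group(1)}", line))
        elif section == "O9" and "(file missing)" in body:
            # Extra button / Tools item pointing at a file that no longer exists
            findings.append((section, "extension file missing", line))
    return findings
```

Running `triage(SAMPLE_LOG)` reports exactly the four entries from post #16 and stays silent on the clean ones.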


#17 lilli (Member, Topic Starter, 16 posts)
Hi Metallica

Thanks so much for helping me.
I have checked the files and fixed them as requested.
Rebooted into safe mode and realised I have no idea how to delete C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
Tried searching for files/folders but it didn't work.
Sorry to be so useless.
Please advise.

lilli

#18 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

Then open "My Computer"
Double-click the C: drive icon
Double-click the WINDOWS folder
Double-click SYSTEM
Right-click SPOOLSRV32.EXE and choose Delete

Regards,

#19 lilli (Member, Topic Starter, 16 posts)
OK, I am such an idiot, I think I just mistyped it. Tried again and deleted it.
Completed next step.
Now when I try to download Hoster it asks me how I want to open it?? In which programme? Tried Notepad and Word, didn't work.
Help again.

#20 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
No problem.

Hoster is a zipped file.
Download and install freezip
http://members.ozema...lifetv/freezip/
to unzip those, and you will see there is an exe inside you can double-click.
(Although ME should have a right-click menu for unpacking them, I think.)

Regards,

#21 lilli (Member, Topic Starter, 16 posts)
OK,
I think I have done everything.
Shall I post another log?
Also, do I need all those new things on my desktop?
Thanks for your patience, you have been great.


Thought I'd do it anyway.
Does it look better now?


Logfile of HijackThis v1.99.1
Scan saved at 13:56:41, on 13/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AOL 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.pas...uth.srf?lc=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O7 "EPUSB1:" /M "Stylus CX3200"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.co...._1/axofupld.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game18.zylomg...gamesplayer.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...478/mcfscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Edited by lilli, 13 May 2005 - 06:54 AM.


#22 lilli (Member, Topic Starter, 16 posts)
Incident               Status           Location

Adware:Adware/Tubby    No disinfected   C:\WINDOWS\SYSTEM\MTC.ini
Adware:Adware/IGuard   No disinfected   Windows Registry
Adware:Adware/Tubby    No disinfected   C:\WINDOWS\SYSTEM\MTC.ini

Just ran ActiveScan and this is what it found, 3pm Friday London time.

#23 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Your HijackThis log is clean.

Can you find C:\WINDOWS\SYSTEM\MTC.ini

Right-click it and choose "Open With .... " Notepad.

Post the content please.

Regards,

#24 lilli (Member, Topic Starter, 16 posts)
Thanks so much again for all your time.

Does that mean it's gone?

Here is the file you asked for, hope I did it right. It was modified 8th April? Probably when the problem began.


Edited by lilli, 13 May 2005 - 08:19 AM.


#25 lilli (Member, Topic Starter, 16 posts)
Can't believe this, my McAfee background system scan is still finding infected files:
C:\_RESTORE\TEMP\A0013589.CPY
Virus name Downloader-YN.dll
This file cannot be deleted.

Any suggestions?


#26 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
You can delete that MTC.ini.

The files found in the folder C:\_RESTORE are in your Restore Points.
http://kb.bitdefende...indows-Me).html

Regards,

#27 lilli (Member, Topic Starter, 16 posts)
OK, deleted MTC.ini.

Turned off System Restore, which by the way I tried to use to get back to the pre-virus stage, but that didn't work. I assume I should turn it on again next time I reboot.

Does that mean we are all done and I can actually look at my bank account after 3 weeks? Not that I really want to, lol.

What do I do with the great big bar of chocolate I just bought because I was getting so depressed? Should I send it to you along with my undying gratitude? Can't thank you enough really.

#28 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Wow. ;)

Who told you about my soft spot? CHOCOLATE !?!

~~ Me runs to beat ~Kat~ to the candy ~~

Yes, it should be safe to check your bank account. Sorry I have no way of fixing the cashflow. :tazz:

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,





