View Full Version : pesttrap and double click.



tedster
2007-02-19, 21:58
I have run spybot and it has discovered these two "trojans?". They have been destroyed several times but keep reappearing along with a web page that I have tried to block in "Sites." It is http://asecuritystuff.com/

I am running Windows XP

I have tried to follow the instructions by TASHI headed Rogues: Virus burst etc. I have downloaded HijackThis but cannot download Smitfraud fix zip version. I keep getting told that I should download and run spy doctor. I am also getting an alarm in my toolbar at the bottom of the desktop which says that I have trojan-spy.EWin32@mx and that I should download the software. My Spy bot has been updated. Thanks for any help you can give me. FWIW I am 71 and not much of a computer chap. Tedster.

pskelley
2007-02-20, 22:07
Hi Tedster and welcome to the forum. The key word here is Smitfraud. They want you to send $$ and then they will do nothing for it, that's called fraud. You need to follow these directions:
http://forums.spybot.info/showthread.php?t=4015

I need to see at least a HJT log and the results of SmitfraudFix "Search" function.

I am posting a direct link to Smitfraudfix:
http://siri.geekstogo.com/SmitfraudFix.php

Follow these directions from the link:
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

You will need to read this information:
Note:
process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

The fix must have the process.exe to work, if it is not in the folder when you open it, then you will need to turn your antivirus program off while you download the tool.

I am fairly sure you have the infection but it is best for me to see the results of the "Search" because Desktop damage can be done if the fix is run on an uninfected computer.

Thanks

tedster
2007-02-21, 16:15
Thanks, I downloaded the Smitfraudfix and selected 1 and saved the file. However, when I rebooted in Safe Mode and double clicked on SmitfraudFix.exe, I did not get any selection from which to choose. Instead, I got a whole bunch of icons. Also running Spy bot now shows me as having quite a few of these pop-ups and when I tell it to remove them it does, but they all come back.

tedster
2007-02-21, 16:17
Oh yes, I was using the free version of AVG which allowed these popups in :((( and now running Norton IS does not even find them. Tedster

pskelley
2007-02-21, 17:38
I need to see the results of the report.txt which you saved when you ran the "Search" function. That is the only way I will know if you are infected. Understand I have never seen a HJT log either.
Now if you are saying you are no longer infected, let me know that also and I'll post some information for you and close the topic.

Thanks

tedster
2007-02-21, 19:11
I am certain I am infected. Following is a copy of the File created by SmitfraudFix.exe.
SmitFraudFix v2.144

Scan done at 12:09:06,50, 21-02-2007
Run from C:\Documents and Settings\Ted\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ted


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ted\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ted\FAVORI~1

C:\DOCUME~1\Ted\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Video Access ActiveX Object\ FOUND !
C:\Program Files\Video ActiveX Object\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"="hirtellous"

[HKEY_CLASSES_ROOT\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]
@="C:\WINDOWS\system32\nbbrhbd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]
@="C:\WINDOWS\system32\nbbrhbd.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8329660f-e248-4872-98cc-fb9c4fec7ba8}"="didynamia"

[HKEY_CLASSES_ROOT\CLSID\{8329660f-e248-4872-98cc-fb9c4fec7ba8}\InProcServer32]
@="C:\WINDOWS\system32\xkrdk.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8329660f-e248-4872-98cc-fb9c4fec7ba8}\InProcServer32]
@="C:\WINDOWS\system32\xkrdk.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
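
The report above lists flagged paths ("FOUND !") and SharedTaskScheduler entries whose CLSIDs resolve to DLLs through InProcServer32. As an added example (not part of the thread and not SmitfraudFix's own code), this sketch parses that layout for triage; the regexes assume the format shown in this one report, and `parse_report` is a name chosen here.

```python
import re

# Excerpt of the SmitfraudFix report posted above (most sections trimmed).
REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Video ActiveX Object\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"="hirtellous"

[HKEY_CLASSES_ROOT\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]
@="C:\WINDOWS\system32\nbbrhbd.dll"
"""

SECTION = re.compile(r"^»+\s*(.*)$")            # section banner
FOUND = re.compile(r"^(.+?)\s+FOUND\s*!$")      # flagged file or folder
KEY = re.compile(r"^\[(.+)\]$")                 # registry key header
VALUE = re.compile(r'^(@|"[^"]*")="(.*)"$')     # value name and data
CLSID = re.compile(r"\{[0-9a-fA-F-]{36}\}")

def parse_report(text):
    """Return (flagged paths, SharedTaskScheduler CLSID -> (name, DLL))."""
    found, names, dlls = [], {}, {}
    section = key = None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section, key = m.group(1), None
        elif m := FOUND.match(line):
            found.append((section, m.group(1)))
        elif m := KEY.match(line):
            key = m.group(1)
        elif key and (m := VALUE.match(line)):
            name, data = m.group(1).strip('"'), m.group(2)
            if key.endswith(r"\SharedTaskScheduler"):
                names[name.lower()] = data
            elif key.endswith(r"\InProcServer32") and (c := CLSID.search(key)):
                dlls[c.group(0).lower()] = data
    return found, {c: (n, dlls.get(c)) for c, n in names.items()}

flagged, handlers = parse_report(REPORT)
```

A handler whose DLL comes back as `None` has a SharedTaskScheduler value but no InProcServer32 entry in the report; as the report's own banner says, listed keys are not necessarily infected.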

pskelley
2007-02-21, 19:29
Indeed you are, follow these directions:
http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial

Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the Report.txt from Smitfraudfix and a HJT log.

Thanks

tedster
2007-02-21, 20:46
Hi thanks, I did this, but after the Safe reboot when I double clicked on SmitfraudFix.exe I did not get a list of numbers from which I could select. I got a screen full of icons. So I did not know what to do. Tedster

pskelley
2007-02-21, 21:00
I don't know what to do either. This fix is used all over the world to remove this junk daily. Try running it without doing it in safe mode and see what happens. I can tell you it will not clean as good when the junk is running.
Here are the files that should be in the folder:
Process.exe
Reboot.exe
restart.exe
smitfraudfix.cmd
SrchSTS.exe
swreg.exe
swsc.exe

If any are missing delete the whole folder and download it again.

Thanks

tedster
2007-02-21, 21:54
okaaaay!!!! This time it worked. Should I do the optional delete of the Trusted Zone?

tedster
2007-02-21, 22:01
I did receive a request to add doubleclick to my list of authorized cookies, which I blocked.

pskelley
2007-02-21, 22:42
I suggest you do unless you absolutely know nothing has infected that area. It sure does not hurt, just the inconvenience of restoring the protection for SpywareBlaster and/or IE-SPYAD if you use them.
Remind me to post instructions for blocking all unwanted cookies before we finish.

Thanks

tashi
2007-03-03, 01:02
This topic is closed due to lack of a response to helper, if you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.