tykra

Computer Attacked


Now what's going on? Was one of those HJT fixes a driver that shouldn't have been removed?

No, the ones I listed were 3 orphaned BHO entries in the registry (files already removed by one of the cleaning steps), and the susp.exe is a nasty advertising program by Abetterinternet spyware (description follows):

http://www.webhelper4u.com/transponder/belt_susp.html

 

I'm sorry you had so many problems, it was a bundle of malware, many of which you had listed in your original post.

 

Prevention is really the key.

How do I prevent Browser Hijacks and Spyware?

http://www.dslreports.com/faq/13620

 

Everyone posting in one thread is too confusing to try to sort everyone out. I would suggest starting your own new topic, because the bundle of malware can vary from system to system depending on what you got hit with.

 

There are a number of nasties (trojans, worms) doing these bundled downloads. One example I can give you is this one, but there are many out there. If you look at the description under the "Advanced" tab on the page below, you will see how it downloads numerous adware/spyware programs to the victim PC.

http://www.sophos.com/virusinfo/analyses/trojdrsmartla.html


24 hours later...

 

I used a different approach and beat it.

 

Do a search of the Windows directories for newly installed programs and dlls at the time of the infection (not the time of subsequent infections).

 

The key one was c:\Windows\System32\adobepnl.dll.

 

Tried using regsvr32 /u on it but it kept re-registering... so I resorted to HJT "delete file on reboot" and went into safe mode. Did the HJT BHO clean up and Spybot to clear up the other junk, and everything is now clean.

 

When not in safe mode, the process "users32" was the culprit that kept regedit/taskmgr etc. blocked. I used HJT process killer to kill this every time it re-activated (any new browser window or explorer window triggered this) which allowed me some semblance of control.

 

Also manually searched and removed anything in the registry associated with "Adware" in the Run and RunOnce, Transponder, RespondMiter and TPS108 keys. I also manually removed all the other dlls that were repeatedly installed by the infection. I did not do anything with msconfig keys.

 

Note that for the first 12 hours, I tried all the tools recommended and couldn't get it clean - hence resorting to excessive brute force.

 

Hope this helps someone

 

Dom


Hi everyone,

 

New member here - seems it has become a necessity, as I, too, have become infected with this malware programme.

 

I'm not a computer genius, and I'm having problems sorting this out. I've installed Spybot, which removed a number of spyware programmes. However, it didn't remove the programme completely (I, too, continually receive the C:\WINDOWS\system32\users32.exe pop up at start up of my PC, as mentioned before). I then installed Windows Defender x86, as someone mentioned here that it worked for them - however, the programme still remains.

 

Interestingly, Windows Defender shows a list of running applications, one of which is headed 'The Trojan Factory' - Project1, which is currently running under the file path C:\WINDOWS\system32\users32.exe.

 

Now - my question is, I've noticed some of you have managed to get your systems clean, but I don't understand some of the processes that you've completed (i.e. registries, etc.).

 

Could someone please (in layman's terms!!!) tell me what to do from here? What programme to install? What file to delete?

 

My greatest appreciation to anyone that can help - it's a tough bugger, this one.

 

Many thanks,

 

Jon


This is what I did:

I changed the user32 file to read only,

then deleted the file in HijackThis:

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll

Ran all my scanners to delete spyware/virus:

Ad-Aware, Spybot, Defender, Norton.

Restarted, and so far everything is working great.


Hello People,

 

This is a bundled infection, meaning everyone's system and everyone's multiple infections are going to be different from the next person's. If you could, please first update your Ad-Aware, as we have a large new update released today:

SE1R111 08.06.2006

And do a full system scan. Let it remove any critical object found.

 

Next:

Go to this forum:

http://www.lavasoftsupport.com/index.php?showforum=36

 

and post a Hijackthis log in a NEW TOPIC please. One at a time - we can better sort your issues.

 

If you need them, here are instructions for how to make a HijackThis log.

Instructions on creating a HijackThis Log

http://www.lavasoftsupport.com/index.php?showtopic=216

This is what I did:

I changed the user32 file to read only,

then deleted the file in HijackThis:

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll

Ran all my scanners to delete spyware/virus:

Ad-Aware, Spybot, Defender, Norton.

Restarted, and so far everything is working great.

 

sikf150, thank you so much for this - it seems to have worked a treat for me. You're a legend.

 

Cheers,

 

Jon

This is what I did:

I changed the user32 file to read only,

then deleted the file in HijackThis:

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll

Ran all my scanners to delete spyware/virus:

Ad-Aware, Spybot, Defender, Norton.

Restarted, and so far everything is working great.

 

Hi :)

 

Since I'm a COMPLETE novice, could you please explain step by step what you did to get rid of this?

How and where did you change the user32 file to read only??

And when that is done, I just download the HijackThis programme, run it and then delete the file mentioned??

(O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll)

 

Understand that this might just be "a shortcut", but it would have been SOOOOOO INCREDIBLY nice to get rid of this ###### the easy way.. SO PLEASE.. WALK ME THROUGH IT??!!???


I just finished cleaning a client's PC of this same infection. It manifested as an about:blank page hijack from "Windows Security Center" and would pop up all kinds of alerts about the computer being infected with spyware. Also, when I attempted to go to the CWShredder website, I was redirected to advertising about other spyware removal programs.

 

Once Ewido was installed on the system, if I opened an explorer window by doing something like Start, Run, C:\WINDOWS, Ewido would immediately pop up with an attempt to clean c:\windows\system32\users32.exe.

 

Of course, you can't find the file while running Windows normally, and when Ewido cleans it, it just kills the process.

 

PestPatrol identifies this as a CWS.Time infection. CWShredder does not find any infection at this time, and Ewido does not see adobepnl.dll as a threat as of 6/8/2006.

 

In any case, based on the information I found in this forum, here are the steps I took to remove the infection:

 

1. Download Ewido (http://www.ewido.net), update it, run full scan to get rid of other nasties.

 

2. Restart in safe mode (press F8 function key while XP is starting. Repeatedly press F8 before the XP loading screen starts to get to the boot menu, then choose Safe Mode from the menu.)

 

3. Once in safe mode, open a command prompt. (Click Start, Run, type cmd, press Enter.)

 

4. In the command prompt window, type each of the following lines, pressing Enter after each one:

del \windows\system32\adobepnl.dll

del \windows\system32\susp.exe

del \windows\system32\runsrv32.exe

del \windows\system32\runsrv32.dll

5. (Optional) Run HijackThis. Remove any O2 BHO references to adobepnl.dll and any O4 Run references to runsrv32.

 

6. Run Ewido full scan again just in case the trojan downloaded anything before restart.

 

Once you've completed those steps, it should be safe to restart.

 

NOTE: Your mileage may vary. The adobepnl.dll has been the culprit based on several of the posts I've seen here, but CalamityJane is right, the filenames may vary, so check the http://www.lavasoftsupport.com/index.php?showforum=36 forum.


Folks, again, this is not that hard! Do the stuff Calamity said to do and go to c:\windows\system32 and delete users32.exe while in Safe Mode. Create a directory and attrib it with +r +s +h and this spyware WILL GO AWAY!!!!!!! It can overwrite a file sikf150 so that's why you don't just attrib that filename as read only. Almost any virus or spyware worth its grain of salt can rewrite a read only file, sorry. You need to delete the file and make a directory of the same name or this bad boy is gonna come back in the future, guaranteed.

 

Whoever suggested Windows Defender is wrong. I fixed another infection today using the technique I've stated, and BOTH clients had Windows Defender already running on their PCs. Nope, not the answer!!!!!!

 

Follow CJ's instructions, then delete the file, create a directory named users32.exe, attrib it like I said and reboot the PC back into normal mode. Very simple after you do what CJ said to do. Takes a couple hours if you take your time and do it right.

 

Some day the antispyware companies will find a cure for this thing the easy way but in the mean time.....

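The placeholder-directory trick from the post above, as an added Python example that is not from the forum or any of its posters: it deletes a stand-in users32.exe in a scratch directory, replaces it with a directory of the same name (running `attrib +r +s +h` only on Windows, as the post describes), and shows that a write to that path now fails, whereas a file that is merely marked read-only is overwritten as soon as the writer clears the attribute. The file name and scratch directories are constructed for the demo.

```python
import os
import stat
import subprocess
import tempfile


def weaken_to_read_only(path):
    """The approach the post argues against: keep the file and only mark it
    read-only. Returns True if an emulated dropper still overwrote it."""
    os.chmod(path, stat.S_IREAD)
    try:
        # A dropper that owns the file simply clears the attribute first.
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
        with open(path, "wb") as fh:
            fh.write(b"MZ re-dropped")
        return True
    except OSError:
        return False


def block_recreation(path):
    """Delete the file and put an empty directory of the same name in its
    place, so nothing can create a file at that path again. On Windows the
    directory is also marked read-only, system and hidden with
    `attrib +r +s +h`; elsewhere that step is skipped. Returns True when the
    placeholder directory is in place."""
    if os.path.isfile(path):
        os.remove(path)
    os.mkdir(path)
    if os.name == "nt":
        subprocess.run(["attrib", "+r", "+s", "+h", path], check=True)
    return os.path.isdir(path)


def recreation_blocked(path):
    """Emulate the dropper trying to write the payload back. True means the
    write failed because a directory now occupies the path."""
    try:
        with open(path, "wb") as fh:
            fh.write(b"MZ re-dropped")
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return True
    return False


def _plant(name):
    """Create a constructed stand-in payload in a fresh scratch directory."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(b"MZ fake payload")
    return path


def demo():
    """Compare both defences on a constructed users32.exe; returns a dict."""
    weak = _plant("users32.exe")
    strong = _plant("users32.exe")
    return {
        "read_only_bypassed": weaken_to_read_only(weak),
        "placeholder_in_place": block_recreation(strong),
        "recreation_blocked": recreation_blocked(strong),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```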

hi guys...

 

I got the same virus...this antispyware, antispywarebox etc...

 

I've done a few downloads of software... Spybot Search and Destroy... then tonight I tried Microsoft Defender... and another one mentioned on this thread... they all have been useless... this thing is a mutherfu**er! Hijacks you, takes over your home page... can't adjust settings...

 

I did a WHOIS to find out who these bastards are... there was no information in the registry basically... I had a trail of 3 different ones... I think the last one was cashunlim.com...

They must be making a killing $$$$ by people that think their page is Microsoft... and getting ripped off for software they don't even need.. I suspect if you buy the software your computer may work again... making them the heroes... when really they are the bandits.. I reported them to the FTC I believe it was.. I got the link via Microsoft... who had no direct link to contact them... although I did see an article somewhere where Microsoft sued a company for doing similar shi*.. I'm not sure if it was the same company or the same kind of hijacking...

 

But let me say they should be all over this.. this shi* is nasty!

I want to strangle the bitches!

 

And FYI this had nothing to do with 6/606.. I had it weeks ago... and I was going good but then it came back again.... earlier today I thought I had it beat.. I had no cookies on... added all of them to my block list... but you can't do ###### on the computer when you do that... and then I let my guard down.. lowered the settings and before you know it.. it's BAAAAAAAAAAAAAACK! And oh yeah.. not to mention running the spyware software (Defender, Spybot) over and over to no avail...

 

I'm re-installing my SS tomorrow.. I give up...

 

Good luck to you guys...

Smitfraud Fix

 

I see you already have Ewido installed (good!) Just skip the steps that refer to downloading Ewido

 

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

 

2. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

3. Download, install, and update Ewido AntiMalware (get the free trial version)

http://www.ewido.net/en/download/

 

a. Install Ewido AntiMalware

 

b. Launch Ewido; there should be a big yellow E icon on your desktop, double-click it.

 

c. The program will prompt you to update; click the OK button.

 

d. The program will now go to the main screen

 

e. On the left hand side of the main screen click on Update

 

f. Click on Start. The update will start and a progress bar will show the updates being installed.

 

g. Do not scan yet. We'll do that later in SAFE MODE. After updating close Ewido and any open programs.

 

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).

You will still be able to manually update Ewido using the *update* button :)

 

4. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

5. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

6. Next, start Ewido AntiMalware

 

a. Click on scanner

 

b. Click on *complete system scan*

 

c. Let the program scan the machine.

 

d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.

Checkmark the box: *Create encrypted backup in the quarantine* (recommended)

 

Click OK.

 

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

 

........................

 

8. Get a free online AV scan at eTrust Antivirus Web Scanner

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)

It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system. SAVE the report at the end to copy back here please.

 

(This scan to make sure your Wininet.dll is fixed if infected)

 

(Don't forget to *save report* at the end. We need you to post a copy with your topic reply)

 

9. Now please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

 

Ewido Scan report

 

eTrust online AV report

 

Fresh HijackThis log

 

It worked well, but only now in IE there is still about:blank, a file called users32.exe etc.

How do i get rid of this?

With regards,

 

Fred


Hi Fred,

 

Yes, we now have a good fix devised for this nasty.

 

Please go here and start a new topic:

http://www.lavasoftsupport.com/index.php?showforum=36

 

Post a fresh HijackThis log AND your latest Adaware scan log please.

(Instructions on creating a HijackThis Log)

http://www.lavasoftsupport.com/index.php?showtopic=216

 

Each infection for each system is a little different, which is why I'll need to review your log and give specific steps to follow :) We'll be glad to help.

 

Also, please make sure you have the latest updates and Ad-Aware version. Please can you make sure that you are using Ad-aware SE Build 106r1.

Note: If your version is 6.0 and not the SE, you need to uninstall and get the latest version from the above link. [If not, uninstall your old Ad-aware first, then install SE.]

Then use the WebUpDate to get the latest Definition file, SE1R111 08.06.2006. To do this, open Ad-aware and click the WebUpDate button at the top right hand side of the Ad-aware screen (the world globe). Click "Connect" and Ad-aware will then download the latest Definition file for you. To make sure it is updated, look at the main Ad-aware screen under "Initialization Status"; it should say the latest Definition file.

Then scan doing a "Full Scan" and post your logfile here by using the Add-Reply feature. Logs are stored in:

C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\

An easy way to get there is to click Start, click Run, and type in and press ENTER: %appdata% then click Lavasoft, then Ad-Aware, and then Logs. Scroll down to find the latest one that you have (by date & time), open it, right click, select all, copy, and then paste the contents of it here. (Make sure that all of your logfile has been posted; sometimes it will require two posts to get it all.)

I recommend that you use the WebUpDate just before you scan; that way you will always be up to date.

(Note: The Application Data folder is a hidden folder, so you will need to show hidden files and folders.)


I am running WinXP SP2.

 

I had the same infection yesterday. One of the things I noticed was that when it shows "Your computer has blah blah..." in the lower right corner, a process called QJRKVY.EXE shows in the task manager (no, it didn't shut off the task manager on me). Another thing was that it didn't allow me to delete my temporary internet files from IE. A Windows dangerous task warning would appear and it would end rundll process(which is responsible for showing Properties dialog box of IE).

 

So I booted in safe mode and deleted QJRKVY.EXE from windows\system (I think that's where it was) and from Windows prefetch folder. I also deleted all temporary internet files for all users as well as got rid of all downloaded objects by IE (the ones you access from Tools|Internet Options...|Settings|View Objects menu sequence).

 

I then ran Adaware and Spybot S&D and deleted whatever they found, but didn't have time to verify whether my PC was clean. Now after reading this thread, it appears that it wouldn't be. I am going to try the techniques listed here and see if they work.

 

Thanks everyone.


This is a nightmare. None of the antispyware tools either prevent this or remove it. I got this even though using yahoo virus and antispyware protection. There is almost no info on this on the web if you google; in fact your computer when infected cannot search - all queries get redirected to the antispywarebox site; the government should shut this operation down . I tried lavasoft, spybot search and destroy, microsoft windows defender; did overnight full antivirus scans that came up 'clean' even though clearly my system was infected badly. Lavasoft reports 'a host of bad items like coolwebsearch; vx2 - both a nightmare to get rid of, if even possible. you can temporarily clean your system using lavasoft, and while clean it will allow you to use process manager, but within a few minutes it will reinfect. I found that there was a process called users32 that would come up, the pop ups are run by a process called qirkvy.exe that only appears when the pop ups are on your screen. There are also files called runsrv32.exe run32.dll and a.exe or some variant involved. What I finally did that seems to have helped clean things up was this:

 

First I disconnected from the web. I think there is a trojan - maybe a keylogger - that gets downloaded by this nasty mess, and it keeps downloading more stuff as fast as you can get rid of it. You will need a SECOND non-infected computer to get the software to attack this thing and conduct any research you want to do. I moved downloaded software between the computers by using a flash drive; if you don't have a second computer I don't think there is anything you can do other than take your computer in to someplace to have them root this out. Maybe even they will appreciate the process I'm going to outline, which seems to have worked for me (my fingers are crossed - but it's been a couple of hours and no more popups, no more hijacked home page, google works now, computer is not running as slow as molasses).

 

disconnect from the web

 

Install and run lava soft's adaware, the free version seems to work fine.

After you run this a couple of times, it will find all kinds of stuff that has been downloaded, and clean up at least some of it. It won't get rid of everything though and can't find the reinfection files for some reason.

 

Then get the cwshredder tool from pccillin trend micro site - free

I had to run this four times before it came up clean; coolweb keeps reinfecting your system you have to keep at it until it comes up clean a couple of times.

 

Then follow the directions on the lavasoft site to remove both vx2 and cool web search (which involves primarily deleting all temporary windows files - which are noted on their web site). ALL temp files under all users must be removed. You may find a DAT file that cannot be removed as it will say 'in use by another program' - after I did some more removals the process manager started to work again, and I was able to come back and remove this dat file after I shut down non-essential processes. This will take you some time; I wrote a list of ALL the processes on my computer (there were 46) and checked each one from another computer to make sure I knew what they were before stopping them. Some that ARE ok are ALG, CAVRID (antivirus), CAVTRAY, Cryptserv, csrss (note: crss is BAD, csrss is part of windows). Justsched.exe is listed as a trojan on a few sites, and as a java updater on others; I stopped it just in case; stopped itunes, mdm, mspmspsv, playlist, realplay, and all the others that were not essential to windows. Then I could delete that last temp file. If I had a gazillion hours, I could have done this one at a time and figured out what that file was I suppose ...

 

I then downloaded the vx2 removal tool separately from lavasoft's free adaware program, then installed it; then opened adaware and 'added it in'. My system did not report VX2 from this tool, but lavasoft found it during an earlier scan.

 

After all this you will STILL be infected; but will have gotten rid of some of the bits and pieces and some of the other stuff this nasty D*mn program will load onto your system.

 

Here's where I charted my own course, not having any other reference to go by.

 

I rebooted to safe mode (control 8) to command prompt only; you must use dos commands to delete the files; you can type 'help' and get a list of commands,

 

I went to windows directory; did a sorted directory search by date

From windows/system32

 

dir /o-d

 

look for the files of the same date and time as your infection

you will see users32.exe, jao.dll, wstart.doo, lrf.dat, tcpservice2.exe, winlogon.ini, winflash.dll, qjrkvy.exe, thlwin32.dll, adobepnl.dll, vlpmod.dll, questmod.dll, runsrv32.exe, txfdb32.dll, runsrv32.dll, svcp.csv, winsub.xml, bosijegc.exe, raqsteap.exe

DO NOT DELETE wpa.dbl as this is the file that windows creates to track that your copy is licensed!

 

in windows root directory

using the same approach as above you will find a bunch of GIF files and one jpg (footer_back.jpg); you can delete all these; note that some use underlines as spacers, some use dashes. Also delete alexaie.dll, alxie.dll, dlmax.dll, alxtb1.dll; there are about 35 GIFs, too many to list here;

After all this, I ran microsoft's free 'windows defender' after a reboot and it found one more nasty and removed it.

As of this moment my system seems ok but this whole thing seems to have eluded the antivirus and antispyware vendors completely; I hope they get with it and check out this new menace. I hope my long hours of fighting this helps some other poor soul - typing this long message is payback for the many times I've gone to the help lines searching for info myself.

Please, if you know any way to get internet authorities to act (if there are internet authorities) they should shut down these internet sites. The website was created on May 23rd of this year, but '[email protected] estdomains.com was the registrar, who allowed a completely anonymous registration.

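A defender's version of the `dir /o-d` triage in the post above, as an added Python example that is not the poster's own code: it lists the files in a directory whose modification time falls within a window around the infection time, newest first, and skips an allowlist that includes wpa.dbl, which the post warns never to delete. The System32 stand-in, its file names and the infection time are all constructed for the demo.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Files the post warns not to touch: wpa.dbl holds the XP activation record.
# Constructed allowlist for this example; extend it from your own baseline.
NEVER_DELETE = {"wpa.dbl"}


def files_modified_near(directory, infection_time, window=timedelta(minutes=30)):
    """Return [(name, mtime)] for top-level files in `directory` whose
    modification time lies within `window` of `infection_time`, newest first
    (the same ordering `dir /o-d` gives). Allowlisted names are skipped."""
    lo, hi = infection_time - window, infection_time + window
    hits = []
    with os.scandir(directory) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            if entry.name.lower() in NEVER_DELETE:
                continue
            st = entry.stat(follow_symlinks=False)
            mtime = datetime.fromtimestamp(st.st_mtime)
            if lo <= mtime <= hi:
                hits.append((entry.name, mtime))
    hits.sort(key=lambda item: item[1], reverse=True)
    return hits


def build_sample_system32(infection_time):
    """Constructed stand-in for C:\\WINDOWS\\system32 with plausible mtimes:
    old OS files, a patched DLL, the activation record and three droppers."""
    root = tempfile.mkdtemp()
    layout = [  # (name, minutes relative to the infection time)
        ("kernel32.dll", -60 * 24 * 400),
        ("mshtml.dll", -60 * 24 * 30),
        ("wpa.dbl", 5),          # touched around the same time, but allowlisted
        ("users32.exe", 0),
        ("adobepnl.dll", 1),
        ("runsrv32.exe", 2),
    ]
    for name, offset in layout:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"x")
        ts = (infection_time + timedelta(minutes=offset)).timestamp()
        os.utime(path, (ts, ts))
    return root


def demo():
    """Triage the constructed directory; returns the suspect names, newest first."""
    when = datetime(2006, 6, 8, 14, 9)  # constructed infection time
    root = build_sample_system32(when)
    return [name for name, _ in files_modified_near(root, when)]


if __name__ == "__main__":
    for name in demo():
        print(name)
```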

Hi, I'm Uwe from Germany,

 

I think I have the same problem. Since yesterday I get some errors that my computer works slow and so on. I downloaded the ad-aware SE build 106r1 with the last Definition and the hijackthis program. What shall I do with the logfile? Where must I post it?

 

Can somebody help me?

 

Thanks Uwe

 

Sorry for bad English.


Good news! The free tool: SmitfraudFix has been updated this morning for this variant. :)

 

Please delete any prior version SmitfraudFix folder and files and download the new version 2.57 SmitfraudFix

 

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

Note: This tool will remove the (Smitfraud) fake antispyware program, latest variant called Antispywarebox, and any prior similar variants; however, if you had a bundled malware problem, there may be other issues that remain. If you ONLY had the Smitfraud pest alone, this tool should be all you need.

 

4. If you are still having a problem, please scan with HijackThis to produce a log. Post that log into a new topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

The log from SmitfraudFix called rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

 

Fresh HijackThis log


:D:D

 

Thanks CalamityJane, for your Post #46. I have done it like you wrote. I booted my system and all works fine. I got the attack from a site with greeting cards.

 

Bye, bye

 

Uwe


Hi :)

 

Rigger

 

I ran the ewido program and it removed the malware antispywarebox.com.

I tried to run the commands you outlined in item #3 but they were not found on the hard drive.

Thanks for your help!!!!

Whoever created antispywarebox.com should be charged with a felony.

 

Billyboy


I've been following this forum for 3 days since my infection, trying to determine the best course of action amongst all the threads. In preparation I downloaded all the applications recommended, but before having to try the long version, I caught Calamity Jane's last post regarding SmitfraudFix 2.57. I tried that first and it took care of everything. See the log below for ALL the crap that smitfraud found during the scan. An HJT scan in followup showed that I'm clean (knock on wood).

 

Here's the smit log:

SmitFraudFix v2.57

Scan done at 14:09:50.18, Sat 06/10/2006
Run from C:\Documents and Settings\Bob's Photo\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\alexaie.dll Deleted
C:\WINDOWS\alxie328.dll Deleted
C:\WINDOWS\alxtb1.dll Deleted
C:\WINDOWS\bg.gif Deleted
C:\WINDOWS\BTGrab.dll Deleted
C:\WINDOWS\close-bar.gif Deleted
C:\WINDOWS\dlmax.dll Deleted
C:\WINDOWS\infected.gif Deleted
C:\WINDOWS\Pynix.dll Deleted
C:\WINDOWS\star.gif Deleted
C:\WINDOWS\susp.exe Deleted
C:\WINDOWS\svchost.exe Deleted
C:\WINDOWS\warning-bar-ico.gif Deleted
C:\WINDOWS\ZServ.dll Deleted
C:\WINDOWS\system32\a.exe Deleted
C:\WINDOWS\system32\adobepnl.dll Deleted
C:\WINDOWS\system32\alxres.dll Deleted
C:\WINDOWS\system32\bridge.dll Deleted
C:\WINDOWS\system32\dailytoolbar.dll Deleted
C:\WINDOWS\system32\jao.dll Deleted
C:\WINDOWS\system32\parad.raw.exe Deleted
C:\WINDOWS\system32\questmod.dll Deleted
C:\WINDOWS\system32\runsrv32.dll Deleted
C:\WINDOWS\system32\runsrv32.exe Deleted
C:\WINDOWS\system32\taskdir.dll Deleted
C:\WINDOWS\system32\taskdir~.exe Deleted
C:\WINDOWS\system32\tcpservice2.exe Deleted
C:\WINDOWS\system32\txfdb32.dll Deleted
C:\WINDOWS\system32\udpmod.dll Deleted
C:\WINDOWS\system32\users32.exe Deleted
C:\WINDOWS\system32\wstart.dll Deleted
C:\WINDOWS\system32\zlbw.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

I recommend this as the FIRST course of action for anyone whose infection includes the antispywarebox variant, regardless of any other symptoms. Hopefully this will save you some time, keeping any further clean-up to a minimum. Excessive thanks to the person(s) responsible for the swift and effective update to smitfraud.

 

Lastly, THANK YOU to CJ, gunny, rigger, everyone who contributes their time and invaluable knowledge to those of us who have no other means but to curse the proprietors of these asinine stunts. And you do it for no other reason than the fact that you're smarter than they are. Hats off. You are all my heroes.

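For helpers reviewing rapport.txt logs like the one above, an added Python example (not part of SmitFraudFix or of the thread) that splits the log into its »»» sections, collects the "Deleted" paths by directory, and flags a deleted file that borrows the name of a core Windows binary outside that binary's normal location, as svchost.exe in C:\WINDOWS does in this log. The excerpt and the expected-location table are constructed.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the rapport.txt quoted in the thread.
SAMPLE_LOG = r"""SmitFraudFix v2.57
Scan done at 14:09:50.18, Sat 06/10/2006
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\susp.exe Deleted
C:\WINDOWS\svchost.exe Deleted
C:\WINDOWS\system32\adobepnl.dll Deleted
C:\WINDOWS\system32\users32.exe Deleted
C:\WINDOWS\system32\runsrv32.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION_RE = re.compile(r"^»+\s*(.+?)\s*$")
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Deleted\s*$", re.IGNORECASE)

# Where a few well-known XP binaries legitimately live (constructed, small
# table; a real baseline would be taken from a clean install).
EXPECTED_DIR = {"svchost.exe": r"c:\windows\system32"}


def parse_rapport(text):
    """Return ({section: [non-blank lines]}, [deleted paths])."""
    sections = defaultdict(list)
    deleted = []
    current = "header"
    for raw in text.splitlines():
        m = SECTION_RE.match(raw)
        if m:
            current = m.group(1)
            continue
        line = raw.strip()
        if not line:
            continue
        sections[current].append(line)
        d = DELETED_RE.match(line)
        if d and current == "Deleting infected files":
            deleted.append(d.group("path"))
    return dict(sections), deleted


def group_by_directory(paths):
    """Map lower-cased directory -> [file names] for quick review."""
    by_dir = defaultdict(list)
    for path in paths:
        directory, _, name = path.rpartition("\\")
        by_dir[directory.lower()].append(name)
    return dict(by_dir)


def masquerading(paths):
    """Deleted files whose name mimics a core binary but sat outside its
    expected directory (e.g. a svchost.exe in C:\\WINDOWS)."""
    flagged = []
    for path in paths:
        directory, _, name = path.rpartition("\\")
        expected = EXPECTED_DIR.get(name.lower())
        if expected and directory.lower() != expected:
            flagged.append(path)
    return flagged


def demo():
    """Parse the constructed log; returns (deleted, by_dir, flagged)."""
    _, deleted = parse_rapport(SAMPLE_LOG)
    return deleted, group_by_directory(deleted), masquerading(deleted)


if __name__ == "__main__":
    deleted, by_dir, flagged = demo()
    for directory, names in by_dir.items():
        print(f"{directory}: {', '.join(names)}")
    print("masquerading:", flagged)
```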