BleepingComputer.com: Malware Infection, Ie Pop Up Directed To System-defender.com


#1 akitachung (Member, joined 27-May 08)

Posted 28 May 2008 - 09:15 PM

Hi, I'm trying to remove this after reading some threads here, but I am still unsuccessful.
It happens all the time, and the privacy defender always tries to install but is blocked by the antivirus.

The report is here. Thank you.

SmitFraudFix v2.323

Scan done at 10:09:54.85, Thu 05/29/2008
Run from C:\Documents and Settings\Toshiba\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\LevelOne\Common\RaUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Toshiba


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Toshiba\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Toshiba\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINNT\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: IEEE 802.11g Wireless Card.
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7744CF71-323C-4928-B8EC-E5B675E61E22}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7744CF71-323C-4928-B8EC-E5B675E61E22}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7744CF71-323C-4928-B8EC-E5B675E61E22}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

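The rapport.txt above is what the thread hinges on: the only infected entry is the Active Desktop component whose Source points at a local privacy_danger\index.htm (the "Privacy Protection" pane), while the Winlogon Userinit, AppInit_DLLs, hosts and DNS sections are clean. As an added example (not part of the thread and not SmitFraudFix's own code), here is a small Python triage script that parses a report of this shape and flags those persistence points. The first sample report is constructed from the log posted above; the second is a constructed variant that fills in hypothetical paths and a documentation-range DNS server (203.0.113.53) purely to exercise the remaining checks. The DNS check is a generalisation of what the thread shows; this machine's DNS was clean.

```python
"""Triage a SmitFraudFix rapport.txt for the persistence points shown in this thread.

Added example, not code from the forum thread or from SmitFraudFix. It splits the
report on its »»» section headers and flags:
  * Active Desktop components whose Source is a local file:/// URL,
  * a Winlogon Userinit value other than the lone stock userinit.exe,
  * a non-empty Winlogon System or AppInit_DLLs value,
  * any hosts-file lines the tool printed, and
  * DNS servers outside RFC 1918 space (a generalisation; this thread's DNS was clean).
"""
import ipaddress
import re

SECTION_RE = re.compile(r"^»+\s*(.+?)\s*$")
KV_RE = re.compile(r'^"([^"]+)"="(.*)"$')
DNS_RE = re.compile(r"DNS Server Search Order:\s*(\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sections(report):
    """Map each »»» section name to its non-empty, non-banner lines."""
    sections, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line and not line.startswith("!!!"):
            sections[current].append(line)
    return sections


def reg_values(lines):
    """Yield (name, value) from .reg-style lines, undoing the doubled backslashes."""
    for line in lines:
        m = KV_RE.match(line)
        if m:
            yield m.group(1), m.group(2).replace("\\\\", "\\")


def triage(report):
    """Return a list of (finding_kind, detail) tuples for one rapport.txt."""
    sections = parse_sections(report)
    findings = []

    for name, value in reg_values(sections.get("Desktop Components", [])):
        # A local HTML file wired in as an Active Desktop pane is the rogue's fake warning.
        if name == "Source" and value.lower().startswith("file:///"):
            findings.append(("active_desktop_hijack", value))

    for name, value in reg_values(sections.get("Winlogon", [])):
        if name == "Userinit":
            # Stock value is a single path to userinit.exe followed by a trailing comma.
            parts = [p.strip() for p in value.split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].lower().endswith("\\userinit.exe"):
                findings.append(("userinit_modified", value))
        elif name == "System" and value:
            findings.append(("winlogon_system_set", value))

    for name, value in reg_values(sections.get("AppInit_DLLs", [])):
        if name == "AppInit_DLLs" and value:
            findings.append(("appinit_dlls_set", value))

    for line in sections.get("hosts", []):
        findings.append(("hosts_entry", line))

    for line in sections.get("DNS", []):
        m = DNS_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            findings.append(("dns_unparseable", m.group(1)))
            continue
        if not addr.is_loopback and not any(addr in net for net in RFC1918):
            findings.append(("dns_public_server", str(addr)))
    return findings


# Constructed sample: the relevant sections of the rapport.txt posted in this thread.
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINNT\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: IEEE 802.11g Wireless Card.
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Constructed variant with hypothetical paths (not from the thread) and a
# documentation-range DNS server, only to exercise the other checks.
TAMPERED_REPORT = SAMPLE_REPORT.replace(
    r'"Userinit"="C:\\WINNT\\system32\\userinit.exe,"',
    r'"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\hypothetical_extra.exe"',
).replace(
    r'"AppInit_DLLs"=""', r'"AppInit_DLLs"="C:\\WINNT\\hypothetical.dll"',
).replace(
    "DNS Server Search Order: 192.168.1.1", "DNS Server Search Order: 203.0.113.53",
)

if __name__ == "__main__":
    for label, report in (("thread report", SAMPLE_REPORT), ("tampered variant", TAMPERED_REPORT)):
        print(label)
        for kind, detail in triage(report):
            print(f"  {kind}: {detail}")
```

Run against the thread's own report the script reports only the Active Desktop hijack, which matches what SDFix later removed (the privacy_danger folder). The "!!!Attention, following keys are not inevitably infected!!!" banners are skipped deliberately: SmitFraudFix prints those sections unconditionally, so presence of a key there is not itself a finding; only a non-default value is.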
#2 Orange Blossom (Moderator, Bloomington, IN, joined 14-July 06)

Posted 28 May 2008 - 10:19 PM

Hello akitachung and welcome to BC :thumbsup:

I have moved your topic from the HJT forum here to the Am I Infected forum where it can get the attention it deserves.

I have some questions:

Can you provide a link to the topic you read that suggested running SmitfraudFix?

What issues are you experiencing; pop-ups, redirects, etc.; on the computer that caused you to seek out that topic?

What security programs besides Avira Personal Edition Classic Antivirus do you have installed? Did you run scans with them? If so, what did they find?

Orange Blossom :flowers:

#3 akitachung (Member, joined 27-May 08)

Posted 28 May 2008 - 11:03 PM

My AntiVir's last detection is BAT/Fake.Privdanger, but this thing keeps being detected by my AntiVir and blocked.

I can't find the topic link now, but it told us to scan with SmitfraudFix, then restart in Safe Mode and do the clean option 2.
But when I clicked Y on fixing the registry, it popped up an error saying there was an error on clean.reg and cleanup.reg.

My IE always pops up after a few minutes. The pop-up website is system-defender.com.
I did run it with Norman Malware Cleaner; after cleaning, it found nothing.

I also used U3 avast to scan, but now no virus/malware is found.

Currently I only have Avira PE. Thank you.

#4 akitachung (Member, joined 27-May 08)

Posted 29 May 2008 - 10:24 PM

The pop-up IE will link to:
hxxp://www.system-defender.com/freeware/2...did=37&p=01

I scanned it with Malwarebytes' today and it found:

Trojan.FakeAlert & Rogue.KVMSecure.

The privacy-defender always shows up just after I log in, but luckily it is detected by the antivirus and blocked.
But it repeats every time I log in.

Please advise.

This post has been edited by quietman7: 30 May 2008 - 08:27 AM


#5 quietman7 (Global Moderator, Virginia, USA, joined 09-July 05)

Posted 30 May 2008 - 08:31 AM

Please do not post active links to possible malware sites. I have disabled the one you posted so others may not become accidentally infected.

You did not follow all the instructions for using SmitfraudFix. The rapport.txt you posted indicates that you only ran option #1 while in normal mode. You still need to complete the next step. Please print out these "instructions". Make sure you scroll down to Clean and perform the steps where you reboot in "Safe Mode" and run option #2.
The program will go through a series of cleanup processes and automatically start the Disk Cleanup program to remove Temporary files. Wait for the tool to complete and Disk Cleanup to finish.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights".
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan.

When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 akitachung (Member, joined 27-May 08)

Posted 02 June 2008 - 10:43 PM

Thanks. I have run SDFix and below is the report.
I'll keep on monitoring the malware and report back. Thank you.


SDFix: Version 1.187
Run by Toshiba on Tue 06/03/2008 at 11:01a

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger\index.htm - Deleted
C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger\images\capt.gif - Deleted
C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger\images\danger.jpg - Deleted
C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger\images\down.gif - Deleted
C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger\images\spacer.gif - Deleted
C:\WINNT\system32\TFTP924 - Deleted
C:\WINNT\gktxaspm.dll - Deleted
C:\WINNT\mdtgkswr.exe - Deleted
C:\WINNT\pxgdslro.dll - Deleted
C:\WINNT\system32\cdplayer.exe - Deleted



Folder C:\DOCUME~1\Toshiba\LOCALS~1\Temp\privacy_danger - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 11:16:30
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 9 Jun 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 2 Feb 2007 25,600 A..H. --- "C:\Program Files\Trimble\Geo05SerialSet\Geo05Service.dll"
Tue 24 Oct 2006 189,440 A..H. --- "C:\Program Files\Trimble\Geo05SerialSet\KryptonSupportRAPIWM.dll"
Fri 13 May 2005 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Tue 18 Nov 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Tue 18 Nov 2003 206,370 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Fri 13 May 2005 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Toshiba\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

#7 akitachung (Member, joined 27-May 08)

Posted 04 June 2008 - 10:14 PM

I see no pop-ups and no virus is detected anymore. I think the malware has been removed. Thanks a lot.

#8 quietman7 (Global Moderator, Virginia, USA, joined 09-July 05)

Posted 05 June 2008 - 07:33 AM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings".
• "How to Set Security Options in the Firefox Browser".