
Problem With Smitfraudfix


18 replies to this topic

#1 sPiN


Posted 06 August 2007 - 06:52 PM

I was following this Guide: http://www.bleepingcomputer.com/forums/t/81275/how-to-remove-spydawn-removal-instructions/

I got to step 5 of the Automated Removal guide, and now I'm stuck.

It says to go into Safe Mode and run the .exe. I did that, and the screen pops up for a split second then disappears again.

I really want to get rid of this virus or whatever this is. It's a new computer and I'm not very computer smart. PLEASE help me get rid of this thing.

Much appreciated,

sPiN.


#2 oldf@rt


Posted 06 August 2007 - 07:18 PM

Hi, :thumbsup: to bleeping computer, sPiN, try this first:

Try This:
  • Please download Rogue Remover Free from Malwarebytes.
  • Please save the file to your normal saved file location or the desktop
  • double click on rr-free-setup to run the installation program
  • accept the license agreement.
  • follow all the steps and click finish to run the program
  • Click the check for updates link
  • click the scan link to start scanning
  • when done, follow the onscreen directions to remove anything that it found.
Let us know your results, please.
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 sPiN


Posted 06 August 2007 - 07:41 PM

I scanned it and it said Congratulations, RogueRemover did not detect any items.

#4 buddy215


Posted 06 August 2007 - 07:58 PM

Super Antispyware will remove smitfraud malware. Are you sure you have Spydawn on your computer? Haven't seen that one in a while.
Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

--------------------------------------------------------------------------------

Post a Hijack This log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post the log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#5 oldf@rt


Posted 06 August 2007 - 08:00 PM

Great, now you are getting somewhere. Next step: please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

After you are done with BitDefender, we need to do a scan with SUPERAntiSpyware. If it will not run in safe mode, go to regular mode and run it there. Download and scan with SUPERAntiSpyware Free for Home Users:
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Please let us know, and we need to see the logs.

#6 sPiN


Posted 06 August 2007 - 08:44 PM

Ok, I booted up my computer in Safe Mode, and this time for some reason the icon on my start bar (the virus) was gone. I did the scan with Super AntiSpyware and it found 100 things. I removed them and restarted, and it seems to be fine now, though I can't be sure.

Logs:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/06/2007 at 09:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3280
Trace Rules Database Version: 1291

Scan type : Quick Scan
Total Scan Time : 00:16:09

Memory items scanned : 158
Memory threats detected : 0
Registry items scanned : 822
Registry threats detected : 86
File items scanned : 13306
File threats detected : 14

Adware.Tracking Cookie

Malware.VirusProtectPro
C:\Program Files\VirusProtectPro 3.6\ignored.lst
C:\Program Files\VirusProtectPro 3.6\VirusProtectPro 3.6.exe
C:\Program Files\VirusProtectPro 3.6\vpp.ini
C:\Program Files\VirusProtectPro 3.6

#7 buddy215


Posted 06 August 2007 - 09:09 PM

Be sure to do the Bit Defender scan.

If after the above scan you have no reason to suspect you are still infected,
turn off System Restore. This will remove all restore points, since some are infected. Then turn System Restore back on.
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/



#8 oldf@rt


Posted 06 August 2007 - 10:19 PM

sPiN

You scanned in safe mode, but you did not run a complete scan. Please run a complete scan, but you can run it in regular mode.

And run BitDefender also.

#9 sPiN


Posted 06 August 2007 - 10:48 PM

I just did bitdefender and got these logs.

Scanned File | Status
C:\Program Files\mIRC\media.mrc | Infected with: IRC-Worm.Randon.I
C:\Program Files\mIRC\media.mrc | Disinfection failed
C:\Program Files\mIRC\media.mrc | Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP363\A0057647.exe | Infected with: Virtool.Cain.A
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP363\A0057647.exe | Disinfection failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP363\A0057647.exe | Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059593.exe=>(NSIS o)=>lzma_solid_nsis0006 | Infected with: Trojan.Downloader.Zlob.AAFX
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059593.exe=>(NSIS o)=>lzma_solid_nsis0006 | Disinfection failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059593.exe=>(NSIS o)=>lzma_solid_nsis0006 | Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059593.exe=>(NSIS o) | Update failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059594.exe=>(NSIS o)=>lzma_solid_nsis0006 | Infected with: Trojan.Downloader.Zlob.AAFX
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059594.exe=>(NSIS o)=>lzma_solid_nsis0006 | Disinfection failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059594.exe=>(NSIS o)=>lzma_solid_nsis0006 | Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059594.exe=>(NSIS o) | Update failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059595.exe=>(NSIS o)=>lzma_solid_nsis0006 | Infected with: Trojan.Downloader.Zlob.AAFX
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059595.exe=>(NSIS o)=>lzma_solid_nsis0006 | Disinfection failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059595.exe=>(NSIS o)=>lzma_solid_nsis0006 | Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059595.exe=>(NSIS o) | Update failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059596.exe=>(NSIS o)=>lzma_solid_nsis0006 | Infected with: Trojan.Downloader.Zlob.AAFW
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059596.exe=>(NSIS o)=>lzma_solid_nsis0006 | Disinfection failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059596.exe=>(NSIS o)=>lzma_solid_nsis0006 | Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059596.exe=>(NSIS o) | Update failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059597.exe=>(NSIS o)=>lzma_solid_nsis0006 | Infected with: Trojan.Downloader.Zlob.AAFW
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059597.exe=>(NSIS o)=>lzma_solid_nsis0006 | Disinfection failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059597.exe=>(NSIS o)=>lzma_solid_nsis0006 | Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059597.exe=>(NSIS o) | Update failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059599.exe=>(NSIS o)=>lzma_solid_nsis0006 | Infected with: Trojan.Downloader.Zlob.AAFW
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059599.exe=>(NSIS o)=>lzma_solid_nsis0006 | Disinfection failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059599.exe=>(NSIS o)=>lzma_solid_nsis0006 | Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059599.exe=>(NSIS o) | Update failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059600.exe=>(NSIS o)=>lzma_solid_nsis0006 | Infected with: Trojan.Downloader.Zlob.AAFW
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059600.exe=>(NSIS o)=>lzma_solid_nsis0006 | Disinfection failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059600.exe=>(NSIS o)=>lzma_solid_nsis0006 | Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059600.exe=>(NSIS o) | Update failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059601.exe=>(NSIS o)=>lzma_solid_nsis0006 | Infected with: Trojan.Downloader.Zlob.AAFW
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059601.exe=>(NSIS o)=>lzma_solid_nsis0006 | Disinfection failed
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059601.exe=>(NSIS o)=>lzma_solid_nsis0006 | Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP385\A0059601.exe=>(NSIS o) | Update failed


I'm going to run a full superantispyware scan right now.

#10 oldf@rt


Posted 06 August 2007 - 11:01 PM

When you are done with the full SAS scan, if it finds anything else, and needs to restart, please restart and then follow the link on system restore.

#11 igonuts2


Posted 06 August 2007 - 11:12 PM

hey spin,

Sounds like you have done some reading, but if you missed this thread you should read it. Very informative. Read the whole thing and you will get an idea of how many apps and what combinations one might need. It helps with setting up IE and securing Windows as well.

http://www.bleepingcomputer.com/forums/t/405/antivirus-antimalware-and-antispyware-resources/

good read while waiting!

FYI, very important:

For now, I wouldn't do anything until you're done with this issue, as it may skew the aid provided here.

respectfully,
igo
Why work when you can play!

#12 sPiN


Posted 06 August 2007 - 11:42 PM

I did a new scan, results:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/07/2007 at 00:21 AM

Application Version : 3.9.1008

Core Rules Database Version : 3280
Trace Rules Database Version: 1291

Scan type : Complete Scan
Total Scan Time : 00:32:47

Memory items scanned : 383
Memory threats detected : 0
Registry items scanned : 5417
Registry threats detected : 4
File items scanned : 33976
File threats detected : 22

Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{4f5f16ef-af9d-4fe6-8410-f0670b58979d}
HKCR\CLSID\{4F5F16EF-AF9D-4FE6-8410-F0670B58979D}
HKCR\CLSID\{4F5F16EF-AF9D-4FE6-8410-F0670B58979D}\InProcServer32
HKCR\CLSID\{4F5F16EF-AF9D-4FE6-8410-F0670B58979D}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GUSUR.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP387\A0059741.DLL

Malware.VirusProtectPro
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP387\A0059744.EXE

Trace.Known Threat Sources

Edit: if I do this, will I lose recent things I've downloaded? For example, 45gb of Inuyasha?

Edited by sPiN, 06 August 2007 - 11:46 PM.


#13 oldf@rt


Posted 06 August 2007 - 11:50 PM

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
It looks like you killed all the really bad nasties; however, posting a HijackThis log, as buddy215 said earlier, would be a final verification.

Edit: if I do this, will I lose recent things I've downloaded? For example, 45gb of Inuyasha?


If it was not infected, it is still there.

I would suggest that you read the How did I get infected thread.

Edited by oldf@rt, 06 August 2007 - 11:55 PM.

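The two checks the helpers applied by hand to sPiN's SUPERAntiSpyware logs above (was it a Quick or a Complete scan, and do any detections sit in System Restore points the scanner cannot clean), as an added example that is not part of the thread and not SUPERAntiSpyware's code. The log layout is inferred from the logs posted above; the sample log, its GUIDs and its user name are constructed.

```python
# Added example: parse a SUPERAntiSpyware scan log in the layout posted in this
# thread and run the helpers' checks. Sample is constructed (placeholder GUIDs).
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/06/2007 at 09:28 PM

Scan type : Quick Scan
Total Scan Time : 00:16:09

Registry threats detected : 3
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\someuser\Cookies\someuser@example[1].txt

Malware.VirusProtectPro
HKCR\TypeLib\{00000000-0000-0000-0000-000000000000}
HKCR\TypeLib\{00000000-0000-0000-0000-000000000000}\1.0
C:\Program Files\VirusProtectPro 3.6\vpp.ini
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP1\A0000001.EXE

Trojan.Smitfraud Variant
HKCR\CLSID\{11111111-1111-1111-1111-111111111111}
C:\WINDOWS\SYSTEM32\PLACEHOLDER.DLL
"""

# "Key : value" header lines; requiring a space after the colon skips the URL line.
HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s+(.+?)\s*$")
# A detection entry is a file path (C:\...) or a registry key (HKCR\..., HKLM\...).
ENTRY_RE = re.compile(r"^(?:[A-Za-z]:\\|HK[A-Z]+\\)")

@dataclass
class ScanReport:
    header: dict = field(default_factory=dict)      # "Scan type" -> "Quick Scan", ...
    detections: dict = field(default_factory=dict)  # category -> list of entries

def parse_sas_log(text: str) -> ScanReport:
    """Split the log into header fields and per-category detection entries."""
    report, category = ScanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            if category is None:
                raise ValueError(f"entry before any category: {line}")
            report.detections[category].append(line)
        elif "File threats detected" not in report.header:
            # Still in the header block; title, URL and "Generated" lines have no field.
            m = HEADER_RE.match(line)
            if m:
                report.header[m.group(1).strip()] = m.group(2)
        else:
            category = line  # a category name such as "Trojan.Smitfraud Variant"
            report.detections.setdefault(category, [])
    return report

def entries(report: ScanReport, registry: bool) -> list:
    """All registry entries (registry=True) or all file entries (registry=False)."""
    return [e for es in report.detections.values() for e in es
            if e.startswith("HK") == registry]

def restore_point_entries(report: ScanReport) -> list:
    """File detections inside System Volume Information, i.e. in old restore points."""
    return [e for e in entries(report, False)
            if "\\system volume information\\" in e.lower()]

def findings(report: ScanReport) -> list:
    """The checks the helpers in this thread made by hand, as a list of notes."""
    notes, hdr = [], report.header
    if hdr.get("Scan type") != "Complete Scan":
        notes.append(f"scan type was {hdr.get('Scan type', 'unknown')!r}, "
                     "not Complete Scan; rerun as a Complete Scan")
    if (len(entries(report, True)) != int(hdr.get("Registry threats detected", 0))
            or len(entries(report, False)) != int(hdr.get("File threats detected", 0))):
        notes.append("summary counts do not match the listed entries; log may be truncated")
    if rp := restore_point_entries(report):
        notes.append(f"{len(rp)} detection(s) sit in System Restore points, which the "
                     "scanner cannot clean; clear old restore points after cleaning")
    return notes
```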

#14 sPiN


Posted 06 August 2007 - 11:54 PM

I'm near the end of an anime I've been watching. It just recently finished downloading, if I do a system restore, will I not have the episodes anymore?

#15 oldf@rt


Posted 06 August 2007 - 11:57 PM

This is clearing the restore points; it does not affect data saved in Documents and Settings.



