
Help Me! Plz!


11 replies to this topic

#1 astelluto

astelluto

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 18 October 2007 - 12:58 AM

I've been infected with some sort of spyware, and no matter what I do I can't get rid of it. I keep getting pop-ups saying I have spyware.cyberlog-x, spybot@mpx, Trojan-Spy.win32@mx, and random website popups along with error messages with REALLY bad spelling mistakes. My computer is uber slow now, and it's difficult for me to even access the web. Can anyone help me??


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 PM

Posted 18 October 2007 - 01:25 AM

It sounds like you may have a Smitfraud infection on your hands.

How to remove the Smitfraud / Generic Zlob / Quicknavigate / Virtual Maid
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:19 PM

Posted 18 October 2007 - 07:22 AM

When done with the self-help guide, download RogueRemover and save to your Desktop. (compatible with Windows 2000, NT, XP, Vista)
  • Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover and follow the prompts.
  • During installation an icon will automatically be created on your Desktop.
  • If the program does not open after installation, double-click on the RogueRemover icon to launch.
  • Select "Check for Updates" and click Download if any are found.
  • Wait for the updates to finish downloading, then Close the update window.
  • Select "Scan" and follow the onscreen directions to remove anything found.
  • If nothing is found, exit RogueRemover.
  • If RogueRemover finds something, it will present a list of detected items.
  • Click "Remove selected", then Yes at the prompt.
  • Wait for the removal to complete and then close RogueRemover.
Then download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Reboot in "SAFE MODE" using the F8 method and launch SUPERAntiSpyware.
  • In the main screen, under "Scan for Harmful Software" click Scan your computer.
  • There are three scanning options. Choose "Perform Complete Scan" and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure they all have a checkmark next to them and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked to reboot, click "Yes".
  • If not, select Close to exit the program and reboot normally.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 astelluto


Posted 18 October 2007 - 11:20 AM

Thanks everyone. I'm not in front of my computer at the moment, but as soon as I get home I'm going to do what you said. Do you guys want a HijackThis log?

#5 astelluto


Posted 18 October 2007 - 11:24 AM

Also, I've tried the SmitfraudFix in safe mode, and it still came back. It's like the herpes equivalent for computers....

Edited by astelluto, 18 October 2007 - 11:26 AM.


#6 quietman7


Posted 18 October 2007 - 11:31 AM

Finish running the other two tools and then let us know how things are doing.

#7 astelluto


Posted 19 October 2007 - 04:11 PM

Well, the Super antispy picked up some things, but then I had to do a system restore because I deleted the wrong drivers using hi jack this (doh!). One thing I have noticed though is the trojan only really acts up when I'm online. Otherwise, if I unplug the internet, it doesn't do anything. Is this common??

Edited by astelluto, 19 October 2007 - 04:11 PM.


#8 astelluto


Posted 19 October 2007 - 10:07 PM

Well, I did everything. The antispyware cleaned a lot. Only problem is now I can't start it in normal mode. Every time I try to go into normal mode the computer mysteriously restarts?? It gets to the Windows XP loading screen, then it restarts by itself... :thumbsup: Any ideas as to what is up now??

God, what I wouldn't give to find the bastard that made this virus crap, and strangle him.

Edited by astelluto, 19 October 2007 - 10:10 PM.


#9 quietman7


Posted 19 October 2007 - 10:24 PM

"I deleted the wrong drivers using hi jack this..."

HijackThis is an advanced tool. Most of the log entries listed are required to run a computer and removing essential ones can potentially cause serious damage to your system. HijackThis relies on experts to interpret the log entries and determine what needs to be fixed. If you do not have advanced knowledge about computers or training in the use of this tool, you should NOT fix anything using HijackThis without consulting an expert as to what to fix. Using this tool incorrectly could adversely impact your system.

If you cannot start the computer in normal mode, you can use "Last Known Good Configuration" or System Restore from a command prompt in Safe Mode to return to a previous state before your problems began. If that does not work, then do this:

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download Dr.Web CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with Dr.Web CureIt as follows:
  • Double-click on cureit.exe to start the program. (ignore any prompts to update or check for a new version)
  • When the Dr.Web opens, an "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop. (You can use Notepad to open the DrWeb.csv report)
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply.
If you cannot download these programs using "Safe Mode With Networking", then you're going to need access to another computer (family member, friend, etc) with an Internet connection. Save them to a USB stick or CD and then transfer them to your computer.

#10 astelluto


Posted 21 October 2007 - 05:05 PM


Thanks a lot, I'll be doing this tonight.

#11 astelluto


Posted 22 October 2007 - 01:40 PM

Here's the log:

kgdbbnfj.exe;c:\windows\system32;Trojan.EzulaAd;Deleted.;
vvcbjqjh.dll;c:\windows\system32;Trojan.Hammer;Deleted.;

I still have that damn icon in the bottom right corner, and random red x error statements. My computer seems to be running faster though.

Edited by astelluto, 22 October 2007 - 01:40 PM.
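The two report rows posted above are semicolon-separated. As an added example (not part of the original thread and not Dr.Web's own code), this Python script parses a report in that layout, counts detections per threat name, and lists the full paths to check for in a later startup listing. It assumes the four fields are file name, folder, detection name and action, as the posted rows suggest; the extra sample rows, the name Trojan.Example and every action string other than "Deleted." are constructed.

```python
import csv
import io
import ntpath
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "name folder threat action")

# Constructed sample: the first two rows are the ones posted in the thread;
# the last three are made up here to exercise the edge cases.
SAMPLE_REPORT = """\
kgdbbnfj.exe;c:\\windows\\system32;Trojan.EzulaAd;Deleted.;
vvcbjqjh.dll;c:\\windows\\system32;Trojan.Hammer;Deleted.;

example.dll;c:\\windows\\temp;Trojan.Example;Moved.;
locked.sys;c:\\windows\\system32\\drivers;Trojan.Example;Will be cured after reboot.;
garbled line without separators
"""

# Assumption: an action starting with one of these words means the file is gone
# from its original location; anything else is treated as still needing attention.
RESOLVED_PREFIXES = ("deleted", "moved", "cured")


def parse_report(text):
    """Return (detections, rejected_lines) from semicolon-separated report text."""
    detections, rejected = [], []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        fields = [f.strip() for f in row]
        if not any(fields):
            continue  # blank line
        if len(fields) < 4 or not all(fields[:4]):
            rejected.append(";".join(row))  # keep malformed lines for manual review
            continue
        detections.append(Detection(*fields[:4]))
    return detections, rejected


def triage(detections):
    """Summarise detections and list what still needs follow-up."""
    pending = [d for d in detections
               if not d.action.lower().startswith(RESOLVED_PREFIXES)]
    return {
        "by_threat": Counter(d.threat for d in detections),
        # Full paths to look for in a later autostart listing: a deleted file
        # can still be referenced by a startup entry that points at it.
        "paths": sorted(ntpath.join(d.folder, d.name).lower() for d in detections),
        "pending": [ntpath.join(d.folder, d.name) for d in pending],
    }


if __name__ == "__main__":
    found, bad = parse_report(SAMPLE_REPORT)
    summary = triage(found)
    print(summary["by_threat"], summary["pending"], bad, sep="\n")
```
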


#12 quietman7


Posted 22 October 2007 - 01:54 PM

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

If HijackThis will not run, try renaming it. Open the HijackThis Folder, right-click on the HijackThis.exe file and rename it Scanner.exe. Double-click on Scanner.exe (which is still HijackThis) and then run your scan. If needed, change the .exe to something else such as .bat, .com, .pif, or .scr. Example: Scanner.bat or Scanner.com

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.



