
Thanks To You Guys, I Finally Cleansed My Pc!


1 reply to this topic

#1 oferst (Members, 1 post)

Posted 12 November 2007 - 04:51 PM

Hello, as you noticed I am new here.
My PC got infected with a virus that changed my desktop to Active Desktop, added 3 shortcuts (Error Cleaner.url, Privacy Protector.url and Spyware?Malware Protection.url), showed popups urging me to install an 'anti-virus', opened IE7, switched windows, etc.
I tried 3 different anti-virus programs, including Housecall, and 2 anti-spyware programs and didn't manage to remove it, let alone even find the infected files!

So I searched Google for a solution and came across this thread: http://www.bleepingcomputer.com/forums/t/107793/error-cleaner-privacy-protector-spyware-and-malware-protection-need-help-removing-please/.
There someone suggested the tool 'SmitfraudFix'.
So first of all I want to thank you!
I ran this tool in check mode and this is what I got:

SmitFraudFix v2.252

Scan done at 23:08:36.75, Mon 11/12/2007
Run from E:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

 Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\cmd.exe

 hosts


 C:\


 C:\WINDOWS

C:\WINDOWS\kbdctrl.dll FOUND !
C:\WINDOWS\neobus.dll FOUND !
C:\WINDOWS\privacy_danger FOUND !
C:\WINDOWS\qdertu.exe FOUND !

 C:\WINDOWS\system


 C:\WINDOWS\Web


 C:\WINDOWS\system32


 C:\WINDOWS\system32\LogFiles


 C:\Documents and Settings\Ofer


 C:\Documents and Settings\Ofer\Application Data


 Start Menu


 C:\DOCUME~1\Ofer\FAVORI~1

C:\DOCUME~1\Ofer\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Ofer\FAVORI~1\Privacy Protector.url FOUND !
C:\DOCUME~1\Ofer\FAVORI~1\Spyware?Malware Protection.url FOUND !

 Desktop

C:\DOCUME~1\Ofer\F245~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Ofer\F245~1\Privacy Protector.url FOUND !
C:\DOCUME~1\Ofer\F245~1\Spyware?Malware Protection.url FOUND !

 C:\Program Files 


 Corrupted keys


 Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:home"
"SubscribedURL"="about:home"
"FriendlyName"="my current home page"
 

 Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


 AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


 Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


 Rustock



 DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.138

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6462D8FF-2045-4875-AC7C-EF27F5A46FCD}: NameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6462D8FF-2045-4875-AC7C-EF27F5A46FCD}: NameServer=10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6462D8FF-2045-4875-AC7C-EF27F5A46FCD}: NameServer=10.0.0.138


 Scanning for wininet.dll infection


 End

After that, I rebooted in Safe Mode and chose to clean the system using the second option of the tool.
After the cleaning, this is the report I got after 2 cleanings (just to make sure):
SmitFraudFix v2.252

Scan done at 23:24:25.59, Mon 11/12/2007
Run from C:\Documents and Settings\Ofer\™…Œ‡ „’…ƒ„\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

 SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

 Killing process


 hosts

127.0.0.1  localhost 

 Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


 Generic Renos Fix

GenericRenosFix by S!Ri


 Deleting infected files


 DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6462D8FF-2045-4875-AC7C-EF27F5A46FCD}: NameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6462D8FF-2045-4875-AC7C-EF27F5A46FCD}: NameServer=10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6462D8FF-2045-4875-AC7C-EF27F5A46FCD}: NameServer=10.0.0.138


 Deleting Temp Files


 AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


 Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


 Registry Cleaning
 
Registry Cleaning done. 
 
 SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


 End
As you can see, it doesn't include info about removing the malware, because this is the report of a second cleaning.
So now I am clean of this.
But I wanted to ask:
Should I do something about these lines in the second report?
 SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

 Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

 AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

 SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
Thanks in advance!

Edited by oferst, 12 November 2007 - 05:05 PM.
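As an added example (not code from SmitFraudFix and not part of the original post), here is a small Python triage script for a SmitFraudFix report like the two pasted above. It pulls out the "FOUND !" hits, the NameServer entries, the Active Desktop component Source and the two persistence values the poster asks about (AppInit_DLLs and Winlogon "System"), and flags those values only when they are non-empty. The sample report is constructed from the first log in this thread, trimmed to the parts the parser reads; the "hijacked" sample is hypothetical, with made-up file names, and exists only to show what a flagged value looks like.

```python
"""Triage a SmitFraudFix report (added example, not SmitFraudFix code
and not part of the original post).  It assumes only the report layout
shown in the thread: '<path> FOUND !' hits, '[HKEY_...]' key headers
followed by "Name"="value" lines, and 'NameServer=<ip>' DNS lines."""
import re
from dataclasses import dataclass, field

# Values the report prints that this malware family uses for persistence.
# Assumption: on a clean XP install both are empty, so any non-empty value
# names a module that should be looked at.
PERSISTENCE_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": "AppInit_DLLs",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": "System",
}
FOUND_RE = re.compile(r"^(?P<path>.+?) FOUND !$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
DNS_RE = re.compile(r"NameServer=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Triage:
    mode: str = ""
    found: list = field(default_factory=list)        # paths marked FOUND !
    persistence: dict = field(default_factory=dict)  # (key, name) -> value
    desktop_sources: list = field(default_factory=list)
    nameservers: set = field(default_factory=set)

    def suspicious_persistence(self):
        """Persistence values that are not at their empty default."""
        return {k: v for k, v in self.persistence.items() if v.strip()}

    def suspicious_desktop(self):
        """Active Desktop components whose Source is not an about: page.
        Assumption: a hijacked desktop points Source at a local HTML file."""
        return [s for s in self.desktop_sources if not s.lower().startswith("about:")]


def parse_report(text: str) -> Triage:
    t, key = Triage(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Fix run in "):
            t.mode = line[len("Fix run in "):]
        elif m := FOUND_RE.match(line):
            t.found.append(m.group("path"))
        elif m := KEY_RE.match(line):
            key = m.group("key")          # values that follow belong to this key
        elif m := VALUE_RE.match(line):
            name, value = m.group("name"), m.group("value")
            if PERSISTENCE_VALUES.get(key) == name:
                t.persistence[(key, name)] = value
            elif key and "\\Desktop\\Components\\" in key and name == "Source":
                t.desktop_sources.append(value)
        elif m := DNS_RE.search(line):
            t.nameservers.add(m.group("ip"))
    return t


# Constructed from the first report in this thread, trimmed to the parts parsed.
CLEAN_REPORT = r"""SmitFraudFix v2.252
Fix run in normal mode

C:\WINDOWS\kbdctrl.dll FOUND !
C:\WINDOWS\neobus.dll FOUND !
C:\WINDOWS\privacy_danger FOUND !
C:\WINDOWS\qdertu.exe FOUND !

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:home"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6462D8FF-2045-4875-AC7C-EF27F5A46FCD}: NameServer=10.0.0.138
"""

# Constructed and hypothetical: the same keys as they would look when hijacked.
HIJACKED_KEYS = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINDOWS\example_hook.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/WINDOWS/example_page.htm"
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_REPORT), ("hijacked", HIJACKED_KEYS)):
        t = parse_report(text)
        print(label, t.found, t.suspicious_persistence(), t.suspicious_desktop(), t.nameservers)
```

Run against the poster's own reports, the script lists the four files under C:\WINDOWS plus the six .url shortcuts as hits and flags nothing under AppInit_DLLs or Winlogon "System", because both values are the empty string, which is the clean default the script assumes. The "!!!Attention, following keys are not inevitably infected!!!" banner is SmitFraudFix saying the same thing: those sections are printed for review, and only a non-empty value there (a DLL or EXE path) would be the sign of a hook worth investigating.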



#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,474 posts, Virginia, USA)

Posted 25 November 2007 - 02:02 PM

You're fine.

Now do this.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.




