Some Type Of Spyware Infection


14 replies to this topic

#1 Galad

  • Members
  • 29 posts
  • Gender:Male
  • Location:US-Foxboro-MA

Posted 19 November 2007 - 09:28 AM

Morning,

Have a problem with one of my PCs. Constant popups about infection, and needing to download some software. The description I used to search this particular issue was "yellow triangle exclamation point system tray". I found info over a year old until I came across this site. Saw a similar recent issue, so I thought I'd join the community for help. So....

Used the link above (prep guide for using Hijackthis) and ran Housecall last night. It found issues that Adaware and McAfee could not. From the housecall results, I believe I have/had "Freeloader Smitfraud". Prior to housecall and this community, I installed and ran Hijackthis, in preparation for communicating my problem. In retrospect, your guide was exactly what I needed. Thank you for that.

Housecall took over 7 hours to run; also, I recall a previous experience (with a work PC) where it was estimating over 5 hours. Is that software always slow? I run DSL.

Won't get back to that PC until after work tonight; I'll most likely try the next software on your list (Panda or Bit) if the issue still lurks.

What forum is the best place to post my history so others can learn?

Thanks


#2 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,577 posts
  • Gender:Male

Posted 19 November 2007 - 09:35 AM

If you're still having problems see the following fix:

How to remove the Smitfraud / Generic Zlob / Quicknavigate / Virtual Maid
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,265 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 November 2007 - 10:35 AM

SmitFraud is a generic description for a family of rogue applications/trojans such as Win32.Zlob that uses misleading advertising, downloads rogue security products, changes (hijacks) the Windows Desktop and infects system files. The Trojan uses bogus security warnings and fake alerts to indicate that your computer is infected with spyware or has critical errors. It is responsible for downloading and installing programs that purport to scan for spyware and then uses false scan reports as a scare tactic to goad you into purchasing one of several rogue programs to fix it.

In the "How to" guide, scroll down to where it says Removal Instructions; ignore the part that shows symptoms in a HijackThis log as they will not apply to your case.
If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!

The speed of an anti-virus or anti-malware scan depends on a variety of factors.
  • The anti-virus program itself and how its scanning engine is designed to scan.
  • Deep scanning or quick scanning.
  • What action has to be performed when malware is detected.
  • Competition between the scanner and other applications for system resources.
  • Your computer's hard drive size.
  • Disk used capacity (number of files) that have to be scanned.
  • Running processes in the background.
  • Interference from malware.
  • Interference from the user.

Edited by quietman7, 19 November 2007 - 10:36 AM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 Galad
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:US-Foxboro-MA

Posted 19 November 2007 - 06:15 PM

Hi,

Seems Housecall did not clean out the issue. Going to try Budapest's link/fix next....

SmitfraudFix failed to work also. The infection was present in Safe Mode......

Currently running adaware. Will download and run Spybot after that

Edited by Galad, 19 November 2007 - 07:08 PM.

AMD X2 260 REGOR 3.2G
MSI 870-G45 MS 7599 V2.1
G.SKILL 4G Stick DDR3 1333 (2X)
HIS Radeon HD 4670 1GB DDR3 PCI E
Seagate 500GB 7200 RPM 16MB SATA 3.0Gb/s
LITE-ON 2MB Cache SATA
Rosewill RG430-S12 430W Single 12V Rail

#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,265 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 November 2007 - 06:35 PM

Ok. When done with that, please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.


#6 Galad
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:US-Foxboro-MA

Posted 21 November 2007 - 08:53 AM

Ran Adaware multiple times (3X) and it did a good cleaning but always found one or two new things each time.

Ran my McAfee virusscan and found nothing. Have my firewall in lockdown except for removal tool program updates.

Installed SpyBot and ran 2X. The first pass it caught multiple items, and upon reboot the PC regained speed. The second pass identified a Virtumonde (Virtumonde.generic) virus.

I will try VundoFix next....

Any other thoughts?

THX

#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,265 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 November 2007 - 10:05 AM

Please follow the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

Then download and scan with SUPERAntiSpyware Free in "Safe Mode".

#8 Galad
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:US-Foxboro-MA

Posted 22 November 2007 - 06:27 AM

Gobble Gobble all,

Vundofix seemed to work, i.e. find even more files.

Ran around the internet for a while and McAfee kept blocking Vundos and Trojans (where were you when I needed you BEFORE the issues began!).

Finally ran superantispyware, and found a boatload of other stuff.

I'm thinking we did a great job of cleaning through this process, but paranoid there's still a file or two lurking in the weeds....

Thanks for the help!

#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,265 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 November 2007 - 08:28 AM

You can double-check things by performing an Online Virus Scan.

If things seem ok after that, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state. Then use Disk Cleanup to remove all but the newly created Restore Point.

#10 Galad
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:US-Foxboro-MA

Posted 22 November 2007 - 09:36 AM

Ran Spybot this morning and it still found a Virtumonde. But appears to remove it.

Another new bit of info: I get a rundll error on login: c:\windows\system32\eiqlowxg.dll not found. Quick google search comes up empty for that file.....hmmmm....

Edited by Galad, 22 November 2007 - 09:36 AM.


#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,265 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 November 2007 - 10:18 AM

RunDLL32.exe is a legit Windows file that loads .dll files which too can be legit or malware related. The Cannot find or error loading message usually occurs when the associated .dll has been removed and it becomes an orphaned entry. The file may have been removed during an anti-virus or anti-malware scan, the uninstall of a program or use of a specialized fix tool. However, an associated registry entry remains and is telling Windows to load the file when you boot up.

If the file was removed but not the entry, Windows will display an error message indicating that the file was not found or there was an error loading. You need to remove this registry entry so Windows stops searching for the program when it loads.

To resolve this download and run Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns and extract (unzip) the file there. (Click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file with the error message.
  • Right-click on the file and choose delete.
  • Reboot your computer and see if the startup error returns.

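The orphaned-entry check described above can also be scripted. The following is an added example, not code from the thread or from quietman7, and not a substitute for Autoruns (which inspects many more load points than the four Run/RunOnce keys listed here). It walks the standard Run/RunOnce keys, pulls the DLL path out of any rundll32 command line, and flags entries whose DLL is no longer on disk, which is exactly the condition that produces the "not found" RunDLL error at logon. It assumes an elevated Windows PowerShell session; the key paths are the standard locations, and no value names or file names are taken from a real system.

```powershell
# Added example (not from the thread): list Run/RunOnce autostart entries that
# invoke rundll32 and flag the ones whose target DLL is missing from disk.
# Assumes an elevated Windows PowerShell session. Standard Run/RunOnce locations only;
# Autoruns covers many more (services, Winlogon, BHOs, scheduled tasks, ...).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunDllTarget {
    # Extract the DLL path from a rundll32 command line such as
    #   rundll32.exe "C:\WINDOWS\system32\example.dll",EntryPoint
    #   rundll32 example.dll,EntryPoint   (bare name: rundll32 resolves it from System32)
    # Returns $null for values that do not invoke rundll32 at all.
    param([string]$CommandLine)
    if ($CommandLine -notmatch '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)"?') { return $null }
    $dll = [Environment]::ExpandEnvironmentVariables($Matches[2].Trim())
    if (-not [System.IO.Path]::IsPathRooted($dll)) {
        $dll = Join-Path $env:SystemRoot ('System32\' + $dll)
    }
    return $dll
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $dll = Get-RunDllTarget -CommandLine ([string]$prop.Value)
        if ($null -eq $dll) { continue }
        [pscustomobject]@{
            Key      = $key
            Name     = $prop.Name
            Dll      = $dll
            Orphaned = -not (Test-Path -LiteralPath $dll)   # True = file gone, entry remains
        }
    }
}

# Orphaned entries sort to the top so they can be reviewed first.
$report | Sort-Object -Property Orphaned -Descending | Format-Table -AutoSize

# Once an entry is confirmed to be the one named in the logon error, back up the
# key and delete only that value, for example:
#   reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run-backup.reg
#   Remove-ItemProperty -Path $entry.Key -Name $entry.Name
```

An entry marked Orphaned is the scripted equivalent of what the thread's Autoruns steps find by eye: a registry value still pointing at a DLL that a scanner or fix tool has already deleted. An entry whose DLL does still exist, but is an unfamiliar name in System32, deserves a scan of that file rather than deletion of the value.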

#12 Galad
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:US-Foxboro-MA

Posted 23 November 2007 - 09:33 AM

Computer is much better! Going to keep my eyes on it for a while.

Autoruns helped to remove that and a few other orphan files.

Superantispyware is running in the background (in my system tray). Necessary?

Again, thanks for help.

#13 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,265 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 November 2007 - 10:37 PM

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
SUPERAntiSpyware Free vs Pro Comparison Features. If you're using the free version, use it as an on-demand scanner...no need to run at startup.

#14 Galad
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Male
  • Location:US-Foxboro-MA

Posted 24 November 2007 - 07:52 AM

Completed my restore point. Also.....

Another useful tool through this process was http://secunia.com/software_inspector. Turns out most of my stuff was outdated! Good resource.

#15 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,265 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 November 2007 - 08:31 AM

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"The 10 Biggest Security Risks".
"Hardening Windows Security - Part 1" and "Hardening Windows Security - Part 2".

Safe surfing and have a malware free day.
