Windows Cannot Find Iexplore.exe Smitfraud


19 replies to this topic

#1 wolf_digital

wolf_digital

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:north east tennesee
  • Local time:11:10 PM

Posted 31 March 2008 - 06:24 PM

Hello,
here are my computer specs:

Operating System: Windows XP Home Edition Service Pack 1 (build 2600)
System Model: HP Pavilion 061 DM181A-ABA a305w 0n31211RE101GLEND10
System Serial Number:
Enclosure Type: Other

Processor: 2.70 gigahertz Intel Celeron
  8 kilobyte primary memory cache
  128 kilobyte secondary memory cache
  128 kilobyte tertiary memory cache
Main Circuit Board: TriGem Computer Inc. Glendale motherboard
  BIOS: Phoenix Technologies 3.21 07/16/2003

Drives:
  55.36 Gigabytes Usable Hard Drive Capacity
  10.49 Gigabytes Hard Drive Free Space
  CyberDrv CW089D CD-R/RW [CD-ROM drive]
  3.5" format removable media [Floppy drive]
  FUJITSU MPF3153AT [Hard drive] (15.37 GB) -- drive 1, s/n 01039591, rev 0028, SMART Status: Healthy
  WDC WD400EB-00CPF0 [Hard drive] (40.02 GB) -- drive 0, s/n WD-WCAATF535157, rev 06.04G06, SMART Status: Healthy
Memory Modules: 760 Megabytes Installed Memory
  Slot 'J5G3' has 256 MB
  Slot 'J5G2' has 512 MB

Local Drive Volumes:
  c: (NTFS on drive 0) 20.88 GB 2.79 GB free
  d: (NTFS on drive 0) 13.17 GB 1.29 GB free
  e: (FAT32 on drive 0) 5.96 GB 1.03 GB free
  g: (FAT32 on drive 1) 15.35 GB 5.37 GB free
Network Drives: None detected

Users (local user accounts, last logon):
  Owner 3/31/2008 4:09:38 PM (admin)
Local system accounts:
  Administrator never (admin)
  Guest never
  HelpAssistant never
  SUPPORT_388945a0 never
  SUPPORT_fddfa904 never
  (DISABLED marks a disabled account; LOCKED OUT marks a locked account)
Printers:
  Microsoft Shared Fax Driver on SHRFAX:

Controllers:
  Standard floppy disk controller
  Intel® 82801DB Ultra ATA Storage Controller-24CB
  Primary IDE Channel [Controller]
  Secondary IDE Channel [Controller]
Display:
  Intel® 82845G/GL/GE/PE/GV Graphics Controller [Display adapter]
  hp v72 [Monitor] (15.7"vis, s/n CNR33200MT, August 2003)

Bus Adapters:
  Intel® 82801DB/DBM USB 2.0 Enhanced Host Controller - 24CD
  Intel® 82801DB/DBM USB Universal Host Controller - 24C2
  Intel® 82801DB/DBM USB Universal Host Controller - 24C4
  Intel® 82801DB/DBM USB Universal Host Controller - 24C7
Multimedia:
  Realtek AC'97 Audio

Communications:
  Lucent Win Modem
  Realtek RTL8139/810x Family Fast Ethernet NIC (primary)
  Networking DNS Servers:
Other Devices:
  USB Human Interface Device
  HP PS2 Keyboard (2K - 3)
  HID-compliant mouse
  USB Root Hub (4x)
  COBY MP3 Player


_____________________________

I didn't do a HijackThis as I guess that's for later.
Here are the problems I have got so far.

When I try to click Internet Explorer it gives me this message: Windows cannot find iexplore.exe
(Clicking either the desktop or Start menu icons produces the same result.) However, if I right-click it and choose Properties it will bring up that menu, the one where you can get rid of cookies and all that.

Before that I opened up ZoneAlarm and it told me I had an infection. Unfortunately, after it said fixed, I closed it. The infection had a 32 in the name, that's all I remember. Well, when I go to reopen ZoneAlarm my computer turns off like I had unplugged it.

Yeah, I was sad. It kept doing it.

Well, I then realised something now sucked. Actually I won't mention what I said.
So I get the computer back up and click on ZoneAlarm to make sure it wasn't just a glitch.
Nope. So I figure I will get on the net and see what I can do. Well, the Explorer problem wouldn't let me.

So I curse, um, say not nice things. I have just installed a high speed connection, 5 Mbps. Fortunately I still had AOL, so I configured it and started searching.

I ran Spybot and it found something called:

--- Search result list ---
Smitfraud-C.gp: Picture (File, fixed)
C:\WINDOWS\system32\ot.ico


Oh man, I did the copy full report to clipboard and pasted. It would have taken 3 years to read all that. I deleted all but the above.

I tried to install Avast antivirus: when I tried to open it after install I got this message: avast detected unauthorized modification of this program file (c:\program files\alwil software\avast4\ashavast.exe)

Then I decided to come here, because, well, you guys are primo. Now I remembered I had Firefox on my computer, and as I hate AOL browsing I just used it instead. I made it my default browser. Now my AOL searching won't work, so if this hits the crapper I am really screwed. However, I haven't restarted AOL yet to see if it was just a glitch when I did the Firefox thing.

Anyway, I could really use some help.
Thanks in advance! I am afraid to turn off the computer as I am able to use the forums at the moment.

BTW, the reason I used Firefox is because Belarc Advisor wouldn't show my statistics. I thought Firefox would allow it if I made it default, which I did. Belarc uses an internet browser window to display its results. They wouldn't show until I did the Firefox thing.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:10 PM

Posted 31 March 2008 - 11:32 PM

Hello and welcome. Your first 3 drives are quite full. Which drive was Windows installed to?
Please do this
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 wolf_digital


Posted 31 March 2008 - 11:38 PM

It is on the C drive!
And hieee!!! Ty ty.
I am following your directions now.

#4 wolf_digital


Posted 31 March 2008 - 11:49 PM

Here you go. It didn't ask me to reboot, so I am just copying and pasting.
Malwarebytes' Anti-Malware 1.09
Database version: 576

Scan type: Quick Scan
Objects scanned: 34420
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{9ca1536d-5689-40ca-b92a-f646301517d7} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{09dc28c6-bce2-42b1-b3ea-8ab82f0f3b0a} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\toolbar.TB (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\toolbar.TB.1 (Adware.AdMedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\WinBudget\bin\matrix.dll (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\vx3.game (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\vx5.game (Heuristics.Malware) -> Quarantined and deleted successfully.

And thanks again : )

#5 boopme


Posted 01 April 2008 - 10:27 AM

How is the PC running now? Are you downloading games off the internet through file sharing? Are there some unnecessary programs and things you can remove through Control Panel to free up space?


Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#6 wolf_digital


Posted 01 April 2008 - 05:20 PM

Hello again boopme,
my computer shut down and I rebooted after I had done the Malwarebytes scan.
Well, the Avast I had installed tried to do a boot scan. I had never opened it because I had the message about unauthorised changing of a file. Well, it found 2 instances of Win32 something, but I got worried and just did an escape on the scan. The reason is because of that file being changed in the beginning; I didn't trust it.
Windows still can't find Explorer with the desktop icon.
I will try to free up some space.
I have a lot of music and stuff on the computer as well as a couple of beefy games.
Here is the report you asked for.
SmitFraudFix v2.309

Scan done at 16:58:52.23, Tue 04/01/2008
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1206998783\ee\AOLSoftware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner.BIPPY


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner.BIPPY\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\OWNER~1.BIP\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 67.15.202.9
DNS Server Search Order: 67.15.202.9
DNS Server Search Order: 72.21.36.74
DNS Server Search Order: 75.126.60.131

HKLM\SYSTEM\CCS\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CCS\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: NameServer=67.15.202.9,67.15.202.9,72.21.36.74,75.126.60.131
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: NameServer=67.15.202.9,67.15.202.9,72.21.36.74,75.126.60.131
HKLM\SYSTEM\CS3\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS3\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: NameServer=67.15.202.9,67.15.202.9,72.21.36.74,75.126.60.131
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.158.96.130 24.158.96.131


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Thanks heaps in advance : )

#7 boopme


Posted 01 April 2008 - 06:09 PM

Good, now do the cleaning and tell me what is happening. Post the log.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Edited by boopme, 01 April 2008 - 06:10 PM.


#8 wolf_digital


Posted 01 April 2008 - 06:34 PM

Heya boopme : )

Did it. The background is gone when I restarted.

Here is the report:

SmitFraudFix v2.309

Scan done at 18:22:41.68, Tue 04/01/2008
Run from C:\Documents and Settings\Owner.BIPPY\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CCS\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: NameServer=67.15.202.9,67.15.202.9,72.21.36.74,75.126.60.131
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS1\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: NameServer=67.15.202.9,67.15.202.9,72.21.36.74,75.126.60.131
HKLM\SYSTEM\CS3\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS3\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: NameServer=67.15.202.9,67.15.202.9,72.21.36.74,75.126.60.131
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.158.96.130 24.158.96.131
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.158.96.130 24.158.96.131


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


I should also tell you I uninstalled Avast before we started the last part. When the computer would restart it would give me that message about being modified where I put in my logon password... you know, a Java popup. It isn't doing it now.

EDIT: Things are worse. I have something called rtsecar.exe.
Sometimes the computer locks, as in I can't Ctrl-Alt-Del or click anything in the taskbar. My CPU is running at 100%. This just started today. Thanks in advance. I did this edit at 8:49; I didn't post as a reply as I don't wanna be a tard and bump.

Edited by wolf_digital, 01 April 2008 - 07:49 PM.


#9 boopme


Posted 01 April 2008 - 08:44 PM

Things are OK then? Good, let's do 2 more things. Also, have you checked to see if the disk needs defragmenting?

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All, then click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All, then click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Next:
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#10 wolf_digital


Posted 01 April 2008 - 09:18 PM

OK, I did that. I was finally able to get back on.
I installed PC Tools Firewall Plus.
These are some of the processes I was seeing before:
wuauclt.exe
rtsecar.exe
aolsoftware.exe
I watch my processes constantly, so I knew those didn't belong.
What should I do next?
Oh.
I created the restore point and will now do the disk cleanup.
Well, I click Disk Cleanup and the hourglass flickers but nothing else happens.
I haven't locked up for a while, so I suppose that's good.
: )

EDIT: Um, now the background for the forums doesn't show when I click on my post.
I am gonna try to reboot.

Edited by wolf_digital, 01 April 2008 - 09:22 PM.


#11 boopme


Posted 01 April 2008 - 10:04 PM

OK, can you check the full path of these processes, please. The proper ones should be:

wuauclt.exe
C:\Windows\system32\wuauclt.exe

aolsoftware.exe
C:\Program Files\Common Files

rtsecar.exe is malware and very bad:
W32/Vanebot-AX Worm
http://www.sophos.com/security/analyses/w32vanebotax.html

An intruder has complete control over your machine. I won't recommend cleaning this machine unless you have NO use for trusting it in the future. A reformat/reinstall of the operating system is really the only safe recommendation I can make. First thing, get this computer off the internet and off of any networks. If you need to access the internet, even to visit this topic here, use a known clean computer. However, with your stolen information and the presence of an intruder, the damage is already done and there's no telling what else may have been compromised at this point.


Many security experts believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS.
Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".

If you should decide otherwise and take that risk, we will help you attempt to clean the PC. No promises or guarantees it can be trusted. You need to decide. Let us know what you want to do.
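The path check boopme asks for above, together with the DNS comparison a practitioner would run over the SmitfraudFix report posted earlier in the thread (post #6), as an added example that is not part of the thread, of SmitfraudFix, or of any tool named here. Assumptions: C: is the system drive and the expected directories are XP-era defaults; the sample report is a constructed excerpt of the posted one with two invented lines (a second wuauclt.exe under Temp and an rtsecar.exe) added to exercise the checks; rtsecar.exe is treated as known-bad only because boopme identifies it as such; and a static NameServer that differs from DhcpNameServer is reported for verification against the ISP's real resolvers, not asserted to be malicious.

```python
"""Triage checks over a SmitfraudFix-style report (added example, not thread code).

Two checks the thread's helper asked for by hand: confirm that well-known
system binaries run from their expected directory, and compare the static
NameServer value with the DHCP-assigned one for each interface key.
"""
import re
from collections import defaultdict

# Expected parent directories for the binaries named in the thread.
# Assumption: system drive is C:, XP-era layout.  Compared case-insensitively.
EXPECTED_DIRS = {
    "smss.exe": (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "services.exe": (r"c:\windows\system32",),
    "lsass.exe": (r"c:\windows\system32",),
    "svchost.exe": (r"c:\windows\system32",),
    "spoolsv.exe": (r"c:\windows\system32",),
    "wuauclt.exe": (r"c:\windows\system32",),
    "explorer.exe": (r"c:\windows",),
    # boopme gives "C:\Program Files\Common Files" as the AOL prefix
    "aolsoftware.exe": (r"c:\program files\common files\aol",),
}
# Named as malware in the thread (W32/Vanebot-AX per the Sophos link).
KNOWN_BAD = {"rtsecar.exe"}
# Directories a long-running process has no business executing from.
SUSPICIOUS_DIRS = (r"\local settings\temp", r"\windows\temp", r"\windows\tasks")

# Constructed sample modelled on the posted report.  The two lines marked
# "invented" did not appear in the original log.
SAMPLE_REPORT = "\n".join([
    "»»»»»»»»»»»»»»»»»»»»»»»» Process",
    "",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\Program Files\Common Files\AOL\1206998783\ee\AOLSoftware.exe",
    r"C:\WINDOWS\System32\wuauclt.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\wuauclt.exe",  # invented
    r"C:\WINDOWS\system32\rtsecar.exe",                                   # invented
    "",
    "»»»»»»»»»»»»»»»»»»»»»»»» DNS",
    "",
    "Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: DhcpNameServer=24.158.96.130 24.158.96.131",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\..\{15AC85A1-A058-4F83-ACD6-B3589E19D81F}: NameServer=67.15.202.9,67.15.202.9,72.21.36.74,75.126.60.131",
    r"HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.158.96.130 24.158.96.131",
    "",
    "»»»»»»»»»»»»»»»»»»»»»»»» End",
])

SECTION_RE = re.compile(r"^»+\s*(.+?)\s*$")
DNS_RE = re.compile(r"^(?P<key>HKLM\\[^:]+):\s*(?P<field>DhcpNameServer|NameServer)=(?P<val>.*)$")


def parse_sections(report):
    """Map each '»»» Title' header to the non-blank lines under it."""
    sections, current = defaultdict(list), None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections


def check_processes(paths):
    """Return (path, reason) for every process that fails a location check."""
    findings = []
    for path in paths:
        directory, _, name = path.lower().rpartition("\\")
        if name in KNOWN_BAD:
            findings.append((path, "file name identified as malware in the thread"))
        elif name in EXPECTED_DIRS:
            ok = any(directory == d or directory.startswith(d + "\\")
                     for d in EXPECTED_DIRS[name])
            if not ok:
                findings.append((path, "system binary name running outside its expected directory"))
        elif any(s in directory for s in SUSPICIOUS_DIRS):
            findings.append((path, "executing from a temp or tasks directory"))
    return findings


def check_dns(lines):
    """Return (registry key, static servers not handed out by DHCP) per interface.

    A static NameServer overriding DHCP is not proof of tampering; it is
    something to verify against what the ISP or router actually assigns.
    """
    per_key = defaultdict(dict)
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            servers = {s for s in re.split(r"[,\s]+", m.group("val")) if s}
            per_key[m.group("key")][m.group("field")] = servers
    findings = []
    for key, fields in per_key.items():
        extra = fields.get("NameServer", set()) - fields.get("DhcpNameServer", set())
        if fields.get("NameServer") and extra:
            findings.append((key, sorted(extra)))
    return findings


def triage(report):
    sections = parse_sections(report)
    return {"processes": check_processes(sections["Process"]),
            "dns": check_dns(sections["DNS"])}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REPORT).items():
        for item in items:
            print(f"[{kind}] {item[0]} -> {item[1]}")
```

On the posted report this flags nothing in the Process section (every listed binary sits where it should) and one DNS item: the static NameServer list on the interface key differs entirely from the DhcpNameServer list. That is the kind of thing to confirm with the ISP before deciding it is part of the infection.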

#12 wolf_digital


Posted 02 April 2008 - 12:26 AM

Hello,
I don't have a Windows disk to reformat with.
I bought this off a friend about 2 years ago.
Bleh.
If you don't mind, I'd like to try for a fix.
The ones I mentioned before stopped after I downloaded and installed PC Tools Firewall Plus.
I did a little checking of my own in the startup. There is an entry called phmptxj32.exe.
I am not an idiot. I know that doesn't belong there, especially when the file name brings up a big goose egg on Google. I guess the retards figure it won't be noticed. It's in HKLM\.
Any help would be appreciated.
I don't let my passwords be stored on anything.

#13 boopme


Posted 02 April 2008 - 01:38 PM

OK, we'll give it a go. Just in case I wasn't clear, this is a W32.IRCBot trojan, meaning it will call home and send your personal data, credit card, financials, passwords etc. You must change them.
Can you do a search of your drive to find that file, phmptxj32.exe?
If so, submit it to one of these, then post back the reply. If not, we will try something else.
VirusTotal
Jotti's malware scan

#14 wolf_digital


Posted 02 April 2008 - 06:10 PM

Hello,
it didn't show in search. I did a HijackThis because earlier I thought I found it.
I found this:
O4 - HKLM\..\RunServices: [Network Host Service] phmptxj32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

I clicked fix for it and BackWeb because I knew they were bad. I maybe shouldn't have, but : (.

#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:10 PM

Posted 03 April 2008 - 07:23 AM

Don't have a windows disk to reformat with. Bought this off a friend bout 2 years ago.

I see that you're using an HP Pavilion, so there may not be an original XP CD.

By policy, Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM with computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific recovery disk or recovery partition for performing a clean factory restore.

A Recovery Disk is a CD-ROM or DVD data disc that contains a complete copy/image of the entire contents of the hard drive that will restore the system to its factory default state at a certain time. Essentially, it will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. You will lose all data and have to reinstall all programs that you added afterwards.

A Recovery Partition is used by some OEM manufacturers (Dell, HP, IBM, Gateway) instead of a recovery disk to store a complete copy of the hard disk's factory default contents for easy restoration. This consists of a hidden bootable partition containing various system recovery tools, including full recovery of the preinstalled Windows XP partition, that will allow you to restore the computer to the state it was in when you first purchased it. The recovery software will then re-hide its own partition after creating a new partition and installing the software to it.

Recovery partitions may only work with a start-up floppy disk, or the user may be prompted immediately after the "Out Of Box Experience" (OOBE) to create backup CD-R discs of the software on the hard drive image for future use. Once the CDs are made, the Operating System, Drivers, or Applications can be reinstalled using the files on the hard drive or the backup CDs.

Some built-in recovery partitions can be accessed by hitting Ctrl+F11, just F11, or F10 during BIOS startup. Others, like those used by IBM ThinkPads, will display a message at bootup instructing you to press F11 to boot from the recovery partition. For more information, see Understanding Partition recovery. If you find that your machine has a recovery partition, that is an option to consider, especially when your machine has been compromised by a nasty infection.

phmptxj32.exe is related to an infection that uses 7 random letters followed by 32.exe, so that's probably why you're not finding any info.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights".
When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
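The naming pattern quietman7 describes above (seven random letters followed by 32.exe), applied to the HijackThis O4 lines wolf_digital posted, as an added example that is not part of the thread or of HijackThis. Assumptions: the pattern is taken literally as `[a-z]{7}32.exe`; an autostart value that names a bare executable with no directory is flagged separately, because the log alone does not say where on disk Windows will resolve it from, which is why a file search is needed before submitting it to a scanner; the sample input is the five O4 lines from post #14 and nothing else.

```python
"""Triage HijackThis O4 (autostart) lines (added example, not thread code).

Applies the naming pattern quietman7 describes (seven random letters then
32.exe) and flags autostart values that carry no directory, which have to be
located on disk before they can be submitted to a scanner.
"""
import re

# The five O4 lines posted in the thread, used as sample input.
SAMPLE_HJT = r"""
O4 - HKLM\..\RunServices: [Network Host Service] phmptxj32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
"""

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
REG_VALUE_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First executable in a command: a quoted token, or everything up to the first ".exe".
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<bare>.*?\.exe)\b', re.I)
# Pattern quietman7 gives for this family: seven letters then 32.exe (assumed literal).
RANDOM32_RE = re.compile(r"^[a-z]{7}32\.exe$", re.I)


def extract_exe(command):
    """Return the executable a startup command launches, or None if none is visible."""
    m = EXE_RE.match(command.strip())
    if not m:
        return None
    return m.group("q") or m.group("bare")


def classify_o4(line):
    """Describe one O4 line as a dict, or return None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    where, rest = m.group("where"), m.group("rest")
    if "Startup" in where:            # startup-folder shortcut: "name.lnk = target"
        name, _, cmd = rest.partition(" = ")
    else:                             # registry value: "[name] command"
        rv = REG_VALUE_RE.match(rest)
        name, cmd = (rv.group("name"), rv.group("cmd")) if rv else ("", rest)
    exe = extract_exe(cmd)
    reasons = []
    if exe:
        basename = exe.rpartition("\\")[2]
        if RANDOM32_RE.match(basename):
            reasons.append("matches the random-seven-letters+32.exe naming pattern")
        if "\\" not in exe:
            reasons.append("no directory given; locate the file on disk before judging it")
    return {"where": where, "name": name, "exe": exe, "reasons": reasons}


def triage_o4(text):
    """Classify every O4 line in a HijackThis log excerpt."""
    return [c for c in (classify_o4(l) for l in text.splitlines()) if c]


if __name__ == "__main__":
    for entry in triage_o4(SAMPLE_HJT):
        flag = "; ".join(entry["reasons"]) or "nothing flagged"
        print(f'{entry["where"]}: {entry["exe"]} -> {flag}')
```

On the posted lines this singles out phmptxj32.exe on both counts and notes rundll32.exe in the NVIEW value only as a bare name, which is a prompt to confirm the location of the binary it loads rather than a verdict on the entry.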



