Help Please.


19 replies to this topic

#1 Mankind (Members, 13 posts)

Posted 08 April 2008 - 02:54 PM

Hi,

I have Windows 2000 pro. The problem began like a day ago when I was downloading a song then all of a sudden my computer rebooted. When it started again, I was left with a red circle and a white X in the middle of it at the right bottom corner of windows and it's stating that my computer is infected with spyware.

I ran Kaspersky and it says that my computer is well protected but that I have an adware "not a virus" called C:\WINNT\system32\univrs32.dat. It claims that it will delete it when the system restarts, but it is still there.

I tried running windows in safe mode and I was actually able to locate the file and delete it, but the problem is, it is still there when I log in on regular windows.


Any kind of advice will be very helpful, but on a simple level. I don't really know much about computers.


#2 ruby1, a forum member (Members, 2,375 posts)

Posted 08 April 2008 - 03:32 PM

may one ask from which source you were downloading the song and were you using any P2P program to enable the download?

apart from the Kaspersky what other protection programs do you have on there, when did you last update them and run them ?

#3 boopme, To Insanity and Beyond (Global Moderator, 73,490 posts, NJ USA)

Posted 08 April 2008 - 03:37 PM

Hello, please follow these instructions. Let us know how the PC is running afterward, thanks.

Start with this BC tutorial. How to remove the Smitfraud / Generic Zlob

NEXT:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop. DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to start Windows in Safe Mode

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 Mankind (Topic Starter, Members, 13 posts)

Posted 08 April 2008 - 05:06 PM

> may one ask from which source you were downloading the song and were you using any P2P program to enable the download?
>
> apart from the Kaspersky what other protection programs do you have on there, when did you last update them and run them ?


No, I was not using a P2P program at the time. I'm not sure, but I think this is the site from where I downloaded the song.
http://shardad-rohani.hanzmusic.com/hanz/s139984.html

I did a search for that artist and a few results popped up so I checked a few different sites, but I think that's the one I downloaded from. Oh and btw I first downloaded the song called Sweet Moment and didn't have any problems there, but then when I went on to download the first one on the list....Freedom, that's when the problem started.

I only use Kaspersky. From my understanding, I think Kaspersky automatically updates everyday.

> (boopme's instructions from post #3, quoted in full)


Thank you. I will try it very carefully.

EDIT: Ok I downloaded SmitFraudFix.zip, but Kaspersky gives me a warning and I am scared now. I really don't want to mess my computer any more than it already is.

This is the warning:
THREATS HAVE BEEN DETECTED!
detected: riskware not-a-virus:RiskTool.Win32.Reboot.f File: C:\Documents and Settings\----\My Documents\My Music\SmitfraudFix.exe//data.rar/SmitfraudFix\Reboot.exe

Also, I have some Windows updates. Should I download them now or download them when I deal with the problem first?

Edited by Mankind, 08 April 2008 - 05:38 PM.


#5 quietman7, Bleepin' Janitor (Global Moderator, 51,745 posts, Virginia, USA)

Posted 08 April 2008 - 10:42 PM

Certain embedded files that are part of legitimate programs or specialized fix tools such as SmitfraudFix may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Some common detections include process.exe, restart.exe, and reboot.exe.

These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases, the detection is a "False Positive".

However, do this instead.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 Mankind (Topic Starter, Members, 13 posts)

Posted 09 April 2008 - 04:14 AM

SDFix: Version 1.167
Run by Harold on Wed 04/09/2008 at 5:31a

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\system32\0.exe - Deleted
C:\WINNT\system32\braviax.exe - Deleted
C:\WINNT\system32\univrs32.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 05:37:27
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 16 Jun 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Harold\Application Data\U3\temp\Launchpad Removal.exe"
Mon 7 Apr 2008 1,582 A.SH. --- "C:\Documents and Settings\Harold\Application Data\Roxio\Dragon\3.x\DiscInfoCache\SanDisk_U3_Cruzer_Micro_4.05_300_DICV018_DRGV9000007.TMP"
Mon 7 Apr 2008 4,327 A.SH. --- "C:\Documents and Settings\Harold\Application Data\Roxio\Dragon\3.x\DiscInfoCache\SONY_DVD_RW_DRU-820A_2.0c_200_DICV018_DRGV9000007.TMP"

Finished!

I'd like to point out that while SDFix was scanning, a small box popped up saying this:

Registry Editor
Cannot import assosfix.reg: Error opening file. There may be a disk or file system error.

1) Is that error going to be a problem?

Btw the spyware appears to have been removed because I don't see the little red circle anymore at the right hand bottom corner, so that's good news!

2) So do I still need to go on to phase two, which is to run Malwarebytes Anti-Malware?

3) Also, like I said before, I now have some Windows updates. Should I download them now or should I wait till I do all the scanning?

Can someone answer my 3 questions please? Thank you. (sorry, not very computer literate)

#7 quietman7, Bleepin' Janitor (Global Moderator, 51,745 posts, Virginia, USA)

Posted 09 April 2008 - 08:29 AM

Yes, please continue with the instructions to run MBAM and post the log. Hold off on downloading your updates until we are finished. As for that error, I've seen it reported before but it doesn't seem to stop SDFix from doing its job, so don't worry.

#8 Mankind (Topic Starter, Members, 13 posts)

Posted 09 April 2008 - 03:06 PM

Malwarebytes' Anti-Malware 1.11
Database version: 604

Scan type: Quick Scan
Objects scanned: 25654
Time elapsed: 6 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Harold\Local Settings\Temporary Internet Files\Content.IE5\6JMVQ523\Installer2[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
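
The two report formats posted in this thread (the SDFix Report.txt in post #6 and the MBAM scan log above) are plain text that the helpers read by eye. Below is an added example, not code from the thread or from the SDFix or Malwarebytes projects, of a small Python parser that pulls out the parts a helper actually acts on: the files SDFix deleted, the catchme hidden-item counters, the "Files with Hidden Attributes" entries, and what MBAM quarantined. The sample logs are constructed from the ones posted here (trimmed to the relevant sections); reading the attribute column as DOS attrib letters (A archive, S system, H hidden) and the "hidden executable" heuristic are my own assumptions, not something the tools document.

```python
import re
from dataclasses import dataclass

# Constructed sample logs, modelled on the SDFix and MBAM reports posted in this thread
# (trimmed; the paths are the ones the thread shows).
SDFIX_SAMPLE = r"""SDFix: Version 1.167
Run by Harold on Wed 04/09/2008 at 5:31a

Trojan Files Found:

C:\WINNT\system32\0.exe - Deleted
C:\WINNT\system32\braviax.exe - Deleted
C:\WINNT\system32\univrs32.dat - Deleted

Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden processes ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Files with Hidden Attributes :

Sat 16 Jun 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Harold\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
"""

MBAM_SAMPLE = r"""Malwarebytes' Anti-Malware 1.11
Database version: 604

Scan type: Quick Scan
Objects scanned: 25654

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 1

Files Infected:
C:\Documents and Settings\Harold\Local Settings\Temporary Internet Files\Content.IE5\6JMVQ523\Installer2[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".sys")


@dataclass
class HiddenFile:
    date: str
    size: int
    attrs: str   # assumption: DOS attrib letters as SDFix prints them (A archive, S system, H hidden)
    path: str


@dataclass
class Detection:
    path: str
    name: str    # detection name, e.g. Trojan.FakeAlert
    action: str  # what MBAM did with it


# One regex per line shape; all anchored to a whole line so headings and chatter are skipped.
_SDFIX_DELETED = re.compile(r"^([A-Za-z]:\\.+?) - (Deleted)\s*$", re.M)
_SDFIX_HIDDEN = re.compile(r'^(\w{3} \d{1,2} \w{3} \d{4}) ([\d,]+) (\S{5}) --- "(.+)"\s*$', re.M)
_CATCHME = re.compile(r"^hidden (processes|services|files): (\d+)\s*$", re.M)
_MBAM_COUNT = re.compile(r"^([A-Za-z ]+ Infected): (\d+)\s*$", re.M)
_MBAM_FILE = re.compile(r"^([A-Za-z]:\\.+?) \(([^()]+)\) -> (.+?)\.?\s*$", re.M)


def parse_sdfix(text):
    """Return the deleted files, hidden-attribute entries and catchme counters from an SDFix report."""
    deleted = [m.group(1) for m in _SDFIX_DELETED.finditer(text)]
    hidden = [HiddenFile(m.group(1), int(m.group(2).replace(",", "")), m.group(3), m.group(4))
              for m in _SDFIX_HIDDEN.finditer(text)]
    catchme = {m.group(1): int(m.group(2)) for m in _CATCHME.finditer(text)}
    return {"deleted": deleted, "hidden": hidden, "catchme": catchme}


def parse_mbam(text):
    """Return the per-category counts and the per-file detections from an MBAM scan log."""
    counts = {m.group(1): int(m.group(2)) for m in _MBAM_COUNT.finditer(text)}
    files = [Detection(m.group(1), m.group(2), m.group(3)) for m in _MBAM_FILE.finditer(text)]
    return {"counts": counts, "files": files}


def hidden_executables(hidden):
    """Heuristic (mine, not SDFix's): hidden-attribute files that are executables deserve a second look."""
    return [h.path for h in hidden if h.path.lower().endswith(EXECUTABLE_EXT)]


def triage(sdfix_text, mbam_text):
    """Condense both logs into the handful of facts a helper reads off them."""
    sd = parse_sdfix(sdfix_text)
    mb = parse_mbam(mbam_text)
    return {
        "sdfix_deleted": len(sd["deleted"]),
        "rootkit_indicators": any(v > 0 for v in sd["catchme"].values()),
        "hidden_executables": hidden_executables(sd["hidden"]),
        "mbam_quarantined": [d.path for d in mb["files"] if "Quarantined" in d.action],
        "mbam_total_infected": sum(mb["counts"].values()),
    }


if __name__ == "__main__":
    for key, value in triage(SDFIX_SAMPLE, MBAM_SAMPLE).items():
        print(f"{key}: {value}")
```

A hidden or system attribute on its own is not evidence of infection: the DRM backup and the Roxio cache files in the posted log are normal, which is why the helper only singles out executables. Likewise the three zero counters from catchme are what "nothing hidden from the API" looks like, consistent with quietman7 treating the remaining registry-import error as harmless.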

#9 quietman7, Bleepin' Janitor (Global Moderator, 51,745 posts, Virginia, USA)

Posted 10 April 2008 - 06:38 AM

How is your computer running now? Any more reports/signs of infection?

#10 Mankind (Topic Starter, Members, 13 posts)

Posted 10 April 2008 - 03:35 PM

Well...after the scanning it was running very slow, but then I restarted the computer and it was ok. I have a slow computer anyway. My Computer doesn't seem to be infected anymore with spyware, so thank you very much.

Do I run the Windows updates now?

Edited by Mankind, 10 April 2008 - 03:37 PM.


#11 boopme, To Insanity and Beyond (Global Moderator, 73,490 posts, NJ USA)

Posted 10 April 2008 - 03:58 PM

First do this and then update.
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#12 Mankind (Topic Starter, Members, 13 posts)

Posted 10 April 2008 - 04:12 PM

Sorry, but I don't see any "system restore" on windows 2000 pro.

#13 boopme, To Insanity and Beyond (Global Moderator, 73,490 posts, NJ USA)

Posted 10 April 2008 - 04:53 PM

I'm sorry, I mistakenly thought it was XP. You cannot perform that process as I mentioned.

#14 Mankind (Topic Starter, Members, 13 posts)

Posted 10 April 2008 - 05:07 PM

It's ok. I guess I'll have to download Windows updates now then.

#15 boopme, To Insanity and Beyond (Global Moderator, 73,490 posts, NJ USA)

Posted 10 April 2008 - 05:12 PM

Yes, move on to the updates.