
Please Help Me! Virus On Laptop!

4 replies to this topic

#1 drj101


  • Members
  • 3 posts
  • Local time:02:19 AM

Posted 08 September 2008 - 01:58 AM

Hi all. Thanks in advance for any help offered. Sorry to be so frantic, but I've never had a virus on the laptop and I'm not that computer friendly, so I have no way of knowing how to fix it. It is some sort of YELLOW TRIANGLE WITH EXCLAMATION POINT that has begun to pop up on my tool bar. It's not a regular update icon; it's some sort of virus that, when you click on it, keeps telling you that your security and privacy are at risk and then starts opening up all kinds of bogus webpages. To top it off, it's sort of hijacked my desktop and deleted my regular background, and now I have some blue screen all over my desktop telling me that I am being warned about several threats and infections.

After some reading I have run a tool suggested by someone here to someone else experiencing the same virus. The tool I ran was called SmitFraudFix; I selected various options and ran them, but nothing has worked and I still have the same problem. I am now running something else I read about on here called Malwarebytes, but it hasn't finished doing the scan yet, so I don't know if that will fix the problem or not. So far it has found 25 objects infected, whatever that means. I plan to run the fix for that when the scan has completed.

In the meantime, here is the text file with the info from SmitFraudFix. I hope it helps someone assist me better. Also, in case it is helpful... I read somewhere to do a system restore. I tried doing that, but much to my surprise it was turned off, so I had no way of restoring it to a previous point once I became infected. It only gives me the option to restore today, which is of no help to me since the laptop is infected as of today's date. Lastly, I also read to go to Device Manager and see if there was anything with an exclamation point. I went to Device Manager and clicked on "show hidden devices", and there was indeed an exclamation point on something named 'Serial'. No idea what I'm talking about, but I figured it may be helpful to whoever is reading this that may be trying to help me and is much more computer savvy than I am.

Thanks again for any help offered. Here is the text file from Smit.

SmitFraudFix v2.346

Scan done at 0:12:05.12, Mon 09/08/2008
Run from C:\Documents and Settings\Dr J\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode


C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Toshiba\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dr J\Desktop\SmitfraudFix\Policies.exe




C:\WINDOWS\default.htm FOUND !
C:\WINDOWS\loader.exe FOUND !





C:\Documents and Settings\Dr J

C:\Documents and Settings\Dr J\Application Data

Start Menu



C:\Program Files

Corrupted keys

Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName"="My Current Home Page"

!!!Attention, following keys are not inevitably infected!!!

Credits: Malware Analysis & Diagnostic
Code: S!Ri

!!!Attention, following keys are not inevitably infected!!!

Credits: Malware Analysis & Diagnostic
Code: S!Ri

!!!Attention, following keys are not inevitably infected!!!

Credits: Malware Analysis & Diagnostic
Code: S!Ri

!!!Attention, following keys are not inevitably infected!!!

Credits: Malware Analysis & Diagnostic
Code: S!Ri

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]



Description: Intel® PRO/Wireless 2915ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order:

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4941638B-6DDF-4473-835D-86A6DCA1245E}: DhcpNameServer=
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4941638B-6DDF-4473-835D-86A6DCA1245E}: DhcpNameServer=
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4941638B-6DDF-4473-835D-86A6DCA1245E}: DhcpNameServer=
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=

Scanning for wininet.dll infection




#2 drj101

  • Topic Starter

  • Members
  • 3 posts
  • Local time:02:19 AM

Posted 08 September 2008 - 02:31 AM

Hi all,

This is the log file for the malware scan.

Malwarebytes' Anti-Malware 1.27
Database version: 1127
Windows 5.1.2600 Service Pack 2

9/8/2008 3:19:13 AM
mbam-log-2008-09-08 (03-19-13).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 106940
Time elapsed: 40 minute(s), 6 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 3
Files Infected: 16

Memory Processes Infected:
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\getsn32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{252874d8-5b00-4b93-a282-4ca656598278} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e221c81b-e518-4f93-b0d2-14e52065417a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d9f1530-0b38-4dcb-a90a-cecd559f3514} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d9f1530-0b38-4dcb-a90a-cecd559f3514} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\getsn32.msiesn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e6be5e3a-23f3-4ec2-b9b7-bcd9a601f2a3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38754e01-ac2e-482b-95fa-f1aee41823c4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9f146720-43f3-4fa6-b9e5-4fb13f8c2ffd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\uesiuqcr.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\uesiuqcr.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\webHancer (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr J\Application Data\Microsoft\dtsc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\getsn32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\smwin32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{62905520-7370-4141-A23C-96F524828AF7}\RP2\A0000007.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{62905520-7370-4141-A23C-96F524828AF7}\RP2\A0000008.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{62905520-7370-4141-A23C-96F524828AF7}\RP3\A0000052.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{62905520-7370-4141-A23C-96F524828AF7}\RP3\A0000053.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{62905520-7370-4141-A23C-96F524828AF7}\RP3\A0000061.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{62905520-7370-4141-A23C-96F524828AF7}\RP3\A0000062.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{62905520-7370-4141-A23C-96F524828AF7}\RP3\A0000766.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{62905520-7370-4141-A23C-96F524828AF7}\RP3\A0000767.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr J\Application Data\Microsoft\dtsc\335.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\whAgent.ini (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr J\Application Data\Microsoft\dtsc\s (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr J\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
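The Malwarebytes log above records more than a list of deletions: the `Hijack.UserInit` line shows a second executable appended to the Winlogon `Userinit` value (which Winlogon runs at every logon, so this is how the fake-alert trojan survived reboots), the `Hijack.TaskManager` line shows `DisableTaskMgr` set to 1 to keep the user from killing it, and two items are marked "Delete on reboot", which is why the next reply asks for a reboot and a rescan. The following script is an added example, not part of this thread or of Malwarebytes: it parses a log in this 1.x text layout into records and answers those three questions. The section names, the "Bad: (...) Good: (...)" form and the action strings are assumed from the posted log; the sample input is constructed from a few of its lines.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example).

Assumed log layout, taken from the posted log rather than any documentation:
a "<Section> Infected:" header followed by lines of the form
  <item> (<family>) -> [Bad: (<bad>) Good: <good>) -> ]<action>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the log posted above (paths copied from
# that post), trimmed to a few entries so the script runs offline.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.27
Database version: 1127
Memory Processes Infected: 1

Memory Processes Infected:
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\getsn32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\getsn32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
"""

ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_log(text: str) -> List[Detection]:
    """Walk the log line by line, tracking the current '<X> Infected:' section."""
    section = None
    out: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):            # section header, no count after it
            section = line[: -len(" Infected:")]
            continue
        m = ENTRY_RE.match(line)
        if section is None or not m:
            continue                              # version/count lines carry no detection
        rest = m.group("rest")
        action = rest.rsplit(" -> ", 1)[-1]       # last arrow segment is what MBAM did
        bg = BAD_GOOD_RE.search(rest)
        out.append(Detection(section, m.group("item"), m.group("family"), action,
                             bg.group("bad") if bg else None,
                             bg.group("good") if bg else None))
    return out


def count_by_section(dets: List[Detection]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in dets:
        counts[d.section] = counts.get(d.section, 0) + 1
    return counts


def pending_reboot(dets: List[Detection]) -> List[str]:
    """Items MBAM could not remove while loaded; they are gone only after a reboot."""
    return sorted({d.item for d in dets if d.action == "Delete on reboot."})


def userinit_additions(dets: List[Detection]) -> List[str]:
    """Executables appended to Winlogon\\Userinit beyond the legitimate userinit.exe.

    Userinit is a comma-separated list that Winlogon runs at every logon, so any
    extra entry here is a logon-time persistence mechanism worth recording."""
    extra: List[str] = []
    for d in dets:
        if d.family != "Hijack.UserInit" or d.bad is None or d.good is None:
            continue
        good_names = {g.strip().lower() for g in d.good.split(",") if g.strip()}
        for entry in d.bad.split(","):
            entry = entry.strip()
            if not entry:
                continue
            base = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base not in good_names:
                extra.append(entry)
    return extra


def policy_tampering(dets: List[Detection]) -> Dict[str, str]:
    """Registry policy values MBAM reset, keyed by value name (e.g. DisableTaskMgr -> '1')."""
    return {d.item.rsplit("\\", 1)[-1]: d.bad for d in dets
            if d.family.startswith("Hijack.") and d.family != "Hijack.UserInit"
            and d.bad is not None}


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("per section:", count_by_section(found))
    print("still pending reboot:", pending_reboot(found))
    print("extra Userinit entries:", userinit_additions(found))
    print("policy values reset:", policy_tampering(found))
```

The point of `userinit_additions` is that the trojan's name changes from machine to machine (`uesiuqcr.exe` here is clearly random), so a check that compares the observed value against the single expected `userinit.exe` catches it regardless of the name; the same comparison can be run directly against the live registry value on a machine that has not yet been scanned.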

#3 Budapest


    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:04:19 PM

Posted 08 September 2008 - 02:33 AM

Reboot your computer, update and scan again with Malwarebytes. Post a new log and let us know how your computer is behaving.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 drj101

  • Topic Starter

  • Members
  • 3 posts
  • Local time:02:19 AM

Posted 14 September 2008 - 02:38 AM

Hi again..

I ran Malwarebytes, CCleaner, virtmundo, SmitFraudFix and Spybot, and it all seemed to have fixed the prob. The desktop was back to normal and the triangle with the exclamation point stopped appearing in the toolbar. Everything was fine for about a week, and now I had all kinds of programs appear in my Program Files that I never downloaded. There were things like get module.exe, antivr.exe, gtza.exe or something like that. When I ran Spybot and Malwarebytes they seemed to have disappeared again, but I don't know what I'm doing that these things are not gone for good. I keep the laptop pretty clean. The only thing I can think gave me this problem is a satellite website I go to that is no longer there, and I may have downloaded some ActiveX thing to run something. The most recent problem was just giving me pop up after pop up, and in a second the browser would be filled with like 6 or 7 advertising websites. My firewall and antivirus programs are running but it doesn't seem to have made a difference. I just did a HijackThis scan and this is what it gave me. Please let me know if there is anything here that I should click 'fix checked' for. After doing the scan on HijackThis, I see that the getmodule is still there (under item O4). Don't know if I should click fix checked or not? Please advise. Also, is there something I should check in my registry a bit further? Thanks again.

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. -
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

End of file - 9215 bytes

#5 Budapest


    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:04:19 PM

Posted 14 September 2008 - 04:15 PM

Please download ATF Cleaner by Atribune and save it to your desktop (alternate download link). DO NOT use it yet.
Please download and install SUPERAntiSpyware Free.
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
