
tdssserv.sys in my system


26 replies to this topic

#1 sim001

  • Members
  • 15 posts

Posted 21 January 2009 - 08:51 PM

3 days back I was attacked by the Win32.Zafi.B virus and the Go Google virus. I don't know how I got both of these. I have deleted Zafi from my system using Safe Mode, but I am not able to delete tdssserv.sys in my Device Manager, though I have disabled it. I ran Malwarebytes and have seen that now the virus is placed with a yellow circle with an exclamation mark. I don't know how to delete it; I have run Malwarebytes 3 times already, even in Safe Mode. I went into the registry and saw there is the TDSS virus in a few places, but I don't know how to delete them from the registry, as it is not allowing me to delete them. Can anyone attend to my problem? I would be grateful. Please tell me what to do. I have already installed ComboFix but haven't run it yet; I am waiting for some guidance. Please help me.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,569 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 January 2009 - 08:57 PM

Hello and welcome. First I moved your topic from XP to here.
This is a serious infection and I will first post you this advice.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to continue cleaning please post your MalwareBytes log.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,569 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 January 2009 - 09:08 PM

Please DO NOT run ComboFix until asked to.... See the BLUE type at top of page...

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

#4 sim001
  • Topic Starter

  • Members
  • 15 posts

Posted 21 January 2009 - 09:27 PM

I will first try to get rid of it; if not, I will load a new operating system.

I am not able to find the log. Where can I find it? I have searched in the Malwarebytes folder.


#5 sim001
  • Topic Starter

  • Members
  • 15 posts

Posted 21 January 2009 - 09:37 PM

This is my first scan result:
--------------------

Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 3

21/01/2009 5:30:11 PM
mbam-log-2009-01-21 (17-30-11).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|I:\|)
Objects scanned: 176955
Time elapsed: 1 hour(s), 48 minute(s), 3 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{BF39731B-1CC7-4951-AFBE-A899686D38D7}\RP266\A0107324.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSbrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmhlt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\santu\Local Settings\Temp\TDSS5d97.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\santu\Local Settings\Temp\TDSS5e52.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS1766.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdu.log (Trojan.TDSS) -> Quarantined and deleted successfully.

-----------------------
This is my 2nd scan:
-----------------------

Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 3

21/01/2009 10:22:50 PM
mbam-log-2009-01-21 (22-22-50).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|I:\|)
Objects scanned: 178421
Time elapsed: 1 hour(s), 42 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{BF39731B-1CC7-4951-AFBE-A899686D38D7}\RP266\A0107334.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF39731B-1CC7-4951-AFBE-A899686D38D7}\RP266\A0107335.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF39731B-1CC7-4951-AFBE-A899686D38D7}\RP266\A0107336.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF39731B-1CC7-4951-AFBE-A899686D38D7}\RP266\A0107337.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

Edited by sim001, 21 January 2009 - 09:39 PM.
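Reading two of these logs side by side is easier with a small parser. The following is an added example written for this page; it is not the poster's log, nor code from Malwarebytes. The embedded sample log is constructed in the same layout as the logs above, with placeholder paths and a zeroed restore-point GUID. It tallies detections by signature family, checks the summary counts against the detail blocks (a quick way to notice a truncated paste), and separates hits inside System Restore snapshots from hits elsewhere, which is exactly the split between the first and second scan above: the second scan's four remaining hits were all copies kept in a restore point.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log.
# Paths and the restore-point GUID are placeholders, not the poster's data.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 1
Registry Keys Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmhlt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS1766.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Matches both "Files Infected: 10" (summary block) and "Files Infected:" (detail block header).
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*(\d+)?\s*$")
# Matches "<item> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Files living inside a System Restore snapshot.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (declared_counts, detections).

    declared_counts maps a category to the count from the summary block;
    detections is a list of dicts with section, item, family and action.
    """
    declared, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, count = m.groups()
            if count is not None:
                declared[name] = int(count)   # summary line
                section = None
            else:
                section = name                # start of a detail block
            continue
        if section is None or line.startswith("("):
            continue  # header lines, or "(No malicious items detected)"
        d = DETECTION_RE.match(line)
        if d:
            detections.append({"section": section, **d.groupdict()})
    return declared, detections


def family_counts(detections):
    """Detections per signature family, e.g. Trojan.TDSS -> 2."""
    return Counter(d["family"] for d in detections)


def check_declared_counts(declared, detections):
    """Categories whose summary count differs from the detail block (hints at a truncated paste)."""
    actual = Counter(d["section"] for d in detections)
    return {name: (n, actual[name]) for name, n in declared.items() if n != actual[name]}


def split_restore_points(detections):
    """Separate file hits inside System Restore snapshots from everything else."""
    restore, live = [], []
    for d in detections:
        if d["section"] == "Files Infected" and RESTORE_RE.search(d["item"]):
            restore.append(d["item"])
        else:
            live.append(d["item"])
    return restore, live


if __name__ == "__main__":
    declared, found = parse_mbam_log(SAMPLE_LOG)
    print("families:", dict(family_counts(found)))
    print("count mismatches:", check_declared_counts(declared, found))
    restore, live = split_restore_points(found)
    print(f"{len(restore)} hit(s) in restore points, {len(live)} elsewhere")
```

Run it against a pasted log by replacing `SAMPLE_LOG` with the file contents; a non-empty result from `check_declared_counts` means part of the log was cut off, and a restore-point-only result means the live system is no longer reporting the family, only the snapshot copies are.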


#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,569 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 January 2009 - 09:43 PM

OK, good, you found it, and we'll clean those out at the end. We need to run a few more tools.

Run SAS from your regular user account:
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Now Part 1 of S!Ri's SmitfraudFix:
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#7 sim001
  • Topic Starter

  • Members
  • 15 posts

Posted 22 January 2009 - 04:19 AM

Here is the log after the SUPERAntiSpyware scan; it took around 5 hrs for the complete scan.
-----------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/22/2009 at 06:34 PM

Application Version : 4.25.1012

Core Rules Database Version : 3721
Trace Rules Database Version: 1695

Scan type : Complete Scan
Total Scan Time : 05:41:35

Memory items scanned : 241
Memory threats detected : 0
Registry items scanned : 7451
Registry threats detected : 0
File items scanned : 123270
File threats detected : 33

Adware.Tracking Cookie
C:\Documents and Settings\santu\Cookies\santu@trafficmp[1].txt
C:\Documents and Settings\santu\Cookies\santu@revsci[2].txt
C:\Documents and Settings\santu\Cookies\santu@mediaplex[2].txt
C:\Documents and Settings\santu\Cookies\santu@xiti[1].txt
C:\Documents and Settings\santu\Cookies\santu@adbrite[1].txt
C:\Documents and Settings\santu\Cookies\santu@advertising[1].txt
C:\Documents and Settings\santu\Cookies\santu@imrworldwide[2].txt
C:\Documents and Settings\santu\Cookies\santu@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\santu\Cookies\santu@doubleclick[2].txt
C:\Documents and Settings\santu\Cookies\santu@casalemedia[1].txt
C:\Documents and Settings\santu\Cookies\santu@statcounter[1].txt
C:\Documents and Settings\santu\Cookies\santu@atdmt[1].txt
C:\Documents and Settings\santu\Cookies\santu@apmebf[2].txt
C:\Documents and Settings\santu\Cookies\santu@media.sensis.com[1].txt
C:\Documents and Settings\santu\Cookies\santu@tribalfusion[1].txt
C:\Documents and Settings\santu\Cookies\santu@ad.yieldmanager[1].txt
C:\Documents and Settings\santu\Cookies\santu@adlegend[2].txt
C:\Documents and Settings\santu\Cookies\santu@tacoda[2].txt
C:\Documents and Settings\santu\Cookies\santu@at.atwola[2].txt
C:\Documents and Settings\sahi\Cookies\sahi@sonyeurope.112.2o7[2].txt
.kontera.com [ C:\Documents and Settings\santu\Application Data\Mozilla\Firefox\Profiles\xwics8jx.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\santu\Application Data\Mozilla\Firefox\Profiles\xwics8jx.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\santu\Application Data\Mozilla\Firefox\Profiles\xwics8jx.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\santu\Application Data\Mozilla\Firefox\Profiles\xwics8jx.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\santu\Application Data\Mozilla\Firefox\Profiles\xwics8jx.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\santu\Application Data\Mozilla\Firefox\Profiles\xwics8jx.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\santu\Application Data\Mozilla\Firefox\Profiles\xwics8jx.default\cookies.txt ]
C:\Documents and Settings\simi\Cookies\simi@ads.mediaturf[1].txt
C:\Documents and Settings\simi\Cookies\simi@atdmt[2].txt
C:\Documents and Settings\simi\Cookies\simi@keywordmax[1].txt

Adware.Vundo/Variant-MSFake
C:\PROGRAM FILES\MICROSOFT WORKS\LNCHTOUR.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\SETUP\PFILES\MSWORKS\LNCHTOUR.EXE

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSOSVD.DAT

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,569 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 January 2009 - 10:19 AM

Hi, there were a lot of files to go through and sort. Please run the SmitfraudFix. We don't want to leave any of this.

#9 sim001
  • Topic Starter

  • Members
  • 15 posts

Posted 22 January 2009 - 06:01 PM

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\BurnAware Professional\nmsaccessu.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\santu


C:\DOCUME~1\santu\LOCALS~1\Temp


C:\Documents and Settings\santu\Application Data


Start Menu


C:\DOCUME~1\santu\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK
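The useful part of a SmitfraudFix search report is the handful of persistence points it dumps in .reg syntax: the Winlogon Userinit value, AppInit_DLLs, and the Active Desktop components. The following is an added example written for this page (my code, not part of the thread and not S!Ri's tool) that parses those blocks and compares them against the clean values the report above shows. Assumptions: a default 32-bit Windows XP install with Windows on C:, and two constructed report snippets embedded as sample input, one clean and one with a placeholder AppInit DLL and an extra Active Desktop component pointing at a constructed file. It flags any desktop component whose Source is not About:Home, which is the same rule as keeping only "My Current Home Page".

```python
import re

# Clean baseline for these keys on a default Windows XP install, taken from the
# values the SmitfraudFix search report shows (assumption: 32-bit XP, Windows on C:).
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
        "System": "",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {
        "AppInit_DLLs": "",
    },
}
# Active Desktop components: a clean profile only needs the home-page entry.
DESKTOP_COMPONENTS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed snippet in the report's layout; values match the clean report above.
CLEAN_REPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
"""

# Constructed snippet with two deviations; the DLL name and HTML path are placeholders.
SUSPECT_REPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="file:///C:/WINDOWS/placeholder_warning.htm"
"FriendlyName"="Privacy Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\placeholder_hook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
"""


def parse_reg_dump(text):
    """Parse .reg-style blocks ([key] followed by "name"="value") into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg syntax doubles backslashes inside string values; undo that.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_persistence_points(keys):
    """Return (key, value_name, actual_value) for every deviation from the baseline."""
    findings = []
    for key, expected_values in EXPECTED.items():
        present = keys.get(key)
        if present is None:
            findings.append((key, None, "key missing from report"))
            continue
        for name, expected in expected_values.items():
            actual = present.get(name)
            # Registry paths are case-insensitive, so compare case-folded.
            if actual is None or actual.lower() != expected.lower():
                findings.append((key, name, actual))
    for key, values in keys.items():
        if key.startswith(DESKTOP_COMPONENTS + "\\"):
            source = values.get("Source", "")
            if source.lower() != "about:home":
                findings.append((key, "Source", source))
    return findings


if __name__ == "__main__":
    for label, report in (("clean", CLEAN_REPORT), ("suspect", SUSPECT_REPORT)):
        print(label, check_persistence_points(parse_reg_dump(report)))
```

A non-empty result is a reason to look at the named value before running the cleaning step, not proof of infection: Userinit legitimately carries extra entries on some managed systems, and a non-default Userinit path on a system where Windows is not on C: will also be flagged under these assumptions.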

#10 sim001
  • Topic Starter

  • Members
  • 15 posts

Posted 22 January 2009 - 06:07 PM

I ran that in normal mode, not in Safe Mode. Is that OK?

#11 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,569 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 January 2009 - 07:45 PM

Yes, part 1 in normal mode, part 2 in Safe Mode.
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

#12 sim001
  • Topic Starter

  • Members
  • 15 posts

Posted 22 January 2009 - 10:32 PM

jc

Edited by sim001, 23 January 2009 - 12:14 AM.


#13 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,569 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 January 2009 - 10:51 PM

Hello, no, sometimes that happens with the tool. Is your clock's time still in its normal format?
**
Fix that desktop with this:
Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").
These are some common malware related entries you may see:

Security Info
Warning Message
Security Desktop
Warning Homepage
Privacy Protection
Desktop Uninstall

If present, select each entry and click the Delete button.
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

When done, go back into your Desktop Settings and you should be able to change the color/theme to whatever you want.
**

Now just one more tool to run. SDFix..
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#14 sim001
  • Topic Starter

  • Members
  • 15 posts

Posted 22 January 2009 - 11:20 PM

Hey, even my home page has changed. I am seeing more changes after I ran those tools. Why is that?

#15 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,569 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 January 2009 - 11:27 PM

What was in the log? The malware may be there and is corrupting the files. This is a problematic malware.