Sysprotectscanner Pop-up Issues


34 replies to this topic

#1 pdx5


Posted 16 June 2006 - 12:34 PM

Thanks in advance for an awesome forum! :thumbsup:

I read through a lot of previous posts on the same topic and I may need help with what appears to be a common problem. Here are my results from a recent HJT log dated 16/06/2006:

Logfile of HijackThis v1.99.1
Scan saved at 9:39:31 AM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\SunBeltKeriofirewall3152006\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\SunBeltKeriofirewall3152006\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\program files\softwin\bitdefender8\bdnagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SunBeltKeriofirewall3152006\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Bob\My Documents\Security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.legendhomes.com/exchange/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Downloads - {165D4F02-312C-4303-ABCA-AD6B35A2BE4D} - http://www.downloadalot.com (file missing) (HKCU)
O9 - Extra button: Searchalot - {BF6D715B-3F1D-449B-9842-8F1C14798B5C} - http://www.searchalot.com (file missing) (HKCU)
O14 - IERESET.INF: SearchAssistant=
O15 - Trusted Zone: *.rmlsweb.com
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} (FormLoader.Loader) - http://forms.orefonline.com/OLF/Runtime/FormLoader_RMLS.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\SunBeltKeriofirewall3152006\Personal Firewall 4\kpf4ss.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Vundo Fix Log
VundoFix V4.2.84

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.4

Scan started at 9:08:04 AM 6/16/2006

Listing files found while scanning....


C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.bak2
C:\WINDOWS\SYSTEM32\qttss.tmp
C:\WINDOWS\SYSTEM32\qttss.ini
C:\WINDOWS\SYSTEM32\qttss.ini2
C:\WINDOWS\SYSTEM32\ssttq.dll
C:\WINDOWS\SYSTEM32\qttss.ini2
C:\WINDOWS\SYSTEM32\qttss.bak2
C:\WINDOWS\SYSTEM32\qttss.tmp
C:\WINDOWS\SYSTEM32\qttss.ini
C:\WINDOWS\SYSTEM32\qttss.ini2
C:\WINDOWS\SYSTEM32\ssttq.dll
Attempting to delete C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qttss.bak2
C:\WINDOWS\SYSTEM32\qttss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qttss.tmp
C:\WINDOWS\SYSTEM32\qttss.tmp Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qttss.ini
C:\WINDOWS\SYSTEM32\qttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qttss.ini2
C:\WINDOWS\SYSTEM32\qttss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ssttq.dll
C:\WINDOWS\SYSTEM32\ssttq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\ssttq.dll
C:\WINDOWS\SYSTEM32\ssttq.dll Could not be deleted.

Performing Repairs to the registry.
Done!


Active Scan Results

Incident Status Location

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Bob\Cookies\bob@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Bob\Cookies\bob@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bob\Cookies\bob@atdmt[2].txt
Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Bob\Cookies\bob@delfinproject[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Bob\Cookies\bob@doubleclick[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Bob\Cookies\bob@stats1.reliablestats[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Bob\Cookies\bob@zedo[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\xxyvurs.dll

Edited by pdx5, 16 June 2006 - 04:07 PM.



#2 MFDnSC


Posted 16 June 2006 - 04:50 PM

Please click here http://www.java.com/en/download/manual.jsp to download the latest version of JAVA 1.5.0.7. Install the application, then go to the Add/Remove Programs options in the Control Panel and Remove ALL previous versions of JAVA.

=============

Check EWido for updates and run it
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 pdx5


Posted 16 June 2006 - 07:27 PM

Thank you so much for your assistance, "MFDnSC". You rock!

I've followed your instructions and deleted the previous versions of Java and I've updated the Ewido malware.

Is this all I'll need to do to keep the irritating pop-ups away?
Do I need to do anything with any of the items found in the HJT, ActiveScan or VunDo program?

Thanks Again!

#4 MFDnSC


Posted 17 June 2006 - 09:31 AM

Log looks fine

Turn off restore points, boot, turn them back on – here’s how

XP
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 pdx5


Posted 19 June 2006 - 07:20 PM

Thank you so much for all your assistance MFDnSC.
But I still have a problem and I've held off on doing the system restore until I check with someone first.

I am still receiving unwanted pop-ups even when I simply go to reply to this message. Most of the ads are the same SysProtectScanner or some similar type of ad. This is just so frustrating and I'm so grateful to have experts from BC around to help.

Today I decided to really attack this problem head-on so here's what I've done so far. Please review this data and let me know how I can rid my computer of this nuisance hopefully forever.

Today I ran the following scans:
Ad-Aware
Ewido
Avira AV
Spybot
Nod32
F-Secure Blacklight
VundoFix
Hijack This
Active Scan

Here are the results that I could find and post after the scans.

Logfile of HijackThis v1.99.1
Scan saved at 2:35:12 PM, on 6/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\SunBeltKeriofirewall3152006\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\SunBeltKeriofirewall3152006\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SunBeltKeriofirewall3152006\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\program files\softwin\bitdefender8\bdnagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Bob\My Documents\Security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.legendhomes.com/exchange/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Super Pop Up Ad Killer] C:\Program Files\NET2SOFT\Spk\Super Pop Up Ad Killer.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Downloads - {165D4F02-312C-4303-ABCA-AD6B35A2BE4D} - http://www.downloadalot.com (file missing) (HKCU)
O9 - Extra button: Searchalot - {BF6D715B-3F1D-449B-9842-8F1C14798B5C} - http://www.searchalot.com (file missing) (HKCU)
O14 - IERESET.INF: SearchAssistant=
O15 - Trusted Zone: *.rmlsweb.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} (FormLoader.Loader) - http://forms.orefonline.com/OLF/Runtime/FormLoader_RMLS.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\SunBeltKeriofirewall3152006\Personal Firewall 4\kpf4ss.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

AD-AWARE

ArchiveData(auto-quarantine- 2006-06-19 10-44-18.bckp)
Referencefile : SE1R112 15.06.2006
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU FileReference : C:\Documents and Settings\Bob\recent\00AD3740_kds.lnk
obj[1]=MRU FileReference : C:\Documents and Settings\Bob\recent\Help.lnk
obj[2]=MRU FileReference : C:\Documents and Settings\Bob\recent\Legend Outlook E-mail.lnk
obj[3]=MRU FileReference : C:\Documents and Settings\Bob\recent\Log.lnk
obj[4]=MRU FileReference : C:\Documents and Settings\Bob\recent\Reports.lnk
obj[5]=MRU FileReference : C:\Documents and Settings\Bob\recent\RootkitReveal 6 17 06.lnk
obj[6]=MRU RegReference : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*
obj[7]=MRU RegReference : S-1-5-18\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*
obj[8]=MRU RegReference : S-1-5-21-3266277740-2725192599-853142344-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*
obj[10]=MRU RegReference : S-1-5-21-3266277740-2725192599-853142344-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.RDP
obj[11]=MRU RegReference : S-1-5-21-3266277740-2725192599-853142344-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.txt
obj[12]=MRU RegReference : S-1-5-21-3266277740-2725192599-853142344-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.xml
obj[13]=MRU RegReference : S-1-5-21-3266277740-2725192599-853142344-1005\software\microsoft\windows\currentversion\explorer\recentdocs\Folder
obj[14]=MRU RegReference : S-1-5-21-3266277740-2725192599-853142344-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
obj[9]=MRU RegReference : S-1-5-21-3266277740-2725192599-853142344-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.hlp

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[10]=IECache Entry : Cookie:bob@atdmt.com/
obj[11]=IECache Entry : Cookie:bob@linksynergy.com/
obj[12]=IECache Entry : Cookie:bob@doubleclick.net/
obj[13]=IECache Entry : Cookie:bob@2o7.net/
obj[14]=IECache Entry : Cookie:bob@tribalfusion.com/
obj[15]=IECache Entry : Cookie:bob@bfast.com/
obj[16]=IECache Entry : Cookie:bob@statcounter.com/
obj[17]=IECache Entry : Cookie:bob@advertising.com/
obj[18]=IECache Entry : Cookie:bob@as-us.falkag.net/



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:03:18 AM, 6/19/2006
+ Report-Checksum: 941CEBCE

+ Scan result:

C:\Documents and Settings\Bob\Cookies\bob@adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Bob\Cookies\bob@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Bob\Cookies\bob@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Bob\Cookies\bob@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Bob\Cookies\bob@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup


::Report End
=================================================================
AVIRA AV


AntiVir PersonalEdition Classic
Report file date: Monday, June 19, 2006 11:09

Scanning for 409725 virus strains and unwanted programs.

Licensed to: AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username:
Computer name:

Version informations:
AVSCAN.EXE : 7.0.0.42 557096 4/12/2006 02:46:40
AVSCAN.DLL : 7.0.0.42 53288 4/12/2006 02:46:40
LUKE.DLL : 7.0.0.42 118824 4/12/2006 02:46:43
LUKERES.DLL : 7.0.0.42 25640 4/12/2006 02:46:43
ANTIVIR0.VDF : 6.35.0.1 7371264 4/12/2006 02:46:37
ANTIVIR1.VDF : 6.35.0.5 2048 4/12/2006 02:46:37
ANTIVIR2.VDF : 6.35.0.33 173568 4/12/2006 02:46:37
ANTIVIR3.VDF : 6.35.0.48 23552 4/12/2006 02:46:37
AVEWIN32.DLL : 7.1.0.13 1536512 4/12/2006 02:46:38
AVPREF.DLL : 7.0.0.1 49192 4/12/2006 02:46:40
AVREP.DLL : 6.35.0.47 679976 4/12/2006 02:46:40
AVRPBASE.DLL : 7.0.0.0 2162728 5/8/2006 20:35:40
AVPACK32.DLL : 7.1.0.1 335912 4/12/2006 02:46:39
AVREG.DLL : 6.31.0.90 27688 4/12/2006 02:46:40
NETNT.DLL : 6.32.0.0 6696 4/12/2006 02:46:43
NETNW.DLL : 6.32.0.0 9768 4/12/2006 02:46:43
RCIMAGE.DLL : 7.0.0.71 1642536 4/12/2006 02:46:47
RCTEXT.DLL : 7.0.0.75 77864 4/12/2006 02:46:47

Configuration settings for the scan:
Jobname: '%s'.................: Manual Selection
Configuration file............: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Boot sectors..................: A,C,D
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 2
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Macro heuristic...............: 1
File heuristic................: -1
Primary action................: 1
Secondary action..............: 0

Start of the scan: Monday, June 19, 2006 11:09


The scan over running processes will be started
51 Processes was scanned

Start scanning boot sectors:

Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( 18 files ).


Starting the file scan:

The path A:\ could not be found!
The device is not ready.

C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Bob\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\Bob\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Bob\Application Data\Microsoft\Windows Defender\FileTracker\{D1CDDEE4-BB70-489D-9966-9DD9FC11CF98}
[WARNING] The file could not be opened!
C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Inetpub\catalog.wci\CiCL0001.000
[WARNING] The file could not be opened!
C:\Inetpub\catalog.wci\CiP10000.000
[WARNING] The file could not be opened!
C:\Inetpub\catalog.wci\CiP20000.000
[WARNING] The file could not be opened!
C:\Inetpub\catalog.wci\CiPT0000.000
[WARNING] The file could not be opened!
C:\Inetpub\catalog.wci\CiSL0001.000
[WARNING] The file could not be opened!
C:\Inetpub\catalog.wci\CiSP0000.000
[WARNING] The file could not be opened!
C:\Inetpub\catalog.wci\CiST0000.000
[WARNING] The file could not be opened!
C:\Inetpub\catalog.wci\CiVP0000.000
[WARNING] The file could not be opened!
C:\Inetpub\catalog.wci\INDEX.000
[WARNING] The file could not be opened!
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiCL0001.000
[WARNING] The file could not be opened!
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP10000.000
[WARNING] The file could not be opened!
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiP20000.000
[WARNING] The file could not be opened!
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiPT0000.000
[WARNING] The file could not be opened!
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSL0001.000
[WARNING] The file could not be opened!
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiSP0000.000
[WARNING] The file could not be opened!
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiST0000.000
[WARNING] The file could not be opened!
C:\Program Files\Dell\Support\UI\Search\catalog.wci\CiVP0000.000
[WARNING] The file could not be opened!
C:\Program Files\Dell\Support\UI\Search\catalog.wci\INDEX.000
[WARNING] The file could not be opened!
C:\System Volume Information\catalog.wci\CiCL0001.000
[WARNING] The file could not be opened!
C:\System Volume Information\catalog.wci\CiP10000.000
[WARNING] The file could not be opened!
C:\System Volume Information\catalog.wci\CiP20000.000
[WARNING] The file could not be opened!
C:\System Volume Information\catalog.wci\CiPT0000.000
[WARNING] The file could not be opened!
C:\System Volume Information\catalog.wci\CiSL0001.000
[WARNING] The file could not be opened!
C:\System Volume Information\catalog.wci\CiSP0000.000
[WARNING] The file could not be opened!
C:\System Volume Information\catalog.wci\CiST0000.000
[WARNING] The file could not be opened!
C:\System Volume Information\catalog.wci\CiVP0000.000
[WARNING] The file could not be opened!
C:\System Volume Information\catalog.wci\INDEX.000
[WARNING] The file could not be opened!
C:\WINDOWS\SoftwareDistribution\EventCache\{F67E2233-23B1-4DE0-9996-2E505A9D07A8}.bin
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CONFIG\SAM
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\DRIVERS\sptd6365.sys
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\DRIVERS\vaxscsi.sys
[WARNING] The file could not be opened!
The path D:\ could not be found!
The parameter is incorrect.



End of the scan: Monday, June 19, 2006 11:47
Used time: 38:00 min

The scan has been done completely.

4198 Scanning directories
216073 Files were scanned
0 viruses and/or unwanted programs was found
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3289 Archives were scanned
58 Warnings
0 Notes
===============================================================
NOD32 SCAN

Scan performed at: 6/19/2006 12:22:02 PM
Scanning Log
NOD32 version 1.1607 (20060619) NT
C:\Program Files\Eset\nod32.exe - is OK
Operating memory - is OK
MBR sector of the 1. physical disk - is OK
Active boot sector of the 1. physical disk - is OK

Date: 19.6.2006 Time: 12:22:10
Scanned disks, folders and files: C:
C:\AUTOEXEC.BAT - is OK
C:\BOOT.INI - is OK
C:\BOOTSECT.DOS - is OK
C:\CONFIG.SYS - is OK
C:\DELL.SDR - is OK
C:\hiberfil.sys - error opening (File locked) [4]
C:\IO.SYS - is OK
C:\IPH.PH - is OK
C:\MSDOS.SYS - is OK
C:\NTDETECT.COM - is OK
C:\NTLDR - is OK
C:\pagefile.sys - error opening (File locked) [4]
C:\VundoFix.txt - is OK
Number of scanned files: 225278
Number of threats found: 0
Time of completion: 14:00:40 Total scanning time: 5910 sec (01:38:30)
Notes:

================================================================

ActiveScan Log 6 19 2006

Incident / Status/ Location

Adware:adware/swimsuitnetwork / Not disinfected / c:\windows\system32\MYDLL.dll
Adware:adware/brands / Not disinfected / Windows Registry
Spyware:Cookie/Falkag / Not disinfected / C:\Documents and Settings\Bob\Cookies\bob@as-us.falkag[2].txt
Spyware:Cookie/Reliablestats / Not disinfected / C:\Documents and Settings\Bob\Cookies\bob@stats1.reliablestats[1].txt

=================================================================

VundoFix V4.2.84

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.4

Java version is 1.5.0.7

Scan started at 2:17:07 PM 6/19/2006

Listing files found while scanning....


C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.bak2
C:\WINDOWS\SYSTEM32\qttss.tmp
C:\WINDOWS\SYSTEM32\qttss.ini2
C:\WINDOWS\SYSTEM32\ssttq.dll
C:\WINDOWS\SYSTEM32\qttss.ini2
C:\WINDOWS\SYSTEM32\qttss.bak2
C:\WINDOWS\SYSTEM32\qttss.tmp
C:\WINDOWS\SYSTEM32\qttss.ini2
C:\WINDOWS\SYSTEM32\ssttq.dll
Attempting to delete C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qttss.bak2
C:\WINDOWS\SYSTEM32\qttss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qttss.tmp
C:\WINDOWS\SYSTEM32\qttss.tmp Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qttss.ini2
C:\WINDOWS\SYSTEM32\qttss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ssttq.dll
C:\WINDOWS\SYSTEM32\ssttq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\ssttq.dll
C:\WINDOWS\SYSTEM32\ssttq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V4.2.84

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.4

Java version is 1.5.0.7

Scan started at 3:41:10 PM 6/19/2006

Listing files found while scanning....


C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.ini
C:\WINDOWS\SYSTEM32\ssttq.dll

Edited by pdx5, 19 June 2006 - 07:33 PM.
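
As an added example (not part of the thread, and not code from AntiVir, NOD32 or VundoFix), the Python below reads the kind of log text pasted in the post above and pulls out the three things a helper actually looks for in it: which of AntiVir's "could not be opened" warnings are just Windows holding its own files open (registry hives and their .LOG files, pagefile, hiberfil, System Volume Information, CatRoot2) and which are files that deserve a manual look; which VundoFix entries have a reversed-name twin, since the listing shows ssttq.dll alongside qttss.ini, qttss.bak1 and so on, and "qttss" backwards is "ssttq"; and which files VundoFix reported it could not delete, which on this machine is ssttq.dll on every run. The allowlist of OS-locked paths is this example's own assumption, not a rule from any of the tools, and the sample text is assembled from lines in the posted logs.

```python
"""Triage helpers for the AntiVir and VundoFix output posted in this thread.

Added example for this page; it is not part of the thread and not code from
AntiVir, NOD32 or VundoFix.  The sample text below is assembled from lines
that appear in the posted logs.
"""
import re

# Files Windows itself keeps open while running; an on-demand scanner
# saying it "could not be opened" for these is expected and not a finding.
# This allowlist is an assumption of the example, not a rule from AntiVir.
EXPECTED_LOCKED_PREFIXES = (
    "c:\\windows\\system32\\config\\",        # live registry hives and their .LOG files
    "c:\\system volume information\\",        # System Restore / indexing catalog
    "c:\\windows\\system32\\catroot2\\",      # catalog database (edb.log, tmp.edb)
    "c:\\windows\\softwaredistribution\\",    # Windows Update cache
)
EXPECTED_LOCKED_FILES = {"c:\\hiberfil.sys", "c:\\pagefile.sys"}

WARNING = "[WARNING] The file could not be opened!"


def triage_unopenable(log_text):
    """Split AntiVir 'could not be opened' warnings into (expected, review).

    'expected' are OS-locked files; 'review' are files the OS does not
    normally hold open, which deserve a manual look (publisher, signature,
    what installed them) rather than an assumption either way.
    """
    expected, review = [], []
    lines = [line.strip() for line in log_text.splitlines()]
    # The warning always follows the path it refers to on the next line.
    for path, status in zip(lines, lines[1:]):
        if status != WARNING:
            continue
        lowered = path.lower()
        if lowered in EXPECTED_LOCKED_FILES or lowered.startswith(EXPECTED_LOCKED_PREFIXES):
            expected.append(path)
        else:
            review.append(path)
    return expected, review


# One VundoFix line: a full path, optionally followed by a status phrase.
VUNDOFIX_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\(?:.*\\)?(?P<stem>[^\\.]+)\.\w+)(?P<status> .*)?$"
)


def reversed_name_pairs(vundofix_text):
    """Find base names that are the reversal of another listed base name.

    In the posted output, ssttq.dll sits beside qttss.ini/.bak1/.bak2/.tmp;
    'qttss' reversed is 'ssttq'.  A DLL paired with reversed-name companions
    is a cheap indicator worth flagging when reading such listings.
    """
    stems = set()
    for line in vundofix_text.splitlines():
        m = VUNDOFIX_LINE.match(line.strip())
        if m:
            stems.add(m.group("stem").lower())
    pairs = {tuple(sorted((s, s[::-1]))) for s in stems if s[::-1] in stems and s[::-1] != s}
    return sorted(pairs)


def undeletable(vundofix_text):
    """Paths VundoFix reported as 'Could not be deleted' (still locked or loaded)."""
    suffix = " Could not be deleted."
    found = set()
    for line in vundofix_text.splitlines():
        line = line.strip()
        if line.endswith(suffix):
            found.add(line[: -len(suffix)])
    return sorted(found)


# Constructed sample: lines taken from the AntiVir log posted above.
ANTIVIR_SAMPLE = r"""
C:\System Volume Information\catalog.wci\INDEX.000
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\CONFIG\SAM
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\DRIVERS\vaxscsi.sys
[WARNING] The file could not be opened!
"""

# Constructed sample: lines taken from the first VundoFix run posted above.
VUNDOFIX_SAMPLE = r"""
Listing files found while scanning....

C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.ini2
C:\WINDOWS\SYSTEM32\ssttq.dll
Attempting to delete C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\ssttq.dll
C:\WINDOWS\SYSTEM32\ssttq.dll Could not be deleted.
"""

if __name__ == "__main__":
    expected, review = triage_unopenable(ANTIVIR_SAMPLE)
    print("expected OS-locked:", len(expected), "| to review:", review)
    print("reversed-name pairs:", reversed_name_pairs(VUNDOFIX_SAMPLE))
    print("still undeletable:", undeletable(VUNDOFIX_SAMPLE))
```

Run it as-is to see the constructed sample triaged, or paste a real AntiVir or VundoFix report into the two sample strings. Landing in the review list does not make a file malicious; sptd.sys and vaxscsi.sys are simply drivers that would not open, and the point of the list is that somebody has to identify them rather than scroll past. A file that a cleaner cannot delete while Windows is running, as ssttq.dll is here on every run, is the kind of thing the Safe Mode step later in this thread exists for.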


#6 MFDnSC

    Ret. Director I/T

  • Members
  • 4,310 posts

Posted 20 June 2006 - 08:23 AM

You did not remove this - Java version is 1.4.2.4

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). We'll get them in the next step.
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 pdx5
  • Topic Starter
  • Members
  • 22 posts

Posted 20 June 2006 - 03:54 PM

Thanks again MFDnSC,

I had uninstalled the earlier version of Java but it obviously didn't get rid of everything properly. I've done a search by files and deleted anything by Java dated earlier than June 2006, so now I believe it's all gone. Here is a new Vundo Log showing only the newest version 1.5.0.7:

VundoFix V4.2.84

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.7

Scan started at 1:38:03 PM 6/20/2006

Listing files found while scanning....


C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.bak2
C:\WINDOWS\SYSTEM32\qttss.ini
C:\WINDOWS\SYSTEM32\ssttq.dll
Attempting to delete C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qttss.bak2
C:\WINDOWS\SYSTEM32\qttss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\qttss.ini
C:\WINDOWS\SYSTEM32\qttss.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ssttq.dll
C:\WINDOWS\SYSTEM32\ssttq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

I'm unable to open/run the SmitFraud program due to NOD32 blocking it, but I will continue to hack away at this issue and I'll edit this e-mail with the scan log from SmitFraud shortly.

Thank you for your patience and all your help!

#8 MFDnSC

    Ret. Director I/T

  • Members
  • 4,310 posts

Posted 20 June 2006 - 04:01 PM

I think you posted the wrong log - I need the one from smitfraudfix

I will assume there are files there, so

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.

#9 pdx5
  • Topic Starter
  • Members
  • 22 posts

Posted 20 June 2006 - 04:40 PM

Thanks for the quick reply!

I'm stuck trying to download and unzip the file for SmitFraud. I've tried downloading the file zipped and then disconnecting from the internet while I disable all of the security programs. When I extract the files for SmitFraud everything appears okay (no security messages), but when I try to open smitfraudfix.cmd I come up with the red screen indicating that the process.exe file is missing and to hit any key to continue, which just closes down the program.

Any suggestions to work around this? Is there another program I can use or is there another way to safely download this file other than what I'm trying now?

Thanks again for all your help!

#10 MFDnSC

    Ret. Director I/T

  • Members
  • 4,310 posts

Posted 20 June 2006 - 04:50 PM

You are not extracting the folder to the desktop - there will be 7 files in the folder

#11 pdx5
  • Topic Starter
  • Members
  • 22 posts

Posted 20 June 2006 - 05:07 PM

I've downloaded the zipped file to my desktop and then I extract all 7 files in the folder. Then when I go to run the smitfraudfix.cmd program I get the DOS red error screen with the message that there is a missing process.exe file and to hit any key to continue, which closes the program down. I'm not sure what I'm doing wrong or what my computer is doing to prevent this program from downloading properly.

Thanks for any assistance you can offer.

#12 MFDnSC

    Ret. Director I/T

  • Members
  • 4,310 posts

Posted 20 June 2006 - 05:11 PM

You have to extract the folder to the desktop

#13 pdx5
  • Topic Starter
  • Members
  • 22 posts

Posted 20 June 2006 - 05:26 PM

Sorry about any confusion, but I have been downloading the 1 zipped file and the 7 extracted files to my desktop as instructed.

When I run the smitfraudfix.cmd program I continue to receive the red screen with the process.exe file missing message. Even though I'm not receiving any error messages from my anti-virus programs, is it possible that something is intercepting the process.exe file?

I've been turning off the anti-virus programs during the download and extraction process and then reactivating them to get back on the forum.

I appreciate all your efforts to assist me in this troubleshooting.

#14 MFDnSC

    Ret. Director I/T

  • Members
  • 4,310 posts

Posted 20 June 2006 - 05:33 PM

You should have a folder on your desktop and in that folder are the 7 files

#15 pdx5
  • Topic Starter
  • Members
  • 22 posts

Posted 20 June 2006 - 06:32 PM

Sorry for my confusion and I really do appreciate your patience and help.

I have downloaded the original zipped file to my desktop.
I have extracted the 7 files in the original zipped file to my desktop.
I try to run the smitfraudfix.cmd program from the file on my desktop and a DOS-type screen opens up with the red screen indicating that the program is missing the process.exe file.

I'll try to insert a few pics to see if that helps, but I'm not sure what to do differently to try to run this program.

[Three screenshots were posted here; the images are not reproduced.]