
Have Spyware That Generates Popup With Ie Strokes - (smitfraud Maybe?)

Q: Have Spyware That Generates Popup With Ie Strokes - (smitfraud Maybe?)

Starting three days ago started getting a popup in Internet Explorer and around desktop that says: "System Error! Your system was infected by unknown trojan. It's dangerous for your system (critical files can be lost)! click Ok to download the antispyware program to clean your system! (Recommended)" Based on internet research, sounds like "Smitfraud"? Have run spybot, adaware, spydoctor, housecall, panda, etc to try and remove it. SpyDoctor found it and said it removed it, but it's still there. Followed directions to run ComboFix, leading me here. PLEASE HELP!! I have ComboFix log saved, but Forum said not to post. Hijackthis log below. Screenshot attached.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:37 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
c:\program files\mcafee.com\agent\mcupdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://bspn.bankers.com/portal/login/html/..._requestid=9776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Media Player Codec - {687A466A-D7CB-4FDF-965C-92462A82D7F0} - C:\WINDOWS\dsaip32b.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A4629FC5-D6C8-4D08-A26B-C5CBA2FE190C} (CFtpClientMgr Object) - http://mcs.bankerslife.com/MCSFtp.cab
O16 - DPF: {DCB98BE9-88EE-4AD0-9790-2B169E8D5BBB} (HumanConcepts Organization) - http://www.humanconcepts.com/viewer/hcinstall.cab
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - https://www.escoreboard.com/ESB3/Reserved.R...OpType=PrintCab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 12202 bytes


A: Have Spyware That Generates Popup With Ie Strokes - (smitfraud Maybe?)

Hi,
Please read and perform the instructions posted here:
http://forums.spywareinfo.com/index.php?showtopic=107621
Reboot afterwards, rescan with HijackThis and post the new log in your next reply.


It appears my computer is infected with some sort of Smitfraud (popup) infection according to multiple scans with Spybot. I have followed the steps outlined in the "Start Here" thread, and still appear to have infections. The following is my most recent hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:00 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe...

A:Smitfraud (popup) Infection

Hi lynkz and Welcome to the Bleeping Computer!
Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall


Help I'm getting Smitfraud toolbar, and various other unwanted popups. It seems to be getting worse. I've tried Spybot Search & Destroy, Ad Adaware, Trend Antivirus, Vundo, and everything else that I can think of and it keeps coming back. Following is my hijack this log. Hope you can help.

Logfile of HijackThis v1.99.1
Scan saved at 20:56:03, on 2007-02-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\The ...

A:Smitfraud And Popup Attacks

Welcome to BC moideb

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Please post the contents of C:\vundofix.txt into your next reply, along with a new Hijackthis log please.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Hello. I am getting a Drive Cleaner popup every time I surf the web on this particular computer at work. There are various other random popups, but Drive Cleaner is the most common. I have run AdAware 3 times and it presently can't detect any ads. Spybot S&D detects something called Smitfraud-C.Toolbar888 and says I need to restart to remove it, as it resides in system memory. Upon restarting, it scans, detects the same entry again and gives the same message that it needs to restart and scan system memory. Online virus scanners such as Panda show no infections, have just run Stinger and it didn't seem to come up with anything. I have just run HijackThis, and selected system scan and log file, it seems to do the scan, but a windows dialogue comes up saying 'Program Error' 'HijackThis.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created.' A log still appears in the HijackThis folder so I will post its contents below. System is running Windows 2000. Thank you for your assistance.

Logfile of HijackThis v1.99.1
Scan saved at 12:41:35 PM, on 3/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spool...

A:Smitfraud-c.toolbar888 / Drivecleaner Popup

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Using My Computer/Windows Explorer, navigate to where you have HJT saved.
Right-click on the hijackthis.exe file. Select "Rename", call it fluffybunny and press enter.
Use fluffybunny.exe from now on.

From your log it appears that you are missing one important program: an antivirus. This is somewhat suicidal in today's digital world. Without one you are at a high-risk of reinfection; while I can try to sort your problem out, if you have no protection, the infections will keep resurfacing. Here are some great free antivirus programs:
Antivir, Avast!, AVG, Bitdefender Free
Install one of these, then run a full scan, letting it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

I have also noticed that you do not appear to have a firewall installed. This is an essential piece of software that acts as an extra layer of security, which restricts access to your computer from the outside world. Therefore, please download one of these free firewalls:
Zone Alarm
Kerio
If you would like some more information about firewalls and how to use them effectively, take a look here.

Once you have done all of this, please post back with a new HijackThis log.

Thanks,
Charles


Hi, This is my 1st time posting so bear with me. I have 3 problems. 1) on start up I get a "RUNDLL error loading w054aed4.dll. The specified module could not be found OK?" This msg does not appear if I run msconfig and turn off everything and reboot. ??? 2) on startup I get a msg "KGB 4.04 KGB trial period is over. This msg not displayed in reg version (in RED) TRIAL PERIOD IS OVER" I went to remove programs and removed it. I went to search and deleted all items that came up. 3) when running spybot I receive a notice of "SMITFRAUD-C KEYLOGGER text file c:\windows\offlog.txt" I tried to fix it by doing a reinstall of XP. I checked with google and found you. Attached is a log from hijack. Thanks for any help given. Donation will follow. Thank You

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\CPPasswd.exe
C:\Program Files\KGB\Mpk.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
C:\Program Files\Creative\SB ...

A:Solved: Kgb Popup & Smitfraud-c Keylogger


Yesterday I made the foolish mistake of installing VideoAccess Codec onto my laptop. I uninstalled it, now am being bombarded by Ultimate Defender popups. Have run Smitfraudfix numerous times, scanned with AVG (detected nothing), scanned with PandaSoft scanner, scanned with Spybot (detected Smitfraud-C.MSVPS), and currently STOPZilla is blocking MyGeek.CPVFeed. Below is the latest HJT report I have run.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:13 PM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONF...

A:Ultimate Defender popup, Smitfraud-C.MSVPS, et al.

Hi Welcome to TSG!!
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

 


Hi, I have been having some popup troubles lately in IE. I'm on Windows XP.

I have Webroot SpySweeper, but it never finds anything wrong. I also got SpyBot SD and each time I run that it tells me about smitfraud-c.coreservice, and I choose to fix it, spybot then tells me the problem is fixed... but I run it again and the same smitfraud trojan is still there. So I figure that may be the culprit...but who knows.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:57 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\...


Unfortunately I have picked up some spyware, including smitfraud (the one that replaces your desktop background). My "hijack this log" as is follows:

1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\memno.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\memno.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\memno.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\memno.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\memno.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\memno.dll/sp.html#55135
R0 - HKLM\Software\Microsoft...

A:need help with spyware... Smitfraud and more

Hello needshelp and welcome to the BC forums.

The log that was posted is incomplete. We need a complete HijackThis (HJT) log file to be able to analyze what is happening on your computer. If you do not have a copy of HijackThis or do not have the latest version (1.99.1) then download it from here: HijackThis_sfx.exe

Double-click on the file you just downloaded and click on the UnZip button to install the program. It will be installed to the C:\Program Files\HijackThis\ folder by default.

Start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis and click the Add Reply button.

I will review your log when it comes in.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT


Not sure enough to run smitfraud, so I thought I would show Hijack log before commencing any self help.

Deckard's System Scanner v20070426.43
Run by Caroline on 2007-05-21 at 19:39:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
92: 2007-05-21 23:39:54 UTC - RP1222 - Deckard's System Scanner Restore Point
91: 2007-05-21 21:47:51 UTC - RP1221 - System Checkpoint
90: 2007-05-16 17:30:49 UTC - RP1220 - System Checkpoint
89: 2007-05-15 16:33:58 UTC - RP1219 - System Checkpoint
88: 2007-05-14 16:21:23 UTC - RP1218 - System Checkpoint


-- First Restore Point --
1: 2007-02-16 08:35:55 UTC - RP1131 - Software Distribution Service 2.0


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Caroline.exe) --------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:49:08 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WIND...

A:Win spyware pop ups, did not run smitfraud yet

1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Hi

I am new to the forum, and have had the same problem as described in the following thread

http://forums.techguy.org/malware-r...74-solved-system-security-status-warning.html

After reading that thread - I downloaded the Spybot Search And Destroy program as suggested. I ran it on the normal mode, and followed instructions for checking problems and fixing them. There still seem some residual problems.

I also downloaded SmitfraudFix (by S!Ri) and ran it with Option 1 also as suggested in the same thread.

Later, I also ran the computer in Safe mode - and ran SmitFraud with Option 2 this time.

(I shall add the results of those two rapport.txt files in subsequent posts - it says the post is too long here. )

Then, I rebooted my computer in normal mode, and it seems a lot better, but

a) Upon running the Search And Destroy program - there still seem to be some problems
b) My IE browser still has Security Toolbar 7.1 on it

Please help. Thanks a lot.
 

A:Smitfraud spyware - please help.

Result from rapport.txt after the option 2 run
 


Hey guys, new here and have had problems removing smitfraud and possible other spyware. I have Mozilla and IE that I use and may have been infected. Comp runs slow, fake Microsoft help and support icons appear on my desktop and pop ups appear constantly. If you could lead me to as how to fix it. I have been battling for over a week with this. Thx again, N.

A:Possible Smitfraud/spyware Infection

Welcome to BC

If you're using Win XP or 2000, do this:
Please print out and follow the generic instructions for using "SmitfraudFix". Make sure you scroll down to Clean and perform the steps where you reboot in "Safe Mode" and run option #2.
-- If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!
-- If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive (usually C:\), and run it from there.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download and install SUPERAntiSpyware Free
Double-click SUPERAntiSypware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
Under the "Configuration and Preferences", click the Preferences... button.
Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave a...


hi, this is my first post on your site. your help with spyware etc looks great and i have followed the instructions before posting - thanks for the advice!

my flatmate had been having some computer problems so i told her i'd take a look. i downloaded spybot and found several trojans, malware etc and tried to remove them. most of them disappeared after a few scans, but smitfraud remained. i searched the internet for help to remove it and found this site. i have downloaded adaware, the stinger and all of the other things suggested and run several scans on each. according to spybot, there are now no problems, including smitfraud, so i thought i had been successful. however when using internet explorer i have noticed there are still adverts for spyware removal popping up etc, so i'm not sure whether i have actually removed everything.

i'd be very grateful if someone could take a look and give me some advice on what to do next.

here's the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:06:59, on 20/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEX...

A:Smitfraud And Other Spyware/malware

You have both Norton and BitDefender AV's running - there should only be one active AV on a system - remove one of them

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis - mark them, close IE, click fix checked

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\fiwwvqlb.dll",setvm

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\fiwwvqlb.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START - RUN - type in %temp% - OK - Edit - Select all - File - Delete

Delete everything in the C:\Windows\Temp...


I have cleaned my computer a few dozen times using adaware, spybot, and have used the smitfraud and command system cleaners found on the internet. I have also used AVG and Stinger to scan for viruses. Whatever I have keeps coming back and installing other stuff along with it.

Here is my HijackThis log, if anyone can help me figure out what is in my system.

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:51:51 AM, on 8/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\isnotify.exe
C:\Program Files\Google\Gmail Notifier\G...

A:Reoccuring Spyware, Smitfraud And Others!

Hi Agent0013

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!


Hi! I've read about this site in PC World and have learned a lot, but need help! I've got the Smitfraud, Spysherriff problem. My wallpaper has been covered with a message saying I have a virus, homepage hijacked, flashing icon in tray, etc. The usual problems I have read about. Here is my Hijack this log. Thanks for any help!!
Logfile of HijackThis v1.99.1
Scan saved at 11:48:54 AM, on 8/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program ...

A:Smitfraud, Spyware Sherriff, etc, Please Help!

hi, welcome to TSG.

IMPORTANT! Move Hijack this from the Temp, or from the zip folder to its own folder!
Make a new folder in C:\ and call it Hijack this, and Save hijack this to
this folder so that it runs properly and can make back ups. Click scan,
then save the log and post it here so we can take a look at it for you.

Download the Hoster from: http://members.aol.com/toadbee/hoster.zip. UnZip
the file and press "Restore Original Hosts" and press "OK". Exit Program.

www.funkytoad.com/download/hoster.zip

* Click here to download smitRem.exe.
for W2k & XP

http://noahdfear.geekstogo.com/click counter/click.php?id=1

* Save the file to your desktop.
* Unzip smitRem.zip to extract the two files it contains.
* Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


*Download Cleanup from Here
http://www.stevengould.org/software/cleanup/download.html
* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET

* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.

* Download the trial version of Ewido Security Sui...


Hi everyone. I'm having a problem with my desktop. I read the forum posts on the topic of the Smitfraud Trojan and followed its steps to remove it. I thought I had succeeded, but now I simply have a white screen with my icons on my desktop. When I right click on it and press properties I get some information about something called "warnhp". When I click on source I get the following information:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!----
***** This file is automatically generated by Microsoft Windows *****
--------><HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY
style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none"
bottomMargin=0 bgColor=#004e98 leftMargin=0 background="" topMargin=0
rightMargin=0>
<DIV
style="LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 0px; HEIGHT: 768px"><IMG
style="LEFT: 0px; WIDTH: 100%; POSITION: absolute; TOP: 0px; HEIGHT: 100%" cache
src="file:///C:/Documents%20and%20Settings/Owner/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp">
</DIV><IFRAME id=0
style="Z-INDEX: 10004; BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 1px; HEIGHT: 737px"
name=DeskMovrW marginWidth=0 marginHei...

A:Spyware/smitfraud Trojan?

Well, Here is a place that will help you get rid of this current problem: http://www.help2go.com/Tutorials/Spyware_I...SpyJack-F).html If you keep going from one problem to another problem one right after another like this is the second one and there might be more to follow, personally I think your system is over infected. One suggestion is to quit using these trial versions of everything (They go out of date and do not work properly) and get rid of the stuff from Symantec (Norton) It leaves a lot to be desired unless you like paying for being infected. If you still have problems with virus, worms, trojans and spyware after running the fix above I would suggest (I know I am going to get in trouble here for this) backup all of your data and then reformat and reinstall Windows and start from scratch. I would then suggest installing Service Pack 2 and a good free firewall, and good anti-spyware programs. believe me you do not have to spend money to be covered. I do not and I am covered very nicely.


About a week ago I noticed that IE's start page had been changed (to MSN), not by my choice. Also IE lost the ability to play videos which required me to re-download active x. Also around that time my virus scanner started giving me lots of "alerts" stating that spyware and some trojans had been quarantined.

Two days ago computer started going completely crazy. Started getting all these popups in IE (Firefox is not affected at all, although IE popups will show up at all times even when IE is not running). Weird icons started showing up on my desktop and dll's are missing.

I've done the following:

Scanned computer with Adaware twice and removed all malicious items (adaware found only about five).
Run the Smitfraud fix; my computer was infected and I did the fix.
Also ran AVG antispy, which found a TON more stuff.
Virus scanned computer which found even more malware. Quite a few of these were running on startup.

Note all of the above were done in regular mode; I haven't done any in safe mode.

Despite all this I am still getting the crazy popups with IE whether IE is running or not, and IE is running EXTREMELY slowly (oh, and start page still keeps going back to MSN). I also seem to have a bunch of things still running at startup because my computer is really "hanging". Virus scan found a bunch of things that were running at startup and supposedly quarantined them but I am still having issues. Every time I restart my computer I have different...

A:Smitfraud Gone But Other Spyware Remains, Help!

Welcome to the BleepingComputer HijackThis Logs and Analysis forum slothnamedslow

My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older versions of Sun Java, and then update.

1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

*NOTE*
If you have previously downloaded ComboFix, please delete that version and download it again from below.

Download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop

Close any open browsers.
Double click ...


I hope I am doing this right, I have a PC running windows XP and yesterday morning I started to receive multiple pop ups from the toolbar stating spyware has been found on my computer click here to fix, or something like download the latest antispyware and run FULL SYSTEM SCAN to remove viruses. I knew these messages weren't legit so I ran a scan with Norton and Norton didn't find anything so I tried using PC-Cillin, PC-Cillin found a few things but after I fixed and rebooted the same problems were occurring. So, I download spybot search and destroy and it found several things and I fixed but when I rebooted logged back in I had the same problems. So I downloaded Hijack this and below is the log file. I also tried to run updates from Microsoft and McAfee stinger but whatever is on my computer is keeping me from going to those sites.

Also, my desktop has changed to a completely blue back ground with "Warning:Spyware threat has been detected on PC" "Your computer has several fatal errors due to spyware activitiy"

Can anyone help me get rid of this thing that is on my PC?

Thank you so much for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:36 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\sy...

A:Smitfraud Infection? Spyware?

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

From your log it appears that you are missing one important program: an antivirus. This is somewhat suicidal in today's digital world. Without one you are at a high-risk of reinfection; while I can try to sort your problem out, if you have no protection, the infections will keep resurfacing. Here are some great free antivirus programs:

Antivir, Avast!, AVG, Bitdefender Free

Install one of these, then run a full scan, letting it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible. We are going to boot into Safe Mode later in the fix, and there is no internet access.

Download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.
Reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list. Make sure you choose the option without Networking Support.
Once in Safe Mode, open the SmitfraudFix folder again. Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; an...


About every week to week and a half, the following items show up in when I run Spybot:

Smitfraud-C
Spy Sherriff
Tibs.vq

I "clean" them using Spybot but they come back as I said. They have a huge impact on my access speed. Please help me to clean them permanently.

Regards
 

A:Recurring spyware (Smitfraud)


Please review my log file, Malware / Trojans, etc.
I run AdAware SE pro, Spybot Search and Destroy, Ewido Security Suite, Trend Micro Internet Security 12, CClean. The last days I am infected with several Trojans:
TROJ/TORPIG-C TROJAN! - Filenames spotted include ibm00001.exe
Trojan.Goldun - Filenames spotted include tool1.exe
STARTPA-YR TROJAN - Filenames spotted Paytime.exe
SPYBOT-CY Worm Module - Filenames spotted winstall.exe
W32/Colevo-A Worm - Filenames spotted Command.exe
W32/SdBot-CH Worm - Filenames spotted Mdms.exe
Unknown filenames like Ifzol.exe, Ifzom.exe and Secure32.html

I have been browsing the net and found some solutions that I tried. Including safe mode, deleting with the programs above et cetera. It seems that I conquered Tool1.exe and Mdms.exe. Unfortunately the others are still bothering me. Is there someone who is willing to help me out of this misery? Thanks!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 17:10:45, on 13-11-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Util\Schoonmaak\security suite...

A:Infected With Spyware!? - Paytime And Smitfraud

Hi and welcome to BleepingComputer.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Options > Track This Topic) so that you are notified when you receive a reply.

Please be patient with me during this time.


First off, thanks to you wonderful volunteers for helping us computer users out of the swamp of malware infestation. Until 2 days ago, I've managed to avoid most of the troubles I've read about: spyware by the ton, viruses, Trojans, etc... I use Firefox, stay away from questionable sites, don't click on links in emails, etc. etc. etc.

Two days ago I paid a visit to the Microsoft IE Marketplace to view their IE7 add-ons. As an avid Firefox user, I was curious if any programs existed allowing IE7 users to more closely approximate the Firefox experience. I'm frequently asked that question from friends/family who are scared to move away from IE. I downloaded three add-ons, directly from the MS site - IE7 Pro, Smart-mouse and an inline search program.

The next day, during my routine scans, malware popped up: Smitfraud C, AzeSearch., ZToolbar, a couple of new cookies and another red-flag about the Smart-mouse add-on for IE. Needless to say, I was extremely frustrated. I deleted the offending files and re-scanned - everything came back clean, but I want to make absolutely certain there's not more lurking beneath the surface.

So, below are the programs I already had installed followed by the steps I've taken to thus far and the log from the Deckard Scan.

Programs Already Had Installed:

AVG Anti-Virus
AVG Anti-Spyware
Ad-Aware SE
Spybot S&D
Spywareblaster
Trojan Hunter
F-Secure Blacklight
HijackThis
Deckard's System Scanner

Steps I've Taken:

1-...

A:Hit with spyware (Smitfraud-C, AzeSearch, VX2.ac, ZToolbar)

Here is the log for the Deckland Scan with my extra.txt file attached:

Deckard's System Scanner v20070328.36
Run by Lisa on 2007-04-06 at 13:03:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Lisa.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:03:25 PM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LClock\lclock.exe
C:\Progr...


Hi there!

My computer has been infected by what I'm gathering is a spyware/malware infection.

Although I can still use all programmes, these annoying messages keep popping up for example:

Trojan.W32.Looksky detected on your machine. This virus is distributed via the internet through email and active x objects. blah blah

There is also another annoying message that keeps popping up. Both of these produce an automatic internet explorer page leading to a spyware removal product (defender).

I have used Ad aware and Spybot, they have removed a few spyware, but Smitfraud keeps coming back. There is a big dark red desktop screen that keeps reinstalling itself as well. I have tried performing advice from different blogs to no avail. One piece of advice I followed was a long drawn out process where I used a free download called 'smitRem' which I had to use in Safe Mode. It looked very promising, until I restarted and the all familiar messages and desktop came back.

I have heard that HIjackThis can be dangerous if used incorrectly, so here is the log I have copied. I hope this helps. Thanks heaps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:24 PM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\...

A:Malware/spyware Infection - Smitfraud

Hello nga,

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the sys...


I need help, since yesterday my pc got infected with spyware and i can't seem to remove it all. The signs or effects are:

- a yellow triangular icon on the task bar, blinking, and with a message balloon saying "system alert: spyware detected. System detected spyware...". It basically directs you to a site of "Raze spyware"
- a window appears once in a while saying critical system error, your pc is infected by spyware
- a window sort of like norton anti-virus has appears saying "Virus alert - High risk - Norton has detected and removed.. Download.trojan"
- homepage is blocked and i can't seem to unblock it. Stuck in the page www.updateyoursystem
- besides these there are multiple publicity pop ups

I've used both Spy-bot and Ad-Aware SE but they don't seem to clean everything and spy-bot keeps detecting Smitfraud-C. and says it's fixed every time but it keeps showing up again.

I have here the Hijackthis scan. Hope you can help me. thanks

Logfile of HijackThis v1.99.1
Scan saved at 17:18:07, on 25-11-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
C:\...

A:Infected With Spyware Spyaxe / Smitfraud

* Click here to download smitRem.zip.
Save the file to your desktop.
Unzip smitRem.zip to extract the files it contains.
Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Download Cleanup from Here
A window will open and choose SAVE, then DESKTOP as the destination.
On your Desktop, click on Cleanup40.exe icon.
Then, click RUN and place a checkmark beside "I Agree"
Then click NEXT followed by START and OK.
A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
Click OK
DO NOT RUN IT YET

* Download the trial version of Ewido Security Suite here.
Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update click the OK button and it will go to the main screen
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and...


Hi,

I'm having some problems with my PC. The PC is acting strangely. Symptoms includes sudden prompts on my screen telling me I have spywares on my PC, constant pop-ups, slow internet speed, re-directing my intended site to some bogus anti-spyware/malware site etc.

I found the smitfraud-C.toolbar888, and a few others, when I did a scan using Spybot. While I managed to clean most of the other virus, the smitfraud keeps returning back. The problem is getting worse by the day. I can't even post this on my PC. When I click "New Post", the IE will hang and prompt me to close it. I'm now using another PC in the house to start this post. Hopefully, I can go back to my PC and click "Edit" and add in the logs you required.

I have read and tried many solutions available online to try and remove this bugs but to no avail. You guys are my only hope... I even followed some of the advice given here by the experts to other fellow sufferers and deleted some files/registry items after Hijackthis completed the scan. (hope I didn't delete anything really bad..)

Here's the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:20:03 AM, on 6/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe...

A:Malware/spyware Found. Smitfraud-c?

Welcome to the BleepingComputer HijackThis Logs and Analysis forum GeekMaster

My name is Richie and I'll be helping you to fix your problems.

Before we can provide you with any further assistance, you first need to go here and install Service Pack 1;
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

This will patch numerous security vulnerabilities in Internet Explorer and the Windows operating system. As your machine stands right now it's extremely vulnerable to infection. You need to get these updates installed first before we can proceed or we'll both be wasting our time.

Note: Do not install Service pack 2. If you install SP 2 on an infected machine it will cause serious problems within the operating system.

Once you've done, post a new Hijackthis log into your next reply.


Was able to remove many problems through adaware/spybot. Some still exist though, and performance still seems to make me think there are existing problems, any help is much appreciated!

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:29:03 PM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Mon...

A:Smitfraud And Other Spyware/performance Problems, Help Please

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Now, please reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.

Open the extracted SDFix folder and double click runThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Make a list of all the programs installed on your computer:
Open HijackThis
Click the Config... button, then go to the Misc Tools section.
Press Open Uninstall Manager. You'll see a list of programs.
Select Save List... - save it to your Desktop.
The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

Post report.txt in your next re...


A friend of mine brought me her laptop, and it was infected pretty thickly with a virus or twenty. I've been following topic 111533 very closely, and have run the following: SDFix, Smitfraudfix, Deckard's System Scanner and Combofix. Things seem to be getting closer to normal, but I would like a pro to check me out and make sure I got everything. Thanks!! HijackThis log is following.

A:Possible Smitfraud, Warning! Spyware Threat Had Been Detected

Hello USMCEddie,

Welcome to Bleeping Computer. Looks like you did pretty good here.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c cd /d C:\ComboFix\ & Combobatch.bat

Close all browsers and other windows except for HijackThis!, and click "Fix checked".
Reboot your computer.

Your Java is out of date, which leaves your computer vulnerable.

Updating Java
Download the latest version of Java Runtime Environment (JRE) 6u3.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click... Read more


First of all, some background information: I am not a computer savvy person, but at the workplace, it is pretty much "on the land of the blind, the one-eye is king" situation, with myself being the most knowledgeable on computer related matters where everyone else isn't.

Background information of the infected computer: Windows XP Service Pack 3

So here is the deal, a co-worker thought her computer was infected with a virus, after she checked her e-mail, and the desktop got switched with a red wallpaper claiming that the computer needed security, because there were possible security violations, and regular pop-ups saying that the computer was open for attacks, to click to download security (task manager had become blocked). After things got worse, she asked me for help. I ran Spybot Search and Destroy, which detected 6 SmitFraud entries (but it was incapable of nullifying them).

So, I researched about SmitFraud which took me to the following link:
http://www.bleepingcomputer.com/forums/t/17258/how-to-remove-the-smitfraud-generic-zlob-quicknavigate-virtual-maid/

After using SmitFraudFix.exe (following steps 1-12), the computer was somewhat better, because invasive unwanted pop-ups subsided, task manager was reinstated, but the problems were far from over.

A day later, the computer was unworkable. No programs would open as normal (not even in Safe Mode), a window requesting with what program would I want to open x or y program surfaced. Can't access any windows within the control pa... Read more

A:Spyware Doctor/antispy Spider/smitfraud

Hello and welcome to BC. Since you have a rootkit, the security of your PC should be considered as compromised.

A Rootkit is software that cloaks the presence of files and data to evade detection, while allowing an attacker to take control of the machine without the user's knowledge. Rootkits are typically used by malware including viruses, spyware, trojans, and backdoors, to conceal themselves from the user as well as from malware detection software such as anti-virus and anti-spyware applications. Rootkits are also used by some adware applications and DRM (Digital Rights Management) programs to thwart the removal of that unwanted software by users.

High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer. SunBelt

The tools and advice for this malware are best handled by our HiJackThis team. Please follow the instructions in this Guide: Preparation Guide for use before posting about your potential Malware problem. Once you've prepared the log, post that into this forum, HijackThis Logs and Malware Removal, NOT HERE.


Hi, I am hoping that you can help. I have been hijacked by a trojan called Smitfraud.c. I have run spyware removal to no avail it is still there. I am at my wits end, can you help? I am running XP Professional.

I have downloaded HijackThis and the log is as follows:


A:Solved: Help!! Trojan spyware - Smitfraud.c has taken over my computer


I'm having some real serious spyware and trojan problems. I have Spybot Search & Destroy, which says I have smitfraud, which I've tried to remove a few times, reboot the system and it's still there... I keep getting popups and Spyware Doctor keeps telling me things are trying to access the internet. I don't know what to do anymore.

Here are my logs for HJT and SUPERAntiSpyware


A:MAJOR PROBLEMS: smitfraud, trojans, spyware, etc.

I saw in another smitfraud thread to use combofix... here is the log for that...


Hi,

I turned on my computer on Friday having left it so my housemates could use it (mistake...) and the desktop has changed to a blue background with yellow text that reads "Warning, Spyware detected on your computer, install an antivirus or spyware remover to clean your computer" and a bunch of icons had appeared.

I left them well alone, and ran a selection of antivirus packages - Spybot Search and Destroy, Lavasoft Ad-Aware, and McAfee Virusscan. That picked up a fistful of things, which I deleted/cleaned etc. Mostly they were just suspicious cookies, but there was one at the bottom called Zlob?

Anyway, if I right-click the desktop and select properties, I am still missing the tab to change the desktop background and possibly a few others - this implies to me I still have a problem.

Any help would be much appreciated, I have run Deckard's and the main.txt is below, the extra.txt is attached. I have also run Pandascan and can attach the output from that if it would help?

Many thanks

-Shirt




A:Blue Desktop with spyware detected - appears to be Smitfraud?

OK, don't worry about it.

Did a system restore, then ran MalwareBytes Anti-Malware, followed by a Panda scan and then Spybot Search and Destroy.

Those no longer show anything as a threat, I'm going to run another online scan (Kaspersky or similar) overnight.

Got the pointers from other threads, so please keep posting because this forum is a hell of a lot of help! :)


I did a spyware scan, it found 94, including the smitfraud. My computer is running very slow and sometimes freezes altogether. Please find my log enclosed.

A:smitfraud found in spyware & very slow computer issues

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please reply to this topic stating that you still need help and I will work with you on resolving your computer problems. If your problem has been resolved, please post a reply letting us know so we can close your topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Once again, I apologize for the delay in responding to this topic.



A:[SpyAxe/SmitFraud type- WinHound] spyware problems


I've been trying to get rid of this for days now. Read 100s of googled pages and tried every
anti-virus/malware software removal tool recommended. Nothing has succeeded, the trojan
keeps reinstalling itself somehow and appearing as a Red Ball with Exclamation in the Sys Tray
on the lower right desktop.

Hovering a cursor over it only yields two choices, Open or Ignore.
If you open it, Security Warning window pops up, with Spyware Detection Alert
as the header. There is then some phoney "Your system might be infected" wording,
then 2 buttons to choose from, Full Scan or Learn More.

If the internet connection is left on, and the MSIE browser open,
it eventually starts throwing unwanted advertising windows.

This started out as a mistakenly installed WinAntiVirus malware, which
persisted through DOZENS of attempts at removal.

I've run the following software at least 10 different times, in both SafeMode
and Normal.

Windows Defender (Beta 2) does not find anything.

VundoFix V6.2.8 found some stuff early on, but removed it and now finds nothing

SpyBot S+D 1.4 found instances of SmitFraud Toolbar, claimed to have removed them, but they
kept re-appearing after rebooting.
I used the Process Explorer software to try and find the Threads in the
WinLogon.exe to kill as suggested, killed what seemed to be the random generated dlls,
but it didn't work. Trojan systray kept re-appearing after reboot.
Now it finds nothing on scan.

AdAware SE Personal 1.06r1 will no longer up... Read more

A:Impossible Smitfraud , Winantivirus, Spyware Detection Alert, System Tray



Hi, regrettably one of our PCs got hijacked. My DSS logs are copied below. Any help would be much appreciated.

Other details:
The desktop is replaced with a fake warning screen with the title:
Warning: Spyware threat has been detected on your PC.
It includes a link to a site where malware removal software is offered for sale.
When IE7 is open, multiple redirects happen, and performance is spotty.
The notification toolbar frequently informs that the computer has been hijacked, or an internet attack is occurring.

A:Hijacked - Smitfraud And Or Vundo? Warning: Spyware Threat Has Been Detected On Your Computer

Hello JDH27,

"regrettably one of our PCs got hijacked."

Is this a work or corporate computer?

We will run ComboFix. You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

You need to disable your Eset Antivirus before running ComboFix, as it will prevent it from running.

Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT

It is a simple procedure that will only take a few moments of your time. You DO NOT need to have the Windows CD to install Recovery Console! Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed.

We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a ... Read more


I am being bombarded with a security alert saying my computer is infected with spyware and my internet homepage has been taken over by a site wanting to do scans. The site is www.safetyhomepage.com and I can't get rid of it.
I would be grateful for any assistance.
Here is my HJT logfile


A:Spyware popup


I am running XP Home Edition and I am getting popup ads every 2 minutes and I have tried many things with no luck. It is definitely some kind of SpyWare on steroids. I took the advice of dvk01 on thread http://forums.techguy.org/showthread.php?t=185859, but still no luck. I even ran SpyBot and Ad-Aware in Windows XP Safe mode and it said it cleaned everything, but still no luck. As soon as I reboot the Spy Ware starts again. Also, it appears that the files that are causing this issue are...

ai_loader.exe
mamma-ia-ss.exe
mamma-dmk-ss.exe
mamma-dummy.exe
mamma-ikw-ss.exe
mamma-ss.exe
mamma-tvm-ss.exe

These were caught by Zone Alarm personal firewall. Furthermore, I have found the following dlls under C:\WINDOWS\SYSTEM32 that have a Date Modified of 6/18/2004 or greater and I cannot delete these.

AvMDRVR.DLL
Lronardo da Vinci.dll

I also ran HiJack This and the most recent log file is below. Any help that can be provided would be extremely appreciated!


A:SpyWare Popup Ads that will not go away

Do Spybot and Ad-Aware tell you the name of the spyware that you're infected with? If so, try doing a search for it on Google. Maybe you can find instructions on how to permanently remove it.
 

Read other 1 answers
RELEVANCY SCORE 44.4

I am running XP home additiona and I am getting popup ads every 2 minutes and I have tried many things with no luck. It is defintely some kind of SpyWare on steriods. I took the advice of dvk01 on thread http://forums.techguy.org/showthread.php?t=185859, but still no luck. I even ran SpyBot and Ad-Aware in Windows XP Safe mode and it said it cleaned everything, but still no luck. As soon as I reboot the Spy Ware starts again. Also, it appears that the files that are causing this issue are...

ai_loader.exe
mamma-ia-ss.exe
mamma-dmk-ss.exe
mamma-dummy.exe
mamma-ikw-ss.exe
mamma-ss.exe
mamma-tvm-ss.exe

These were caught by Zone Alarm personal firewall. Furthermore, I have found the following dlls under C:\WINDOWS\SYSTEM32 that have a Date Modifed of 6/18/2004 or greater and I cannot delete these.

AvMDRVR.DLL
Lronardo da Vinci.dll

I also ran HiJack This and the most recent log file is below. Any help that can be provided would be exremely appreciated!

Logfile of HijackThis v1.97.7
Scan saved at 1:07:58 PM, on 06/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\W... Read more

A:SpyWare Popup Ads that will not go away

Do Spybot and Ad-Aware tell you the name of the spyware that you're infected with? If so, try doing a search for it on Google. Maybe you can find instructions on how to permanently remove it.
 

Read other 1 answers
RELEVANCY SCORE 44.4

Hi everyone,

I have been searching for hours and hours and tried everything. My problem is that I have been getting many pop ups asking me to buy antispyware products which after some research are spyware themselves. They pop up randomly, sometimes when I'm not even surfing. It also pops up when I open Internet Explorer simultaneously, i.e. there are two windows when I open IE. One I opened and one ad pop up.

I use Windows XP Pro SP2. I have downloaded all Windows updates and installed them. Ran a virus check. Detected vundo virus. Removed that according to symantec.com. Used lavasoft ad-aware, spybot and spyware doctor. Updated them and scanned again.

Yet it still pops up. I use IE7.

Here are some of the links that pop up:


If someone would be able to help me, I would be very grateful

Thank you very much

Emma
 

A:Spyware/Ads Popup



A:Popup Spyware

Hello,

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1 for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click here to get Service Pack 1

Warning: You must only update to Service Pack 1, and not Service Pack 2. Doing this before your computer is clean can cause Windows to become unstable. We will update to SP2 after the log is clean.

After you have updated your computer to SP1, please restart your computer and post a new HJT log.


I am currently on my friend's computer and he is running Windows XP Pro SP3.

And randomly get popups saying you can download free spyware programs and a fake popup window saying you have infections.

Here are the logs:



Hi-I'm back. I was here last fall, and it helped. Thank you! I seem to have a bunch of greyware, spyware and at least one trojan (if not more). I have done a number of online scans with Trend Micro, and even though it's supposed to clean the computer, this trojan keeps reappearing. My computer is running very slowly, acting like it has memory problems, when it doesn't as I upgraded my RAM from 268 to 768MB last fall. Browser pages which were loading very quickly are slow. Applications hesitate like mad when I try to open them. I've seen windows that ask if I want to allow a program to open a page on the internet, which were never present before and don't seem legitimate. I am posting my hijackthis log and let me know if you want to see my Panda Activescan or Bitdefender logs. Thank you!

A:Infections, Spyware, Popups, False Security Warnings, Smitfraud, Everything Is Running Slowly

Hello pacificoast, Welcome back. I am not seeing much in your log, so let's dig deeper.

You will need to use Internet Explorer for this scan. Disable your antivirus program and go here to run BitDefender Online Scan. Click on I Agree. Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan". Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post the BitDefender log.

******************

Download ATF (Atribune Temp File) Cleaner by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido). This is a 30 day trial of the program.

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection. Both the Resident Shield and Automatic Updates will only be availa...

I am infected with Smitfraud -Toolbar888 -Zlob -Zlop.AQ -Nebular -Spyware Detection Alert and I hope that's all.

Logfile of HijackThis v1.99.1
Scan saved at 8:37:43 AM, on 11/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

A:Infected With,smitfraud-zlob-spyware Detection Alert-nebularzlop.aq-toolbar888 And I Hope Thats All.

Hello webergr13, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:

1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,
htv8

Hi, bit of a weird thing happened, I got a spyware popup for the first time ever on this computer... I was playing Eve Online, when suddenly my game minimized and I had a grey window appear in the middle of my screen asking me to install some sort of toolbar into IE...

A run through of what I seem to remember:

I had MSN Messenger running.
A CMD box opened then closed, no text appeared inside it.
I closed the popup immediately.
I didn't have IE running.

In my haste I went into C:\ and found a series of unusual files to my surprise, one of which was TB.exe which I deleted on the spot without thinking (No idea what that was). The other was some compressed file with a number letter name, and then there was SW.bat... I deleted them all.

A HJT is attached, any help is appreciated. I do know I'm an idiot randomly deleting suspicious files...

Thanks.
 

A:Solved: Spyware popup!


Hi, I have tried numerous ad programs that just don't help get rid of this one popup thing. I've tried Ad-aware and Spybot Search and Destroy, and the popup thing still comes up! Here is my hijack.log so HELP please!
Erik

Logfile of HijackThis v1.98.2
Scan saved at 9:47:00 PM, on 11/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


A:Popup/Spyware- MyHijackthis.log

Welcome to TSG!!
Download Spybot http://www.majorgeeks.com/download4392.html
Click on "Search For updates" When prompted.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.
Reboot.

Download Adaware SE http://lavasoft.element5.com/software/adaware/

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window: Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next.)

Reboot.

Create a permanent folder on your hard drive for Hijackthis, like My Documents\HJT
Click on this link to download Hijackthis. Save the download to the permanent folder you created. Post a new log from your permanent folder.
 


I'm having some serious problems with casinos popping up on my pc, as well as something called "winfix 2005". I've run Microsoft's anti-spyware, ewido security suite to no avail.. Help will be rewarded with tasty Jello Pudding Pops. Thanks a bunch!

Here's my Hijackthis log entry:

Logfile of HijackThis v1.99.1
Scan saved at 1:56:20 PM, on 8/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

A:Spyware popup craziness...

Hello NobodyJones and welcome to the BC malware forum. I think there is more here than what we are seeing in the HijackThis log. Let's run a different scanner and see what it shows us.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT

How do I stop the unwanted popup spyware? I use Win98/AOL9.0 and I also use a History Kill program that has a popup blocker. Spyware popups seem to be the only popup I get but they are many and often.
 

A:Unwanted Popup Spyware


Hi all

I was fortunate enough to have avoided any problems for almost an entire year on my new computer, when suddenly out of the blue I was hit with a drive-by browser hijacking and a mad influx of popups!

It's been a while since I had to do the spybot and hijack thing... can you please refresh my memory on how to handle this annoying problem?

Much thanks!
 

A:Spyware and Popup ups... AAACCKK!!
