
Real hassle from virus/spyware


Comments

  • Donnie
    Donnie Posts: 9,862 Forumite
    Honestly, do you still have faith in AVG? Get rid...
  • rosy
    rosy Posts: 642 Forumite
    I am beginning to think I'll have to upgrade - I keep all these programs up to date and scan regularly and I have no idea how they got in. I can't think of anything I could have done that could have caused it - I'm a very cautious computer user ( unlike my sons maybe....:( )
  • Donnie
    Donnie Posts: 9,862 Forumite
    No need...just use the program supplied and get rid of AVG. No need to wait.
  • Hello again Rosy...

    You may wish to save these instructions to notepad or print them out for use while in Safe Mode.

    Step # 1

    Re-configure Windows Explorer to show hidden files & folders:
    How to Show Hidden Files & Folders

    Ensure you're familiar with rebooting into Safe Mode:
    How to Boot into Safe mode


    Step # 2

    Clean your Cache and Cookies in IE:
    Go to Control Panel > Internet Options > General tab.
    Click the "Delete Cookies" button and then the "Delete Files" button next to it.
    When prompted, place a check in: "Delete all offline content", click OK.

    Clean your Cache and Cookies in Firefox (if you also have Firefox installed):
    Go to Tools > Options. Click Privacy in the menu on the left side of the Options window.
    Click the Clear button located to the right of each option (History, Cookies, Cache).
    Click OK to close the Options window.
    Alternatively, you can clear all information stored while browsing by clicking "Clear All".
    A confirmation dialog box will be shown before clearing the information.

    Clean other Temporary files + Recycle bin
    Go to start > run and type: cleanmgr and click ok.
    Let it scan your system for files to remove.
    Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    Press OK to remove them.


    Step # 3

    Reboot into Safe Mode now please.

    Scan with HijackThis again and place a checkmark in the boxes before the following entries:-

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ipehluzjdx.org/TePo0AAID6...Hcvyv/RII.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


    Close ALL OTHER OPEN WINDOWS and click the "Fix Checked" button.


    Step # 4

    Use Windows Explorer to locate & delete the following files/folders:

    C:\WINDOWS\msbbau.dat

    C:\Documents and Settings\All Users\Application Data\Four Book Grim Noun\
    C:\Documents and Settings\Christopher\Application Data\LONGBARBEGGS\
    C:\Documents and Settings\John\Application Data\LONGBARBEGGS\
    C:\Documents and Settings\Michael\Application Data\LONGBARBEGGS\
    C:\Documents and Settings\Ros\Application Data\LONGBARBEGGS\

    *Right click the file or folder and select delete. Note the different user accounts!!


    Step # 5

    Open Notepad, (Start > Run, type notepad)
    Copy ALL the quoted text below to Notepad.
    Click File > Save As
    Change the Save as type to *All Files*
    Save it to your desktop as Fixlop.bat
    @echo off
    rem The hex-named .job files below are the scheduled tasks Lop created (hence Fixlop.bat)
    cd %systemroot%\Tasks
    rem Clear the read-only, system and hidden attributes first; del refuses to remove them otherwise
    attrib -r -s -h A8C0A1C091CF55D4.job
    attrib -r -s -h AF95FD95919A6F91.job
    del AF95FD95919A6F91.job
    del A8C0A1C091CF55D4.job
    exit
    Double-click Fixlop.bat to run the tool.


    Step # 6

    Restart the machine and download SmitfraudFix by S!Ri from either of these mirrors to your desktop:

    SmitfraudFix Mirror 1
    SmitfraudFix Mirror 2

    Right click SmitfraudFix.zip and Extract (unzip) the SmitfraudFix folder inside to your desktop.

    Open the SmitfraudFix folder and double-click "smitfraudfix.cmd"

    Select option #1 - "Search" by typing 1 and pressing "Enter".

    Copy & paste the contents of the text file which appears back here please.

    SOME ANTI-VIRUS PROGRAMS DETECT PROCESS.EXE (A COMPONENT OF THE REMOVAL TOOL USED IN THIS FIX) AS A "RISKTOOL". IT IS NOT HARMFUL AND ANY ALERTS FROM YOUR ANTI-VIRUS PROGRAM OF THIS NATURE SHOULD BE IGNORED.


    Step # 7

    Then post the following in your next reply please:
    1. New HijackThis log.
    2. Rapport.txt (Smitfraud log)
    3. Any problems you encountered.


    =================
    > I do remember getting Windows Defender to remove it but no one here has ever actually installed it.....

    > Believe me I am beginning to be a bit more hopeful and you are definitely decreasing my stress levels! Thanks! (I hope I haven't tempted fate there...)
    Someone must have installed it!! Don't worry though, we'll have you fixed up in no time! :)

    > Honestly, do you still have faith in AVG? Get rid...
    AVG is an anti-virus program. The issues here are an adware program and a Smitfraud trojan which NO anti-virus program can remove (hence the 3rd party SmitfraudFix removal tool).

    However, seeing as Rosy already has eTrust Anti-Virus (server edition), uninstalling AVG is a must. Running two AV programs at once is not recommended.

    > I am beginning to think I'll have to upgrade - I keep all these programs up to date and scan regularly and I have no idea how they got in. I can't think of anything I could have done that could have caused it - I'm a very cautious computer user (unlike my sons maybe...)
    All of these infections have been installed by a user. As already mentioned, Lop is installed with Messenger Plus when someone doesn't read the installation instructions. The prompts are quite clear and ask whether you wish to install the sponsor program (Lop) with the main program... Looking at your HJT log, it's clear Messenger Plus has been installed from the account you've run HJT on.

    The Smitfraud infection is a direct result of someone being fooled by a fake Windows prompt to install a new codec so a certain video can be viewed. Installing the codec installs the trojans!!

    > No need...just use the program supplied and get rid of AVG. No need to wait.
    I don't wish to converse about this recommendation on the open forum because it detracts from the issue in hand, but I'd be interested to know the details of the fix you offered Rosy and the program recommended, if you could PM them to me? :)
  • Donnie
    Donnie Posts: 9,862 Forumite
    Nice work, Alfonso Skinarelli.
    My problem with AVG is that it has let me down in the past, whereas Avast has saved my computer by stopping viruses and Trojans from installing in the first place.

    No need for me to reply via PM. Rosy asked about whether she should purchase a Panda product. I sent her a copy for evaluation.
    I didn't want anyone else asking. Nothing sinister.
  • Well that sorts that out then, thanks.
  • rosy
    rosy Posts: 642 Forumite
    Thanks, I am printing out the instructions as we speak. Can I just clarify something - I am not actually running eTrust antivirus. I know it must be installed on the computer, as a box with it is flashing up when I start up (this only started in the last couple of days). However, I went on to Add/Remove Programs yesterday and the only thing there was the registration stuff for it, which I removed. I can't see any eTrust on the PC when it lists the programs. If I can only have 1 antivirus program and I have eTrust somewhere on the PC and can't access it, how will I be able to get antivirus protection?

    I am also not sure about where to do all this - should I do this for each user on the computer? We all have different accounts, and when you switch on the PC each user has their own access tab which then starts up the PC in their own name. I know these spyware etc things are on different user accounts - my husband and elder son were away last week when these materialised and haven't been on their accounts at all, neither have I or my other son as I have been here all the time checking like a hawk.

    Can I also ask, as I have been pondering all night - could someone else have remote access to my PC? Everyone else swears blind they haven't been on any of the sites which were listed in the Panda scan. I know I was sitting here and some blue screen popped up with something about Paris Hilton with a .exe at the end. And yesterday when I was shutting down, at one point it said some program (FTRaces?) was not responding - I don't know what that is, I wasn't running it. Also, once when I went back after a break my screen told me I had two programs running and I only had one. There was definitely never any Messenger Plus installed by us - nobody has it, only the normal Messenger. I do remember clicking on a yellow shield for new critical Windows updates recently - could that be it then, and if so how can you tell the difference between that and a genuine one? I am not trying to do the "it wasn't us" thing, just to make sure that it's not possible for this to have all been done by someone hacking in from outside.

    Thanks
  • Hold fire on removing AVG under the circumstances then.

    These are the entries connected to eTrust. The program is set to fire up on boot so if there's no sign of it, these must be orphaned entries in your registry. Feel free to add these entries to the list for removal I posted above.

    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe



    You can also add this folder to the list of folders marked for deletion while in Safe Mode....

    C:\Program Files\CA\


    To address some of your questions.....
    > I am also not sure about where to do all this - should I do this for each user on the computer? We all have different accounts, and when you switch on the PC each user has their own access tab which then starts up the PC in their own name. I know these spyware etc things are on different user accounts

    The Lop adware program will infect each user account, but the HJT log you've posted is from the account it was originally installed on. This entry tells me this....

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ipehluzjdx.org/TePo0AAID6...Hcvyv/RII.html

    If you check the other accounts using HJT, this entry should not be present. Once we've cleaned up this user account, we'll take a peek at the others for you.

    > Can I also ask, as I have been pondering all night - could someone else have remote access to my PC? Everyone else swears blind they haven't been on any of the sites which were listed in the Panda scan. I know I was sitting here and some blue screen popped up with something about Paris Hilton with a .exe at the end.
    There's no sign of any backdoor activity at the moment, but I'm sure by the time we've finished we'll have a better overall view of the machine. To give yourself peace of mind, have a look at your firewall settings and the programs which have been allowed internet access. If there are any random process names, there's a good bet they've been allowed access at some point. Post back with any you're concerned about.
    > There was definitely never any Messenger Plus installed by us - nobody has it, only the normal Messenger.
    I would suggest someone isn't being entirely truthful with you, I'm afraid.
    > I do remember clicking on a yellow shield for new critical Windows updates recently - could that be it then, and if so how can you tell the difference between that and a genuine one?
    Smitfraud trojans often spawn legitimate-looking popup windows to fool users into clicking them. These are usually warnings of a spyware infection which recommend installing this or that program to remove the beasties.
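    Both of the helper's posts above come down to reading HijackThis lines (the R0/R1/O4 entries ticked in Step 3, and the orphaned eTrust O4/O23 entries listed just above) and deciding which to fix. The following Python is an added example, not code from the thread or from HijackThis, that parses lines of that shape and attaches a review reason using three assumed rules: an R0/R1 search setting is flagged when blank or when its host is outside a small assumed baseline of default Microsoft search hosts; an O4 autorun is flagged when its command runs from a user-writable location such as Application Data (where the thread's Lop folders live); an O23 service is flagged when its binary is missing from disk, which is exactly the eTrust situation. The KernelFaultCheck entry is Windows XP's own crash-dump reporter (dumprep.exe), harmless to remove but not malware, so this example leaves it unflagged even though the helper ticked it. The sample log is constructed from the thread's lines plus one made-up O4 line whose name and file are not from the page.

```python
# Added example: triage HijackThis-style log lines. Not code from the thread
# or from HijackThis; the baselines below are assumptions for illustration.
import re
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List
from urllib.parse import urlparse

# Assumed baseline: hosts a stock Internet Explorer of that era pointed its
# search settings at. Anything else in an R0/R1 line is flagged for review.
KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "go.microsoft.com",
                      "search.msn.com", "ie.search.msn.com"}

# Autorun commands living here deserve a second look: the Lop folders in the
# thread sit under each user's Application Data directory.
USER_WRITABLE_MARKERS = ("application data", "local settings", "\\temp\\", "\\tasks\\")

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# R0/R1 body: "<hive>\<key>,<value name> = <url, possibly empty>"
REG_VALUE_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
# O4 body: "<hive>\..\Run: [<name>] <command line>"
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O23 body: "Service: <display> (<short>) - <company> - <binary path>"
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<company>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    kind: str
    body: str
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def review(entry: Entry, exists: Callable[[str], bool]) -> List[str]:
    """Return the reasons an entry deserves attention (empty list = leave it)."""
    if entry.kind in ("R0", "R1"):
        m = REG_VALUE_RE.match(entry.body)
        if not m:
            return ["unparsed R-line"]
        value = m["value"].strip()
        if not value:
            # Not malicious, but "Fix checked" restores the default.
            return ["blank search setting; fix to restore the default"]
        host = urlparse(value).hostname or ""
        return [] if host in KNOWN_SEARCH_HOSTS else [f"search setting points at unknown host {host}"]
    if entry.kind == "O4":
        m = RUN_RE.match(entry.body)
        if not m:
            return ["unparsed O4-line"]
        command = m["command"].lower()
        if any(marker in command for marker in USER_WRITABLE_MARKERS):
            return ["autorun launches from a user-writable location"]
        return []
    if entry.kind == "O23":
        m = SERVICE_RE.match(entry.body)
        if not m:
            return ["unparsed O23-line"]
        return [] if exists(m["path"]) else [f"orphaned service: binary missing at {m['path']}"]
    return []


def parse_log(text: str, exists: Callable[[str], bool]) -> List[Entry]:
    """Parse every 'Xn - ...' line. `exists` answers whether a service binary is
    on disk: os.path.exists on the affected machine, a stub when reading offline."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entry = Entry(m["kind"], m["body"])
            entry.reasons = review(entry, exists)
            entries.append(entry)
    return entries


def triage(text: str, present_paths: FrozenSet[str] = frozenset()) -> List[Entry]:
    """Offline triage: only paths in `present_paths` count as existing on disk."""
    return parse_log(text, lambda p: p in present_paths)


# Constructed sample: the entries quoted in the thread plus one made-up O4 line
# (the "constructed-example" name and sample.exe are not from the page).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ipehluzjdx.org/TePo0AAID6...Hcvyv/RII.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [constructed-example] C:\Documents and Settings\Ros\Application Data\LONGBARBEGGS\sample.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("FIX " if e.flagged else "keep", e.kind, e.body, "|", "; ".join(e.reasons))
```

    On a live machine call `parse_log(text, os.path.exists)` so the O23 rule reflects the real disk; the eTrust services then come out as orphaned only if the CA folder really is gone, which is the check the helper made by inference from Rosy's description. The host baseline is deliberately strict: a search bar pointing anywhere unexpected is cheap to review and is the one entry in the thread that identifies the originally infected account.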
  • rosy
    rosy Posts: 642 Forumite
    Thanks for all that. I am in middle of following your previous instructions and will post back when finished. Will add the above to it.
  • rosy
    rosy Posts: 642 Forumite
    This is the Smitfraud log: Will post the rest in a few minutes when done

    SmitFraudFix v2.99

    Scan done at 11:20:56.29, 24/09/2006
    Run from C:\Documents and Settings\Ros\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ros\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ros\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\strCodec\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{6076d2b1-634c-4685-843b-f826045ea5dc}"="hemadynamometer"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
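The rapport.txt above is what the helper asked for in Step 6, and reading one is a matter of pulling out the lines SmitfraudFix marked "FOUND !" and the registry sections it prints for a human to judge (SharedTaskScheduler handlers, which Explorer loads at startup, and AppInit_DLLs, which every process loads). The Python below is an added example, not code from the thread or from S!Ri's tool: it parses a report of this shape into sections, collects the hits, and flags any SharedTaskScheduler CLSID outside an assumed baseline of the two handlers a clean Windows XP registers. The embedded report is a constructed shortening of Rosy's log.

```python
# Added example: parse a SmitfraudFix rapport.txt and list what needs a
# decision. Not code from the thread or from S!Ri's tool; the baseline of
# default SharedTaskScheduler handlers is an assumption.
import re
from dataclasses import dataclass, field
from typing import Dict, List

SECTION_RE = re.compile(r"^»+\s*(?P<name>.+?)\s*$")
FOUND_RE = re.compile(r"^(?P<path>.+?)\s+FOUND !$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)"$')

# Assumed baseline: the two handlers a clean Windows XP lists under
# SharedTaskScheduler (compared case-insensitively, hence upper case).
KNOWN_SHARED_TASKS = {
    "{438755C2-A8BA-11D1-B96B-00C04FB6BCC4}",  # Browseui preloader
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}",  # Component Categories cache daemon
}


@dataclass
class Report:
    found: Dict[str, List[str]] = field(default_factory=dict)   # section -> hits
    shared_tasks: Dict[str, str] = field(default_factory=dict)  # CLSID -> name
    appinit_dlls: str = ""


def parse_report(text: str) -> Report:
    """Walk the report line by line, tracking the current »»» section header."""
    report = Report()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        m = FOUND_RE.match(line)
        if m:
            report.found.setdefault(section, []).append(m["path"])
            continue
        m = REG_VALUE_RE.match(line)
        if m and section == "Sharedtaskscheduler":
            report.shared_tasks[m["name"].upper()] = m["value"]
        elif m and section == "AppInit_DLLs":
            report.appinit_dlls = m["value"]
    return report


def review(report: Report) -> List[str]:
    """One note per item a human should act on or explicitly clear."""
    notes = []
    for section, paths in report.found.items():
        for path in paths:
            notes.append(f"{section}: {path} (tool signature hit)")
    for clsid, name in report.shared_tasks.items():
        if clsid not in KNOWN_SHARED_TASKS:
            notes.append(f"SharedTaskScheduler: unknown handler {clsid} named {name!r}")
    if report.appinit_dlls:
        notes.append(f"AppInit_DLLs is set (loaded by every process): {report.appinit_dlls}")
    return notes


# Constructed sample: a shortened copy of the report posted in the thread.
SAMPLE_REPORT = r"""
SmitFraudFix v2.99
Scan done at 11:20:56.29, 24/09/2006
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\strCodec\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6076d2b1-634c-4685-843b-f826045ea5dc}"="hemadynamometer"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

if __name__ == "__main__":
    for note in review(parse_report(SAMPLE_REPORT)):
        print(note)
```

    Run against Rosy's log this yields the five shortcuts and the strCodec folder the tool matched, plus one SharedTaskScheduler handler outside the baseline; that last item is the kind of entry the tool prints with its "not inevitably infected" warning precisely because only a person comparing it against a known-good machine can decide.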