TechSpot

A Hi and a plea for help, smitfraud-c.toolbar888

By psxnut
Mar 8, 2007
  1. A big hello to you all, I wish it were under better circumstances, but I too have managed to install this bloomin' adware/virus. I have been reading the prior posts on the forum and it seems to me that my computer may have to have this thing removed step by step. Could you tell me if this thread here http://www.techspot.com/vb/topic58138.html is the correct tutorial to follow to get shot of it, or do I need a little one to one help? I would just format the drive but it contains too much history for me to just dump it all. Anyway, I'm up to a challenge, I have my sleeves rolled up and I'll try my hardest to not let it beat me.
    Any help very much appreciated.
    psxnut
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and the Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of psxnut only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. psxnut

    psxnut TS Rookie Topic Starter Posts: 30

    Thanks for the response, am running through at the moment. Can I also add that Windows Update keeps trying to update the Microsoft XML Core Services MS 06-061 and MS 06-071, I get the update shield in the taskbar all the time. I am up to step 13 running a full system scan with Norton anti virus in safe mode, AVG Antirootkit found no rootkits. Will post logs soon.
    cheers psxnut

    Hi again,
    Got through it, but forgot to do step 12 (missed it cause it had printed funny on my printout) so I am going back to run Combofix and then all programs in safe mode again, hope this is right. Will post logs soon, thanks for the help.
    psxnut

    sure sorry about. just a quick question, when I finish AVG antispyware and do logs and then reboot back into normal mode, is it OK to be connected to the net? or is it best not to connect then run a HJT scan?
     
  4. psxnut

    psxnut TS Rookie Topic Starter Posts: 30

    P.S. AVG Antirootkit Found No Roots


    symptoms are that the windows update shield sits in the task bar all the time, if you update it downloads 2 files 1 is MS06-061 Microsoft XML CORE Services (924191) 2 is MS06-071 Microsoft XML Core Services (928088)

    When you open MS Internet Browser adware windows pop up.
    Further spyware are downloaded into windows s/w


    Hope this helps.
    Regards psxnut
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    CCE_Patcher.exe
    QuickTime Pro v7.0.4.80 Multilingual.exe
    ClassicStartUp.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\xgqwlxur.dll",setvm

    O4 - Global Startup: Shortcut to ClassicStartUp.lnk = C:\Advance\ClassicStartUp.exe

    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)

    O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c9.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Advance<Delete the entire folder.
    C:\My Shared Folder\Cinema Craft Encoder (Cce Sp) v2.70.01.05 Cracked By Innyc (Really Fully Working!!).rar/CCE_Patcher.exe
    C:\Documents and Settings\Owner\My Documents\BitTorrent Downloads\QuickTime.Pro.v7.0.4.80.Multilingual.Incl.Serial<Delete the entire folder.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\system32\xgqwlxur.dll

    Once your system has rebooted, rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of psxnut only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
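
The HijackThis entries singled out in the post above can also be triaged mechanically. The following is an added illustration, not part of the original thread and not code from HijackThis; the heuristics, the function names and the final sample line are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# First five entries are quoted from the post above; the last is constructed for contrast.
SAMPLE_LOG = r'''
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\xgqwlxur.dll",setvm
O4 - Global Startup: Shortcut to ClassicStartUp.lnk = C:\Advance\ClassicStartUp.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c9.cab
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
'''

LINE_RE = re.compile(r'^(O\d+) - ([^:]+): (.*)$')            # section, kind, remainder
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\w+)', re.I)
ORPHAN_RE = re.compile(r'\((?:no file|file missing)\)\s*$')  # target no longer on disk
STANDARD_DIRS = ('c:\\program files\\', 'c:\\windows\\')     # assumed "expected" locations

def triage(line):
    """Parse one HJT log line; return None if it is not an O-section entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    notes = []
    if ORPHAN_RE.search(rest):
        notes.append('orphaned entry: target file absent')
    dll = RUNDLL_RE.search(rest)
    if section == 'O4' and dll:
        notes.append(f'autorun loads {dll.group(1)} (export {dll.group(2)}) via rundll32')
    if section == 'O4' and ' = ' in rest:
        path = rest.split(' = ', 1)[1]
        if not path.lower().startswith(STANDARD_DIRS):
            notes.append(f'startup shortcut targets non-standard path {path}')
    url = re.search(r'https?://\S+', rest)
    if section == 'O16' and url:
        notes.append(f'ActiveX codebase fetched from {urlparse(url.group()).hostname}')
    return {'section': section, 'kind': kind, 'notes': notes, 'raw': line.strip()}

def review(log_text):
    """Return only the entries that tripped at least one heuristic."""
    parsed = (triage(l) for l in log_text.splitlines())
    return [p for p in parsed if p and p['notes']]

if __name__ == '__main__':
    for hit in review(SAMPLE_LOG):
        print(hit['section'], '|', '; '.join(hit['notes']))
```

A flagged line is only a prompt for manual review; the orphaned ATI TV button above is harmless leftover, while the rundll32 autorun is the entry that matters.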
     
  6. psxnut

    psxnut TS Rookie Topic Starter Posts: 30

    Hi, Thanks for that done as stated.

    Just a few observations

    when I booted into Windows I got a box come up that said "ERROR LOADING C:WINDOWS SYSTEM32 XGQWLXUR.DLL
    THE SPECIFIED MODULE COULD NOT BE LOADED"

    also still got MS Windows update shield in taskbar

    another box popped up and said" NORTON INTERNET SECURITIES WINDOWS FIREWALL HAS BEEN TURNED OFF, DO YOU WANT TO USE NORTON INTERNET FIREWALL INSTEAD OF WINDOWS FIREWALL (RECOMMENDED) YES/NO SELECTED NO.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\xgqwlxur.dll",setvm

    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)

    O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c9.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\system32\xgqwlxur.dll

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  8. psxnut

    psxnut TS Rookie Topic Starter Posts: 30

    Hi again, Thanks for that done as stated.

    Just a few more observations

    when i booted into windows this time the box come up before that said" ERROR LOADING C:WINDOWS SYSTEM32 XGQWLXUR.DLL
    THE SPECIFIED MODULE COULD NOT BE LOADED" was NOT PRESENT.

    still got MS Windows update shield in taskbar

    box said" NORTON INTERNET SECURITIES WINDOWS FIREWALL HAS BEEN TURNED OFF, DO YOU WANT TO USE NORTON INTERNET FIREWALL INSTEAD OF WINDOWS FIREWALL (RECOMMENDED) YES/NO" came up again SELECTED NO.


    was not there so could not delete it.
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    To stop the Windows update shield from displaying in your system tray, do the following.

    Right click my computer and select properties. Click the Automatic updates tab and select Turn off Automatic updates. Click apply/ok.

    When Norton gives you the message again, select yes. Reboot your system and let me know if you're still having problems.

    Regards Howard :)

     
  10. psxnut

    psxnut TS Rookie Topic Starter Posts: 30

    OK here we go, these are my latest observations:

    rebooted Windows normally, no warning boxes. Tried Internet Explorer surfing, all seems OK. Windows update shield in taskbar is now red with white cross in middle and NIS keeps giving warning of Windows update Auto turned off.

    Norton Internet sec didn't come up with any firewall message, so I restarted.

    Second boot gave no warnings also. Norton firewall came up checked yes to let NIS control firewall, started IE with no signs of any problems. Surfed a few different pages still no pop ups or warnings.

    Shut down IE.

    Run SS&D found 6 entries
    1 Advertising.com cookie
    2 AvenueA.Inc cookie
    3 BFast cookie
    4 Double Click cookie
    5 MediaPlex cookie
    6 SmitFraud-C.Toolbar888 registry Key

    Before I fixed all, Norton Anti Virus came up and said
    " Found Virus
    C:\windows\system32\ddabx.dll.vir
    Virus Name: Trojan.Vundo
    The file was autodeleted"
    Hit Ok

    Then another
    "Virus Found
    C:\windows\system32\rqrssqn.dll.vir
    Virus Name: Trojan.Vundo
    The file was autodeleted"
    Hit Ok

    Then Box
    "NIS has finished you must shutdown to finish.
    Before I said OK

    I let SS&D clean 6 entries.
    Hit Ok on NIS box

    Restarted.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, sounds like you did the right things.

    Please post a fresh HJT log and I'll give it a quick check.

    Regards Howard :)

     
  12. psxnut

    psxnut TS Rookie Topic Starter Posts: 30

    Update

    Just ran SS&D again, found 4 entries

    1 Advertising.com cookie
    2 AvenueA.Inc cookie
    3 DoubleClick cookie
    4 MediaPlex cookie

    fixed all 4 items

    Yipee note no SmitFraud-C.Toolbar888 found. I think we must be going in the right direction.

    Done a ccleaner clean up.

    Just started Ad-Aware SE scan, will do HJT log after it finishes and post.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Running the Ccleaner programme as per the instructions in step 9 of this thread HERE, is a good idea. That'll clear a lot of rubbish off of your system.

    Regards Howard :)
     
  14. psxnut

    psxnut TS Rookie Topic Starter Posts: 30

    Update

    Ran Ad-Aware SE nothing found

    latest HJT log below
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean as a whistle.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  16. psxnut

    psxnut TS Rookie Topic Starter Posts: 30

    Good news about the HJT log, thanks

    My system restore has been turned off all the time. I turned it off yesterday so as not to let it restore me back to the bad ol' days or auto save any bad files. Was that wise or not?

    Just some extra info for you and anyone who may be reading this in the future.
    Just done another SS&D scan and come up with 4 cookie entries again, 3 as before but now Mediaplex cookie gone and new one appeared Tradedoubler cookie, fixed them rebooted with internet off scanned with SS&D nothing new found, turned internet back on without running IE, done SS&D scan nothing found, run IE into MSN (default) homepage, run SS&D, found nothing, set homepage to ntlworld/virgin media via IE properties, run IE into new homepage (ntl/virgin) closed IE, ran SS&D scan again, 3 spyware cookies back again.

    This calls for a few questions at this point, do you think that the cookies may be being dropped into my temporary internet folder by ntl/media?
    Or do I still have a virus/adware?
    How come these cookies drop in even though i have immunised my pc with SS&D?

    regards psxnut
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Having system restore turned off is down to personal preference. However, if something goes wrong, you won't be able to restore Windows to an earlier and hopefully working state. This could potentially lead to a reinstall, but it's your call. Personally, I've found system restore to be very useful on occasion.

    Tracking cookies are not something you should be unduly worried about. If you would use Firefox or Opera as your browser instead of IE, you'd get a lot less of them.

    See HERE for lots of info about cookies.

    Regards Howard :)

     
  18. psxnut

    psxnut TS Rookie Topic Starter Posts: 30

    Hi,

    Thanks for the reply, I rescanned my PC with all the steps again in the tutorial, only found the tracking cookies that were coming up all the time. So I had a look at IE settings (wished I had thought of it earlier) only to find that in my security settings, the part which allows cookies to be downloaded had been set to download all of them. I reset it to the default, medium level, and hey presto, no tracking cookie downloads. Rescanned with Spybot a couple of times and Ad-Aware SE, now reporting all clear.

    The system seems to be running well now, except for the files we deleted in the clean up stage needing to be reinstalled.

    I'll keep an eye on things and report back if things go downhill, if that's OK.

    I would like to say to you that you do not know how grateful I am for the time you have spent helping me, and I must say that you are a credit to your good nature and an icon, in my view, to the well being of this vast network we call the internet. As Dave Allen would say, "Good night and may your god go with you"

    psxnut:)
     
Topic Status:
Not open for further replies.
