A Hi and a plea for help, smitfraud-c.toolbar888

Status
Not open for further replies.

psxnut

A big hello to you all. I wish it were under better circumstances, but I too have managed to install this bloomin' adware/virus. I have been reading the prior posts on the forum and it seems to me that my computer may have to have this thing removed step by step. Could you tell me if this thread here https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ is the correct tutorial to follow to get shot of it, or do I need a little one-to-one help? I would just format the drive but it contains too much history for me to just dump it all. Anyway, I'm up to a challenge, I have my sleeves rolled up and I'll try my hardest to not let it beat me.
Any help very much appreciated.
psxnut
 
Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and the Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of psxnut only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks for the response, am running through at the moment. Can I also add that Windows update keeps trying to update the Microsoft XML Core Services MS 06-061 and MS 06-071, I get the update shield in the taskbar all the time. I am up to step 13, running a full system scan with Norton anti virus in safe mode. AVG Antirootkit found no rootkits. Will post logs soon.
cheers psxnut

Hi again,
Got through it, but forgot to do step 12 (missed it 'cause it had printed funny on my printout) so I am going back to run Combofix and then all programs in safe mode again. Hope this is right, will post logs soon, thanks for the help.
psxnut

Sure, sorry about. Just a quick question: when I finish AVG Antispyware and do logs and then reboot back into normal mode, is it OK to be connected to the net? Or is it best not to connect then run a HJT scan?
 
P.S. AVG Antirootkit Found No Roots


Symptoms are that the Windows update shield sits in the taskbar all the time. If you update, it downloads 2 files: 1 is MS06-061 Microsoft XML CORE Services (924191), 2 is MS06-071 Microsoft XML Core Services (928088).

When you open MS Internet Browser adware windows pop up.
Further spyware are downloaded into windows s/w


Hope this helps.
Regards psxnut
 
Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

CCE_Patcher.exe
QuickTime Pro v7.0.4.80 Multilingual.exe
ClassicStartUp.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\xgqwlxur.dll",setvm

O4 - Global Startup: Shortcut to ClassicStartUp.lnk = C:\Advance\ClassicStartUp.exe

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)

O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c9.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Advance <Delete the entire folder.
C:\My Shared Folder\Cinema Craft Encoder (Cce Sp) v2.70.01.05 Cracked By Innyc (Really Fully Working!!).rar/CCE_Patcher.exe
C:\Documents and Settings\Owner\My Documents\BitTorrent Downloads\QuickTime.Pro.v7.0.4.80.Multilingual.Incl.Serial <Delete the entire folder.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\xgqwlxur.dll

Once your system has rebooted, rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

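The HijackThis entries listed in the post above share a regular `code - type: data` layout. As an added example (not part of the original thread and not HijackThis's own code), the parser below splits those lines and tags them with review hints; the three heuristics and the trusted-folder baseline are assumptions of this sketch, not rules from the thread.

```python
import re

# Log lines copied from the thread above.
SAMPLE_LOG = r'''
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\xgqwlxur.dll",setvm
O4 - Global Startup: Shortcut to ClassicStartUp.lnk = C:\Advance\ClassicStartUp.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c9.cab
'''

ENTRY = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<data>.+)$')
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.(?:exe|dll)\b', re.I)
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\')  # assumed baseline

def parse_line(line):
    # Split "O4 - HKLM\..\Run: data" into section code, entry type and data.
    m = ENTRY.match(line.strip())
    return m.groupdict() if m else None

def triage(entry):
    """Return reasons a helper might review this entry (heuristics only)."""
    data, reasons = entry['data'], []
    low = data.lower()
    if '(no file)' in low or '(file missing)' in low:
        reasons.append('orphaned: target file absent')
    paths = WIN_PATH.findall(data)
    if entry['code'] == 'O4':  # O4 = autostart entries
        if 'rundll32' in low and any(p.lower().endswith('.dll') for p in paths):
            reasons.append('autorun loads a DLL via rundll32')
        if any(not p.lower().startswith(TRUSTED_ROOTS) for p in paths):
            reasons.append('autorun outside Windows/Program Files')
    if entry['code'] == 'O16' and re.search(r'https?://', low):
        reasons.append('ActiveX control fetched from remote URL')
    return reasons

def review(log_text):
    out = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:  # skip blank or non-entry lines
            out.append((entry['code'], triage(entry)))
    return out

if __name__ == '__main__':
    for code, reasons in review(SAMPLE_LOG):
        print(code, reasons or ['no heuristic matched'])
```

A hint is only a prompt for a human to look closer: a rundll32 autorun or a missing file is not malicious by itself, which is why each entry in the thread is still checked by hand.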
 
Hi, Thanks for that done as stated.

Just a few observations

When I booted into Windows I got a box come up that said "ERROR LOADING C:WINDOWS SYSTEM32 XGQWLXUR.DLL
THE SPECIFIED MODULE COULD NOT BE LOADED"

Also still got MS Windows update shield in taskbar.

Another box popped up and said "NORTON INTERNET SECURITIES WINDOWS FIREWALL HAS BEEN TURNED OFF, DO YOU WANT TO USE NORTON INTERNET FIREWALL INSTEAD OF WINDOWS FIREWALL (RECOMMENDED) YES/NO". SELECTED NO.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\xgqwlxur.dll",setvm

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)

O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seekmo/ie/bridge-c9.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\system32\xgqwlxur.dll

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

 
Hi again, Thanks for that done as stated.

Just a few more observations

When I booted into Windows this time, the box that came up before, that said "ERROR LOADING C:WINDOWS SYSTEM32 XGQWLXUR.DLL
THE SPECIFIED MODULE COULD NOT BE LOADED", was NOT PRESENT.

Still got MS Windows update shield in taskbar.

Box that said "NORTON INTERNET SECURITIES WINDOWS FIREWALL HAS BEEN TURNED OFF, DO YOU WANT TO USE NORTON INTERNET FIREWALL INSTEAD OF WINDOWS FIREWALL (RECOMMENDED) YES/NO" came up again. SELECTED NO.


Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\xgqwlxur.dll

was not there so could not delete it.
 
Your HJT log is now clean.

To stop the Windows update shield from displaying in your system tray, do the following.

Right click my computer and select properties. Click the Automatic updates tab and select Turn off Automatic updates. Click apply/ok.

When Norton gives you the message again, select yes. Reboot your system and let me know if you're still having problems.

Regards Howard :)

 
OK here we go, these are my latest observations:

Rebooted Windows normally, no warning boxes. Tried Internet Explorer, surfing all seems OK. Windows update shield in taskbar is now red with white cross in middle and NIS keeps giving warning of Windows update Auto turned off.

Norton Internet sec didn't come up with any firewall message, so I restarted.

Second boot gave no warnings also. Norton firewall came up checked yes to let NIS control firewall, started IE with no signs of any problems. Surfed a few different pages still no pop ups or warnings.

Shut down IE.

Run SS&D found 6 entries
1 Advertising.com cookie
2 AvenueA.Inc cookie
3 BFast cookie
4 Double Click cookie
5 MediaPlex cookie
6 SmitFraud-C.Toolbar888 registry Key

Before I fixed all, Norton Anti Virus came up and said
" Found Virus
C:\windows\system32\ddabx.dll.vir
Virus Name: Trojan.Vundo
The file was autodeleted"
Hit Ok

Then another
"Virus Found
C:\windows\system32\rqrssqn.dll.vir
Virus Name: Trojan.Vundo
The file was autodeleted"
Hit Ok

Then Box
"NIS has finished you must shutdown to finish."
Before I said OK

I let SS&D clean 6 entries.
Hit Ok on NIS box

Restarted.
 
Ok, sounds like you did the right things.

Please post a fresh HJT log and I'll give it a quick check.

Regards Howard :)

 
Update

Just ran SS&D again, found 4 entries

1 Advertising.com cookie
2 AvenueA.Inc cookie
3 DoubleClick cookie
4 MediaPlex cookie

Fixed all 4 items.

Yipee, note no SmitFraud-C.Toolbar888 found. I think we must be going in the right direction.

Done a CCleaner clean up.

Just started Ad-Aware SE scan, will do HJT log after it finishes and post.
 
Running the Ccleaner programme as per the instructions in step 9 of this thread HERE, is a good idea. That'll clear a lot of rubbish off of your system.

Regards Howard :)
 
Your HJT log is clean as a whistle.

Turn off system restore. (XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Good news about the HJT log, thanks

Turn off system restore. (XP/ME only) See how HERE.
My system restore has been turned off all the time. I turned it off yesterday so as not to let it restore me back to the bad ol' days or auto save any bad files. Was that wise or not?

Just some extra info for you and anyone who may be reading this in the future.
Just done another SS&D scan and come up with 4 cookie entries again, 3 as before but now Mediaplex cookie gone and new one appeared Tradedoubler cookie, fixed them rebooted with internet off scanned with SS&D nothing new found, turned internet back on without running IE, done SS&D scan nothing found, run IE into MSN (default) homepage, run SS&D, found nothing, set homepage to ntlworld/virgin media via IE properties, run IE into new homepage (ntl/virgin) closed IE, ran SS&D scan again, 3 spyware cookies back again.

This calls for a few questions at this point. Do you think that the cookies may be being dropped into my temporary internet folder by ntl/media?
Or do I still have a virus/adware?
How come these cookies drop in even though I have immunised my PC with SS&D?

regards psxnut
 
Having system restore turned off is down to personal preference. However, if something goes wrong, you won't be able to restore Windows to an earlier and hopefully working state. This could potentially lead to a reinstall, but it's your call. Personally, I've found system restore to be very useful on occasion.

Tracking cookies are not something you should be unduly worried about. If you would use Firefox or Opera as your browser instead of IE, you'd get a lot less of them.

See HERE for lots of info about cookies.

Regards Howard :)

 
Hi,

Thanks for the reply. I rescanned my PC with all the steps again in the tutorial, only found the tracking cookies that were coming up all the time. So I had a look at IE settings (wished I had thought of it earlier) only to find that in my security settings, the part which allows cookies to be downloaded had been set to download all of them. I reset it to the default, medium level and hey presto, no tracking cookie downloads. Rescanned with Spybot a couple of times and Ad-Aware SE, now reporting all clear.

The system seems to be running well now, except for the files we deleted in the clean up stage needing to be reinstalled.

I'll keep an eye on things and report back if things go downhill, if that's OK.

I would like to say to you that you do not know how grateful I am for the time you have spent helping me, and I must say that you are a credit to your good nature and an icon, in my view, to the well being of this vast network we call the internet. As Dave Allen would say, "Good night and may your god go with you".

psxnut:)
 