TechSpot

Can't seem to 'fix' my problem...

By novus
May 8, 2006
Topic Status:
Not open for further replies.
  1. Ok...long story short...
    an acquaintance sent me an email (turned out it was bugged).
    I, being the nonce that I am, opened said email, and the result...a plague upon my house (well, my machine, and I think I am now infected also hehe).
    I have run all the diagnostics and fixes that were recommended by you brilliant guys and girls here...followed Howard's cure all and found many many other bugs on my machine and cleaned them out.
    However...the bast...beastlies that created this email in the first place were rather clever. My notification area of my WinXP task bar keeps flashing 'virus alerts', 'urgent system message: virus!' etc etc and these alerts, when you click on them, take you to a host of anti-malware type operations who would want you to buy their product, which they have maliciously installed on my machine in the first place. Now I have so much anti-spyware stuff installed that I wonder where it will end. However, I can't shake these adverts.
    My IE and now Firefox have been hijacked also by the same crowd (I suspect) and they have prevented me from changing my homepage from one of their choosing. I cannot change the setting in IE - it appears that I have, but upon restarting the same page always appears under 'about:blank', but the homepage is www.securityuptodate.com
    I can post my HJ log but I pretty much removed anything that moved.
    If anyone can help - many thanks.
    I should add that initially the virus alerts said I was infected with that W32myzorFKyf.html virus now it says I have internet trojan iworm_attck_v122.02a.
    I downloaded firefox and made sure not to import any info from IE into it because I didn't want to run the risk of the virus/worm getting into it but sure enough it was also infected.
    Lastly I changed the settings in my task bar manager to hide all alerts but still this hasn't worked. The constantly flashing alert is still there encouraging me to buy some product to get rid of, most likely, the very worm that they planted in the first place. Brilliant marketing strategy, as I am almost at my wits' end and ready to fork out the $$ just in the vain hope their ad campaign claims are slightly more honest than their trojan horse marketing ploy.
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    By all means post your HJT log as an attachment.

    Whatever you do, don't click on any more popups. They install more spyware on your computer.

    Regards Howard :wave: :wave:
  3. novus

    novus Newcomer, in training Topic Starter

    here is my log
  4. novus

    novus Newcomer, in training Topic Starter

    P.S:
    Howard - you are truly a scholar and a gentleman - all class.
  5. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    dcomcfg.exe
    atmclk.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp88BD.tmp

    O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4FB9D8D6-3ECF-4829-A006-1E32DF201375}: NameServer = 203.152.100.32 203.152.112.32 <Only fix this, if it doesn't belong to your ISP.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files(if there).

    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\hp88BD.tmp
    C:\WINDOWS\system32\atmclk.exe

    Reboot into normal mode and turn system restore back on.


    Regards Howard :)

    P.s. Thank you for your kind words.
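The HJT lines Howard lists above follow a fixed pattern (section code, name, CLSID, path), so the same checks can be applied mechanically to a log before anyone is asked to tick boxes by hand. The following is an added example, not code from the thread and not part of HijackThis itself: it parses O2/O3/O4/O17 lines and flags the patterns this thread relies on (a BHO with no real name or backed by a .tmp file in system32, a toolbar CLSID with "(no file)", an autorun entry for one of the executables named above, and a NameServer that is not in an allow-list of the ISP's resolvers). The sample log is constructed from the entries quoted in the thread plus a benign BHO line and an atmclk.exe Run entry that are made up for illustration; the allow-list is something the operator supplies, exactly as Howard's "only fix this if it doesn't belong to your ISP" note requires.

```python
import re

# Constructed sample log: the O2/O3/O4/O17 lines quoted in the thread plus two
# made-up lines (a benign BHO and an O4 Run entry for atmclk.exe).
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp88BD.tmp
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [atmclk] C:\WINDOWS\system32\atmclk.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FB9D8D6-3ECF-4829-A006-1E32DF201375}: NameServer = 203.152.100.32 203.152.112.32
"""

# Executable names the thread identifies as part of this infection.
KNOWN_BAD_EXES = {"dcomcfg.exe", "atmclk.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>.*?)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*?: NameServer = (?P<servers>[\d. ]+)$")


def exe_basename(cmd):
    """First token of a Run command line, reduced to its file name and lower-cased."""
    first = cmd.split()[0].strip('"')
    return first.rsplit("\\", 1)[-1].lower()


def flag_entries(log_text, isp_dns=frozenset()):
    """Return (section, reason, line) for every HJT line matching a suspicious pattern.

    isp_dns is the operator-supplied set of resolver IPs that legitimately belong
    to the ISP; any O17 NameServer outside that set is flagged for review.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = O2_RE.match(line)
        if m:
            # A BHO with no name, or one loaded from a .tmp file in system32, is not
            # how legitimate browser helper objects are installed.
            tmp_in_sys32 = re.search(r"\\system32\\[^\\]+\.tmp$", m["path"], re.I)
            if m["name"].lower() == "nothing" or tmp_in_sys32:
                findings.append(("O2", "BHO with no real name or a .tmp file in system32", line))
            continue

        m = O3_RE.match(line)
        if m:
            # A toolbar registration whose file is gone is leftover debris.
            if m["path"].lower() == "(no file)":
                findings.append(("O3", "toolbar CLSID with no backing file", line))
            continue

        m = O4_RE.match(line)
        if m:
            if exe_basename(m["cmd"]) in KNOWN_BAD_EXES:
                findings.append(("O4", "autorun entry for a file named in the thread", line))
            continue

        m = O17_RE.match(line)
        if m:
            unknown = [s for s in m["servers"].split() if s not in isp_dns]
            if unknown:
                findings.append(("O17", "NameServer not in the ISP allow-list: " + " ".join(unknown), line))
    return findings


if __name__ == "__main__":
    # With an empty allow-list every NameServer is reported; pass the ISP's
    # resolvers to suppress the O17 line.
    for section, reason, line in flag_entries(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Running it with no allow-list reports the O2, O3, O4 and O17 lines; passing the two 203.152.x.x addresses as `isp_dns` drops the O17 finding, which is the judgement call the thread leaves to the reader.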
  6. novus

    novus Newcomer, in training Topic Starter

    Apologies - here is my latest log with the correct date also. Should be pretty similar to the other one - did yesterday (but had the wrong date on it as well).
  7. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    I have amended my above post to include info from your last HJT log.

    Regards Howard :)
  8. novus

    novus Newcomer, in training Topic Starter

    Ok...I have done these things as you directed...the IE homepage is still fixed as 'about:blank' and won't let me change it...no change there....but as yet nothing 'alertish' has come up in the notification area of the taskbar (however sometimes it takes a while for it to happen). Also - at present I have cookies completely disabled and pop-ups, yet I just got a pop-up when I opened TechSpot (a porn pop-up, would you believe)...intriguing...
  9. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Go HERE and download the smitrem.exe file.

    Save the file to your desktop. Double click it to extract the contents to a folder of its own. Restart your computer in safe mode, log on to the user account that is infected, open the smitRem folder and double click the RunThis.bat file to start the tool. Follow the prompts on screen and allow disk cleanup to complete. Upon reboot, you can reset your desktop background. Note: XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the themes tab of desktop properties.

    Post a fresh HJT log after doing the above.

    Regards Howard :)
  10. novus

    novus Newcomer, in training Topic Starter

    Hello again,
    here is the latest log after running smitRem..
    same problems apparent however
  11. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Bugger, it's still there. It seems you have a new variant of smitfraud.

    I have just updated my instructions in this thread HERE.

    Go and follow the instructions as outlined in step 3. This is not the same smitfraud removal tool, that you have just used.

    Post a fresh HJT log after you have done that.

    Regards Howard :)
     
  12. novus

    novus Newcomer, in training Topic Starter

    Howard, it would appear you have the 'healing hands'.
    Now, I just have to reverse that ambulance back up the cliff from the bottom of the ravine...
    Ok - I have learned me some valuable lessons here - I believe someone posted on one of the threads that the best course of action in fighting these maggots is common sense - don't open stuff you are not sure of etc.
    Trust me - I'm now very, very paranoid and my idle curiosity penchant has receded along with my hairline.
    I have supplied my last log - maybe it might help others (it should be well and truly free of practically all nasties, at least for the next 5 minutes or so!).
    Thanks for all your help - and the very concise and easy to follow instructions.
  13. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Excellent and well done. Your HJT log is now clean.

    Regards Howard :)
  14. Spike

    Spike Newcomer, in training Posts: 2,371

    That would have been me.

    I've been behind the scenes pestering Howard over this trying to help him find a solution for the last hour or so, but I've been of no use. He did it all on his own (He's far FAR better at these things than me). Well Done Howard! (I'll stop short of three cheers - it doesn't have the same effect on a forum. lol)