W32.MyZOR.FK@yf SPYWARE ... PLEASE HELP WITH REMOVAL

Status
Not open for further replies.

Derek

Posts: 13   +0
Have tried all, need help deleting W32.MyZOR.FK.yf

Log is attached...

Thank you in advance!!!!!
 

Attachments

  • hijackthis.txt
    14.4 KB · Views: 134
:wave: Welcome to Techspot :wave:

You have a Smitfraud infection

-- snip -- (no need to follow full instructions)

Edit : My sincere apologies. On closer review, I see you've already been following the instructions. Please simply perform step 3 once more while in Safe Mode, and post a new HJT log. Please also post the log from the smitfraud fix as an attachment.
 
Could not follow step 3, Smitfraudfix would not load in Safe Mode...
attached is my newest log...
 

Attachments

  • hijackthis.txt
    14.4 KB · Views: 16
Oh, I see. :blackeye:

Were you in Safe Mode when you ran it the first time? And when it didn't work, what error message (if any) did it give you?
 
What error did you get in Safe Mode, and at what stage? The reason I ask is that pretty much all instructions for the tool suggest that safe mode shouldn't be a problem for it.
 
You got a yellow triangle when you tried running the fix in safe mode??? That shouldn't happen. If you could, I need you to be as detailed as you can in the problems you are having running the fix, because it is THE fix for Smitfraud at the moment.

What message is it giving you?
 
1. Win32.HS.m2 SpyWare has just overcome default security software on Your PC. Your personal information and PC safety is in critical danger.
To clear Your PC and get rid of dangerous virus you need paid security system patch called "AD-PROJECT".
By clicking "Continue" You will be taken to official developer's page, where you may download the patch.


2. smitfraudfix v2.43 process.exe file missing...unzip all the archive in a folder....
 
Ah! I see!

process.exe is sometimes detected as a virus, but in fact it isn't one. It's what's known as a "false positive".

What you need to do is to reboot to safe mode, disable any antivirus/antispyware software on your computer while running the fix (including MS Anti-spyware or Windows Defender, or anything else), and then turn it back on afterwards. Just make sure the fix is still intact: download a fresh copy and run it, rather than the copy you've already used.

Once you've done that (in safe mode - it's important to be in safe mode for it), post a new HJT and the smitfraudfix logfile and we'll check if you're finally clean.
 
Hello and welcome to Techspot.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type regsvr32 /u C:\WINDOWS\SYSTEM32\notifyf2.dll into the run box and press the enter key.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

atmclk.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpABC9.tmp

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O11 - Options group: [JAVA_IBM] Java (IBM)

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files (if there).

C:\WINDOWS\SYSTEM32\notifyf2.dll
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\hpABC9.tmp

Reboot into normal mode and turn system restore back on.

Just as a precaution, go HERE and follow the instructions in step 3.

Please post a fresh HJT log.


Regards Howard :)
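
Added example, not part of the original thread: a small Python triage that cross-checks HijackThis entries against the manual delete list given in the post above, separating entries that load a file slated for deletion from stale "(file missing)" references. The function names `parse_entry` and `triage` are hypothetical; the sample lines and paths are copied from the post.

```python
import re

# Lines copied from the HijackThis fix list in the post above.
HJT_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpABC9.tmp
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
""".strip().splitlines()

# Files the same post says to delete by hand after the HJT fix.
DELETE_LIST = [
    r"C:\WINDOWS\SYSTEM32\notifyf2.dll",
    r"C:\WINDOWS\system32\atmclk.exe",
    r"C:\WINDOWS\system32\hpABC9.tmp",
]

ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
MISSING = " (file missing)"

def parse_entry(line):
    """Split one HJT line into section code, target, and missing-file flag."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)]
    # R-section lines put the value after ' = '; O-section lines after the last ' - '.
    sep = " = " if m.group("section").startswith("R") and " = " in body else " - "
    target = body.rsplit(sep, 1)[-1].strip().strip('"')
    return {"section": m.group("section"), "target": target, "missing": missing}

def triage(lines, delete_list):
    """Bucket entries: target on the delete list, orphaned reference, or other."""
    wanted = {p.lower() for p in delete_list}  # Windows paths are case-insensitive
    report = {"on_delete_list": [], "orphaned": [], "other": []}
    for e in filter(None, map(parse_entry, lines)):
        if e["target"].lower() in wanted:
            bucket = "on_delete_list"
        elif e["missing"]:
            bucket = "orphaned"
        else:
            bucket = "other"
        report[bucket].append((e["section"], e["target"]))
    return report

if __name__ == "__main__":
    print(triage(HJT_LINES, DELETE_LIST))
```

`atmclk.exe` is on the delete list but no entry in the post's fix list references it, which matches the post handling it separately through Task Manager.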
 
That's not a tool. It's a shareware application that is neither useful nor necessary in this thread. As such, the link has been removed.

We have an effective and simple tool for smitfraud that's effective against the infection. It's small, it's easy, and requires only a HJT log to be checked afterwards, unlike the applications and instructions that you tried to post which not only require a scan with the application, but "at least three different online AV scans".

If you aren't going to be constructive and useful Tedster, as Howard pointed out in another thread here, please don't post. It's hard enough as it is.

Secondly, if you've seen that a post has been deleted by a moderator, please don't repost it.
 
Looking good...I think?...

1. Please see attached txt log...
2. Internet explorer goes direct now to blank page and will not take the tools options change to go to another designated page, any rec's?
3. Any recommendations to get speed back?
4. Anything else I should do?

Thanks so much!
Derek
 
still can't get the smitfraudfix to work from winzip, always says process.exe file missing...I have downloaded so many programs to try and get rid of this virus, I am not sure what is running and what is not anymore!

Does the last txt log look ok or should I do something? Please advise.
Thanks...
 
Derek said:
still can't get the smitfraudfix to work from winzip, always says process.exe file missing...I have downloaded so many programs to try and get rid of this virus, I am not sure what is running and what is not anymore!

Does the last txt log look ok or should I do something? Please advise.
Thanks...

I'm afraid you didn't post your last log - it seems you didn't attach it.

Smitfraudfix isn't supposed to work from winzip. You save the zip file to your computer, and simply extract it to a folder, then boot into safe mode, turn off your antivirus and antispyware software, and run the smitfraudfix cmd file. We will give you advice on speeding up your system once it's been cleaned (no point in doing it while it's still infected).
 
Let HJT fix this entry.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

Other than that, your HJT log looks clean.

Did you manage to get the SmitFraudfix to run correctly?

Regards Howard :)
 
You'll be pleased to know that your HJT log is finally clean! :grinthumb

Follow Howard's advice above for that entry. It would also be GREAT if you could tell us the answer to the question he asked, as to whether smitfraudfix was run correctly in the end.

The first thing that you should find will help speed up your system is to uninstall that Symantec Norton stuff, and replace it with the free AVG antivirus, and a free firewall - either the free Zone Alarm or Sunbelt Kerio Personal Firewall.

You might also like to prevent spysweeper from running at startup or uninstall it completely. Depending on whether you use the utility(s) or not, you might also consider uninstalling some of the "think vantage" stuff you have there.

Given the amount of work you've just done with your machine, it might also benefit from being defragmented, and you might like to run ATF-cleaner from atibune.org to get rid of all your temp files easily. Disable and re-enable system restore so that you clear all the current restore points (which may contain the smitfraud virus).

Finally, if you're not doing so already, I would recommend that you use Firefox as your web browser. :)

Hopefully that should have everything sorted for you.
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

Click on the fix checked button.

Close HJT.

Locate and delete the following bold file (if there).

c:\windows\system32\blank.htm

Reboot into normal mode and turn system restore back on.


Regards Howard :)
 
Did you find and delete this file?

c:\windows\system32\blank.htm

It is possible that the file may be in the following directory instead.

C:\WINDOWS\SYSTEM\blank.htm

Maybe do a complete search of your system for blank.htm and delete all instances of it.

Regards Howard :)
 