TechSpot

W32.MyZOR.FK@yf SPYWARE ... PLEASE HELP WITH REMOVAL

By Derek
May 12, 2006
  1. Have tried all, need help deleting W32.MyZOR.FK.yf

    Log is attached...

    Thank you in advance!!!!!
     

    Attached Files:

  2. Spike

    Spike TS Evangelist Posts: 2,168

    :wave: Welcome to Techspot :wave:

    You have a Smitfraud infection

    -- snip -- (no need to follow full instructions)

    Edit : My sincere apologies. On closer review, I see you've already been following the instructions. Please simply perform step 3 once more while in Safe Mode, and post a new HJT log. Please also post the log from the smitfraud fix as an attachment.
     
  3. Derek

    Derek TS Rookie Topic Starter

    Could not follow step 3, Smitfraudfix would not load in Safe Mode

    Could not follow step 3, Smitfraudfix would not load in Safe Mode...
    attached is my newest log...
     

    Attached Files:

  4. Spike

    Spike TS Evangelist Posts: 2,168

    Oh, I see. :blackeye:

    Were you in Safe Mode when you ran it the first time? And when it didn't work, what error message (if any) did it give you?
     
  5. Derek

    Derek TS Rookie Topic Starter

    no I was not
     
  6. Spike

    Spike TS Evangelist Posts: 2,168

    What error did you get in Safe Mode, and at what stage? The reason I ask is that pretty much all instructions for the tool suggest that safe mode shouldn't be a problem for it.
     
  7. Derek

    Derek TS Rookie Topic Starter

    still have little yellow triangle in lower right box desktop
     
  8. Spike

    Spike TS Evangelist Posts: 2,168

    You got a yellow triangle when you tried running the fix in safe mode??? That shouldn't happen. If you could, I need you to be as detailed as you can in the problems you are having running the fix, because it is THE fix for Smitfraud at the moment.

    What message is it giving you?
     
  9. Derek

    Derek TS Rookie Topic Starter

    1. Win32.HS.m2 SpyWare has just overcome default security software on Your PC. Your personal information and PC safety is in critical danger.
    To clear Your PC and get rid of dangerous virus you need paid security system patch called "AD-PROJECT".
    By clicking "Continue" You will be taken to official developer's page, where you may download the patch.


    2. smitfraudfix v2.43 process.exe file missing...unzip all the archive in a folder....
     
  10. Spike

    Spike TS Evangelist Posts: 2,168

    Ah! I see!

    process.exe is sometimes detected as a virus, but in fact it isn't one. It's what's known as a "false positive".

    What you need to do is to reboot to safe mode, disable any antivirus/antispyware software on your computer while running the fix (including MS Anti-spyware or Windows Defender, or anything else), and then turn it back on afterwards. Just make sure the fix is still intact: download a fresh copy and run it, rather than the copy you've already used.

    Once you've done that (in safe mode - it's important to be in safe mode for it), post a new HJT and the smitfraudfix logfile and we'll check if you're finally clean.
     
  11. Derek

    Derek TS Rookie Topic Starter

    ok will do it in the morning, thanks for the help...
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type regsvr32 /u C:\WINDOWS\SYSTEM32\notifyf2.dll into the run box and press the enter key.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    atmclk.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpABC9.tmp

    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O11 - Options group: [JAVA_IBM] Java (IBM)

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

    O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    C:\WINDOWS\SYSTEM32\notifyf2.dll
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\hpABC9.tmp

    Reboot into normal mode and turn system restore back on.

    Just as a precaution, go HERE and follow the instructions in step 3.

    Please post a fresh HJT log.


    Regards Howard :)
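As an added example (not the poster's log and not a tool from this thread), here is a small Python triage of HijackThis-style entries that surfaces the kinds of lines Howard asked to have fixed: a browser start/local page pointing at a local file, an unnamed BHO backed by a .tmp file, orphaned "(file missing)" registrations, and Winlogon Notify handlers outside an allowlist. The sample log is constructed from the entries quoted above, and the allowlist of stock Windows XP Notify handlers is an assumption; flagged lines are for a human to review, not automatic deletions.

```python
import re

# Constructed sample modelled on the HijackThis entries quoted in this thread;
# it is not the poster's attached log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpABC9.tmp
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\msntb.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Assumed allowlist of stock Windows XP Winlogon Notify handlers; anything else
# is surfaced for a human to check, as the thread does with notifyf2.dll.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def triage(log_text):
    """Return (section, reason, line) for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if "(file missing)" in body:
            findings.append((sec, "target file missing (orphaned entry)", line))
        elif sec in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1]
            # Smitfraud-style hijack: start/local page redirected to a local file.
            if not value.lower().startswith(("http://", "https://", "about:")):
                findings.append((sec, f"browser page set to local file {value}", line))
        elif sec == "O2":
            bho = re.match(r"BHO: (.*?) - \{[^}]+\} - (.*)", body)
            if bho and (bho.group(1).lower() in ("nothing", "(no name)")
                        or bho.group(2).lower().endswith(".tmp")):
                findings.append((sec, "unnamed BHO or BHO backed by a .tmp file", line))
        elif sec == "O20":
            notify = re.match(r"Winlogon Notify: (\S+) - (.*)", body)
            if notify and notify.group(1).lower() not in KNOWN_NOTIFY:
                findings.append((sec, f"unrecognised Winlogon Notify handler {notify.group(1)}", line))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```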
     
  13. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    try this tool that has been going around. It seems to work:
    -link removed-
     
  14. Spike

    Spike TS Evangelist Posts: 2,168

    That's not a tool. It's a shareware application that is neither useful nor necessary in this thread; as such, the link has been removed.

    We have an effective and simple tool for smitfraud that's effective against the infection. It's small, it's easy, and requires only a HJT log to be checked afterwards, unlike the applications and instructions that you tried to post which not only require a scan with the application, but "at least three different online AV scans".

    If you aren't going to be constructive and useful Tedster, as Howard pointed out in another thread here, please don't post. It's hard enough as it is.

    Secondly, if you've seen that a post has been deleted by a moderator, please don't repost it.
     
  15. Derek

    Derek TS Rookie Topic Starter

    Looking good...I think?...

    1.Please see attached txt log...
    2.Internet explorer goes direct now to blank page and will not take the tools options change to go to another designated page, any rec's

    3. Any recommendations to get speed back?
    4.Anything else I should do?

    Thanks so much!
    Derek
     
  16. Derek

    Derek TS Rookie Topic Starter

    still can't get the smitfraudfix to work from winzip, always says process.exe file missing...I have downloaded so many programs to try and get rid of this virus, I am not sure what is running and what is not anymore!

    Does the last txt log look ok or should I do something? Please advise.
    Thanks...
     
  17. Spike

    Spike TS Evangelist Posts: 2,168

    I'm afraid you didn't post your last log - it seems you didn't attach it.

    Smitfraudfix isn't supposed to work from winzip. You save the zip file to your computer, and simply extract it to a folder, then boot into safe mode, turn off your antivirus and antispyware software, and run the smitfraudfix cmd file. We will give you advice on speeding up your system once it's been cleaned (no point in doing it while it's still infected).
     
  18. Derek

    Derek TS Rookie Topic Starter

    attached log
     

    Attached Files:

  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Let HJT fix this entry.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    Other than that, your HJT log looks clean.

    Did you manage to get the SmitFraudfix to run correctly?

    Regards Howard :)
     
  20. Spike

    Spike TS Evangelist Posts: 2,168

    You'll be pleased to know that your HJT log is finally clean! :grinthumb

    Follow Howard's advice above for that entry. It would also be GREAT if you could tell us the answer to the question he asked, as to whether smitfraudfix was run correctly in the end.

    The first thing that you should find will help speed up your system is to uninstall that Symantec Norton stuff, and replace it with the free AVG antivirus, and a free firewall - either the free Zone Alarm or Sunbelt Kerio Personal Firewall.

    You might also like to prevent spysweeper from running at startup or uninstall it completely. Depending on whether you use the utility(s) or not, you might also consider uninstalling some of the "think vantage" stuff you have there.

    Given the amount of work you've just done with your machine, it might also benefit from being defragmented, and you might like to run ATF-cleaner from atibune.org to get rid of all your temp files easily. Disable and re-enable system restore so that you clear all the current restore points (which may contain the smitfraud virus).

    Finally, if you're not doing so already, I would recommend that you use Firefox as your web browser. :)

    Hopefully that should have everything sorted for you.
     
  21. Derek

    Derek TS Rookie Topic Starter

    after smitfraudfix, still internet explorer issue
     

    Attached Files:

  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold file (if there).

    c:\windows\system32\blank.htm

    Reboot into normal mode and turn system restore back on.


    Regards Howard :)
     
  23. Derek

    Derek TS Rookie Topic Starter

    R0 and R1 still there...Internet Explorer will not delete and acting funny...

    trying to have startup webpage...www.ceoexpress.com will not work
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Did you find and delete this file?

    c:\windows\system32\blank.htm

    It is possible that the file may be in the following directory instead.

    C:\WINDOWS\SYSTEM\blank.htm

    Maybe do a complete search of your system for blank.htm and delete all instances of it.

    Regards Howard :)
     
Topic Status:
Not open for further replies.
