RJARRRPCGP Posted July 19, 2007 (edited)
I'm working on someone's Compaq Presario. Also, it will open another Internet Explorer window to this web site: h**p://www.udefender.com/freeware/3/?wmid=6010&mid=MjI6Ojk3OA==&lndid=15&p=1
Edited July 19, 2007 by RJARRRPCGP

ilko_t Posted July 19, 2007
Usually SmitFraudFix is the first program to start with in case of fake security alerts. You need to know what you are doing; if not, better post its log here.

RJARRRPCGP Posted July 19, 2007
Can't upload! The message board banned uploading!

ilko_t Posted July 19, 2007
You may copy-paste the log from Notepad here, or use an alternative upload server, such as ohshare.com, and post the link.

RJARRRPCGP Posted July 19, 2007
OK:
SmitFraudFix v2.204
Scan done at 18:31:15.92, Thu 07/19/2007
Run from C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\.protected FOUND !
C:\WINDOWS\avp.exe FOUND !
C:\WINDOWS\mgrs.exe FOUND !
C:\WINDOWS\privacy_danger FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\COMPAQ~1\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\COMPAQ~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
C:\DOCUME~1\COMPAQ~1\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\COMPAQ~1\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\COMPAQ~1\Desktop\Spyware?Malware Protection.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="about:home"
"SubscribedURL"="about:home"
"FriendlyName"="my current home page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B7BD76F9-ACE6-4719-B139-2B47EE0132BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B7BD76F9-ACE6-4719-B139-2B47EE0132BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B7BD76F9-ACE6-4719-B139-2B47EE0132BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End

ilko_t Posted July 19, 2007
Restart in Safe Mode, run SmitFraudFix again and choose 2 (Clean); this should take care of it. When finished, restart in Normal Mode, run SmitFraudFix again, choose 1 (Scan) and post its log here along with a log from HiJackThis (Google for the link and hit "Do a system scan and save a log file"). This is to ensure nothing bad is left in the system.

RJARRRPCGP Posted July 19, 2007
Here is the log:
SmitFraudFix v2.204
Scan done at 19:46:14.92, Thu 07/19/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\privacy_danger FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\COMPAQ~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
C:\DOCUME~1\COMPAQ~1\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\COMPAQ~1\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\COMPAQ~1\Desktop\Spyware?Malware Protection.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B7BD76F9-ACE6-4719-B139-2B47EE0132BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B7BD76F9-ACE6-4719-B139-2B47EE0132BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B7BD76F9-ACE6-4719-B139-2B47EE0132BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End

RJARRRPCGP Posted July 20, 2007
Also, it displays "YOUR PRIVACY IS IN DANGER!".

Tarun Posted July 20, 2007
Have you run any other scanners, such as Ad-Aware and Spybot? Also, have you run an Anti-Virus program yet? If not, download and install Avast, then do a boot-time scan after updating the program.

ilko_t Posted July 20, 2007
The worst part is gone. Run SmitFraudFix again in Safe Mode, choose 2 (Clean) and make sure you answer Yes to the question to clean registry entries. Reboot in Normal Mode and post the contents of C:\Rapport.txt (if not there, search for it) along with a log from HiJackThis. If SmitFraudFix doesn't fix it this time, we will clean the rest manually.

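An added example, not part of the original thread and not SmitFraudFix's own code: a small Python parser for the report format posted above that compares the scan taken before cleaning with the one taken after, which is the reading behind "the worst part is gone". The sample text is a shortened excerpt of the two logs in this thread, and the function names are this example's own.

```python
import re

SECTION = re.compile(r"^»+\s*(.*)$")        # section header, e.g. "»»»» Process"
FOUND = re.compile(r"^(.+?)\s+FOUND !$")    # flagged item, e.g. "C:\X FOUND !"

# Shortened excerpts of the two reports posted in this thread.
SCAN_1 = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\.protected FOUND !
C:\WINDOWS\avp.exe FOUND !
C:\WINDOWS\mgrs.exe FOUND !
C:\WINDOWS\privacy_danger FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
C:\DOCUME~1\COMPAQ~1\Desktop\Error Cleaner.url FOUND !
"""
SCAN_2 = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\Explorer.EXE
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\privacy_danger FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
C:\DOCUME~1\COMPAQ~1\Desktop\Error Cleaner.url FOUND !
"""

def parse_report(text):
    """Return (running processes, flagged paths), lower-cased for comparison."""
    procs, found, section = set(), set(), None
    for line in map(str.strip, text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif section == "Process" and line:
            procs.add(line.lower())
        elif (hit := FOUND.match(line)):
            found.add(hit.group(1).lower())
    return procs, found

def compare(before, after):
    """Summarise what a clean pass removed and what still needs attention."""
    (p1, f1), (_, f2) = parse_report(before), parse_report(after)
    return {
        "running_and_flagged": sorted(p1 & f1),  # flagged files that were executing
        "cleaned": sorted(f1 - f2),
        "persisting": sorted(f1 & f2),
        "new": sorted(f2 - f1),
    }
```

Calling `compare(SCAN_1, SCAN_2)` on the excerpts shows the two flagged executables gone from both the process list and the file findings, while the `privacy_danger` folder and the desktop shortcut persist.
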
RJARRRPCGP Posted July 20, 2007 (edited)
> Have you run any other scanners, such as Ad-Aware and Spybot? Also, have you run an Anti-Virus program yet? If not, download and install Avast, then do a boot-time scan after updating the program.
Yep.
It definitely wasn't gone. The same pop-ups, fake Windows security messages and websites opening up!
Also, kept on displaying a message about being infected with the Netsky trojan, apparently fake! Seems to get triggered by every file I download!
Edited July 20, 2007 by Tarun

ilko_t Posted July 20, 2007
Without the information I asked you for (the 2 log files from HiJackThis and SmitFraudFix) I cannot help you any further. Scanning with various antivirus/antispyware programs will not help you much with that kind of infection, it'd be just a waste of time. Believe me, I see and remove them from clients' machines at least 2-3 times every week.

RJARRRPCGP Posted July 20, 2007
Sorry about not getting the log from HiJackThis. I thought you only wanted the log from SmitFraudFix. Also, the HDD was wiped before 12 AM. Couldn't take it anymore!