First plea

Discussion in 'Malware Help (A Specialist Will Reply)' started by ransom, Apr 19, 2006.

  1. ransom

    ransom Private E-2

    I keep getting a pop-up with a "Your Computer is infected: Critical system error" message (lower right screen).
    In addition there is a red/green flashing icon in my toolbar, and my IE homepage has been reset to "safetydefender.com".

    I followed all of the instructions in your tutorial and it's still there.

    I have Norton AV, Adaware, Spybot and Zonealarm installed and updated and run regularly.

    This is really bloody frustrating.

    Please help.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please do not post HijackThis logs without having run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support. I know you implied you ran them, but you did not run ALL steps in this procedure.

    If you are having SpywareQuake issues, it is also covered in another sticky thread which you also should have read and run:

    SpywareQuake Removal Procedure

    You do have more problems than SpywareQuake and you will need to run the READ & RUN ME too.
     
  3. ransom

    ransom Private E-2

    Thanks

    nailed the sucker---thanks.

    You are right, I couldn't get Panda to download nor Defender to work, but I did everything else (suitably chastened).

    But there was no "spyware quake" program to remove so I assumed this was not the problem, hence my frustration.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Thanks

    There doesn't have to be a SpywareQuake entry. The procedure still fixed things related to the infection. Look in the smitfiles.txt log and you will see it found and fixed the below:
    They are all part of the SmitFraud family and SpywareQuake is a member of the family. Also your Bitdefender log shows the files related to the infection (C:\WINDOWS\system32\1024\ldA174.tmp, C:\WINDOWS\system32\xenadot.dll).

    You still have not followed the directions in step 7 of the READ ME for installing HijackThis properly. You are running it directly from the ZIP file. You MUST install HijackThis properly or you will not get any backups for anything we fix with it.

    You also did not empty your Norton Quarantine as per step 0 of the READ ME.

    As a double check, boot into safe mode and use Windows Explorer to delete the below baddies found by Panda (let me know if you have problems deleting these or if they are not found):
    C:\WINDOWS\system32\hp3423.tmp
    C:\WINDOWS\system32\ncompat.tlb
    C:\WINDOWS\system32\ot.ico
    C:\WINDOWS\system32\xenadot.dll
    C:\WINDOWS\system32\1024 <--- the whole folder
    E:\Program Files\Common Files\Totem Shared\Update\Distribution.dll.019
    E:\Program Files\Common Files\Totem Shared\Update\Music.dll.010
    E:\Program Files\Common Files\Totem Shared\Update\Windows.dll.044
    E:\Program Files\KaZaA Lite <--- the whole folder

    Was this HijackThis log from before running the SpywareQuake procedure? I would think so. Please install HJT properly and attach a new HJT log.

    Also run the below and attach the runkeys.txt log here:

    Using GetRunKey
     
    Last edited: Apr 21, 2006
  5. ransom

    ransom Private E-2

    Ok, thanks again.
    Here's what I know.

    I didn't run Hijack this from zip, I followed instructions and set it up in C:/program files/hjt, but it may have been the first log. I'm attaching today's.

    When I opened Norton Quarantine there was nothing in it so I did not empty it.

    I found none of the files from Panda you mentioned in "Explorer" in C:\
    and when I went into E:\ the computer repeatedly froze, so I don't know if they are in there or not.

    attached are the latest HJT and Runkey
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is drive E an internal hard disk or is it some kind of removable drive (CD, flash drive, etc.)?

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  7. ransom

    ransom Private E-2

    Thanks.
    Again.

    E is an internal unneeded HD with old files on it. Think I'll disconnect it.

    Step 1 is done and I have worked through the link.

    Glad I know where to look if this recurs in any form (but please, God, no!)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
