Malware I guess

Barnyard Man · Mar 28, 2007

Not sure which it is. Picked it up the other night while not watching what I was doing. I have Norton anti-virus (current addition) and it will not fix it. I have an icon on the bottom right of my screen that is a question mark with a circle around it and it flashes red with a line through it and a message box pops up (system alert) every so often and tells me I have spyware and to click the icon to go to a sight and pay to have it fixed.

Any ideas on how to fix this? I don't mind buying a product but I want to know it will work. I ran Ad-Aware SE for free but it only fixed 20 problems and not this one.

Also have System Alert:Trojan-spy.win32@mx that tells me to click the baloon (misspelled but this is the way it is written) to download official security software which I have not done.

I did a search and because I am not computer literate, I am not able to follow some of the instructions.

Any help would really be appreciated? This site was highly recommended by a friend.

Barnyard Man

chaslang · Mar 29, 2007

Welcome to Major Geeks!

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

How are things working now?

Barnyard Man · Mar 31, 2007

A big thank you.

I was not able to get the link you posted to Smithfraudfix to work, but found another link, downloaded the program and followed your instructions.

Again, thank you for your help!

Last log follows:SmitFraudFix v2.162

Scan done at 15:24:08.34, Sat 03/31/2007
Run from C:\Documents and Settings\Valued Customer\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

First log follows:
SmitFraudFix v2.162

Scan done at 15:02:00.10, Sat 03/31/2007
Run from C:\Documents and Settings\Valued Customer\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9d6fac42-a7be-4702-87ef-75d8dc14249e}"="hemine"

[HKEY_CLASSES_ROOT\CLSID\{9d6fac42-a7be-4702-87ef-75d8dc14249e}\InProcServer32]
@="C:\WINDOWS\system32\tahxqcj.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9d6fac42-a7be-4702-87ef-75d8dc14249e}\InProcServer32]
@="C:\WINDOWS\system32\tahxqcj.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

chaslang · Mar 31, 2007

Barnyard Man said: ↑

I was not able to get the link you posted to Smithfraudfix to work,
Click to expand...

It works fine for me! I even just checked it again. Please do not post logs inline. Attach logs as requested. See: HOW TO: Attach Items To Your Post

Please indicate how things are working.

Barnyard Man · Mar 31, 2007

Things are working fine.

Sorry about posting the logs. I am new to this. I cannot find out how to edit my post or I would delete the logs.

Thanks for your help!!!

Barnyard Man

The link you provided would not work on my computer, sorry but tried it several times and had to go to another site to download the program. Nothing against you, but the link would not work. All that ends well is all well!!!!

chaslang · Mar 31, 2007

You're welcome.

If you are not having any other malware problems, it is time to do our final steps:

You can delete SmitFraudFix and any files created by running it.

If you are running Windows XP or Windows ME, do the below:

go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Barnyard Man · Mar 31, 2007

All done Master. Thanks for your help!

Barnyard Man:wave :wave

chaslang · Mar 31, 2007

You're welcome. Surf safely!

Log in or Sign up

Malware I guess

Barnyard Man Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Barnyard Man Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Barnyard Man Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Barnyard Man Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member