Problems

reight8 · Oct 19, 2007

My computer is super slow from the time it loads up until i try to click and run anything. The internet wont even connect and the desktop has a desktop recovery screen on. Also control alt delete takes forever to show up too.

i read the read me, im some what familiar with it, but without getting on the internet i cant download anything to it...

what should i do?

i already went through the add/remove programs and removed outerinfo and viewpoint media player.

abri · Oct 19, 2007

Hi reight8!
Welcome to Major Geeks! A slow computer can have several causes, one of which is malware. It could also be that you have a bad sector on your harddrive. If you have any access to a Norton's Disk Doctor, please run it and see if it can locate any bad sectors that could be causing the problem. If it finds something, it will reroute your process around it. You may also want to ask in the Software Forum for other tools that do the same thing.
As for checking for malware, can you get to another computer that has an internet connection and download a few of the installation programs there onto either a cd or a flash drive? If so, please attempt to get the installation programs for the following and run them. Try to run Combofix before you install the others. If your problem is malware-related, it may give you some relief. If your problem is not a malware problem, you may need to use your operating system cd to attempt a recovery.

Run this utility:

1. Download this file - Combo Fix
2. Double click combofix.exe & follow the prompts.
Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.
3. When finished, it will produce a log for you. Attach this log to your next reply.
Click to expand...

Whether you are able to run Combofix or not, please try to get the following three scans:
Using ShowNew

Using GetRunKeys

Downloading, Installing, and Running HijackThis

If this is still too much, please try to get a hijackthis log to us.

abri

reight8 · Oct 20, 2007

i am using the infected computer now. i ran downloaded combo fix and put it on a cd then ran it on here. it made the internet start working and made the computer a little faster.

also on the desktop the wall paper is a message saying spyware is detected from an ip address and it has it in red.

im going to download the other programs now. ill send the combo fix log right now though. thank you.

reight8 · Oct 20, 2007

alright heres the hijack this log. Also i ran spybot and found

smitfraud-c.
aconti
mirar
win32.agent.pz
win32.trafficsol.c
adbreak
microsoft windows security center override

i fixed the selected and re ran the program. the only thing that came back was the win32 agent.pz

abri · Oct 21, 2007

Hi reight8!
Please do the following next:
I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note: process.exe ( which is used by SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/processutil/processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

STEP 2:PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.
Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Booting in Safe Mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

Now attach new logs from:

* GetRunKey
* ShowNew
* HJT

How are things working now?

reight8 · Oct 21, 2007

alright so here is the first log from the tool.

reight8 · Oct 21, 2007

heres the other rapport log.. i will get you the others in a little. i have a few things to take care of.

the wallpaper on the desktop returned to normal and it hasnt showed any signs of any problems yet. thank you for your time and help.

reight8 · Oct 21, 2007

Oya i also ran hijackthis real quick and have the log.

abri · Oct 21, 2007

reight8

please do the following:

Scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: CvgraphObj Object - {12355F3E-90C3-41AA-8705-15969AF7F210} - C:\WINDOWS\vgraph.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {561713B1-52F3-4481-898E-7E22CD9773B2} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Skyblueads browser optmizer - {7DB476DD-EA1E-4c91-880F-DCD1888740A1} - C:\WINDOWS\system32\cpmrotate.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive4.dll (file missing)
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [frof] C:\PROGRA~1\COMMON~1\frof\frofm.exe

Again, make sure ALL browser windows are closed when you click FIX.
Click to expand...

Please attach a fresh log from HijackThis and then work through the READ & RUN ME FIRST and post the requested logs.

abri

reight8 · Oct 21, 2007

alright i will do that now. do i still need to get you the getnewkey and save new logs???

reight8 · Oct 21, 2007

alright heres the log

abri · Oct 22, 2007

Hi reight8!

The F2 entry didn't get deleted, so I need for you to work through the instructions in the READ & RUN ME FIRST. Both Counterspy and Panda pick up this infection, but I'm not sure yet whether they can delete it. Please be sure to have Counterspy fix what it finds! You may have to run it in normal mode. When you finish you will have 6 logs to post to us and you will need to post twice for the attachments.

-Counterspy
-BitDefender
-Panda
-ShowNew (newfiles.txt)
-GetRunKeys (runkeys.txt)
-HijackThis

abri

reight8 · Oct 28, 2007

Alright so, did everything that you asked. Bitdefender didnt work and panda didnt work..

ill attach all the logs i have right now.

spybot still found the win32 agent pz

reight8 · Oct 28, 2007

logs....

reight8 · Oct 28, 2007

logs 2

abri · Oct 29, 2007

Counterspy picked up a ton. The F2 entry is unfortunately still there. We will work on it again tomorrow. Was the commercial keylogger something you installed yourself?

abri

Log in or Sign up

Problems

reight8 Private E-2

abri MajorGeek

reight8 Private E-2

Attached Files:

log.txt

reight8 Private E-2

Attached Files:

hijackthis.log

abri MajorGeek

reight8 Private E-2

Attached Files:

rapport.txt

reight8 Private E-2

Attached Files:

rapport.txt

reight8 Private E-2

Attached Files:

hijackthis.log

abri MajorGeek

reight8 Private E-2

reight8 Private E-2

Attached Files:

hijackthis.log

abri MajorGeek

reight8 Private E-2

reight8 Private E-2

Attached Files:

counterspy.txt

hijackthis.log

newfiles.txt

reight8 Private E-2

Attached Files:

runkeys.txt

abri MajorGeek