red background graphic and error message

Discussion in 'Malware Help (A Specialist Will Reply)' started by mjajax79, Feb 2, 2008.

  1. mjajax79

    mjajax79 Private E-2

    Hello,

    This problem happened about a week ago, I've run the "read and run me first" programs twice. This is where I'm at now.

    The startup is really slow, followed by a blue screen, then a blue screen with icons, next a white screen with icons, then a red background with icons and a graphic stating "your privacy is in danger, click here".

    When I go online, sometimes a window will pop up accessing an antivirus/antispyware website. Every window I open has a message strip that says "warning your computer may be infected". Every 10 minutes an error message pops up saying
    "cannot find file///c:/windows/privacy_danger/index.htm"

    Here are the logs from the programs.
     


  2. abri

    abri MajorGeek

    Hi mjajax!
    Welcome to Major Geeks!


    Please follow the instructions in Removing Zlob aka SmitFraud, SpySheriff, Infections. This will produce two logs, both called rapport.txt. Please attach the first rapport.txt to your post here before continuing with the cleaning step. Otherwise the first log will be written over.

    Thanks.
    abri
     
  3. mjajax79

    mjajax79 Private E-2

    Dear Abri

    I downloaded the fix and ran the program. Thanks for your help

    I didn't change the name of one of the rapport files, so the first one is the kill process and the second, if you need it, is the search report after the cleaning, if it helps at all. Sorry.

    Mike
     


  4. abri

    abri MajorGeek

    Hi mjajax79,

    Please do the following. If you find you are unable to run any of the steps, it may be necessary to print out the instructions, shut down your computer and disconnect from the internet, and then boot back up. Disable any antivirus and spyware programs and then run the steps until a reconnection is necessary. When you reconnect, be sure all your antivirus, firewall and antispyware are re-enabled. Try it first though without disabling anything.

    1) Please disable your guest account if it's not already disabled.

    2) Go to add/remove programs and uninstall the below:

    - Java 2 Runtime Environment, SE v1.4.2_03

    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment


    5) Download and install Erunt. Use it to create a backup of your registry.


    6) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    7) Download Hoster
    and then follow the below steps:
    · Unzip HostsXpert.zip
    · It will create a folder named HostsXpert in whatever folder you extract it to.
    · Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
    · Click the X to exit the program

    Now click Start, Run, and enter ipconfig /flushdns and click OK!


    8) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    9) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  5. mjajax79

    mjajax79 Private E-2

    Thanks Abri

    I ran all programs like you stated. The red background screen is still there, I haven't seen any other problems yet.

    Here are the updated logs.

    I appreciate your help,
    Mike
     


  6. abri

    abri MajorGeek

    Hi mjajax79,

    Please do the following:

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: SXG Advisor - {9C22FF6B-11B2-43B0-9F1A-8B0C209C1FAB} - C:\WINDOWS\dpvtportwf.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {A6074EA4-01C7-40A1-82C3-FC683866AB03} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKUS\S-1-5-18\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O21 - SSODL: aswmklt - {F982F732-F4EE-4620-8606-E42AC7261803} - C:\WINDOWS\aswmklt.dll (file missing)
    O24 - Desktop Component 0: (no name) - (no file)
    O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

    After you click fix, just close hijackthis.


    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Run Avenger again as you did in post 4 (step 8) only this time use the contents of this box:
    4) Run ATF Cleaner (post 4, step 9)

    5) And now run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
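A small triage script for HijackThis-style lines like the ones abri listed above, added here as an example; it is not part of this thread or of HijackThis itself. It encodes the indicators this thread turns on (orphaned entries marked "file missing"/"no file", the Active Desktop component that renders privacy_danger\index.htm, the SSODL and Default-profile startup entries, the IE Control Panel policy) and assumes only the "O<n> - body" line format seen in the log excerpt; the sample lines are copied from post 6.

```python
import re

# Constructed sample: HijackThis-style lines copied from the excerpt in post 6 above
SAMPLE_LOG = r"""
O2 - BHO: SXG Advisor - {9C22FF6B-11B2-43B0-9F1A-8B0C209C1FAB} - C:\WINDOWS\dpvtportwf.dll (file missing)
O3 - Toolbar: (no name) - {A6074EA4-01C7-40A1-82C3-FC683866AB03} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O21 - SSODL: aswmklt - {F982F732-F4EE-4620-8606-E42AC7261803} - C:\WINDOWS\aswmklt.dll (file missing)
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# "O<n> - <body>": the section code says which load point the line was read from (assumed format)
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

def parse_line(line):
    """Split one log line into (section, body); None for anything that is not an O-line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def triage(line):
    """Return the reasons an entry deserves a second look (empty list = nothing noted)."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []
    # Registered in the registry but the backing file is gone: leftover of a removed component
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: registered component has no file on disk")
    # An Active Desktop component rendering a local HTML page is how the fake alert background appears
    if section == "O24" and "file:///" in body:
        reasons.append("Active Desktop component renders a local HTML file")
    if "privacy_danger" in body.lower():
        reasons.append("path matches the privacy_danger alert page discussed in this thread")
    # Startup items under the Default profile are copied to every newly created user
    if section == "O4" and ".DEFAULT" in body:
        reasons.append("startup item under the Default user profile")
    # ShellServiceObjectDelayLoad entries are loaded by explorer.exe at logon
    if section == "O21":
        reasons.append("SSODL entry: DLL loaded by the shell at logon")
    # An IE Control Panel policy can lock desktop settings and block the cleanup steps
    if section == "O6":
        reasons.append("IE Control Panel policy present: may block changing desktop settings")
    return reasons

def triage_log(text):
    """Map each non-empty log line to its triage reasons."""
    return {l.strip(): triage(l) for l in text.splitlines() if l.strip()}
```

Run `triage_log(SAMPLE_LOG)` to see that only the RealPlayer scheduler line comes back without a flag; every other line in the excerpt gets at least one reason.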
     
  7. mjajax79

    mjajax79 Private E-2

    Hello Abri,

    My computer seems to be running malware free, but is running slow. With all the programs I have on it, what can I delete and what should I save? The startup of the computer also goes to the options screen (normal or safe mode) every time before starting up in normal.

    Here's a list of programs I have on my computer (I might have missed some):

    Spybot search and destroy
    Smit fraud fix
    hostxpert
    avenger
    atf cleaner
    av gas anti-spyware
    ccleaner
    ERUNT
    combofix
    mgtools

    Here are the requested logs to see if my computer is really clean.
    Thanks for your help
    Mike
     


  8. abri

    abri MajorGeek

    Hi mjajax79,
    Please skip the instructions in post 8 and wait until I can post you a new set. Privacy danger was not removed yet, so this will account for some of the problems you're still having.
    abri
     
  9. abri

    abri MajorGeek

    Hi mjajax79,

    There's still one more entry which belongs to the infection, which you can fix with HijackThis. The items we put on your computer for scanning and diagnostic purposes we'll have you remove when your logs are clean. First do the following:

    Make a copy of these instructions so you can remember them. Shut down your computer and physically disconnect it from the internet. When you boot back up, disable any antivirus and antispyware programs you have running.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O24 - Desktop Component 0: (no name) - (no file)

    Optionally you can fix this as well.

    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

    After you click fix, just close hijackthis.

    Re-enable your antivirus and antispyware programs and reconnect to the internet.

    Then run GetLogs.bat (in the MGTools folder) and attach a fresh MGlogs.zip with your next post.

    Thanks.
    abri
     
  10. mjajax79

    mjajax79 Private E-2

    Hi Abri,

    I ran Hijackthis as you directed, and have the fresh logs attached.
    Hopefully this solved it.

    Mjajax79
     


  11. abri

    abri MajorGeek

    Hi mjajax79,

    Try this:

    Fixing Locked Desktop
    • Right click on your Desktop and select Properties.
    • Then click the Desktop tab
    • then click the Customize Desktop button.
    • Now in the next window that comes up click the Web tab.
      • Make sure at the bottom that Lock desktop items is unchecked.
    • Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too.
    • Then click OK.
    • Click Apply. And click OK.
    After doing the above, see if you can delete those one or two HijackThis entries again.

    You don't have to run the GetLogs.bat to produce a HijackThis log. Just after you try deleting them, run HijackThis again and see if they are still there. Let me know. The O4 entry is at the bottom of all the O4's and the O24 entry is the only O24 entry.

    Thanks.
    abri
     
  12. mjajax79

    mjajax79 Private E-2

    Hi Abri,

    I followed your advice; the lock desktop items was unchecked, so I didn't have to change anything. I ran HijackThis and fixed the problems, but when I reran the scan the problem lines came back.

    Thanks for the help.
    mjajax79
     
  13. abri

    abri MajorGeek

    Hi mjajax79,
    It's possible that one of your settings in Symantec is blocking changes in one of the settings. Please check to see if this might be the case. With regard to malware, your computer is looking okay, so please go ahead with the final cleanup instructions so the malware won't come back.
    abri
     
