YourPrivacygaurd related help needed

CssSnake6 · Oct 19, 2007

Hi, My computer recently caught some Trojans and worms but thanks to Avast, I got past the worst part. anyways, My computer does not seem to be in any immediate danger, theres no Windows popping up or Extreme Overuse of the CPU by unseen malware. I think I particaly removed the Yourprivacygaurd.com thing, All thats happening is When I try to change my background (Which is currently white) I get this in a windows internet explorer Window:

"Cannot Find 'file:///C:/WINDOWS/privacy_danger/index.htm'. Make shure the path or internet address is correct"

I am actually quite worried that this may lead to a bigger problem though. And I already had to re-install windows on my computer literally 15 times in the past due to Viruses completely corrupting my system beyond repair, and cant use the windows cd's anymore.

please let me know what I should do.

bjgarrick · Oct 19, 2007

Welcome to MG's!

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply. See: HOW TO: Attach Items To Your Post

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.
Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

How are things working now?

CssSnake6 · Oct 20, 2007

Ok, I havent downloaded the zip file yet, but another problem has come up.

every 5-10 min or so, Avast will Prompt me saying it found a trojan in the following files:

C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\ac8zt2\main_uninstaller.exe
C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\ac8zt2\msmdev.dll
C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\ac8zt2\nsduo.dll
C:\DOCUME~1\JASONB~1\LOCALS~1\Temp\ac8zt2\rmv.exe

I kept doing "move to chest" but Avast will prompt me about the exact same files I quarantined, AGAIN.

once I do that, my computer seems to "Refresh" itself, and for a moment I can see the normal background, but then it go's white again and i get the First error message I posted.

Whats going on? :confused

chaslang · Oct 20, 2007

CssSnake6 said: ↑

Whats going on? :confused
Click to expand...

You need to complete the instructions that BJ already gave you because those files are part of what the procedure is meant to fix.

CssSnake6 · Oct 20, 2007

Everything looks fine, I am now able to change my background without getting the error message. I'm gonna wait to see if the problems with avast happen again.

(8 min later)

I'm still getting the problems with avast.
same files, what now?

bjgarrick · Oct 20, 2007

The next step is to run our initial instructions and post the requested logs.

http://www.majorgeeks.com/images/grenade.gif Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

http://www.majorgeeks.com/images/grenade.gif Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

http://www.majorgeeks.com/images/grenade.gifAfter doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

http://www.majorgeeks.com/images/grenade.gif Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around..

http://www.majorgeeks.com/images/grenade.gifWhen you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

CounterSpy Log - only for Windows XP, 2K, & NT users

AVG Antispyware Log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users

Bitdefender Log - from step 6

Panda Scan Log - from step 6

runkeys.txt - the log from GetRunKey.bat

newfiles.txt - the log from ShowNew.bat

HijackThis Log

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
Click to expand...

CssSnake6 · Oct 20, 2007

In step 6A, it says to run the online virus scans, but the internet wont work in safe mode, should I just reboot in normal mode and do it then?

chaslang · Oct 20, 2007

CssSnake6 said: ↑

In step 6A, it says to run the online virus scans, but the internet wont work in safe mode, should I just reboot in normal mode and do it then?
Click to expand...

Step 6A also says

If you cannot connect in safe mode for any reason (like dial-up users), run the online scanners in normal boot mode.
Click to expand...

So the answer is yes, run in normal boot mode.

CssSnake6 · Oct 27, 2007

Ok, I have done all the scans over again, and my computer seems to be clean, And its running fine. The problems with avast and my background are gone.

However, In the event that anything Should happen, I know where to find you guys.

Thanks for the help, and god bless!

bjgarrick · Oct 27, 2007

I would recommend posting the requested logs so we can confirm you're clean. Just because you're not having obvious problems doesn't mean you're not infected.

It's up to you but I would recommend it.

CssSnake6 · Oct 29, 2007

Well, You're the Windows MVP here, so I'll do just that. I have all the logs except the one from Bitdefender (forgot to save it) and Panda never gave me a log or an option to save one.

The BitDefender takes forever to scan my computer, so I'll post another reply with the logs ASAP.

bjgarrick · Oct 30, 2007

Okay! If you can't get the online scan logs, just post what you have and we will go from there. If needed we can run alternate scans later.

CssSnake6 · Oct 31, 2007

Ok, heres the scans.

I had to upload the bit defender scan in a zip folder in this URL cuz it wouldnt let me upload a html file on either this site or fileden

http://www.fileden.com/files/2006/8/6/157975/bdscan.zip

bjgarrick · Nov 4, 2007

Please attach fresh logs from ShowNew, GetRunKey & HijackThis.

CssSnake6 · Nov 12, 2007

Ok, here they are.

chaslang · Nov 12, 2007

If your copy of CounterSpy is the free trial from the READ & RUN ME, uninstall it now since we are finished with it now! Then delete the below folders which may be left behind by the uninstall:
C:\Documents and Settings\Jason Bloomer\Application Data\Sunbelt Software
C:\Documents and Settings\All Users\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software

Also locate the below file and delete it:
C:\WINDOWS\hostctrl.dll

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_13
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Make sure you reboot after uninstalling the above!

Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Now attach the below new logs and tell me how the above steps went.

GetRunKey

ShowNew

Make sure you tell me how things are working now!

CssSnake6 · Nov 13, 2007

The site wont let me upload any more file attachments, so heres a URL link to them:

http://www.fileden.com/files/2006/8/6/157975/runkeys3.txt

http://www.fileden.com/files/2006/8/6/157975/newfiles3.txt

As for the computer, she's running fine. haven't noticed anything slowing it down yet.

chaslang · Nov 13, 2007

CssSnake6 said: ↑

The site wont let me upload any more file attachments, so heres a URL link to them:
Click to expand...

You probably just needed to empty your browser cache and then do a refresh. Then you would probably be able to attach the new logs.

I still see CounterSpy install. Is this a paid version or the copy from the READ ME (looks like it is new to me)? If it is from the READ ME, you need to uninstall it unless you are going to buy it.

ATF-Cleaner and CCleaner are not working properly for you. You need to manually delete all files in the below folder to cleanup a ton of old garbage:
C:\Documents and Settings\Jason Bloomer\Local Settings\Temp\

Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

If we used Pocket Killbox during your cleanup, do the below

Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created.

If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.

If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.

If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.

If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.

If we had you run Avenger, you can delete all files related to Avenger now.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created

If you are running Windows XP or Windows ME, do the below:

go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

CssSnake6 · Nov 15, 2007

Ok, thanks for the help guys. PC is looking great again!

chaslang · Nov 15, 2007

You're welcome. Surf safely.

Log in or Sign up

YourPrivacygaurd related help needed

CssSnake6 Private E-2

bjgarrick MajorGeeks Admin - Malware Expert

CssSnake6 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

CssSnake6 Private E-2

Attached Files:

rapport1.txt

rapport2.txt

bjgarrick MajorGeeks Admin - Malware Expert

CssSnake6 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

CssSnake6 Private E-2

bjgarrick MajorGeeks Admin - Malware Expert

CssSnake6 Private E-2

bjgarrick MajorGeeks Admin - Malware Expert

CssSnake6 Private E-2

Attached Files:

counterspy.txt

newfiles.txt

runkeys.txt

bjgarrick MajorGeeks Admin - Malware Expert

CssSnake6 Private E-2

Attached Files:

hijackthis2.log

newfiles2.txt

runkeys2.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

CssSnake6 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

CssSnake6 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member