
virus

Old 07-07-2005, 05:26 PM
  #1  
3.0 BAR
Thread Starter
 
rudebwoy's Avatar
 
Join Date: Mar 2003
Posts: 4,217
Default virus

My computer has just been virused by W32.DESKTOPHIJACK, and TROJAN-SPY.HTML.SMITHFRAUD.COM. They started with **** sites and gambling sites popup. Now my computer is fucked. Still trying to clear it. This sucks! Hope they don't get my laptop since I am currently using it. My desktop is fucked.
rudebwoy is offline  
Old 07-07-2005, 05:35 PM
  #2  
1.0 BAR
 
tukinnam's Avatar
 
Join Date: Aug 2003
Posts: 302
Default Re: virus

Originally Posted by rudebwoy
My computer has just been virused by W32.DESKTOPHIJACK, and TROJAN-SPY.HTML.SMITHFRAUD.COM. They started with **** sites and gambling sites popup. Now my computer is fucked. Still trying to clear it. This sucks! Hope they don't get my laptop since I am currently using it. My desktop is fucked.
quotes from http://forums.techguy.org/archive/t-374465.html

flrman1
23-Jun-2005, 11:01 AM
Please read these instructions carefully and copy them to notepad! Save the notepad file to your desktop so you will have it to refer to. Be sure to follow ALL instructions!


* Go here (http://www.filehippo.com/download_ccleaner.html) to download CCleaner.
Install CCleaner
Launch CCleaner and look in the upper right corner and click on the "Options" button.
Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
Click OK
Do not run CCleaner yet. You will run it later in safe mode.


* Click Here (http://www.downloads.subratam.org/KillBox.exe) and download Killbox and save it to your desktop.


* Click here (http://metallica.geekstogo.com/smitfraud.reg) to download smitfraud.reg. Download it and "Save" it to your desktop and have it ready to run later.


* Click here (http://service1.symantec.com/SUPPORT...01052409420406) for info on how to boot to safe mode if you don't already know how.


* Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
PSGuard
Search Maid

Exit Add/Remove Programs.


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe


* Restart your computer into safe mode now. Perform the following steps in safe mode:



* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\wp.exe

C:\wp.bmp

C:\bsw.exe

C:\Windows\sites.ini

C:\Windows\popuper.exe

C:\Windows\system32\hhk.dll

C:\Windows\System32\wldr.dll

C:\Windows\System32\wp.bmp

C:\Windows\System32\helper.exe

C:\Windows\System32\intmon.exe

C:\Windows\System32\shnlog.exe

C:\WINDOWS\System32\OLEADM.dll

C:\Windows\System32\intmonp.exe

C:\WINDOWS\system32\hp8675.tmp

C:\WINDOWS\System32\winnook.exe

C:\WINDOWS\desktop.html

C:\Windows\system32\hookdump.exe

C:\Windows\System32\msmsgs.exe

C:\Windows\system32\msole32.exe

C:\WINDOWS\system32\hp5C68.tmp

C:\Program Files\PSGuard\PSGuard.exe

C:\WINDOWS\System32\spoolsrv32.exe

C:\Windows\System32\ole32vbs.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


* Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

Find and delete these folders if they exist:

C:\Program Files\PSGuard
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Program Files\Security IGuard
C:\WINDOWS\System32\Services
C:\Windows\System32\Log Files



* IMPORTANT!: If you forget to run the smitfraud.reg file you may not be able to boot your computer normally. DO NOT forget this step. Locate smitfraud.reg on your desktop and double-click on it. When asked if you want to merge with the registry click YES. After you receive the prompt "merged successfully", follow the rest of the instructions below.


* Start CCleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Restart back into Windows normally now.


* Download the Hoster from here (http://www.funkytoad.com/download/hoster.zip). Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.


* Run ActiveScan online virus scan here (http://www.pandasoftware.com/activescan/).

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
tukinnam is offline  
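
An added example, not part of the quoted instructions or of any tool they name: a Python script that reads HijackThis O4 autorun lines and flags those pointing at files or folders from the list in the post above. The function names, the subset of paths chosen, and the sample log's ExampleTray and intmon lines are constructed for illustration.

```python
import re
from ntpath import normcase, normpath

# Subset of the files and folders named in the quoted instructions.
LISTED_FILES = [
    r"C:\Program Files\PSGuard\PSGuard.exe",
    r"C:\WINDOWS\System32\spoolsrv32.exe",
    r"C:\Windows\System32\intmon.exe",
    r"C:\Windows\popuper.exe",
]
LISTED_FOLDERS = [r"C:\Program Files\PSGuard", r"C:\Program Files\Search Maid"]

# O4 line shape as shown in the post: O4 - HIVE\..\Key: [name] command
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

def norm(path):
    # Windows paths are case-insensitive and the list mixes WINDOWS/Windows,
    # System32/system32, so compare on a lower-cased, normalised form.
    return normcase(normpath(path.replace('"', "").strip()))

FILES = {norm(p) for p in LISTED_FILES}
FOLDERS = tuple(norm(p) + "\\" for p in LISTED_FOLDERS)

def flag_autoruns(log_text):
    """Return (hive, key, name, command) for O4 entries hitting a listed path."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        target = norm(command)  # assumption: a path, optionally with arguments
        in_files = target in FILES or any(target.startswith(f + " ") for f in FILES)
        if in_files or target.startswith(FOLDERS):
            hits.append((hive, key, name, command))
    return hits

# Constructed sample: the two O4 lines from the post plus two constructed lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKLM\..\Run: [intmon] c:\windows\system32\INTMON.EXE /start
"""

if __name__ == "__main__":
    for hit in flag_autoruns(SAMPLE_LOG):
        print(hit)
```

Running the same check on the new HijackThis log after the cleanup shows whether any of the listed autorun entries came back.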
Old 07-07-2005, 09:45 PM
  #3  
0.0 BAR
 
Bone1's Avatar
 
Join Date: Jan 2005
Posts: 0
Default Re: virus

http://housecall.trendmicro.com/
Bone1 is offline  