HomemadeTurbo - DIY Turbo Forum


rudebwoy 07-07-2005 05:26 PM

virus
 
My computer has just been virused by W32.DESKTOPHIJACK and TROJAN-SPY.HTML.SMITHFRAUD.COM. They started with porn site and gambling site popups. Now my computer is fucked. Still trying to clear it. This sucks! Hope they don't get my laptop, since I am currently using it. My desktop is fucked.

tukinnam 07-07-2005 05:35 PM

Re: virus
 

Originally Posted by rudebwoy
My computer has just been virused by W32.DESKTOPHIJACK and TROJAN-SPY.HTML.SMITHFRAUD.COM. They started with porn site and gambling site popups. Now my computer is fucked. Still trying to clear it. This sucks! Hope they don't get my laptop, since I am currently using it. My desktop is fucked.

quotes from http://forums.techguy.org/archive/t-374465.html


flrman1
23-Jun-2005, 11:01 AM
Please read these instructions carefully and copy them to notepad! Save the notepad file to your desktop so you will have it to refer to. Be sure to follow ALL instructions!


* Go here (http://www.filehippo.com/download_ccleaner.html) to download CCleaner.
Install CCleaner
Launch CCleaner and look in the upper right corner and click on the "Options" button.
Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
Click OK
Do not run CCleaner yet. You will run it later in safe mode.


* Click Here (http://www.downloads.subratam.org/KillBox.exe) and download Killbox and save it to your desktop.


* Click here (http://metallica.geekstogo.com/smitfraud.reg) to download smitfraud.reg. Download it and "Save" it to your desktop and have it ready to run later.


* Click here (http://service1.symantec.com/SUPPORT...01052409420406) for info on how to boot to safe mode if you don't already know how.


* Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
PSGuard
Search Maid

Exit Add/Remove Programs.


* Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked".

O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe


* Restart your computer into safe mode now. Perform the following steps in safe mode:



* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\wp.exe

C:\wp.bmp

C:\bsw.exe

C:\Windows\sites.ini

C:\Windows\popuper.exe

C:\Windows\system32\hhk.dll

C:\Windows\System32\wldr.dll

C:\Windows\System32\wp.bmp

C:\Windows\System32\helper.exe

C:\Windows\System32\intmon.exe

C:\Windows\System32\shnlog.exe

C:\WINDOWS\System32\OLEADM.dll

C:\Windows\System32\intmonp.exe

C:\WINDOWS\system32\hp8675.tmp

C:\WINDOWS\System32\winnook.exe

C:\WINDOWS\desktop.html

C:\Windows\system32\hookdump.exe

C:\Windows\System32\msmsgs.exe

C:\Windows\system32\msole32.exe

C:\WINDOWS\system32\hp5C68.tmp

C:\Program Files\PSGuard\PSGuard.exe

C:\WINDOWS\System32\spoolsrv32.exe

C:\Windows\System32\ole32vbs.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


* Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

Find and delete these folders if they exist:

C:\Program Files\PSGuard
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Program Files\Security IGuard
C:\WINDOWS\System32\Services
C:\Windows\System32\Log Files



* IMPORTANT!: If you forget to run the smitfraud.reg file you may not be able to boot your computer normally. DO NOT forget this step. Locate smitfraud.reg on your desktop and double-click on it. When asked if you want to merge with the registry, click YES. After you receive the prompt "merged successfully", follow the rest of the instructions below.


* Start CCleaner and click Run Cleaner.


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Restart back into Windows normally now.


* Download the Hoster from here (http://www.funkytoad.com/download/hoster.zip). Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.


* Run ActiveScan online virus scan here (http://www.pandasoftware.com/activescan/).

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
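
Added example (not part of the thread or of the quoted instructions): a check of a fresh HijackThis log for O4 autorun entries that still point at files or folders named in the steps above. It handles only the registry Run-key form of O4 lines shown in the post; the function names and the last two sample lines are made up for illustration.

```python
import re
from pathlib import PureWindowsPath

# Subset of the files and folders named in the removal steps above.
LISTED_FILES = {p.lower() for p in (
    r"C:\Program Files\PSGuard\PSGuard.exe",
    r"C:\WINDOWS\System32\spoolsrv32.exe",
    r"C:\Windows\System32\intmon.exe",
    r"C:\Windows\popuper.exe",
)}
LISTED_FOLDERS = [PureWindowsPath(p) for p in (
    r"C:\Program Files\PSGuard",
    r"C:\Program Files\Search Maid",
    r"C:\Program Files\Virtual Maid",
    r"C:\Program Files\Security IGuard",
)]

# Registry autorun line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[([^\]]*)\] (.+)$")

# Constructed sample: first two lines are quoted in the post, last two are made up.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [intmon] c:\windows\system32\INTMON.EXE /q
"""

def executable_of(cmd):
    """Return the executable path from an autorun command, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.(?:exe|dll|com|bat|scr))(?:\s|$)", cmd)
    return m.group(1) if m else cmd

def leftover_autoruns(log_text):
    """Return (key, name, path) for O4 entries still pointing at a listed item."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        key, name, cmd = m.groups()
        path = PureWindowsPath(executable_of(cmd))
        in_folder = any(f in path.parents for f in LISTED_FOLDERS)
        if str(path).lower() in LISTED_FILES or in_folder:
            hits.append((key, name, str(path)))
    return hits
```

An empty result from leftover_autoruns() on the new log means none of the listed autorun targets remain registered; Windows paths are compared case-insensitively, so C:\WINDOWS and c:\windows match.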

Bone1 07-07-2005 09:45 PM

Re: virus
 
http://housecall.trendmicro.com/

