Author Topic: A VERY NEWBIE NEEDS HELP WITH VIRUS  (Read 9590 times)


kILES

  • Guest
A VERY NEWBIE NEEDS HELP WITH VIRUS
« on: January 29, 2008, 02:58:46 PM »
:-[ So sorry! I'm new to using the internet and not very good at going about it. I got a message that a virus was detected and was put in the chest. I've deleted it already, so I don't know :-[ However, at the taskbar it still flashes with a red cross and a blue question mark. (Stupid me) clicked on it and it was "www.virprotect.com"... they're an anti-spyware protection site. It wants me to install from them. I will get a pop-up saying System Alert, saying it has detected spyware and to stop any corruption etc. it wants me to install. I don't want them, I never did!! >:( But can someone please tell me step by step what to do, because I can't seem to get rid of it!!
I have wireless broadband... Windows XP (Home Edition)...
I really really appreciate it! :) :-*

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: A VERY NEWBIE NEEDS HELP WITH VIRUS
« Reply #1 on: January 29, 2008, 03:11:23 PM »
Hi kILES,

You are right not to want this product: it's a scam intended to steal your money.

Run these tools and see if they help:

http://www.malwarebytes.org/rogueremover.php

http://siri.geekstogo.com/SmitfraudFix.php

Also try these scanners:

AVG Anti-Spyware Free (Requires Win2k/XP)

Spybot Search & Destroy

SUPERAntiSpyware Free

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware- a rare but not unknown event for any malware scanner.

When you have finished, scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.

kILES
Re: A VERY NEWBIE NEEDS HELP WITH VIRUS
« Reply #2 on: February 05, 2008, 02:24:45 PM »
Hi  :)
Thanks for the help. I tried what you suggested, however it only worked for about a day! But the little icon still appears, flicking away at the bottom by the clock >:(.. I get a system alert saying the following: "System has detected a number of spyware applications that may impact the performance of your computer. Click the icon to get rid of unwantd spyware by downloading an up-to-date spyware solution" (see my previous post)... I moved them to the chest!... Also I had a look at the virus.. these are what I found, if it helps in any way... "win32:Adware-gen[Adw]"... win32:zlob-AJZ[trj] has been detected... "win32:zlobAKN[trj]"... I have now since deleted it but I STILL get the little icon at the bottom by the clock!!
Your help is GREATLY APPRECIATED! :) :) :) :-*
Thanks..kILES ???

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: A VERY NEWBIE NEEDS HELP WITH VIRUS
« Reply #3 on: February 05, 2008, 02:52:27 PM »
Please download SmitfraudFix (by S!Ri) to your Desktop.
Download this tool from: http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply as an attachment. The report can be found at the root of the system drive, usually at C:\rapport.txt

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool";
it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

kILES
Re: NEWBIE NEEDS HELP WITH VIRUS... SmitfraudFix attachment
« Reply #4 on: February 06, 2008, 12:04:09 PM »
Hi.. Hope I've done it right... I've attached the report..
« Last Edit: February 06, 2008, 12:06:15 PM by kILES »

Offline oldman
Re: A VERY NEWBIE NEEDS HELP WITH VIRUS
« Reply #5 on: February 06, 2008, 04:43:56 PM »
Please note, the cleaning may take some time, so let it run to completion.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Please post the C:\rapport.txt and a HJT log in your next reply.

You will also need this:

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

kILES
Re: NEWBIE NEEDS HELP WITH VIRUS(?).. HijackThis attachment
« Reply #6 on: February 08, 2008, 11:27:43 AM »
Thank goodness I don't have the annoying icon anymore. I followed the steps.. please find the 1st attachment (HijackThis).

Offline oldman
Re: A VERY NEWBIE NEEDS HELP WITH VIRUS
« Reply #7 on: February 08, 2008, 02:13:24 PM »
Hi

Please post the log produced by SmitfraudFix after you ran it the second time, so we can see the cleaning results.

The usual location is C:\rapport.txt

Open Spybot and make sure TeaTimer is disabled; we will re-enable it afterwards. To do so, do the following:

Click Mode
Click Advanced mode
If you get a warning, answer "yes"
Click Tools
Click Resident
Uncheck Resident "TeaTimer" and SDHelper if installed
Click Allow change
Reboot


Open HJT, run a system scan only, and check mark these lines if present:

O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8685CC} - C:\Program Files\Helper\1201605123.dll (file missing)
O22 - SharedTaskScheduler: esperantido - {67dc0736-075a-4647-95f5-d5421b838fed} - C:\WINDOWS\System32\svxmhpz.dll (file missing)


Close all other browsers/windows, click fix, close HJT.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Even though your java is up to date, it looks like some older versions may still be present. The old versions can be exploited by malware.

Please go to Add/Remove Programs and uninstall anything that says Sun Java, Java JRE, or similar, except Java TM 6 Update 4.

Open Windows Explorer and navigate to C:\Program Files\Java. Delete any subfolders except the subfolder jre1.6.0_04, which is the newest.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!


« Last Edit: February 08, 2008, 02:40:39 PM by oldman »
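
The two HijackThis lines the reply above asks to tick both end in "(file missing)": the registry still references a DLL that the earlier cleaning removed. The parser below is an added example for triaging such lines (it is not HijackThis code and not from this thread); the third and fourth sample lines, with their names, CLSID and paths, are constructed for illustration, and the parser skips lines of other shapes such as O4 entries.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not HijackThis code. A HijackThis line with a CLSID has the shape

    <section> - <kind>: <name> - {<CLSID>} - <path> [(file missing)]

The parser splits those fields out and flags entries whose backing DLL is no
longer on disk: a registry reference left behind after cleaning, which is what
the two lines quoted in the reply above show.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the two lines from the reply above, plus one healthy BHO
# entry and one O4 Run entry whose names, CLSID and paths are made up.
SAMPLE_LOG = """\
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8685CC} - C:\\Program Files\\Helper\\1201605123.dll (file missing)
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O22 - SharedTaskScheduler: esperantido - {67dc0736-075a-4647-95f5-d5421b838fed} - C:\\WINDOWS\\System32\\svxmhpz.dll (file missing)
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
"""

HJT_LINE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)


@dataclass
class HjtEntry:
    section: str       # O2 = browser helper object, O22 = SharedTaskScheduler, ...
    kind: str
    name: str
    clsid: str         # kept exactly as logged (case varies between entries)
    path: str
    file_missing: bool


def parse_hjt_lines(text: str) -> List[HjtEntry]:
    """Parse the CLSID-bearing lines; lines of other shapes are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m is None:
            continue
        entries.append(HjtEntry(
            section=m["section"], kind=m["kind"], name=m["name"],
            clsid=m["clsid"], path=m["path"],
            file_missing=m["missing"] is not None,
        ))
    return entries


def orphaned_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries pointing at a DLL that no longer exists. Nothing loads from
    them, so they are the usual candidates to tick in HJT's fix list."""
    return [e for e in entries if e.file_missing]


def fix_list(entries: List[HjtEntry]) -> List[str]:
    """Render the orphaned entries back in HJT's own line format, so they can
    be compared against the lines a helper asks you to tick."""
    return [f"{e.section} - {e.kind}: {e.name} - {{{e.clsid}}} - {e.path} (file missing)"
            for e in orphaned_entries(entries)]


if __name__ == "__main__":
    for line in fix_list(parse_hjt_lines(SAMPLE_LOG)):
        print(line)
```

Run it as-is and it prints the two orphaned lines from the reply; point it at a full saved HJT log instead of SAMPLE_LOG to list every "(file missing)" entry before deciding what to fix.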

kILES
Re: DSS main.txt attachment
« Reply #8 on: February 09, 2008, 01:00:42 PM »
DSS main.txt attachment

kILES
Re: DSS extra.txt attachment (2 of 3 attachments)
« Reply #9 on: February 09, 2008, 01:02:26 PM »
DSS extra.txt attachment (2 of 3 attachments)

kILES
Re: SmitfraudFix attachment too large to post
« Reply #10 on: February 09, 2008, 01:58:27 PM »
I was unable to attach the SmitfraudFix file as it said it was too large, which was why I couldn't before!!... ???

Offline oldman
Re: A VERY NEWBIE NEEDS HELP WITH VIRUS
« Reply #11 on: February 09, 2008, 08:46:13 PM »
This looks pretty good, just a little more to go.

This one is a rogue, so go to Add/Remove Programs and uninstall it, if present:

RegSort v1.1.5



Please submit these files for analysis

To submit a file to VirusTotal, please click on this link:

www.virustotal.com

Copy and paste the following into the "upload a file" box (one at a time if more than one file is listed):

C:\ws2

Scroll down a bit and click "Send file", wait for the results and post them in your next reply.


Open a new Notepad and copy and paste the following into it:


@echo off
dir "C:\890f15220779759dc064" >> look.txt
start look.txt


Click File, Save As. Save it to the desktop, name it look.bat, and set the file type as All Files, then click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double-click it; a Notepad will appear. Save it to your desktop so you can attach it to your next reply.



Please download OTMoveIt2 by OldTimer.


Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\WINDOWS\system32\tmp.reg
C:\Program Files\RegSort v1.1.5
 



Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.


Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
 C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Please post the results from all three. Thanks.

kILES
Re: Hi! VirusTotal attachment
« Reply #12 on: February 10, 2008, 06:07:52 AM »
VirusTotal attachment...
Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.08 -
Authentium 4.93.8 2008.02.08 -
Avast 4.7.1098.0 2008.02.09 -
AVG 7.5.0.516 2008.02.09 -
BitDefender 7.2 2008.02.10 -
CAT-QuickHeal None 2008.02.08 -
ClamAV 0.92 2008.02.10 -
DrWeb 4.44.0.09170 2008.02.09 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5522 2008.02.08 -
Ewido 4.0 2008.02.09 -
FileAdvisor 1 2008.02.10 -
Fortinet 3.14.0.0 2008.02.10 -
F-Prot 4.4.2.54 2008.02.10 -
F-Secure 6.70.13260.0 2008.02.09 -
Ikarus T3.1.1.20 2008.02.10 -
Kaspersky 7.0.0.125 2008.02.10 -
McAfee 5226 2008.02.08 -
Microsoft 1.3204 2008.02.10 -
NOD32v2 2861 2008.02.09 -
Norman 5.80.02 2008.02.08 -
Panda 9.0.0.4 2008.02.09 -
Prevx1 V2 2008.02.10 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.09 -
Sunbelt 2.2.907.0 2008.02.09 -
Symantec 10 2008.02.10 -
TheHacker 6.2.9.215 2008.02.09 -
VBA32 3.12.6.0 2008.02.09 -
VirusBuster 4.3.26:9 2008.02.09 -
Webwasher-Gateway 6.6.2 2008.02.10 -
Additional information
File size: 24 bytes
MD5: 2183c7b13690e5243ad4686bc296181f
SHA1: 6edb418b46670e8c85f45388826fa564ef3c60e8
PEiD: -
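
The table pasted above has one engine per line with "-" meaning no detection, followed by the file size, MD5 and SHA1. As an added example (not VirusTotal's code and not from this thread), the script below parses a report of that shape, counts detections, and checks a local file against the reported size and hashes so you can confirm the scanned file is the one you meant to submit. The ExampleAV row and its result are constructed to show how a detection line is parsed; the hashes are the ones pasted above, and the 24-byte test input is constructed, so its hashes will not match them.

```python
"""Reading a VirusTotal-style results table and checking the file hashes.

Added example, not VirusTotal's code. The pasted table has one engine per line,

    <engine> <version> <last-update> <result>

with "-" meaning the engine raised nothing, followed by "File size", "MD5" and
"SHA1" lines. The code counts detections and checks a local file against the
reported size and hashes.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the table's shape. The ExampleAV row and
# its result are made up; the size and hashes are the ones pasted in the thread.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
ExampleAV 1.0 2008.02.10 Trojan.Example.A
Avast 4.7.1098.0 2008.02.09 -
Webwasher-Gateway 6.6.2 2008.02.10 -
Additional information
File size: 24 bytes
MD5: 2183c7b13690e5243ad4686bc296181f
SHA1: 6edb418b46670e8c85f45388826fa564ef3c60e8
PEiD: -
"""

# An engine row: name, version, update date (YYYY.MM.DD), then the verdict.
ROW = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) "
                 r"(?P<updated>\d{4}\.\d{2}\.\d{2}) (?P<result>.+)$")
# The "Additional information" lines that describe the submitted file.
META = re.compile(r"^(?P<key>File size|MD5|SHA1|PEiD): (?P<value>.+)$")

Row = Dict[str, Optional[str]]


def parse_report(text: str) -> Tuple[List[Row], Dict[str, str]]:
    """Split a pasted report into engine rows and the file metadata."""
    rows: List[Row] = []
    meta: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = ROW.match(line)
        if m:
            rows.append({"engine": m["engine"], "version": m["version"],
                         "updated": m["updated"],
                         "result": None if m["result"] == "-" else m["result"]})
            continue
        m = META.match(line)
        if m:
            meta[m["key"].lower()] = m["value"].strip()
    return rows, meta


def summarize(rows: List[Row]) -> Dict[str, object]:
    """Detection count plus the (engine, verdict) pairs that fired."""
    hits = [(r["engine"], r["result"]) for r in rows if r["result"]]
    return {"engines": len(rows), "detections": len(hits), "hits": hits}


def hashes_of(data: bytes) -> Dict[str, str]:
    """Size and hashes in the same keys the report uses."""
    return {"file size": f"{len(data)} bytes",
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def verify_hashes(data: bytes, meta: Dict[str, str]) -> Dict[str, bool]:
    """True per field when the local file matches what the report describes."""
    local = hashes_of(data)
    return {key: local[key] == meta[key].lower()
            for key in ("file size", "md5", "sha1") if key in meta}


if __name__ == "__main__":
    rows, meta = parse_report(SAMPLE_REPORT)
    print(summarize(rows))
    # Constructed stand-in for the submitted file; replace with open(path, "rb").read().
    print(verify_hashes(b"constructed 24-byte file", meta))
```

A zero-detection result on a 24-byte file, as in the thread, says little by itself: a file that small is usually a stub or leftover rather than an executable, and the size and hash check is what tells you the right file was uploaded.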

kILES
Re: Notepad attachment (2 of 3)
« Reply #13 on: February 10, 2008, 06:18:48 AM »
Notepad attachment.. look.txt

kILES
Re: OTMoveIt results attachment (3 of 3)
« Reply #14 on: February 10, 2008, 06:27:23 AM »
OTMoveIt results... thanks
C:\WINDOWS\system32\tmp.reg moved successfully.
C:\Program Files\RegSort v1.1.5 moved successfully.
 
OTMoveIt2 v1.0.19 log created on 02102008_182444