A few days ago I accidentally inadvertently clicked upon a popup ad that I was trying to get rid of and a black screen appeared on my desktop replacing my wallpaper with a message that still reads, 'Warning, your computer is infected!'

How the hec do I get rid of this ruddy thing?

I am fairly new to computers, therefore, at this stage will not go into areas of the computer where I have no knowledge. I have tried using various tools to assist me to change this situation, get it back to normal, to no avail so far.

I have on the computer Symantec Premier System Tools 2005 + AVG Grisoft free edition, also running Spybot Search and Destroy, Adaware, CWShredder, AdwareAway, SpySubtract, Trojan Remover, SysClean and finally Norton GoBack.

An hour or so ago I ran the Trojan Remover, at least the computer after running this speeded up considerably, prior to this it was attaining web pages dead slow.

The computer is a Compaq PIII.

Please be patient with me if you would be so kind, walk me through the process and please help to get this machine; virus, trojan, doodah this and doodah that, completely free of all this crap that seems to have found its way on here.

Would really appreciate professional experience upon this from someone trustworthy.

Please keep it as simple as possible.

Thank you ever so much for your time and consideration.

All the best!!

Mark


Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into its own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

Thank you for taking the time to assist with this.

You say that once I have downloaded the self extracting zip file (done) to double click on the file something or other. How do I do this? What do I click on next?

Thank you for your patience!!

Mark

Hi. Just double click on the file you downloaded and follow the prompts. It should self install to C:\Program Files\HijackThis
Go to that location and double click on hijackthis.exe and then follow the instructions from my previous post :).

Some of what you say makes sense, the rest is like the French language, however - Do I now copy and paste the contents into my next reply or ought I to put the dooberry somewhere else? My apologies for my complete lack of computer language!! Appreciate your help and thank you for getting back to me.

So I take it you have scanned with hijackthis and have a log that it created? If so, open the text file and then highlight the entire text by pressing Ctrl+A together. All text should now be highlighted. Now press Ctrl+C and the text will be copied to the clipboard. Hit the reply button here and then press Ctrl+V and the text will be copied here.

--

Click "Start", "Settings", and then click "Control Panel". Open the "Display" applet.
Click on "Desktop", "Customise Display..." and "Web".
In the box under "Web pages" look for a checkbox named "Security". If found select it and click "Delete".

I'm not sure either :D. Did you download from the link that I gave you? What you posted there was an online scanner. I gave you a link for the actual hijackthis program to install on your pc. If you go to other threads here, you will see what is needed to be posted :).
Did you try the other suggestion from my previous post?

Ok I cocked up I can see that, my apologies.

I followed your instructions ( I think (hopefully)):

Click "Start", "Settings", and then click "Control Panel". Open the "Display" applet.
Click on "Desktop", "Customise Display..." and "Web".
In the box under "Web pages" look for a checkbox named "Security". If found select it and click "Delete".

Clicked Start, clicked Settings, went into Control Panel, clicked on Display, so far so good, that made sense, but where the ruddy dickens is Customise Display, not showing up, hmmmmmmmm my apologies for being just ever so slightly thick as five short planks of wood, but what now? :rolleyes:

Oh my giddy aunt, computer language is more baffling than bloomin French!!

Aghhhhhhh!!! You poor sod putting up with me!!

Can we get this any simpler?

I've edited this section for I was not sure whether it was wise to post the entire logfile here. Is that what you need me to do?

Apologies for being so cantankerous.

I've done it wrong I bet haven't I? It's ok, call me a balmpot!!

My bad. In W2000 just click on the web tab not the customise display, which I don't think exists.

As for the log........almost got it. What did you save it in? The log you posted looks like the results from an online scan that you did, yes??

We need to start again from the beginning. Download onto your pc, the hijackthis program from the link that I provided in my first post. Do not go anywhere else :). Scan your pc with that program only. When the scan has finished the scan button will change to a save button. Save the log to your desktop where it will be easy to access. Copy the entire log and paste it back here please.

Ok I'll try, I'm sooo sorry to be such an annoyance.

As a present for you in the meantime feel free to peruse my landscape photographs: http://inlunarsunphotography.myphotoalbum.com/
In your spare time, sit back and enjoy!! Click on any photograph on the left to be taken to a new page, click on Slideshow.

Logfile of HijackThis v1.99.1
Scan saved at 04:47:41, on 06/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINNT\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\inet10079\winlogon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINNT\system32\UMonit2K.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINNT\YumgoHomepageProtector.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\PhotoWise\quicklnk.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\E96RIB65\hijackthis_sfx[1].exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.abebooks.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.abebooks.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abebooks.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.abebooks.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abebooks.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.abebooks.com
F3 - REG:win.ini: run=C:\WINNT\inet10079\winlogon.exe
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\UMonit2K.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet10079\winlogon.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINNT\loader.exe /1
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yumgo's Homepage Protector V1] YumgoHomepageProtector.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet10079\winlogon.exe
O4 - Startup: BJ Status Monitor Canon i350.lnk = C:\Documents and Settings\Administrator\cnmss Canon i350 (Local).exe
O4 - Startup: Norton Disk Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ZDelete Auto-Cleaner - {EB7F329E-F14E-48ae-AB69-4E28C492D382} - C:\PROGRA~1\LSOFTT~1\ACTIVE~1\ZDelete.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://inlunarsunphotography.myphotoalbum.com/EasyUploadTool.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0340C825-7AB5-4835-927F-E28D5DD6D4D7}: NameServer = 80.225.248.178 80.225.248.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{0340C825-7AB5-4835-927F-E28D5DD6D4D7}: NameServer = 80.225.248.178 80.225.248.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Sorry I'm getting a bit slow at this only it is 4:51 in the morning here and I'm ever so knackered. Tell me, have I done it right this time, only I think I followed your instructions to the letter. Please advise if I have done anything wrong.

Cheers mate!!

OK I clicked on Web after doing the Control Panel thingermejiggy but can't see no box with any delete function or something or other???

Looks a lot better. You have the latest version of smitfraud.

-

The annoying message on your desktop is kind of hard to get rid of until you do the following.
Click on the upper edge of the screen and drag it down until you notice a cross in the upper right corner. Click the cross to close the screen and you will have access to your real desktop and can change the settings.
It is a modified explorer screen that is laid between your desktop and the shortcuts on it.

-

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

* I need you to copy all of the Killbox file paths below and paste them into Notepad.

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\System32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\System32\msole32.exe
C:\WINNT\System32\ole32vbs.exe
C:\WINNT\inet10079\winlogon.exe
C:\WINNT\loader.exe
C:\WINNT\System32\LogFiles\A5281300.so
C:\WINNT\System32\winnook.exe
C:\WINNT\System32\desktop.html
C:\WINNT\System32\screen.html


* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths to the clipboard by highlighting ALL of them and pressing CTRL + C

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\WINNT\System32\Log Files
C:\Program Files\Security IGuard
C:\WINNT\inet10079

While still in Safe Mode, do the following:

Make sure all programs and windows are closed, including Internet Explorer. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED

F3 - REG:win.ini: run=C:\WINNT\inet10079\winlogon.exe

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet10079\winlogon.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINNT\loader.exe /1
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet10079\winlogon.exe

Close HiJackThis after hitting the 'fix checked' button.

Reboot into normal mode.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.
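The kind of triage applied to the log above can be sketched in code. This is an added example, not part of the original post and not a HijackThis feature: the rule names, the `SYSTEM_BINARIES` and `PROTECTED_HOST_HINTS` lists and the function names are assumptions made for illustration, and the sample lines are excerpted from the log in this thread (the O1 line is shortened).

```python
import ntpath
import re

# Assumed for this example: core process names that belong only in System32.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "smss.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}

# Assumed for this example: substrings of antivirus / update hostnames.
PROTECTED_HOST_HINTS = ("symantec", "mcafee", "microsoft", "sophos",
                        "f-secure", "kaspersky", "trendmicro")

# Windows path ending in .exe or .dll (spaces in folder names allowed).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)

# Lines excerpted from the log posted in this thread; O1 line shortened.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\winlogon.exe
C:\WINNT\inet10079\winlogon.exe
C:\WINNT\System32\svchost.exe
F3 - REG:win.ini: run=C:\WINNT\inet10079\winlogon.exe
O1 - Hosts: 255.255.255.255 liveupdate.symantec.com download.mcafee.com windowsupdate.microsoft.com ar.atwola.com
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet10079\winlogon.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet10079\winlogon.exe
"""


def misplaced_system_binary(path):
    """True if the file is named like a core system process but does not
    sit directly in a folder called System32."""
    name = ntpath.basename(path).lower()
    parent = ntpath.basename(ntpath.dirname(path)).lower()
    return name in SYSTEM_BINARIES and parent != "system32"


def triage(log_text):
    """Return (rule, detail) pairs for lines that deserve a closer look.
    These are heuristics for a human reviewer, not a verdict."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # F3: program started through the legacy win.ini run=/load= values.
        if line.startswith("F3 - ") and re.search(r"\b(run|load)=", line, re.I):
            findings.append(("legacy-ini-autostart", line))

        # O1: hosts file entries that override antivirus or update sites,
        # which stops the machine from reaching them.
        if line.startswith("O1 - Hosts:"):
            fields = line.split(":", 1)[1].split()
            if fields:
                addr, hosts = fields[0], fields[1:]
                hit = [h for h in hosts
                       if any(k in h.lower() for k in PROTECTED_HOST_HINTS)]
                if hit:
                    findings.append(("hosts-blocks-security-sites",
                                     addr + " -> " + ", ".join(hit)))

        # O2: browser helper object whose file no longer exists.
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(("bho-missing-file", line))

        # Any line: system process name running from an unexpected folder.
        for path in PATH_RE.findall(line):
            if misplaced_system_binary(path):
                findings.append(("system-binary-outside-system32", line))
                break
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

The heuristics do not catch everything the helper listed (for example `C:\WINNT\loader.exe`), so the output is a starting point for review rather than a fix list.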

You REALLY need to cut down on the amount of security and system tools software programs you have installed on that system! You are taking paranoia to a whole new level, it's a wonder your system isn't slowed down to the point of being unusable, and it's a wonder that you are not getting program crashes and blue screens as a result of all those tools trying to run at once!

Hmmmmmm now I'm tempted to agree with you, please advise what I ought to get rid of.

Too, in the past two hours tonight I have had a hell of a job just getting my connection back up and running, and yes, now I have a blue screen too with something called smitfraud virus on it (turned my screen from black to blue).

Please keep each step by step instruction as simple as possible in plain English if you do not mind as at the best of times I find this computer language quite baffling.

Did you enjoy my photos?

Best regards!!

Mark

You said:

Click on the upper edge of the screen and drag it down until you notice a cross in the upper right corner. Click the cross to close the screen and you will have access to your real desktop and can change the settings.
It is a modified explorer screen that is laid between your desktop and the shortcuts on it.

Ok I did that, absolutely nowt happened, well, it did, a white line appeared and if I moved the mouse left or right, by the white line a box appeared then disappeared (sort of), what am I doing wrong now?

Blinkin hec, one of these days I might give up garden design, simply cos it bloomin rains too much here to make it a worthwhile enterprise and take up some sort of software programming instead. If only there was a ghost screen, come box for problems like this that guided you visually every single step of the way. It'd be such an ideal solution and help twats like me from wasting so much of guys like you, time.

Now, where were we?

What do I do next?

Apologies for such ignorance on my part!!

Though your assistance is ever so much appreciated.

I'd much rather be having a conversation about UK politics!!!!!!!!

Bottoms up. Cheers mate!! :rolleyes:

Ok I am trying to follow your instructions to the letter.

I got as far as seeing the hidden files after pressing F8 continuously. They appeared in white letters on a black background.

A few seconds later the computer automatically rebooted of its own accord.

I then experienced my Norton GoBack feature telling me that the Buffers had reached 100% or something or other. (I let it do what it had to)

I followed your instructions re: the KillBox thing and got my files saved into the Notepad box, highlighted them etc etc.

This is where I get as thick as five short planks of wood again I'm afraid!! What the dickens is Windows Explorer? How do I find it? What does it do? How do I get there? How will I know that I am in the right location to carry out the next set of instructions ie; 'Using Windows Explorer, delete the following, if found, (Please Do Not try to find them by 'Search' because they will not show up that way)'

Folders to Delete etc

Stuck :cry: :rolleyes:

What do I do next?

Thank you once again for your patience!! :cheesy:

Windows explorer is what you use to get around on your computer, as opposed to Internet explorer which you use to get around the internet :).
To get to somewhere like your system32 folder, you simply click on My Computer then your 'C' drive, then locate the Windows folder and the system32 folder is in there. Looks like this;
C:\windows\system32

Following all my previous instructions will rid you of the smitfraud infection. Failing that, you will have to do a system restore or reformat :).

Ok here is what I am going to do. I have just somehow put online another old P11 pc, got it online, would you mind if you have time, taking me through step by step on the process of what I have to do?

I think it might be easier from the other machine for you to tell me exactly which buttons to press, what I ought to be seeing, and how to get this whole process running smoothly.

Good Morning btw. Again, thank you for all your help!!

Celtic

Oakey doakey, the old P11 is up and running, streuth, I did it!!

OK, would you mind holding my hand, metaphorically speaking of course, and take me step by step on how to do this, only I'm lost again.

When on the pc with the smitfraud problem, (next door to me on the desk), I started up in SafeMode the first time and via clicking F8 continuously was able to view those hidden files you were on about. Though just now, I did the same again, and could not see the files in question.

From which step would you like me to start over on this process?

I think I might at this rate learn French instead. Actually, maybe not, being typically British, we can't stand the ruddy French even though we have not, with the Americans' assistance, been invaded for over a thousand years. I hope you're not French, if so my sincerest apologies, it's not your fault!! :p

Please pardon me interjecting a sense of humour into this process, if you'd rather I stay on track and not come up with wisecracks, simply tell me to stick a sock in it and I'll gladly oblige.

Cheers me 'andsome!! :rolleyes:

Good morning? It's nearly my bedtime :).

Go to Start/Programs/Accessories and right click on windows explorer. Choose the option to send to desktop.
Once it is there double click on it. A window will pop up. In the left hand panel of that window there will be a list of directories starting with Desktop.
Scroll down the list until you get to my computer. Press the + symbol to the left of it. Double click on your 'C' drive. You will now see all folders (not sub-folders) on the 'C' drive.
The files/folders to be deleted on the 'C' drive such as these;
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
will be found there.

To delete this one; C:\WINNT\sites.ini you need to double click on the WINNT folder that you should be able to see and the sites.ini, C:\WINNT\popuper.exe and the C:\WINNT\loader.exe files will be in there.
Once those files have been deleted just hit the back button at the top left of the windows explorer toolbar and you will be back in the 'C' drive.
From there you should be able to see the system32 folder where the other files from my post 17 will be.
The Program Files folder will also be seen in the 'C' drive view.
I am now off to the shower then bed :).

Happy hunting :mrgreen:

You know what the best thing in England is?

No. Pray, do tell me, for I cannot stick this ruddy country, it gets right up my blinkin nose, first, all it ever does is rains non friggin stop, b/ the people here generally are as miserable as hell, c/ everything is extraordinarily expensive. I can't wait to emigrate myself. Now, since starting on this ruddy thing, I had put my lunch in the oven to heat it up, got so engrossed in what I am supposed to be doing, that I forgot all about it, just went to check it just now and found the ruddy meal had been burnt to a ruddy cinder, ruddy streuth, tis all too much!! :cry:

Anyway. Looking on the positive side of things. There are no problems, only solutions :D

Ok, in front of me, on the pc with the ruddy virus, I have got into some folder or something or other called C:/WINNT whatever the ruddy dickens that is. I'm looking for the doodahs that you mentioned as per your last message, but can't seem to see them, what the ruddy dickens do I do now? Ought I to highlight them all (somehow) and send them to you in a pm, so that you can advise which ones I need to be clicking on next? Or is that not a good idea?

Hope everything is going well for you down under, apologies for the assumption that you were an American, I didn't mean to insult you.

Tally ho!! Rest well.

:o Celtic

Bloody emoticons, I can't stand the darn things, who invented them anyway?

You know what the best thing in England is?

The way to Australia :D.

Have to admit to being a Pom, but I have been here for over 30 years now, so I suppose I should be an aussie by now :).

If you go up a couple of posts you will see where I explained as best I could, where you will find those files/folders. To delete them you simply right click on them one at a time and select delete. Click yes when asked for confirmation.
Some of these files may be hidden, so before you go hunting do the following;

Go to Start/Settings/Control Panel and double click on folder options. There should be four Tabs at the top of the window that just popped up, one of them being 'view.' Hit that button. Now look for Show hidden files and folders and put a dot in the round radio button to the left of that line. Click apply, then ok.

Now go hunting :D.

Yes Sir!!

Now get thee ass to bed. Hopefully, see you in the morning. Rest well.

Hmmmmmmm now Celtic, before you get too exasperated (darn it the other pc, just booted down automatically for some unfathomable reason) (sighhhhhhh), ok, breathe in, breathe out, there you go, easy does it, ruddy as cantankerous as my ole windbag girlfriend the thing is, ok I'll try your next set of commandments.

Good job weren't it that Moses on climbing Mount Sinai and having a conversation with God didn't receive said instructions on a laptop, think about the confusion that might have ensued if he hadn't instead with the wisdom he had, written everything down on tablets of stone!!

Good night, God Bless!!

hello all,

can you show how to get rid of this virus with windows XP operating system..


thanks in advance
jephino
