Kimberly wrote:
Hello cedarboy88,
Delete all instances of SmitfraudFix or Smitrem; we will use the latest version since it's updated almost daily. There is a new variant of SpyFalcon running in the wild and I think you might be affected by it.
Other than that, you have a trojan on your PC, and Messenger Plus 3 comes bundled with LOP (known to change your homepage). I recommend uninstalling Messenger Plus 3.
I would like to see a startup list as a start too, please. The fact that you are unable to remove the infection may be related to different issues. Please follow the instructions below and post the requested logs. The Registry may be disabled, or we might find ourselves confronted with a rootkit.
Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Before we start to fix your computer, I would like you to move HijackThis to its own folder. Do not attempt to fix anything before you have moved HijackThis.
Create a folder for HijackThis on the C: drive called C:\HJT. You can do this by going to My Computer, then double-clicking on C:, then right-clicking and selecting New, then Folder, and naming it HJT.
Locate HijackThis.exe and right-click on it, select Cut, right-click in the folder you just created and select Paste.
______________________________
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
______________________________
Download WinPFind.zip to your Desktop or to your usual Download Folder.
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
______________________________
Make sure that you can see hidden files.
______________________________
- Click Start.
- Click My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Uncheck the Hide file extensions for known file types.
- Click OK.
Reboot your computer in Safe Mode.
______________________________
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login under your account.
Run HijackThis, click on "None of the above, just start the program", then click on Scan. Put a check in the box on the left side of the following items if still present:
O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)
Close ALL windows and browsers except HijackThis and click Fix Checked.
______________________________
Using Windows Explorer, Search and Delete these Files if listed:
C:\WINDOWS\system32\winjyp32.dll
If you get an error when deleting a file, right-click on the file and check to see if the Read-only attribute is checked. If it is, uncheck it and try again.
Using Windows Explorer, navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Note: You will probably find a lot of files with random names like in the sample below (all are *.tmp or *.tmp.exe). Make sure you get them all or you will get reinfected by the trojan! Let me know if you are unable to delete them.
C:\WINDOWS\Temp\win53D.tmp
C:\WINDOWS\Temp\win53F.tmp.exe
Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
______________________________
Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and pressing Enter.
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!
______________________________
Reboot in Normal Mode.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on Configure Scan Options.
Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All, uncheck Run Addon's and click Apply.
Click on the Start Scan button and wait for it to finish.
Please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________
Please do an online scan with Kaspersky Online Scanner.
Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
______________________________
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (If available otherwise Standard)
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
Run HijackThis, click on Open the Misc Tools Section, put a checkmark in List also minor sections and List empty sections. Click on Generate StartupList log, answer Yes and copy/paste the content in your reply.
Click Back and click on Scan. When the scan is finished, click Save Log and paste the content in your reply.
______________________________
Download Findlop to your Desktop
http://metallica.geekstogo.com/findlop.zip
Create a folder for Findlop on the C: drive called C:\lop. You can do this by going to My Computer, then double-clicking on C:, then right-clicking and selecting New, then Folder, and naming it lop. Extract all the files from the zip archive into that folder.
Open the lop folder and double-click findlop.bat; it will create the file C:\findlop.txt.
Copy the content into your next post.
______________________________
Please post (you may need several replies to post the requested logs, otherwise they might get cut off):
- c:\rapport.txt
- Winpfind log
- Results of the Kaspersky Scan
- A new HijackThis log and the startuplist
- C:\findlop.txt
Kim
I don't know when you wrote this, but I'm facing the same problem.
But your instructions don't seem to work.
I posted a HijackThis log below.
You said something about removing winjyp32.dll, but I didn't have that.
But please note this:
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
I think I saw it once ending with "(file missing)". Is this the problem?? (I was scanning in Safe Mode.)
Any help is appreciated.
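As an added example (not from either post above), the O20 Winlogon Notify entries that HijackThis reports can be checked directly from the registry: the script below lists every Notify package, resolves a bare DLL name against System32 the way Winlogon does, and reports whether the file is missing or unsigned. It is read-only and assumes Windows PowerShell is available on the machine, which an XP-era system may not have out of the box.

```powershell
# Added example, not part of the thread: audit Winlogon Notify packages
# (the entries HijackThis lists as O20). Read-only; run from an elevated prompt.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

if (-not (Test-Path $notifyKey)) {
    Write-Host 'No Winlogon\Notify key present (normal on Windows Vista and later).'
    return
}

foreach ($sub in Get-ChildItem $notifyKey) {
    $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
    if (-not $dll) { continue }

    # A bare file name (e.g. "winjyp32.dll") is loaded from System32,
    # which is exactly how HijackThis resolves it before saying "file missing".
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $system32 $dll }

    if (-not (Test-Path -LiteralPath $dll)) {
        $status = 'FILE MISSING (orphaned entry)'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -eq 'Valid') {
            $status = 'signed: ' + $sig.SignerCertificate.Subject
        } else {
            $status = 'UNSIGNED - inspect before trusting'
        }
    }
    '{0,-12} {1,-45} {2}' -f $sub.PSChildName, $dll, $status
}

# The thread's other indicator: executables dropped as *.tmp.exe in the Windows Temp folder.
Get-ChildItem (Join-Path $env:SystemRoot 'Temp') -Filter '*.tmp.exe' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime
```

On a clean Windows XP install the Notify subkeys belong to Microsoft components and resolve to signed DLLs; a random-named entry such as wineij32 that is missing or unsigned is what the removal steps above target.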