I worm_attck v122.02a

  • Thread starter: Richard Bentley

Richard Bentley

As the subject title says, I think I have a worm/spyware that I can't delete
using the new Windows Defender.

Do you know a really easy way of deleting the spyware?

I'm at the end of my wits with this infection.
As far as I know it's a scam to get me to buy an adware programme to remove
the annoyance!!!

I found an article explaining how to remove the worm,
but failed to follow the instructions.

Please help.
 
From: "Richard Bentley" <[email protected]>

| As the subject title says, I think I have a worm/spyware that I can't delete
| using the new Windows Defender.
|
| Do you know a really easy way of deleting the spyware?
|
| I'm at the end of my wits with this infection.
| As far as I know it's a scam to get me to buy an adware programme to remove
| the annoyance!!!
|
| I found an article explaining how to remove the worm,
| but failed to follow the instructions.
|
| Please help.
|



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_06


http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Part 2
-----------

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
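
Added example, not part of the original posts: the folder check described in the reply above (only jre1.5.0_06 should exist under C:\Program Files\Java), written as a small Python script. The folder-name prefixes it recognises and the sample folder layout are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

JAVA_ROOT = r"C:\Program Files\Java"   # location named in the post
MINIMUM = (1, 5, 0, 6)                 # JRE 5.0 Update 6, i.e. jre1.5.0_06

# Assumption: Sun installers name folders like "jre1.5.0_06" or "j2re1.4.2_08"
# (also "jdk..." / "j2sdk..." for development kits).
_JRE_DIR = re.compile(
    r"^(?:j2re|jre|jdk|j2sdk)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$", re.IGNORECASE
)


def parse_jre_folder(name):
    """Return (major, minor, patch, update) for a Java folder name, else None."""
    match = _JRE_DIR.match(name)
    if not match:
        return None
    major, minor, patch, update = match.groups()
    # A folder without an "_NN" suffix is the base release (update 0).
    return (int(major), int(minor), int(patch), int(update or 0))


def audit_java_root(root, minimum=MINIMUM):
    """Sort the sub-folders of the Java directory into ok / outdated / unrecognised."""
    findings = {"ok": [], "outdated": [], "unrecognised": []}
    root = Path(root)
    if not root.is_dir():
        return findings            # no Java folder at all: nothing to remove
    for entry in sorted(root.iterdir(), key=lambda p: p.name):
        if not entry.is_dir():
            continue
        version = parse_jre_folder(entry.name)
        if version is None:
            findings["unrecognised"].append(entry.name)   # needs a manual look
        elif version < minimum:
            findings["outdated"].append(entry.name)       # older than Update 6
        else:
            findings["ok"].append(entry.name)
    return findings


def build_sample_root(base):
    """Create a constructed sample layout (not taken from any real machine)."""
    for name in ("jre1.5.0_06", "j2re1.4.2_08", "jre1.5.0_04", "jre1.5.0", "notes"):
        (Path(base) / name).mkdir()
    return Path(base)


if __name__ == "__main__":
    if Path(JAVA_ROOT).is_dir():
        report = audit_java_root(JAVA_ROOT)
    else:
        # Not on a Windows PC with Java installed: show the constructed sample.
        with tempfile.TemporaryDirectory() as tmp:
            report = audit_java_root(build_sample_root(tmp))
    for status, names in report.items():
        print(f"{status:13} {', '.join(names) or '-'}")
```

Anything listed as outdated is a version to uninstall through Add or Remove Programs before installing the current JRE.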
 
David H. Lipman said:
From: "Richard Bentley" <[email protected]>

| As the subject title says, I think I have a worm/spyware that I can't delete
| using the new Windows Defender.
|
| Do you know a really easy way of deleting the spyware?
|
| I'm at the end of my wits with this infection.
| As far as I know it's a scam to get me to buy an adware programme to remove
| the annoyance!!!
|
| I found an article explaining how to remove the worm,
| but failed to follow the instructions.
|
| Please help.
|



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_06


http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Part 2
-----------

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Thanks for the reply.
I think I have managed to delete something from the information you supplied.
I'm operating XP Home Edition, but still can't get the internet start
page to hold onto MSN, without reverting back to a virus warning screen and
the green Disabled - red No Entry symbol (bottom right) is still flashing. I
haven't seen the yellow shield since I ran the Noahdfear tool. Thanks.
The McAfee normal scan is:
C:\Copy (10) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (11) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (11) of Copy of Copy of Copy of lf_F28.tmp Downloader-DC
C:\Copy (12) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (14) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (15) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (16) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (17) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (2) of Copy of Copy of Copy of Copy of ... Downloader-DC
C:\Copy (2) of Copy of Copy of Copy of lf_F28.tmp Downloader-DC
C:\Copy (22) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (23) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (24) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (25) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (26) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (27) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (28) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (29) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (3) of Copy of Copy of Copy of Copy of ... Downloader-DC
C:\Copy (3) of Copy of Copy of Copy of lf_F28.tmp Downloader-DC
C:\Copy (30) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (31) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (32) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (33) of Copy of Copy of Copy of Copy of... Downloader-DC
C:\Copy (34) of Copy of Copy of Copy of Copy of... Downloader-DC
I haven't scanned in safe mode yet, but will give it a go if it needs to
be done.
Thanks for your advice to a complete beginner.
 
From: "Richard B." <Richard (e-mail address removed)>


| I'm operating XP Home Edition, but still can't get the internet start
| page to hold onto MSN, without reverting back to a virus warning screen and
| the green Disabled - red No Entry symbol (bottom right) is still flashing. I
| haven't seen the yellow shield since I ran the Noahdfear tool. Thanks.
| The McAfee normal scan is:
| C:\Copy (10) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (11) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (11) of Copy of Copy of Copy of lf_F28.tmp Downloader-DC
| C:\Copy (12) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (14) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (15) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (16) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (17) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (2) of Copy of Copy of Copy of Copy of ... Downloader-DC
| C:\Copy (2) of Copy of Copy of Copy of lf_F28.tmp Downloader-DC
| C:\Copy (22) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (23) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (24) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (25) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (26) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (27) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (28) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (29) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (3) of Copy of Copy of Copy of Copy of ... Downloader-DC
| C:\Copy (3) of Copy of Copy of Copy of lf_F28.tmp Downloader-DC
| C:\Copy (30) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (31) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (32) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (33) of Copy of Copy of Copy of Copy of... Downloader-DC
| C:\Copy (34) of Copy of Copy of Copy of Copy of... Downloader-DC
| I haven't scanned in safe mode yet, but will give it a go if it needs to
| be done.
| Thanks for your advice to a complete beginner.

Please don't edit the McAfee log. Please Copy and paste the contents of the log as-is.
 
I've got this worm, complete with popups and overridden home page. I
ran some software recommended on other sites called Hijackthis. The
report produced is below.


Any ideas what I do next to get rid of this?

Mark
 
David said:
From: "Richard Bentley" (e-mail address removed)

| As the subject title says, I think I have a worm/spyware that I can't delete
| using the new Windows Defender.
|
| Do you know a really easy way of deleting the spyware?
|
| I'm at the end of my wits with this infection.
| As far as I know it's a scam to get me to buy an adware programme to remove
| the annoyance!!!
|
| I found an article explaining how to remove the worm,
| but failed to follow the instructions.
|
| Please help.
|



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_06


http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://tinyurl.com/95tzv

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Part 2
-----------

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *


Had this same annoying virus. Followed your links and (touch wood) it
has worked like a dream! Thank you.
 
From: "markandsarah" <[email protected]>

|
| Had this same annoying virus. Followed your links and (touch wood) it has worked like a
| dream! Thank you. -- markandsarah

Thanx for updating this thread.
 
