
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2085

how to delete files from system32 (caused by Spy Falcon)

Hi,

I managed to somehow acquire Spy Falcon on my computer, and stupidly used its uninstall facility, which seemingly hasn't fully removed it.  My internet homepage keeps getting reset to some spyware site, and I have a persistent message by my clock saying "Virus Alert!".

I have run Ad-Aware and Spybot Search & Destroy, and they have both deleted a fair few files related to this, but the problem hasn't gone away. I have run HijackThis, and assessed the log file on a website I saw on another thread.
http://www.hijackthis.de/logfiles/860fea685de0fa3ef78e5292babdf0d2.html

It tells me that I have two nasties in C:\WINDOWS\system32.

They are atmclk.exe and dcomcfg.exe.

However, if I try and delete either, the computer says they're in use.

Can anyone tell me how to delete them please, and also, will this get rid of the Virus alert and stop resetting my homepage, or do I have other problems as well??


Thanks in advance, and sorry if this is hard but I'm computer illiterate and only have 180 points as I spent them all when I messed up my home comp a few weeks ago!


P.S. An online virus scan also flags atmclk as adware, and says that taskdir.exe is a hacktool.
Asked by: mycomputerisrubbish
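The question above is the classic "file in use" problem: Explorer cannot delete a file that a running process has open. Tools of the MoveOnBoot kind mentioned later in the thread typically ask Windows to do the delete at the next boot instead, through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT; Windows records that request in the registry value PendingFileRenameOperations under the Session Manager key and acts on it before any user program starts. The script below is an added example written for this page, not code posted in the thread: it tries an immediate delete, falls back to the boot-time queue, and can decode that queue so a responder can see what is scheduled (malware uses the same queue to swap files at boot). Function names are this example's own; the scheduling call assumes an administrator account on Windows, while the encode/decode helpers run anywhere.

```python
import ctypes
import os
import sys

# winbase.h flag for MoveFileEx: defer the operation until the next boot.
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# Where Windows keeps the queue (REG_MULTI_SZ of source/destination pairs).
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def pending_rename_entries(paths):
    """Build the REG_MULTI_SZ string list that delete-on-reboot requests produce.

    Each source is written as an NT object path ('\\??\\' + Win32 path) and is
    followed by an empty destination, which Session Manager treats as 'delete'.
    """
    entries = []
    for path in paths:
        entries.append("\\??\\" + path)
        entries.append("")
    return entries


def parse_pending_rename_entries(entries):
    """Decode a PendingFileRenameOperations list into (source, action) tuples.

    Reading this value is a quick check of what will happen at the next boot,
    both for your own queued deletes and for anything malware has queued.
    """
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    result = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src = src[4:] if src.startswith("\\??\\") else src
        if dst == "":
            result.append((src, "delete"))
        else:
            dst = dst[4:] if dst.startswith("\\??\\") else dst
            result.append((src, "rename to " + dst))
    return result


def schedule_delete_on_reboot(path):
    """Ask Windows to delete `path` at the next boot.

    MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) is the call MoveOnBoot-style
    tools rely on; it needs administrative rights and writes PENDING_VALUE.
    """
    if sys.platform != "win32":
        raise OSError("delay-until-reboot deletion needs the Win32 API")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def remove_now_or_on_reboot(path):
    """Delete immediately if possible; if Windows refuses because the file is open
    (sharing violation / access denied surface as PermissionError), queue it for
    boot time instead. Returns 'deleted' or 'scheduled'."""
    try:
        os.remove(path)
        return "deleted"
    except PermissionError:
        schedule_delete_on_reboot(path)
        return "scheduled"


if __name__ == "__main__":
    # The two files named in the question; shown here only as queue entries.
    queued = pending_rename_entries([r"C:\WINDOWS\system32\atmclk.exe",
                                     r"C:\WINDOWS\system32\dcomcfg.exe"])
    for src, action in parse_pending_rename_entries(queued):
        print(action, src)
```

Deleting the dropped files is only half the job. As the thread goes on to show, the homepage hijack came back until the BHO, Startup and DPF entries were fixed, because those entries re-create the files; queue the deletes after removing the persistence. The queue is processed with SYSTEM rights before anything can object, so check each path twice: the 00THotkey.exe episode later in the thread shows how easily a legitimate file gets removed.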
1 Solution
 
jasfoutCommented:
> and also, will this get rid of the Virus alert and stop resetting my homepage, or do I have other problems as well??

Possibly, but it is likely that there is more.
Make sure to clear all 'Temp' directories and 'Temporary Internet Files'.
 
jasfoutCommented:
also after they have been removed do a full scan here
housecall.trendmicro.com
 
NudalusCommented:
http://www.bleepingcomputer.com/forums/topic43659.html

The be-all and end-all removal process.

safety.live.com will search out and squash anything spy falcon.

Also try turning off system restore quickly: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

REMEMBER: turn it back on after and create a restore point!
 
mycomputerisrubbishAuthor Commented:
jasfout, I used moveonboot to delete the files, and it seems to have made a slight difference. Before, if I reset my homepage to google in internet options, then it would immediately set itself to about:blank, and go to http://www.securityuptodate.com/ whenever I clicked home.  Now, internet options still gives my homepage as google, but whenever I click home, it still goes to the security update website.

Also, the "Virus Alert!" has gone, but every now and then I get a little thing in the bottom right of the screen telling me "Your computer is infected".

Hence, it's still not cured, but I can't find any problems any more.


and Nudalus, I saw that page on another thread about SpyFalcon. However, none of the files it says to delete seem to exist on my computer, and it ended up doing nothing for me.



I'd quite like to just do a system restore, but unfortunately it tells me it can't restore to any of the about 30 points I have set, as "my computer hasn't changed" or something
 
jasfoutCommented:
mycomputerisrubbish - sorry, I did not look at the HJT log earlier.

As previously stated, make sure to clear all 'Temp' directories and 'Temporary Internet Files'.
Use Add/Remove Programs to remove anything having to do with 'SearchBar' or 'microgaming', or anything you may have installed from 'microgaming.com'.

Also check >>Start>>Programs>>StartUp and remove any programs that you do not recognize.
Download/update & start SpyBot S&D >>Mode>>Advanced>>Tools>>System Startup (Spybot will recommend (RED) bad entries); TOGGLE them off, along with anything having to do with 'dlhelper'.

Run HJT and 'fix' these entries (if they still exist):
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpC67D.tmp

O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)

O4 - Startup: DLHelperEXE.exe

O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab


locate and delete these files if they still exist:
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\hpC67D.tmp
C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
DLHelperEXE.exe

reboot the machine and post a new HJT log
 
mycomputerisrubbishAuthor Commented:
http://housecall.trendmicro.com/ doesn't seem to be working for me. I'm just trying to do the rest of your last post. So far, the homepage problem seems fixed, but the "Virus alert!" has returned!!

Also, I did a panda online scan and that gave two files in my system registry that are infected. I'll redo it and post the results in a bit...
 
mycomputerisrubbishAuthor Commented:
Logfile of HijackThis v1.99.1
Scan saved at 19:19:13, on 11/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134820915244
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)

 
jasfoutCommented:
fix these entries:
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)



kill this process then remove it (use moveonboot if necessary)
C:\WINDOWS\System32\00THotkey.exe


reboot then hit it with SpyBot again
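jasfout's two "fix these entries" posts above pick out HijackThis lines by eye: "(file missing)", "Unknown owner", a BHO living in a .tmp file under system32, an .exe sitting directly in the Startup folder, an ActiveX download from an unfamiliar host. The script below is an added example, not part of the thread or of HijackThis itself, that applies those same cues to a log so the odd lines surface first. It deliberately produces a review list rather than removing anything: as the thread goes on to show, 00THotkey.exe was a legitimate Toshiba hotkey program, and the msnim "file missing" entry was harmless. The sample log is a subset of lines posted in this thread plus one constructed Global Startup shortcut line; the trusted-domain list and all function names are this example's own assumptions.

```python
import re

# Domains the posted log shows as routine sources of ActiveX (.cab) downloads.
# Assumption of this example: any other host is listed for review, not removed.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "msn.com")

# A HijackThis entry: section code (R0, O2, O23 ...), " - ", then the entry body.
_ENTRY = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


def _host_of(text):
    """Host name of the first http(s) URL in text, or '' if there is none."""
    m = re.search(r"https?://([^/\s]+)", text)
    return m.group(1).lower() if m else ""


def _trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def triage_line(line):
    """Return the reasons one HijackThis entry deserves a look ([] means nothing odd)."""
    m = _ENTRY.match(line.strip())
    if not m:
        return []  # log header, 'Running processes' path or blank line
    code, rest = m.groups()
    low = rest.lower()
    target = rest.split(" - ")[-1].lower()  # the last field is the file or URL
    reasons = []
    if "(file missing)" in low:
        reasons.append("refers to a file that no longer exists")
    if code == "O23" and "unknown owner" in low:
        reasons.append("service binary has no publisher name")
    if target.endswith(".tmp") or "\\temp\\" in target:
        reasons.append("loads code from a temporary file")
    if code == "O4" and rest.split(":", 1)[0] in ("Startup", "Global Startup"):
        item = rest.split(":", 1)[1].strip().lower()
        # Installers put .lnk shortcuts in the Startup folder; a bare .exe there was dropped.
        if item.endswith(".exe") and ".lnk" not in item:
            reasons.append("executable dropped straight into the Startup folder")
    if code == "O16" and not _trusted_host(_host_of(rest)):
        reasons.append("ActiveX control fetched from " + _host_of(rest))
    return reasons


def triage(log_text):
    """Return [(code, line, reasons)] for every flagged entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append((_ENTRY.match(line).group(1), line, reasons))
    return findings


# Subset of the lines posted in this thread, plus one constructed Global Startup line.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpC67D.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
"""

if __name__ == "__main__":
    for code, line, reasons in triage(SAMPLE_HJT_LOG):
        print(code, line)
        for r in reasons:
            print("    -", r)
```

Run against the sample it lists six lines, and the 00THotkey.exe Run entry is not among them; the Tmesbs32 service collects two reasons. Every hit is still a human decision: "file missing" on a stale uninstall leftover is noise, "file missing" on a BHO that was present yesterday is a sign the file was just cleaned while its registry hook survived.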
 
mycomputerisrubbishAuthor Commented:
Sorry, but what do you mean by kill the process?  I don't know how to get to some of the things shown in the hijackthis log file :-(

I have a pandascan nearly finished, with 7 spyware and 1 hacking tool so far. I'll post it when done.



and sorry to be such a hassle, but I really am clueless!
 
jasfoutCommented:
OK, ignore my last entry and wait for Panda.

Please note the results of the Panda scan.
 
jasfoutCommented:
after further looking 00THotkey.exe seems to be ok
 
mycomputerisrubbishAuthor Commented:
Incident                                         Status            Location
Adware:adware/emediacodec                        Not disinfected   c:\windows\system32\stdole3.tlb
Adware:adware/wupd                               Not disinfected   c:\program files\MediaGateway
Spyware:spyware/searchcentrix                    Not disinfected   Windows Registry
Potentially unwanted tool:Application/Processor  Not disinfected   C:\Documents and Settings\Dave\Desktop\smitRem\Process.exe
Spyware:Cookie/Atlas DMT                         Not disinfected   C:\Documents and Settings\Dave\Cookies\dave@atdmt[2].txt
Spyware:Cookie/Adtech                            Not disinfected   C:\Documents and Settings\Dave\Cookies\dave@adtech[2].txt
Spyware:Cookie/Doubleclick                       Not disinfec

I can find and delete all the ones except the one that it says is in the Windows registry. How do I get rid of that?
 
jasfoutCommented:
go ahead and remove the files
As far as the registry entry goes, is there a 'more' button or something that will show you the location in the registry?
I am still looking at searchcentrix.
 
jasfoutCommented:
do you have any strange toolbars in internet explorer?
do you have any strange toolbars listed in the Add/Remove Programs list?
 
jasfoutCommented:
ok

Remove any of these if present in the Add/Remove Programs list:
expand search
search-o-matic toolbar
search-o-webalize search utility
webalize
windirect

and have you worked in the registry before?
 
mycomputerisrubbishAuthor Commented:
no, I can't find anywhere at all that gives a hint as to whereabouts in the registry it is.

The only toolbar I have in internet explorer is google as far as I know. That's the only one listed in add/remove programmes as well that I can see
 
mycomputerisrubbishAuthor Commented:
none of them are present. And I've restored my registry on my home computer before. I could try that I guess if you think it'd work?
 
mycomputerisrubbishAuthor Commented:
Hmm, the file

Spyware:Cookie/Atlas DMT    C:\Documents and Settings\Dave\Cookies\dave@atdmt[2].txt


doesn't seem to exist, so I can't delete that one. unless it's hidden...
 
jasfoutCommented:
>>Start>>RUN>regedit>>File>>Export>>Export Range=All>>Filename=old>>Save

See if you find any of these keys and remove them:

    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      value: Searchcentrix = %ProgramFiles%\Searchcentrix\Searchcentrix.exe
    * HKEY_LOCAL_MACHINE\Software\Searchcentrix
    * HKEY_LOCAL_MACHINE\software\mygeekinstalled
    * HKEY_CLASSES_ROOT\SomaticCAB.Setup
    * HKEY_CURRENT_USER\software\Dynamic Toolbar
    * HKEY_USERS\.default\software\dynamic toolbar
    * HKEY_CLASSES_ROOT\gssomatic.gssomatic
    * HKEY_LOCAL_MACHINE\software\classes\gssomatic.gssomatic
    * HKEY_LOCAL_MACHINE\software\classes\somatic.somatic
    * HKEY_LOCAL_MACHINE\software\classes\barbho.class1
    * HKEY_LOCAL_MACHINE\software\classes\mygeek.com
    * HKEY_LOCAL_MACHINE\software\classes\pqhelper.pqhelper
    * HKEY_LOCAL_MACHINE\software\classes\s4helper.s4helper
    * HKEY_LOCAL_MACHINE\software\classes\seantb.seantb
    * HKEY_LOCAL_MACHINE\software\classes\spoolsvv.class1
    * HKEY_LOCAL_MACHINE\software\classes\webalize.webalize
    * HKEY_LOCAL_MACHINE\software\classes\wzhelper.wzhelper
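jasfout's procedure above is: export the whole registry from regedit, then hunt for the listed keys by hand. The code below is an added example, not something posted in the thread, that does the hunt over the exported .reg file instead (regedit writes "Windows Registry Editor Version 5.00" files as UTF-16 text) and reports which listed keys, their subkeys, or the Searchcentrix value under the legitimate Run key are actually present. SAMPLE_REG_EXPORT is constructed for this example; the key list is jasfout's with its duplicates dropped, and the function names are the example's own.

```python
import re

# jasfout's list, without the stray spaces the post shows. The second element
# is a value name to look for under that key, or None for the key itself.
SEARCHCENTRIX_ITEMS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Searchcentrix"),
    (r"HKEY_LOCAL_MACHINE\Software\Searchcentrix", None),
    (r"HKEY_LOCAL_MACHINE\Software\mygeekinstalled", None),
    (r"HKEY_CLASSES_ROOT\SomaticCAB.Setup", None),
    (r"HKEY_CURRENT_USER\Software\Dynamic Toolbar", None),
    (r"HKEY_USERS\.default\Software\Dynamic Toolbar", None),
    (r"HKEY_CLASSES_ROOT\gssomatic.gssomatic", None),
    (r"HKEY_LOCAL_MACHINE\Software\Classes\gssomatic.gssomatic", None),
    (r"HKEY_LOCAL_MACHINE\Software\Classes\somatic.somatic", None),
    (r"HKEY_LOCAL_MACHINE\Software\Classes\barbho.class1", None),
    (r"HKEY_LOCAL_MACHINE\Software\Classes\mygeek.com", None),
    (r"HKEY_LOCAL_MACHINE\Software\Classes\pqhelper.pqhelper", None),
    (r"HKEY_LOCAL_MACHINE\Software\Classes\s4helper.s4helper", None),
    (r"HKEY_LOCAL_MACHINE\Software\Classes\seantb.seantb", None),
    (r"HKEY_LOCAL_MACHINE\Software\Classes\spoolsvv.class1", None),
    (r"HKEY_LOCAL_MACHINE\Software\Classes\webalize.webalize", None),
    (r"HKEY_LOCAL_MACHINE\Software\Classes\wzhelper.wzhelper", None),
]

_KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")                       # [HKEY_...] or [-HKEY_...]
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=')    # "name"=... or @=...


def normalise_key(key):
    """Registry paths are case-insensitive; also drop any whitespace after a backslash."""
    return re.sub(r"\\\s*", "\\\\", key.strip()).lower()


def parse_reg_export(text):
    """Parse regedit Export text into {normalised key: set of value names}.

    Hex data continued over several lines is ignored (only names matter here),
    and [-HKEY...] lines are deletion markers rather than content.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = None if m.group(1) else normalise_key(m.group(2))
            if current is not None:
                keys.setdefault(current, set())
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current].add((m.group(1) or "@").lower())
    return keys


def find_listed_keys(reg_text, items=SEARCHCENTRIX_ITEMS):
    """Return {(key, value): [matching export keys]} for every listed item present.

    A bare key matches itself and any subkey; a (key, value) item matches only
    when that value name exists directly under the key, so the Run key itself,
    which every machine has, is not reported on its own.
    """
    export = parse_reg_export(reg_text)
    hits = {}
    for key, value in items:
        wanted = normalise_key(key)
        for exp_key, names in export.items():
            if value is not None:
                if exp_key == wanted and value.lower() in names:
                    hits.setdefault((key, value), []).append(exp_key)
            elif exp_key == wanted or exp_key.startswith(wanted + "\\"):
                hits.setdefault((key, value), []).append(exp_key)
    return hits


# Constructed sample of an export; not taken from the thread's machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Searchcentrix"="C:\\Program Files\\Searchcentrix\\Searchcentrix.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Searchcentrix]
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Searchcentrix\Settings]
"Homepage"="http://www.securityuptodate.com/"

[HKEY_CLASSES_ROOT\gssomatic.gssomatic]
@="gssomatic"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google]
"LastUpdate"=dword:0000001e
"""

if __name__ == "__main__":
    for (key, value), found in find_listed_keys(SAMPLE_REG_EXPORT).items():
        print(key, "->", value or "(key)", ":", ", ".join(found))
```

For a real export saved as in the post, read it with `open("old.reg", encoding="utf-16")` and pass the text to `find_listed_keys`. The export made before any editing is also the rollback: regedit's File > Import on that same file puts the keys back if a removal turns out to be wrong.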
 
jasfoutCommented:
This tool should do the trick however I have not yet used it
http://siri.urz.free.fr/Fix/SmitfraudFix.zip

refer to this link to see how others have used the tool
http://www.windowsbbs.com/showthread.php?t=54038
 
jasfoutCommented:
basic instructions appear to be :

You may like to print out these instructions as you will be unable to connect to the Internet to read them while in Safe Mode.

Boot into Safe Mode and log onto your usual account.

In Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process.
After SmitfraudFix finishes - reboot back into Safe Mode if a reboot is required - and run an HJT scan.

Reboot into Normal Mode and post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, and the contents of the HJT log which you will find in the same folder that you placed hijackthis.exe
 
mycomputerisrubbishAuthor Commented:
I found one and deleted it. hopefully this will help.

I'm going out for a bit anyway, so will see later

cheers for your help
 
mycomputerisrubbishAuthor Commented:
I'm back. Got an error message on bootup saying that Thotkey file I deleted can't be recovered. Is that bad?!

Also, the virus alert! thingy has returned. This is annoying me now!!
 
mycomputerisrubbishAuthor Commented:
I did the smitfraud fix...that also seems to have not worked.

And I got the same message when I rebooted again about the Thotkey file. I guess I'll have to try and restore it somehow, but I can't work out how to use the hijackthis backup files
 
mycomputerisrubbishAuthor Commented:
Right, another update!

I think (touch wood!) I may have finally beaten the malware. The following link seems to have helped, and I hope the ewido scan may finally have got rid of the nasties

http://forums.whirlpool.net.au/forum-replies-archive.cfm/485496.html

The other two bits were exactly what you had suggested earlier though, so you were definitely along the right lines!


Could you possibly just tell me which file I didn't want to delete though which has caused me to get the error message when I log on?

" Retrieval of "THotkey" failed.
Error code - 0x00031402, 0x00000002"


I restored the hijackthis one I deleted and that doesn't seem to have helped.



I'll leave it a while before closing just to check I am free of the stuff, but thanks very much for all your help!!
 
jasfoutCommented:
>Thotkey file I deleted can't be recovered. Is that bad?

no not bad, just needs to be removed from the startup list

start SpyBot S&D >>Mode>>Advanced>>Tools>>System Startup (Spybot will recommend (RED) bad entries); TOGGLE them off, along with anything having to do with 'dlhelper'

If you give me the model# from the bottom of the notebook, I will find you a link
 
jasfoutCommented:
oops...
start SpyBot S&D >>Mode>>Advanced>>Tools>>System Startup (Spybot will recommend (RED) bad entries); TOGGLE them off, along with anything having to do with 'dlhelper'


should have read:
start SpyBot S&D >>Mode>>Advanced>>Tools>>System Startup
TOGGLE off the one that calls 00THotKey
 
mycomputerisrubbishAuthor Commented:
I think I did that, but it's made no difference (what model number is it you wanted?). The

" Retrieval of "THotkey" failed.
Error code - 0x00031402, 0x00000002"

box says touchED error at the top if that means anything to you!


and another error I've noticed (sorry if this is lots of questions, tell me to get stuffed if this is something else!!) is that I now can't play videos online, I get the white box with a red cross you usually get when a pic won't load. Is this something I've deleted, or is it a separate matter related to the fact my Java seemed to do something to itself yesterday?!!  It's not that important anyway, only a junk video on the FHM email!
 
jasfoutCommented:
the missing file 00THotKey.exe is for the  <<  >  >> []  || buttons on the front of the notebook to control the media player.
It can either be disabled from auto-starting if you don't use them,
or if you give me the model of the notebook I will send you a link from which you can reinstall the missing files.

As far as the Java issue...yes, I believe it is related, and all references to Java should be removed from Add/Remove Programs, then install the latest version from here:
http://www.java.com/en/download/windows_xpi.jsp
 
mycomputerisrubbishAuthor Commented:
sorry, but I'm still not with you on the notebook. Is this related to windows media player? I think that could be what's broken, not java, as it won't play videos in that either
 
jasfoutCommented:
What is the model # of the computer?  it is a notebook/laptop isnt it?
 
mycomputerisrubbishAuthor Commented:
ahh, laptop. Ok sorry, I didn't understand what you meant...I'm a bit dim ;-)


Is Toshiba Satellite 2450-201 what you're looking for?  Or is that just the model...?!
 
mycomputerisrubbishAuthor Commented:
I downloaded it and unzipped it, but double-clicking on the windowsXP file's contents doesn't seem to do anything, and I still get the error on startup. I take it it is the TFnF5 file I'm supposed to be opening?

As for the Java, I've uninstalled and reinstalled it but it's made no difference. Could it be the codec I vaguely remember deleting? Either way, it's a separate problem and I've caused you enough trouble for these 185 points (you deserve 1000 with the patience you've shown but I'm afraid I don't have them!). I'll just reinstall media player or something drastic :-D
 
mycomputerisrubbishAuthor Commented:
Just read the readme...


Installation
Provide general installation instruction first.
The SD host controller driver should be installed first. After installing the SD host controller driver,we can install the SD memory card driver. Each driver can be installed as follows operations.


1.Open the Windows Explorer

2.Browse to the right language folder under Toshiba Hotkey for Display Devices

3.Mark the Tfnf5Wxp.inf File

4. Click the right mouse button, then select "Install"




What's the SD host controller driver?  Right-clicking doesn't give an install option, and choosing open does nothing
 
jasfoutCommented:
 
mycomputerisrubbishAuthor Commented:
What does extract mean? The whole downloaded products have their own files in C:\unzipped\ so is that OK, or do I literally just take the one file I'm using and put it in a separate file?

Also, with the second one, the thing that calls itself setup starts InstallShield, which then asks me if I want to completely remove the selected application and all its components? Do I want to do that or not?!!
 
jasfoutCommented:
no as long as they are unzipping to a directory that is fine.

yes it is recognizing that you already have it installed.  Go ahead and uninstall then reinstall
 
mycomputerisrubbishAuthor Commented:
Well the second one hasn't changed anything, and the first one still isn't giving me an install option, only open and run as, neither of which seem to do anything.
 
mycomputerisrubbishAuthor Commented:
my apologies, I'm an idiot. I wasn't right-clicking the right file, I chose the one with the prettier icon. I'll see if this has helped then...
 
jasfoutCommented:
This is a list of all available software for your model:

http://uk.computers.toshiba-europe.com/cgi-bin/ToshibaCSG/download_drivers_bios.jsp?service=UK

perhaps you can find one that sounds familiar

I feel obligated to help you on this because I told you to remove the wrong file. :(
 
mycomputerisrubbishAuthor Commented:
Don't worry about it, it's not necessarily your doing anyway as I've displayed my capabilities to screw up with the media player thing!

It's only an annoying pop-up really anyway, as I don't use the keys as I never bothered to learn how to!
 
mycomputerisrubbishAuthor Commented:
http://www.techspot.com/vb/all/windows/t-11246-TouchEd-Error.html


Is the answer by SBriggs right? Can I just try that?
 
mycomputerisrubbishAuthor Commented:
http://forums.pcworld.co.nz/archive/index.php/t-45373.html

a better answer perhaps. Apparently it's common module I want from your list :-)
 
jasfoutCommented:
ok then for now just remove it from the startup list...that will get rid of the popup

did you already run Spybot again to check the startup programs?
is 00THotkey.exe still listed? if so uncheck it

start SpyBot S&D >>Mode>>Advanced>>Tools>>System Startup
TOGGLE off the one that calls 00THotKey.exe
 
jasfoutCommented:
...should have refreshed first...

cool
Common Module is in the list
go get it
 
mycomputerisrubbishAuthor Commented:
hmm, that didn't work! Can i recover the two programmes I just deleted easily?

I'll quit then while I'm ahead and close this!
 
jasfoutCommented:
perhaps you could try uninstall completely then reinstall Common Module
is it in the Add/Remove Progs list?
 
mycomputerisrubbishAuthor Commented:
No it's not. It was a bit strange when supposedly installing itself as I got a warning that Microsoft didn't recommend installing it as it didn't have some necessary thing to be safe.

Anyway, I reinstalled the two files, and will live with the pop up!


Thanks again for all of your time and help getting rid of spyfalcon and the other rubbish it installed on me, it's much appreciated!
 
jasfoutCommented:
that popup error would drive me nuts in a hurry

I would climb into spybot and play with your toggle settings for startup items until it is right

you might even try re-enabling the 00THotKey.exe one again
 
mycomputerisrubbishAuthor Commented:
Well it only comes on startup, so I just won't reboot too often!!
