Solved

Rogue Program Hijacking IE

Posted on 2006-07-10
Last Modified: 2010-05-18
Hi, I have got a real headache with this problem.
After surfing some P2P sites I have now got several problems in the form of adverts and hijackers. The main prob seems to be a small prog called Spyware Quake 2.3. This program keeps directing me to a site where I am invited to buy the full program. There are also more popups for varying types of software from the same site, including anti virus.
I have done a full scan with AVG, no virus detected.
I have done a full scan with AdAware, cleaned everything out.
I have emptied IE of cookies and internet files.
I have used search to try and find anything I can delete, could only find a couple of IE files to delete.
I found Spyware Quake hidden in the Windows program files, but not in Control Panel, and it would not let me delete it from there.
Also after downloading Warez P2P I cannot get rid of that either as the Uninstall shortcut is broken and will not repair.
Can anyone help please!!
Question by:Haroldine
10 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17072375
Hi,
Smitfraudfix will take care of it.

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17072400
Haroldine,
After you finished running option #2 in SmitfraudFix, please run option #3 to delete the entries in your trusted zones.

When you've done those, let us see your hijackthis log to make sure that no bad entries are left behind.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
 

Author Comment

by:Haroldine
ID: 17072872
Hi again, I have tried your instructions. Things seemed to go well till I got to
http://www.ee-stuff.com. I can't see the results on this page from the upload.
Haroldine
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17072914
Or just paste the Hijackthis log to either of these sites:

1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
 

Author Comment

by:Haroldine
ID: 17072917
I keep getting invalid file type
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 17073024
You can't upload your hijackthis log anywhere?
Okay, just post the log here then, it's not recommended but if you can't upload it, then no other option but to post it here.
 

Author Comment

by:Haroldine
ID: 17073025
Hi again
I have sent the log file to Hijackthis.de, and saved the results.
Everything came back as safe except for one thing:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE    
Nasty   Realtek AC97 Audio - Event Monitor. "Sypware" file used surreptitiously monitor ones actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers
Hit rate: 91,67 % (result)
   Must be fixed!
I take it this is not a dangerous prog. But it should be removed?

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17073053
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE    
The above entry is Realtek's spy. No, it is not dangerous, it just reports back to Realtek.
You should fix it because it is an unnecessary startup entry. Fixing that entry in Hijackthis only deletes the registry entry but it does not delete the file.
If you want to delete the file it is located in your Windows directory.

C:\Windows\ALCMTR.EXE    or C:\WinNT\ALCMTR.EXE    
0
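The point made in the comment above, that an O4 line names a registry autorun value while the file it launches is a separate item on disk, shown as an added example that is not part of the original thread: a small Python parser for O4 registry lines. The sample log lines are constructed, and the ExampleHelper, ExampleAV and ExampleUpdater names and paths are hypothetical.

```python
import ntpath
import re

# Constructed sample lines in the O4 format quoted in the thread (not a real log).
SAMPLE_LOG = r"""
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000000} - C:\ExampleDir\helper.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe" /min
O4 - HKCU\..\Run: [ExampleUpdater] C:\ExampleDir\upd.exe -s
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
# HijackThis abbreviates this key prefix as "..".
KEY_PREFIX = r"Software\Microsoft\Windows\CurrentVersion"
# Directories named in the thread for a bare file name; Windows may search others.
WINDOWS_DIRS = [r"C:\Windows", r"C:\WinNT"]

def executable_of(command):
    """Return the program part of a Run command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]

def parse_o4(log_text):
    """Extract registry autorun entries and the files they may point to."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # other sections (O2, O3, ...) are out of scope here
        hive, key, name, command = m.groups()
        exe = executable_of(command)
        files = [exe] if ntpath.isabs(exe) else [ntpath.join(d, exe) for d in WINDOWS_DIRS]
        entries.append({
            "value": name,                              # registry value HijackThis would delete
            "key": "\\".join((hive, KEY_PREFIX, key)),  # full key behind the ".." shorthand
            "files": files,                             # files that stay on disk after the fix
        })
    return entries

if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        print(f"registry value [{e['value']}] under {e['key']}")
        for f in e["files"]:
            print(f"  file to check separately: {f}")
```
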
 

Author Comment

by:Haroldine
ID: 17073100
Great stuff there rpggamergirl, this has been a great help to me, thank you very much. I have to do some stuff now, will repost for my other problem when I get back.
Thanks again
Haroldine
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17073210
You're welcome Haroldine.
Glad I could help.

Thanks for the points and the "A" grade! :)