frostmourne, posted May 6, 2007:

Assalamualaikum.. I scanned my PC with Spybot Search & Destroy and it detected Smitfraud-C Toolbar888.. the problem is that Spybot can't delete this Smitfraud.. I've already used several other pieces of software to delete it and they couldn't either.. among them AVG Anti-Spyware (doesn't detect it) and Lavasoft Ad-Aware SE (doesn't detect it).. I've searched Google for ways to delete it but still can't, plus I don't understand them.. so I hope the members here at Putera know how to solve this..
civ3, posted May 6, 2007:

1) Turn off System Restore.
2) Download the SmitfraudFix software.
3) Boot into Safe Mode, then run SmitfraudFix and follow the instructions it gives.
4) Scan again with Spybot.
frostmourne, posted May 7, 2007:

> 1) Turn off System Restore.
> 2) Download the SmitfraudFix software.
> 3) Boot into Safe Mode, then run SmitfraudFix and follow the instructions it gives.
> 4) Scan again with Spybot.

Thanks.. I already tried this method after searching Google the other day.. but the Smitfraud is still there, even now..
johnburn, posted May 7, 2007 (edited May 13, 2007 by johnburn):

Can you scan with HijackThis and paste the log here..
OkEsh, posted May 8, 2007:

Mr ProsMon.. so many viruses in your PC, very dangerous.
frostmourne, posted May 10, 2007:

OK.. here is my HijackThis scan.. hope someone can help, OK?

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:23:09 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HandyCafe\Client\_hndguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\HandyCafe\Client\hndclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\HANDYC~1\Client\hndfw.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Documents\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.leeman-automatisering.nl/startpagina
O2 - BHO: (no name) - {0309638F-93F8-44D3-84CF-240EB1AB7F1F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C947718-039F-4D20-9A7A-BFC619BA9367} - C:\WINDOWS\system32\vtutq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
O2 - BHO: (no name) - {E496C27C-A366-4D63-BED7-20234E4FAE62} - C:\WINDOWS\system32\fjrcmidx.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hndclient] C:\Program Files\HandyCafe\Client\_hndguard.exe -rungrd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ixgbmqvu.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176046814796
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE42C88C-3CE9-4E5A-8DA0-1C4FF80A1094}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: gebcyww - gebcyww.dll (file missing)
O20 - Winlogon Notify: vtutq - C:\WINDOWS\system32\vtutq.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4623 bytes
johnburn, posted May 12, 2007 (edited May 12, 2007 by johnburn):

For the time being, fix the entries with missing files first.. the rest, this afternoon.. But from what I can see at a glance, your PC is infected with the Vundo trojan.. The solution for that comes after..

O2 - BHO: (no name) - {0309638F-93F8-44D3-84CF-240EB1AB7F1F} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
O2 - BHO: (no name) - {E496C27C-A366-4D63-BED7-20234E4FAE62} - C:\WINDOWS\system32\fjrcmidx.dll (file missing)
O20 - Winlogon Notify: gebcyww - gebcyww.dll (file missing)

********************************************************************

1. Download VundoFix and save it to the desktop.
2. Run the application and click the "Scan for Vundo" button.
3. Once the scan is done, click the "Remove Vundo" button; at the prompt that appears, click "YES".
4. When it is finished, it will shut down the PC.
5. Turn the PC back on, scan again with HijackThis and paste the new log here..
frostmourne, posted May 16, 2007:

OK.. I've used VundoFix.. it detected quite a lot.. so here is the latest HijackThis log of my PC:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:12:35 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HandyCafe\Client\_hndguard.exe
C:\Program Files\HandyCafe\Client\hndclient.exe
C:\PROGRA~1\HANDYC~1\Client\hndfw.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\PC 01\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.leeman-automatisering.nl/startpagina
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C53CDEF-6D0F-4CEB-9BD6-D9428A0BA344} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hndclient] C:\Program Files\HandyCafe\Client\_hndguard.exe -rungrd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176046814796
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE42C88C-3CE9-4E5A-8DA0-1C4FF80A1094}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: vtutq - C:\WINDOWS\system32\vtutq.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4387 bytes
johnburn, posted May 17, 2007:

Vundo is gone; only its registry entries are still there.. How to fix:

1. Run HijackThis and scan.
2. Tick the boxes for the following entries:
O2 - BHO: (no name) - {5C53CDEF-6D0F-4CEB-9BD6-D9428A0BA344} - (no file)
O20 - Winlogon Notify: vtutq - C:\WINDOWS\system32\vtutq.dll (file missing)
3. Press the "Fix checked" button.

One more entry that I think should be fixed is O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE. This is a Realtek AC97 Audio file, but it can be considered spyware as well.. So it's up to you whether to fix it or not..
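The triage johnburn does by eye in his May 12 and May 17 posts (pick out the entries whose file is already gone, then compare the log before and after VundoFix) can be done mechanically. This is an added example written for this thread; it is not part of HijackThis or of any tool the posters used. It reads HijackThis log text, lists the orphaned entries, and diffs two scans. The sample lines are copied from the two logs above.

```python
import re

# Entry lines start with a section code such as R1, O2, O4 or O20.
ENTRY_RE = re.compile(r"^(R\d+|F\d+|N\d+|O\d+) - (.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")

def parse_entries(log_text):
    """Return (section, body) for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def missing_file_entries(log_text):
    """Entries whose target file is gone: the orphaned registry entries that
    johnburn tells the poster to fix before anything else."""
    return [(sec, body) for sec, body in parse_entries(log_text)
            if any(mk in body for mk in MISSING_MARKERS)]

def _key(entry):
    # Compare without the markers, so an entry whose DLL was deleted between
    # scans counts as "still present" rather than "removed".
    sec, body = entry
    for mk in MISSING_MARKERS:
        body = body.replace(mk, "")
    return sec, body.strip()

def removed_entries(before_text, after_text):
    """Entries in the first log that no longer appear in the second log."""
    after_keys = {_key(e) for e in parse_entries(after_text)}
    return [e for e in parse_entries(before_text) if _key(e) not in after_keys]

# Sample input: lines copied from the two logs in the thread (before and after
# VundoFix), with the Adobe BHO line kept as a benign control.
LOG_BEFORE = """\
O2 - BHO: (no name) - {0309638F-93F8-44D3-84CF-240EB1AB7F1F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {E496C27C-A366-4D63-BED7-20234E4FAE62} - C:\\WINDOWS\\system32\\fjrcmidx.dll (file missing)
O20 - Winlogon Notify: gebcyww - gebcyww.dll (file missing)
O20 - Winlogon Notify: vtutq - C:\\WINDOWS\\system32\\vtutq.dll
"""
LOG_AFTER = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O20 - Winlogon Notify: vtutq - C:\\WINDOWS\\system32\\vtutq.dll (file missing)
"""
if __name__ == "__main__":
    print(missing_file_entries(LOG_BEFORE), removed_entries(LOG_BEFORE, LOG_AFTER))
```

Note that the vtutq.dll Winlogon Notify entry is not reported as removed: the DLL disappeared between the scans but the registry entry survived, which is exactly the leftover johnburn asks to be fixed with "Fix checked".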
frostmourne, posted May 18, 2007:

> Vundo is gone; only its registry entries are still there.. How to fix:
>
> 1. Run HijackThis and scan.
> 2. Tick the boxes for the following entries:
> O2 - BHO: (no name) - {5C53CDEF-6D0F-4CEB-9BD6-D9428A0BA344} - (no file)
> O20 - Winlogon Notify: vtutq - C:\WINDOWS\system32\vtutq.dll (file missing)
> 3. Press the "Fix checked" button.
>
> One more entry that I think should be fixed is O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE. This is a Realtek AC97 Audio file, but it can be considered spyware as well.. So it's up to you whether to fix it or not..

OK.. I've done everything you told me.. only the ALCMTR.EXE one I didn't remove.. but if I remove it, will there still be sound..? In case I remove it and then there's no sound.. one more thing, ALCMTR.EXE is in the startup list; can I remove it, and will there be any effect..?

About the spyware problem: after I did all the steps you gave above, I scanned again with Spybot Search & Destroy but it still detects Smitfraud-C Toolbar888.. how do I deal with that..?
johnburn, posted May 18, 2007 (edited May 18, 2007 by johnburn):

> OK.. I've done everything you told me.. only the ALCMTR.EXE one I didn't remove.. but if I remove it, will there still be sound..? In case I remove it and then there's no sound.. one more thing, ALCMTR.EXE is in the startup list; can I remove it, and will there be any effect..?
>
> About the spyware problem: after I did all the steps you gave above, I scanned again with Spybot Search & Destroy but it still detects Smitfraud-C Toolbar888.. how do I deal with that..?

About that Smitfraud-C Toolbar888, it may be a Spybot S&D false positive.. Because this has happened before.. Refer here.. But if you still feel your PC is infected, and since in your first post you said you had already used SmitfraudFix, why not run that software again and paste its log here so we can be sure..