[donna]

HI guys,

I seem to have downloaded something that looks like spyware... its constantly flashing on my bottom toolbar and saying its detected problems on my computer everytime i open something. When i click on the symbol it takes me to: *********************

but thats not all

now whenever i open my web browser i get *********************** even if i change my internet options to another home page such as google or msn its still defaults back to the besecuretoday page. After trying to set up my home page to google.co.uk it also diverts my to the besecuretoday page if i tyoe www.google.co.uk in my address bar, i have to use google.com all the time instead now..and its done the same to msn.

can anyone help me take this off?

[evilfantasy]

Go into add/remove programs and see if anything you know shouldn't be there has been installed that you can un-install.

Please do the following...
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Download HijackThis Here
Once you have it downloaded install/save it to it's own folder!!! This is important for it to work properly.
For example save in C:\program files\hijackthis
You can then create a shortcut on the desktop.
Once installed open the program and select Do a system scan and save logfile.
**Important DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Save the log to your desktop.
In the next post click Go Advanced.
Scroll down and click Manage Attachments and add the log as an attachment.

[donna]

im sorry for being dim...

ive started my pc in safe mode

ive opened the new folder on my desktop...but there is no options? just a number of files...

[evilfantasy]

After you have the zip folder on your desktop, Right click on it and select extract or open here.
It should produce one file named SmitfraudFix.
Then go to safe mode and doubleclick the SmitfraudFix folder.

[donna]

not quite as dim as i thought i was!! i realised what i had to click and have run the programme.

it seems to have sorted the problem.. my homepage is back to msn again yay!

this is what the txt file said when my comuter restarted:

thanks for your help!!!


SmitFraudFix v2.212
Scan done at 20:19:28.82, 15/08/2007
Run from C:\Documents and Settings\donna\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler]
"{4a9e875b-d032-45e4-8294-789fe3be5b19}"="atrichia"
[HKEY_CLASSES_ROOT\CLSID\{4a9e875b-d032-45e4-8294-789fe3be5b19}\InProcServer32]
@="C:\WINDOWS\system32\fshqaln.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4a9e875 b-d032-45e4-8294-789fe3be5b19}\InProcServer32]
@="C:\WINDOWS\system32\fshqaln.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

[evilfantasy]

Good job. We need to do a few more steps.

Now run CCleaner. Use the default options.
If you do not have CCleaner please install it. Here
Once CCleaner is open use the default options and click Analyze and it will show a log of what will be removed. Next click Run Cleaner to remove everything.
Next on the upper left of CCleaner select the Issues tab.
Next click Scan For Issues. Next click Fix selected issues.
It will prompt you to make a backup. For the first run I would suggest doing so.

Last. Remove infected restore points.
System Restore
1: Right click on the My Computer icon on your desktop and select properties.
2: Click on the system restore tab.
3: Check the box that says "Turn off system restore on all drives". Click OK.
4: Click Yes when you are prompted to restart the computer
5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

[Dave Hybrid]

Good job EF!

Obviously a dab hand at this stuff.

[evilfantasy]

Sadly I learned mostly from real time experience.