Unsolved
This post is more than 5 years old
9 Posts
0
3698
June 11th, 2006 18:00
Titan Shield Scam
Need help please. Every 30 seconds or so ..am getting popup from Windows Security System that says that I am infected with Spyware and entices me to buy this TitanShield program. Also other popups all with warnings and all leading to this TitanShield. How can I stop this?. All xing out just leads to this Titan Shield scam. Is there a way without paying to cure this? Thanks,
Gerard(Goc)
0 events found
No Events found!
bamajim
10.4K Posts
0
June 11th, 2006 20:00
Goc
Go here and download Hijackthis
http://dsvs.org/5/HijackThis.exe
Save it in a convenient permanent folder such as C:\\HJT\\, double click HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, Ctrl-A to Select All, and copy its contents AT THE LINK BELOW
http://forums.us.dell.com/supportforums/board?board.id=si_hijack
and include a description of the problem along with your log
Please do not be tempted to "fix" on your own. Hijackthis is a very powerful tool, if used incorrectly can cause system problems
bamajim
Training at Malware Removal University
bamajim
10.4K Posts
0
June 11th, 2006 21:00
Goc
The logfile should be in Notepad on your desktop. Just open the file, place your mouse pointer anywhere in the open feild
Then press the Ctrl & A at the same time the background of the text, should be highlited with a blue background.
Then Rt click your mouse, select copy. Then paste it in the window you will reply in. Just place the mouse cusor in the text field->>Rt click and selct paste
bamajim
Training at Malware Removal University
bamajim
10.4K Posts
0
June 11th, 2006 21:00
Goc
No problem
You can do this by going to My Computer (Windows key+e) then double click on C:
then right click and select New then Folder and name it HJT.
Once you have the folder then down load Hijackthis to that new folder, and Run the program from that folder.
thanks bamajim
Training at Malware Removal University
Goc
9 Posts
0
June 11th, 2006 21:00
Thank you.
But..excuse my ignorance ..how do I .."save in a permanent folder such as C:\\HJT\\"
Appreciate your assistance.
Goc.
Goc
9 Posts
0
June 11th, 2006 21:00
Hi,
Actually I have it figured out to the point where you say copy its contents at the link below. That part I need instruction. How to copy to that link. I have the log file how do I send it to the link.
Thanks,
Goc
Goc
9 Posts
0
June 11th, 2006 22:00
bamajim
10.4K Posts
0
June 11th, 2006 22:00
Goc
Try this; First open your reply box, Minimize your explorer widow so you see your desktop screen
Rerun Hijackthis, click sacn and save logfile, once it scans the logfile should auto open.
Place cursor again in text area of logfile->> press Crtl & A key , then rt click->>Copy.
Then maximize your Intenet Explorer again, move your mouse cursor in the reply text area->>Rt click->> paste. (Don't left click your mouse first)
bamajim
Training at Malware Removal University
bamajim
10.4K Posts
0
June 11th, 2006 23:00
Goc
When you open the smitfraud folder, out of the items you see, you will see one that has a little gear in the midlle of it .
Under it it will say Smitfraudfix c.md.
Double click it, then select run
bamajim
Training at Malware Removal University
Goc
9 Posts
0
June 11th, 2006 23:00
Scan saved at 7:55:01 PM, on 6/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\users32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\asdfe57\SPBS.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gerard O\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer powered by Verizon Broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LBq3RiJ6e] C:\Program Files\asdfe57\SPBS.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {121AC498-3F3A-4C39-9BEA-CFC4EA809FDF} - http://www.xlocator.com/download/xlocatorlight.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {68E53982-CCCE-48C2-89B9-C3C97638F9B4} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin_US.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
bamajim
10.4K Posts
0
June 11th, 2006 23:00
Goc
Please go here
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
And Download SmitFraudFix by S!ri
Simply click save, and save it to your desktop
Once on your desktop, rt click->>extract All
Extract all the archive content to your desktop
Open that file, Ctrl+A to copy, and post a copy of that log as a reply to this thread
Do Not run option 2 until instructed to do so
Just copy and paste like you did before
bamajim
Training at Malware Removal University
Goc
9 Posts
0
June 11th, 2006 23:00
Hi,
Got as far as Extract all archive content to desktop and I have 8 Smithfraudfix files there.
Dont see smitfraudfix."CMD " Select '1'?
Goc
Goc
9 Posts
0
June 11th, 2006 23:00
Run from C:\Documents and Settings\Gerard O\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\alxie328.dll FOUND !
C:\WINDOWS\alxtb1.dll FOUND !
C:\WINDOWS\bg.gif FOUND !
C:\WINDOWS\BTGrab.dll FOUND !
C:\WINDOWS\close-bar.gif FOUND !
C:\WINDOWS\dlmax.dll FOUND !
C:\WINDOWS\infected.gif FOUND !
C:\WINDOWS\Pynix.dll FOUND !
C:\WINDOWS\susp.exe FOUND !
C:\WINDOWS\star.gif FOUND !
C:\WINDOWS\warning-bar-ico.gif FOUND !
C:\WINDOWS\ZServ.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\adobepnl.dll FOUND !
C:\WINDOWS\system32\alxres.dll FOUND !
C:\WINDOWS\system32\bridge.dll FOUND !
C:\WINDOWS\system32\dailytoolbar.dll FOUND !
C:\WINDOWS\system32\jao.dll FOUND !
C:\WINDOWS\system32\parad.raw.exe FOUND !
C:\WINDOWS\system32\questmod.dll FOUND !
C:\WINDOWS\system32\runsrv32.dll FOUND !
C:\WINDOWS\system32\runsrv32.exe FOUND !
C:\WINDOWS\system32\tcpservice2.exe FOUND !
C:\WINDOWS\system32\txfdb32.dll FOUND !
C:\WINDOWS\system32\udpmod.dll FOUND !
C:\WINDOWS\system32\users32.exe FOUND !
C:\WINDOWS\system32\wstart.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Gerard O\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\GERARD~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
!!!Attention, following keys are not inevitably infected!!!
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Goc
9 Posts
0
June 12th, 2006 00:00
Bamajim,
Thanks for help. Is there another step?
Goc.
Bugbatter
3 Apprentice
•
20.5K Posts
0
June 12th, 2006 02:00
Yes, here is the next step:
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
If you have not done so already, please download the trial version of Ewido Anti-malware 3.5 from here:
http://www.ewido.net/en/download/
- Install Ewido Anti-malware.
- When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
- When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
- The program will prompt you to update. Click the Ok button.
- The program will now go to the main screen.
You will need to update Ewido to the latest definition files.- On the left-hand side of the main screen click the Update Button.
- Click on Start.
The update will start and a progress bar will show the updates being installed.If you are having problems with the updater, you can use this link to manually update Ewido.http://download.ewido.net/ewido-signatures-full-current.exe
Once finished updating, close Ewido.
Make sure to close Ewido before installing the update.
Reboot your computer in Safe Mode.
* If the computer is running, shut down Windows, and then turn off the power.
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe Mode option is selected.
* Press Enter. The computer then begins to start in Safe mode.
* Login on your usual account.
______________________________
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________
Clean out your Temporary Internet files. Proceed like this:
* Quit Internet Explorer and quit any instances of Windows Explorer.
* Click Start, click Control Panel, and then double-click Internet Options.
* On the General tab, click Delete Files under Temporary Internet Files.
* In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
* On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
* Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
* Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________
Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
* Click on Scanner
* Click on Settings
o Under How to scan all boxes should be checked
o Under Unwanted Software all boxes should be checked
o Under What to scan select Scan every file
o Click on Ok
* Click on Complete System Scan to start the scan process.
* Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.
Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
* Click Save Report button
* Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.
Rightclick on an empty space on your desktop and choose New > Folder
Name it HijackThis (HJT, or whatever)
Rightclick HijackThis.exe, choose Cut.
Doubleclick (to open) the folder you created.
Rightclick inside and choose Paste.
double-click on HijackThis and run a new scan.
Please post the HJT log in this topic along with:
c:\rapport.txt and your Ewido log
Let me know how things are running.
Goc
9 Posts
0
June 12th, 2006 21:00
Bamajim,
Safe Mode rebooting ??? and f8 key. When I tapped f8 key after turning laptop back on nothing happens ?? Is a Safe mode option supposed to appear. How do I reboot in Safe Mode? Also Ewido did not give me the warning"database could not etc" and just continued on fine. Do I need to do the updates instruct you gave as it did not prompt me to update. I may not have closed Ewido before installing. Should I start again?
Regards,
Goc