Desperate for help! Looks like a safenavweb... but not quite

Alright, luckily I have access to another computer to figure out how to fix my comp.

:-[ I'm ashamed to say that I do not have any protection software on at the moment except Ad-Aware. I did download Avast from this borrowed comp but am not sure if it's safe to transfer to my regular comp, or whether I should send it over a USB stick in safe mode or in normal mode. I do not want to corrupt Avast upon install.

I first got suspicious of it half an hour ago when I noticed, while browsing my computer, that about a dozen or so files had appeared since the last time I passed that folder (between the two checks it was 5 minutes, no more).
Files that appeared:
1:
E:\sqmdata00.sqm (all the numbers from 00 to 19) E:\sqmdata19.sqm
E:\sqmnoopt00.sqm (again all the files ranging from -00.sqm to -19.sqm)
(note that my E:\ is what is normally C:\ on normal computers... it's complicated to explain why, just trust me on this one :P)

2:
I noticed that my computer started going ridiculously slow and pressed CTRL+ALT+DEL to see the processes that clogged my comp. But all I got was a warning "Task manager has been disabled by your administrator", allowing only an OK button to close it... and I am the administrator and did no such thing (although there are 3 other accounts (all family), no one except me uses this computer).

Note: After it got this far I immediately unplugged my internet cable, knowing I had probably got into a mess here.

I ran Ad-Aware while downloading Avast on my other comp, since it's the only diagnostic tool I have (I use only Firefox with strong limitations and blockers and have a strong firewall on my router :cry: so I didn't see the point in having any antivirus on).

Soon after that I got a very odd message from my computer:

—"Spyware Alert
Security Warning!

Worm.Win32.NetSky detected on your macine. This is a virus distribute via the Internet through e-mail and Active-X objects. The worm has its own SMTP engine with means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer stealing passwords and personal data.
This process should be removed from your system.
Type: Virus
System affected: Windows 2000, NT, Me, XP, Vista
Security Risk (0-5): 5
Recomentations: Click yes to remove it from your PC immediately"—

PS: I am not very good at English, it being only my 2nd foreign language, but I think "recomentations" should have a double m in it.

I found it very odd since it had a strange symbol in my taskbar (red circle with a cross in it), it was impossible to close via ALT+F4, and right-clicking it only allowed the Move option. Which made me doubt it. And I did nothing, clicking neither Yes nor No.

A few moments after that it opened an Explorer window (luckily I had unplugged the cable), which asked me to connect or work offline. If I press Work Offline I see for a very, very brief moment at the top of the Explorer window a res\windows\system (I forgot exactly because it flashed too fast; I will try to photograph it and send the picture; it was another file in s though).
The page then goes to http://www.safnenvweb.com/index.php?sid=502&said=0&pn=5&aid=454&pid=0
I also noticed that my Explorer has some odd tools installed: the ensfolr (remove popups, scan spyware, security test, spam protection). (I never use Internet Explorer and I also never added any tools to it, ever.)

After another moment I noticed that 3 new icons had appeared on my desktop, 2 of them very neatly done if I may add. (In Properties all 3 are internet shortcuts, 4KB size on disk and about 270B size.)
Error Cleaner (URL: http://viruswebprotect.com/shandler.php?sid=502&said=0&pn=5&aid=454&sg=1)
Spyware&Protection (URL: http://viruswebprotect.com/shandler.php?sid=502&said=0&pn=5&aid=454&sg=2)
Privacy Protector (URL: http://viruswebprotect.com/shandler.php?sid=502&said=0&pn=5&aid=454&sg=0)

My desktop wallpaper is still the same though, and the other icons on my desktop are ok.

Just now I also got a Windows Security Alert:
“Windows has detected an Internet atack attempt…
Somebody’s trying to infect your PC with spyware or harmfull viruses. Run full system scan now to protect your PC from internet attacks,hijacking attempts and spyware. Click here to download spyware remover for total protection.”
This one can actually be closed, but I have not done that so far.

I also noticed that my computer keeps automatically jumping from one window to the other, as if using ALT+TAB all the time, and windows flash as if something new happened on them while they were minimised. And my computer is going impossibly slow right now, taking forever to enter a folder.

My Ad-Aware found a few slightly insignificant trackers and a reg key (still wondering about Avast and how to install it safely). Reg key: HKEY_USERS:S-1-5-21-1993962763-842925246-1957994488-1003\software\microsoft\windows\currentversion\policies\system "DisableTaskMgr" ()

(Should I quarantine the things Ad-Aware found, or delete them, or leave them alone for further study with better programs? Also, should I turn off my infected and now internetless computer?)

Can you please help :-\ I have way, way too much studying material and college things on this computer to format everything and reinstall everything.

Help pweety pweety please with lots of sugar on top and a marshmallow and pickles :-\

-Hibiki

Hi HibikiKano,

First give this computer a good AV scan; download Dr.Web CureIt from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Give it a whirl, and see what it finds with a full scan.
Report what it has found.
Because you also have other malware problems, do a full Hitman Pro scan from www.hitmanpro.nl. This is a shell program consisting of multiple anti-malware programs against viruses, spyware, adware, rootkits etc. After installation the program is started automatically; click and tick "Controleren van updates" (that means "Check for updates") and let the program download all the updates. Sometimes you have to restart a few times to update everything; then via Start have all of your computer scanned. The total scan can take quite some time. Click the option "Gevaren automatisch verwijderen", which means in English "Delete dangers automatically", so the malware is deleted immediately. Sometimes during the routine other software needed for further cleansing is downloaded, and sometimes you have to accept a licence; click "Ja" (= "Yes") for all instances, and let Hitman Pro have its way. It is used by professional malware cleaners in The Netherlands and South Africa, and is among the best multi-anti-malware programs I know of.
After this has done what it should do, post a HijackThis logfile here.

polonus

Um... I know it's a very, very noobish request T.T but can I have a safe link to HijackThis? This is my father's comp and I don't want to mess this one up the same way I messed mine (yes, I went to an unsafe link... I thought the Firefox+router firewall would block everything).

And should I run those programs from safe mode or normal?

Thank you

Hi, the safe link is in Firefox with the NoScript add-on activated; download from here:
http://www.spychecker.com/download/download_hijackthis.html

Sometimes a HJT log txt is longer than fits in 1 post; use more than 1 then.

And then print out the instructions of the above posting, and do exactly as I told you, and your father will be proud of you, nihon iti!

polonus

Sorry, Hitman Pro is taking ages :-[ I kinda have a lot of data on it. I did notice though that it attacked my Explorer, so my computer was ultra slow until I found that out and disabled Explorer altogether. :-\

Hi HibikiKano,

Can't you post a HijackThis log, just to see what is making your computer that slow?

You can also do a scan with this scanner:
http://www.microsoft.com/downloads/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

polonus

It is going pretty well now; Hitman is already at the Ewido one, so I guess it won't take long anymore. I just have to do everything with my Explorer killed; I noticed that every 5 minutes it spiked up and used 99% of my comp. So I hope that Ewido won't take too long and that I can send the HJT log today ^^; does HJT take long?

Just popping in to comment on "sqmdata00.sqm": Windows Live Messenger data files :slight_smile:

HJT runs in seconds.

out the door I go. :smiley:

._. ...they are??
Come to think of it, I really DID download something from my friend over Live Messenger and it really DID act a little awkward during the download, and it was all 10 minutes before the whole computer-dying scene started :-\
I never did like that new Live Messenger, come to think of it.

I will send all the logfiles first thing in the morning. ^^; I'm very sorry to keep you waiting so long for them.

Alright, here are the logs :-\ For now things run smoothly on my comp and it was running idle for an hour without anything strange happening. So for now, thank you a lot ^^

I added the Ad-Aware log too; I ran that a little before I ran Hitman.
My brother advised me to use Trinity Rescue Kit and BackTrack; both are live CDs. Can I get any comments on those, please?

Oh, I read somewhere here about hiberfil.sys and I noticed that mine is over 500 MB by now. And this is a desktop machine, so I don't really use hibernation. And I can't find that topic again on how to delete it :stuck_out_tongue: Is going to your Power Options and disabling hibernation and then just deleting it enough?

Hi HibikiKano,

Now first download ATF Cleaner from here: http://www.atribune.org/ccount/click.php?id=1
Choose Select All, tick it, click "Empty Selected", and that is all your temp files cleaned...

HitmanPro cleansed and protected your OS, and found various tracking cookies;
pressing Control+Shift+Delete at once in Firefox clears Private Data (among other things, cookies);

There are still things in your HijackThis log that point at a spyware infection: ensfollr.dll.
So we are going to clear that from your computer with the SmitfraudFix tool.

Please download SmitfraudFix (by S!Ri) to your Desktop.
Download this tool from: http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Double-click Smitfraudfix.exe
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply as an attachment.

IMPORTANT: Do NOT run any other options until you are asked to do so!

[i]Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool";
it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm[/i]

polonus

P.S. Trinity Rescue Kit is good freeware, but is too heavy artillery for your spyware problem;
it needs expert guidance and is a means of last resort.

Damian

Alright, I got this from it :-\

I am also sending today's HijackThis log.

Hi HibikiKano,

Please download the OTMoveIt by OldTimer from: http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

* Save it to your desktop.
* Please double-click OTMoveIt2.exe to run it.
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

  C:\WINDOWS\bklgvsf.dll
  C:\WINDOWS\ampkfst.dll
  

* Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
* Click the red Moveit! button.
* Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
* Close OTMoveIt

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\<date_time>.log
(where <date_time> is the date and time of the run)

Click "Exit" to close OTMoveIt.

Then we return to SmitfraudFix again:
Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe again.
Select option #2 - Clean by typing 2 and press “Enter” to delete infected files.

You will be prompted : “Registry cleaning - Do you want to clean the registry ?”; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart anyway into normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report along with all others into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : Running option #2 on a non-infected computer will remove your Desktop background.

polonus

Hi, I'm posting the MoveIt log first before restarting.

DllUnregisterServer procedure not found in E:\WINDOWS\bklgvsf.dll
E:\WINDOWS\bklgvsf.dll NOT unregistered.
E:\WINDOWS\bklgvsf.dll moved successfully.
DllUnregisterServer procedure not found in E:\WINDOWS\ampkfst.dll
E:\WINDOWS\ampkfst.dll NOT unregistered.
E:\WINDOWS\ampkfst.dll moved successfully.

OTMoveIt2 v1.0.5 log created on 01072008_210705

On a side note :-\ my desktop background is normal. And I kinda like it since I made it myself, so is it safe to make a copy of it?

Hi HibikiKano,

Post a new HJT log; maybe all is OK and your comp is clean now. Make a copy of your desktop background, that is OK. We still have to unregister these dlls.

polonus

Alright, this is what I got out of it. My desktop is gone like you said it would be. And so far it seems alright.
Except I checked my Internet Explorer and I still have the Ensfolr toolbar there o_o

Hmm, but what did you mean by unregister those dlls? :-\

Hi HibikiKano,

We are going to clean them now with HijackThis; this is what it means.
So start HijackThis and tick the following two lines

O21 - SSODL: ampkfst - {7E7515E4-E1AC-4B88-94BA-FD8790CF1354} - E:\WINDOWS\ampkfst.dll (file missing)
O21 - SSODL: bklgvsf - {04AFF8EB-AF95-4DAD-98AA-E02010A02598} - E:\WINDOWS\bklgvsf.dll (file missing)

Then press Enter, and that is it,

polonus

You mean Fix checked?

Sorry for the late reply, I had to eat something.

Hi HibikiKano,

That is what I meant, only these two lines:
O21 - SSODL: ampkfst - {7E7515E4-E1AC-4B88-94BA-FD8790CF1354} - E:\WINDOWS\ampkfst.dll (file missing)
O21 - SSODL: bklgvsf - {04AFF8EB-AF95-4DAD-98AA-E02010A02598} - E:\WINDOWS\bklgvsf.dll (file missing)

That must have rid you of the ensfolr toolbar malware.

polonus
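As an added example (not code from the original thread, and not part of HijackThis, Ad-Aware or OTMoveIt): the two O21 SSODL lines polonus has HibikiKano fix, and the DisableTaskMgr policy value Ad-Aware reported earlier in the thread, are artefacts you can triage from the logs alone. ShellServiceObjectDelayLoad entries are COM objects Explorer loads at every logon, which is why the rogue's DLLs came back each time and why the registrations stayed behind as "(file missing)" after OTMoveIt moved the files. The script below parses constructed sample data (the two O21 entries quoted in the thread, a stand-in WebCheck entry for a stock Windows object, a benign O4 line as noise, and a .reg export modelled on the key Ad-Aware found) and states why each entry deserves a "Fix checked". The KNOWN_SSODL allowlist, the vowel heuristic for machine-generated names and all sample lines are assumptions of this example, not facts from the page.

```python
"""Triage HijackThis O21 (SSODL) lines and a DisableTaskMgr policy value.

Added example; not code from the original thread or from HijackThis/Ad-Aware.
"""
import re
from dataclasses import dataclass, field

# Constructed sample data. The ampkfst/bklgvsf lines are the O21 entries quoted
# in the thread; the WebCheck line stands in for a stock Windows entry and the
# O4 line is a common benign startup entry, included as noise.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - E:\WINDOWS\system32\webcheck.dll
O21 - SSODL: ampkfst - {7E7515E4-E1AC-4B88-94BA-FD8790CF1354} - E:\WINDOWS\ampkfst.dll (file missing)
O21 - SSODL: bklgvsf - {04AFF8EB-AF95-4DAD-98AA-E02010A02598} - E:\WINDOWS\bklgvsf.dll (file missing)
"""

# Constructed regedit (.reg) export modelled on the key Ad-Aware reported.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1993962763-842925246-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r" - (?P<path>.+?)(?P<missing> \(file missing\))?\s*$"
)
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})\s*$')

# Assumption: names of the shell service objects a stock Windows XP install
# registers under ShellServiceObjectDelayLoad. Anything else is "unknown",
# which is a reason to look closer, not proof of infection.
KNOWN_SSODL = {"webcheck", "postbootreminder", "cdburn", "systray", "wpdshserviceobj"}


def looks_generated(name: str) -> bool:
    """Crude check for the random letter-soup names the dropper used (assumption)."""
    s = name.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    return sum(c in "aeiouy" for c in s) / len(s) < 0.2


@dataclass
class Finding:
    name: str
    clsid: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_ssodl(log_text: str) -> list:
    """Return one Finding per O21 line, with the reasons it deserves a Fix."""
    findings = []
    for line in log_text.splitlines():
        m = O21_RE.match(line.strip())
        if not m:
            continue
        f = Finding(m["name"].strip(), m["clsid"], m["path"].strip())
        if m["missing"]:
            f.reasons.append("registered DLL no longer exists: orphaned registration")
        parts = f.path.lower().split("\\")
        # Stock SSODL handlers live under system32; a DLL dropped straight
        # into %WINDIR% is what the rogue-antispyware droppers do.
        if len(parts) >= 2 and parts[-2] == "windows":
            f.reasons.append("DLL sits directly in the Windows folder, not system32")
        if f.name.lower() not in KNOWN_SSODL:
            f.reasons.append("not a stock Windows shell service object")
            if looks_generated(f.name):
                f.reasons.append("name looks machine-generated")
        findings.append(f)
    return findings


def disabled_task_manager_keys(reg_text: str) -> dict:
    """Map each Policies\\System key in a .reg export to its DisableTaskMgr value."""
    result, current_key = {}, None
    for line in reg_text.splitlines():
        k = REG_KEY_RE.match(line)
        if k:
            current_key = k["key"]
            continue
        v = REG_DWORD_RE.match(line)
        if (v and current_key
                and current_key.lower().endswith(r"\policies\system")
                and v["name"].lower() == "disabletaskmgr"):
            result[current_key] = int(v["hex"], 16)
    return result


if __name__ == "__main__":
    for f in triage_ssodl(SAMPLE_HJT_LOG):
        verdict = "FIX" if f.suspicious else "keep"
        print(f"{verdict:4} {f.name:10} {f.path}  {'; '.join(f.reasons)}")
    for key, val in disabled_task_manager_keys(SAMPLE_REG_EXPORT).items():
        print(f"DisableTaskMgr={val} under {key}")
```

Run it on a real HijackThis log and a `regedit /e` export instead of the constructed samples; an entry that is both "(file missing)" and outside system32 is the orphaned registration HijackThis's Fix checked removes, and a DisableTaskMgr value of 1 under a user's Policies\System key is the setting that produced the "Task manager has been disabled by your administrator" message.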