Hi Dogge
Please print out or copy this page to Notepad in order to assist you while carrying out the following instructions. This page will not be available to you at some points during the fix. Please read the instructions carefully before you begin and if you have any questions then post them here before continuing. It is important you carry out the instructions in the exact order stated. Please make sure that all other windows (including browsers) are closed while carrying out the fixes.
To ensure you have the latest version of SmitfraudFix, please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
I see you already have Ewido. You will need to update Ewido to the latest definition files.
Launch Ewido & click Update from the left pane
Then click on Start Update.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.
Please download Cleanup! and install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups. If you have any files or programs stored in a temporary folder then please make backups before running cleanup. Do not run cleanup on XP 64-bit edition. If you're not sure if you have 64-bit then you probably don't. You can make sure by downloading and running this tool http://www.mvps.org/marksxp/Download...p_whichcpu.vbs (download using IE)
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files (if present)
- Cleanup! All Users
- Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program and reboot when prompted into Safe Mode
Boot to Safe Mode (by repeatedly tapping F8 until the menu appears)
Go to My Computer > Tools > Folder Options > View tab and select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.
Run Ewido with its updated definitions: (...it's important that all windows must be closed)
- Click Scanner
- Click Complete System Scan to begin scanning.
- Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
* "Perform action on all infections"
* Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop
** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.
Reboot the system. Boot back into Safe Mode (by repeatedly tapping F8 until the menu appears)
Open Start > Control Panel > Add/Remove Programs and uninstall the following programs (If they still exist)
PurityScan by OIN
Snowball Wars by OIN
Yazzle by OIN
or any programs by OIN
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
R3 - URLSearchHook: (no name) - {F8EB4BDF-DB42-F2B4-6DA7-F25D37C34E9D} - C:\WINDOWS\System32\twux.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {F8EB4BDF-DB42-F2B4-6DA7-F25D37C34E9D} - C:\WINDOWS\System32\twux.dll (file missing)
O4 - HKLM\..\Run: [61231003.exe] C:\WINDOWS\System32\61231003.exe
O4 - HKCU\..\Run: [Kymhlhlt] C:\WINDOWS\system32\SMANTE~1\POOL32~1.EXE
O4 - HKCU\..\Run: [Stos] "C:\WINDOWS\DOBE~1\fast.exe" -vt yax
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O20 - AppInit_DLLs: C:\WINDOWS\System32\scanregw.dll
Please remember to close all other windows, including browsers then click Fix checked.
Delete the following Files indicated in RED and Folders in BLUE if they still exist.
C:\Program\Purity Scan
C:\Program\Yazzle
C:\Program\Snowball Wars
C:\WINDOWS\DOBE~1 <<< make sure NOT to delete the legit ADOBE folder
C:\WINDOWS\System32\scanregw.dll
C:\WINDOWS\System32\twux.dll
C:\WINDOWS\System32\61231003.exe
C:\WINDOWS\system32\SMANTE~1 <<< make sure NOT to delete the legit SYMANTEC folder
Reboot to Normal mode
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter" and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
Perform an online scan with Internet Explorer with Panda ActiveScan
- Click on the "Free To Use ActiveScan" located on the top right hand corner
- Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
- Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
- Begin the scan by selecting My Computer
- If it finds any malware, it will offer you a report.
- Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
- Click on See report then click Save report
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Post the Panda Scan report and a new HijackThis log
Required Logs
Ewido report
rapport.txt (from the SmitfraudFix tool)
Panda report
new HijackThis log
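
The post above warns that the DOBE~1 and SMANTE~1 folders must not be confused with the legitimate ADOBE and SYMANTEC folders. The following is an added example, not part of the original post or of HijackThis: it parses log entries in the format shown and flags 8.3 short-name path components that resemble, but are not genuine truncations of, a known vendor folder name. The function names, the 0.8 similarity threshold and the ccApp sample line are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Legitimate folder names the post warns against deleting by mistake.
LEGIT_NAMES = ("ADOBE", "SYMANTEC")

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')        # paths without spaces only
SHORT_RE = re.compile(r"^(?P<stem>[^~.]+)~\d+(\.\w+)?$")  # 8.3 short name

# The first three lines are from the post; the ccApp line is constructed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [61231003.exe] C:\WINDOWS\System32\61231003.exe
O4 - HKCU\..\Run: [Kymhlhlt] C:\WINDOWS\system32\SMANTE~1\POOL32~1.EXE
O4 - HKCU\..\Run: [Stos] "C:\WINDOWS\DOBE~1\fast.exe" -vt yax
O4 - HKLM\..\Run: [ccApp] "C:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe"
"""


def lookalike(component, threshold=0.8):
    """Return the legitimate name a short-name component imitates, or None."""
    m = SHORT_RE.match(component)
    if not m:
        return None                      # not an 8.3 short name at all
    stem = m.group("stem").upper()
    if any(legit.startswith(stem) for legit in LEGIT_NAMES):
        return None                      # genuine truncation, e.g. SYMANT~1
    for legit in LEGIT_NAMES:
        if SequenceMatcher(None, stem, legit).ratio() >= threshold:
            return legit                 # close to a vendor name, but not it
    return None


def flag_entries(log_text):
    """Return (section code, path, imitated name) for each lookalike path."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line.strip())
        if not entry:
            continue
        for path in PATH_RE.findall(entry.group("body")):
            for component in path.split("\\")[1:]:   # skip the drive letter
                legit = lookalike(component)
                if legit:
                    findings.append((entry.group("code"), path, legit))
    return findings


if __name__ == "__main__":
    for code, path, legit in flag_entries(SAMPLE_LOG):
        print(f"{code}: {path} imitates {legit}")
```

The 61231003.exe entry is not flagged, because the heuristic only looks for name imitation; entries like that still have to be judged on other grounds.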