Tech Support Forum - View Single Post

**TexRanger** · 06-14-2006, 08:15 AM

Hi hanoihancock,

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

Please also note that it is very important that you follow all of the steps below, and on each post I make. You may want to subscribe to this thread so that you'll know when I post; to do that click thread tools then subscribe to this thread. We'll get through this infection, but I'll need you to stay with me and make sure to keep checking if I've posted. Only when it's time will we consider this issue resolved. Thanks!
-----------------------------

Downloads and Updates

You will need to update Ewido to the latest definition files.

On the left-hand side of the main screen click the Update Button.
Click on Start.
The update will start and a progress bar will show the updates being installed.

Once finished updating, close Ewido. If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Download and install CleanUp! but do not run it yet. *WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
-----------------------------

Ewido Suite's Guard Disable

Please disable Ewido Security Suite's Guard, as it may hinder the removal of some entries. You can re-enable it after you're clean.

Open ewido by double-clicking the yellow 'e' icon in the system tray.
In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to ''inactive'' for the duration of your cleanup.

-----------------------------

Show hidden and system files

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.
-----------------------------

Reboot

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

-----------------------------

Uninstall
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

PurityScan by OIN
Snowball Wars by OIN
Yazzle by OIN
...or any programs by OIN

In case Purityscan or OINS is not listed, download and use this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
-----------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (make sure you do not miss any)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {22AA2F28-C8BB-9F3D-999D-96FC2EF5E095} - C:\WINDOWS\system32\lwzsj.dll
O2 - BHO: (no name) - {22AA2F28-C8BB-9F3D-999D-96FC2EF5E095} - C:\WINDOWS\system32\lwzsj.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\regsvr32.dll
O20 - Winlogon Notify: winetz32 - winetz32.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.
-----------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\WINDOWS\system32\lwzsj.dll
C:\Program Files\Common Files\??sks\ <----- This may be Tasks
C:\WINDOWS\system32\regsvr32.dll <----- Be sure to delete this exact file. It resembles another legit windows file.
-----------------------------

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed.
-----------------------------

Clean out your Temporary Internet files

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files (if present)
Cleanup! All Users
Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program.. Once it's finished Cleanup will ask you to logoff/reboot. Please select NO as we will do this later.
-----------------------------

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

"Security Info"
"Warning Message"
"Security Desktop"
"Warning Homepage"
"Desktop Uninstall" or something similar

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
-----------------------------

Clear Java Cache

Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
- Downloaded Applets
  Downloaded Applications
  Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

-----------------------------

Run Ewido

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.

Click on Scanner
Click on Settings
- Under How to scan all boxes should be checked
- Under Unwanted Software all boxes should be checked
- Under What to scan select Scan every file
- Click on Ok
Click on Complete System Scan to start the scan process.
Let the program scan the machine.

If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

Click Save Report button
Save the report to your Desktop

Close Ewido and Reboot in Normal Mode.
-----------------------------

More SmitfraudFix stuff

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
-----------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.

Click on see report. Then click Save report

-----------------------------

Generate An Uninstall List

Open HijackThis
Click on the "Configure" button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Open Uninstall Manager"
Click on the button "Save list"

Please save a copy and paste the contents with your next reply.
-----------------------------

Then post the following logs in your next reply...

1. Panda log
2. Hijackthis log <---- Please get a new HJT log after you run the last Panda Scan
3. Ewido log
4. C:\rapport.txt <---- log from the smitfraudfix tool
5. Uninstall List from HJT

06-14-2006, 08:15 AM	#3 (permalink)
TexRanger TSF Enthusiast Join Date: Feb 2006 Location: NW Territory ca. 1859 Posts: 1,251 OS: Windows XP, Mac OSX.4	Hi hanoihancock, Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER. Please also note that it is very important that you follow all of the steps below, and on each post I make. You may want to subscribe to this thread so that you'll know when I post; to do that click thread tools then subscribe to this thread. We'll get through this infection, but I'll need you to stay with me and make sure to keep checking if I've posted. Only when it's time will we consider this issue resolved. Thanks! ----------------------------- Downloads and Updates You will need to update Ewido to the latest definition files. On the left-hand side of the main screen click the Update Button. Click on Start. The update will start and a progress bar will show the updates being installed. Once finished updating, close Ewido. If you are having problems with the updater, you can use this link to manually update ewido. Ewido manual updates. Make sure to close Ewido before installing the update. Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Download and install CleanUp! but do not run it yet. WARNING Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. ----------------------------- Ewido Suite's Guard Disable Please disable Ewido Security Suite's Guard, as it may hinder the removal of some entries. You can re-enable it after you're clean. Open ewido by double-clicking the yellow 'e' icon in the system tray. In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'. When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to ''inactive'' for the duration of your cleanup. ----------------------------- Show hidden and system files Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK. ----------------------------- Reboot Reboot your computer in Safe Mode. If the computer is running, shut down Windows, and then turn off the power. Wait 30 seconds, and then turn the computer on. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe mode. Login on your usual account. ----------------------------- Uninstall Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): PurityScan by OIN Snowball Wars by OIN Yazzle by OIN ...or any programs by OIN In case Purityscan or OINS is not listed, download and use this uninstaller: http://www.outerinfo.com/OiUninstaller.exe ----------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (make sure you do not miss any) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R3 - URLSearchHook: (no name) - {22AA2F28-C8BB-9F3D-999D-96FC2EF5E095} - C:\WINDOWS\system32\lwzsj.dll O2 - BHO: (no name) - {22AA2F28-C8BB-9F3D-999D-96FC2EF5E095} - C:\WINDOWS\system32\lwzsj.dll O20 - AppInit_DLLs: C:\WINDOWS\system32\regsvr32.dll O20 - Winlogon Notify: winetz32 - winetz32.dll (file missing) *Please remember to close all other windows, including browsers then click Fix checked.* ----------------------------- Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINDOWS\system32\lwzsj.dll C:\Program Files\Common Files\??sks\ <----- This may be Tasks C:\WINDOWS\system32\regsvr32.dll <----- Be sure to delete this exact file. It resembles another legit windows file. ----------------------------- Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. ----------------------------- Clean out your Temporary Internet files Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following (Make sure nothing else is checked!): Empty Recycle Bins Delete Cookies Delete Prefetch files (if present) Cleanup! All Users Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked. Click OK Press the CleanUp! button to start the program.. Once it's finished Cleanup will ask you to logoff/reboot. Please select NO as we will do this later. ----------------------------- Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: "Security Info" "Warning Message" "Security Desktop" "Warning Homepage" "Desktop Uninstall" or something similar Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin. ----------------------------- Clear Java Cache Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel. ----------------------------- Run Ewido Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan. Click on Scanner Click on Settings Under How to scan all boxes should be checked Under Unwanted Software all boxes should be checked Under What to scan select Scan every file Click on Ok Click on Complete System Scan to start the scan process. Let the program scan the machine. If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok. Once the scan has completed, there will be a button located on the bottom of the screen named Save Report. Click Save Report button Save the report to your Desktop Close Ewido and Reboot in Normal Mode. ----------------------------- More SmitfraudFix stuff Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. ----------------------------- Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report ----------------------------- Generate An Uninstall List Open HijackThis Click on the "Configure" button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Please save a copy and paste the contents with your next reply. ----------------------------- Then post the following logs in your next reply... 1. Panda log 2. Hijackthis log <---- Please get a new HJT log after you run the last Panda Scan 3. Ewido log 4. C:\rapport.txt <---- log from the smitfraudfix tool 5. Uninstall List from HJT __________________ TexRanger Roundhousing Viruses, Infections, Spyware, Trojans, and Adware since 2006. If you feel I've been helpful please donate to keep this site free for everyone.