Tech Support Forum - View Single Post

tetonbob · 08-08-2006, 08:34 AM

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

Download Host.zip to your desktop.
From your Desktop right-click (hosts.zip) and select:
Extract All from the menu.
Click Next, click Next, select the option:
"Show Extracted files", click Finish
This will open the newly created hosts folder on your Desktop.
Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.

---------------------------------------------------------------------------------------------

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll

---------------------------------------------------------------------------------------------

Delete the following if they exist:

C:\FOUND.001\FILE0001.CHK
C:\FOUND.005\FILE0266.CHK
C:\FOUND.006\FILE0001.CHK
C:\FOUND.013\FILE0014.CHK
C:\FOUND.013\FILE0032.CHK
C:\FOUND.015\FILE0000.CHK
C:\FOUND.015\FILE0004.CHK
C:\FOUND.015\FILE0009.CHK
C:\FOUND.015\FILE0019.CHK

---------------------------------------------------------------------------------------------

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Once back in normal mode:

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Go here and do the BitDefender online virus scan.

Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Leave the scanning options at default and press "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop then come back here and post it in your next reply.

---------------------------------------------------------------------------------------------

Run combofix once again, and post it's log.

Also post a new HJT log.

---------------------------------------------------------------------------------------------

So, please provide results from:

SmitfraudFix
Online scan
combofix
HJT

08-08-2006, 08:34 AM	#9 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,795 OS: 2000 Pro; XP Pro; XP Home	You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. --------------------------------------------------------------------------------------------- Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll --------------------------------------------------------------------------------------------- Delete the following if they exist: C:\FOUND.001\FILE0001.CHK C:\FOUND.005\FILE0266.CHK C:\FOUND.006\FILE0001.CHK C:\FOUND.013\FILE0014.CHK C:\FOUND.013\FILE0032.CHK C:\FOUND.015\FILE0000.CHK C:\FOUND.015\FILE0004.CHK C:\FOUND.015\FILE0009.CHK C:\FOUND.015\FILE0019.CHK --------------------------------------------------------------------------------------------- Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt Once back in normal mode: Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. --------------------------------------------------------------------------------------------- Go here and do the BitDefender online virus scan. Click "I Agree" to agree to the EULA. Allow the ActiveX control to install when prompted. Leave the scanning options at default and press "Click here to scan" to begin the scan. Please refrain from using the computer until the scan is finished. When the scan is finished, click on "Click here to export the scan results" Save the report to your desktop then come back here and post it in your next reply. --------------------------------------------------------------------------------------------- Run combofix once again, and post it's log. Also post a new HJT log. --------------------------------------------------------------------------------------------- So, please provide results from: SmitfraudFix Online scan combofix HJT __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009