Hi winter,
You’re most welcome, winter.
OK, here’s what we do next.
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
To disable Spybot’s TeaTimer function:
- Run Spybot-S&D
- Go to the Mode menu, and make sure "Advanced Mode" is selected
- On the left hand side, choose Tools -> Resident
- Uncheck "Resident TeaTimer" and OK any prompts
NEXT:
BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.
1. Please download SmitfraudFix (by S!Ri).
- Extract the content (a folder named SmitfraudFix) to your desktop.
- Please do NOT run a scan yet!
NOTE : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
2. Please download CCleaner (freeware) from HERE.
- Run the CCleaner installer.
- During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
- Please do NOT run a scan yet!
3. Please download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
- Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
- Once the setup is complete you will need to run ewido and update the definition files.
- On the main screen select the "Shield" icon, then under the "Resident shield is" section change the "Active" status of ewido’s resident shield to "Inactive".
- On the main screen select the "Update" icon, then under the "Manual update" section select the "Start update" button.
- The update will start and a progress bar will show the updates being installed.
- Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
- Once in the "Settings" screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports:"
- Select "Automatically generate report after every scan".
- Un-Select "Only if threats were found".
- Close ewido anti-spyware. Please do NOT run a scan yet!
4. Please reboot your computer into Safe Mode by doing the following:
- Reboot your computer.
- After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Instead of Windows loading as normal, a menu should appear.
- Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".
5. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
- Select Option #2 - Clean by typing 2 and press "Enter" to delete infected files.
- You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the desktop background and clean registry keys associated with the infection.
- The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
- The tool may need to restart your computer to finish the cleaning process (if a reboot is required, please boot BACK into Safe Mode). A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
WARNING : Running Option #2 on a non-infected computer will remove your desktop background.
6. AFTER SmitfraudFix finishes (and after a reboot if required), please run CCleaner. (If a reboot is required, please boot BACK into Safe Mode)
- Click the Windows tab.
- Select the following:
- Check everything under the Internet Explorer section.
- Check everything under the Windows Explorer section.
- Check everything under the System section.
- Check ONLY Old Prefetch data under the Advanced section.
- Next, click the Options icon, then click the Advanced button:
- UNCHECK : "Only delete files in Windows Temp folders older than 48 hours", click OK.
- Next, click the Cleaner icon, then click the Run Cleaner button (bottom right), then Exit.
NOTE : Please do NOT use the Applications tab or the Issues icon. Keep to the Cleaner icon and the Windows tab.
7. Then please open ewido anti-spyware. (If a reboot is required, please boot BACK into Safe Mode)
IMPORTANT : Do NOT open any other windows or programs while ewido is scanning, it may interfere with the scanning process.
- Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
- ewido will now begin the scanning process; be patient, this may take a little time.
- Once the scan is complete do the following:
- If you have any infections you will be prompted, then select the "Apply all actions" button, ewido will then display "All actions have been applied" on the right hand side.
- Next select the "Save Report" button at the bottom.
- Then select the "Save report as" button in the lower left hand of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
- Close ewido.
Then please REBOOT normally into Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the ewido report and a new HijackThis log.