Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available while you're carrying out the fix.
IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.
----------------------------------------
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Please make every effort to reply to my posts in a timely manner. Malware breeds malware, and the longer an infection remains on a system, the more likely additional infections will result.
Absence of symptoms does not mean that everything is clear. So let's do this to the end!
----------------------------------------
DOWNLOADS
ATF CLEANER
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
EWIDO
Please download Ewido Anti-Malware.
- Install Ewido Anti-Malware.
- Double-click the icon on Desktop to launch Ewido
- On the top of the main screen click Shield
- Click the word active to change it to inactive
- On the top of the main screen click Update.
- Then click on Start Update. The update will start and a progress bar will show the updates being installed.
- I also recommend changing the "Update interval" to something more reasonable like 12 hours.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.
----------------------------------------
DISABLE ANTI-SPYWARE APPLICATIONS
Please disable these Anti-Spyware applications, as they may hinder the removal of some entries. They may be re-enabled upon completion of the fix.
Prevx:
- Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose "Show Management Console".
- On the Management Console click the Protection Level drop-down menu. You will see three levels:
- To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
- Click the X on the upper right hand corner to exit the Management console.
Windows Defender
Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
- Open Windows Defender.
- Click on Tools>Options.
- Scroll down and uncheck "Use real-time protection (recommended)".
- After you uncheck this, click on the Save button and close Windows Defender.
----------------------------------------
COMBO FIX
1. Download this file. You MUST save it to your desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
or
http://www.techsupportforum.com/sectools/combofix.exe
2. Go to Start, then Run, then paste in the single line command below and click OK:
"%userprofile%\desktop\combofix.exe" /v awtqn
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
----------------------------------------
SAFE MODE RE-BOOT
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in on your usual account. Make sure to close any open browsers.
----------------------------------------
FIXES AND DELETIONS
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\
Please remember to close all other windows, including browsers, then click Fix checked.
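As an added illustration, not part of this thread's instructions, here is a small Python script that parses constructed HijackThis-style log lines and flags the three shapes of entry listed above: an R0 Local Page whose value is empty, an O2 BHO with no name or no backing file, and an O20 Winlogon Notify whose path is not a DLL. The sample lines, the all-zero CLSID and the "example" DLL names are made up; only the four entries from the list above are taken from this post.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log lines in HijackThis format (not this thread's own log).
# Lines 1, 2, 4 and 6 mirror the entries the helper listed; the others are
# benign-looking lines added for contrast, with made-up CLSID and DLL names.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\examplenotify.dll
"""

# HJT lines start with an item code (R0, O2, O20, ...) followed by " - ".
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")


def flag_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (line, reason) when the HJT line has one of the suspicious
    shapes from the fix list above, otherwise None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind.startswith("R"):
        # R0/R1: Internet Explorer page settings; an empty right-hand side
        # means the value was cleared or overwritten with nothing.
        key, _, value = body.partition("=")
        if value.strip() == "":
            return (line, f"{kind}: empty IE value {key.strip()}")
    elif kind == "O2":
        # O2: Browser Helper Objects; no name or no file is an orphan add-on.
        if "(no name)" in body or body.rstrip().endswith("(no file)"):
            return (line, "O2: BHO with no name or no backing file")
    elif kind == "O20":
        # O20: Winlogon Notify packages are DLLs loaded at logon; a bare
        # directory or a non-DLL path cannot be a legitimate notify package.
        _, _, path = body.partition(" - ")
        if path.strip().endswith("\\") or not path.strip().lower().endswith(".dll"):
            return (line, "O20: Winlogon Notify without a DLL filename")
    return None


def flag_log(text: str) -> List[Tuple[str, str]]:
    """Apply flag_line to every line of a log and collect the hits."""
    return [hit for hit in (flag_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for line, reason in flag_log(SAMPLE_HJT_LOG):
        print(f"{reason}\n    {line}")
```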
----------------------------------------
RUNNING SCANNERS
ATF CLEANER
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
EWIDO
- Run Ewido with its updated definitions (it's important that all windows are closed).
This scan can take quite a while to run, so be prepared.
- Click Scanner
- Click on the Scan tab
- Click Complete System Scan to begin scanning.
- When the scan is complete click Recommended Action and change it to Quarantine.
- Then click Apply all actions.
Once finished, click the Save report button, then click Save Report As and save it to your desktop.
----------------------------------------
SYSTEM RE-BOOT
Reboot into Normal Mode.
----------------------------------------
SMITFRAUD
Please download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter", and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
----------------------------------------
ON-LINE SCANS
Perform an online scan with Internet Explorer with Panda ActiveScan.
- Click on the "Free To Use ActiveScan" located on the top right hand corner. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
- Enter your e-mail address, country, and state & click Scan Now. * The download of Panda's 8 MB ActiveX control will take place *
- Begin the scan by selecting My Computer. If it finds any malware, it will offer you a report.
- Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
- Click on See report then click Save report
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
----------------------------------------
FOLLOW-UP
Please return and post these items:
- ComboFix log
- SmitFraud log
- Ewido scan
- Panda scan
- A new HJT log run in Normal Mode
Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode