Tech Support Forum - View Single Post

**src2206** · 10-07-2006, 01:24 AM

Hello teevee and welcome to TSF

.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

You may like to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools located near the top of this page, then click Subscribe to this Thread. Make sure it is set to Instant email Notification, then click Subscribe.
________________________________________________________________

Downloads

1. Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

2. Please download Cleanup! and install it. You will use this later. Do not install if you are using the 64 bit version of windows.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

3. You need to download AVG Anti-Spyware (the renamed latest version of Ewido). Before that you need to uninstall the older version of the Ewido that you are using.
To uninstall, click > Start > Control Panel > Add / Remove Programs, and from this panel uninstall Ewido.

Download AVG Anti-Spyware

Install AVG Anti-Spyware
Double-click the icon on Desktop to launch AVG Anti-Spyware

You will need to update AVG Anti-Spyware to the latest definition files.

On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

4. i) Download this file -

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

ii). Double click combofix.exe & follow the prompts.

* Please disable your Antivirus' Script Blockers for they would interfere with combofix

iii). When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
________________________________________________________________

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.
_______________________________________________________________

Fix

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

SpySheriff

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O4 - HKLM\..\Run: [{D2-29-9A-AB-ZN}] C:\windows\system32\rodsregm.exe DRCA02
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\mwinpsaw.exe DRCA02
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00096.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\windows\system32\rodsregm.exe
C:\WINDOWS\system32\mwinpsaw.exe
C:\WINDOWS\z00096.exe
C:\Program Files\Common Files\VCClient
________________________________________________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply
________________________________________________________________

Cleanup!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files (if present)
Cleanup! All Users
Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program.
Do not logoff or reboot when prompted.

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

"Security Info"
"Warning Message"
"Security Desktop"
"Warning Homepage"
"Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

AVG Anti-Spyware

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Reboot your system in Normal Mode.
___________________________________________________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
________________________________________________________________

Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear.*Please ensure that your pop up blocker doesn't block it*
Enter your e-mail address, country, and state & click Scan Now *The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Then post the following logs in your next reply...

ComboFix Log
Panda log
Hijackthis log (A Fresh One)
AVG Anti-Spyware log
C:\rapport.txt (log from the tool)

Please let me know about your systems overall behaviour

.

10-07-2006, 01:24 AM	#3 (permalink)
src2206 TSF Enthusiast Join Date: Apr 2006 Location: Kolkata, India Posts: 2,068 OS: WinXP Pro SP3 My System	Hello teevee and welcome to TSF . Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. You may like to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools located near the top of this page, then click Subscribe to this Thread. Make sure it is set to Instant email Notification, then click Subscribe. ________________________________________________________________ *Downloads* 1. Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so! 2. Please download Cleanup! and install it. You will use this later. Do not install if you are using the 64 bit version of windows. NOTE Cleanup deletes EVERYTHING out of temporary folders and does not make backups. 3. You need to download AVG Anti-Spyware (the renamed latest version of Ewido). Before that you need to uninstall the older version of the Ewido that you are using. To uninstall, click > Start > Control Panel > Add / Remove Programs, and from this panel uninstall Ewido. Download AVG Anti-Spyware Install AVG Anti-Spyware Double-click the icon on Desktop to launch AVG Anti-Spyware You will need to update AVG Anti-Spyware to the latest definition files. On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly. 4. i) Download this file - http://download.bleepingcomputer.com/sUBs/combofix.exe http://www.techsupportforum.com/sectools/combofix.exe ii). Double click combofix.exe & follow the prompts. * Please disable your Antivirus' Script Blockers for they would interfere with combofix iii). When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall ________________________________________________________________ Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK. _______________________________________________________________ *Fix* Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears). Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): SpySheriff Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any) O4 - HKLM\..\Run: [{D2-29-9A-AB-ZN}] C:\windows\system32\rodsregm.exe DRCA02 O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\mwinpsaw.exe DRCA02 O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00096.exe O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe *Please remember to close all other windows, including browsers then click Fix checked.* Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\windows\system32\rodsregm.exe C:\WINDOWS\system32\mwinpsaw.exe C:\WINDOWS\z00096.exe C:\Program Files\Common Files\VCClient ________________________________________________________________ Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish. You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply ________________________________________________________________ *Cleanup!* Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following (Make sure nothing else is checked!): Empty Recycle Bins Delete Cookies Delete Prefetch files (if present) Cleanup! All Users Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked. Click OK Press the CleanUp! button to start the program. Do not logoff or reboot when prompted. Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: "Security Info" "Warning Message" "Security Desktop" "Warning Homepage" "Desktop Uninstall" Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin. *AVG Anti-Spyware* Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important). Reboot your system in Normal Mode. ___________________________________________________________________ Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter. Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. ________________________________________________________________ *Online Scan* Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear.Please ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now The download of the 8 MB Panda's ActiveX control will take place Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan. Then post the following logs in your next reply... ComboFix Log Panda log Hijackthis log (A Fresh One) AVG Anti-Spyware log C:\rapport.txt (log from the tool) Please let me know about your systems overall behaviour . __________________ Registered Linux user #426065