Hi Jools,
You seem to be using several P2P file sharing programs like Kazaa, BitTorrent, Utorrent, Shareaza and LimeWire. The nature of P2P filesharing is such that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware. Please note that as long as you're using any form of peer-to-peer networking and downloading files from non-documented sources, the cleanliness of which has not been verified, you can expect infestations of malware to occur.
Submit a file to Jotti
Please go here:
http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste this filepath:
C:\WINDOWS\system32\B724F8875B.sys
Then hit Submit.
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.
If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html
==========================================
Please download CCleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it
==========================================
Please print the following instructions so that you'll have access to them when you're disconnected from the internet later.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive. This is important, please do not miss it.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update successful message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Open AVG AS and click the Scanner icon at the top and then click the Settings Tab.
Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
You can now close AVG A-S.
==============================================
Open the SmitfraudFix folder you downloaded earlier and double-click smitfraudfix.cmd
Press "4" and then Enter to check for updates.
Don't forget to allow SmiUpdate.exe access through your firewall.
Once it has updated, or if there are no updates available, close the window and the folder.
==============================================
Make sure that you can still see hidden files as instructed before
==============================================
Log off from the internet and disconnect your modem cable for the duration of the fix.
==============================================
Now boot into Safe Mode.
==============================================
Scan with HijackThis and put a checkmark against the following entry and click on "fix checked".
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
Exit HijackThis.
===============================================
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Press "2" and then Enter to start the cleaning process.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted "Registry cleaning - Do you want to clean the registry ?" Press "Y" and then Enter.
The tool will also check if wininet.dll is infected. You may be prompted "Replace infected file ?" - press "Y" and then press Enter.
Your PC now needs to be rebooted - if this does not happen automatically, you will need to do so manually. Either way, your PC will need to be booted back INTO SAFE MODE.
===============================================
From Safe Mode run CCleaner:
- Click on Options
- Select Advanced
- Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
- Make sure the Cleaner block on the left is selected.
- Do not use the "Issues" block. It's meant for professionals.
- Choose the Windows tab.
- Check everything EXCEPT the Advanced part of the Menu.
- Click on "Analyze". This process could take a while.
- If you don't want to lose your login passwords to certain sites, click on Options
- Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
- Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run CCleaner for every user.
================================================
Still in Safe Mode:
Make sure that ALL open Windows / Programs / Folders are closed and then run AVG A-S.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
- Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
- Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
- AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
- If you have any infections you will be prompted. **Please ensure it is set to Quarantine then select "Apply all actions"
- Next select the "Reports" icon at the top.
- Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
- Close AVG Anti-Spyware.
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.
==============================================
Reboot into Normal Mode.
==============================================
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Press "3" and then Enter to "Delete Trusted Zone".
When prompted "Restore Trusted Zone ?", press "Y" and then Enter.
* Please Note: If you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection. *
==============================================
Please post back:
Jotti's results
The AVG A-S log
The text file rapport.txt which can be found in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
For most, this file can be found by double-clicking My Computer and then Local Disk (C:)
A fresh HijackThis log
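The O17 line the helper singles out above is a NameServer entry: it sets which DNS resolvers the machine uses, so a rogue value redirects every lookup. The script below is an added example, not part of the original post or of HijackThis, SmitfraudFix or AVG. It parses HijackThis-style O17 lines from a log (the sample log is constructed here and includes the entry quoted in the post) and flags every resolver that is not on an allowlist. The allowlist of private ranges plus the 198.51.100.0/24 placeholder is an assumption; in practice you would put the router's LAN address or the ISP's real resolvers there.

```python
"""
Added example: flag HijackThis O17 NameServer entries whose resolvers are not
on an allowlist. Not part of the original thread; the allowlist contents and
the sample log lines (other than the one quoted in the post) are constructed.
"""
import ipaddress
import re

# HijackThis O17 lines look like:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d e.f.g.h
# Only NameServer entries are of interest here; Domain/SearchList lines are skipped.
O17_NAMESERVER_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")

# Assumed allowlist: RFC1918 and loopback (a home router's LAN address lives here)
# plus a placeholder for the ISP's resolvers. 198.51.100.0/24 is a documentation
# range, not a real ISP; replace it with the resolvers the user actually expects.
DEFAULT_ALLOWLIST = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder for ISP resolvers
]

# Constructed sample log. The second line is the entry quoted in the post above;
# the other lines are made up to show benign entries being ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{642CC269-B0F6-46FE-9BEE-19402AED8BBF}: NameServer = 85.255.114.39 85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: Domain = example.local
"""


def is_allowed(addr, allowlist):
    """True if addr falls inside any network on the allowlist."""
    return any(addr in net for net in allowlist)


def find_rogue_nameservers(log_text, allowlist=None):
    """
    Return a list of (registry_key, server_token, reason) for every resolver in an
    O17 NameServer line that is not on the allowlist or cannot be parsed as an IP.
    An empty list means every configured resolver is one you expected.
    """
    allowlist = DEFAULT_ALLOWLIST if allowlist is None else allowlist
    findings = []
    for raw in log_text.splitlines():
        match = O17_NAMESERVER_RE.match(raw.strip())
        if not match:
            continue
        key = match.group("key")
        # HijackThis separates multiple resolvers with spaces; the registry
        # value itself may use commas, so accept both.
        for token in re.split(r"[ ,]+", match.group("servers").strip()):
            if not token:
                continue
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                findings.append((key, token, "unparseable"))
                continue
            if not is_allowed(addr, allowlist):
                findings.append((key, token, "not on allowlist"))
    return findings


if __name__ == "__main__":
    hits = find_rogue_nameservers(SAMPLE_LOG)
    if not hits:
        print("No unexpected DNS resolvers found.")
    for key, server, reason in hits:
        print(f"FLAG {server:<16} {reason:<17} {key}")
```

Run it against a real log by reading the file into find_rogue_nameservers instead of SAMPLE_LOG. Anything it flags is worth a second look before you decide whether to "fix checked" it in HijackThis; a legitimate ISP resolver will be flagged until you add its range to the allowlist, which is the point of keeping the list explicit rather than guessing.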