12-01-2006, 07:52 PM   #5
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,030
OS: WinXP and Vista


Hello Socha_62,

Please humor me here for a moment. I'm seeing entries in the ComboFix.txt that normally should be showing in the HJT log. We already know how a particular infection interferes with HijackThis to hide itself--I'm wondering if they've now changed their tactics which would ultimately affect how we deal with future logs.

**Note** Before we begin, please move HiJackThis to its own folder, like c:\HJT, or even your desktop would be fine. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, which, with HiJackThis in its current location, means we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

You may need to download HijackThis again as combofix does clean the temp directory:

Download HijackThis 1.99.1. Double-click on the file you just downloaded. Click on the "Unzip" button to install. Please ensure it is not set to unzip into the Temp directory. By default it should install to the directory C:\PROGRAM FILES\HIJACKTHIS\

-------------------------------

Next, I'd like you to rename HijackThis.exe to Socha.exe.
  • Navigate to the location you've placed HijackThis.
  • Right click on HijackThis.exe
  • Select 'Rename'
  • Type in Socha.exe
  • Press Enter.
Please run another scan with Socha.exe.

Please post that log here before you carry out the next set of instructions:

-------------------------------

I don't want to keep you waiting to begin cleaning the system, so we'll go after Virus Bursters, etc., first--we'll get the rest in the next round.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download SmitfraudFix (by S!Ri) and extract the content (a folder named SmitfraudFix) to your Desktop.

-----------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Log in with your usual account. Make sure to close any open browsers.

-----------------------------------

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Next, go to Control Panel and click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete, if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, then click Apply, then OK.

----------------------------------------------------

Reboot into Normal Mode.

----------------------------------------------------

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

----------------------------------------------------

Run combofix.exe once again.

----------------------------------------------------

Run another scan with Socha.exe and save the log.

----------------------------------------------------


Then post the following logs in your next reply...

c:\rapport.txt
ComboFix.txt
Hijackthis log (Socha.exe)
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
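As an added defender's check (not part of Ried's post, SmitfraudFix or HijackThis), the following Python script parses a `reg export` dump and flags the two things the steps above remove by hand: Active Desktop web components carrying the rogue names listed ("Security Info", "Warning Message", etc.) and hosts that have been mapped into IE's Trusted sites zone (zone id 2). The registry paths are the standard IE ones; the sample dump embedded below is constructed for illustration.

```python
import re
# Rogue Active Desktop item names the post tells the user to delete.
ROGUE_NAMES = {"Security Info", "Warning Message", "Security Desktop",
               "Warning Homepage", "Desktop Uninstall"}
COMPONENTS_KEY = "\\internet explorer\\desktop\\components\\"
ZONEMAP_KEY = "\\internet settings\\zonemap\\domains\\"
TRUSTED_SITES_ZONE = 2  # IE zone ids: 1 Intranet, 2 Trusted sites, 3 Internet, 4 Restricted
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.*?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Parse .reg text into {key path: {value name: str | int}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            current, keys[m.group(1)] = m.group(1), {}
        elif current and (m := VALUE_RE.match(line)):
            name, s, d = m.groups()
            keys[current][name] = s.replace("\\\\", "\\") if s is not None else int(d, 16)
    return keys

def rogue_desktop_components(keys):
    """(FriendlyName, Source) of Active Desktop components carrying a rogue name."""
    return sorted((v["FriendlyName"], v.get("Source", "")) for p, v in keys.items()
                  if COMPONENTS_KEY in p.lower() and v.get("FriendlyName") in ROGUE_NAMES)

def trusted_zone_hosts(keys):
    """(host, protocol) pairs mapped into Trusted sites; a subkey under a domain is a subdomain."""
    hits = []
    for path, values in keys.items():
        i = path.lower().find(ZONEMAP_KEY)
        if i >= 0:
            host = ".".join(reversed(path[i + len(ZONEMAP_KEY):].split("\\")))
            hits += [(host, proto) for proto, zone in values.items() if zone == TRUSTED_SITES_ZONE]
    return sorted(hits)

# Constructed sample dump (not a real export): one rogue desktop component,
# two Trusted-sites entries (whole domain via "*", one subdomain) and one Intranet entry.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName"="Security Info"
"Source"="file:///C:\\WINDOWS\\desktop.html"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rogue.test]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"http"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.test]
"http"=dword:00000001
"""
```

Run it against the output of `reg export "HKCU\Software\Microsoft" dump.reg` on the affected machine; anything it lists is what the Display > Desktop > Web dialog and SmitfraudFix option #3 are meant to clear.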