[Gary R]

Looking over your log, back ASAP.

 

[Gary R]

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hi jmelt99

I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:

• Perform all actions in the order given.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Stick with it till you're given the all clear.
• Remember, absence of symptoms does not mean the infection is all gone.
• Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

If you can do these things, everything should go smoothly.

• If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
• If you're using Vista, it will be necessary to right click all tools we use and select ----> Run as Admistrator

Please download ATF Cleaner by Atribune and save it to your Desktop. (Do not run it yet)

Please download SmitfraudFix (by S!Ri) and extract (unzip) it to your Desktop. (Do not run it yet)

Please download Malwarebytes' Anti-Malware to your Desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program. (Do not run it yet)

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please boot your computer into Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account (as long as it is an account with Administrator privileges).

Note: if you cannot boot into safe mode using this method, DO NOT attempt to do so by using MSConfig, this could result in your computer becoming unbootable. Just let me know.

Once in Safe Mode

• Open the SmitfraudFix folder and double-click smitfraudfix.cmd
• Select option #2 - Clean by typing 2, then press Enter.
• You will be prompted with: Registry cleaning - Do you want to clean the registry?
• Type Y, then press Enter, to remove the Desktop background and clean infected registry keys.
• The tool will now check if wininet.dll is infected.
• You may be prompted to replace the infected file.
• If prompted, type Y, then press Enter.
• The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
• A text file will appear onscreen, with results from the cleaning process.
• Please copy/paste the content of that report into your next reply. The report can also be found at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Clean out your Temp files.

• 1st Ensure your Internet Browser is closed.
• Double click ATF-Cleaner.exe to run the program.
• Check the following boxes:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch
  • Recycle Bin
  • Java Cache
• The rest are optional - if you want to remove the lot, check Select All.
• Now click Empty Selected.
• When you get the Done Cleaning message, click OK.

Run a scan with Malwarebytes' Anti-Malware

• Click on the Malwarebytes' Anti-Malware icon to launch the programme.
  • Click the Updates tab.
    • Click Check for Updates and allow the programme to download the latest definitions.
  • Click the Scanner tab.
    • Check Perform Quick Scan.
    • Click Scan and wait for the scan to complete.
    • When the scan is complete, click OK, then Show Results.
    • Ensure all items are checked then click Remove Selected.
      • A box will pop-up telling you that files have been quarantined.
      • A log will pop-up.
    • Post the log in your next reply please.

You can also access the log by doing the following

• Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open

Open the SmitfraudFix folder again

• Double-click smitfraudfix.cmd
• Select option #3 - Delete Trusted zone by typing 3, then press Enter.
• You will be asked to "Restore Trusted Zone" click Y.

(Note: If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.)

Please post the following logs.

• c:\rapport.txt
• Malwarebytes' Anti-Malware log
• A new HijackThis log

Please post each log separately so they don't get cut off by the forum post size limiter.

 

[Gary R]

OK, looking much but still some work to do.

Run a scan with HJT and when finished check the following items (if found).

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)



Now close all open windows and click Fix Checked to remove them.

Next

I need you to run an online scan for me (this scan needs you to have Java installed).

If you don't already have Java

• Click here to visit Java's website.
• Scroll down to Java Runtime Environment (JRE) 6 Update 7.
• Click on Download.
• Select Windows from the drop-down list for Platform.
• Select Multi-language from the drop-down list for Language.
• Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
• Click on the jre-6u7-windows-i586-p.exe link to download, and save it to a convenient location.
• Double click on jre-6u7-windows-i586-p.exe to install Java.

After installing Java, or if you already have Java installed.

• Please go to Kaspersky Online Scanner.
• Read through the requirements and privacy statement and click on the Accept button.
• It will start downloading and installing the scanner and virus definitions.
  • You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they're not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers and other potentially dangerous programs.
    [*]Archives.
    [*]Mail databases.
• Under Scan, click on My Computer.
• Once the scan is complete, it will display the results.
  • Click on View Scan Report.
• You will see a list of infected items.
  • Click the Save Report As... button (see red arrow below)
    
    
    
    
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KAVScan
  • In the Save as type prompt, select Text file (see below)
    
    
  • Copy and paste that information in your next post please, along with a new HJT log.

 

[Gary R]

OK looking good. The two "infections" found by Kaspersky are part of Smitfraudfix, they are not malicious, but are often flagged by anti-virus programmes because of their actions, which are similar to some trojans. We'll remove them to prevent them being flagged in future.

Let's clear out the programmes we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately. Besides they're updated regularly so won't be of any use against future infections

• Download OTCleanIt.exe to your Desktop.
• Double click OTCleanIt.exe to run the programme.
• Click the CleanUp! button.
• When finished delete OTCleanIt.exe (if still present).

Malwarebytes' Anti-Malware is Freeware, so you can keep or remove it as you wish. Personally I think its one of the better Anti-Spyware scanners around at the moment. However if you wish to remove it, use Control Panel > Add/Remove Programs

ATFCleaner is a useful utility for cleaning out your Temp folders easily, however if you don't want it it's freestanding, so all you have to do is delete it.

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems ?

• If you are let me know about them.
• If not it's time to make your computer more secure.

Before I make any recommendations, I'd like to give a simplified overview of how your defensive systems work and what you can do to protect yourself better in future.

The average home computer has approximately 64,000 ports through which it can communicate. By default these ports are open and can be used by any programme which cares to access them, either from within the computer or from without. If you were to go online with a computer in this condition you would quickly be attacked and your computer would be infected.

To prevent this you install a Firewall. A firewall will close all open ports and you then open the ones you need by setting "rules" for them according to the instructions supplied with the Firewall programme. Usually you will have ports open for your Internet Browser, your e-mail client, and the update functions for various programmes.

These "open" ports will not be fully accessible, in that they will only allow a communication if it was instigated from within your computer. Any unsolicited communications from outside are blocked.

However if you are tricked into starting the communication, then as far as your Firewall is concerned it is a legit transaction and it will open the port. So by clicking on malicious links, replying to unsolicited e-mails and attachments, and downloading from unsafe sources, you are effectively bypassing any protection your Firewall supplies.

At this point your Anti-Spyware and Anti-Virus programmes take over. The real-time-protection in these constantly scan the data stream in your open ports looking for things that match with items in the database they have within them. If they find something then they will alert you, or quarantine it, or delete it, according to the rules set within the programme.

However as you can see, if the database does not contain details of the infection that's attacking you, then your Anti-Virus or Anti-Spyware programmes will not protect you. There are new infections (or new variations of old infections) created every day, which is why it's vital to keep your programmes up to date. Even with a fully updated database though, you are though still playing catchup, which is why your Firewall, Anti-Virus and Anti-Spyware programmes cannot ever give you 100% protection.

Adding more and more programmes will not give you more and more protection, it's up to you to take some responsibility for your online actions, and modify them to give your programmes the best chance of protecting you.

Be careful what you click on.

• Don't download anything from a site you do not know and trust. Remember, there's no such thing as a free lunch, if something seems too good to be true it is. Malware purveyors love to offer out freebies as bait knowing full well that one unguarded click is all it takes.
  
• Don't reply to unsolicited e-mails.
  
• Don't open e-mail attachments (even from friends) without checking with the source to ensure they actually sent them.
  
• Don't use P2P file sharing programmes. Even the ones that don't come bundled (and many do) are not safe. By using them you are effectively downloading from an unknown source, with all the dangers described above.

OK, so how do we set about protecting you.

You should definitely have one of each of the following programmes.

• Firewall
• Anti-Virus
• Anti-Spyware

You do not need more than one of each. More than one will cause conflicts, and will not improve your security.

If you don't already have them, then these are links to lists of free programmes.

• Firewalls
• Anti-Virus
• Anti-Spyware

You'll increase your chances of not getting infected if you don't land on an infected website in the first place.

There are a couple of ways to do this

• Block access to sites known to spread Malware.
• Give you clear indication of which they are, so that you can make choices.

To block access to known bad sites we use a Hosts file.

Download HostsXpert and unzip it to your computer, somewhere where you can find it.

• Double click on HostsXpert.exe to launch the programme.
• Check to see if top button on left hand side says Make Writable ?
  • If it does. click on it then proceed to next instruction.
  • If not, just proceed to next instruction
• Click on the Download button (lower left hand side)
  • Click on MVPs Hosts... button.
  • Click on Replace button.
  • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
• When finished.
  • Click on File Handling button.
  • Click on Make Read Only ? to secure it against infection.
• Exit the programme.

To give you an indication of which sites may contain bad links or suspect downloads I like to use Site Advisor.

• 
  This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site. It also gives the same colour indications in the results page when you do a Google search, making it easier to decide which sites are safe to visit.

Remove known vulnerabilities

• Update your Java
  
  Older versions have vulnerabilities that malware can and are using to infect systems.
  
  

  Please follow these steps to remove older version Java components. This is important as it's still possible to get infected through an old install even if you're using the latest version of Java.
  
  Download JavaRa by Prm753 and unzip it to your desktop.
  
  

  • Double-click on JavaRa.exe to start the program.
  • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted.
  • When JavaRa is done, a notice will appear that a logfile has been produced.
  • Click OK.
    • The logfile will pop up.
    • Please save it to a convenient location.

  • 
    This is important as it's still possible to get infected through an old install even if you're using the latest version of Java.
    
    Now download and install Java Runtime Environment (JRE) 6 Update 7.
  • Update Windows and Internet Explorer It is essential you keep your Operating System up to date with all the latest patches. The bad guys watch for the latest exploits, as soon as Microsoft brings out a patch, the bad guys will bring out an infection to exploit that vulnerability. If you don't have all the latest patches your computer is vulnerable. Please go to the windows update site and get the critical updates.
  • Use a "secure" browser Install Internet Explorer 7 or an alternative browser like Firefox or Opera for more secure surfing.
    Please remember that there is no such thing as a totally secure browser. Your browsing habits will be the major factor in determining just how safe you are online. If you visit, Crack/Warez sites, Porn sites, or other sites of a questionable nature, you still run a severe risk of getting infected.
  • Do not use P2P file sharing programmes I'd like you to read the Guidelines for P2P Programs where it's explained why it's not a good idea to have them.
    
    My recommendation is you go to Control Panel > Add/Remove Programs and uninstall any P2P programs you have installed.
  • Obviously you have probably already taken care of some of the issues mentioned, but it is important that you read through them, and address any that you may have missed.

Here's links to a few articles which are worth reading

• The Spyware Warrior Guide to Getting help with Spyware
• Microsoft - Security at Home
• Top Ten excuses why people don't want to secure their computer and why they are wrong - by Budfred
• How did I get infected in the first place - by TonyKlein
• Prevent Re-infection
• Simple and easy ways to keep your computer safe and secure on the Internet
• Help! My computer is slow! - How to improve system performance after malware removal - by Miekiemoes

Finally

NOW is the time you can start to hit back at the people who infected you.

Please take the time to go and complain - that forum has a topic for your infection which is Smitfraud....... (if not, post in the Is your infection not listed here? topic). Please post as a reply, you do not need to register to do so (but you can if you wish). It will also have a list of other places you can go to to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to government or government agencies that something will get done.

 

[Gary R]

You're welcome, glad we could help.

Keep safe.

Gary.


As this topic is now closed, I won't be subscribed to it any longer. If you have any future problems (not that I'm expecting you to :wink start a new thread and wait for help.