
Trogan

Trusted Malware Techs
  • Content Count

    156
  • Joined

  • Last visited

Posts posted by Trogan


  1. Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

     

    Please update Ewido as we will scan with it again soon.

    ______________________________

     

    Reboot your computer in Safe Mode.

    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    ______________________________

     

    Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.

    Select option #2 - Clean by typing 2 and press Enter.

    Wait for the tool to complete and disk cleanup to finish.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

     

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

     

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    ______________________________

     

    Navigate to C:\Windows\Temp

    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

     

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp

    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

     

    Clean out your Temporary Internet files. Proceed like this:

    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start, click Control Panel, and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

     

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

    ______________________________

     

    Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.

      IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.

      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)

        Posted Image

    • When done, click the Save Scan Report button.
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.

    ______________________________

     

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Select option #3 - Delete Trusted zone by typing 3 and press Enter.

    Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

     

    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

    ______________________________

     

    Re-scan with Panda Activescan, and save the log.

    ______________________________

     

    Please post:

    • c:\rapport.txt
    • Ewido log
    • Panda Report
    • A new HijackThis log
    You may need several replies to post the requested logs, otherwise they might get cut off.

  2. yoyocool2, there is still some work to do.

     

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    This program is for XP and Windows 2000 only!

     

    Double-click ATF Cleaner.exe to open it.

     

    Under Main select the following:

    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Cookies
    • Temporary Internet Files
    • Prefetch
    • Java Cache
    *The other boxes are optional*

    Then click the Empty Selected button.

     

    Click Exit on the Main menu to close the program.

     

    =====

     

    Download SmitfraudFix (by S!Ri) to your Desktop.

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

     

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Select option #1 - Search by typing 1 and press Enter

    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

     

    IMPORTANT: Do NOT run any other options until you are asked to do so!


  3. Hi again yoyocool2! You should get a Firewall for your computer's protection, but I cannot force you. I recommend you get SP2 once we have finished because it has a built-in Firewall, which is better than nothing at all.

     

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

     

    Updating Java:

    • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement."
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
      • J2SE Runtime Environment 5.0 Update 6
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.
    =====

     

    Open HijackThis

    - Click the Do a system scan only button

    - Check the following entries (below)

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

     

    O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\YoYoCool2\Desktop\Xinstall.exe

     

    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect.roseonlinegame.com/nProtec...Crypt/npkcx.cab

    O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...96401dafb6b5e1d

    O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll

     

    O20 - Winlogon Notify: win_systernn - C:\WINDOWS\

     

    - Close ALL open windows (especially Internet Explorer!)

    - Click Fix Checked

    Close HijackThis

     

    =====

     

    Find and Delete the following:

     

    C:\Documents and Settings\YoYoCool2\Desktop\Xinstall.exe << this file

    C:\Program Files\ToolBar888 << this folder

     

    =====

     

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • A C:\vundofix.txt file will be created, please keep it safe as I'll need to see it soon.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

     

    =====

     

    Please do an online scan with Panda ActiveScan

     

    - Once you are on the Panda site, click the Scan your PC button

    - A new window will open...click the Check Now button

    - Enter your Country

    - Enter your State/Province

    - Enter your e-mail address and click send

    - Select either Home User or Company

    - Click the big Scan Now button

    - If it wants to install an ActiveX component allow it

    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

    - When download is complete, click on Local Disks to start the scan

    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

     

    Please post the following:

     

    1) Contents of C:\vundofix.txt

    2) Panda report

    3) New HijackThis log

     

    Also, let me know how things are please.


  4. Hi yoyocool2! Can you do the following please.

     

    I don't see any indication of a Firewall in your HijackThis log. This may be because:

     

    (1.) You are using Windows Firewall or a hardware Firewall.

    (2.) You are using a Firewall of an unknown vendor.

    (3.) You are using a Firewall, but it is disabled for unknown reasons

    (4.) You don't use any firewall at all.

     

    In the case you don't have a Firewall, please download one from the list below - They are Free!

     

    Zone Alarm << I recommend this

    Sunbelt Kerio PF

    Outpost Firewall

     

    =====

     

    You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

     

    Please download Ewido to your Desktop or to your usual Download Folder.

    http://www.ewido.net/en/download/

    • Install Ewido by double clicking the installer.
    • Follow the prompts. Make sure that Launch Ewido is checked.
    • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.

      Note: If the Update now option is grayed out, follow the steps below.

    • Click on Update on the toolbar.
    • Under Manual update, click on the Start Update button.
    • Wait until you see the Update successful message.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

    If you are having problems with the updater, you can use this link to manually update ewido.

    Ewido manual updates.

    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

     

    Reboot your computer in Safe Mode.

    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Once in Safe Mode:

     

    Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.

      IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.

      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)

        Posted Image

    • When done, click the Save Scan Report button.
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    =====Reboot back into Normal Mode=====

     

    I would like to see another log from HijackThis.

    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button. It will open a Notepad file.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.
    =====

     

    Can you post the following please:

     

    1) Ewido log

    2) Uninstall list

    3) New HijackThis log

     

    You may need several posts in case the logs get cut off.


  5. Hi LJK! Thanks for the logs, can you do the following please...

     

    I don't see any indication of a Firewall in your HijackThis log. This may be because:

     

    (1.) You are using Windows Firewall or a hardware Firewall.

    (2.) You are using a Firewall of an unknown vendor.

    (3.) You are using a Firewall, but it is disabled for unknown reasons

    (4.) You don't use any firewall at all.

     

    In the case you don't have a Firewall, please download one from the list below - They are Free!

     

    Zone Alarm << I recommend this

    Sunbelt Kerio PF

    Outpost Firewall

     

    =====

     

    Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

     

    My Web Search (Cursor Mania)

     

    Next, find and delete the following folder:

     

    C:\Program Files\My Web Search << this folder

     

    =====

     

    Please Download NoLop to your desktop from one of the links below...

    Link 1

    Link 2

    Link 3

    • First close any other programs you have running as this will require a reboot
    • Double click NoLop.exe to run it
      • Carefully type or copy and paste this series of characters into the lower text area labelled Insert CLSID Here. Include the {}:

         

        {5CF6DE82-E459-0269-2EB5-20B91EB95C46}

    • Now click the button labelled "Search and Destroy"

      <<your computer will now be scanned for infected files>>

    • When scanning is finished you will be prompted to reboot only if infected, Click OK
    • Now click the "REBOOT" Button.
    • A Message should popup from NoLop. If not, double click the program again and it will finish. Please Post the contents of C:\NoLop.log along with a fresh HijackThis log
    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.--

  6. Hi LJK! Welcome to PC Pitstop! :)

     

    I need to see some logs if we are to be able to help you.

     

    Click here to download HJTsetup.exe

    Save HJTsetup.exe to your desktop.

    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    • Copy and paste the log here
    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

     

    =====

     

    Also, I would like to see another log from HijackThis.

    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button. It will open a Notepad file.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.
    =====

     

    Please post the HijackThis log, and the Uninstall list. :)


  7. Hi blacken77, thanks again for the info and logs.

     

    First, Kaspersky is detecting SmitfraudFix to be a threat, which it isn't really. It also found an infection hiding in your restore point, but following the "For XP users." instructions below will take care of that.

     

    Second, your HijackThis log is clean - Good Job! :)

     

    With that said, you can delete SmitfraudFix as it is not needed anymore.

     

    Here are some measures you can take to stay more secure online:

     

    Secure your Internet Explorer by going here and following the instructions there.

     

    Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera.

     

    Use a firewall to help prevent your PC(s) from being usurped by undesirables. If you don't have a Firewall, then choose one from the list here

     

    Install an Anti-Virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often. If you don't have an Anti-Virus program, choose one from the list here

     

    Install and keep updated, Ad-Aware SE and Spybot Search & Destroy.

    Run them both on a regular basis, following the manufacturer's recommendations.

     

    Install and keep updated, SpywareBlaster and SpywareGuard

     

    Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

     

    Clear your Temp folders.

    Go to Start > Control Panel > Internet Options.

    Under the General tab click the Delete Files... button; check the Delete all offline content box and press OK. Next, click the Delete Cookies... button and press OK

     

    Go to "Start" -> "Run", type in the box: "cleanmgr" and press OK. Select the drive where your Operating System is installed (Default is C:) and press OK. Let Disk Cleanup scan your system for files to remove (it takes a few minutes!). On the next screen make sure these 3 options are checked:

    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    and then press "OK" to remove them.

     

    Go to Start > Find/Search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

     

    Empty/delete the entire contents from within the following folders:

    C:\Windows\temp

    C:\temp <-- if you have one.

    Note: Empty the contents but do not delete the folder(s).

     

    Clear out temp files from the following location. Change "username" to whatever you have on your computer.

    C:\Documents and Settings\username\Local Settings\Temp\

    In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

     

    Empty the Recycle Bin!

     

    Hide system files

    It is very important that system files and folders are hidden again, so that they DO NOT get deleted by mistake. To hide system files and folders, do the following for your operating system...

     

    Windows XP

    * Click Start.

    * Open My Computer.

    * Select the Tools menu and click Folder Options.

    * Select the View Tab.

    * Under the Hidden files and folders heading, uncheck Do not show hidden files and folders

    * Check the Hide protected operating system files (recommended) option.

    * Click Yes to confirm.

    * Click OK.

     

    For XP users.

    It's a good idea to flush your System Restore points after ridding yourself of malware. You can do this as follows:

    • Click Start | Help and Support | Undo changes to your computer with System Restore.
    • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
    • Close the Help and Support Center box.
    • Click Start | Run and type Cleanmgr
    • Select (C: ) then click OK.
    • Click the More Options tab.
    • Click Clean Up in the System Restore Section.
    This will remove all previous restore points except the newly created one.

     

    ===============

     

    If you have any more problems, post back. Otherwise, respond once more so we may archive this thread. :)


  8. Hi blacken77! Thanks for doing as requested. :)

     

    Please do the following...

     

    Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

     

    J2SE Runtime Environment 5.0 Update 6

     

    =====

     

    We need to DISABLE Windows Defender as it may interfere with the fix.

     

    1) Open Windows Defender.

    2) Click on Tools > General Settings.

    3) Scroll Down and Uncheck Turn on real-time Protection (recommended).

    4) After you uncheck these, click on the Save button and close Windows Defender.

    5) Right click on the Windows Defender icon on the taskbar and select Exit.

     

    Note: You can enable real-time protection once we have finished the cleanup process!

     

    =====

     

    Open HijackThis

    - Click the Do a system scan only button

    - Check the following entries (below)

     

    O20 - Winlogon Notify: winhfn32 - winhfn32.dll (file missing)

     

    - Close ALL open windows (especially Internet Explorer!)

    Click Fix Checked

     

    =====

     

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

     

    Double-click ATF Cleaner.exe to open it

     

    Under Main choose:

    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Cookies
    • Temporary Internet Files
    • Prefetch
    • Java Cache
    *The other boxes are optional*

    Then click the Empty Selected button.

     

    Firefox:

    Click Firefox at the top and choose: Select All

    Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

     

    Click Exit on the Main menu to close the program.

     

    =====

     

    You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

     

    Please download Ewido to your Desktop or to your usual Download Folder.

    http://www.ewido.net/en/download/

    • Install Ewido by double clicking the installer.
    • Follow the prompts. Make sure that Launch Ewido is checked.
    • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.

      Note: If the Update now option is grayed out, follow the steps below.

    • Click on Update on the toolbar.
    • Under Manual update, click on the Start Update button.
    • Wait until you see the Update successful message.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

    If you are having problems with the updater, you can use this link to manually update ewido.

    Ewido manual updates.

    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

     

    Reboot your computer in Safe Mode.

    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Once in Safe Mode:

     

    Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.

      IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.

      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)

        Posted Image

    • When done, click the Save Scan Report button.
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    =====Reboot back into Normal Mode=====

     

    Please do an online scan with Kaspersky WebScanner

     

    Click on Kaspersky Online Scanner

     

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under select a target to scan: Select My Computer.
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.
    =====

     

    Please post the following:

     

    1) Ewido log

    2) Kaspersky log

    3) New HijackThis

     

    Also, let me know if F-Prot is still detecting anything. If it is, please post the full location to the file(s) being detected. :)
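The HijackThis entries quoted in the posts above (R0, O4, O16 and O20 lines) follow a fixed text layout, and the helper's decisions rest on a few properties of each line: a Winlogon Notify DLL reported as "(file missing)", an autorun pointing into a user's Desktop, an ActiveX control pulled from a remote site. The following Python script is an added example, not code from HijackThis or from this forum, that parses those four entry types into structured records and flags exactly those conditions; the sample log is constructed from the entries quoted in the posts (the Zango URL is left truncated as it appears on the page), and the flagging rules are illustrative triage heuristics, not a HijackThis feature.

```python
"""Parse HijackThis-style log entries (R0, O4, O16, O20) and flag review-worthy
conditions. Added example, not HijackThis code; heuristics are illustrative."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample built from the entries quoted in the posts above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\YoYoCool2\Desktop\Xinstall.exe
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...96401dafb6b5e1d
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O20 - Winlogon Notify: winhfn32 - winhfn32.dll (file missing)
O20 - Winlogon Notify: win_systernn - C:\WINDOWS\
"""

# Every entry is "<code> - <body>"; the body layout depends on the code.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.*)$")
R0_RE = re.compile(r"^(?P<key>HK[A-Z]{2}\\[^,]*),(?P<value>[^=]*?)\s*=\s*(?P<data>.*)$")
O4_RE = re.compile(r"^(?P<key>HK[A-Z]{2}\\.*?):\s+\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
O16_RE = re.compile(
    r"^DPF:\s+(?P<clsid>\{[0-9A-Fa-f-]{36}\})(?:\s+\((?P<name>[^)]*)\))?\s+-\s+(?P<url>\S+)$"
)
O20_RE = re.compile(
    r"^Winlogon Notify:\s+(?P<name>\S+)\s+-\s+(?P<dll>.*?)(?P<missing>\s+\(file missing\))?$"
)
BODY_PARSERS = {"R0": R0_RE, "O4": O4_RE, "O16": O16_RE, "O20": O20_RE}

# Directories an ordinary user can write to; an autorun launching from here is
# the pattern the posts above fix (Xinstall.exe on the Desktop). Assumed list.
USER_WRITABLE_DIRS = ("\\desktop\\", "\\temp\\", "\\temporary internet files\\")


@dataclass
class Entry:
    code: str
    raw: str
    fields: Dict[str, str] = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)


def _apply_flags(entry: Entry) -> None:
    """Attach the illustrative triage flags to a parsed entry."""
    f = entry.fields
    if entry.code == "O20" and f.pop("missing", ""):
        # A Winlogon Notify package whose DLL is gone is a leftover hook.
        entry.flags.append("file missing")
    if entry.code == "O4":
        cmd = f.get("command", "").lower()
        if any(d in cmd for d in USER_WRITABLE_DIRS):
            entry.flags.append("autorun from user-writable location")
    if entry.code == "O16":
        # DPF entries record ActiveX controls downloaded from the web.
        host = urlsplit(f.get("url", "")).netloc
        entry.flags.append(f"ActiveX control from {host}")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for blank or non-entry lines."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = Entry(code=m["code"], raw=line)
    body_re = BODY_PARSERS.get(entry.code)
    sub = body_re.match(m["body"]) if body_re else None
    if sub:
        # Optional groups that did not match become empty strings.
        entry.fields = {k: (v or "") for k, v in sub.groupdict().items()}
    _apply_flags(entry)
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse a whole log into the entries it contains."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def flagged(entries: List[Entry]) -> List[Entry]:
    """Return only the entries that carry at least one flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.code:<4}{'; '.join(e.flags):<45}{e.raw}")
```

Run as a script it prints the flagged entries; the R0 line is parsed into key, value name and data but, with no heuristic attached, is left for a human to judge, which mirrors how the posts above treat most HijackThis output ("Most of what it finds will be harmless or even required").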


  9. Hi again blacken77,

     

    I don't see any indication of a Firewall in your HijackThis log. This may be because:

     

    (1.) You are using Windows Firewall or a hardware Firewall.

    (2.) You are using a Firewall of an unknown vendor.

    (3.) You are using a Firewall, but it is disabled for unknown reasons

    (4.) You don't use any firewall at all.

     

    In the case you don't have a Firewall, please download one from below - They are Free!

     

    Zone Alarm << I recommend this

    Sunbelt Kerio PF

    Outpost Firewall

     

    =====

     

    Run HijackThis and click on Open the Misc Tools section.

    Click on Delete a file on reboot...

    Copy and paste the following into the "File name:" text box and then click Open:

     

    C:\WINDOWS\SYSTEM32\winhfn32.dll

     

    When you are asked "Do you want to restart your computer now?", click OK.

     

    Your PC MUST reboot to delete the file!

     

    =====

     

    Download SmitfraudFix (by S!Ri) to your Desktop.

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

     

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Select option #1 - Search by typing 1 and press Enter

    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

     

    IMPORTANT: Do NOT run any other options until you are asked to do so!

     

    =====

     

    I would like to see another log from HijackThis.

    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button. It will open a Notepad file.
    • Copy & Paste the entire contents of that file in your next post.
    =====

     

    Please post the following:

     

    1) Contents of C:\rapport.txt

    2) Uninstall list

    3) New HijackThis log


  10. Hi DamageInc,

     

    I'm glad your PC is back to normal. :)

     

    There are one or two more things to do, so don't go just yet. Please do the following...

     

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

     

    Updating Java:

    • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement."
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
      • J2SE Runtime Environment 5.0
      • J2SE Runtime Environment 5.0 Update 2
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.
    =====

     

    If you had problems with removing the files found by AVG, you may want to read this link...

     

    http://free.grisoft.com/softw/70free/doc/a...ref_en_71_5.pdf

     

    =====

     

    With that said, your HijackThis log is clean. Good job! :)

     

    Here are some measures you can take to stay more secure online:

     

    Secure your Internet Explorer by going here and following the instructions there.

     

    Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera.

     

    Use a firewall to help prevent your PC(s) from being usurped by undesirables. If you don't have a Firewall, then choose one from the list here

     

    Install an Anti-Virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often. If you don't have an Anti-Virus program, choose one from the list here

     

    Install and keep updated, Ad-Aware SE and Spybot Search & Destroy.

    Run them both on a regular basis, following the manufacturer's recommendations.

     

    Install and keep updated, SpywareBlaster and SpywareGuard

     

    Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

     

    Clear your Temp folders.

    Go to Start > Control Panel > Internet Options.

    Under the General tab click the Delete Files... button; check the Delete all offline content box and press OK. Next, click the Delete Cookies... button and press OK

     

    Go to "Start" > "Run" and type in the box: "cleanmgr" and press OK. Select the drive where your Operating System is installed (Default is C:) and press OK. Let Disk Cleanup scan your system for files to remove (it takes a few minutes!). On the next screen make sure these 3 options are checked:

    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    and then press "OK" to remove them.

     

    Go to Start > Find/Search > Files or folders > in the named box, type: *.tmp and choose Edit > Select All > File > Delete.

     

    Empty/delete the entire contents from within the following folders:

    C:\Windows\temp

    C:\temp <-- if you have one.

    Note: Empty the contents but do not delete the folder(s).

     

    Clear out temp files from the following location. Change "username" to whatever you have on your computer.

    C:\Documents and Settings\username\Local Settings\Temp\

    In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

     

    Empty the Recycle Bin!

     

    Hide system files

    It is very important that system files and folders are hidden again, so that they DO NOT get deleted by mistake. To hide system files and folders, do the following for your operating system...

     

    Windows XP

    * Click Start.

    * Open My Computer.

    * Select the Tools menu and click Folder Options.

    * Select the View Tab.

    * Under the Hidden files and folders heading, uncheck Do not show hidden files and folders

    * Check the Hide protected operating system files (recommended) option.

    * Click Yes to confirm.

    * Click OK.

     

     

    For XP users.

    It's a good idea to Flush your System Restore points after ridding yourself of malware: You can clean this by doing the following:

    • Click Start | Help and Support | Undo changes to your computer with System Restore.
    • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
    • Close the Help and Support Center box.
    • Click Start | Run and type Cleanmgr
    • Select (C:) then click OK.
    • Click the More Options tab.
    • Click Clean Up in the System Restore Section.
    This will remove all previous restore points except the newly created one.

     

    ===============

     

    If you have any more problems, post back. Otherwise, respond once more so we may archive this thread. :)


  11. Hi again DamageInc!

     

    You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

     

    Preparation

     

    1) Download the trial version of Ewido anti-spyware from here and save it to your Desktop.

    If you already have this program installed, skip to Updating Ewido: below.

     

    * Please note that these instructions are for the new version - Ewido anti-spyware. If you have the old version - Ewido anti-malware and it is the:

    • paid-for version - you will need to go here and obtain an updated license code before you upgrade.
    • free version - you will need to uninstall it and reboot before installing the new version.
    Double click the ewido-setup file to begin installation and follow the prompts.

    When the program has been installed, and you click the Finish button, Ewido anti-spyware will open.

    Updating Ewido:

    By default Ewido is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:

    • Click the Update icon at the top and under "Manual Update" - click the Start update button.
    • Either Ewido will update or inform you that no update was available.

    Disabling the Resident Shield:

    By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.

    (When the PC has been cleaned you can activate the shield again, if you wish.)

    • Click the Shield icon at the top and under "Resident shield is..." - click active.
    • This should now change to inactive.

    Changing Recommended Actions:

    • Click the Scanner icon at the top and then click the Settings Tab.
    • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.

    You can now close Ewido anti-spyware.

     

    Ewido anti-spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.

    Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that Ewido will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.

    Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.

     

    2) You will need to know how to boot into Safe Mode.

    Instructions can be found here.

     

    3) You will need to set Windows to show All Hidden Files and Folders.

    Instructions can be found here.

    ** These files are hidden to stop you accidentally removing something important.

    It is advisable to hide them again after fixing your computer. **

     

    4) Log off from the internet and disconnect your modem cable for the duration of the fix.

     

    Removal

     

    1) Run HJT and click on Open the Misc Tools section.

    Click on delete a file on reboot...

    Copy and paste the following into the "File name:" text box and then click Open:

     

    C:\WINDOWS\SYSTEM32\winmqx32.dll

     

    When you are asked "Do you want to restart your computer now?", click OK.

     

    Your PC MUST reboot to delete the file!

     

    2) Once your PC has fully rebooted, continue below:

     

    Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

     

    Cowabanga by OIN

    Need2Find Bar

    Safety Bar

     

    I strongly advise that you also uninstall the following programs, as they are likely to be the culprits of your problems.

     

    BitComet 0.70

    eDonkey2000

    eMule

    P2P Networking

     

    3) Boot into Safe Mode.

     

    4) Open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Press "2" and then <ENTER> to start the cleaning process.

    • Wait for the tool to complete and disk cleanup to finish.
    • You will be prompted "Registry cleaning - Do you want to clean the registry ?" Press "Y" and then <ENTER>.
    • The tool will also check if wininet.dll is infected. You may be prompted to "Replace infected file ?" - press "Y" and then <ENTER>.
    Your PC now needs to be rebooted. If this does not happen automatically, you will need to do so manually. Either way, your PC will need to be booted back INTO SAFE MODE.

     

    5) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.

    Place a checkmark in the boxes to the left of the following entries, by clicking on them:

     

    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\2.bin\ND2FNBAR.DLL (file missing)

    O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)

    O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll

     

    O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll

     

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

     

    O16 - DPF: {00000000-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/88d165a268...e27fee89_35.exe

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

     

    O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll

     

    O20 - Winlogon Notify: winmqx32 - C:\WINDOWS\SYSTEM32\winmqx32.dll

     

    CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

     

    6) Find and Delete the following, if present:

     

    C:\WINDOWS\system32\ixt0.dll << this file

    C:\Program Files\Need2Find << this folder

    C:\Program Files\InstantFinder << this folder

    C:\Program Files\Safety Bar << this folder

    c:\Program Files\altnet << this folder

    C:\Program Files\RXToolBar << this folder

     

    7) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.

    Do this for all Usernames.

     

    8) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.

    Do this for all Usernames.

     

    9) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...

    Check the box to the left of 'Delete all offline content' and then click on OK.

     

    10) Go to Start > Control Panel > Display.

    Select the Desktop Tab, click on Customise Desktop... and then select the Web Tab.

    Under Web pages: you should see a checked entry called Security info - or similar. Highlight this entry and then click the Delete button.

    Finally click OK > Apply > OK.

     

    11) Empty the Recycle Bin.

     

    12) Ensure that ALL open Windows / Programs / Folders are closed and then run Ewido anti-spyware.

    • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
    • Click "Complete System Scan"
    • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
    • When the scan has completed, any threats that Ewido has detected will be displayed.
    • Click the Apply all actions button at the bottom.
    • When Ewido has finished, it will display the message "All actions have been applied".

       

      Saving a report:

    • Click the Save Report button at the bottom left and the "Reports" window will open.
    • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\ewido anti-spyware 4.0\Reports folder.
    • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:

      Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.

    Close Ewido Anti-Spyware.

     

    13) Reboot into Normal Mode.

     

    14) Open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Press "3" and then <ENTER> to "Delete Trusted Zone".

    When prompted "Restore Trusted Zone ?", press "Y" and then <ENTER>.

     

    * Please Note: If you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection *

     

    Will you then post the following:

    • A new HJT log,
    • The Ewido log,
    • The text file rapport.txt that will be found in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

      For most, this file can be found by double-clicking My Computer and then Local Disk (C:)

    • A description of how your PC is behaving.
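Added example, not code from the post or the forum: a small Python parser for HijackThis entries of the kind listed in step 5 above. It pulls out the section, the CLSID, the file each entry points at and HJT's own "(file missing)" marker, and then derives the on-disk paths that step 6 checks after "Fix checked" has removed the registry side. The sample input is re-typed from the entries quoted in the post; the regexes and field names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): ?(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-qualified Windows path, cut off before any command-line arguments.
TARGET_RE = re.compile(r"[A-Za-z]:\\.*?\.[A-Za-z0-9]{2,4}(?=\s|$)")
MISSING = "(file missing)"

# Constructed sample input: the entries quoted in the post above, re-typed.
SAMPLE_LOG = r"""
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\2.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: winmqx32 - C:\WINDOWS\SYSTEM32\winmqx32.dll
"""

@dataclass
class HjtEntry:
    section: str            # O2, O3, O4, O16, O18, O20 ...
    kind: str               # BHO, Toolbar, HKLM\..\Run, DPF, Filter, Winlogon Notify
    clsid: Optional[str]
    target: Optional[str]   # file the entry points at, without arguments
    flags: List[str] = field(default_factory=list)

def parse_entry(line: str) -> Optional[HjtEntry]:
    """Structure one HJT 'Oxx - ...' line; return None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    flags = []
    if rest.endswith(MISSING):   # HJT's marker: registry points at a file that is gone
        flags.append("file missing")
        rest = rest[: -len(MISSING)].rstrip()
    if "(no name)" in rest:      # object registered without a display name
        flags.append("no name")
    clsid = CLSID_RE.search(rest)
    target = TARGET_RE.search(rest)
    if target is None:           # e.g. a bare ALCMTR.EXE, or a DPF entry with no file
        flags.append("no drive-qualified path")
    return HjtEntry(section, kind, clsid.group(0) if clsid else None,
                    target.group(0) if target else None, flags)

def parse_log(text: str) -> List[HjtEntry]:
    """Parse every 'Oxx - ...' line of a pasted log, skipping everything else."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]

def paths_to_check(entries: List[HjtEntry]) -> List[str]:
    """Files the entries still point at on disk: once 'Fix checked' has removed
    the registry side, these are what the 'find and delete' step looks for."""
    return sorted({e.target for e in entries
                   if e.target and "file missing" not in e.flags}, key=str.lower)
```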

  12. Hi again DamageInc! Sorry for the long delay. I'll try to make sure it won't happen again. :)

     

    Let's start! :)

     

    I don't see any indication of an Anti-Virus or Firewall protection. Before we go any further, please download one of each - They are Free!

     

    Firewall

    Zone Alarm << I recommend this

    Sunbelt Kerio PF

    Outpost Firewall

     

    AV

    AVG Free Edition << I recommend this

    AntiVir

    avast! 4 Home Edition

     

    Update the Anti-Virus of your choice, and run a full system scan. Make a note of any files that could not be deleted, and post them here.

     

    Post a new HijackThis log, along with a new Uninstall list. :)


  13. Hi again DamageInc! Can you do the following please:

     

    Download SmitfraudFix (by S!Ri) to your Desktop.

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

     

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Select option #1 - Search by typing 1 and press Enter

    This program will scan a large number of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

     

    IMPORTANT: Do NOT run any other options until you are asked to do so!

     

    Also, I would like to see another log from HijackThis.

    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button. It will open a Notepad file.
    • Copy & Paste the entire contents of that file in your next post.
    =====

     

    Please post the following in your next reply:

     

    1) Contents of C:\rapport.txt

    2) Uninstall list
