Performed the Special Removal Procedure

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by PCneedsHelp, Dec 26, 2005.

  1. PCneedsHelp

    PCneedsHelp Private E-2

    This morning I got spyware that took me to needupdate.com. I used a bunch of spyware removal programs, but only Spybot S&D found 6 entries for Smitfraud-c. I have since followed your special removal directions for Smitfraud-c. I no longer go to needupdate.com when launching IE. However, when I ran the PandaScan, it found 3 entries which appear to be quarantined. Afterwards, I ran Spybot S&D again, and it found 5 entries for Smitfraud-c this time.

    Should I just run the special removal procedure 5 more times, or until the entries disappear? I assume the next step would be to use the READ & RUN ME FIRST PROCESS. The PC seems to run well as of this posting. The smitfiles.txt says it is clean, but those 5 Smitfraud-c entries worry me. Thank you very much for your time!!

    Inline logs attached!
     

    Last edited by a moderator: Dec 26, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Post the log from Spybot
     
  3. PCneedsHelp

    PCneedsHelp Private E-2

    Here is the Spybot S&D log file. Sorry about not posting those files as attachments. Thank you very much!
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download DelDomains and unzip it to your desktop. Do not run it yet.

    • Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.
    After you complete the above, reboot and proceed with the below...

    Please see the below thread on how to install and run Ewido Security Suite.

    Running Ewido Security Suite ...
     
  5. PCneedsHelp

    PCneedsHelp Private E-2

    I performed that operation. After EWIDO finished scanning, a window came up and said that EWIDO cannot remove one of those files (shown in the Panda log) because it is embedded in another one of those files (shown in the Panda log), and asked if I just want to delete the archive. I clicked no, because I am not sure what to do. Sorry about not writing down which file it was, but I think it was the .dll file embedded in the shorter one (not the .inf).

    Thank you very much for your help! The EWIDO log is attached below.
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download ADS Spy, save to your desktop.

    Once you have downloaded this utility, extract the contents and double click "ADSSpy.exe" to run the utility. Once the utility has loaded, make sure the first 2 boxes are checked. Now click "Scan the system for alternate data streams" and remove any that are found.
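The same alternate-data-stream check that ADS Spy performs can be done with PowerShell's built-in cmdlets alone. The script below is an added example, not part of the original thread and not ADS Spy's own code: it walks a directory tree, lists every NTFS stream other than the default `:$DATA` stream, skips the `Zone.Identifier` stream that Windows itself attaches to downloaded files (the same idea as ADS Spy's "ignore safe system info data streams" box), computes an MD5 of each remaining stream (the "Calculate MD5 checksums" box), and deletes a stream only when `-Remove` is passed. The default root path and the list of benign stream names are assumptions.

```powershell
# Added example, not code from the MajorGeeks thread or from ADS Spy.
# Lists NTFS alternate data streams under a path using only built-in
# cmdlets (Windows PowerShell 3+ or PowerShell 6+ on Windows). Run from
# an elevated prompt; by default it only reports.
param(
    [string]$Path = 'C:\',   # assumption: scan the whole system drive
    [switch]$Remove          # delete the streams found; default is report only
)

# Stream names that Windows creates itself and that are not a sign of
# malware. Zone.Identifier marks files downloaded from the internet.
# Assumption: extend this list for your own environment.
$BenignStreams = @('Zone.Identifier')

function Get-StreamMd5([string]$FilePath, [string]$Stream) {
    # Get-Content can read a named stream directly. The byte-mode switch is
    # -Encoding Byte on Windows PowerShell 5.1 and -AsByteStream on 6+.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $FilePath -Stream $Stream -AsByteStream -ReadCount 0
    } else {
        $bytes = Get-Content -LiteralPath $FilePath -Stream $Stream -Encoding Byte -ReadCount 0
    }
    if ($null -eq $bytes) { $bytes = [byte[]]@() }   # zero-length stream
    $hash = [System.Security.Cryptography.MD5]::Create().ComputeHash([byte[]]$bytes)
    return ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

# -Force makes hidden and system files visible to the walk, which is what
# the thread's "show hidden files and folders" step does for Explorer.
Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    # -Stream * returns one object per stream, including the unnamed :$DATA
    # stream that every file has; only the named ones are interesting.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' -and $BenignStreams -notcontains $_.Stream } |
    ForEach-Object {
        $stream = $_.Stream
        [pscustomobject]@{
            File   = $file.FullName
            Stream = $stream
            Bytes  = $_.Length
            MD5    = Get-StreamMd5 -FilePath $file.FullName -Stream $stream
        }
        if ($Remove) {
            # Removes only the named stream; the file's main content is untouched.
            Remove-Item -LiteralPath $file.FullName -Stream $stream -Force
        }
    }
}
```

Save it as a .ps1 and run it once without `-Remove` to review the list; a named stream on an otherwise ordinary file is worth a look, but hashes of a stream are only meaningful if you compare them against something, so note the file, stream name and size before deleting anything.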
     
  7. PCneedsHelp

    PCneedsHelp Private E-2

    I opened the utility and made sure the two boxes, "ignore safe system info data streams..." and "Calculate MD5 checksums...", were checked. I performed both the quick scan and full scan 4 times. There were no alternate data streams. Thank you very much for your time!
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you have Ewido remove the entire package it found? If not, have that fixed and let me know how things are running.
     
  9. PCneedsHelp

    PCneedsHelp Private E-2

    When I first ran EWIDO, it found something around 30% and listed it as detected. A window popped up which I clicked OK, as it had selected Remove in it by default, which agreed with the EWIDO guide. When EWIDO was finished, another window popped up and said some file could not be removed because it was embedded in some other file, and asked if I wanted to delete the archive. I clicked no. After that, the ticker displayed a 1 in the Cleaned section.

    I will go run EWIDO again. Thank you very much for your time!
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome. After you run Ewido, have it clean anything that is found.
     
  11. PCneedsHelp

    PCneedsHelp Private E-2

    I ran EWIDO again. It came up with the same file around 30% "C:\.quarantine\enter[1].cab.Vir/inst2.dll" which I clicked OK to remove. Then at the end, this message popped up as it did in the first scan.

    Warning
    The file "C:\.quarantine\enter[1].cab.Vir/inst2.dll" cannot be removed because it is embedded in the archive "C:\.quarantine\enter[1].cab.Vir". Do you want to remove the whole archive?

    I clicked yes this time and EWIDO then listed that 1 file had been cleaned.


    I attached the new EWIDO log below. Thank you very much for your time!!!
     

  12. PCneedsHelp

    PCneedsHelp Private E-2

    I ran ADS Spy again and no streams were found. I ran Spybot S&D this morning and it came up clean. However, the PandaScan has not changed. Other than that, there have been no problems. Thank you very much for your time!
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Be sure the viewing of hidden files and folders is enabled per the tutorial. Reboot into Safe Mode and navigate to the following folder and delete it.

    C:\.quarantine

    Reboot and run the Panda scan again and see if it returns.
     
  14. PCneedsHelp

    PCneedsHelp Private E-2

    I removed both "C:\.quarantine" and "C:\QUARANTINE". The PandaScan came up clean.

    Thank you very much for your time, and have a Happy New Year.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

