SMART Check Virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by flyer85, May 3, 2012.

  1. flyer85

    flyer85 Private E-2

    Windows XP Home Edition Version2002 SP3. I am sending this from my laptop, although I do have internet access.
    Not sure where to start, or if I am in the right Forum.
    2 days ago I picked up something called SMART Check. It started with cascading error messages, and when clicked off, started a phoney scan of some sort. I logged off and shut down and upon rebooting my desktop was a blank grey screen. :cry
    I Found a website with removal insructions (Malware Experts?) which seemed reasonable and proceeded. SMART seems to now be gone, but everything else was still hidden. I still had a blank grey desktop except for what was downloaded to remove it (Rkill & Malwarebytes) What was left showing was like an alternate computer with everything lost. Functional, but barren.

    However by right clicking START and opening Explore all my files were still here (somewhere). I was able to go into Folder Options, and under the View Tab I checked "show hidden files and folders" and unchecked "hide protected operating system files". I now have a new re-arranged desktop, minus my background picture. All seems to be here, except my favorites in Yahoo are gone, and my desktop icons seem to be ghosty & transparent.
    Is this the result of SMART Check, or something I did in removing it, and can it be repaired? Is it time to salvage what I can, while I can, and say goodbye?
     
  2. thisisu

    thisisu Malware Consultant

    Hello flyer85 and welcome to Major Geeks,

    [​IMG] Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the ShortcutsFix button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)
     
  3. flyer85

    flyer85 Private E-2

    thisisu,
    It seems as though while preparing to post my log files my problem is solved. The situation corrected after downloading and running ComboFix. SuperantiSpyware was negative as was Malwarebytes. I appologize for not including the logs in my first post, but I did not trust what I had to be accurate. I had 2 Malwarebytes, one on my "old" computer, and the newer one which I downloaded onto my "new" barren computer. I'm not 100% sure, as it's only been a few hours, but I think I'm OK.

    Would you like me to post my ComboFix log (and where can I find it?)
    And should I still download and run RogueKiller?
    I won't do anything until you say so.
     
  4. thisisu

    thisisu Malware Consultant

    You can experiment with the system for a few days if you'd like to make sure things remain in normal working order.

    If you'd like I could double-check your logs to make sure they are clean.

    You can skip RogueKiller if you aren't experiencing any problems.
     
  5. flyer85

    flyer85 Private E-2

    My Malwarebyte log is the only log I still have available. Not sure what happened to SuperAntiSpyware log, it is no longer in the folder where it was and I can't find ComboFix log? Where would I look?
    Should I run these again and post? I'm sure Malwarebye & SuperAntiSpyware are safe to do so, not sure about ComboFix
    Thanks!
     
  6. thisisu

    thisisu Malware Consultant

    Yes you can run MBAM and SAS again.
    ComboFix don't run again, try to find it at C:\ComboFix.txt
     
  7. flyer85

    flyer85 Private E-2

    Here is my ComboFix.
    I will run MBAM and SAS again and attach the new log files.
    That will take a little time
     

    Attached Files:

  8. flyer85

    flyer85 Private E-2

    Here are the new logs.
    The SAS threat was removed. There were several threats on the first scan which I no longer have. They were also removed.
    MBAM was clean on both scans
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

  10. flyer85

    flyer85 Private E-2

    Here you go
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Hi,

    We're going to remove the remaining traces of malware and I would recommend reading Step #2 here.

    [​IMG] From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 20

    [​IMG] Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    [​IMG] Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    [COLOR="DarkRed"]KillAll::[/COLOR]
    [COLOR="DarkRed"]ClearJavaCache::[/COLOR]
    [COLOR="DarkRed"]Collect::[/COLOR]
    C:\Documents and Settings\Owner\Local Settings\Application Data\egizoza.inf
    C:\Documents and Settings\Owner\Local Settings\Application Data\xecomyxi.vbs
    [COLOR="DarkRed"]DDS::[/COLOR]
    uInternet Settings,ProxyServer = http=127.0.0.1:1032
    [COLOR="DarkRed"]DirLook::[/COLOR]
    C:\Documents and Settings\Owner\Local Settings\Application Data\tjnet
    [COLOR="DarkRed"]FireFox::[/COLOR]
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dk29as0n.default\
    FF - user.js: browser.cache.memory.capacity - 16000
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.max.tokenizing.time - 3000000
    FF - user.js: content.maxtextrun - 4095
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 1000000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 1000000
    FF - user.js: dom.disable_window_status_change - true
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 1000
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    [COLOR="DarkRed"]FCopy::[/COLOR]
    c:\windows\system32\dllcache\beep.sys | c:\windows\System32\drivers\beep.sys
    [COLOR="DarkRed"]FileLook::[/COLOR]
    c:\windows\system32\wininet.dll
    c:\windows\system32\licmgr10.dll
    c:\windows\system32\inetcpl.cpl
    c:\windows\system32\wintrust.dll
    c:\windows\system32\imagehlp.dll
    c:\windows\system32\html.iec
    C:\gdiplus.dll
    [COLOR="DarkRed"]Folder::[/COLOR]
    C:\Documents and Settings\Owner\Local Settings\Application Data\Conduit
    [COLOR="DarkRed"]Registry::[/COLOR]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
    "startup"=dword:00000000
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5333D745-DDFC-4A67-B8F1-A15D8022F930}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    [​IMG]
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    [​IMG] Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  12. flyer85

    flyer85 Private E-2

    I just want to add that watching what you do and how things progress that you guys are truely awesome!
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Thank you :)

    Your latest logs are clean. Feel free to test out the system until you are ready to proceed with the final cleanup steps below:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it present
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  14. flyer85

    flyer85 Private E-2

    So far so good, and I will start on the final cleanup soon.
    Is there any reason to keep the log files I saved, or will they confuse me should I need help again?
    Thanks again! :wave
     
  15. thisisu

    thisisu Malware Consultant

    No there is not any reason to save them.
    When you get to the MGclean.bat step, most if not all of our tools and logs should be automatically removed.
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds