SmitFraud-C.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Glo, Sep 28, 2006.

  1. Glo

    Glo Private E-2

    Hello,
    I hope you can help me. Spybot S&D reports finding Smitfraud-C, which it is unable to remove.

    here are the steps I have taken:

    1. SmitRem.exe on all sign-ons in safemode with network plug pulled.

    2. Make sure hidden system files and file extensions are visible.

    3. Assure CA VS quarantine file is empty

    4. CCleaner on all logons

    5. Spybot again --saved log

    6. Windows Defender

    7. Windows Malicious Software Removal tool

    8. CounterSpy twice as it downloaded updates after first run. Both logs lumped as one; newer logs at top of report. This tool found more nogood stuff!!!

    9. While I have latest Sun Java and IE6, neither Bitdefender (Message= "could not load the Online Scanner") nor Panda Activescan (asks me to click the bar which does not appear) would run.

    10. Followed instructions in Spyware, SmitFraud, SpySherriff, SpyAxe & PSGuard Removal thread. HJT did not display any of the items indicated in the thread. None of the find and delete files or folders were found on my system.

    11. getrunkey and newfiles

    12. Run Spybot S&D again. Smitfraud-c. still appears and cannot be fixed.

    As a side note: Spybot S&D finds and fixes these three items, but they reappear next scan:

    MediaPlex (cookie)
    Microsoft.WindowsSecurityCenter_disabled (registrykey)
    Windows.ActiveDesktop (registrykey)

    Symptoms: Seems like my browser does not always visit the URL I key in.

    Three files attached. I will post a reply with the second three files.

    Thank you.
     

    Attached Files:

  2. Glo

    Glo Private E-2

    Three additional logs attached re SmitFraud-C.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow the directions in the READ & RUN ME properly! You are using a Spybot version that is two years out of date. Uninstall the old version of Spybot, then reboot, then after reboot delete the C:\Program Files\Spybot - Search & Destroy folder.

    Now please follow the directions in the READ ME and install the version of Spybot in the READ ME. Make sure you update it, configure as requested and then do a full scan. Attach a new log from it.

    Is CounterSpy only the free trial from the READ ME? If so, uninstall it to avoid conflicts with Windows Defender.

    I see a folder for Spyware Doctor. Has Spyware Doctor been uninstalled? If so, delete the folder for it (C:\Program Files\Spyware Doctor).

    I see left over McAfee software? Did you uninstall it?

    Delete the below folder:
    C:\Program Files\Common Files\{AC9CFFDE-0D40-1033-0715-050405120001}
     
  4. Glo

    Glo Private E-2

    Now please follow the directions in the READ ME and install the version of Spybot in the READ ME. Make sure you update it, configure as requested and then do a full scan. Attach a new log from it.

    Done -- says my puter is clean. Thank you!
    I truly thought I had the most recent version of Spybot S&D installed. With maintaining five computers, it is easy to get mixed up.

    Is CounterSpy only the free trial from the READ ME? If so, uninstall it to avoid conflicts with Windows Defender.

    It is the free trial. It has now been uninstalled.

    I see a folder for Spyware Doctor. Has Spyware Doctor been uninstalled? If so, delete the folder for it (C:\Program Files\Spyware Doctor).

    I have uninstalled and deleted.

    I see left over McAfee software? Did you uninstall it?

    It is uninstalled. I think I have deleted all leftover folders. What about a folder called MFInstall? Is that part of McAfee?

    Delete the below folder:
    C:\Program Files\Common Files\{AC9CFFDE-0D40-1033-0715-050405120001}


    Done
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, MFInstall is not part of McAfee! We do need to clean up a bunch of leftovers from McAfee, and also another malware component.


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to McAfee Real-time Scanner ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    McAfee SystemGuards
    Microsoft WMI Performance Adapter AddOn

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    McShield

    Now repeat the Delete NT Service steps for:
    McSysmon
    WMIPerAddOn

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O4 - HKLM\..\Run: [0266611154340945mcinstcleanup] C:\DOCUME~1\Gloria\LOCALS~1\Temp\026661~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
    O4 - HKLM\..\Run: [0086701155900796mcinstcleanup] C:\DOCUME~1\Gloria\LOCALS~1\Temp\008670~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
    O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/cab/mvt.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\McAfee <--- the whole folder
    C:\WINDOWS\wmiapsrv.exe

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.
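    The reply above has the user stop services, delete their NT service registrations with HJT, and fix two Run entries that launch an installer-cleanup executable out of a Temp folder. The following PowerShell script is an added example, not from this thread or from any of the tools it mentions: it reports, without changing anything, whether those service names are still registered under CurrentControlSet, whether the binary each ImagePath points at still exists (a registered service whose binary is gone is the orphan the thread is fighting), and which Run entries launch something from a Temp directory. The service names come from the reply; the assumption that Windows PowerShell 3.0 or later is available and run as administrator is mine.

```powershell
# Added example, not from the thread. Reports leftover service registrations and
# Run-key entries; it changes nothing. Assumes Windows PowerShell 3.0+ run as administrator.

# Service names are the ones the reply above has HJT remove.
$ServiceNames = @('McShield', 'McSysmon', 'WMIPerAddOn')

# Turn a raw ImagePath value into a file system path we can test.
function Resolve-ImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }          # NT object-manager prefix
    if ($p.StartsWith('"')) {                                    # "quoted path" args
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 0) { $p.Substring(1, $end - 1) } else { $p.Substring(1) }
    } else {
        $p = ($p -split '\s+')[0]                                # unquoted path args
    }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [System.IO.Path]::IsPathRooted($p)) {               # e.g. system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

# One row per service: is it still registered, and does its binary still exist?
function Get-ServiceResidue {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $registered = Test-Path -LiteralPath $key
        $imagePath = $null; $binary = $null; $present = $null; $start = $null
        if ($registered) {
            $props = Get-ItemProperty -LiteralPath $key
            $imagePath = $props.ImagePath
            $start = $props.Start                  # 2 = Automatic, 3 = Manual, 4 = Disabled
            $binary = Resolve-ImagePath $imagePath
            $present = if ($binary) { Test-Path -LiteralPath $binary } else { $false }
        }
        [pscustomobject]@{
            Service       = $name
            Registered    = $registered
            Start         = $start
            ImagePath     = $imagePath
            BinaryPresent = $present
        }
    }
}

# Run-key entries whose command lives under a Temp folder, like the two
# mcinstcleanup entries in the HJT lines above.
function Get-TempRunEntries {
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    foreach ($rk in $runKeys) {
        if (-not (Test-Path -LiteralPath $rk)) { continue }
        $props = Get-ItemProperty -LiteralPath $rk
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not Run values
            $cmd = [string]$prop.Value
            if ($cmd -match '\\Temp\\') {                # -match is case-insensitive
                [pscustomobject]@{ Key = $rk; Name = $prop.Name; Command = $cmd }
            }
        }
    }
}

Get-ServiceResidue -Names $ServiceNames | Format-Table -AutoSize
Get-TempRunEntries | Format-Table -AutoSize
```

    A row with Registered = True and BinaryPresent = False is the situation the thread describes: the files are gone but the service entry is not, so services.msc still lists it and the Start column shows whether the "Disabled" setting actually took. The Temp-folder check is a triage aid only; a real uninstaller can legitimately leave such an entry, as the McAfee cleanup lines here show, so each hit is something to read, not something to delete blind.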
     
  6. Glo

    Glo Private E-2

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to McAfee Real-time Scanner ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.


    Tried all three start-up types with same result. Had to click cancel to get out.


    Now repeat the above stop and disable for the following services:
    McAfee SystemGuards
    Microsoft WMI Performance Adapter AddOn


    Done

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    McShield


    Was it ok to have this browser open? You asked me to copy and paste. Received this error.


    Went back to services.msc and tried again with same error as above.

    I will post this now, close this browser, and try HJT again with no browser open.

    I will post again if successful. Otherwise, I have stopped at this point waiting for your go ahead.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please complete all instructions! Remember I did say to ignore error messages.

    If you were trying to attach images of messages, you did not attach anything.
     
  8. Glo

    Glo Private E-2

    Here is hjt log and two error messages from previous post.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try fixing the below service one more time:

    McAfee Real-time Scanner

    And then try having HJT delete the McShield service. If this still does not work, look for the below folder and tell me if it exists.

    C:\Program Files\McAfee

    If it does exist, what files/folders are found in it? Does the below folder exist in it?

    C:\Program Files\McAfee\VirusScan

    What files are under the VirusScan folder? Try manually deleting all of these McAfee files and folders. Tell me what error message you receive (if you get any).
     
  10. Glo

    Glo Private E-2

    Ok. I gave it another go after rebooting and again in safe mode with same errors you see posted previously. There are no mcafee folders in Program files or root.

    Here is the McAfee history on this machine:
    This is a Dell which came with a McAfee free trial. When I upgraded to the newest McAfee Security Center, I was not able to perform some tasks -- upload through Dreamweaver, for example. I contacted McAfee; they emailed me five programs designed to completely eliminate traces of the Dell/McAfee installation. I ran those five programs. Reinstalled the new Security Center. Still could not perform all regular tasks. So I uninstalled the Security Center and installed CA EZAntivirus.

    BTW -- Now Windows does not shut down. Mouse freezes on desktop and I have to press the button to turn off the machine.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well obviously their tools do not work! ;)

    Let's try a different approach.

    Please run Notepad and copy the following text into a new file:
    Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

    Next, please reboot your computer in Safe Mode.
    Once in safe mode, locate the remove.bat file on your Desktop and double click on it.
    Let me know if you receive any error messages.
    After running the remove.bat file, reboot and attach a new HJT log.
     
  12. Glo

    Glo Private E-2

    Ran the bat. Did not receive any error message. New HJT log is attached.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, but the fix still did not work.

    Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection in your antivirus program, please allow this to run)

    In the dialog that opens enter the following:

    McShield

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and attach it to this thread.
     
  14. Glo

    Glo Private E-2

    Ok. Here is the RegSearch log. It sure did find the word McShield quite a few times. What next?
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and install Registrar Lite. Make sure you select a MajorGeeks download link and not the author's!

    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explain how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCSHIELD
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\McShield
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCSHIELD
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\McShield
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCSHIELD
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield

    To take ownership of the key do the following:
    • Copy & paste the registry key from above into the Address bar of Registrar Lite and hit the Enter key. This will bring you to the registry key.
    • Click on Security in the top menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave Registrar Lite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in Registrar Lite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, right click on it and select Delete. Let me know if you have to do this and if you get any error messages at this point.
    Here is the Registry Patch

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as type" is set to "All files". Once you have saved it, double click it and allow it to merge with the registry.
    Then reboot your PC!

    Now repeat the search using RegSrch and attach a new log.

    Also attach a new HJT log
     
  16. Glo

    Glo Private E-2

    # Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    # If any of the keys still exist, right click on it and select Delete. Let me know if you have to do this and if you get any error messages at this point.


    Results:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCSHIELD
    access denied

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\McShield --gone

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCSHIELD
    access denied

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\McShield -- gone

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCSHIELD
    -- access denied

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield --gone
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But did you get the error while taking ownership or while trying to delete?


    Repeat the steps but this time we will take ownership at a higher level in the registry key path. Sometimes this is necessary.

    So take ownership at these keys:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

    If you get an error message while trying to take ownership, give me the message.

    And then try to delete the below keys:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCSHIELD

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCSHIELD

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCSHIELD


    If you get an error message while trying to delete, give me the message.


    If the above fails, repeat the steps after booting in safe mode.
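    The two replies above work through the same service key and its LEGACY_ enum key in ControlSet001, ControlSet002 and CurrentControlSet, and the "access denied" results show why key ownership matters before a delete. The PowerShell script below is an added example, not code from this thread or from Registrar Lite or RegSrch: it reads HKLM\SYSTEM\Select to show which numbered ControlSet is live, then reports for every ControlSet whether the McShield service key and LEGACY_MCSHIELD enum key still exist and which account currently owns each, so the user can see before and after whether the take-ownership and delete steps actually took effect. It changes nothing. The key paths and service name are from the thread; the assumption that Windows PowerShell 3.0 or later is run as administrator is mine.

```powershell
# Added example, not from the thread. Lists, for every ControlSet on the machine, whether the
# McShield service key and its LEGACY_ enum key still exist and which account owns each key.
# It changes nothing. Assumes Windows PowerShell 3.0+ run as administrator.

$ServiceName = 'McShield'

# HKLM\SYSTEM\Select records which numbered ControlSet CurrentControlSet points at,
# so the same key can appear under two names (ControlSet00N and CurrentControlSet).
function Get-ControlSets {
    $sel = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\Select'
    foreach ($k in Get-ChildItem -LiteralPath 'HKLM:\SYSTEM') {
        if ($k.PSChildName -notmatch '^ControlSet\d{3}$') { continue }
        $n = [int]$k.PSChildName.Substring(10)      # "ControlSet" is 10 characters
        [pscustomobject]@{
            ControlSet      = $k.PSChildName
            IsCurrent       = ($n -eq $sel.Current)
            IsLastKnownGood = ($n -eq $sel.LastKnownGood)
        }
    }
}

# Owner of a registry key, or the access error if even reading the ACL is denied.
function Get-KeyOwner {
    param([string]$Path)
    try { (Get-Acl -Path $Path).Owner }
    catch { "<unreadable: $($_.Exception.Message)>" }
}

# One row per (ControlSet, key): the Services entry and the Enum\Root LEGACY_ entry.
function Get-ServiceKeyResidue {
    param([string]$Name)
    foreach ($cs in Get-ControlSets) {
        $paths = @(
            "HKLM:\SYSTEM\$($cs.ControlSet)\Services\$Name",
            "HKLM:\SYSTEM\$($cs.ControlSet)\Enum\Root\LEGACY_$($Name.ToUpperInvariant())"
        )
        foreach ($path in $paths) {
            $exists = Test-Path -LiteralPath $path
            $owner = if ($exists) { Get-KeyOwner $path } else { $null }
            [pscustomobject]@{
                ControlSet = $cs.ControlSet
                Current    = $cs.IsCurrent
                Key        = $path
                Exists     = $exists
                Owner      = $owner
            }
        }
    }
}

Get-ServiceKeyResidue -Name $ServiceName | Format-Table -AutoSize
```

    Run it once before the Registrar Lite steps and once after; a key that still shows Exists = True with an owner other than the administrator account is one the take-ownership step did not reach, and an "unreadable" owner means ownership has to be taken higher up the path, which is exactly what the last reply moves to. Because CurrentControlSet is an alias for one of the numbered sets, the rows for the live set and for CurrentControlSet describe the same key, so deleting it under one name removes it under both.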


     
  18. Glo

    Glo Private E-2

    No instances found!

    We did it!

    thank you
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and enable System Restore to create a new clean Restore Point.
    4. After doing the above, you should work thru the below link:
     
