Pop-up "Visa Advanced Verification"

I also need the logs from running:
ComboFix
SAS
MalwareBytes

 

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Open notepad and copy and paste the following text in the quote box into the window:

Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

Drivers::
hpdj00

File::
C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj00.exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000]

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Tell me what this is.....if you don't know, delete it:
C:\WINDOWS\SG9tZQ

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\%username%\Local Settings\Temp

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.

 

You still did not tell me what these are:
C:\Program Files\sz8051
C:\Program Files\THQ

If you don't know, I want you to copy and paste them with the other folders to delete in Avenger.

Download and install Registrar Lite

Now run Registrar Lite.

Copy and paste the below into the Address box of registrar lit and hit the Enter key.

HKEY_LOCAL_MACHINE\SYSTEM

Then click the Security pull down on the top menu and choose Take Ownership. Click OK in the next window to approve it. Now exit Registrar Lite and continue.

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

 

No need to delete the kids folder -- > I just wanted to know what it was.

Now on to the hard part ( since those reg keys will not go away):
Run Registrar Lite navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

To take ownership of the key do the following:

* Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
* Click-on Security in the top Menu
* Select Take Ownership
* Repeat these steps for all of the registry keys given above before continue to the next steps below.
* Now leave RegistrarLite running and continue
* Now run the fixME.reg REGISTRY PATCH below in this message.
* Tell me the results. Any error messages?
* Now in RegistrarLite click View and then Refresh
* Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
* If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!.


Here is the Registry Patch

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

PART 2 - Setting Permissions for Everyone

Run the below if some of the registry keys still exist after running the above steps.

Now I want you to use Registar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to everyone ( I describe this down below the list of registry keys).

After click Edit Permissions , here is what I expect you to see in the Group or user names area of the form:

Everyone
SYSTEM

Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. The click Apply and then OK to get back to the main Registrar Lite screen. Nowright click on the registry key and select Delete. The click View and Refresh. Check to see if the registry key just deleted truly deleted. If so, move on to the next to work thru the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

Then reboot your PC!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

 

That should not be happening.....however, go ahead and do as much of it as you can.

 

<Tears hair out> .....Please download DelCmdService, and save it to your Desktop.

* Unzip the content to your Desktop (a folder named delcmdservice)
* Double-click on the delcmdservice folder
* Double-click on delreg.bat to launch the tool
* When the tool has finished, please reboot your computer

Now once more, Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

 

We at least got rid of one of them....please re-run SAS and attach that log when finished.

 

If didn't find the reg key...HUmmmm.....

Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the RunKeys log within the MGLogs.zip

 

• Please go to this link:http://live.sysinternals.com/
• find the psexec.exe file listed in the list and click on it and download and save it to your Desktop. Doing this properly is critical for other steps below.
• Now click Start, Run, and enter cmd and click OK. This will open a command prompt window with a prompt that shows the current folder you are in.
• For you the prompt should show C:\Documents and Settings\Owner>
• Now type cd Desktop and hit the enter key. There is a space after the cd. If you do this properly, your prompt will change to C:\Documents and Settings\Owner\Desktop\>
• Type the below bold text and hit the enter key. This will open the Window Registry Editor. You will have to agree to the SysInternals License Agreement first that pops up.
  • psexec -s -i regedit
• In the Registry Editor click File, Import and then navigate to the fixme.reg file on your Desktop from the previous fix in message # 10 and double click on it to import it into your registry. If it works properly you should get a success message.
• If you get a success message continue on with the below, otherwise stop and explain to me any problems you had.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



Then attach the below log:

• C:\MGlogs.zip

 

According to your own MGlogs.zip file from message # 10 it is there. The below is a piece of the listing of files on your Desktop. Notice the last one

Code:

"C:\Documents and Settings\Owner\Desktop\"
08_clo~1.zip  Feb  8 2008      288245  "08_clock_rat.zip"
2007          Apr 23 2008              "2007"
4thqua~1.doc  Mar 23 2008       59392  "4th quarter week 1 lesson plans.doc"
ARCADE        Apr 27 2006              "arcade"
AUDIO         Jul 23 2006              "audio"
avenger.exe   May 30 2008      731136  "avenger.exe"
avenger.zip   Sep  7 2008      724952  "avenger.zip"
bungni~1.zip  Apr 25 2006       13022  "bungnipper.zip"
calend~1.id_  Jul 29 2007      308736  "calendar.id="
combofix.exe  Sep  9 2008     2847322  "ComboFix.exe"
convert.lnk   Aug 16 2008        1990  "Convert.lnk"
DELCMD~1      Sep 10 2008              "delcmdservice"
delcmd~1.zip  Sep 10 2008      135938  "delcmdservice.zip"
discus~1.url  Feb 17 2006         186  "Discussion Board.url"
disney~1.lnk  Sep  6 2008        1683  "Disney's Toontown Online.lnk"
divxmo~1.lnk  Dec 22 2007        1403  "DivX Movies.lnk"
docume~1.shs  Aug 26 2008       26112  "Document Scrap 'That can't be ri...'.shs"
EBAY          Apr 16 2008              "ebay"
FILESF~1      Mar 24 2006              "Files From old Hard drive"
FINEPI~1      Mar 24 2006              "FinePixViewer"
FIRECA~1      Jan 22 2008              "firecat[1]"
fix.bat       Sep  7 2008          33  "fix.bat"
fixme.reg     Sep 10 2008         172  "fixme.reg"

You need to make sure you are navigating to your Desktop which is C:\Documents and Settings\Owner\Desktop

You can simplify things by just copying and pasting in the below text into the Registry Editor after you click Import.

C:\Documents and Settings\Owner\Desktop\fixME.reg

You don't have to browse or navigate when you know the name and path of the file. If this tells you it cannot find the file then look at your Desktop and see if the fixME.reg still shows on your Desktop. If not, perhaps you deleted it and will need to recreate it.

 

Yes, it did work!

Now to clean up from all the scans:

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

If you get a success message, then it is time to do our final steps: