esafetypage.com - am I clean?

Peter Howard · Nov 21, 2006

Hello,

First of all thanks for a fantastically valuable and worthy resource.

My WinXP home machine got infected while browsing with IE. IE crashed. Immediate symptoms were IE ignoring home page set in tools->options and going to esafetypage.com instead, and frequent various pop ups claiming to warn about security problems.

I do not have SP2.

I followed the intructions on thread 35407 to the letter up to an including 6B.

As per instructions for non-SP2, used CounterSpy instead of Windows Defender.

All tools ran and appeared to work as expected.

All symptoms in normal computer use have disappeared, but is it now clean?

Logs attached - had to zip them into one to overcome the limit of 3 files attached - hope that is ok.

Thanks in anticipation.

Peter Howard

chaslang · Nov 22, 2006

Welcome to Majorgeeks!

Peter Howard said:

All symptoms in normal computer use have disappeared, but is it now clean?
Click to expand...

No! Not yet!

Peter Howard said:

Logs attached - had to zip them into one to overcome the limit of 3 files attached - hope that is ok.
Click to expand...

It's okay but all you had to do per the READ ME is create 2 messages to attach the 5 logs. You are going to be attaching another 5 after doing the below. Just use two messages to attach them.

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

Now attach new logs from:

GetRunKey

ShowNew

HJT

How are things working now?

Peter Howard · Nov 26, 2006

Have followed steps 1 and 2 as suggested - here are logs.

Peter Howard · Nov 26, 2006

Additional message for extra 2 logs

chaslang · Nov 29, 2006

Some things do not look correct in one of your logs! Are you sure you followed the directions in step 2 of the READ & RUN ME exactly as requested? Please check again and make sure each item is set properly.

Also you did not install and rename HijackThis as requested in step 7 and your log was obtained in safe boot mode. Please install and rename HijackThis and only provide HJT logs from Normal Boot mode as requested in the READ ME. Attach a new log now.

Peter Howard · Nov 28, 2006

I did follow step 2 of READ & RUN ME exactly as requested first time round.
I just pulled up the screen again to double check, and the settings remain as set:
Explorer->tools->folder options->view:
...show hidden files and folders = checked
...hide extensions for known file types = unchecked
...hide protected operating system files = unchecked

I did fail to follow the instructions for HihackThis properly - apologies, it must be infuriating when you are trying to help someone.

In hindsight I can see the READ & RUN ME emphasises very strongly the need to follow these particular instructions. In the spirit of constructive feedback, I'm trying to work out why I skipped it. I guess it's because by this stage of the process you are on a roll, having downloaded and installed a whole bunch of software, and you tend to think you know what your are doing. You don't even perceive that you have skipped it - just not bothered to read something that wouldn't have told you anything you didn't know already. Perhaps you would get a better adherence rate with "don't skip these instructions - THIS IS DIFFERENT FROM THE STANDARD INSTALL PROCESS!".

I have now deleted the old installation of HijackThis and downloaded the zip file afresh to C:\installers\hijackthis.zip. I extracted to c:\installers\hijackthis\hijackthis.exe and renamed it to analyse.exe.
I ran analyse.exe in normal boot mode and have attached the log.

Thanks in anticipation.

chaslang · Nov 29, 2006

Peter Howard said:

I did follow step 2 of READ & RUN ME exactly as requested first time round.
I just pulled up the screen again to double check, and the settings remain as set:
Explorer->tools->folder options->view:
...show hidden files and folders = checked
...hide extensions for known file types = unchecked
...hide protected operating system files = unchecked
Click to expand...

Now that is strange because of the below lines in your runkeys.txt log.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"SuperHidden"=dword:00000000
Click to expand...

Do they still look the same if you get a new log from GetRunKey.

Peter Howard said:

Perhaps you would get a better adherence rate with "don't skip these instructions - THIS IS DIFFERENT FROM THE STANDARD INSTALL PROCESS!".
Click to expand...

It won't matter. In the last two years no matter how we write thinsg and no matter how much detail we put in, more than half the users do not read and follow the directions. Most people don't even click the below link which is required by the READ ME.

Downloading, Installing, and Running HijackThis

How do I know this??? Well two things:

The results of the logs being posted.

And the fact that the READ ME has been accessed 1,171,647 and the above link for HijackThis has only been accessed 50,248 . This makes it more than obvious that the majority of users are not clicking the link and it tells you in BIG BOLD RED LETTERS TO MAKE SURE YOU CLICK THE LINK.

Thus! No matter how we write things and no matter how much detail we put it. People will still ignore the instructions that are meant to help them resolve their problems and to make our job in helping them easier and less time consuming so we can help more people.

Now to get off my soap box!

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - C:\WINDOWS\System32\ixt0.dll (file missing)

After clicking Fix, exit HJT.

You log is clean other than that! I assume things are working okay! Is that true?

However you still have big problems! You OS is way out of date and this is a major security risk. The below instructions should fix this (if followed).

If you are not having any other malware problems, it is time to do our final steps:

If we used Pocket Killbox during your cleanup, do the below

Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.

If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.

If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.

If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created

If you are running Windows XP or Windows ME, do the below:

go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Peter Howard · Nov 29, 2006

chaslang said:

Now that is strange because of the below lines in your runkeys.txt log. Do they still look the same if you get a new log from GetRunKey.

extract from newly produced log:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

Run HijackThis ... After clicking Fix, exit HJT.[/b]

You log is clean other than that! I assume things are working okay! Is that true?

Yes thanks.
Click to expand...

chaslang · Nov 30, 2006

Peter Howard said:

extract from newly produced log:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
Click to expand...

Okay that is how they should have been! I wonder why your first log showed them set differently. Did you run all steps in the READ ME in the correct order as written.

Log in or Sign up

esafetypage.com - am I clean?

Peter Howard Private E-2

Attached Files:

all-logs.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Peter Howard Private E-2

Attached Files:

rapport1.txt

rapport2.txt

runkeys.txt

Peter Howard Private E-2

Attached Files:

newfiles.txt

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Peter Howard Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Peter Howard Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member