Help with Malware, Popups and Virus Burst

markdex · Oct 23, 2006

Thanks so much for your website.

I am having trouble with pop-ups, "Critical System Error" balloons, Virus Burst and Hijacked Home Pages. I have followed all the instructions in the Read Me First. Also, I have run the first procedure of the SmitFraudFix and attached the log.

Thanks again.

Mark

markdex · Oct 23, 2006

Second set of files

chaslang · Oct 25, 2006

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

Now attach new logs from:

GetRunKey

ShowNew

HJT

markdex · Oct 26, 2006

Here is the log from the first step. I was not sure whether I was supposed to go on to the second step or wait until you look at this log. Thanks.

Mark

chaslang · Oct 28, 2006

markdex said:

Here is the log from the first step. I was not sure whether I was supposed to go on to the second step or wait until you look at this log. Thanks.
Click to expand...

Yes! You were just supposed to attach the first "rapport.txt" log and then continue on to do all of the next steps given. If you did not attach the first report before doing the second step, it would be overwritten. That is why I asked for it to be attached before continuing.

markdex · Oct 28, 2006

Sorry. Here are the new logs, two parts. Thanks.

markdex · Oct 28, 2006

Second part with HJT log.
Thanks.

chaslang · Oct 29, 2006

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 6

Now Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"TkBellExe"=-
"QuickTime Task"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/windec32.dll]
Click to expand...

Tell me how things are working now!

If you are not having any other malware problems, it is time to do our final steps:

If we used Pocket Killbox during your cleanup, do the below

Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.

If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.

If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created

If you are running Windows XP or Windows ME, do the below:

go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Log in or Sign up

Help with Malware, Popups and Virus Burst

markdex Private E-2

Attached Files:

Activescan.txt

bdscan.txt

runkeys.txt

markdex Private E-2

Attached Files:

newfiles.txt

hijackthis.log

rapport.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

markdex Private E-2

Attached Files:

rapport.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

markdex Private E-2

Attached Files:

rapport.txt

runkeys.txt

newfiles.txt

markdex Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member