Infected with Smitfraud and Vundo

Discussion in 'Malware Help (A Specialist Will Reply)' started by avscannow, Jan 22, 2008.

  1. avscannow

    avscannow Private E-2

    Help please! I've been trying to figure out what's wrong with my comp. I thought I had it figured, but I think it's worse than it is. Here's a copy of my HiJackThis log:

    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.


    Any help would be greatly appreciated.
    I know that I need to update my Windows programs and to SP2 but I'd like to get rid of this problem first.
     
    Last edited by a moderator: Jan 23, 2008
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. avscannow

    avscannow Private E-2

    Sorry about that. I already ran the ComboFix program and got the log file, but I'm having issues with the Spybot program. I'm following the install instructions, but I can only go to the point where it says install; I click it and I keep getting an error message saying: 'Error Sending Request. The server name or address could not be resolved.' It's having issues with a file called 'updallocator.php (1of1)' and says status: Resolving www.safer-networking.org

    I'll continue on with the AVG install and see what happens.
     
  4. avscannow

    avscannow Private E-2

    An update...
    In addition to having issues installing the Spybot program, I've been having update issues with the AVG program. Every time I try to update, it keeps telling me: 'Error failed to connect to server updateasfreeinfo.grisoft.com'. Also, I was able to install the program and I followed the instructions on how to set the program, but when I run it, it doesn't allow me to create any logs.
    Well, I went ahead and tried to install the MGtools program, and this program won't install either. It gives me a pop-up error that says: 'The application failed to initialize properly (0xc0000135). Click on OK to terminate application.' This error occurs right as the command window shows this:
    The C:\MGTools\temp\GRKflag.txt exists. Deleting it!
    Zipping hijackthis.log
    updating: hijackthis.log <188 bytes security> <deflated 63%>

    Also, after running the AVG program, I restarted my computer, AVG popped up with a malware infection and it was in the avgas.exe file!!!!
    I can't even post the proper logs because of these issues. Is my computer so jacked up with infections that these programs won't install and operate correctly????? Please help, I'm on the fritz with this.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you downloading Spybot from one of our links??? Use the below and make sure you Save it to your PC. Do not try to Open.

    MajorGeeks FL


    Sounds like the problem is on your end. Are you using a Proxy Server? If so you need to enter that info into any program that needs to get updates.


    Sometimes after a reboot after first installing, the logs will create fine.

    It installed just fine. Look for the C:\MGlogs.zip file and attach it. We cannot help you until you attach the logs we need and this is about the most important one. But you also need to attach the ComboFix log now too.

    You may have the most recent form of a Vundo infection that will infect all startup processes.
     
  6. avscannow

    avscannow Private E-2

    Here are my logs.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now we need to use a new tool.
    • Download and save RenV.exe to your Desktop (must be on the Desktop)
    • Now Copy the bold text in the below code box to notepad. Save it as Log.txt to your desktop. (It must be on your Desktop).
    Code:
    C:\Documents and Settings\Owner\Desktop\Buisness Folder\DLF\1\DVD 2 DivX  2 VCD Complete Package version 2\DVD 2 DivX  2 VCD Complete Package version 2\VCD - DivX to MPEG-1-VCD GUIDE v2.0\Programs\iFilmEdit 1.4c .exe
    C:\Documents and Settings\Owner\Desktop\Buisness Folder\DLF\1\Playstation\PLAY playstion Games on the computer .exe
    C:\Documents and Settings\Owner\Desktop\Buisness Folder\DLF\VideoConverters\DVD 2 DivX  2 VCD Complete Package version 2\VCD - DivX to MPEG-1-VCD GUIDE v2.0\Programs\iFilmEdit 1.4c .exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas  .exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\mcafee.com\Agent\mcupdate .exe
    C:\Program Files\mcafee.com\Agent\MCUPDA~1 .EXE
    C:\Program Files\mcafee.com\Agent\MCUPDA~2 .EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
    C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
    C:\WINDOWS\SYSTEM\hpsysdrv .exe
    C:\WINDOWS\SYSTEM32\ps2 .exe
    C:\WINDOWS\SYSTEM32\usb .exe
    C:\WINDOWS\SYSTEM32\USBIcon .exe
    
    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a new log named Log.txt on your Desktop. We may or may not ask for this log later.
    We clearly stated in step 1 of the READ & RUN ME that you must not use MSconfig to control startups. You ignored this. You must go back and run MSconfig now and select Normal Startup and then reboot your PC. Then continue on to the below.

    Now uninstall Kazaa Media Desktop 2.0.2 as was requested in step 1 of the READ ME.

    Now please download DelDomains and unzip it to your desktop. Do not run it yet.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    (Now you will need to "Immunize" with Spybot again because deldomains will remove all of the sites Spybot adds.)


    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.


    You are far from clean at this point but the above needed to be done and we had to get logs without MSconfig being used as the READ ME requested. Now we will be able to continue with your full cleanup.
     
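    The RenV list above is the trace of one trick this Vundo variant used: the legitimate executable is moved aside by inserting a space before its extension ('avgas .exe', sometimes twice with two spaces), and the malware's own binary takes the clean name, so the security product that "runs at startup" is now the infection. Below is an added example, not RenV.exe and not anything posted in this thread, of how that pattern can be found and reversed on a directory tree. The directory layout it builds is a constructed fixture modelled on the list, not files from the poster's machine; the extension set and the quarantine location are assumptions.

```python
"""Find and reverse the 'name .exe' displacement pattern from the RenV list.

Added example (not RenV.exe, whose internals are not on the page). The
detector flags any file whose stem ends in whitespace before an executable
extension and records whether an impostor now occupies the clean name.
The restorer quarantines the impostor and renames the displaced original
back, but only when exactly one displaced copy maps to that clean name;
two candidates (as with avgas .exe / avgas  .exe) need a human decision.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

# stem, one or more spaces, dot, extension.  Extension set is an assumption.
_SPACED_EXE = re.compile(r"^(?P<stem>.+?)\s+\.(?P<ext>exe|dll|scr|com)$", re.IGNORECASE)


@dataclass
class Finding:
    spaced_path: str        # the displaced original, e.g. ...\avgas .exe
    clean_path: str         # where it belongs, e.g. ...\avgas.exe
    impostor_present: bool  # True if something now sits at clean_path


def find_spaced_executables(root: str) -> List[Finding]:
    """Walk `root` and report every 'name .ext' file and whether the clean
    name beside it is occupied."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in files:
            m = _SPACED_EXE.match(name)
            if not m:
                continue
            clean = f"{m.group('stem')}.{m.group('ext')}"
            findings.append(Finding(
                spaced_path=os.path.join(dirpath, name),
                clean_path=os.path.join(dirpath, clean),
                impostor_present=clean in names,
            ))
    return sorted(findings, key=lambda f: f.spaced_path)


def restore_displaced(findings: List[Finding], quarantine_dir: str) -> Tuple[List[str], List[str]]:
    """Quarantine impostors and rename unambiguous displaced originals back.
    Returns (restored clean paths, skipped clean paths needing manual review)."""
    by_clean: Dict[str, List[Finding]] = {}
    for f in findings:
        by_clean.setdefault(f.clean_path, []).append(f)
    os.makedirs(quarantine_dir, exist_ok=True)
    restored, skipped = [], []
    for clean, group in by_clean.items():
        if len(group) != 1:
            skipped.append(clean)  # several displaced copies: which is real?
            continue
        f = group[0]
        if f.impostor_present:
            dest = os.path.join(quarantine_dir, os.path.basename(clean) + ".quarantined")
            n = 1
            while os.path.exists(dest):  # same impostor name in several dirs
                dest = f"{dest}.{n}"
                n += 1
            os.replace(clean, dest)
        os.replace(f.spaced_path, clean)
        restored.append(clean)
    return restored, skipped


def build_sample_tree(root: str) -> None:
    """Constructed fixture mirroring the RenV list; not the poster's files."""
    layout = {
        os.path.join("Grisoft", "AVG Anti-Spyware 7.5"): ["avgas .exe", "avgas  .exe", "avgas.exe"],
        os.path.join("Zone Labs", "ZoneAlarm"): ["zlclient .exe", "zlclient.exe"],
        os.path.join("WINDOWS", "SYSTEM32"): ["ps2 .exe", "usb .exe", "kernel32.dll"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"MZ" + n.encode())  # content tags which file this was


def demo() -> dict:
    """Run detector and restorer over the fixture in a scratch dir."""
    root = tempfile.mkdtemp(prefix="renv_demo_")
    build_sample_tree(root)
    found = find_spaced_executables(root)
    restored, skipped = restore_displaced(found, os.path.join(root, "quarantine"))
    zl = os.path.join(root, "Zone Labs", "ZoneAlarm")
    with open(os.path.join(zl, "zlclient.exe"), "rb") as fh:
        payload = fh.read()
    return {
        "findings": len(found),
        "with_impostor": sum(f.impostor_present for f in found),
        "restored": len(restored),
        "skipped": [os.path.basename(p) for p in skipped],
        "zonealarm_dir": sorted(os.listdir(zl)),
        "zlclient_payload": payload,
        "quarantined": sorted(os.listdir(os.path.join(root, "quarantine"))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    On the fixture the scan reports five displaced files, three of them with an impostor at the clean name; zlclient, ps2 and usb are restored, the zlclient impostor lands in quarantine, and the two avgas candidates are left alone for manual inspection.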
  8. avscannow

    avscannow Private E-2

    I tried uninstalling Kazaa but it was missing an uninstall.bat file so I used a program to get it and all traces off the computer. Here's my new log file.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, AVG Antispyware and McAfee were infected by the Vundo infection you have. In order to properly clean your PC you will have to uninstall AVG Antispyware and McAfee now.

    Then reboot and delete the below folders if they still exist:
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5
    C:\Program Files\mcafee.com


    Do you really want Ad-Aware to run every time you boot your PC? I wouldn't.
    Do you really use all the Wild Tangent games junk?
    Let's begin by removing a bad service.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Microsoft cache control
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe which is really HijackThis, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste MSControlService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\WINDOWS\System32\mljjh.exe
    O2 - BHO: Google Module - {A2487E9B-AAE5-4d21-ADDE-1F342354974A} - minstar1.dll (file missing)
    O2 - BHO: (no name) - {D3832432-8F15-452F-9C83-13E27DF9DF5C} - (no file)
    O4 - HKLM\..\Run: [Microsoft Cvrt] mscvrt32.exe
    O4 - HKLM\..\Run: [loaddll] loaddll.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
    O4 - Global Startup: winlogin.exe

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
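    The HijackThis lines chaslang singles out above share a few mechanical traits: orphaned references marked "(file missing)" or "(no file)", Run entries that name a bare file with no path so Windows resolves it through the search path, a Run value that calls regsvr32 /u to unregister a DLL at logon, a service with no vendor string, and a file name one character off a real system binary (winlogin.exe). The script below is an added example, not HijackThis or MGtools code and not part of the thread, that applies those heuristics to a whole log. The sample log is constructed from the lines quoted in this thread plus two benign entries the rules must not flag (a fully pathed ZoneAlarm Run key and a service with a vendor string); the rules, the system-binary list and the extension set are assumptions. A flag means "inspect", not "malware".

```python
"""Triage HijackThis-style startup, BHO and service lines.

Added example, not HijackThis or MGtools code.  Heuristics only: every
flag is a reason to look, not a verdict.
"""
import re
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<sec>F\d|O\d+) - (?P<body>.*)$")
# a file name with no directory component: resolved through the search path
BARE_FILE = re.compile(r"^[\w.\-]+\.(exe|dll|scr|com|bat)$", re.IGNORECASE)

# Names this malware family liked to imitate (assumed list).
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "csrss.exe", "services.exe", "userinit.exe", "rundll32.exe"}

# Constructed sample: the thread's quoted lines plus two benign entries.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\System32\mljjh.exe
O2 - BHO: Google Module - {A2487E9B-AAE5-4d21-ADDE-1F342354974A} - minstar1.dll (file missing)
O2 - BHO: (no name) - {D3832432-8F15-452F-9C83-13E27DF9DF5C} - (no file)
O4 - HKLM\..\Run: [Microsoft Cvrt] mscvrt32.exe
O4 - HKLM\..\Run: [loaddll] loaddll.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: winlogin.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\System32\windows (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip()


def _within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = diffs = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        diffs += 1
        if diffs > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion in a
        elif len(a) < len(b):
            j += 1          # insertion in a
        else:
            i += 1          # substitution
            j += 1
    return True             # any leftover tail is at most one character


def is_lookalike(name: str) -> Optional[str]:
    """Return the system binary `name` imitates, or None."""
    name = name.lower()
    for real in SYSTEM_BINARIES:
        if _within_one_edit(name, real):
            return real
    return None


def _launched_file(sec: str, body: str) -> str:
    """Best effort: the command an entry runs, with HJT decorations removed."""
    if sec == "F3":
        m = re.search(r"load=(.*)$", body)
        return m.group(1).strip() if m else ""
    if sec == "O4":
        body = re.sub(r"\s*\(User '[^']*'\)$", "", body)          # trailing user note
        body = body.split(": ", 1)[1] if ": " in body else body    # hive / location
        return re.sub(r"^\[[^\]]*\]\s*", "", body).strip()        # [value name]
    if sec == "O23":
        return body.rsplit(" - ", 1)[-1].strip()                   # path is last field
    return ""


def _first_token(cmd: str) -> str:
    """The executable part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(line: str) -> List[str]:
    """Reasons to inspect one HJT line; empty list means nothing tripped."""
    reasons: List[str] = []
    m = LINE_RE.match(line.strip())
    if not m:
        return reasons
    sec, body = m.group("sec"), m.group("body")
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned: referenced file is gone")
    cmd = _launched_file(sec, body)
    exe = _first_token(cmd)
    base = exe.rsplit("\\", 1)[-1].lower()
    if sec == "F3" and cmd:
        reasons.append("win.ini load= hook in use (legacy autostart, rarely legitimate)")
    if sec == "O4" and BARE_FILE.match(exe):
        reasons.append(f"startup runs bare name {exe!r} with no path")
    if sec == "O4" and re.match(r"regsvr32\s+/u\b", cmd, re.IGNORECASE):
        reasons.append("Run key unregisters a DLL at logon (self-removal trick)")
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("service has no vendor string")
    real = is_lookalike(base) if base else None
    if real:
        reasons.append(f"{base!r} is one character off system binary {real!r}")
    return reasons


def triage(log_text: str) -> Tuple[List[Tuple[str, List[str]]], List[str]]:
    """Split a log into (flagged lines with reasons, clean lines)."""
    flagged, clean = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
        else:
            clean.append(line)
    return flagged, clean


if __name__ == "__main__":
    hits, ok = triage(SAMPLE_LOG)
    for line, why in hits:
        print(line)
        for r in why:
            print("   ->", r)
    print(f"{len(hits)} flagged, {len(ok)} clean")
```

    On the sample, nine of the eleven lines are flagged and the two fully pathed, vendor-attributed ZoneAlarm entries pass; winlogin.exe trips two rules at once (bare name and look-alike), which is the kind of entry to fix first.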
  10. avscannow

    avscannow Private E-2

    Ok, sorry for the delay. I ran in to a few issues following these steps. Here's what I encountered and was able to do so far:

    I was able to uninstall the AVG program but unable to uninstall the McAfee program. I uninstalled it awhile ago and some files and other programs still remained on my comp and on my Add/Remove progs. list in the Control Panels folder. However, I deleted the McAfee folder, along with the AVG folder, and was then able to remove it from my Add/Remove progs. list. I just hope I got all the traces of the program off.

    No, I don't want Ad-Aware to run everytime I boot up so I changed its start up settings along with a few others. I have also deleted the Wild Tangent games because I don't really use/play them.

    I was only able to identify 4 of the 8 lines listed:
    O2 - BHO: Google Module - {A2487E9B-AAE5-4d21-ADDE-1F342354974A} - minstar1.dll (file missing)
    O2 - BHO: (no name) - {D3832432-8F15-452F-9C83-13E27DF9DF5C} - (no file)
    O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
    O4 - Global Startup: winlogin.exe
    So I went ahead and followed the instructions to delete/fix these lines. However, I noticed that when I did another scan, the 'O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')' line would still show up no matter how many times I'd scan and fix it.

    Other than that, my computer seems to be fine and running smoothly now. Please check my logs and tell me what else I need to do to complete all these incomplete steps.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First you are using MSconfig to control startups which we specifically stated in the READ ME that you must not do! Now that you have been removing McAfee you have things stuck in MSconfig that can only be fixed by registry edits! Please do the below now:

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    You do still have McAfee Shredder showing. Uninstall it and just to be sure, run this: McAfee Consumer Product Removal Tool

    What are you planning on using for an antivirus program? I see you have ZoneAlarm Security Suite installed. Is it also an antivirus?


    I see WinMX running at startup. First, I thought WinMX no longer existed. Second, why would you always want this to load even if it does still exist?

    Did you run the below as requested in msg # 7? If not, run it now.
    Then run analyse.exe and fix the below lines if they still exist:

    O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\System32\windows (file missing)

    Let me know if you get an error about the last line (the O23 - Service). This is what you should have removed with the steps back in msg # 9.

    What are the below files?
    Code:
    "C:\Documents and Settings\Owner\Desktop\"
    130~1.txt     Jan 31 2008        1110  "1.30.txt"
    401.xlr       Feb  8 2008       24064  "401.xlr"
    4kiz.xlr      Feb  8 2008       34816  "4kiz.xlr"
     
    "C:\Documents and Settings\Owner\My Documents\"
    401k.xlr      Jan 28 2008       21504  "401k.xlr"
    
    I just realized that you had a very outdated version of Ad-Aware. Uninstall this: Ad-aware 5.7

    Also uninstall Kazaa Media Desktop 2.0.2 as requested in step 1 of the READ ME.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.
     
  12. avscannow

    avscannow Private E-2

    All right, here are my MG logs.
    There are a few issues I ran into following your steps:

    The last line (O23) was not even there.


    Like I stated in a previous post, when I went to uninstall it, there was a file missing that would not allow me to uninstall it. However, I used the Kazaa removal tools that this site provides and I followed the steps to get it cleared so I hope I did. I'm sure you'll tell me if I didn't.


    Those are personal files I created. No threat.


    Yes, I have the entire security suite, Antivirus, Antispyware, Privacy, etc... However, it was not running at the time of infection because it was too good of a pop up/ad blocker that it would not let some sites load up. I've learned my lesson though, never again.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you have this installed while McAfee was still installed? If so, you should never do this. Only one antivirus should ever be installed at the same time. This could lead to permanent problems that can be hard to fix.

    You did not answer my question about WinMX and I still see it running.

    I also still see McAfee items in your logs. Did you run the removal tool I gave you a link to?

    Also why is Spybot running when you ran Getlogs.bat?
     
  14. avscannow

    avscannow Private E-2

    I know it's been a while, I apologize. There's been a lot going on. I've been away from my computer for a while. I tried to answer your questions, so here it is:

    I think some traces may have been on, or at least I thought I had uninstalled/removed McAfee completely before I installed ZoneAlarm, but it was so long ago I don't remember, and I didn't know that McAfee had all these issues with uninstalling it.

    It's off now.

    Yes, I have run the removal tool that you provided the link to. Like I've said in previous comments, I've uninstalled it using the removal tool, but when I run it, it will go through its whole setup and start to perform the cleanup, but when it finishes it says "incomplete cleanup". I've added the McAfee Cleanup Log for you to see.

    It wasn't when I ran it this time. Here are my logs. Thanks.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can use the below registry patch to remove the McAfee Shredder program from your uninstall list.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Your logs are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work through the below link:
     
