Malware Help

Welcome to Majorgeeks!

Please run the below procedure.

Now Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm


IMPORTANT: Do NOT run any other options until you are asked to do so!

 

Please only run steps that I'm giving you.

READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode per the safe directions in the READ & RUN ME.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach this log along in your next reply.

Now reboot into normal mode and attach this new rapport.txt log here.

If you are still having problems now, you must compelete all the steps in the READ & RUN ME sticky thread and attach the 5 reqauested logs:
Bitdefender - from step 6
Panda Scan - from step 6
runkeys.txt - the log from GetRunKey.bat
newfiles.txt - the log from ShowNew.bat
HijackThis

 

Which scans say you are still infected and when were they run. This is why it is important to follow our directions only and in the order given. Otherwise confusion like this results. At this point I have no idea if the info (the logs) in you other thread that I closed are valid or not and if I work up a procedure based on those I may be telling you to fix things that don't even exist.

You never properly followed the directions in the READ ME. You have Symantec and McAfee installed. See step 3 of the READ ME and fix this now! Also you need to follow the directions properly for using GetRunKey and ShowNew! Your logs were incomplete and not useful. You must follow the directions exactly to get correct logs. Do this and attach new logs here and also get a current HijackThis log and attach it here. But this time follow the directions for using HijackThis. Logs must be from normal boot mode. And makes sure you are not using MSconfig to control startups!


Also does the below folder exist? If so, delete it.
C:\Program Files\VideosCodec

 

Just empty your quarantine however is appropriate for the version of Symantec that you have. The READ ME explains on how we want MSconfig to be setup. Perhaps it only showed in your HJT log because you were in safe mode instead of normal boot mode as required.

Follow the directions exactly and attach logs from GetRunKey, ShowNew, and HJT

 

The only infections showing up are still in your Symantec Quarantine folder and also in system restore. Disable System Restore (step 9 in the READ ME if you don't know how to do this). The empty your Symantec Quarantine!

Now let's remove the McAfee services that are still trying to load even though you now use Symantec.

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to McAfee Real-time Scanner ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Now repeat the above stop and disable for the following services:
McAfee SystemGuards

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

McShield

Now repeat the Delete NT Service steps for:
McSysmon
If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

After clicking Fix, exit HJT.
Now Attach a new HJT log.
How are things running?

 

Try it again. Make sure ALL other processes are closed and no browser windows are open. Also shut down your antivirus program first. If it fails in normal boot mode, try booting in safe mode and then run the procedure.

Cookies are not problems as you will read when I give you my final steps (after we get the McAfee service fixed). You are clean otherwise.