Micro A V and Smitfraud

cwchute · Sep 23, 2008

I know I'm being premature in posting now. I'm on my wife's computer, trying to get my rig back up and running. You guys helped me a while ago with a smitfraud issue, and unfortunately, I'm baaaaaack.

Yesterday I got whacked pretty bad (yes, I was STUPID). I knew I had a problem - Micro A V took over my pc. So I ran AVG and spybot. They found a bunch of problems. I quarrantined and removed. Did some research online. Downloaded and ran SuperAntiVirus and restarted a couple of times, manually deleted MicroAV and PCHealth folders in Program Files. SuperAntiVirus has run clean twice now. But my browsers (IE and Firefox) are having issues, and I am getting the dreaded Genuine Windows Validation error (I have a legit PAID FOR copy of WinXP Pro SP3). I cannot connect to the MS download pages (get the failed to connect message). I also cannot connect to THIS site (thank heavens for my wifes computer), among other anti-virus sites.

So, I haven't yet gotten to do the steps in the Read and Run Me First sticky yet, but after I print 'em out, that's what I'm gonna do.

>sigh<

cwchute · Sep 24, 2008

OK, ran through the Read and Run Me First last night. Everything appears to be cleaned up fine, except I still have the Genuine Windows Validation issue, and my graphics intensive games have just a wee bit of stutter/lag (not connected online). Otherwise, browsers working normally, etc.

So, this is the first of two posts with the log files attached. THANK YOU MAJOR GEEKS for doing what you do!

Chris

cwchute · Sep 24, 2008

Here is Part II with 3 more logs attached.

Chris

TimW · Sep 25, 2008

Please attach the C:\MGLogs.zip

cwchute · Sep 25, 2008

OK, here it is.....

TimW · Sep 26, 2008

Let's do this and then tell me if you can get to MS:

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"=http://
Click to expand...

cwchute · Sep 27, 2008

Thanks! Done. I can get to MS, it checks for needed updates, wants to validate, fails, then offers to give help on resolving the issue. At this point, the MS page with the help on it will not load.......

Again, Major Thanks to Major Geeks!

Chris

TimW · Sep 27, 2008

Let's clean up from the scans and then you can post in the software section about the validation help

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-
Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

If you get a success message, then it is time to do our final steps:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significan amount of resources ( except a little disk space ) until you run a scan.

If we used Pocket Killbox during your cleanup, do the below

* Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combo-fix folder from combofix.

If we had you run Avenger, you can delete all files related to Avenger now.

If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

cwchute · Sep 27, 2008

Success! Will do the follow up maint now.

TimW · Sep 27, 2008

Good to know....safe surfing.

Log in or Sign up

Micro A V and Smitfraud

cwchute Private E-2

cwchute Private E-2

Attached Files:

SUPERAntiSpyware Scan Log - 09-23-2008 - 21-39-06.log

mbam-log-2008-09-23 (22-34-09).txt

ComboFix log.txt

cwchute Private E-2

Attached Files:

runkeys.txt

newfiles.txt

GetUnKey.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

cwchute Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

cwchute Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

cwchute Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member