NewDotNet & Smitfraud-C

Discussion in 'Malware Help (A Specialist Will Reply)' started by Pathik, Mar 27, 2006.

  1. Pathik

    Pathik Private E-2

    Please help me with this problem. I went through your Read & Run First post and then I attached my Hijackthis log. Thanks in advance...

    Pat
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    There are 8 required steps (steps 0 to 7) in the READ ME that must be run. You need to run them ALL before attaching a HijackThis log.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And to help keep you moving along, you need to run the below! But only after completing the rest of the steps in the READ & RUN ME.

    Download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that looks like fsbl-xxxxxxx.log
    • Please attach the Blacklight log file here.
    Now download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Post the contents of the txt.log which will open when the scan is finished.
     
  4. Pathik

    Pathik Private E-2

    Hi, I did what you asked and got all the reports you needed except for F-Secure Blacklight. It wouldn't run on my computer. Please let me know... thanks a lot again.

    Pat
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why not? Explain what happened! We really may need the log from Blacklight to find other hidden processes. Without it we may not succeed in removing your Qoologic infection.

    I'll try to work something up anyway and we will see what happens.
     
  6. Pathik

    Pathik Private E-2

    I get an error message which says:
    F-Secure Blacklight was unable to acquire necessary priviliges (SeDebugPrivilege)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you logged in to an account with administrator privileges?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running the below! It may be able to restore the debug privilege.

    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

    Then attach the above log and then try Blacklight again.
     
  9. Pathik

    Pathik Private E-2

    You're off the hook :D ... that Look2Me-Destroyer worked and I was able to run the Blacklight program. I attached the logs from both. Thanks for all the help.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Look in Add/Remove programs and uninstall WeatherBug if found.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\system32\netstat.com
    C:\WINDOWS\system32\taskkill.com
    C:\WINDOWS\system32\ping.com
    C:\WINDOWS\system32\tracert.com
    C:\WINDOWS\system32\tasklist.com
    C:\WINDOWS\system32\regedit.com
    C:\WINDOWS\system32\cmd.com
    C:\WINDOWS\didduid.ini
    C:\WINDOWS\keyboard5.exe
    C:\WINDOWS\UGF0aGlrIFBhdGVs\o3IXu35OKI11x3pP.vbs
    C:\WINDOWS\system32\lgckljl.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Now run HijackThis using the special .bat file method and select any of the following lines (if they still exist) and then click Fix checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lgckljl.exe
    O4 - HKCU\..\Run: [Dcbl] "C:\Program Files\mocs\owbr.exe" -vt yazb
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\qndsregs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll

    Now exit HJT

    Run Windows Explorer and double check to make sure the below files are all deleted:
    C:\Program Files\mocs <--- the whole folder
    C:\Program Files\Common Files\VCClient <--- the whole folder
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NetMon <--- the whole folder
    C:\Documents and Settings\Pathik Patel\Application Data\Lycos <--- the whole folder
    C:\Documents and Settings\Pathik Patel\Application Data\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\SideStep.lnk
    C:\Documents and Settings\Pathik Patel\Local Settings\Temporary Internet Files\Ssk.log
    C:\WINDOWS\didduid.ini
    C:\WINDOWS\keyboard5.exe
    C:\WINDOWS\UGF0aGlrIFBhdGVs\o3IXu35OKI11x3pP.vbs
    C:\WINDOWS\system32\lgckljl.exe


    Then reboot into normal mode and attach a new HJT log and a new log from FindQool
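The file list and HijackThis lines in the instructions above show two indicators worth checking for programmatically: `.com` files planted next to standard command-line tools in system32 (when a command is typed without an extension, cmd.exe tries the PATHEXT extensions in order, and the default PATHEXT lists `.COM` before `.EXE`, so the planted `.com` runs instead of the genuine tool), and a `system.ini` UserInit value that names an extra executable after `userinit.exe`. The script below is an added example, not code from the thread or from any tool it names; it takes a directory listing and HijackThis-style lines as Python lists, and the sample data is constructed from the paths quoted in this thread.

```python
"""Defender-side checks for two indicators quoted in the removal instructions:
(1) '.com' files shadowing command-line tools, (2) extra UserInit executables."""
import re
from pathlib import PureWindowsPath

# Tool names whose .com shadows appear in the thread's file list (assumed watchlist).
SHADOWED_TOOLS = {"netstat", "taskkill", "ping", "tracert", "tasklist", "regedit", "cmd"}

# HijackThis F2 line format as shown in the thread.
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")


def find_com_shadows(paths, watchlist=SHADOWED_TOOLS):
    """Return .com files that either sit beside a same-named .exe in the same
    directory or carry the name of a watch-listed tool. Paths are compared
    case-insensitively because NTFS is case-insensitive."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), {})[wp.name.lower()] = p
    hits = []
    for names in by_dir.values():
        for name, original in sorted(names.items()):
            stem, _, ext = name.rpartition(".")
            if ext != "com":
                continue
            if stem + ".exe" in names or stem in watchlist:
                hits.append(original)
    return hits


def userinit_extras(hjt_lines):
    """Return every entry in a HijackThis F2 UserInit line other than the
    legitimate userinit.exe (the value is comma-separated)."""
    extras = []
    for line in hjt_lines:
        m = USERINIT_RE.match(line.strip())
        if not m:
            continue
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry and PureWindowsPath(entry).name.lower() != "userinit.exe":
                extras.append(entry)
    return extras


# Constructed sample listing: the thread's planted .com files plus the genuine
# tools they shadow. command.com is a legitimate .com with no .exe twin.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\cmd.exe",
    r"C:\WINDOWS\system32\cmd.com",
    r"C:\WINDOWS\system32\ping.exe",
    r"C:\WINDOWS\system32\ping.com",
    r"C:\WINDOWS\system32\netstat.exe",
    r"C:\WINDOWS\system32\netstat.com",
    r"C:\WINDOWS\system32\tracert.exe",
    r"C:\WINDOWS\system32\tracert.com",
    r"C:\WINDOWS\system32\tasklist.exe",
    r"C:\WINDOWS\system32\tasklist.com",
    r"C:\WINDOWS\system32\taskkill.exe",
    r"C:\WINDOWS\system32\taskkill.com",
    r"C:\WINDOWS\system32\regedit.com",  # caught via the watchlist; regedit.exe is in C:\WINDOWS
    r"C:\WINDOWS\regedit.exe",
    r"C:\WINDOWS\system32\command.com",  # legitimate, must not be flagged
    r"C:\WINDOWS\system32\lgckljl.exe",
]

# Constructed sample HijackThis lines, copied from the thread's fix list.
SAMPLE_HJT = [
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = about:blank",
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,lgckljl.exe",
    "O4 - HKCU\\..\\Run: [CU1] C:\\Program Files\\Common Files\\VCClient\\VCClient.exe",
]


if __name__ == "__main__":
    for hit in find_com_shadows(SAMPLE_LISTING):
        print("suspicious .com shadow:", hit)
    for extra in userinit_extras(SAMPLE_HJT):
        print("extra UserInit executable:", extra)
```

The shadow check only compares files within one directory; on a real system the PATH order also matters (system32 is normally searched before C:\WINDOWS), so a `.com` on the watchlist is reported even without a sibling `.exe`. A clean result from this script does not replace the full log review described in the thread; it only narrows down which of the listed files are still present.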
     
  11. Pathik

    Pathik Private E-2

    Thanks... did everything you asked. Here are the log files again.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
