SmitFraud issues

Burning_Monkey · Jun 18, 2007

Ran into some issues with SmitFraud and some other stuff. Just want to make sure that every thing is cleaned up and looking ok. I followed the regular read-me and then went through the SmitFraud removal also. Please let me know if there is anything else I should or need to do.

Post 1 of 3 to get all the log files attached

Burning_Monkey · Jun 18, 2007

Post 2 of 3 to get all the log files attached.

Burning_Monkey · Jun 18, 2007

Post 3 of 3, and now all the log files are attached. Finally

TimW · Jun 18, 2007

Please uninstall and reinstall HJT and rename it as instructed in the Read and RUn First!

Download and install Registrar Lite

Then run Registrar Lite.

Copy and paste the below into the Address box of registrar lit and hit the Enter key.

HKEY_LOCAL_MACHINE\SYSTEM

Then click the Security pull down ont the top menu and choose Take Ownership. Click OK in the next window to approve it. Now exit Registrar Lite and continue.

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-28BB-14BC]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-28BB-14BC\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-28BB-14BC\0000\Control]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-28bb-14bc]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-28bb-14bc\Security]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-28bb-14bc\Enum]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-28BB-14BC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-28BB-14BC\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-28BB-14BC\0000\Control]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windev-28bb-14bc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windev-28bb-14bc\Security]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windev-28bb-14bc\Enum]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-28BB-14BC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-28BB-14BC\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\windev-28bb-14bc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\windev-28bb-14bc\Security]
Click to expand...

Now attach new logs:
ShowNew
GetRun
HJT ---> properly renamed.

Burning_Monkey · Jun 19, 2007

Thank you for the help Tim and here is a new set of log files.

Sorry about blowing it on the HijackThis. I knew I was forgetting something, just couldn't figure out what I was forgetting.

TimW · Jun 19, 2007

Please use add/remove programs to uninstall:
Java 2 Runtime Environment, SE v1.4.2_03

Search Assist ----->? Did you install this? Is it something you use?

Are you networked through this domain?
Domain = pinnacle.local?

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now(not malware, just a resource hog):

O4 - Global Startup: Office Startup.lnk = C:\access97\Office\OSA.EXE
Click to expand...

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-28BB-14BC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-28BB-14BC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-28BB-14BC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-28BB-14BC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-28BB-14BC
Click to expand...

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Attach the avenger log.

Burning_Monkey · Jun 20, 2007

The Search Assist can go.

That registry key is needed by one of the programs that gets run on this computer.

Pinnacle is the proper domain name.

The Avenger log is attached.

TimW · Jun 20, 2007

That looks good ....
The HJT line was not a nasty ....just a resource hog and does not need to run at startup.

Attach new logs for:
GetRun
ShowNew
HJT

I think we're done, but I want to check before you do the final cleanup.

Log in or Sign up

SmitFraud issues

Burning_Monkey MajorGeek

Attached Files:

Activescan.txt

bdscan.txt

CounterSpy.txt

Burning_Monkey MajorGeek

Attached Files:

hijackthis.log

newfiles.txt

runkeys.txt

Burning_Monkey MajorGeek

Attached Files:

smitfiles.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Burning_Monkey MajorGeek

Attached Files:

hijackthis.log

newfiles.txt

runkeys.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Burning_Monkey MajorGeek

Attached Files:

avenger.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member