Smitfraud removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by DeniseSchindler, Feb 22, 2010.

  1. DeniseSchindler

    DeniseSchindler Private E-2

    An AntiVir scan came up with Smitfraud this morning. I did not have AntiVir try to remove because it came up with other items that I know are not viruses, and was unsure how to delete just the one.
    I have run the basic cleaning shown here, and am attaching the logs.
     
  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

  3. DeniseSchindler

    DeniseSchindler Private E-2

I apologize - I thought I attached them earlier
     

    Attached Files:

  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)
    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
     
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    The below fixes and advice are specific to this member's problem and should be used for issue(s) on this machine only.

    Hello, DeniseSchindler - please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.

    * You didn't save MGTools.exe to the directory instructed in our Vista Cleaning Procedure

    Using Windows Explorer - please delete "C:\Users\Public\Downloads\Computers, Windows & Infections Demystified\MGTools\MGtools.exe"

    *Also - Disable "Spybot Tea Timer" as instructed in that same guide.

    # Please attach the scan log from Avira AntiVir Personal that shows SmitFraud being detected.


    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Step 2:
    Please download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    explorer.exe
    avgnt.exe
    SUPERAntiSpyware.exe
    AAWTray.exe
    
    :Files
    C:\rapport.txt
    C:\ProgramData\tmp43F5.log
    C:\ProgramData\tmp43F5.tmp
    C:\ProgramData\tmp6077.log
    C:\ProgramData\tmp6077.tmp
    C:\ProgramData\tmp6CAC.log
    C:\ProgramData\tmp6CAC.tmp
    C:\ProgramData\tmp74D4.log
    C:\ProgramData\tmp74D4.tmp
    C:\ProgramData\tmp76C7.log
    C:\ProgramData\tmp76C7.tmp
    
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 4:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    • Avira AntiVir Personal scan log

    * Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    dr.m
     
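A defender-side check to go with the :Reg section of the OTM script above, added here as an example and not part of the thread or of the OTM tool: it lists the Browser Helper Objects registered on the machine, resolves each CLSID to its DLL, and reports whether that DLL exists and is Authenticode-signed, so the three entries being removed can be reviewed first. It assumes an elevated PowerShell session on the affected machine.

```powershell
# Added example (not from the thread or from OTM): audit registered Browser Helper
# Objects. The three CLSIDs below are the ones the OTM script in this thread removes;
# everything else found is listed too so the reader can see what remains after the fix.
$Suspect = @(
    '{02478D38-C3F9-4efb-9B51-7695ECA05670}',
    '{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}',
    '{5C255C8A-E604-49b4-9D64-90988571CECB}'
)
# BHO registration keys (native hive and, on 64-bit Windows, the 32-bit view).
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# HKCR is not a drive by default, so address it through the Registry:: provider.
$ClsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)

foreach ($root in $BhoRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $clsid = $key.PSChildName
        # The InprocServer32 default value holds the DLL path the browser will load.
        $dll = $null
        foreach ($clsRoot in $ClsidRoots) {
            $inproc = "$clsRoot\$clsid\InprocServer32"
            if (Test-Path -Path $inproc) {
                $dll = (Get-ItemProperty -Path $inproc).'(default)'
                break
            }
        }
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        $exists = [bool]($dll -and (Test-Path -Path $dll))
        # A missing or unsigned DLL behind a BHO is worth a closer look before trusting it.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        [PSCustomObject]@{
            CLSID      = $clsid
            InOtmFix   = ($Suspect -contains $clsid)   # -contains is case-insensitive
            Dll        = $dll
            DllExists  = $exists
            Signature  = $sig
        }
    }
}
```

Pipe the output to Format-Table -AutoSize for a one-line-per-BHO view; an entry whose DLL is absent or unsigned, or that is not a known add-on, is the kind of object the OTM :Reg section is removing.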
  6. DeniseSchindler

    DeniseSchindler Private E-2

    Thanks for getting back to me.

    I had to uninstall AntiVir and reinstall last Friday - it would no longer update. The only log file I can find is the one attached, and it only has the SmitFraudFix that I initially tried to remove it with. I am attaching that file.

    I had no trouble running any of the scans - I had installed a couple of trial programs, which I uninstalled prior to running scans, and will not reinstall until all issues are resolved. I had also uninstalled several programs that I did not use anymore since I first contacted you.

    I have just finished running the scans and wanted to get this back to you, so I can't really say if the computer is running better yet or not.

    Thanks,
    Denise
     

    Attached Files:

  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hi, Denise

    All but one of the files Avira AntiVir Personal detected and quarantined are False Positives, and were from known anti-malware tools that we sometimes use. I also use Avira - it even flags MGTools.exe!

    NOTE: If that last file "Chancey Presentation.ppt" is something you know - there are steps given in Avira's "Help" section that show how to restore such a file.

    Your logs look good! If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:

    Safe surfing!
     
