Smitfraud-C! Help me plz! I'm a novice

Discussion in 'Malware Help (A Specialist Will Reply)' started by Mysorchid, Apr 10, 2007.

  1. Mysorchid

    Mysorchid Private E-2

    Hi all

    I have had a recent attack of spyware. I ran some antivirus programs such as Ad-Aware SE and S-S&D but I couldn't remove them. They are Smitfraud-C (according to Ad-Aware SE, but it can't clean them). I also tried some guides in http://forums.majorgeeks.com/showthread.php?t=107562
    about removing Smitfraud, but I couldn't remove them
    I also tried http://forums.majorgeeks.com/showthread.php?t=35407
    but I lost again... It automatically sends more than 10 emails in 2 sec from different senders to other receivers (according to ZoneAlarm) and shows an icon in my taskbar suggesting I buy RegCleaner

    And I have another problem: I can't view hidden files.
    I click Tools-->Folder Options--->View Tab--->Show hidden files and folders
    But when I click OK nothing happens, and when I check Folder Options again, it has automatically chosen Do not show...

    Hoping someone can help me
    I attach some logs and some pics...

    Finally, sorry very much about my English, I'm a Vietnamese and my English is very bad.

    Thanks before
     

    Attached Files:

  2. Mysorchid

    Mysorchid Private E-2

    Aha, it also automatically installed RegCleaner on my computer too.
    I can't run BitDefender or Panda ActiveScan either: BitDefender didn't run, Panda Scan started to scan and then didn't scan for 30 min (I uploaded the images)
    so I can't upload its log...
    More logs...
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeek!

    What about CounterSpy or AVG AntiSpyware? You did not attach a log from one of them.


    Also you did not install GetRunKey or ShowNew properly. You tried to run it from D:\ISO-8859-1 which I assume is a CD drive. You must extract ALL files from the GetRunKey.zip and ShowNew.zip files into a folder on your C drive. Use a folder named C:\MGTools as suggested. Neither of the two programs ran properly because they were not installed properly. So you need to re-run them and attach new logs.

    Also attach (don't take a snapshot) a log from a new run of Spybot. You just need to right click in the scan window to create a log.

    What are the below processes? Are they something you installed?
    O4 - HKLM\..\Run: [OnlineCafe] C:\Program Files\VDC\InternetOnline\OnlineCafe.exe
    O4 - HKLM\..\Run: [WebFilter] C:\PROGRA~1\VDC\INTERN~1\webfil.exe

    Why are you running your PC with no protection???? You have no antivirus, no firewall, and had no antispyware program until you installed CounterSpy, which is only a trial.



    I really need the other logs to make a complete fix, but I will give you a bunch of steps to do below.

    This should help to improve your situation somewhat, but it will probably not fix everything since more could be hiding.

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.


    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winzzc32.dll once and then click the kill button. After you have killed all of the winzzc32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs(If you do not find the dll, just continue on):
    ddcyvww.dll
    gebcccd.dll
    rpcc.dll
    vtutu.dll

    Next double click on explorer.exe and again click once on each instance of winzzc32.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    ddcyvww.dll
    gebcccd.dll
    rpcc.dll
    vtutu.dll
    Next double click on iexplore.exe and again click once on each instance of winzzc32.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    ddcyvww.dll
    gebcccd.dll
    rpcc.dll
    vtutu.dll

    Now just exit Process Explorer.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\system32\tcpipmon.exe
    C:\WINDOWS\system32\tcpipmon.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {483CC496-D041-4545-8D9E-2D64294F97B2} - C:\WINDOWS\system32\gebcccd.dll
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\xfaklyfa.dll
    O2 - BHO: (no name) - {A416D604-EAA3-4618-958C-2ECA22414616} - C:\WINDOWS\system32\ddcyvww.dll
    O2 - BHO: (no name) - {B8E376B1-7A95-4B4F-A048-8254567EA2BA} - C:\WINDOWS\system32\vtutu.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BkavFw] C:\Program Files\Bkav2006\Bkav2006.exe TASKBAR
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\cajjsxgl.dll",setvm
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
    O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\system32\clcl3.exe
    O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O20 - Winlogon Notify: ddcyvww - C:\WINDOWS\SYSTEM32\ddcyvww.dll
    O20 - Winlogon Notify: gebcccd - C:\WINDOWS\SYSTEM32\gebcccd.dll
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: vtutu - C:\WINDOWS\system32\vtutu.dll
    O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\SYSTEM32\winzzc32.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\gebcccd.dll
    C:\WINDOWS\system32\xfaklyfa.dll
    C:\WINDOWS\system32\ddcyvww.dll
    C:\WINDOWS\system32\vtutu.dll
    C:\Program Files\Bkav2006\Bkav2006.exe
    C:\WINDOWS\system32\cajjsxgl.dll
    C:\WINDOWS\system32\svehost.exe
    C:\WINDOWS\system32\clcl3.exe
    C:\WINDOWS\system32\tcpipmon.exe
    C:\WINDOWS\system32\rpcc.dll
    C:\WINDOWS\SYSTEM32\winzzc32.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Bkav2006

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey - make sure you have installed it properly
    2. ShowNew - make sure you have installed it properly
    3. HJT


    Make sure you tell me how things are working now!
     
    Last edited: Apr 10, 2007
  4. Mysorchid

    Mysorchid Private E-2

    First, thank you very much for your guide and sorry about my delay.

    I don't understand you. I downloaded them from the README and the extracted folders are (ISO-8859-1''ShowNew) and (ISO-8859-1''GetRunKey), and in those folders there are GetRunKey.bat and ShowNew.bat, so I ran them; their log files were created in C:. How do I install them properly? The README guide doesn't show how to install ShowNew and GetRunKey. So I redownloaded these files and extracted them. The files don't have any changes, but when I run GetRunKey.bat and ShowNew.bat, nothing happens (no logs were saved, so I can't upload them).
    I can't find any folder with that name.
    Yes, they are my programs and I trust them, but I removed them anyway...
    At first, I had Kaspersky Antivirus v6 and ZoneAlarm, but when I got some viruses, every time I opened them my computer crashed immediately, so I had to remove them.

    Since yesterday, I have run AVG, and luckily I have completed a BitDefender Online Scan (I have attached these logs). About CounterSpy v2, I have run it twice and the logs are also attached.

    About your guide, I have finished all of it without any errors, but I couldn't do these:
    rpcc.dll
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    because they don't exist. I ran CS, AVG and BDOC before doing your guide, so perhaps they were killed by CS, AVG or BDOC
    (because when I did them, I hadn't visited this page; I visited here when I had finished)
    And here are my HJT, Bit and AVG logs... (Note that I ran CS, AVG, S-S&D and Bit Online before doing your guide)
     

    Attached Files:

  5. Mysorchid

    Mysorchid Private E-2

    and here are some more logs...
    And I have another problem:
    To see hidden files as in the README guide I click Tools---> Folder Options---> View Tab--->Show hidden and system files...
    But when I click OK, nothing happens; the hidden files are still hidden
    Now, after I scanned with CounterSpy, AVG and Bit Online, Folder Options has disappeared from Tools and from Control Panel too. How do I recover it?

    Thanks very much about your help and sorry about my bad English.
    Best Regards.
     

    Attached Files:

  6. Mysorchid

    Mysorchid Private E-2

    Another one: I have just downloaded MGTools in your post at:
    http://forums.majorgeeks.com/showthread.php?t=122576
    After I extracted all of it, I tried to run GetRunKey.bat and ShowNew.bat again, but nothing happened; no logs were created in C: or anywhere...

    When I had just booted my computer, CS found some malware and did a search, so I attached this new log...
     

    Attached Files: CS3.txt
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below is a direct quote right out of the READ & RUN ME.

    Because you have to create it.



    Note: You should not be downloading and using that MGTools.zip file from the other thread. You should only follow the directions given to you in your thread.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What files do you see in the folder you first extracted GetRunKey to? Tell me the file names you see?

    What files do you see in the folder you first extracted ShowNew to? Tell me the file names you see?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\SSVICHOSST.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe
    O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSVICHOSST.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)


    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\windows\system32\winzzc32.dll
    C:\WINDOWS\system32\autorun.ini
    C:\WINDOWS\system32\setting.ini
    C:\WINDOWS\system32\SSVICHOSST.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  10. Mysorchid

    Mysorchid Private E-2

    OK. The ZIP files I downloaded from the README are ISO-8859-1''ShowNew.zip and ISO-8859-1''GetRunKey.zip. When I extracted them, I got two folders with those names.
    In the ISO-8859-1''ShowNew folder, there are grep.exe, locate.com, ltime.exe and ShowNew.bat.
    In the ISO-8859-1''GetRunKey folder, there are grep.exe, locate.com, ltime.exe and GetRunKey.bat
     

    Attached Files: SG.JPG, SG2.JPG
  11. Mysorchid

    Mysorchid Private E-2

    Thank you for your help, chaslang!
    Luckily, I could run GetRunKey.bat and ShowNew.bat, so now I can upload their log files. I have done your guide too and have no problem.
    And here are the logs...
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are not valid folder names and this is a good example of why you should put them in the folders as recommended. You should not put quotes in folder names. And why would you want them in a folder name that begins with ISO-8859-1 anyway?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They still are not running properly and that may be due to the choice of folder names.


    Are you having any malware problems?
     
  14. Mysorchid

    Mysorchid Private E-2

    Uhmm, I don't know... when I click on the links to download GetRunKey.zip and ShowNew.zip in the README, the zip files are saved with those names, so when I extract them with WinRAR, the folders get the same names. Anyway, I redownloaded them again and extracted them in C:\MGTools as the README suggested, and here are the new logs...

    "Are you having any malware problems?"
    Yes, certainly (I have just performed a scan with S-S&D, it found 5 malwares, but it can't clean them)
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And now they ran correctly since you installed them properly into folders with valid names.

    Not helpful! You need to either give me a log from Spybot or tell me exactly word for word what is being found and not fixed.

    What are the below files and folders? Especially the aaaaa.reg file? DO NOT double click on the aaaaa.reg file!!!!!! If you want to see what is in it, you will have to load it into Wordpad.
    Code:
    "C:\Documents and Settings\GAME3\My Documents\"
    aaa.rtf       Apr  8 2007        2378  "AAA.rtf"
    aaaaa.reg     Apr  8 2007     3346406  "aaaaa.reg"
    cs.txt        Apr 10 2007        8885  "CS.txt"
    cs2.txt       Apr 11 2007        8885  "CS2.txt"
    cs3.txt       Apr 12 2007        1326  "CS3.txt"
    fix.rtf       Apr 11 2007        9345  "fix.rtf"
    help.txt      Apr 12 2007        2233  "help.txt"
     
     
    "C:\Documents and Settings\GAME3\Application Data\"
    COWON         Apr 12 2007              "COWON"
     
    "C:\Program Files\Common Files\"
    COWON         Apr  5 2007              "COWON"
     
    "C:\WINDOWS\system32\"
    tukernel.exe  Feb 16 2007     2288128  "TUKernel.exe"
     


    When you run the below fixME.reg patch, take notice of the message you get from Windows and tell me exactly what it says.


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\awvtu.dll
    C:\WINDOWS\system32\lbivksyq.dll
    C:\WINDOWS\system32\ydqnasnf.dll
    C:\WINDOWS\system32\18E.tmp
    C:\WINDOWS\system32\gjkkj.ini
    C:\WINDOWS\system32\lgxsjjac.ini
    C:\WINDOWS\system32\oeminfo.ini
    C:\WINDOWS\system32\ututv.ini
    C:\WINDOWS\system32\utvwa.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT
     
    Last edited: Apr 12, 2007
  16. Mysorchid

    Mysorchid Private E-2

    Thank you very much, chaslang! Everything looks good to me. Anyway...
    CS.txt, CS2.txt and CS3.txt are CounterSpy v2 logs. Fix.txt and help.txt are your posts in this thread; I copied them to Notepad to do the steps more easily, especially when I have to close the browser, such as when running HJT:
    "DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now"
    Last month, I made some changes in the registry following my friend's guide to accelerate my computer. For that, I exported the registry (File--->Export) to recover if I had any problem (luckily, I haven't had any problems), and aaaaa.reg is that backup (I forgot to delete it when I finished); aaa.rtf is my friend's guide.

    I don't recognise the three last files; perhaps they are malware.
    OK, there were no important messages (according to me); they said:
    "Are you sure you want to add the information in C:\Documents and Settings\GAME3\My Documents\fixME.reg to the registry?"
    And I clicked Yes. The second:
    "Information in C:\Documents and Settings\GAME3\My Documents\fixME.reg has been successfully entered into the registry."
    That's all; for details, I have uploaded a snapshot so you can see it.

    Uhmm, I can't take new logs of ShowNew and GetRunKey, it gets an error:

    "Registry editing has been disabled by your administrator"
    GetRunKey gets the same error, although I still ran it completely yesterday, so I can't upload their logs

    And here are new logs...
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The file name was fix.rtf which is not a true text file. You probably created it with WordPad not notepad.

    Try to get in the habit of using useful filenames so that there is no question as to what something is. Randomly named files are commonly used by malware programs.

    What do you see in those two COWON folders.

    Do you also have a c:\windows\system32\ntoskrnl.exe file (in addition to the TUKernel.exe file) and are they the same size?

    Yes there was. The part that said has been successfully entered into the registry was the important part and was what I need to know.

    Run this ComboFix - How to download and run and then check to see if you can get logs from GetRunKey and ShowNew.
     
  18. Mysorchid

    Mysorchid Private E-2

    Thank you very much for your help.
    The first folder C:\Documents and Settings\GAME3\Application Data\COWON is empty.
    But I can't find the second folder C:\Program Files\Common Files\COWON. In the Common Files folder, there isn't any COWON folder, so I pasted the above path into the Address bar of Windows Explorer and pressed Enter; it gets an error:
    "Cannot find 'file:///C:/Program%20files/Common%20files/COWON'. Make sure the path or Internet address is correct."
    No, ntoskrnl.exe is 2.04MB, and TUKernel.exe is 2.18MB. Uhmm, I see that their tags are
    "NT Kernel & System_Microsoft Corporation"
    so I think they aren't malware files

    I have successfully taken ShowNew and GetRunKey logs...
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so then delete the below folder:

    C:\Documents and Settings\GAME3\Application Data\COWON


    Yes I know ntoskrnl.exe is valid. I just wanted to make sure it was there and see if the file sizes were similar. I believe TUKernel.exe is part of TuneXP 1.5 that you have installed. I did not notice it earlier. So it is okay. Many people (even some antispyware programs) believe it is malware, but that is probably due to where they installed it and the name they gave it.


    Uninstall CounterSpy since we are finished with it now!


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O1 - Hosts: ECHO is off.
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. HJT


    Are you having any more malware problems?
     
  20. Mysorchid

    Mysorchid Private E-2

    Thank you very much for your help

    All steps were finished successfully and here are the new logs
    Uhmm, I don't see any more symptoms since finishing your last guide. I think all the malware has been removed but I'm not sure...
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not get the step with the fixME.reg patch performed properly. Try it again. Tell me if you receive a message after running it that says that it was successfully added to the registry.

    Did you change any of your hidden files settings? They seem to have changed!
     
  22. Mysorchid

    Mysorchid Private E-2

    Ok, I have tried to merge it, and it has been added successfully:
    Information in C:\Documents and Settings\GAME3\Desktop\fixME.reg has been successfully entered into the registry
    Oh no, I didn't change anything; if I wanted to, I couldn't change it, as I have posted: when I open Folder Options, click the View tab and then check
    "Show hidden files and folders" and OK
    Nothing happens, and when I check Folder Options again, it automatically changes to
    "Do not show hidden files and folders"
    Here are new logs after I merged fixME.reg
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! This time it worked. Last time it did not. You must always make sure you get a success message when doing these registry patches and let us know whether it succeeded or you receive an error message.

    "Nothing happened, and when I check Folder Option again, it automatically changes to
    "Do not show hidden files and folders""

    Yes! I can see it in the GetRunKey log! Search thru it and you will see a value that looks like this:

    "Hidden"=dword:00000002

    it should be

    "Hidden"=dword:00000001

    And back in message # 18 it was correct. I'm not sure why it changed back, but it does not appear to be malware because your logs are all clean. Perhaps you have locked something within one of your applications.


    Thus, if you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
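The registry settings this thread turns on (the "Hidden" DWORD chaslang points to in post #23, the DisableRegedit policy behind the "Registry editing has been disabled" error and the O7 line in post #9, and the IE Restrictions key from the O6 line in post #3) can be audited from a GetRunKey-style .reg export instead of the live registry. The Python below is an added example, not a MajorGeeks tool and not chaslang's fixME.reg: the key paths are assumed from their standard Windows locations (the thread quotes only value names), the SHOWALL\CheckedValue check goes beyond the page (it is the value that decides whether the "Show hidden files" choice sticks), and the sample export is constructed.

```python
# Standard locations of the values the thread discusses; the key paths are this example's
# assumptions (well-known Windows locations), since the thread quotes only value names.
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_RESTR = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions"

# Constructed sample in .reg export syntax mirroring the thread: Hidden=2 (post #23), DisableRegedit=1
# (HJT O7, post #9), an IE Restrictions key (HJT O6, post #3), plus SHOWALL\CheckedValue, which is
# not on the page but decides whether the 'Show hidden files' choice sticks when OK is clicked.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegedit"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
"""


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (kind, data)}}.
    Understands dword:, "name"=- (delete value) and [-key] (delete key); other data is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("-"):           # [-key]: the whole key is removed
                keys[current[1:]], current = {}, None
            else:
                keys.setdefault(current, {})
            continue
        name, sep, data = line.partition("=")      # value names containing '=' are not handled
        if current is None or not sep:
            continue
        name = name.strip('"')                     # '@' (the default value) passes through unchanged
        if data == "-":                            # "name"=-: the value is removed
            keys[current].pop(name, None)
        elif data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        else:
            keys[current][name] = ("raw", data)
    return keys


def dword(keys, path, name):
    """Return a DWORD value as int, or None if it is absent or not a DWORD."""
    entry = keys.get(path, {}).get(name)
    return entry[1] if entry and entry[0] == "dword" else None


def audit(keys):
    """List the settings behind the thread's symptoms (hidden files reverting, regedit blocked)."""
    findings = []
    hidden = dword(keys, ADVANCED, "Hidden")
    if hidden not in (None, 1):
        findings.append(f"Explorer\\Advanced Hidden={hidden}: hidden files not shown (expected 1)")
    if dword(keys, SHOWALL, "CheckedValue") not in (None, 1):
        findings.append("SHOWALL CheckedValue!=1: the 'Show hidden files' choice will not stick")
    if dword(keys, POLICIES, "DisableRegedit") == 1:
        findings.append("Policies\\System DisableRegedit=1: registry editing disabled by policy")
    if keys.get(IE_RESTR):
        findings.append(f"IE Restrictions key present with {len(keys[IE_RESTR])} value(s) (HJT O6)")
    return findings


def fix_reg(keys):
    """Build a .reg patch (this example's own, not the thread's fixME.reg) restoring the defaults."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    if dword(keys, ADVANCED, "Hidden") not in (None, 1):
        lines += [f"[{ADVANCED}]", '"Hidden"=dword:00000001', ""]
    if dword(keys, SHOWALL, "CheckedValue") not in (None, 1):
        lines += [f"[{SHOWALL}]", '"CheckedValue"=dword:00000001', ""]
    if dword(keys, POLICIES, "DisableRegedit") == 1:
        lines += [f"[{POLICIES}]", '"DisableRegedit"=-', ""]
    if keys.get(IE_RESTR):
        lines += [f"[-{IE_RESTR}]", ""]
    return "\n".join(lines)
```

Merging the generated patch should produce the "has been successfully entered into the registry" message chaslang asks for; if it does not, the DisableRegedit policy is still in force and the patch was not applied.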
     
