
Security Cleanup FAQ
Editors: lilhurricane, CalamityJane. Last modified on 2008-08-21 21:38:04.
Contents: 1.0 Forum Rules | 1.1 Posting Guidelines & Etiquette | 1.2 SCU Helpers | 2.0 Help - I'm Infected! | 2.1 Malware Removal | 2.2 White List Fixes | 3.0 Security Software Tutorials | 4.0 Prevention | 5.0 Additional Resources
1.0 Forum Rules
Subsections: What are the Rules of this Forum? · So...What is this Forum all about?
What are the Rules of this Forum?
•All "HijackThis" threads will be locked or deleted unless you follow these steps first.
•Direct links or executable files are NOT permitted. No exceptions.
•There is a forum "Approved WhiteList" you can point to in a post.
•Posts that provide step by step instructions to various exploits are not allowed.
•We reserve the right to edit, move or remove any post or thread without explanation.
•Please do not start a new topic if you are currently receiving assistance in one.
•Make sure your topic has not been covered before. A forum search for the subject you are looking for may give you the answer faster than posting about it. Duplicate posts may be locked.
•Please post responsibly!
•These rules are subject to change without notice.
by lilhurricane, last modified 2007-11-11 14:53:47

So...What is this Forum all about?
This forum is dedicated to helping folks get help. It is different from the Security forum. When you follow the Posting Rules for starting a new topic, you allow others to assist you in cleaning your computer. By getting the "pre-clean" requirements out of the way first, the helpers are able to tackle the root of your problem.
This may seem like work...and it is! For both yourself and those who help you. But the satisfaction of knowing you've brought yourself to a level where the assistance is addressing the direct problem...that's paramount to the "cure". You can do it!
by lilhurricane, last modified 2007-11-11 14:52:56
1.1 Posting Guidelines & Etiquette
Subsections: What we'd like to see · Site Posting Rules & ToS · How to post for assistance
What we'd like to see
•Use Forum search. Your question or comment may have already been discussed, answered, or resolved.
•Stay on topic; add to existing threads only when it is applicable. It is better to create a new thread for an unrelated post.
•Please do not "cross-post". If you've posted to this forum, there's no need to post in another, or vice versa.
•Note: As a matter of etiquette, you should stick with one forum. If you are getting help in another forum, then you should inform the other; this way there is never duplication of members' time & efforts.
•Please do not use offensive language, nor launch personal attacks on another user.
•Be welcoming to new posters; we were all new at one time, trying to learn.
•Please utilize the "Hey Mods" link on the bottom of any post for anything requiring Mod attention.
by lilhurricane, last modified 2006-08-24 06:52:17

Site Posting Rules & ToS
The site rules on posting can be found here, along with our ToS.
Another good read: How to Get Noticed
by lilhurricane, last modified 2006-04-19 17:50:40

How to post for assistance
A good example of the proper way to post to the Security Clean-Up Forum:
•Will have descriptions of current symptoms.
•Will tell us what programs from the FAQ were utilized (should be all) and state what was found.
...and will look something like this (screenshot; click to enlarge):
You can link to a thread elsewhere onsite for reference, but please create a new thread w/ all requested info for our SCU Forum

by lilhurricane, last modified 2008-01-04 14:57:03

1.2 SCU Helpers
• CalamityJane BBR MVM & VIP; Microsoft MVP Windows Security 2003-2008; ASAP Member
• TheJoker BBR MVM; ASAP Member
• LoPhatPhuud BBR MVM & VIP; Microsoft MVP Windows Security 2005-2008
• CajunTek BBR MVM, Malware Remover
• Zupe BBR MVM, Malware Remover
• Cudni BBR MVM; Microsoft MVP Windows Security 2006-2008
• bcastner BBR MVM; Microsoft MVP Windows Networking 2004-2008; ASAP Member
Subject to changes.
by lilhurricane, last modified 2008-04-02 22:57:13
2.0 Help - I'm Infected!
Subsections: Mandatory Steps Before Requesting Assistance · Screenshots of Desktop Hijack

Mandatory Steps Before Requesting Assistance
You must follow all these steps for posting to the forum! No shortcuts! Scroll down and view all, please!
We want to help, really!
These instructions will tell you what we need you to run to pre-clean your computer, and what required logs to attach to your post.
This forum is for cleanup of symptomatic infections. It is not for diagnosing operating system applications, debating security issues or analyzing just for the sake of analyzing. So please follow the instructions below so we may better assist you.
Those not following this carefully before posting will find their topic closed, moved or removed.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
First make a copy (or print out) these instructions so you have them handy as some of the infection cleaning steps will need to be done offline and in Safe Mode.
1. Download, install, update all of these free antispyware programs.
This will remove the most commonly known types of spyware, hijackers and other common malware and will make our job easier.
After installing and updating each one, do the scan to clean in SAFE MODE, offline with IE closed.
How to start the computer in Safe mode
Windows 98: »support.microsoft.com/kb/180902 Windows XP: »support.microsoft.com/kb/315222 Windows Vista: »windowshelp.microsoft.com/Window···033.mspx
Copy the instructions in the link above for easy use in safemode since you will not be able to access online information. (Note: Safe Mode with Networking is not recommended) Copy any other instructions you need to operate the programs you are using so you have them handy.
Download, Install, Scan instructions
1.a Spybot Search & Destroy 1.6 (free/donationware): If you already have Spybot, make sure it is the latest version, 1.6.
Download it here: »www.safer-networking.org/en/down···dex.html
(a) Download and install Spybot S&D.
(b) Click on "Update" in the left column.
(c) Click on "Search for Updates".
(d) Select a download location (usually one close to you).
(e) Click "Download Updates" and wait for the updating process to finish.
(f) Close all programs and reboot into safe mode. Do not open IE.
(g) Click "Search and Destroy" in the left column.
(h) Click "Check for Problems".
(i) Have Spybot remove/fix all the problems it identifies in RED. The items not listed in red should not be touched at this time.
(j) Reboot to normal mode and scan again. Repeat until no more bad (red highlighted) items are found.
1.b Ad-aware 2008 Free (freeware version for personal use): »www.lavasoft.com/products/ad_aware_free.php Note: Windows 2000, XP, and Vista only!
(a) Download and install Ad-Aware 2008 Free. If you had an older Ad-aware installed, grant the installer permission to uninstall it when it asks.
(b) As the installation ends, leave these boxes checked: (i) Perform a full scan now, (ii) Update definition file now, (iii) Open the help file now. Click "finish".
(c) Reboot to SAFE MODE. Scan again with Ad-Aware (full system scan).
(d) Wait for the scanning process to complete.
(e) Click "Next".
(f) Click "Critical Objects" and select all the items found for removal. ("Removal" actually puts things in quarantine, so you can generally recover them if you need to.)
(g) Reboot your computer back into normal mode.
(h) Repeat steps (c) through (g) until no more Critical Objects are found.
If you are running Windows 2000, WinXP, or Vista download and run these additional freeware scanners to clean for trojans and spyware (Note: These additional tools will not run on Win98/ME).
1.c Windows Defender (Microsoft) 1 (freeware) »www.microsoft.com/athome/securit···ult.mspx
(a) Download and install Microsoft Windows Defender (use the recommended settings on installation).
(b) Reboot to SAFE MODE.
(c) Choose *Run Quick Scan Now*. Let it scan your system and choose to fix the infections found at the end.
(d) Reboot to normal mode and scan again. Repeat until no further bad items are found.
Complete instructions on using Windows Defender can be found here: Using Windows Defender »www.microsoft.com/athome/securit···ult.mspx
Q. Does the version of Windows Defender that is included in Windows Vista provide additional protection?
A. Yes. Windows Defender in Windows Vista offers additional performance and security enhancements, including the ability to scan only files that have changed, to run under a security-enhanced account, and to scan files when you run them. Windows Defender will also allow you to scan files as you download them if you use Internet Explorer 7.
1.d Malicious Software Removal Tool »https://www.microsoft.com/security/malwa···ult.mspx (Just download and run it - it will remove any malicious malware found)
ONLINE AV SCANS
2. Get a free online Antivirus scan at one or more of the following. This is an important step to do even if you ran your resident AV program, as some malware can disable the program currently installed on your PC. The online AV scanners can sometimes reveal infections your present AV cannot. Use both scanners. Do a full system scan, delete any infected files found, and choose to save the log at the end (we may need to see a copy).
Go here: »www.eset.eu/online-scanner to run an online scanner from ESET.
•Note: You will need to use Internet Explorer for this scan.
•Tick the box next to YES, I accept the Terms of Use.
•Click Start.
•When asked, allow the ActiveX control to install.
•Click Start.
•Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked.
•Click Scan.
•Wait for the scan to finish.
•Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
•Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems.
Trend Micro (PC-cillin) - Free on-line Scan »housecall.trendmicro.com/
3. If the above steps have solved the problem, please skip the following step. You can refer to this FAQ for additional cleaning, fine-tuning recommendations: »Security »I think my computer is infected or hijacked. What should I do?
If you are still having a problem: Create a Diagnostic log using HijackThis
(a) Instructions for HijackThis: * Download Trend Micro Hijack This™ »download.bleepingcomputer.com/hi···tall.exe Doubleclick the HJTInstall.exe to start it. By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below. This will start the scan and open a log. Copy and paste the contents of the log in your next reply.
Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
4. Do this only if you are still having a problem and need your HijackThis log analyzed. Post a new Topic in the Security Cleanup Forum. Go to this link: »Security Cleanup
Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem.
(a) Start the title of your post with "HJT Log" followed by a short remark regarding your problem.
(b) The first paragraph of your post should explain exactly what the problem is. For example, is it a system slow down? Is it Pop ups or ads? Is your computer trying to call out or send emails? etc...
(c) The second paragraph should tell us in detail, which one of the above steps you followed and what the results were. Which steps you had to skip and why, etc... Please note the phrase "in detail". "I've followed all the steps.", may not be enough information for those who are here to help.
(d) The third paragraph should contain the HijackThis log you copied in step 3.
Also copy and paste in the logs from the online AV scan
..........................................................................
5. Special Problems? If you can connect to the internet but are having a problem accessing certain security sites, such as those listed in this topic for downloading software and help, you may have a Hijacker that has manipulated your HOSTS file.
To correct this situation, download this free tool called HostsXpert: »www.funkytoad.com/content/view/13/
Unzip the HostsXpert file and doubleclick on HostsXpert.exe
(1) Press 'Restore Original Hosts' and press 'OK'.
(2) Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself. If you do not know what a HOSTS file is, you are most likely not using a custom one. If you are on a company computer, check with your system administrator first. For more information on HOSTS file hijacking, see here:
»Security »How do I recover from Hosts file hijacking?
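The kind of check HostsXpert automates, written out as an added Python example that is not part of this FAQ and not the HostsXpert tool's own code: it parses a HOSTS file and reports every security-vendor site it finds mapped to any address, since a clean Windows HOSTS file normally contains only the localhost line. The list of watched domains (taken from the download sites named in this FAQ) and the sample HOSTS content are constructed for the example.

```python
"""Flag HOSTS-file entries that redirect security sites.

Added example, not part of the FAQ and not HostsXpert's code: a hijacked
HOSTS file maps download and update sites either to 127.0.0.1 (so the site
is simply unreachable) or to an address the hijacker controls. This check
parses a HOSTS file and reports any watched security domain it finds, with
the address it was redirected to.
"""

# Sites the FAQ tells readers to download from. Which domains to watch is an
# assumption of this example; extend the set for your own tools.
WATCHED_DOMAINS = {
    "www.safer-networking.org",
    "www.lavasoft.com",
    "www.microsoft.com",
    "www.eset.eu",
    "housecall.trendmicro.com",
    "download.bleepingcomputer.com",
}

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample: the normal localhost line, a comment, two hijacked
# entries (one loopback, one remote) and an unrelated custom entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.lavasoft.com
198.51.100.7    www.safer-networking.org housecall.trendmicro.com   # constructed hijack
192.0.2.10      intranet.example.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip, reason) for every watched domain present in HOSTS.

    A clean Windows HOSTS file normally carries only the localhost line, so
    any mapping of a security site is worth reporting, whatever the address.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched:
            if ip in LOOPBACK:
                reason = "blocked (points at loopback)"
            else:
                reason = f"redirected to {ip}"
            findings.append((name, ip, reason))
    return findings


def load_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read the live HOSTS file (default path is the standard Windows one)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Runs against the constructed sample; pass load_hosts() to check a real machine.
    for name, ip, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"{name:32} {ip:16} {reason}")
```

On a machine whose HOSTS file has been restored by HostsXpert, `find_hijacks(load_hosts())` returns an empty list; a custom HOSTS file that legitimately pins one of the watched sites will also be reported, which is the "replace those entries yourself" case the note above describes.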
Edit 07 Aug 2008 by CalamityJane: Removed: Ewido - no longer available Removed: winsockfix (outdated)- no longer recommended for operating systems XP SP2 and up
Edit 27 May 2008 by lilhurricane: Updated links to Safe Mode booting
Edit 24 April 2008 by CalamityJane: 1. Removed AVG antispyware, no longer available as a standalone spyware scanner. 2. Added Microsoft Malicious Software Removal Tool 3. Added Vista where it was missing in some places
Edit 03 Apr 2008 by CalamityJane: Updated for Ad-Aware 2007 and Hijackthis (installer version)
Edit 19 Nov 2007 by lilhurricane: References to MS Anti-Spyware removed (Defender)
Edit 16 Sep 2007 by CalamityJane: Updated Spybot v.1.5; and HostXpert (formerly "Hoster"); Added Ad-Aware 2007 Free for Vista
Edit 01 Sep 2007 by CalamityJane: Updated HijackThis instructions for Trend-Micro version.
Edit 08-20-07 by lilhurricane: Windows Defender info now includes Vista as a supported operating system
Edit 08 April 2007: Changed link for Safe Mode instruction to point to MS article. Using msconfig in WinXP is not recommended due to the fact that today's new malware sometimes deletes the safeboot key.
Edit 24 Oct 2006 by CalamityJane: Added eTrust online scanner; removed CWShredder and AboutBuster; Windows Defender is for XP only
Edit 07 Apr 2006 by CalamityJane: Microsoft Antispyware is now Windows Defender.
by CalamityJane, edited by lilhurricane, last modified 2008-08-21 21:38:04

Screenshots of Desktop Hijack
The following is a collection of screen shots of desktop hijackings, scams, fake alerts, and web-based scare messages. These are indicative of a Vundo or Smitfraud infection. Please see these FAQs for removal:
•Trojan Vundo/Virtumonde/Winfixer Removal
•SpywareQuake/SpyFalcon/Smitfraud Removal
If you still are having problems, refer to the instructions here
*Screenshot thumbnails (not reproduced here):
Credit to originating site: Webhelper's CWS Diaries. Newer variants added Nov 17 2006.
April 25, 2007 - New screenshots of Antivirus Golden (Video AX Object variant)
Edit April 25, 2007 by CalamityJane: New screenshots added of Zlob/smitfraud variant Antivirus Golden (Video AX Object variant)
Edit Nov 17, 2006 by CalamityJane: New screenshots added
by Cudni, edited by lilhurricane, last modified 2007-12-28 17:32:13

2.1 Malware Removal
Subsections: AproposRootkit Removal · Aurora / Nail Removal · E2Give Malware Removal · EliteBar / PokaPoka Removal · SpyAxe/Spyware Strike Removal · Zlob/Smitfraud Removal · Trojan Vundo/Virtumonde/Winfixer Removal

AproposRootkit Removal
Symptoms
•Unexplained popups even after all steps in the following FAQ come up "clean": »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
•No apparent signs in a HijackThis log.
•No entries visible under "Device Manager" or "Network Places".
This pest is adware that is hidden by a rootkit. It produces various popups from a number of advertisers, all generating from adchannel.contextplus.net
The best way to tell if you've got it is to run this diagnostic tool: Download Rootkit Revealer (free tool) »technet.microsoft.com/en-us/sysi···445.aspx
Unzip it to your desktop. Open the rootkitrevealer folder and double-click rootkitrevealer.exe.
Click the Scan button (bottom right). It may take a while to scan (don't do anything while it's running).
When it's done, go up to File > Save. Choose to save it to your desktop. We may need to request a copy of it later.
If you see 200-300 or so entries similar to the following, you can try running the AproposFix posted further down.
Apropos infections show up in the RootkitRevealer log as a randomly named folder in Program Files (Holt_old in this sample) whose contents are hidden from the Windows API; the ace.dll file is frequently seen as well. Sample entries:
C:\Program Files\Holt_old 13/11/2005 17:37 0 bytes Hidden from Windows API.
C:\Program Files\Holt_old\ace.dll 26/10/2005 15:46 568.00 KB Hidden from Windows API.
C:\Program Files\Holt_old\AI_07-11-2005.log 07/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_08-11-2005.log 08/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_09-11-2005.log 09/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_10-11-2005.log 10/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_11-11-2005.log 11/11/2005 00:05 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_12-11-2005.log 12/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_13-11-2005.log 13/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache 13/11/2005 17:58 0 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436ee411_0000b71b 07/11/2005 00:20 3.81 KB Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436fd078_000ec82e 07/11/2005 17:08 5.38 KB Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435febb3_0007270e 26/10/2005 15:48 2 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435fed33_0002dc6c 13/11/2005 19:07 3.54 KB Hidden from Windows API.
etc. The log itself will be very long, with lots of entries similar to the above.
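To make a long RootkitRevealer log easier to triage, here is an added Python example (not part of this FAQ and not RootkitRevealer's own code) that parses the saved log and counts, per folder, the entries reported as hidden from the Windows API. The sample log reuses the entries shown above plus one constructed benign line; the folder-grouping rule, the ace.dll check and the 200-entry threshold (taken from the FAQ's rule of thumb) are this example's own choices.

```python
"""Summarise a RootkitRevealer log by folder.

Added example, not part of the FAQ or of RootkitRevealer: it parses the
plain-text log the tool saves (path, date, time, size, description) and
counts the entries "Hidden from Windows API" under each top-level folder, so
that a randomly named Program Files folder full of hidden files, and the
ace.dll file the FAQ mentions, stand out without reading hundreds of lines.
"""
import re
from collections import defaultdict

# One log entry: path, dd/mm/yyyy, hh:mm, size with unit, free-text description.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})"
    r"\s+(?P<size>[\d.]+\s+(?:bytes|KB|MB|GB))\s+(?P<desc>.+)$"
)

# Entries copied from the FAQ's sample, plus one constructed benign line
# (the last one) to show that only hidden entries are counted.
SAMPLE_LOG = r"""C:\Program Files\Holt_old 13/11/2005 17:37 0 bytes Hidden from Windows API.
C:\Program Files\Holt_old\ace.dll 26/10/2005 15:46 568.00 KB Hidden from Windows API.
C:\Program Files\Holt_old\AI_07-11-2005.log 07/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_08-11-2005.log 08/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_09-11-2005.log 09/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_10-11-2005.log 10/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_11-11-2005.log 11/11/2005 00:05 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_12-11-2005.log 12/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_13-11-2005.log 13/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache 13/11/2005 17:58 0 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436ee411_0000b71b 07/11/2005 00:20 3.81 KB Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436fd078_000ec82e 07/11/2005 17:08 5.38 KB Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435febb3_0007270e 26/10/2005 15:48 2 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435fed33_0002dc6c 13/11/2005 19:07 3.54 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\Layout.ini 13/11/2005 18:00 34.50 KB Visible in Windows API, but not in MFT or directory index.
"""


def parse_log(text):
    """Yield one dict per well-formed entry; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.groupdict()


def folder_of(path):
    """Group key: 'C:\\Program Files\\<name>' under Program Files, else 'C:\\<top>'."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[1].lower() == "program files":
        return "\\".join(parts[:3])
    return "\\".join(parts[:2])


def summarize(text):
    """Return {folder: {"hidden": count, "has_ace_dll": bool}} for hidden entries."""
    summary = defaultdict(lambda: {"hidden": 0, "has_ace_dll": False})
    for entry in parse_log(text):
        if not entry["desc"].startswith("Hidden from Windows API"):
            continue
        info = summary[folder_of(entry["path"])]
        info["hidden"] += 1
        if entry["path"].lower().endswith("\\ace.dll"):
            info["has_ace_dll"] = True
    return dict(summary)


def suspect_folders(text, min_hidden=200):
    """Folders worth a closer look: many hidden entries (the FAQ's 200-300
    rule of thumb) or the ace.dll file the FAQ singles out."""
    return sorted(folder for folder, info in summarize(text).items()
                  if info["hidden"] >= min_hidden or info["has_ace_dll"])


if __name__ == "__main__":
    for folder, info in summarize(SAMPLE_LOG).items():
        print(f"{folder}: {info['hidden']} hidden entries, ace.dll={info['has_ace_dll']}")
    print("suspect:", suspect_folders(SAMPLE_LOG))
```

Point `summarize` at the text of the log you saved to the desktop; a genuine Apropos log will show one Program Files folder with a count in the hundreds, while the benign "Visible in Windows API" discrepancies RootkitRevealer also reports are left out of the count.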
The Fix
Please download AproposFix from here:
»Security Cleanup FAQ »Security Clean-Up Approved White List
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, and post the entire contents of the log.txt file in the aproposfix folder into a New Topic.
Thanks to Swandog46 for developing this fix tool :)
1/6/07 --- fixed broken link to RootkitRevealer ~lil~
by CalamityJane, edited by lilhurricane, last modified 2008-01-06 11:18:38

Aurora / Nail Removal
Aurora/Nail fix by racooper w/ SwanDog46 & miekiemoes
PLEASE READ AND FOLLOW THESE INSTRUCTIONS CAREFULLY; YOU MAY WANT TO PRINT OR SAVE THESE INSTRUCTIONS LOCALLY BEFORE STARTING.
1. Please download, install, and update the free version of Ewido AntiMalware:
•From the main ewido screen, click on update in the left menu, then click the Start update button.
•After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido. DO NOT scan yet.
Download CCleaner and install, but do not run it yet.
2. Please download this revised installer for the Nailfix utility. DO NOT run it yet. Alternate download links here: http://www.spywareedge.net/nf/nailfix.exe http://www.spywareaid.com/index.php?file=s...22&softtype=exe
3. Reboot to Safe Mode How to start the computer in Safe mode http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
4. Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
5. Next, run Ewido again.
•Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
•If ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
•When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
6. Then run HijackThis, click Scan, and place a checkmark by the following items (if found):
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [random] c:\windows\system32\random.exe r
Close all open windows except for HijackThis and click Fix Checked. Note that the O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, which will always end in a single letter r.
Locate and delete the following file: c:\windows\system32\random.exe (or whatever the name may have changed to, as noted above).
6. Now, run CCleaner.
•Uncheck "Cookies" under "Internet Explorer".
•If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
•Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
7. Please start a new topic if you need help. Do not post your logs in someone else's threads. Please NOTE: If you have not done so already, follow the Mandatory Steps first before posting a HijackThis log. The rules are here: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
Edited for new version of Nailfix 22Jul2005
by CalamityJane, edited by lilhurricane, last modified 2006-01-02 23:49:29

E2Give Malware Removal
E2TakeOut version 1.00 by: RubbeR DuckY
This program removes the E2Give and PTech malware. Simply download, unzip, and run the E2TakeOut.exe file. Follow the onscreen directions and be sure to restart your computer when prompted.
Main indicators in a HijackThis log:
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O20 - AppInit_DLLs: iniwin32.dll
O20 - AppInit_DLLs: inicfg32.dll
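As an added example that is not part of this FAQ and not HijackThis's own code, the following Python reads HijackThis log lines and reports the indicators this FAQ lists for Aurora/Nail (the Shell= and O4 entries in the previous section) and for E2Give (the BHO CLSID and AppInit_DLLs entries above). The regular expressions and the benign sample lines are constructed for the example; the indicator lines themselves are the ones printed on this page.

```python
"""Flag the HijackThis log indicators this FAQ lists for Aurora/Nail and E2Give.

Added example, not part of the FAQ or of HijackThis: it scans HijackThis log
lines and reports the entries the FAQ names as indicators, so a helper can
spot them quickly in a long log. The rules cover only what this page shows.
"""
import re

# From the E2Give section: the BHO CLSID and the two AppInit_DLLs names.
E2GIVE_BHO_CLSID = "{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}"
E2GIVE_APPINIT_DLLS = {"iniwin32.dll", "inicfg32.dll"}

# Aurora/Nail: Shell= should run Explorer.exe and nothing else; the O4 Run
# entry ends in a lone 'r' even after the file name changes.
F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$", re.I)
O4_RE = re.compile(r"^O4 - .*\.exe r$", re.I)
O2_RE = re.compile(r"^O2 - BHO: .* - (?P<clsid>\{[0-9A-F-]+\}) - ", re.I)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$", re.I)


def check_hjt(lines):
    """Return (infection, rule, line) for each indicator found in the log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = F2_SHELL_RE.match(line)
        if m and m.group("value").strip().lower() != "explorer.exe":
            findings.append(("Aurora/Nail", "Shell= runs more than Explorer.exe", line))
            continue
        if O4_RE.match(line):
            findings.append(("Aurora/Nail", "O4 Run entry ending in a single 'r'", line))
            continue
        m = O2_RE.match(line)
        if m and m.group("clsid").upper() == E2GIVE_BHO_CLSID:
            findings.append(("E2Give", "CControl Object BHO CLSID", line))
            continue
        m = O20_RE.match(line)
        if m:
            dlls = {d.strip().lower() for d in m.group("dlls").split(",")}
            if dlls & E2GIVE_APPINIT_DLLS:
                findings.append(("E2Give", "AppInit_DLLs loads an E2Give DLL", line))
    return findings


SAMPLE_LOG = [
    # indicator lines as printed in the FAQ
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O4 - HKLM\..\Run: [random] c:\windows\system32\random.exe r",
    r"O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll",
    r"O20 - AppInit_DLLs: iniwin32.dll",
    r"O20 - AppInit_DLLs: inicfg32.dll",
    # constructed benign lines that must not be flagged
    r"F2 - REG:system.ini: Shell=Explorer.exe",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll",
]

if __name__ == "__main__":
    for infection, rule, line in check_hjt(SAMPLE_LOG):
        print(f"[{infection}] {rule}: {line}")
```

Feed it the lines of a saved HijackThis log (`check_hjt(open("hijackthis.log").read().splitlines())`); as the FAQ says, the rest of the log is mostly harmless or essential, so the output is a list of entries to look at, not a list of entries to fix.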
How to Use
Please download E2TakeOut by Rubber Ducky from here:
»www.malwarebytes.org/E2TakeOut.zip
* Extract the file to your Desktop
* Double click E2TakeOut.exe
* Click the Begin Removal button
* Wait until the program is finished scanning
* Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
* Reboot your computer
* Once your computer has rebooted, E2TakeOut will open and produce a report
* Please copy/paste that report into your next reply
by CalamityJane

EliteBar / PokaPoka Removal
LQfix by miekiemoes (free tool) is used for the latest variants of Elitebar, including the pokapoka strains. You can download it here:
»users.pandora.be/bluepatchy/miek···Qfix.exe
Download it to your desktop
Double-click LQfix.exe and click install.
Leave the default settings. If you change them, the fix will fail.
Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
Follow the prompts on the screen. Your system will reboot afterwards.
Your system may take longer than usual to start up this one time; please be patient.
.................
The free version of Ewido Security Suite can also remove most of the variants of pokapoka and Elitebar safely, including the Qoologic Trojan that often accompanies EliteBar: »www.ewido.net/en/download/
by CalamityJane, edited by lilhurricane, last modified 2006-01-09 00:18:18

SpyAxe/Spyware Strike Removal
Please see: »Security Cleanup FAQ »Zlob/Smitfraud Removal
Edit: 16 April 2006 New tool now fixes all Smitfraud variants. FAQ combined into one: »Security Cleanup FAQ »Zlob/Smitfraud Removal
by CalamityJane, last modified 2006-04-16 21:36:02

Zlob/Smitfraud Removal
These removal tools only work for the following operating systems:
1. SmitfraudFix: Windows 2k, 2003 and XP ONLY
2. RogueRemover: Vista
Windows 98/ME users will need to follow the complete pre-cleaning FAQ here: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
SpywareQuake and SpyFalcon are just two of many examples of the Zlob/Smitfraud family of desktop hijackers, which pop up over the desktop or give an alert from the taskbar near the clock and display a warning message that your computer is infected with spyware, telling you to buy/download/install their program. These warnings are fake and try to trick you into buying the commercial version of the software. The many versions of this pest vary in the warning message shown. A list of example screenshots can be seen here: »Security Cleanup FAQ »Screenshots of Desktop Hijack
Other Zlob/Smitfraud variants include: AlphaCleaner, AdwarePunisher, AntiVirusGold, AntispywareSoldier, PSGuard, RazeSpyware, Search Maid, Security IGuard, SpyAxe, SpyFalcon, SpySheriff, SpywareStrike, Virtual Maid, VirusBurst, WinHound. (This list of names has become too long to list all of the possibilities.)
Zlob/Smitfraud Removal Note: Not for Vista users. If you are running Windows Vista, please use the RogueRemover tool described in the next section.
The following steps may not clean all of it, but should be a good start and will restore the desktop to default at least so you can proceed with complete removal using various tools.
1. Print out or save to Notepad these instructions, as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to read the instructions from).
2. (WinXP, 2k only!) Download SmitfraudFix (by S!Ri) to your Desktop: http://siri.urz.free.fr/Fix/SmitfraudFix.zip Extract all the files to your Desktop. How to extract (decompress) zipped or compressed files: »www.lvsonline.com/tut-compresstu···ex.shtml
A folder named SmitfraudFix will be created on your Desktop.
Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm
3. Reboot into Safe Mode How to start the computer in Safe mode:
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.
4. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press Enter to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter
5. A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.
6. Now please scan with HijackThis to produce a log. Post that log in a new topic along with the Ewido log you saved earlier (or the Ad-Aware log) and the Panda report. We will also need the log from SmitFraudFix called rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your new topic. Logs needed in your post are:
•rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed
•Fresh HijackThis log
...........................................
VISTA users, please use this tool instead
Please download Rogue Remover from here: »www.malwarebytes.org/rogueremover.php and save it to your desktop.
•Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover.
•Navigate to the folder and double click on the file named RogueRemover.exe, or use the icon that was created on your desktop.
•Once the program runs, select Check for Updates.
•When prompted, select Check for Updates.
•If prompted again, click Download to receive the latest updates.
•When completed, close the update window.
•Finally, select Scan and the program will walk you through the remaining steps.
.................................................................................................
Additional Instructions
a. How to Post a new Topic in the Security Cleanup Forum. Go to this link: »Security Cleanup
Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem.
b. Instructions for HijackThis: Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help: »russelltexas.com/malware/createhjtfolder.htm This is to ensure it makes the necessary backups for recovery if needed.
Download HijackThis »www.trendsecure.com/portal/en-US···this.php
Unzip/decompress the file and save the contents (HijackThis.exe) to the new folder you made and doubleclick on HijackThis.exe to open the program. On the Main Menu page, Choose *Do a system scan and save a log*
When the scan finishes, you will get a popup to save the logfile. Please make note of the location you will be saving it to and click *save*. This should save the file and open the log in Notepad. Copy the contents and post the results here. Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
................................................................................
Edit 01 Sep 2007 by CalamityJane: Added additional instructions for Vista
Edit: 08 Aug 2007 by CalamityJane: Adjusted HJT instruction for new ver. 2.02 by Trend-Micro
16 Oct 2006 by CalamityJane. Removed Ewido and Panda scan instructions as SmitfraudFix can do the whole job.
Edit 16 Jul 2006 by CalamityJane: Adjusted instructions for Ewido new ver 4.0
Edit 16 April 2006 by CalamityJane: Added SmitfraudFix tool to replace SmitRem and roguescanfix tools.
by CalamityJane, last modified 2007-09-01 22:12:04

Trojan Vundo/Virtumonde/Winfixer Removal
Vundo/VirtuMonde is an adware program that downloads and displays popup advertisements, often seen as Winfixer. Please see the important note at the bottom regarding a vulnerability in Sun Java that may have been the source of this infection. It may also hijack the browser to unwanted advertising-related sites. If you know that you have the Vundo/Virtumonde trojan and other programs have not been able to remove it, please take the following steps using the free tools below.
VundoFix v.6 by Atribune
Please download VundoFix.exe from here: »www.atribune.org/ccount/click.php?id=4
and save it to your desktop
•Double-click VundoFix.exe to run it.
•Click the Scan for Vundo button.
•Once it's done scanning, click the Remove Vundo button.
•You will receive a prompt asking if you want to remove the files; click YES.
•Once you click yes, your desktop will go blank as it starts removing Vundo.
•When completed, it will prompt that it will reboot your computer; click OK.
•Please post the contents of C:\vundofix.txt and a new HijackThis log.
•Please post the contents of C:\vundofix.txt into a New Topic in the Security Cleanup Forum. Go to this link: »Security Cleanup
Start your own thread by pressing the *New Topic* button. Do not interrupt other similar threads with your problem. Include the vundofix.txt contents and a fresh HijackThis log (instructions below). Please put in the Title of your topic: Vundo Removal.
We will also need to see a diagnostic log from the free tool HijackThis
Create a Diagnostic log using HijackThis
• Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed. See here for specific instructions and screen shots to help: »russelltexas.com/malware/createhjtfolder.htm
•Download HijackThis here »www.trendsecure.com/portal/en-US···this.php
• Unzip the file to the new folder you made and double-click on HijackThis.exe to open the program. On the new-user quick start page, choose *Do a system scan and save a log*.
• When the scan finishes, you will get a popup to Save the logfile. Please make note of the location you will be saving it to and click *save*. This should save the file and open the log in Notepad. Copy the contents and post the results into your New Topic when you are ready to post for help.
Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
...................................................................................
Important Note: A possible vulnerability in older Sun Java versions may be responsible for Vundo/WinFixer infections. Check your installed Sun Java versions. We have noticed that a large number of WinFixer / Vundo / VirtuMonde victims have an older version of Sun Java listed in Add/Remove Programs in the Control Panel; other older or newer versions may also be installed alongside it. Please see this topic: »Potential Vulnerability with Sun Java auto update
Important Note: Auto-update of Sun Java does not uninstall previous (vulnerable) versions of the program. Therefore all users are encouraged to check Add/Remove Programs in the Control Panel and uninstall any older versions of Sun Java.
To check whether you have the latest version, please go to this link to verify your version and get the updates needed: »www.java.com/en/download/windows···atic.jsp
You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify your Java software.
Or you can get the manual download here: »www.java.com/en/download/manual.jsp
And in the future, remember to remove older versions of Java when you automatically update to a newer version, to avoid exploitation of the older versions left on your system.
Update: From the SANS Handler's Diary at the Internet Storm Center, January 13th 2006, "CERTs warn about java bug being exploited": »isc.sans.org/diary.php?storyid=1039
quote: According to the bulletins you need at least:
* Version 1.3.1_16 or later
* Version 1.4.2_09 or later
* Version (1.)5 update 4 or later (My note: we are now on update 6 in this version)
to be safe.
AND you still need to manually uninstall old versions of Sun Java after updating!
quote: Vince told it's also necessary to remove the old java environments, not just get the new ones, as an attacker can target the old environments when they are still present.
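Checking the installed versions against those minimums by eye is error-prone: as strings, 1.4.2_09 sorts after 1.4.2_16, and an auto-updated 1.5.0_06 can sit in Add/Remove Programs next to a forgotten 1.4.2_03 that the updater never touched. The script below is an added example written for this FAQ, not a Sun or Trend Micro tool. It encodes the minimums quoted from the SANS diary, reads the DisplayName/DisplayVersion pairs from the Windows Uninstall registry key (the list Add/Remove Programs is built from) and reports the Sun Java entries that should be uninstalled. It assumes DisplayVersion uses the 1.4.2_09 form that `java -version` prints; branches newer than 1.5 post-date the bulletin and are reported as not covered. The SAMPLE_ENTRIES list is constructed, so the script also runs offline on any platform.

```python
import re
import sys

# Minimum update level per branch, as quoted from the SANS diary above.
MIN_SAFE_UPDATE = {
    (1, 3, 1): 16,
    (1, 4, 2): 9,
    (1, 5, 0): 4,
}
NEWEST_COVERED_BRANCH = (1, 5, 0)   # 1.6 and later post-date the bulletin

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Pull ((major, minor, micro), update) out of a '1.4.2_09' style string.

    Returns None when no such version is present. Assumption: the registry
    DisplayVersion uses the same form that 'java -version' prints."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro)), int(update or 0)


def is_vulnerable(version_text):
    """True if below the bulletin minimum, False if at or above it,
    None if the string carries no recognisable version."""
    parsed = parse_java_version(version_text)
    if parsed is None:
        return None
    branch, update = parsed
    if branch in MIN_SAFE_UPDATE:
        # Compare update numbers numerically; as strings '_09' would sort after '_16'.
        return update < MIN_SAFE_UPDATE[branch]
    if branch > NEWEST_COVERED_BRANCH:
        return False          # not covered by the bulletin; confirm it is current by hand
    return True               # 1.2.x, 1.3.0, 1.4.0, 1.4.1: no fixed release exists


def audit(entries):
    """entries: (DisplayName, DisplayVersion) pairs from the Uninstall key.
    Returns the Sun Java entries that should be uninstalled."""
    to_remove = []
    for name, version in entries:
        lowered = name.lower()
        if "java" not in lowered and "j2se" not in lowered:
            continue
        if is_vulnerable(version):      # None (unparsed) is skipped, not flagged
            to_remove.append((name, version))
    return to_remove


def read_uninstall_entries():
    """Read (DisplayName, DisplayVersion) from HKLM\\...\\Uninstall. Windows only."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            try:
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    name = winreg.QueryValueEx(sub, "DisplayName")[0]
                    version = winreg.QueryValueEx(sub, "DisplayVersion")[0]
            except OSError:
                continue                # key without both values: not an application entry
            entries.append((str(name), str(version)))
    return entries


# Constructed sample of what the Uninstall key might list on an infected PC.
SAMPLE_ENTRIES = [
    ("J2SE Runtime Environment 5.0 Update 6", "1.5.0_06"),
    ("Java 2 Runtime Environment, SE v1.4.2_03", "1.4.2_03"),
    ("J2SE Runtime Environment 5.0 Update 2", "1.5.0_02"),
    ("Java(TM) 6", "1.6.0"),
    ("Mozilla Firefox (2.0.0.6)", "2.0.0.6"),
]

if __name__ == "__main__":
    entries = read_uninstall_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, version in audit(entries):
        print(f"uninstall: {name} ({version})")
```

On the constructed sample this lists the 1.4.2_03 and 1.5.0_02 entries and leaves 5.0 Update 6 and Java 6 alone. On 64-bit Windows a 32-bit JRE is registered under the separate Wow6432Node Uninstall key, so run the same read against that path as well before declaring a machine clean.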
Edit 16 Sep 2006 by CalamityJane: Updated HijackThis version, removed obsolete Symantec removal tool
Edit 15 Aug 2006 by CalamityJane: VundoFix is now 6.0
Edit 15 July 2006 by CalamityJane: VundoFix is now v.5
Edit 20 Jan 2006 by CalamityJane: Added warning about Sun Java vulnerability
Edit 18 Jan 2006 by CalamityJane: Updated for new v. 4 VundoFix by Atribune
by CalamityJane  last modified: 2007-09-16 14:16:35

The following items are approved direct links to a few executable files. These are tools that do not have a download page on the original site for us to link to. Please note that while helping members clean up their computers, you may only link to the menu items below and not directly to the files. If you believe we have missed a tool that deserves to be on this list, feel free to contact the forum moderator.
•l2mfix
•FixWareout
•AproposFix
•VundoFix
•SmitRem
•FxIstbar
•LQfix
•nailfix
•PeperFix
•Win32delfkil
•Startdreck
•SpSeHjfix (Win 98/ME)
•SpSeHjfix (XP/Win2K)
•Look2Me-Destroyer
•Roguescanfix
•FindQool
•SmitfraudFix
•Brute Force Uninstaller
•Qoofix
•E2TakeOut
•ATFCleaner
l2mfix by Shadowwar
www.atribune.org/downloads/l2mfix.exe www.downloads.subratam.org/l2mfix.exe
FixWareout by LonnyRJones
swandog46.geekstogo.com/Fixwareout.exe downloads.subratam.org/Fixwareout.exe
AproposFix by Swandog46 (for Apropos Rootkit)
swandog46.geekstogo.com/aproposfix.exe
VundoFix by Atribune (for vundo.b)
www.atribune.org/downloads/VundoFix.exe
SmitRem by noahdfear (for Trojan-Spy.HTML.Smitfraud.c, SpyAxe, WinHound)
noahdfear.geekstogo.com/smitRem.exe
FxIstbar by Symantec (for ISTbar)
securityresponse.symantec.com/avcenter/FxIstbar.exe
LQfix by miekiemoes (for EliteBar / PokaPoka Removal)
users.pandora.be/bluepatchy/miekiemoes/tools/LQfix.exe
nailfix by noahdfear (for Aurora/Nail)
www.noidea.us/easyfile/file.php?download=20050711214630636 www.spywareedge.net/nf/nailfix.exe www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=22&softtype=exe
PeperFix by Option^Explicit (for Peper trojan)
downloads.subratam.org/PeperFix.exe
Win32delfkil by Marckie
users.telenet.be/marcvn/tools/win32delfkil.exe
Startdreck
nicksoft.at/startdreck.zip
SpSeHjfix(Win98, ME)
www.derbilk.de/SpSeHjfix109.zip
SpSeHjfix(XP, Win2K)
www.derbilk.de/SpSeHjfix112.zip
Look2Me-Destroyer by Atribune (XP, Win2K)
http://www.atribune.org/ccount
Roguescanfix by Beamerke (XP, Win2K)
http://www.martijnc.be/tools/roguescanfix.exe
FindQool by LonnyRJones (XP, Win2K)
http://downloads.subratam.org/Lon/FindQool.zip
SmitfraudFix by S!Ri (XP, Win2K)
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Brute Force Uninstaller by merijn (XP, Win2K)
http://www.merijn.org/files/bfu.zip
Qoofix by LonnyRJones (XP, Win2K)
http://downloads.subratam.org/Lon/qooFix.bat
E2TakeOut version 1.00 by RubbeR DuckY (XP, Win2K)
http://www.malwarebytes.org/E2TakeOut.zip
ATFCleaner by Atribune (98/ME/2000/XP/2003/Vista)
http://www.atribune.org/ccount/click.php?id=1
Special thanks to TheJoker & CalamityJane for their contributions and assistance.
by Wildcatboy  edited by lilhurricane  last modified: 2007-12-27 17:40:52

I. HijackThis is not a stand-alone cleaning tool. It does not scan the entire system; only certain areas are scanned, to help diagnose the presence of undetected malware in some of the telltale places it hides. It is extremely important that you give the infected user a full system scan tool like Ad-Aware or Spybot (or both) for spyware issues and an online AV scan for virus, worm or trojan infections. Preferably the fix should START with those steps and finish the cleanup of strays or undetected items with HJT. It is not unusual to have Ad-Aware or Spybot find hundreds of infected files and registry items that HJT does not target. Additional infected files need to be removed by online AV scans as well. Just because you "fixed" it in HJT doesn't mean it's clean.
Note: A. Use the Mandatory Steps as a prerequisite before posting a HijackThis log: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
B. If a user has scanned with Adaware, SpyBot and/or Windows Antispyware and returns with many infections it means either:
1. They are using an outdated version of the program (you need to have them check this).
2. They did not get the updates (have them check for latest update)
3. They did not reboot the PC and scan again. Many infections require removal on reboot and a subsequent follow-up scan to completely remove the pest. I have seen it take as many as 7 repeated scans with Ad-Aware to remove particularly hard variants.
....................................
II. Do NOT start your fix by disabling System Restore. This rule applies to any manual fixes and is especially true for spyware removal. That is because disabling System Restore wipes out all restore points. Should a problem arise during the fix you would have NO good working configuration to go back to get the computer up and running. Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off. Clean the restore folder and set a new point AFTER the PC is clean and all programs are working properly.
How to Turn On and Turn Off System Restore in Windows XP http://support.microsoft.com/default.aspx?...kb;en-us;310405
How to Enable and Disable System Restore in Windows ME http://support.microsoft.com/default.aspx?...kb;en-us;264887
..........................
III. Please don't delete all the O16 items as a rule. I see this being done and it is very sloppy HJT work, as the harmless, even helpful ones should remain on the user's PC. You can check O16 items in SpywareBlaster's database by right-clicking on the database list in the program and choosing *find* (you can find by name or by CLSID). Then, if found, you can click on *more information* to see what that item is and whether any special instructions are needed (Javacool provides information links for many of those items). For the ones that remain, if you are not sure, you can check the website if you are using Eric Howes's IE-SPYAD: if the site shows up in the Restricted zone, it is best to remove it. But I see too many helpers removing perfectly harmless O16 items.
..................................
IV. About "(file missing)" and what it means. It doesn't always mean the file is really missing!!
You will see "(file missing)" in some of the lines in different sections. You can only rely on it being true in the sections for BHOs and Toolbars (the O2s and O3s).
When you see "(file missing)" in other sections, the file may really NOT be missing. You will see it in the O9s and the O23s especially. The only time you should fix a "(file missing)" entry in those sections is IF AND ONLY IF you see a *bad* file there. Be aware that "fixing" the entry doesn't remove the malware either: it is important to have the user manually delete the file as well (plus any other recommended removal methods).
Except for the O2 and O3 sections, good items listed in other sections with "(file missing)" should be left alone. Most often the file IS there but HJT doesn't see it.
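To make that rule concrete, here is a small triage script added for this FAQ; it is not part of HijackThis. It parses the O-lines of a log, strips the "(file missing)" marker (and the "(no file)" form some HJT builds print on O2/O3 lines, treated the same here as an assumption) and applies the rule above: O2 and O3 entries whose file is missing are safe to fix, while O9 and O23 entries are left alone unless the file name is on a bad-file list you supply from your lookups. The BAD_FILES set, the CLSIDs and the paths in SAMPLE_LOG are constructed placeholders, not real malware identifiers.

```python
import ntpath
import re

# Sections on which HijackThis' missing-file marker can be trusted.
RELIABLE_SECTIONS = {"O2", "O3"}
# Marker text. "(no file)" is the form newer HJT builds print on O2/O3 lines;
# assumption: both markers mean the same thing for triage purposes.
MISSING_MARKERS = ("(file missing)", "(no file)")

_LINE_RE = re.compile(r"^(O\d+) - (.*)$")
_DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def _strip_marker(body):
    """Remove a trailing missing-file marker; return (body, was_missing)."""
    for marker in MISSING_MARKERS:
        if body.endswith(marker):
            return body[: -len(marker)].rstrip(" -"), True
    return body, False


def parse_hjt_line(line):
    """Split one HijackThis log line into (section, body, path, is_missing).

    Returns None for lines that are not O-entries (log header, blank lines).
    path is the last ' - ' separated field when it looks like a drive path."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    body, is_missing = _strip_marker(body)
    last = body.rsplit(" - ", 1)[-1].strip()
    path = last if _DRIVE_PATH_RE.match(last) else None
    return section, body, path, is_missing


def triage(lines, bad_files):
    """Classify log entries. Returns a list of (section, filename, verdict).

    verdict is one of:
      'fix+delete' - known-bad file name: fix the entry in HJT AND have the
                     user delete the file by hand (fixing alone does not remove it)
      'fix'        - O2/O3 entry whose file really is missing: safe to fix
      'leave'      - O9/O23 (or other) entry marked missing: the marker is
                     unreliable there, so leave it unless the file is bad
    Entries that are present and not on the bad list are not reported."""
    bad = {name.lower() for name in bad_files}
    verdicts = []
    for line in lines:
        parsed = parse_hjt_line(line)
        if parsed is None:
            continue
        section, _body, path, is_missing = parsed
        filename = ntpath.basename(path).lower() if path else None
        if filename in bad:
            verdicts.append((section, filename, "fix+delete"))
        elif is_missing and section in RELIABLE_SECTIONS:
            verdicts.append((section, filename, "fix"))
        elif is_missing:
            verdicts.append((section, filename, "leave"))
    return verdicts


# Constructed sample log: placeholder CLSIDs and file names, not real malware.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\pdfhelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\gone1.dll (file missing)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000003} - (no file)
O9 - Extra button: Messenger - {00000000-0000-0000-0000-000000000004} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Example Helper (exhelper) - Unknown owner - C:\WINDOWS\system32\exhelper.exe (file missing)
O23 - Service: Example Updater (exupd) - Example Corp. - C:\Program Files\Example\exupd.exe (file missing)
"""

# Hypothetical bad-file list; in practice it comes from your malware lookups
# (the O9/O23 reference links in this FAQ, vendor write-ups, and so on).
BAD_FILES = {"exhelper.exe"}

if __name__ == "__main__":
    for section, filename, verdict in triage(SAMPLE_LOG.strip().splitlines(), BAD_FILES):
        print(f"{section:<4} {verdict:<11} {filename or '(no path)'}")
```

On the sample log the two O2/O3 entries come back as "fix", the Messenger O9 entry and the second O23 service as "leave", and the O23 service pointing at the listed bad file as "fix+delete", which matches the rule: in O9 and O23 the marker alone is never a reason to act.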
Links for looking up O23 and O9 items http://castlecops.com/O9.html http://castlecops.com/O23.html
.................................
V. Don't begin fixes until you have an updated HJT version and it is located in the proper folder!!
quote: Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help: http://russelltexas.com/malware/createhjtfolder.htm This is to ensure it makes the necessary backups for recovery if needed.
................................
VI. Back up the Registry. Don't even think about giving instructions to edit the Registry unless you have the user back up the Registry first.
How to backup and restore the entire registry: http://service1.symantec.com/SUPPORT/tsgen...c_nam#_Section2
...........................
VII. Don't wrap up a thread until you have given your user some prevention advice and tools. »Security Cleanup FAQ »How do I prevent Browser Hijacks and Spyware?
Give a man a fish and he will eat for a day. Teach a man to fish and he will eat for a lifetime
Remember that part of our mission is educating our visitors! No one should leave here without some good free antispyware tools and instructions to be able to clean their PC and prevent future infections.
................................
VIII. Remember to check for Windows Critical Security Updates. Remind the users you help to check Windows Update and get all the latest updates recommended for their OS and IE. The first defense against infection is a properly patched system and browser.
http://v5.windowsupdate.microsoft.com/en/default.asp
Encourage them to set their PC for automatic updates so that they won't miss any.
................................
IX. DO look up what type of malware you are dealing with where possible. Many times the user might have a nasty that requires extra instruction due to registry changes, lowered security settings, or other considerations, especially in the case of a dangerous nasty like a trojan, keylogger, password stealer or RAT. Most of the databases used to look up HJT items have reference links for the file names, which is very useful in these cases :)
In other words, just finding out a file is bad is NOT ENOUGH. You must find out why it is bad and how to clear out the entire infection, plus any cautions your user may need to know about changing passwords, accounts, etc.
...................................
X. DO identify unknown files where possible and submit undetected nasties to the AT/AV/AS vendors where possible. You can scan single files at one of these:
Jotti Malware Scan http://virusscan.jotti.org/
or here:
Virus Total http://www.virustotal.com/
Those sites will submit your file to any vendors they use at their site that do NOT detect a particular nasty (unless none of them detect it, in which case you need to submit manually to the vendors here): Submit Malware
Edited 21 Aug 2008: To remove reference to Malware Archive Forum ~lil~
Edited 10 Apr 2005: To add Section IV - About missing files.
Edited 15 Nov 2005: Added Sections IX and X