Please read these instructions carefully and print them out! Be sure to follow ALL instructions!
Please right-click:
HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.
Locate "
smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click
YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
I need you to copy all of the Killbox file paths below and paste them into Notepad.
* Please download the
Killbox by Option^Explicit.
*In the event you already have Killbox, this is a new version that I need you to download.
* Unzip to your desktop.
* Please double-click
Killbox.exe to run it.
* Select "
Delete on Reboot".
* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click
FIX CHECKED
items to fix
Close HiJackThis.
Reboot into normal mode.
1.) Download
The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.
2.) Right-Click
HERE and Save As to download DelDomains.inf to your desktop.
To use:
RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.
Logfile of HijackThis v1.99.1 Scan saved at 11:41:31 PM, on 6/19/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Be sure to look this solution over before you begin. There are a some item(s) I'm not familar with. If you recognze any, then just omit them from this fix.
Copy the part in bold below into notepad and save it as AVGoldfix.reg
Set Filetype to All Files and save it somewhere easy to find. We will use it later.
REGEDIT4
*
Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the
Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\Windows\System32\hookdump.exe C:\Windows\System32\winnook.exe C:\Windows\desktop.html C:\Windows\screen.html *Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt if you get one.
*If the computer does not reboot by itself, do it manually.
While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Doubleclick the AVGoldfix.reg we made earlier.
And (still in safe mode) use the
DiskCleanup Tool to empty all your Temp folders.
Delete the entire folder C:\Program Files\AntiVirusGold
In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info"
Then boot back to normal, run HijackThis again and post a new log.
Run
HiJackThis then:
1. Click "
Config..."
2. Click "
Misc Tools"
3. Click "
Open Process manager"
-
Next, while holding down the
CTRL key, locate (
if present) and click on (
highlight) each of the following:
Now double-check and make sure that only those item(s) above are highlighted, then click "
Kill process". Now, click "
Refresh", check again, and repeat this step if any remain.
Run
HiJackThis and click "
Scan", then check(tick) the following, if present:
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '
in use', try deleting them from "
Safe Mode".
Reboot and post back a new log, and let me know how everything goes.
zbestwun2001
3 Apprentice
•
8.8K Posts
0
June 2nd, 2005 18:00
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!
Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.
Locate " smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid
Exit Add/Remove Programs.
*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES
I need you to copy all of the Killbox file paths below and paste them into Notepad.
* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Unzip to your desktop.
* Please double-click Killbox.exe to run it.
* Select " Delete on Reboot".
* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
* Return to Killbox, go to the File menu, and choose " Paste from Clipboard".
* Click the red-and-white " Delete File" button. Click " Yes" at the Delete on Reboot prompt. Click " No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Make sure you can view hidden files.
Using Windows Explorer, delete the following, if found, ( please do NOT try to find them by "search" because they will not show up that way)
FOLDERS to delete (in bold) if found:
C:\Program Files\ Search Maid
C:\Program Files\ Virtual Maid
C:\Windows\System32\ Log Files
C:\Program Files\ Security IGuard
While still in Safe Mode, do the following:
Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED
items to fix
Close HiJackThis.
Reboot into normal mode.
1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.
2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.
3.) Download, install, and run CleanUp!
4.) Run this online virus scan: ActiveScan - Save the results from the scan!
Post a new HiJackThis log along with the results from ActiveScan.
Steve
Sir Lancelot du
5 Posts
0
June 16th, 2005 09:00
Sir Lancelot du
5 Posts
0
June 16th, 2005 09:00
Sir Lancelot du
5 Posts
0
June 16th, 2005 09:00
zbestwun2001
3 Apprentice
•
8.8K Posts
0
June 16th, 2005 17:00
Steve
Sir Lancelot du
5 Posts
0
June 26th, 2005 03:00
Dear Steve,
Pls see hijack log as well. Thanks for yr help.
Logfile of HijackThis v1.99.1
Scan saved at 11:41:31 PM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\winnook.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
D:\setup.exe
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\is-K5NOL.tmp\is-8EPDE.tmp
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Daniel Foo\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.21.83.252:8080
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp62A2.tmp (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccitbcyfnafgf] C:\WINDOWS\System32\hkqkun.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-sg\msnappau.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Microsoft AntiSpyware helper - {99200AAA-8F2D-415D-9DBA-D6F37B9055DC} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {99200AAA-8F2D-415D-9DBA-D6F37B9055DC} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {99200AAA-8F2D-415D-9DBA-D6F37B9055DC} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {99200AAA-8F2D-415D-9DBA-D6F37B9055DC} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.microsoft.com/controls/vb5/comdlg32.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
zbestwun2001
3 Apprentice
•
8.8K Posts
0
June 26th, 2005 12:00
-
Be sure to look this solution over before you begin. There are a some item(s) I'm not familar with. If you recognze any, then just omit them from this fix.
Copy the part in bold below into notepad and save it as AVGoldfix.reg
Set Filetype to All Files and save it somewhere easy to find. We will use it later.
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel system tool"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusGold]
* Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\Windows\System32\hookdump.exe
C:\Windows\System32\winnook.exe
C:\Windows\desktop.html
C:\Windows\screen.html
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt if you get one.
*If the computer does not reboot by itself, do it manually.
While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Doubleclick the AVGoldfix.reg we made earlier.
And (still in safe mode) use the DiskCleanup Tool to empty all your Temp folders.
Delete the entire folder C:\Program Files\AntiVirusGold
In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info"
Then boot back to normal, run HijackThis again and post a new log.
Run HiJackThis then:
1. Click " Config..."
2. Click " Misc Tools"
3. Click " Open Process manager"
-
Next, while holding down the CTRL key, locate ( if present) and click on ( highlight) each of the following:
C:\WINDOWS\System32\winnook.exe
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\is-K5NOL.tmp\is-8EPDE.tmp
Now double-check and make sure that only those item(s) above are highlighted, then click " Kill process". Now, click " Refresh", check again, and repeat this step if any remain.
Run HiJackThis and click " Scan", then check(tick) the following, if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.21.83.252:8080
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp62A2.tmp (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ccitbcyfnafgf] C:\WINDOWS\System32\hkqkun.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O4 - Startup: PowerReg Scheduler.exe
Now, with all windows closed except HiJackThis, click " Fix checked".
Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
files...
C:\WINDOWS\System32\winnook.exe
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\is-K5NOL.tmp\is-8EPDE.tmp
C:\WINDOWS\System32\hkqkun.exe
Search for...
Scheduler.exe
...using " Start | Search...".
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from " Safe Mode".
Reboot and post back a new log, and let me know how everything goes.
Steve