Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

SmitFraud cleaned....I think

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

system.ini

Unread postby cptz » January 3rd, 2006, 6:24 am

Kim,
The only file that was on the computer from your list here was the ibm00005.dll. Nothing else was found.

Here is the system.ini you requested:

; for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[Windows]
load=


virtualguy2.exe I will have to check on. This computer blongs to an acquantance that asked me to help clean. I just assumed it was something he put on the computer since he is gay. And I have had no desire to invetigate it, since I am not.
cptz
Active Member
 
Posts: 14
Joined: January 1st, 2006, 2:58 pm
Advertisement
Register to Remove

Unread postby Kimberly » January 3rd, 2006, 10:17 am

Hello cptz,

System.ini is clean, the keylogger usually adds a line in the load section. Maybe you didn't get the full install or Ewido did already delete some files the first time. Something I would like you to check :

Using windows explorer, navigate to c:\windows and look for a folder that starts with inet and some numbers - example : C:\WINDOWS\inet20001 - Delete the folder if found.
______________________________

Keep all browsers closed. Click on Start then Control Panel
Double click on the Java plug-in icon (there may be more than one). The Java Control Panel appears.
  1. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  2. Click the Delete Files. The Delete Temporary Files dialog box appears.
    Put a checkmark next to the three options on this window to clear the cache.
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  3. Click Ok on the Delete Temporary Files window.
  4. Click Ok on Temporary Files Settings window.
If there are other Java plug-in icons... perform the same action on all of them. That should clean out the infected files.
______________________________

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{D49E9D35-254C-4C6A-9D17-95018D228FF5}"=-
"{D49E9D35-254C-4C6A-9D17-95018D228FF5}"-
"{2D51D869-C36B-42BD-AE68-0A81BC771FA5}"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\skip\\Local Settings\\Temp\\dmx76E.tmp"=-
"C:\\Documents and Settings\\skip\\Local Settings\\Temp\\dmx76F.tmp"=-
"C:\\Documents and Settings\\skip\\Local Settings\\Temp\\dmx780.tmp"=-
"C:\\Documents and Settings\\skip\\Local Settings\\Temp\\dmx7A2.tmp"=-
"C:\\WINDOWS\\system32\\sachostw.exe"=-
"C:\\WINDOWS\\system32\\sachostc.exe"=-
"C:\\WINDOWS\\system32\\sachosts.exe"=-


Save it to your desktop as Fixme.reg. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.
______________________________

A small cleanup ...

If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.

Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.

Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.

Click on the General Button on the left and select in green
  • Under Safety
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Under Definitions
    • Prompt to udate outdated definitions - set to 7 days
Click on the Scanning Button of the left and select in green
  • Under Driver, Folders & Files
    • Scan Within Archives
  • Under Select drives & folders to scan
    • choose all hard drives
  • Under Memory & Registry
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
Click on the Advanced Button on the left and select in green
  • Under Shell Integration
    • Move deleted files to Recycle Bin
  • Under Logfile Detail Level
    • Include addtional object information
    • DESELECT - Include negligible objects information (make it show a red X)
    • Include environment information
  • Under Alternate Data Streams
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak Button and select in green
  • Under the Scanning Engine (Click on the + sign to expand)
    • DESELECT Unload recognized processes & modules during scan (make it show a red X)
    • Scan registry for all users instead of current user only
  • Under the Cleaning Engine (Click on the + sign to expand)
    • Always try to unload modules before deletion
    • During Removal, unload Explorer and IE if necessary
    • Let Windows remove files in use at next reboot
  • Under the Log Files (Click on the + sign to expand)
    • Include basic Ad-aware SE settings in logfile
    • Include additional Ad-aware SE settings in logfile
    • Include reference summarry in log file
    • Include alternate data stream details in log file
Click on Proceed to save the settings and close the program.
______________________________

If Spybot - S&D 1.4 is already installed on your system, skip to Update Spybot - S&D before using it. Otherwise download Spybot - S&D from the following link:
Spybot - Search and Destroy

When you have downloaded the program, double click on the downloaded file to start the installation. Follow the default selections, pressing the Next button until you get to the Select Additional Tasks screen.

Under Permanent protection, make sure to uncheck the following items for now:
  • Use Internet Explorer Protection
  • Use system settings Protection (TeaTimer)
Press the Next button and then the Install button to start the installation process. When the installation process is complete, make sure that Run Teatimer is unchecked.

Launch Spybot - S&D

If you told Spybot to launch when it was done installing, the program should now be open. Otherwise find the icon on your desktop and double-click on it. When you use Spybot - S&D for the first time, it will prompt you for certain tasks to complete. Skip all tasks for now by pressing the Next button. Click on the button labeled Start using this program to begin using Spybot - Search & Destroy.

Update Spybot - S&D before using it

Click on the Search for Updates button. If there are available updates, they will be listed. Click on the Download Updates button and Spybot - S&D will download the updates and install them.
______________________________

Run Ad-Aware and Click on the Scan Now Button
  • Choose Perform Full System Scan
  • DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.

Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.

Reboot to complete the removal of what Ad-Aware SE found.
______________________________

Run Spybot - S&D

Click the button Check for Problems
When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
Make sure that there is a check mark beside all of the RED entries ONLY.
Choose Fix Selected Problems and allow Spybot to fix the RED entries.

If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.

At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of windows.
______________________________

Let me know how the computer behaves please. The virtualguy2.exe is probably just like the virtualgirl thingie. I fully understand that you don't want to find out more about it. Asking him about the program may make him feel embarrassed too.

Kim
Last edited by Kimberly on January 12th, 2006, 2:02 pm, edited 1 time in total.
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Kimberly, you are awesome.

Unread postby cptz » January 3rd, 2006, 10:58 pm

Thank you for all your help.

I have completed SpyBot, Ad-aware, Kaspersky, and AVG with all clean results. I was ready to say it is clean but decided to run panda active scan as another test.

It gave me two errors. Do we need to do anything about them?

dware:adware/ist.istbar Not disinfected C:\PROGRAM FILES\COMMON FILES\Totem Shared
Adware:adware/comet Not disinfected Windows Registry


Thanks,
Tom
cptz
Active Member
 
Posts: 14
Joined: January 1st, 2006, 2:58 pm

Unread postby Kimberly » January 4th, 2006, 12:33 am

Hello Tom,

You're welcome, glad we could assist you. :)

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\Common Files\Totem Shared

We will see if we can find the entry in the registry. It might be a harmless entry because Panda flags very often the Uninstall keys.

Download Bobbi Flekman's RegSearch from
http://www.bleepingcomputer.com/files/regsearch.php

Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

comet

then hit Ok

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe. Please post the results.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby NonSuch » January 14th, 2006, 4:14 am

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27215
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 41 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware