Run Smitfraudfix -print these out or save them in notepad to your desktop
- Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
- Double-click SmitfraudFix.exe
- Select 2 and hit Enter to delete infected files.
- You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
- The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
- A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Navigate to
C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to
C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Clean out your Temporary Internet files. Proceed like this:
For Internet Explorer 7
* Click Start, click Control Panel, and then double-click Internet Options.
* On the General tab, click Delete... under Browsing History.
* Next to Temporary Internet Files, click Delete files, and then click OK.
* Next to Cookies, click Delete cookies, and then click OK.
* Next to History, click Delete history, and then click OK.
* Click the Close button.
* Click OK.
For Mozilla 1.x and Up
* Click Edit from the Mozilla menubar.
* Click Preferences... from the Edit menu.
* Expand the Advanced menu by clicking the plus sign.
* Click Cache.
* Click the Clear Cache button.
For Opera
* Click File from the Opera menubar.
* Click Preferences... from the File menu.
* Click the History and Cache menu.
* Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
* Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
Afterwards attach rapport.txt and a fresh Hijackthis log
----------------------------------------------------------------------------------------------------------
Download and Run ATF Cleaner
Download
ATF Cleaner by Atribune to your desktop.
Double-click
ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the
Empty Selected button.
Firefox or Opera:
Click
Firefox or
Opera at the top and choose:
Select All
Click the
Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
NO at the prompt.
Click
Exit on the
Main menu to close the program.
Reboot computer to
Normal Mode
------------------------------------------------------------------------------------------------
FindAWF
Click here to download FindAWF.exe and save it to your desktop.
- Double-click on the FindAWF.exe file to run it.
- It will open a command prompt and ask you to Press any key to continue.
- Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
- It may take a few minutes to complete so be patient.
- When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
- Attach AWF.txt file in your next reply.
------------------------------------------------------------------------------------------------------
In your reply do not attach the logs as .doc files, please rename them as .txt or .log, I don't open .doc files so could not see if anything specific needs to be done.
Your reply should include:
1)C:\rapport.txt (from smitfraud fix option 2 in safe mode)
2)AWF.txt
3)Hijackthis log scanned after the fix
