Run Smitfraudfix
- Download Smitfraudfix by S!ri from HERE
- Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
- Double-click SmitfraudFix.exe
- Select 2 and hit Enter to delete infected files.
- You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
- The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
- A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Navigate to
C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to
C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Clean out your Temporary Internet files. Proceed like this:
For Internet Explorer 7
* Click Start, click Control Panel, and then double-click Internet Options.
* On the General tab, click Delete... under Browsing History.
* Next to Temporary Internet Files, click Delete files, and then click OK.
* Next to Cookies, click Delete cookies, and then click OK.
* Next to History, click Delete history, and then click OK.
* Click the Close button.
* Click OK.
For Mozilla 1.x and Up
* Click Edit from the Mozilla menubar.
* Click Preferences... from the Edit menu.
* Expand the Advanced menu by clicking the plus sign.
* Click Cache.
* Click the Clear Cache button.
For Opera
* Click File from the Opera menubar.
* Click Preferences... from the File menu.
* Click the History and Cache menu.
* Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
* Click Ok to close the Preferences menu.
Next, click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click OK, then Apply and OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
Afterwards, attach rapport.txt.
Download and Run ATF Cleaner
- Download ATF Cleaner by Atribune to your desktop.
- Double-click ATF Cleaner.exe to open it.
- Under Main choose:
  Windows Temp
  Current User Temp
  All Users Temp
  Cookies
  Temporary Internet Files
  Prefetch
  Java Cache
  *The other boxes are optional*
- Then click the Empty Selected button.
Firefox or Opera:
- Click Firefox or Opera at the top and choose: Select All
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
- Click Exit on the Main menu to close the program.
Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
"C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
"C:\Program Files\DNA\bak\btdna.exe"
"C:\Program Files\Napster\bak\napster.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Steam\bak\steam.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Bellsouth\HelpCenter\bin\bak\sprtcmd.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
- Double-click on the FindAWF.exe file to run it.
- It will open a command prompt and ask you to "Press any key to continue".
- Press 2 then Enter
- Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
- Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
- The program will proceed to move the legit files and will perform another scan for bak folders.
- It may take a few minutes to complete, so please be patient.
Fix AWF Folders
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\Digital Media Reader\bak
C:\Program Files\DNA\bak
C:\Program Files\Napster\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Steam\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Bellsouth\HelpCenter\bin\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
- Double-click on the FindAWF.exe file to run it.
- It will open a command prompt and ask you to "Press any key to continue".
- You will be presented with a Menu.
- Press 3, then press Enter.
- Press any key to continue.
- A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
- Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
- The program will proceed to remove the bad folders and will perform another scan for bak folders.
- It may take a few minutes to complete, so be patient.
- When it is complete, it will open a text file in notepad called AWF.txt.
- Please attach the AWF.txt file in your next reply.
Run another Hijackthis scan and attach here after.
So, attach:
1) rapport.txt from Smitfraudfix
2) AWF.txt after completing the above
3) HijackThis log after everything else
This thread is for the use of Raiden528 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
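The two AWF steps above work from one pattern: a program's legitimate executable has been moved into a bak subfolder and a look-alike sits in its original place. The Python below is an added illustration of how a defender can enumerate that pattern on a disk image; it is not FindAWF, not the tool's output format, and not part of the original post. The directory tree it scans is constructed in a temporary folder (the program names echo the list above, the file contents are made up), and the "same bytes in front of several unrelated programs" grouping is an extra heuristic assumed here, not something the post describes.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large executables do not load whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_pairs(root):
    """Return (shadow_exe, bak_original, shadow_sha256) for every
    <dir>/bak/X.exe whose parent <dir> also holds an X.exe.

    A bak folder on its own is not evidence: a user's backup folder with no
    same-named executable in front of it is left alone.
    """
    pairs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        # Map lower-cased file names in the parent to their real spelling
        # (Windows file systems are case-insensitive).
        parent_files = {
            name.lower(): name
            for name in os.listdir(parent)
            if os.path.isfile(os.path.join(parent, name))
        }
        for name in filenames:
            if not name.lower().endswith(".exe"):
                continue
            if name.lower() in parent_files:
                shadow = os.path.join(parent, parent_files[name.lower()])
                pairs.append((shadow, os.path.join(dirpath, name), sha256_of(shadow)))
    return sorted(pairs)


def suspicious_shadow_groups(pairs, min_count=2):
    """Heuristic (assumed here, not from the post): group the shadowing
    executables by content hash. One identical body standing in front of the
    bak copies of several unrelated programs is the thing to flag."""
    by_hash = defaultdict(list)
    for shadow, _original, digest in pairs:
        by_hash[digest].append(shadow)
    return {digest: sorted(paths) for digest, paths in by_hash.items()
            if len(paths) >= min_count}


def build_constructed_tree():
    """Constructed sample tree: three program folders each shadowed by the same
    made-up body, plus one ordinary bak folder that must not be flagged."""
    root = tempfile.mkdtemp(prefix="awf_demo_")
    shadow_body = b"MZ constructed-shadow-body"
    layout = {
        ("Program Files", "QuickTime"): ("qttask.exe", b"MZ constructed real qttask"),
        ("Program Files", "Steam"): ("steam.exe", b"MZ constructed real steam"),
        ("WINDOWS", "system32"): ("ctfmon.exe", b"MZ constructed real ctfmon"),
    }
    for parts, (exe, legit_body) in layout.items():
        program_dir = os.path.join(root, *parts)
        os.makedirs(os.path.join(program_dir, "bak"))
        with open(os.path.join(program_dir, "bak", exe), "wb") as handle:
            handle.write(legit_body)          # the displaced legitimate file
        with open(os.path.join(program_dir, exe), "wb") as handle:
            handle.write(shadow_body)         # the look-alike in its place
    # Benign case: a backup folder with no same-named executable in front of it.
    benign = os.path.join(root, "Documents and Settings", "user", "bak")
    os.makedirs(benign)
    with open(os.path.join(benign, "oldtool.exe"), "wb") as handle:
        handle.write(b"MZ constructed old backup")
    return root


def run_demo():
    """Build the constructed tree, scan it, clean up, return (pairs, groups)."""
    root = build_constructed_tree()
    try:
        pairs = find_bak_pairs(root)
        groups = suspicious_shadow_groups(pairs)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return pairs, groups


if __name__ == "__main__":
    found_pairs, found_groups = run_demo()
    for shadow, original, digest in found_pairs:
        print(f"{shadow}  shadows  {original}  [{digest[:12]}]")
    for digest, shadows in found_groups.items():
        print(f"same body {digest[:12]} in front of {len(shadows)} programs")
```

On a real machine you would point `find_bak_pairs` at the mounted system drive and compare the shadow hashes against a known-good inventory before moving anything; the post's own procedure (FindAWF options 2 and 3) is what actually restores the files and removes the folders.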