View Full Version : Spyaxe Fixes


nightowl
02-26-2006, 07:10 PM
SpyAxe Fix # 1

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

Please download noahdfear's smitRem.exe©. Save the file to your desktop. Double click on the file to extract it to its own folder on the desktop.

http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
***

Download SpyAxeFix.exe © noahdfear. Save it to your desktop.


http://noahdfear.geekstogo.com/smitRem_filelist.htm
***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06. (Link at the bottom of my message.)
Check here on how to set up and use it - please make sure you update it first.

http://russelltexas.com/malware/adawarese/adawarese.htm
***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.
***

Close all other programs and windows. Double click SpyAxeFix.exe, then click Start to extract the tool to its own folder. Open the SpyAxeFix folder and double click the SpyAxeFix.bat to start the tool. At one point when the tool runs, your taskbar will disappear, and your computer will restart when the tool completes. A text file named spyaxe.txt will be created in the SpyAxeFix folder. Post the contents of that log please.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Next go to Control Panel, click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows.

***

Run the Free use Panda Active Scan.
You will need to allow the popups for this site!

Click on Scan your PC. A new browser window will open with Panda ActiveScan. If this is the first time you scan your PC, you'll have to download the ActiveX controls (8 MB).
A new window will open
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When the download is complete, click on scan my computer to start the scan
Save the Report to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the spyaxe.txt by using Add Reply.



SpyAxe 2nd Fix

Download smitRem.exe and save the file to your desktop.

http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions

http://rstones12.geekstogo.com/ewidosetup.htm

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions,

http://rstones12.geekstogo.com/adawareSE_setup.htm

otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items:
===================================================
HijackThis entries here if needed. Delete any other malware files not associated with the smitfraud variants and SpySheriff.
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:

Click on scanner

Click on Complete System Scan and the scan will begin.

NOTE: During some scans with ewido it is finding cases of false positives. You will need to step through the process of cleaning files one-by-one. If ewido detects a file you KNOW to be legitimate, select none as the action.

DO NOT select "Perform action on all infections"

If you are unsure of any entry found, select none for now.

When the scan is finished, click the Save report button at the bottom of the screen.

Save the report to your desktop

Close Ewido

Next go to Control Panel, click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.




Part 2 if needed When Icons change. Users are now complaining of an explorer error and nothing loading on their system, and are often posting from another computer. If the user can use Ctrl+Alt+Del to open the Task Manager on the infected computer, proceed as follows.

It could be possible, after reboot that the system is using the windows classic theme again.
To restore this and set it back to XP-theme, right-click on your desktop > properties > tab Appearances and choose Windows XP style again under windows and buttons.
Click apply and OK.




We'll need to transport some files from the computer you are now using, to your infected computer.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.
So you'll get a new folder called smitrem on your desktop.
I want you to put that folder on cd, floppy or usb-stick.

On your infected computer, boot again in safe mode and open your task manager again.
Now insert the cd, floppy or usb-stick where you saved the smitrem folder in your infected computer.

In your Task Manager, click 'applications' (first tab).
Click the New Task button.
Click browse.

Now browse to the drive where your floppy, usb-stick or cd is present (could be A or D or E or F.. you'll see..)
Search for that smitrem folder.
Right click on the smitrem folder and choose: Copy

Now browse again via Task Manager to My Documents or Program Files.
Right click somewhere in there and choose: Paste
Now open the smitrem folder you just copied and pasted and click the file: RunThis.bat
Then click open.
In the window where it says 'Create new task', click OK.

Normally, you'll have to drag the different windows you'll see to the left or to the right, because normally they will open on top of each other and you won't see the command window the tool starts that is under it.
You'll see a blue window now.
Follow the prompts on screen.
Wait for the tool to complete.

When done, in Task Manager, click 'shut down' from the menu on top and click restart. Your computer will reboot now.
Reboot to normal mode and post a hijackthis log in your next reply.

Still Shows on Spybot

Download: deldomains.
http://www.mvps.org/winhelp2002/DelDomains.inf

To use: right-click and select: Install (no need to restart)
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DelDomains.inf
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also


The malware has mutated, but the tool has been updated to fight it.

Redownload smitrem and unzip it again.

Reboot to safe mode and run runthis.bat again.

Reboot back to normal mode and post back with the new smitfiles.t


This thread is closed. If this doesn't fix your problem, please post your HijackThis Log on the Message Board

http://forums.designtechnica.com/forumdisplay.php?f=94
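
The DelDomains step above removes all Trusted Zone and Ranges entries, so it is worth recording what is there before installing the .inf. The following is an added example, not part of the original post or of any tool it mentions: it lists every site-to-zone mapping found in a text export of the Internet Explorer ZoneMap registry key. It assumes the key was exported beforehand (for instance with `reg export`) and uses the standard ZoneMap layout; the sample export and its domain names are constructed.

```python
import re

# Constructed sample of a ZoneMap export (e.g. from `reg export`), not real data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-bank.test]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-ads.test\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"*"=dword:00000002
":Range"="192.0.2.10"
'''

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
KEY_RE = re.compile(r'^\[.*\\ZoneMap\\(Domains|Ranges)\\(.+)\]$', re.I)
DWORD_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')
RANGE_RE = re.compile(r'^":Range"="(.*)"$', re.I)

def inventory(reg_text):
    """Return sorted (kind, site, protocol, zone) rows for each ZoneMap mapping."""
    keys, cur = [], None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            cur = None                      # ignore keys outside Domains/Ranges
            if m:
                kind, name = m.group(1).capitalize(), m.group(2)
                # Domains are stored as domain\subdomain; display subdomain.domain.
                site = ".".join(reversed(name.split("\\"))) if kind == "Domains" else name
                cur = {"kind": kind, "site": site, "maps": []}
                keys.append(cur)
        elif cur:
            r, d = RANGE_RE.match(line), DWORD_RE.match(line)
            if r and cur["kind"] == "Ranges":
                cur["site"] = r.group(1)    # the address range this RangeN key covers
            elif d:
                cur["maps"].append((d.group(1), int(d.group(2), 16)))
    return sorted((k["kind"], k["site"], proto, ZONES.get(zone, "zone %d" % zone))
                  for k in keys for proto, zone in k["maps"])

if __name__ == "__main__":
    for row in inventory(SAMPLE_REG):
        print("%-8s %-24s %-6s %s" % row)
```

A real registry export is UTF-16 encoded text, so decode the file before passing its contents to `inventory()`.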