Archive for February, 2008

How To Remove VirusHeat rogue antispyware

Monday, February 25th, 2008

WHAT IS THIS
VirusHeat is a rogue antispyware program: it is installed by deceptive means, its purpose is deceptive, and it may display fake scan results to make you think the PC is infected. It usually installs itself onto your PC without your permission, dropped by the Zlob trojan or by a fake audio/video codec.

YOU SHOULD HAVE FOR FIX
Avenger
CCleaner
SmitfraudFix (by S!Ri)

UNINSTALL PROGRAMS
VirusHeat 3.9
VirusHeat 4.3

REGISTRY ITEMS
[-HKEY_CLASSES_ROOT\clsid\{e94eb13e-d78f-0857-7734-5e67a49ffff1}]
[-HKEY_CLASSES_ROOT\interface\{0979850f-6c3e-4294-b225-b3d3c4a6f2a1}]
[-HKEY_CLASSES_ROOT\interface\{1bb2da5f-b78f-44ea-bda1-771cbe1dec68}]
[-HKEY_CLASSES_ROOT\interface\{2a4e73c5-ba3c-4391-b7e5-ffe8d3bd6245}]
[-HKEY_CLASSES_ROOT\interface\{44a923ca-f430-4f85-9f84-5153ecdb882e}]
[-HKEY_CLASSES_ROOT\interface\{4e6e21ec-9d72-4164-8a53-74786a467872}]
[-HKEY_CLASSES_ROOT\interface\{631e9e48-b066-43da-92ac-6dadf61b173b}]
[-HKEY_CLASSES_ROOT\interface\{65c1361c-e696-4af0-9e21-81910193f352}]
[-HKEY_CLASSES_ROOT\interface\{77dce805-c8ce-48aa-a47f-bfa6cc7704b3}]
[-HKEY_CLASSES_ROOT\interface\{8d42769f-07d8-494d-aab4-aa1652c541fa}]
[-HKEY_CLASSES_ROOT\interface\{a1922071-390c-418d-916d-91209e95d286}]
[-HKEY_CLASSES_ROOT\interface\{a1f8cd95-cfb3-43d1-a956-63441cc058c1}]
[-HKEY_CLASSES_ROOT\interface\{a63b46ad-96a7-4a2c-bd8f-8cd097e1593a}]
[-HKEY_CLASSES_ROOT\interface\{a65f98dd-2360-468c-b76e-b1b84c0d547c}]
[-HKEY_CLASSES_ROOT\interface\{ae2aeed0-be1b-4ba2-826e-20d1991081b8}]
[-HKEY_CLASSES_ROOT\interface\{d7f73787-6206-4bba-bdc0-7cfa9940dbcb}]
[-HKEY_CLASSES_ROOT\interface\{e770f739-2968-4ed9-a63c-dc1938dc82a2}]
[-HKEY_CLASSES_ROOT\typelib\{cfafa83c-855b-4e3d-92b9-a587995b675a}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\virusheat 3.9.exe 3.9]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\virusheat 3.9]
[-HKEY_LOCAL_MACHINE\software\virusheat 3.9]

REMOVE FILES
%program_files%\virusheat 3.9\msvcp71.dll
%profile%\application data\microsoft\internet explorer\quick launch\virusheat 3.9.lnk
%profile%\desktop\virusheat 3.9.lnk
%profile%\start menu\programs\virusheat 3.9\uninstall virusheat 3.9.lnk
%profile%\start menu\programs\virusheat 3.9\virusheat 3.9 website.lnk
%profile%\start menu\programs\virusheat 3.9\virusheat 3.9.lnk
%profile%\start menu\virusheat 3.9.lnk
%program_files%\virusheat 3.9\blacklist.txt
%program_files%\virusheat 3.9\lang\english.ini
%program_files%\virusheat 3.9\virusheat 3.9.exe
%program_files%\virusheat 3.9\virusheat 3.9.url
%program_files%\virusheat 3.9\msvcr71.dll
%program_files%\virusheat 3.9\uninst.exe
%program_files%\virusheat 3.9\vht.dat

REMOVE FOLDERS
%profile%\start menu\programs\virusheat 3.9
%program_files%\virusheat 3.9
%program_files%\virusheat 3.9\lang
%program_files%\virusheat 3.9\logs
%program_files%\virusheat 3.9\quarantine

RUN SMITFRAUDFIX

HOW TO DO IT

Remove core.cache.dsk/core.sys [Smitfraud-c.coreservices]

Sunday, February 17th, 2008

WHAT IS THIS
It makes random IE ad pop-ups appear. The pop-ups came from several ad networks: url.cpvfeed.com, xads.zedo.com, searchlocal.ws, aavalue.com, upspiral.com.

Spybot finds Smitfraud-c.core but cannot remove it; the file core.cache.dsk comes back every time you reboot.

YOU SHOULD HAVE FOR FIX
Combofix by sUBs
Avenger

REMOVE FILES
C:\WINDOWS\system32\byxxuvu.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\urqnnmk.dll
C:\WINDOWS\system32\wnstsitr32.exe

REMOVE MALWARE SERVICES
core

RUN COMBOFIX

HOW TO DO IT

How to reboot my computer in the safe mode

Saturday, February 16th, 2008
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Note: for more information, read the article: How to reboot computer in Safe mode.
If your machine cannot enter Safe Mode, download and run SafeBootKeyRepair.exe by sUBs to repair the SafeBoot registry keys, then try again.

webcry.com hijacker

Wednesday, February 13th, 2008

WHAT IS THIS
When you do any kind of search, the search results come up as normal, but when you click a link in the results the page goes blank and you are redirected to webcry.com over and over.

YOU SHOULD HAVE FOR FIX
CCleaner
SmitfraudFix (by S!Ri)

HIJACKTHIS ITEMS
O2 - BHO: (no name) - {4A4CB994-9A38-DF0F-2760-0708BFE8F63A} - C:\Program Files\****\****.dll
O2 - BHO: (no name) - {52EA2AED-161F-45A5-EBAC-0293CA8C771C} - C:\Program Files\****\****.dll
O4 - HKLM\..\Run: [*****] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\*****.dll"

HOW TO REMOVE

Video Add-on and antispyware/security toolbar 7.1

Wednesday, February 13th, 2008

WHAT IS THIS
Security Toolbar 7.1 is an adware program that also installs rogue security applications and displays false alerts on the compromised computer.

YOU SHOULD HAVE FOR FIX
Avenger
SDFix

HIJACKTHIS ITEMS
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{54D4F041-4839-4858-A10E-F62F0AB1AD05}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O22 - SharedTaskScheduler: caribi - {8b87dcc7-9b89-4205-aa82-076b2a1edfe0} - (no file)
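The O17 lines above are the DNS hijack: every adapter GUID, in CCS and in the CS1/CS2 control sets, points at the same pair of resolvers, so fixing only CurrentControlSet leaves copies behind. The script below is an added example (not part of the original post and not code from HijackThis) that parses O17 lines out of a HijackThis log, flags any NameServer outside the resolvers you expect, and lists every control set that still carries one. The four O17 entries are the ones listed above; EXPECTED_DNS and the 192.168.1.1 adapter line are assumptions standing in for what your ISP or domain really hands out.

```python
import re

# Assumed: the resolvers this machine should be using (what DHCP or your domain hands out).
EXPECTED_DNS = {"192.168.1.1"}

# One HijackThis O17 line. CCS is CurrentControlSet; CS1/CS2 are ControlSet001/002, and
# one of those backs "Last Known Good", so a hijack left there survives a fix of CCS alone.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters): "
    r"(?P<name>NameServer|Domain|SearchList) = (?P<value>.+?)\s*$"
)

# Constructed sample log: the four O17 lines from the listing above, one unrelated O4 line
# (ignored by the parser) and one made-up adapter GUID carrying the expected resolver.
SAMPLE_LOG = [line for line in r"""
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{54D4F041-4839-4858-A10E-F62F0AB1AD05}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{15E06EB7-0F4F-401A-8EF1-81ADF145DC22}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
""".splitlines() if line.strip()]


def parse_o17(lines):
    """One dict per O17 entry: control set, interface GUID (or 'Parameters'), name, values."""
    entries = []
    for raw in lines:
        line = raw.strip().replace("\u2013", "-")  # blog software turns ' - ' into an en dash
        m = O17_RE.match(line)
        if not m:
            continue
        entries.append({
            "cset": m["cset"],
            "iface": m["iface"] or "Parameters",
            "name": m["name"],
            "values": [v for v in re.split(r"[,\s]+", m["value"]) if v],
        })
    return entries


def flag_unexpected_dns(lines, expected=EXPECTED_DNS):
    """Map each NameServer not in `expected` to the (control set, interface) pairs carrying it."""
    hits = {}
    for e in parse_o17(lines):
        if e["name"] != "NameServer":
            continue
        for server in e["values"]:
            if server not in expected:
                hits.setdefault(server, []).append((e["cset"], e["iface"]))
    return hits


def control_sets_to_clean(lines, expected=EXPECTED_DNS):
    """Every control set still carrying an unexpected resolver; fixing CCS alone is not enough."""
    pairs = flag_unexpected_dns(lines, expected).values()
    return sorted({cset for where in pairs for cset, _ in where})


if __name__ == "__main__":
    for server, where in flag_unexpected_dns(SAMPLE_LOG).items():
        print(f"{server}: {len(where)} entries across {sorted({c for c, _ in where})}")
    print("control sets to fix:", control_sets_to_clean(SAMPLE_LOG))
```

Run it over a saved HijackThis log (read the file and pass its lines to flag_unexpected_dns), fix every control set it names rather than only CCS, then confirm with ipconfig /all that each adapter is back on the expected resolvers.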

REGISTRY ITEMS
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8249E69-A809-4544-832F-64EB65747A92}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"=-
[-HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[-HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"=-
"{EFAF6EA3-615D-4F83-8748-2F7A576FCEA6}"=-
[-HKEY_CLASSES_ROOT\clsid\{efaf6ea3-615d-4f83-8748-2f7a576fcea6}]

HOW TO REMOVE

cyberstoll.com, search-daily.com hijackers

Wednesday, February 13th, 2008

WHAT IS THIS
When you do a Google search you get the search results as normal, but if you click on one of them you are redirected to cyberstoll.com or search-daily.com.

YOU SHOULD HAVE FOR FIX
SmitfraudFix (by S!Ri)
CCleaner
LspFix

HIJACKTHIS ITEMS
O2 – BHO: (no name) – {F71D25F6-E9F6-401B-AD3D-AB9F7D36E6C7} – C:\WINDOWS\system32\dinpu.dll

HOW TO REMOVE

CID popups

Wednesday, February 13th, 2008

WHAT IS THIS
The CiD pop-up is an optional sponsor component of Windows Live! Plus! (a Messenger add-on). During installation it asks whether you would like to show your support by installing integrated sponsor support (adware sanctioned by Microsoft).

If you have this installed on your PC, go to Start > Control Panel > Add or Remove Programs, select Microsoft Live Plus, and you will get the option of removing only the sponsor support.

YOU SHOULD HAVE FOR FIX
SmitfraudFix (by S!Ri)
NoLop
CCleaner
SuperAntiSpyware Home Edition Free Version

HIJACKTHIS ITEMS

HOW TO REMOVE

Self instructions – how to remove malware

Tuesday, February 12th, 2008

What you should have:
1. anti spyware programs
2. hijackthis items and/or registry items for removing
3. files / folders for removing

Your steps:

1. Uninstall programs
Go to Start > Control Panel > Add or Remove Programs and remove the PROGRAM_NAME, if found.

2. Reboot your computer in Safe Mode.
3. Fix hijackthis items.

Start HijackThis. Click “Do a system scan only.” and put a checkmark next to the ITEMS. Click ‘Fix checked’.

4. Reboot your PC in the normal mode.
5. Fix registry items.

Open Notepad and copy/paste the text in the quote box below into it:

REGEDIT4

REMOVE THIS LINE AND INCLUDE REGISTRY ITEMS

Save this as fix.reg to your Desktop (remember to select Save as type: All Files in Notepad, otherwise it will be saved as fix.reg.txt and will not merge).
Double-click on the fix.reg. When it asks if you would like to merge the information, press the Yes button and then the OK button when it is done.

6. Remove malware service.

Open notepad and then copy and paste the lines below into it.

@echo off
sc stop SERVICE_NAME
sc delete SERVICE_NAME

Go to File > Save As, name the file fixes.bat, change the Save as type to All Files and save it to your desktop.
Double-click on fixes.bat file to execute it.

7a. Remove folders.

Run Avenger.
Check the 'Input script manually' option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following text:

Folders to delete:
FOLDERS FOR REMOVING, ONE FOLDER IN ONE LINE

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

7b. Remove files.

Run Avenger.
Check the 'Input script manually' option. Click the Magnifying Glass icon. In the box that opens, copy, then paste the following text:

Files to delete:

FILES FOR REMOVING, ONE FILE IN ONE LINE

Then click on ‘Done’.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
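Steps 5 to 7 produce three hand-typed text files with three different syntaxes, and a single slip (a space after the '-' in '[- HKEY', a smart quote pasted from a web page, a missing REGEDIT4 header) means the line does nothing when merged. The Python script below is an added example, not from the original post or from any of the tools it names: it builds fix.reg, fixes.bat and the Avenger input script from one removal list, drops repeated entries (the listings above contain several), and checks the .reg text before you merge it. The sample entries come from the VirusHeat and Security Toolbar listings above; the expansions of %program_files% and %profile%, which are placeholders on this page and not real Windows variables, are assumptions for an English Windows XP machine.

```python
import re

# Placeholders as used in the listings on this page. The paths they expand to are
# assumptions (XP-era defaults); edit them to match the infected machine.
PLACEHOLDERS = {
    "%program_files%": r"C:\Program Files",
    "%profile%": r"C:\Documents and Settings\Administrator",
}

HIVES = r"HKEY_(CLASSES_ROOT|CURRENT_USER|LOCAL_MACHINE|USERS|CURRENT_CONFIG)"
KEY_LINE = re.compile(r"^\[-?" + HIVES + r"\\[^\]]+\]$")   # '[KEY]' or '[-KEY]', no space
VALUE_LINE = re.compile(r'^(?:@|"[^"]+")=')                 # '"name"=-' or '"name"="..."'
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def expand(path):
    """Replace the page's placeholders case-insensitively; the lambda keeps backslashes literal."""
    for ph, real in PLACEHOLDERS.items():
        path = re.sub(re.escape(ph), lambda _m: real, path, flags=re.IGNORECASE)
    return path


def dedupe(items):
    """Drop repeated entries while keeping the original order."""
    return list(dict.fromkeys(items))


def build_reg(keys_to_delete, values_to_delete):
    """REGEDIT4 text: '[-KEY]' removes a whole key, '"name"=-' removes one value under a key."""
    lines = ["REGEDIT4", ""]
    for key in dedupe(keys_to_delete):
        lines += [f"[-{key}]", ""]          # '-' directly after '[', then the hive name
    for key, names in values_to_delete.items():
        lines.append(f"[{key}]")
        lines += [f'"{name}"=-' for name in dedupe(names)]
        lines.append("")
    return "\r\n".join(lines)


def validate_reg(text):
    """Return (line number, text) for lines regedit would not apply: bad header,
    '[- HKEY' with a space, smart quotes, or anything that is neither a key nor a value."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        problems.append((1, "missing REGEDIT4 header"))
    for n, line in enumerate(lines[1:], 2):
        s = line.strip()
        if not s:
            continue
        if any(c in s for c in SMART_QUOTES):
            problems.append((n, s))
        elif s.startswith("["):
            if not KEY_LINE.match(s):
                problems.append((n, s))
        elif not VALUE_LINE.match(s):
            problems.append((n, s))
    return problems


def build_bat(services):
    """fixes.bat: stop, then delete, each malware service by its short service name."""
    lines = ["@echo off"]
    for svc in dedupe(services):
        lines += [f"sc stop {svc}", f"sc delete {svc}"]
    return "\r\n".join(lines) + "\r\n"


def build_avenger(files, folders):
    """Avenger input script with both sections, placeholders expanded, duplicates dropped."""
    lines = ["Files to delete:"] + [expand(f) for f in dedupe(files)]
    lines += ["", "Folders to delete:"] + [expand(d) for d in dedupe(folders)]
    return "\r\n".join(lines) + "\r\n"


# Sample removal list taken from the VirusHeat and Security Toolbar listings above.
VIRUSHEAT_KEYS = [
    r"HKEY_CLASSES_ROOT\clsid\{e94eb13e-d78f-0857-7734-5e67a49ffff1}",
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\virusheat 3.9",
    r"HKEY_LOCAL_MACHINE\software\virusheat 3.9",
]
TOOLBAR_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar":
        ["{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"],
}
VIRUSHEAT_FILES = [
    r"%program_files%\virusheat 3.9\virusheat 3.9.exe",
    r"%program_files%\virusheat 3.9\vht.dat",
    r"%program_files%\virusheat 3.9\virusheat 3.9.exe",   # repeated, as in the listing
]
VIRUSHEAT_FOLDERS = [r"%program_files%\virusheat 3.9", r"%profile%\start menu\programs\virusheat 3.9"]

if __name__ == "__main__":
    outputs = (("fix.reg", build_reg(VIRUSHEAT_KEYS, TOOLBAR_VALUES)),
               ("fixes.bat", build_bat(["core"])),
               ("avenger.txt", build_avenger(VIRUSHEAT_FILES, VIRUSHEAT_FOLDERS)))
    for name, text in outputs:
        with open(name, "w", newline="") as fh:   # newline="" keeps the CRLF line endings
            fh.write(text)
        print(f"== {name} ==\n{text}")
    print("fix.reg problems:", validate_reg(outputs[0][1]))
```

Run validate_reg on any fix.reg you typed by hand before double-clicking it; an empty list means every line is a well-formed key or value line under a proper header.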

8a. Run combofix

Close any open browsers. Double click on combofix.exe and follow the prompts.

8b. Run SmitfraudFix

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press 2 on your keyboard and then Enter to choose the option Clean (safe mode recommended).

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer Yes by typing Y and pressing Enter, in order to remove the desktop background and clean the registry keys associated with the infection.

The tool will now check whether wininet.dll is infected. You may be prompted to replace the infected file (if found); answer Yes by typing Y and pressing Enter.
The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

8c. Run SuperAntiSpyware

On the main screen click 'Scan your computer'. Check 'Perform Complete Scan' and click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it has finished it will list any infections found. Make sure everything found has a checkmark next to it, then press 'Next'. Click 'Finish' when you are done.

8d. SDFix

Open the SDFix folder and double-click RunThis.bat.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

9. Run ccleaner

Click the Analyze button. After it has scanned your system, click Run Cleaner.

10. Reset system restore
Disable System Restore to flush out infected restore points, reboot your computer, then turn System Restore back on. Do this only as the last step, once you are sure the machine is clean, because it also discards your only rollback. Then click Start > All Programs > Accessories > System Tools > System Restore, click "Create a restore point", click Next and follow the prompts.