2007 June | MalwareTeks Blog


Archive for June, 2007

Justice Department Alerts Public about Fraudulent Spam Email

Saturday, June 30th, 2007

The Department of Justice has recently become aware of fraudulent spam e-mail messages claiming to be from DOJ. Based upon complaints from the public, it is believed that the fraudulent messages are addressed “Dear Citizen.” The messages are believed to assert that the recipients or their businesses have been the subject of complaints filed with DOJ and also forwarded to the Internal Revenue Service. In addition, such email messages may provide a case number, and state that the complaint was “filled [sic] by Mr. Henry Stewart.” A DOJ logo may appear at the top of the email message or in an attached file. Finally, the message may include an attachment that supposedly contains a copy of the complaint and contact information for Mr. Stewart. THESE EMAIL MESSAGES ARE A HOAX. DO NOT RESPOND.

The Department of Justice did not send these unsolicited email messages—and would not send such messages to the public via email. Similar hoaxes have been recently perpetrated in the names of various governmental entities, including the Federal Bureau of Investigation, the Federal Trade Commission, and the Internal Revenue Service. Email users should be especially wary of unsolicited warning messages that purport to come from U.S. governmental agencies directing them to click on file attachments or to provide sensitive personal information.

These spam email messages are bogus and should be immediately deleted. Computers may be put at risk simply by an attempt to examine these messages for signs of fraud. It is possible that by “double-clicking” on attachments to these messages, recipients will cause malicious software – e.g., viruses, keystroke loggers, or other Trojan horse programs – to be launched on their computers.

Do not open any attachment to such messages. Delete the e-mail. Empty the deleted items folder.

If you have received this, or a similar hoax, please file a complaint at www.ic3.gov.

Consumers can learn more about protecting themselves from malicious spyware and bogus e-mails at OnGuardOnline.gov, a Web site created by the Department of Justice in partnership with other federal agencies and the technology industry to help consumers stay safe online. The site features modules on spyware and phishing, at http://onguardonline.gov/spyware.html and http://onguardonline.gov/phishing.html

Reference: http://www.usdoj.gov/opa/pr/2007/June/07_crm_465.html

Remove Ultimate Defender Rogue Application

Saturday, June 30th, 2007

Ultimate Defender is a rogue security program that uses a flawed, inadequate detection scheme, and its false positives serve as a goad to purchase. Same application as 1stAntiVirus, KillSpy, SpyDeface, SpyContra, & XSRemover.

Ultimate Defender Image 1

Ultimate Defender Image 2

Ultimate Defender Image 3

Download to your Desktop:
RogueRemover by MalwareBytes
VundoFix by Atribune

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Run VundoFix

  • Double-click VundoFix.exe to run it.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it’s done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

The Vundo fix log is found at C:\VundoFix.txt
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from “Click the Scan for Vundo button.” when VundoFix appears at reboot.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and all other browsers, and close any instances of Windows Explorer.

For Internet Explorer 7

  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete… under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.

For Internet Explorer 4.x - 6.x

  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

For Netscape 4.x and Up

  • Click Edit from the Netscape menubar.
  • Click Preferences… from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

  • Click Edit from the Mozilla menubar.
  • Click Preferences… from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.

For Opera

  • Click File from the Opera menubar.
  • Click Preferences… from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.

Next, click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click OK, then Apply and OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Because some variants of Vundo can be difficult to remove, it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

  1. VundoFix log
  2. ISeeYouXp log
  3. HijackThis log
  4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Remove Ultimate Cleaner Rogue Application

Saturday, June 30th, 2007

Ultimate Cleaner is a rogue security program that provides minimal or no protection, and its false positives serve as a goad to purchase. Ultimate Cleaner is a Winfixer clone and looks very much like System Doctor. Ultimate Cleaner is installed by means of an Internet Explorer hijack or directly from the vendor’s website.

Ultimate Cleaner Image 1

Download to your Desktop:
RogueRemover by MalwareBytes
VundoFix by Atribune

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Run VundoFix

  • Double-click VundoFix.exe to run it.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it’s done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

The Vundo fix log is found at C:\VundoFix.txt
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from “Click the Scan for Vundo button.” when VundoFix appears at reboot.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and all other browsers, and close any instances of Windows Explorer.

For Internet Explorer 7

  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete… under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.

For Internet Explorer 4.x - 6.x

  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

For Netscape 4.x and Up

  • Click Edit from the Netscape menubar.
  • Click Preferences… from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

  • Click Edit from the Mozilla menubar.
  • Click Preferences… from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.

For Opera

  • Click File from the Opera menubar.
  • Click Preferences… from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.

Next, click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click OK, then Apply and OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 4: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question “Restore Trusted Zone ?” by typing Y and hit Enter.

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Because some variants of Vundo can be difficult to remove, it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

  1. VundoFix log
  2. ISeeYouXp log
  3. HijackThis log
  4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Remove SpyVampire Rogue Anti-Spyware Application

Saturday, June 30th, 2007

SpyVampire is a rogue security program that provides minimal or no protection, and its false positives serve as a goad to purchase. It shows poor scan reports and false detections. The tool displays fake alerts and greatly exaggerates low-level threats as critical ones. It will not remove any threats until the trial copy is purchased. SpyVampire is a variant of SpyLocked, SpywareLocked, SpyDawn and SpywareQuake. SpyVampire is considered a security risk and is recommended to be removed immediately.

SpyVampire Image 1

SpyVampire Alert

Download to your Desktop:
RogueRemover by MalwareBytes
SmitFraudFix by S!Ri

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Double-click smitfraudfix.exe

Select option #1 - Search by typing 1 and press Enter

This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

Note: process.exe (which is used by SmitFraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user. The link below describes what process.exe is.

http://www.beyondlogic.org/consulting/processutil/processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

RENAME THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Please print out or copy these instructions to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below.

Reboot your computer into Safe Mode.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted: “Registry cleaning - Do you want to clean the registry ?” Answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question “Replace infected file ?” by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, restart it yourself manually. BUT reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

STEP 3: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and all other browsers, and close any instances of Windows Explorer.

For Internet Explorer 7

  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete… under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.

For Internet Explorer 4.x - 6.x

  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

For Netscape 4.x and Up

  • Click Edit from the Netscape menubar.
  • Click Preferences… from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

  • Click Edit from the Mozilla menubar.
  • Click Preferences… from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.

For Opera

  • Click File from the Opera menubar.
  • Click Preferences… from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.

Next, click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click OK, then Apply and OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 4: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question “Restore Trusted Zone ?” by typing Y and hit Enter.

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Since one infection is often accompanied by other infections it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

  1. Both rapport.txt logs from SmitFraudFix
  2. ISeeYouXp log
  3. HijackThis log
  4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Fake Microsoft Patch Spam Email Making Its Rounds

Wednesday, June 27th, 2007

Reported on SANS Internet Storm Center

If you receive an email with the subject Microsoft Security Bulletin MS07-0065 - Critical Update that appears to be from “Microsoft Corp.” update@microsoft.com, ignore it; it is a fake.

The body of the message will start like this:

You are receiving this message because you are using Genuine Microsoft Software and your e-mail address has been subscribed to the Microsoft Windows Update mailing list.

A new 0-day vulnerability has appeared in the wild and was reported for the first time Monday, June 18th. The vulnerability affects machines running MICROSOFT OUTLOOK and allows an attacker to take full control of the vulnerable computer if the exploitation process is succesfull.

Since then, more than 100,000 machines have been reported as exploited and used to promote spammy pharmacy products such as viagra and cialis.

An update has been released to fix this issue and can be downloaded from the following link :

You will be asked to download a patch:
Filename:MSOUTRC2007Update-KB863892.exe
File length: 20480 bytes
MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc

This appears to be a Downloader and installs Smitfraud.c.

Microsoft does not send email notifications to users about Windows Updates. If you receive emails of this nature, delete them immediately. Do not click on any links provided in the email.
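The DOJ hoax and this fake-patch mail share the same tells: a spoofed agency or vendor sender, a generic greeting, an executable attachment, and (here) a bulletin id that does not follow Microsoft's MSyy-nnn format. The following is an added example, not code from either post or from the tools it mentions; it scores a message against those indicators using the attachment name and MD5 quoted above, and the three sample messages are constructed, not real captures.

```python
"""Score e-mail against the hoax indicators quoted in the posts above."""
from __future__ import annotations

import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Senders the posts say never push warnings or patches by unsolicited e-mail.
IMPERSONATED_DOMAINS = {"microsoft.com", "usdoj.gov", "fbi.gov", "ftc.gov", "irs.gov"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Attachment indicators quoted from the fake-patch post (MD5 is the page's value).
KNOWN_BAD_NAME = "msoutrc2007update-kb863892.exe"
KNOWN_BAD_MD5 = "c7a8bde380043b5d8d7229e82db1c2fc"
# Genuine bulletin ids use three digits after the dash (MSyy-nnn); the
# spam's "MS07-0065" has four, which this regex lets us catch.
BULLETIN_RE = re.compile(r"\bMS\d{2}-(\d+)\b")


def sender_domain(msg: EmailMessage) -> str:
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def score_message(raw: bytes) -> tuple[int, list[str]]:
    """Return (score, reasons); a score of 3 or more warrants quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []
    domain = sender_domain(msg)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    haystack = str(msg.get("Subject", "")) + "\n" + text

    impersonates = domain in IMPERSONATED_DOMAINS or any(
        domain.endswith("." + d) for d in IMPERSONATED_DOMAINS
    )
    if impersonates:
        score += 1
        reasons.append(f"claims to come from {domain}")
    if re.search(r"\bDear Citizen\b", text, re.IGNORECASE):
        score += 1
        reasons.append("generic 'Dear Citizen' greeting")
    for m in BULLETIN_RE.finditer(haystack):
        if len(m.group(1)) != 3:
            score += 2
            reasons.append(f"malformed bulletin id {m.group(0)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            # An executable from a spoofed vendor/agency is the core lure on this page.
            score += 2 if impersonates else 1
            reasons.append(f"executable attachment {name}")
        if name == KNOWN_BAD_NAME:
            score += 3
            reasons.append("attachment name matches the known downloader")
        if hashlib.md5(data).hexdigest() == KNOWN_BAD_MD5:
            score += 5
            reasons.append("attachment MD5 matches the known downloader")
    return score, reasons


def build_sample(sender: str, subject: str, text: str,
                 attachment: tuple[str, bytes] | None = None) -> bytes:
    """Assemble a constructed sample message (not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content(text)
    if attachment:
        m.add_attachment(attachment[1], maintype="application",
                         subtype="octet-stream", filename=attachment[0])
    return m.as_bytes()


# Constructed samples modelled on the two posts; the executable bodies are dummies.
FAKE_PATCH = build_sample(
    '"Microsoft Corp." <update@microsoft.com>',
    "Microsoft Security Bulletin MS07-0065 - Critical Update",
    "You are receiving this message because you are using Genuine Microsoft "
    "Software.\nAn update has been released to fix this issue.",
    ("MSOUTRC2007Update-KB863892.exe", b"MZ" + b"\x00" * 30),
)
DOJ_HOAX = build_sample(
    "complaints@usdoj.gov",
    "Complaint filed against your business",
    "Dear Citizen,\n\nA complaint was filed by Mr. Henry Stewart. See attached.",
    ("complaint.exe", b"MZ" + b"\x00" * 30),
)
LEGIT = build_sample("alice@example.org", "Lunch on Friday?", "Free for lunch Friday?")

if __name__ == "__main__":
    for label, raw in (("fake patch", FAKE_PATCH), ("DOJ hoax", DOJ_HOAX), ("legit", LEGIT)):
        print(label, score_message(raw))
```

The MD5 comparison only fires on the exact sample the post describes; the structural checks are what catch the next variant.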

If you have fallen victim to this scam it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

  1. ISeeYouXp log
  2. HijackThis log
  3. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Remove VirusHeal Rogue Anti-Spyware Application

Wednesday, June 27th, 2007

VirusHeal is a rogue antispyware utility that uses false positives to lure the user into buying the product. Same application as SpyCrush, SpyDawn, SpywareQuake, VirusBurst, VirusBursters & SpyHeal; associated with SpyAxe, SpyFalcon and SpywareStrike.

VirusHeal Image 1

Download to your Desktop:
RogueRemover by MalwareBytes
SmitFraudFix by S!Ri

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Double-click smitfraudfix.exe

Select option #1 - Search by typing 1 and press Enter

This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

Note: process.exe (which is used by SmitFraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user. The link below describes what process.exe is.

http://www.beyondlogic.org/consulting/processutil/processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

RENAME THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Please print out or copy these instructions to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below.

Reboot your computer into Safe Mode.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted: “Registry cleaning - Do you want to clean the registry ?” Answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question “Replace infected file ?” by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, restart it yourself manually. BUT reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

STEP 3: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and all other browsers, and close any instances of Windows Explorer.

For Internet Explorer 7

  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete… under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.

For Internet Explorer 4.x - 6.x

  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

For Netscape 4.x and Up

  • Click Edit from the Netscape menubar.
  • Click Preferences… from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

  • Click Edit from the Mozilla menubar.
  • Click Preferences… from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.

For Opera

  • Click File from the Opera menubar.
  • Click Preferences… from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.

Next, click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click OK, then Apply and OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 4: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question “Restore Trusted Zone ?” by typing Y and hit Enter.

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Since one infection is often accompanied by other infections it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

  1. Both rapport.txt logs from SmitFraudFix
  2. ISeeYouXp log
  3. HijackThis log
  4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Additional Information:
SpyHeal becomes VirusHeal
A new fake codec and a new rogue antispyware app
Whois Record for Virusheal.com (Virus Heal)

Hackers exploit Windows patches

Wednesday, June 27th, 2007

By Mark Ward
BBC News Online technology correspondent

Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows, say experts.

Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft’s security business and technology unit.

In a keynote speech to the E-Crime Congress organised by Britain’s National Hi-Tech Crime Unit, Mr Aucsmith said the tools that hackers were producing were getting better and shrinking the time between patches being issued and exploits being widely known.

[Read the full Article]

E107 Signup.PHP Arbitrary File Upload Vulnerability

Wednesday, June 27th, 2007

Security Focus
Class: Input Validation Error
Remote: Yes
Local: No
Published: Jun 25 2007 12:00AM
Updated: Jun 25 2007 12:00AM
Credit: Clorox is credited with the discovery of this vulnerability.

e107 is prone to an arbitrary-file-upload vulnerability because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to upload PHP script code and execute it in the context of the webserver process.

This issue affects version 0.7.8; prior versions may also be vulnerable.

Solution: Patch available from e107.org.

This patch fixes a fairly major security flaw in e107’s upload handler. Extract the file and upload it to your e107_handlers/ directory, overwriting the old file.

Download Patch: click to open link in new window

NOTE: This exploit does not affect the MalwareTeks main site. This appears to be more of an issue with server security on the host end than with the e107 CMS. Anyway, the vulnerability report did reveal a security flaw in e107’s Upload Handler.

This only reinforces that you must keep your software up to date. This applies to the software that powers your website as well as the OS that powers your computer and the software you use.

Users of the e107 CMS should update to v0.7.8 immediately if they are running older versions of the CMS and apply the Upload Handler patch. Users of e107 v0.7.8 or v0.7.8+ should apply the Upload Handler patch. Make sure that filetypes.php is configured correctly to disallow the upload of html, php and other script files by users.
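What "disallow the upload of html, php and other script files" has to mean in practice is shown below as an added example; it is not e107's handler code or its patch. The weak check is an illustrative pattern (a deny-list on the final extension), the hardened version applies an assumed allow-list, rejects a script extension anywhere in the name, and confirms the file's leading bytes match the declared type; the sample payloads are constructed.

```python
"""Upload-name and content validation: a weak check beside a hardened one."""
from __future__ import annotations

import secrets

# Extensions the web server would execute or render if stored under the
# document root; the page's advice is to disallow html, php and other scripts.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "html", "htm",
               "shtml", "js", "cgi", "pl", "py", "asp", "aspx", "jsp"}
# Allow-list of what the site actually needs users to upload (assumed set).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}
# Leading bytes a file of the declared type must begin with.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "gif": b"GIF8", "pdf": b"%PDF-", "zip": b"PK\x03\x04"}


def weak_check(filename: str) -> bool:
    """Illustrative weak check: a deny-list on the final extension only.
    It accepts 'shell.PHP', 'shell.phtml' and 'shell.php.jpg' unchanged."""
    return not filename.endswith((".php", ".html"))


def validate_extension(filename: str) -> str | None:
    """Return the canonical extension if the name is acceptable, else None."""
    if "\x00" in filename:
        return None                      # NUL truncation tricks in C-based servers
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().strip(".")
    if not base or "." not in base:
        return None                      # no extension (or a dotfile): cannot classify
    parts = base.lower().split(".")      # case-insensitive: .PHP is still PHP
    exts = parts[1:]
    if any(e in SCRIPT_EXTS for e in exts):
        return None                      # script extension anywhere in the name
    if exts[-1] not in ALLOWED_EXTS:
        return None                      # allow-list, not deny-list
    return exts[-1]


def content_matches(ext: str, data: bytes) -> bool:
    """Reject a payload whose leading bytes contradict the declared type."""
    sig = MAGIC.get(ext)
    return sig is None or data.startswith(sig)


def accept_upload(filename: str, data: bytes) -> str | None:
    """Return the name to store the file under, or None to reject the upload.

    The stored name is server-generated (random token plus validated extension),
    so the client never controls the path the file lands on."""
    ext = validate_extension(filename)
    if ext is None or not content_matches(ext, data):
        return None
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: a JPEG header and PHP source under a JPEG name.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    php_in_disguise = b"<?php echo 'hello'; ?>"
    print("photo.jpg (real):", accept_upload("photo.jpg", jpeg))
    print("photo.jpg (php): ", accept_upload("photo.jpg", php_in_disguise))
    print("shell.php.jpg passes weak check:", weak_check("shell.php.jpg"))
    print("shell.php.jpg passes hardened:", validate_extension("shell.php.jpg"))
```

Whatever the allow-list, the upload directory itself should still be served with script execution disabled, so a validation slip does not become code execution.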

Remove SpyLocked Rogue Anti-Spyware Application

Sunday, June 24th, 2007

SpyLocked is a rogue antispyware utility that uses false positives to lure the user into buying the product. SpyLocked uses aggressive, deceptive advertising; and stealth installs. Same application as AdwareDelete, AntiSpyZone, AntiVirus Gold, MalwareWiped, SpyAxe, SpyFalcon, Spyware Sheriff, SpywareStrike, TitanShield AntiSpyware, & VirusBlast

SpyLocked Image 1

SpyLocked Image 2

Download to your Desktop:
RogueRemover by MalwareBytes
SmitFraudFix by S!Ri

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Double-click smitfraudfix.exe

Select option #1 - Search by typing 1 and press Enter

This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

Note: process.exe (which is used by SmitFraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user. The link below describes what process.exe is.

http://www.beyondlogic.org/consulting/processutil/processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

RENAME THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Please print out or copy these instructions to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below.

Reboot your computer into Safe Mode.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted: “Registry cleaning - Do you want to clean the registry ?” Answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question “Replace infected file ?” by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, restart it yourself manually. BUT reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

STEP 3: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and all other browsers, and close any instances of Windows Explorer.

For Internet Explorer 7

  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete… under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.

For Internet Explorer 4.x - 6.x

  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

For Netscape 4.x and Up

  • Click Edit from the Netscape menubar.
  • Click Preferences… from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

  • Click Edit from the Mozilla menubar.
  • Click Preferences… from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.

For Opera

  • Click File from the Opera menubar.
  • Click Preferences… from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 4: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #3 - Delete Trusted zone by typing 3 and press Enter.

Answer Yes to the question “Restore Trusted Zone ?” by typing Y and hitting Enter.

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
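As an added, read-only check (example code, not part of the MalwareTeks guide or of SmitFraudFix), the PowerShell script below lists the Active Desktop web components that Step 3 has you inspect and the Trusted sites zone entries that option 3 clears in Step 4, so you can record what is present before and after the tool runs. It assumes the standard per-user registry locations for both; nothing is deleted or changed.

```powershell
# Added example, not from the MalwareTeks post or SmitFraudFix.
# Read-only audit of two places this infection family touches:
#  1. Active Desktop web components (the "Security info" entry in Step 3)
#  2. Trusted sites zone entries (removed by SmitFraudFix option 3, Step 4)
# Assumed registry paths are the standard per-user locations.

$components = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
if (Test-Path $components) {
    Get-ChildItem $components | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # A local file:// URL or a drive path as the Source is the usual sign
        # of the hijacked desktop item described in Step 3.
        $local = ($p.Source -match '^(file:|[A-Za-z]:\\)')
        New-Object PSObject -Property @{
            Component  = $_.PSChildName
            Name       = $p.FriendlyName
            Source     = $p.Source
            LocalFile  = $local
        }
    } | Format-Table Component, Name, Source, LocalFile -AutoSize
} else {
    Write-Output 'No Active Desktop web components are registered.'
}

$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path $zoneMap) {
    # Each domain (and optional host subkey) holds values named after the URL
    # scheme; a value of 2 places that domain in the Trusted sites zone.
    Get-ChildItem $zoneMap -Recurse | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        $entry = $_.PSPath -replace '.*\\Domains\\', ''
        foreach ($scheme in @('http', 'https', '*')) {
            if ($props.$scheme -eq 2) {
                New-Object PSObject -Property @{ Entry = $entry; Scheme = $scheme }
            }
        }
    } | Format-Table Entry, Scheme -AutoSize
} else {
    Write-Output 'No Trusted sites zone entries are registered.'
}
```

Run it once before Step 2 and again after Step 4; any entry that reappears after cleaning points to a component the tool did not remove.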

Since one infection is often accompanied by other infections it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

  1. Both rapport.txt logs from SmitFraudFix
  2. ISeeYouXp log
  3. HijackThis log
  4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Remove SpyCrush Rogue Anti-Spyware Application

Saturday, June 23rd, 2007

SpyCrush is a rogue antispyware utility that uses false positives to lure the user into buying the product.

SpyCrush Image 1

SpyCrush Image 2

Download to your Desktop:
RogueRemover by MalwareBytes
SmitFraudFix by S!Ri

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Double-click smitfraudfix.exe

Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

Note: process.exe (which is used by SmitFraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user. The link below explains what process.exe is.

http://www.beyondlogic.org/consulting/processutil/processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

RENAME THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Please print out or copy these instructions to Notepad, because the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below.

Reboot your computer into Safe Mode.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted: “Registry cleaning - Do you want to clean the registry ?” Answer Yes by typing Y and hitting Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question “Replace infected file ?” by typing Y and hitting Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please restart it yourself manually, BUT reboot into Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

Since one infection is often accompanied by other infections it is advised that you complete the steps in our Malware Cleaning Guide.


Content © 2006-2008 MalwareTeks - Every post is the opinion of the author

All works are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
