smitfraud-c.MSVPS

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gdblackthorn, Feb 19, 2008.

  1. gdblackthorn

    gdblackthorn Private E-2

I am working on a friend's computer. This is one of the worst cases of trojans, viruses, and spyware I have ever seen. The CPU always ran at 100%, Windows Task Manager constantly flickered because of the changes in what was running in the background, Spydawn (the nasty culprit), msconfig would not run, safe mode would not work, and it always attempted to connect to the internet (I kept the internet disconnected and ran older versions of software & tools to start the cleanup since it was so bad). It had Spydawn and a host of nasties (close to 300 of em). Once Spydawn and some others were wiped out I updated the software and anti-virus files.

    After the smoke cleared I was stuck with:
    rootkit - forgot which one it had
    pws.LDPinchIE - password stealer - removed with Combofix!!!
    smitfraud-c
    smitfraud-c.MSUPS
    Zlob.VideoAccessActive-XObject - finally removed by SuperAntiSpyware!!!

    I have worked more than a week to get the computer clean and have run a plethora of Antivirus, Trojan, antispyware, and special tools to clean it up. I followed your instructions on running MGtools.

    Ad-Aware 2007 7.0.2.6
    ATF Cleaner
    ComboFix
    Hijack this 1.99 (though I did nothing but look at the results)
    MGtools
    Portable Rootkit Revealer
    Rootkit 386 removal
    Smitrem 3.2
    Spybot - Search & Destroy 1.5.2
    SmitfraudFix.exe (to remove Spydawn, and smitfraud)
    SUPERAntiSpyware Professional v3.9.0
    Trojan Remover v6.6.5 Build 2509


As part of an experiment I also ran the following. I wanted to see if they could find or remove what the others could not.

Aries Rootkit Remover 1.0
    Avast! 1.0.209
    AVG Anti-Spyware 7.5
    CCleaner 2.02.525
    Clam Win 1.1.4.3
    CWShredder 2.19
    Ewido micro
    Kaspersky AntiVirus 6.0.1.41
    McAfee Stinger 2.6
    McAfee Virus Scan 1.0.3
    NOD32 v2.70.39
    Portable Antivirus 2007 - 15in1
    Portable Spyware Doctor
    RootKit Revealer 1.56.0.0
    Trend Micro Sys Cleaner
    XoftSpySE v4.31.245

    To make a long story shorter, I have been stuck with smitfraud-c.MSUPS which was found by Spybot - Search & Destroy. After many attempts to remove it (including safe mode), it is the only thing I cannot remove, even with the SmitfraudFix.exe & Smitrem 3.2 tools.

    NOTE: I could not find any SUPERAntiSpyware log file by the name of SASlog.txt (I did a search), but I did upload the latest SUPERAntiSpyware log file I could find.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    First please put your PC into normal startup mode as requested in step 1 of the READ ME. You are currently using MSconfig to control startups.

You have a service from Kaspersky trying to load but you are using Symantec, so let's fix this.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to AVP
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKUS\S-1-5-18\..\Run: [Ujisdfns89fu98ndf] C:\WINDOWS\TEMP\svchast.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Ujisdfns89fu98ndf] C:\WINDOWS\TEMP\svchast.exe (User 'Default user')
    O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
    O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    RKL3.tmp
     
    File::
    C:\WINDOWS\system32\drivers\RKL3.tmp.sys
    C:\WINDOWS\TEMP\svchast.exe
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Ujisdfns89fu98ndf"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "SpecifyDefaultButtons"=-
    "Btn_Search"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Owner\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
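The O4/O16 lines picked out above show the pattern worth recognising in any HijackThis-style listing: an autorun value with a random-looking name under the SYSTEM and .DEFAULT hives that points at a svchost look-alike living in C:\WINDOWS\TEMP, and ActiveX downloads (O16 DPF) from a non-Microsoft site or with no target at all. The script below is an added example written for this page, not part of the thread or of any MajorGeeks tool. It applies those checks to a constructed sample log (the lines quoted above plus a benign Java updater entry and a Symantec service line for contrast); the DPF host allow-list and the list of mimicked system-binary names are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample log: the O4/O16 lines quoted in the thread, plus a benign
# Java updater entry (line 1) and a Symantec service line (line 6) for contrast.
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe"
O4 - HKUS\\S-1-5-18\\..\\Run: [Ujisdfns89fu98ndf] C:\\WINDOWS\\TEMP\\svchast.exe (User 'SYSTEM')
O4 - HKUS\\.DEFAULT\\..\\Run: [Ujisdfns89fu98ndf] C:\\WINDOWS\\TEMP\\svchast.exe (User 'Default user')
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O23 - Service: Symantec Core LC - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe
"""

# Assumed allow-list: hosts an O16 ActiveX download is normally expected from
ALLOWED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")
# Assumed list of Windows system binaries whose names malware commonly mimics
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$")


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def levenshtein(a, b):
    """Edit distance, used to catch one-character look-alikes such as svchast/svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_o4(line_no, m):
    out = []
    name, cmd = m["name"], m["cmd"].strip().strip('"')   # arguments are not split off
    image, folder = ntpath.basename(cmd).lower(), ntpath.dirname(cmd).lower()
    if re.search(r"\\temp\\", cmd, re.I):
        out.append(Finding(line_no, "temp_path", f"autorun image in a Temp folder: {cmd}"))
    for known in SYSTEM_NAMES:
        d = levenshtein(image, known)
        if d == 1:
            out.append(Finding(line_no, "lookalike", f"{image} is one edit away from {known}"))
        elif d == 0 and not folder.endswith("\\system32"):
            out.append(Finding(line_no, "misplaced_system_name", f"{image} outside system32: {folder}"))
    # Heuristic: long value names mixing letters and digits are usually generated, not chosen
    if len(name) >= 12 and re.search(r"[a-z]+\d+[a-z]+", name, re.I):
        out.append(Finding(line_no, "random_name", f"value name looks machine-generated: {name}"))
    return out


def check_o16(line_no, m):
    desc, url = m["desc"], m["url"]
    if not desc or not url:
        return [Finding(line_no, "dpf_incomplete", f"DPF entry {m['clsid']} has no description/target")]
    host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
    if not any(host == h or host.endswith("." + h) for h in ALLOWED_DPF_HOSTS):
        return [Finding(line_no, "dpf_host", f"ActiveX download from unlisted host {host} ({desc})")]
    return []


def triage(log_text):
    """Run the O4/O16 checks over every line and return the findings."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if m := O4_RE.match(line):
            findings.extend(check_o4(line_no, m))
        elif m := O16_RE.match(line):
            findings.extend(check_o16(line_no, m))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"line {f.line_no:2d} [{f.rule}] {f.detail}")
```

On the sample, lines 2 to 5 are flagged and line 1 is not; the two O4 entries trip all three of the Temp-path, look-alike and random-name rules at once, which is the combination that makes them an easy call.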
     
  3. gdblackthorn

    gdblackthorn Private E-2

    Thanks for the Welcome!

    I figure I better update you on what I did with the computer while you were going over my request for assistance. I ran Spybot one last time, right clicked on the smitfraud-c.MSVPS and went directly to the registry key. I copied it and tried RegASSASSIN to delete it. It gave me a permissions error. I then went into msconfig and manually deleted the registry key for smitfraud-c.MSVPS. I had to change the authorization settings to delete it. I re-ran Spybot and it was clean! I then uninstalled Java J2SE 5.0 & update 3. I was going to do a few other things, but I noticed you had a chance to reply to me and I figured I had better wait so as not to mess up where we were on this.

    Here is what I did since I read your reply:
    1. I put my PC into normal startup mode - (sorry I missed this somehow the first time). :eek:
    2. I disabled AVP in services - (weird- I no longer had it installed).
    3. I removed Windows Messenger with the tool you linked to.
    4. (I have already uninstalled Java -see above).
    5. I ran MGtools\analyse.exe - I did a scan only. I selected the lines you suggested and clicked fix. (I hadn't noticed that the spybouncer was in there).
    6. I placed combofix.exe on the desktop, copied the code into a text file and named it CFscript.txt and saved it on the desktop along with it. I had no browsers open, so I dragged CFscript.txt onto the ComboFix.exe icon and let it run all the way through.
    7. I installed Sun Java Runtime Environment from the link you gave me.
    8. I checked the folder
    C:\Documents and Settings\Owner\Local Settings\Temp
    for any files not from the current day. There weren't any.
    9. I ran Ccleaner.
    10. I ran C:\MGtools\GetLogs.bat
    11. I attached the files below.
    C:\ComboFix.txt
    C:\MGlogs.zip

    Note: I reran spybot and it was clean!

    I noticed the computer is a bit slow, but I think that it may just need a little maintenance tweaking. Please let me know if it looks clean to you. This has been about the nastiest I have seen.

Thanks! I appreciate your time and help. :)
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The only thing that remains that concerns me is the below.

    The below two files are the correct size but their date is strangely rather new and possibly was around the time of the infection.
    Code:
    "C:\WINDOWS\system32\ws2_32.dll" 82944 02/13/2008 02:48 PM 
    "C:\WINDOWS\system32\dllcache\ws2_32.dll" 82944 02/13/2008 02:48 PM 
    
    I would like to see these two files replaced by a backup on the system that is stored here:
    Code:
    "C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll" 82944 08/03/2004 11:56 PM 
    You will more than likely not be able to do this in normal boot mode. Safe mode without Networking may work. Otherwise safe mode with command prompt will be necessary.

Do you think you can do this without additional instructions? Both the files in system32 and in dllcache must be replaced.
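The tell in the post above is that the two ws2_32.dll copies have the right size but a timestamp from the week of the infection, while the ServicePackFiles copy is the known-good backup. Size alone cannot separate a patched file from a clean one, so the practical check is to hash each copy against the backup and report the timestamps alongside. The script below is an added example written for this page, not something from the thread. It builds a constructed stand-in layout in a temporary directory (the dllcache copy identical to the backup, the system32 copy the same 82944 bytes with one byte changed, timestamps mirroring the dates quoted above) and reports, per copy, whether the content matches the backup and whether the date differs; on the real machine you would point it at the C:\WINDOWS paths instead.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime

# Size reported in the thread for all three copies of ws2_32.dll
WS2_32_SIZE = 82944

# Relative paths mirroring the layout under C:\WINDOWS
REFERENCE = "ServicePackFiles/i386/ws2_32.dll"          # known-good backup
CANDIDATES = ("system32/ws2_32.dll", "system32/dllcache/ws2_32.dll")


@dataclass
class Fingerprint:
    path: str
    size: int
    sha256: str
    mtime: datetime


def fingerprint(path):
    """Hash the file in chunks and record its size and modification time."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    st = os.stat(path)
    return Fingerprint(path, st.st_size, digest.hexdigest(), datetime.fromtimestamp(st.st_mtime))


def compare_to_reference(root):
    """Per candidate copy: (content verdict, whether its date differs from the backup)."""
    ref = fingerprint(os.path.join(root, REFERENCE))
    verdicts = {}
    for rel in CANDIDATES:
        fp = fingerprint(os.path.join(root, rel))
        if fp.sha256 == ref.sha256:
            content = "match"
        elif fp.size == ref.size:
            content = "same_size_different_content"   # the case size checks alone miss
        else:
            content = "size_mismatch"
        verdicts[rel] = (content, fp.mtime.date() != ref.mtime.date())
    return ref, verdicts


def build_fixture(root):
    """Constructed stand-ins, not real DLLs: dllcache copy identical to the backup,
    system32 copy the same size with one byte flipped; dates follow the thread."""
    good = bytes(range(256)) * (WS2_32_SIZE // 256)          # exactly 82944 bytes
    tampered = bytearray(good)
    tampered[4096] ^= 0xFF
    files = {
        REFERENCE: (good, datetime(2004, 8, 3, 23, 56)),
        "system32/dllcache/ws2_32.dll": (good, datetime(2008, 2, 13, 14, 48)),
        "system32/ws2_32.dll": (bytes(tampered), datetime(2008, 2, 13, 14, 48)),
    }
    for rel, (data, when) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        ts = when.timestamp()
        os.utime(full, (ts, ts))


def run_demo():
    """Build the fixture, compare, print a report and return the results."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        ref, verdicts = compare_to_reference(root)
        print(f"backup: {ref.size} bytes, {ref.mtime:%m/%d/%Y %I:%M %p}, sha256 {ref.sha256[:16]}...")
        for rel, (content, date_differs) in verdicts.items():
            note = " (date differs from backup)" if date_differs else ""
            print(f"{rel}: {content}{note}")
        return ref, verdicts


if __name__ == "__main__":
    run_demo()
```

In the constructed run the dllcache copy comes back as a content match with only the date off, while the system32 copy is the same size yet fails the hash, which is exactly the situation where comparing sizes and dates by eye is not enough and both copies should be restored from the backup.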
     
  5. gdblackthorn

    gdblackthorn Private E-2

    I booted into safe mode and gave it a try, but since the file was being used I booted into safe mode with the command prompt. I copied the file:
    C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll

    and attempted to copy it into both of the folders, but only one copied successfully. It was the cache folder:
    C:\WINDOWS\system32\dllcache\ws2_32.dll

    I checked to see what was using the system32 file and I found that a ton of stuff was using it. I looked closer and saw that the system was using it and I needed a way to access the hard drive without running win XP on it. Well, I could make it a slave and boot into it with another hard drive, or try my portable USB XP windows- but I couldn't find it. So I needed another alternative to change this file.
    C:\WINDOWS\system32\ws2_32.dll

    I then booted into dos from a floppy to give it another go, but I could not access the C drive. Then it dawned on me... It was formatted as NTFS! :eek:

    Ok, so then I had to remember a way to boot into dos, but at the same time have access to the files on an NTFS drive. Finally, it dawned on me! Winternals! I had Winternals Administrator's pack! Within the pack was NTFSDOS Professional. It allows reading and writing to an NTFS from a dos booted floppy!

    It worked like a charm! ...and for the fun of it I redid the other one again. It was sort of fun getting back into dos again! :)

    So I copied the file into both folders!
    C:\WINDOWS\system32\ws2_32.dll
    C:\WINDOWS\system32\dllcache\ws2_32.dll

    Hey thanks again for the help! Any other suggestions are quite welcome! :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Another easy way to have accomplished this was to boot to the Recovery Console using your bootable Windows XP CD (if you have one).

    So do the two files:
    C:\WINDOWS\system32\ws2_32.dll
    C:\WINDOWS\system32\dllcache\ws2_32.dll

    Now say the size is: 82944
    and the date is: 08/03/2004 11:56 PM

    If you said yes, then we are finished with your malware cleanup.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  7. gdblackthorn

    gdblackthorn Private E-2

    I had already tried the recovery console earlier. I had no disc that would allow me to use it.

    I appreciate the cleanup tips. I tweaked the computer and now it is fast like it is supposed to be. The link you gave on "How to Protect yourself from malware!" is a great read. I think everyone should read it, regardless of how much they think they know. I am trying out the Sunbelt (Kerio) firewall on the computer (as I mentioned before it belongs to a friend of mine). Hopefully with that and some other stuff I put on his computer he will be able to keep it clean!

    Thanks again for all your time and help! I would like to mention that I have visited here often for solutions to problems without having to ever put in a request for help. Great site!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and thanks for the kudos! :)

    Surf safely.
     
