smitfraud.c needs removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by norm44, May 12, 2005.

  1. norm44

    norm44 Private E-2

    My computer is infected with smitfraud.c System is running Windows 98

    Symptom is text on first screen that says Security warning
    A fatal error in IE has occurred etc. Error was caused by Trojan-spy.HTML.Smitfraud.c etc ....

    I have followed instructions and have run the following:

    Trend Micro's Free Online Scan - found nothing
    Symantec Security Check - all safe

    Gone to safe mode
    ran Avert Stinger - clean
    ran CCleaner - cleaned

    Ad-Aware SE found 4 critical objects - quarantined and removed

    Spybot - Fixed 9 problems 1 - Alexa Related 4 CoolWWWSearch bootconf
    1 -Element 3 - Security IGuard

    About.Buster stalled at 6% scanned (several times)

    I have run HIJACKthis

    Attached is the log file.

    Thanks norm44
     


  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Might need the man, Chaslang, but I can see some obvious problems and will get you started. I also like checking Add/Remove Programs for anything you didn't install. I am having you remove items that are not needed as well. Remove these from safe mode:

    C:\BSW.EXE (delete this file as well)

    NOTE: Trojan.Win32.Agent.ct. When run this file (BSW.EXE) extracts a bmp file to the c:\ folder and sets it as your desktop background.

    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\MSMSGS.EXE
    C:\AMERICA ONLINE 5.0\AOLTRAY.EXE
    O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
    O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD.EXE
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149/5/s1//q.chm::/file.exe

    I can not be sure if this will completely remove it, so do some scans while in safe mode again to see what happens.
     
    Last edited: May 12, 2005
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have dozens of these going on. There are multiple issues including the below:

    O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
    O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE

    You really need to run the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal first. And then post a new HJT log.

    If you take a look at message number 9 in the below thread, you will see some of what is going to be required:
    http://forums.majorgeeks.com/showthread.php?p=574712
     
  4. norm44

    norm44 Private E-2

    Thanks for looking at this problem for me.

    I did go through all the "read me first" actions before I posted the previous hijack log. See msg 1 below. Since then I acted on Major Attitude's reply (msg 2) below.

    I deleted all the things in his list to me that started with c:\
    exception: I uninstalled Real Player rather than delete realplay.exe.
    The other exception: when I attempted to delete
    c:\windows\system\nzdd.dll I got the message: "cannot delete. The specified file is being used by Windows"

    Then I ran hijackthis and checked all of the items he suggested and then ran "fix".

    After your reply, I ran hijack again and fixed the IGUARD.EXE entry. The BSW.exe entry did not come up in that scan.

    Now I have run hijack again and I am enclosing the log file.
    Thanks
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you having any problems with Desktop still?

    Your IE version is way out of date and I would bet you need a bunch of Windows 98 updates too. After fixing your current problems you will need to visit Windows Update and get all the patches for your system.


    Have HijackThis fix the below 4 entries (with no browsers opened) unless you wanted them to be about:blank.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    Do you want the below settings to be your default Search and Start pages each time web settings are reset? If not, fix the below two lines.
    O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

    Now that you fixed the O2 BHO line - you should be able to delete C:\WINDOWS\SYSTEM\NZDD.DLL
     
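The HijackThis entries discussed in this thread (O4 Run lines pointing at executables in the drive root, R0/R1 pages reset to about:blank, an O2 BHO with a random-looking DLL name, and an O16 DPF line that loads an ms-its/CHM resource) lend themselves to a simple automated triage. The script below is an added example, not part of the thread or of HijackThis itself; the sample log is constructed from the lines quoted above, and the "random-looking name" and rogue-product-name rules are heuristics chosen for this illustration.

```python
import ntpath
import re

# Constructed sample: HijackThis (HJT) lines copied from the entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149/5/s1//q.chm::/file.exe
"""

# Rogue "security" products named later in this thread (Add/Remove Programs step).
ROGUE_NAMES = ("security iguard", "search maid", "virtual maid")

# "O4 - <rest>"  ->  kind "O4", body "<rest>"
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# First Windows path ending in .exe/.dll/.com, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|com))"?', re.IGNORECASE)


def in_drive_root(path):
    """True when the file sits directly in a drive root, e.g. C:\\BSW.EXE."""
    head, _ = ntpath.split(path)
    return re.fullmatch(r"[A-Za-z]:\\?", head) is not None


def looks_random(path):
    """Heuristic (assumption for this example): short all-letter stem with no vowels, e.g. NZDD."""
    stem = ntpath.splitext(ntpath.basename(path))[0]
    return len(stem) <= 6 and stem.isalpha() and re.search(r"[aeiou]", stem, re.I) is None


def triage_line(line):
    """Return a reason string if the HJT line matches one of the thread's indicators, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
        return "IE search/start page reset to about:blank (hijack residue)"
    if kind == "O2":
        pm = EXE_RE.search(body)
        if pm and looks_random(pm.group("path")):
            return "BHO DLL with random-looking name"
    if kind == "O4":
        pm = EXE_RE.search(body)
        if pm:
            path = pm.group("path")
            if in_drive_root(path):
                return "Run entry launches an executable from the drive root"
            if any(name in path.lower() for name in ROGUE_NAMES):
                return "Run entry for a rogue security product named in this thread"
    if kind == "O16" and ("ms-its:" in body.lower() or ".chm::" in body.lower()):
        return "DPF entry loads an ms-its/CHM resource (known hijack vector)"
    return None


def triage(log_text):
    """Run triage_line over every line; return [(line, reason), ...] for the hits."""
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The legitimate QuickTime and O14 lines pass through untouched, which is the point: the rules key on where a file lives and how it is loaded, not on a fixed list of bad file names, so a renamed dropper in the drive root would still be caught.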
  6. norm44

    norm44 Private E-2

    I used hijack to Fix the items you suggested. Thanks for taking time to look at this problem.

    I deleted c:\windows\system\nzdd.dll

    However, the security warning on the screen which tells me about

    "A fatal error in IE has occurred .... Error was caused by Trojan-Spy.HTML.Smitfraud.c etc ...." is still there.

    The latest Hijack log (which I have attached to this post) doesn't look suspicious to me.

    After posting this, I will run some more scans. Are there more things I should try?

    Thanks.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some of the items in the below steps may not exist; if not, just skip them and continue.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Open Control Panel and select Add/Remove Programs look for the below programs and uninstall them if found:
    Search Maid
    Security IGuard
    Virtual Maid

    Now exit Add/Remove Programs.

    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\WINDOWS\system32\msmsgs.exe or C:\WINDOWS\msmsgs.exe
    C:\WINDOWS\system32\shnlog.exe or C:\WINDOWS\shnlog.exe
    C:\WINDOWS\system32\intmonp.exe or C:\WINDOWS\intmonp.exe
    C:\Windows\System32\helper.exe or C:\Windows\helper.exe
    C:\Windows\System32\ole32vbs.exe or C:\Windows\ole32vbs.exe
    C:\Windows\system32\msole32.exe or C:\Windows\msole32.exe
    C:\WINDOWS\system32\hpD167.tmp or C:\WINDOWS\hpD167.tmp
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\Program Files\Search Maid<--- the whole folder
    C:\Program Files\Security IGuard<--- the whole folder
    C:\Program Files\Virtual Maid<--- the whole folder
    C:\Windows\System32\Log Files or C:\Windows\Log Files <--- the whole folder


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and continue with the below.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.

    Now please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Now post a new HJT log. And tell me how things are working.
     
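The last step above restores the original hosts file with Hoster, because this family rewrites hosts entries so that security-vendor and other sites resolve to loopback or to a host of the hijacker's choosing. Before overwriting the file it is worth seeing what was actually changed. The audit below is an added example, not part of the thread or of Hoster; the sample hosts content and its hostnames (.test domains) are constructed for illustration and do not come from this thread.

```python
import ipaddress

# Constructed sample hosts file: the stock localhost line plus two entries of the
# kind a hijacker adds (illustrative .test hostnames, not taken from this thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test   # vendor update site silently blocked
10.0.0.5        www.example-bank.test        # redirected to a host the user never chose
"""

# What a stock Windows hosts file resolves once comments are stripped.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"


def parse_hosts(text):
    """Return [(line_number, ip_address, hostname), ...], ignoring comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line; not a resolvable entry
        for name in names:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text):
    """Report every mapping other than localhost -> loopback, classified as block or redirect."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost" and addr.is_loopback:
            continue                           # the one entry a stock file contains
        if addr.is_loopback or addr.is_unspecified:
            findings.append((lineno, name, "blocked (resolves to loopback/0.0.0.0)"))
        else:
            findings.append((lineno, name, f"redirected to {addr}"))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} {reason}")
```

On a real machine, read the file at the path HijackThis reports (on Windows 98 that is the Windows folder itself) and pass its contents to audit_hosts; an empty result means the file matches the stock content and the Hoster restore is a no-op.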
  8. norm44

    norm44 Private E-2

    Thank you. Success. We seem to have rid this computer of that trojan.

    From your last instructions, the following were the objects which existed and which I deleted:

    shmlog.exe, intmonp.exe, msole32.exe, wp.bmp, sites.ini, popuper.exe, log files folder.

    All of these were dated May 7 which was when the trojan msg first appeared.

    So thanks again for your assistance. You guys are heroes.

    I am attaching the latest hijack log.

    Norm44
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Your log is clean now. To help keep it that way, you must complete the steps in the below link (the first of which is Windows Update - as I mentioned earlier, you need this):

    How to Protect yourself from malware!
     
