Trojan-Spy.HTML.suitfraud- DIRE NEED OF ASSISTANCE

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mcd278, Jun 4, 2005.

  1. mcd278

    mcd278 Private E-2

    Hello all. I am trying, so far unsuccessfully, to rid my father's computer of the Spyware that has infected it. As the title suggests, a message directing one to run Virus Scan software, etc. because of the Trojan-Spy.HTML.suitfraud affliction pops up in white letters on a blue screen after startup. In addition, a blazing sun icon- appears to be Spy Sheriff- pops up on the System tray. I have started the system in safe mode and run McAfee Virus Scan, and while a trojan and a virus were removed, my problem still exists. The system- even in safe mode- will not allow Internet access, so I am unable to run any of the online virus checks or Spy/Adware removers. I have downloaded Hijack This on my home computer, burned it onto CD-Rom and secured a log file after running the program on my father's computer, which I tried to interpret using TonyK's BHO & Toolbar list, to no avail. My limited system knowledge, to be sure, is an impediment. As an aside, I disabled System Restore and opened up hidden files + folders in Windows in an effort to allow McAfee Virus Scan to find everything. I am open to any and all suggestions and would be sincerely grateful for any direction and/or assistance. Thanks in advance.

    Jake
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe you mean SmitFraud! Since your problem appears to prevent normal cleanup, make sure you follow the guidelines below and post your HJT log.



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. mcd278

    mcd278 Private E-2

    My gratitude for your expeditious reply. I have attached the log as requested.

    Regards,
    Jake
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Whoever's PC this is and whoever has been using it, needs quite a few lessons in internet security. Users like this are commonly referred to as spyware collectors. This PC is loaded with problems.

    I'm not sure how much of the below you will be able to do because of your problems, so whatever you cannot do, skip it, and continue. Tell me later what you could and could not do. This is going to take a bunch of messages since you are so badly infected. Before we can get some items fixed, you must get to a point where you can download some tools we may need.

    Download LSP-Fix. Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the fltmgr.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move fltmgr.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    Then reboot your PC.

    Hopefully you can now download and continue with the below steps.

    - Download and install Microsoft® Windows AntiSpyware and make sure you get the updates but do not run a scan yet. We will do that later when I have you boot into safe mode.

    - Now download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet.

    - Reboot into Safe Mode with no network support and do not run anything else but what I tell you to run!

    - Run the ABIRemover.exe, press install, wait (explorer window will disappear)

    - Now run the Microsoft Antispyware program we installed and let it fix everything it finds.

    - Now reboot into normal mode and continue with my next message.

     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpa.dll/blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsoD1.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
    O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home
    O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{A06A5DD7-1866-427E-B48B-412772DF7FE3}\SVCHOST.EXE
    O4 - HKLM\..\Run: [xblxkw] c:\windows\system32\snjkoth.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{A06A5DD7-1866-427E-B48B-412772DF7FE3}\SECURITY.EXE
    O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
    O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Microsoft AntiSpyware helper - {FF1CB605-DECD-4450-BAE0-9FE801235254} - C:\WINDOWS\System32\wldr.dll
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FF1CB605-DECD-4450-BAE0-9FE801235254} - C:\WINDOWS\System32\wldr.dll
    O9 - Extra button: Microsoft AntiSpyware helper - {FF1CB605-DECD-4450-BAE0-9FE801235254} - C:\WINDOWS\System32\wldr.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FF1CB605-DECD-4450-BAE0-9FE801235254} - C:\WINDOWS\System32\wldr.dll (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
    O15 - Trusted IP range: 81.222.131.59
    O15 - Trusted IP range: 81.222.131.59 (HKLM)
    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
    O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL/static/controls/WebflowActiveXInstaller_2-0-0.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
    O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
    O21 - SSODL: System - {3E4EBA01-EB52-4E27-9A3C-B30ADE25E12A} - vr_sys.dll (file missing)

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\nsoD1.dll
    C:\WINDOWS\system32\xpsp2fw.exe
    C:\WINDOWS\system32\svcnut32.exe
    C:\WINDOWS\System32\paytime.exe
    c:\windows\system32\snjkoth.exe
    C:\WINDOWS\System32\Services <--- the whole folder
    C:\WINDOWS\System32\mszx23.exe
    C:\WINDOWS\system32\wuclient.exe
    c:\wp.exe
    c:\wp.bmp
    C:\winstall.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\System32\win32.exe
    C:\WINDOWS\System32\wldr.dll
    c:\windows\system32\fltmgr.dll
    C:\WINDOWS\isrvs <--- the whole folder
    c:\ex.cab
    c:\ied_s7.cab
    c:\x.cab
    C:\WINDOWS\System32\vbsys2.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
    Let me know whether you can download now. If so, start running the steps in:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
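    The HijackThis lines chaslang selects above follow a handful of patterns a defender can check mechanically: browser pages redirected to a bare IP address or a DLL resource, an extra program chained onto the `Shell=` line, Run keys launching from the drive root or from a GUID-named folder, a `svchost.exe` outside System32, unrecognised Winsock LSP modules, IP addresses in the Trusted sites zone, ActiveX controls registered from `file://` cabs, a `text/html` MIME filter, and Winlogon Notify / SSODL DLLs. The Python script below is an added example written for this thread, not a MajorGeeks or HijackThis tool; it parses a constructed sample log made from the entries quoted in this thread (plus one benign Windows entry and one vendor-hosted O16 control, to show what is left alone) and reports which entries trip those heuristics. The section letters and line layout follow the HijackThis 1.99.1 log format shown on this page; the heuristics and reason strings are the example's own.

```python
"""Triage a HijackThis-style log with defensive heuristics (added example)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: entries quoted in the thread, one benign Windows Run entry
# (KernelFaultCheck) and one vendor-hosted O16 control that should not be flagged.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1 (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocpa.dll/blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{A06A5DD7-1866-427E-B48B-412772DF7FE3}\SVCHOST.EXE
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL/static/controls/WebflowActiveXInstaller_2-0-0.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: System - {3E4EBA01-EB52-4E27-9A3C-B30ADE25E12A} - vr_sys.dll (file missing)
"""

ENTRY_RE = re.compile(r'^([RFO]\d+) - (.*)$')          # "O4 - <body>"
DRIVE_ROOT_RE = re.compile(r'^[a-z]:\\[^\\]+$')        # c:\wp.exe
GUID_DIR_RE = re.compile(r'\\\{[0-9a-f-]{36}\}\\')     # ...\{GUID}\...


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, line) for every HijackThis entry line in the log."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def _program_of(command):
    """Lower-cased executable path of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split()[0].lower()


def _run_key_reasons(command):
    """Heuristics for an O4 Run entry; an empty list means nothing looked odd."""
    path = _program_of(command)
    name = path.rsplit('\\', 1)[-1]
    reasons = []
    if DRIVE_ROOT_RE.match(path):
        reasons.append('program launched from the drive root')
    if name == 'svchost.exe' and not path.endswith('\\system32\\svchost.exe'):
        reasons.append('svchost.exe outside System32')
    if GUID_DIR_RE.search(path):
        reasons.append('program lives in a GUID-named folder')
    return reasons


def _page_reason(body):
    """Flag IE start/default/search pages pointing at a DLL resource or a raw IP."""
    m = re.search(r'=\s*(\S+)\s*$', body)
    if not m:
        return None
    url = m.group(1)
    if url.lower().startswith('res://'):
        return 'browser page served out of a DLL resource'
    try:
        ipaddress.ip_address(urlparse(url).hostname or '')
    except ValueError:
        return None
    return 'browser page points at a bare IP address'


def analyze(text):
    """Return one Finding per log entry that trips a heuristic."""
    findings = []
    for section, body, line in parse_entries(text):
        reason = None
        if section in ('R0', 'R1'):
            reason = _page_reason(body)
        elif section == 'F2':
            m = re.search(r'Shell=(.*)$', body)
            if m and m.group(1).strip().lower() != 'explorer.exe':
                reason = 'extra program chained onto the Windows shell'
        elif section == 'O2' and '(no file)' in body:
            reason = 'orphaned BHO registration'
        elif section == 'O4':
            m = re.search(r'\\Run: \[[^\]]*\] (.*)$', body)
            reason = '; '.join(_run_key_reasons(m.group(1))) if m else None
            reason = reason or None
        elif section == 'O10':
            reason = 'Winsock LSP module HijackThis does not recognise'
        elif section == 'O15':
            reason = 'address added to the IE Trusted sites zone'
        elif section == 'O16' and 'file://' in body.lower():
            reason = 'ActiveX control registered from a local file'
        elif section == 'O18' and body.lower().startswith('filter: text/html'):
            reason = 'MIME filter intercepting every HTML page'
        elif section in ('O20', 'O21'):
            reason = 'DLL loaded at logon/shell start; verify the publisher'
            if '(file missing)' in body:
                reason = 'registration left behind for a DLL that no longer exists'
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def summarize(findings):
    """Count findings per HijackThis section, e.g. {'O4': 3, ...}."""
    return dict(Counter(f.section for f in findings))


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f'{f.section:4} {f.reason}\n     {f.line}')
```

    Run it on a saved log with `analyze(open('hijackthis.log').read())`. The heuristics deliberately stay conservative: the O2 entry for sysupd.dll and the vendor-hosted O16 control are not reported, because a path under C:\WINDOWS or an HTTPS-hosted cab is not by itself evidence; a human still has to review those, which is what the thread's expert does line by line.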
     
  6. mcd278

    mcd278 Private E-2

    HA! Point well taken. Here's what I was able to accomplish:
    1. Ran LSP-Fix, which did not allow me to download.
    2. Fixed selected lines in Hijack This log.
    3. Using Windows Explorer, deleted certain files, folders + programs (Note: \System32\nsoD1.dll, snjkoth.exe + c:\ex.cab, x.cab not found. System32\mszx23.exe "in use by another program" + unable to be deleted. Checked Task manager + program not in use)
    4. Ran Ccleaner + deleted files in c:\windows\Prefetch folder.
    5. Reset web settings

    Notes:
    1. Had to run HJT in safe mode because in normal mode trying to run it resulted in an "unspecified file" error prompt.
    2. When rebooting in normal mode, startup is incredibly slow and a black screen appears rather than the previous blue one. This only lasts a short while, however, as "Active Desktop Recovery" soon prompts. When I restore Active Desktop, the following message pops up: "SYSTEM STOPPED- System has been stopped due to serious malfunction. Spyware activity has been detected".
    3. After running Ccleaner, fixing HJT probs + deleting certain Windows files, I was able to connect to majorgeeks.com; however, I am unable to download and have received several "IE has encountered a problem + has to close" prompts.

    My plan of action is to use my PC to download as many of the required programs, files, etc. as possible off the website, burn them onto CD-R and install them on the infected PC (the commute back + forth being the reason for my slow response time- my apologies); however, I will await your reply before doing so.

    THANKS again.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you mean by
    You don't download anything when you run LSP-fix. Or did you mean that you ran LSP-fix to fix the file I gave you and now you still cannot download with your browser.

    You need to get the following program onto the problem PC and run it to fix a HaxDoor problem.


    Now download: HSFix.zip

    Extract the tool from the ZIP File to a folder you can easily find (preferably in its own folder - like C:\HSFix).

    Now please boot to Safe Mode and DoubleClick hsfix.bat to run the tool.

    Allow it as long as it takes to run, then Reboot to Normal Windows and look for a log at C:\hslog.txt . Please attach that log when you come back later after doing the steps below.

    Also have HijackThis fix the below two lines:

    O15 - Trusted IP range: 81.222.131.59
    O15 - Trusted IP range: 81.222.131.59 (HKLM)


    And yes, get the tools we recommend onto a CD so you can run them on this PC.
     
    Last edited: Jun 5, 2005
  8. mcd278

    mcd278 Private E-2

    Sorry for the belated reply... terrible Adelphia cable connection.

    1. Regarding LSP-Fix, I ran it to remedy the download issue; however, I still cannot download on the problem PC.
    2. I ran HJT (in safe mode, as normal mode labeled the program icon an "unspecified link") in an attempt to fix the Trusted IP range: 81.222.131.59 issue with no luck. Repeated attempts resulted in similar failure.
    3. I have attached HJT + HS Logs for review.
    4. I was able to run Adaware, About Buster, CCleaner, CW Shredder, HS Remove + Stinger. I was unable to run SpyBot due to my inability to connect to the Net on the problem PC.
    5. While in safe mode, I got a "Virtual Memory Low" prompt. Is this a result of spyware, etc.?
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run HSfix in safe mode? It did not fix everything. Run it again. Make sure you boot into safe mode to run it. Save the log and post it here. In fact, while in safe mode look at the log yourself and make sure you do not see any "Unable to remove xxxxx" filenames in step 4 in the file. For example, your last log said:
    unable to remove vdmt16.sys
    unable to remove drct16.dll
    unable to remove mszx23.exe

    If you still see them, run the tool a couple more times. See if we can get those fixed. Try killing mszx23.exe using Task Manager first (if necessary).


    Let's see if we can remove the TZ IP address.
    Run IE, select Tools, Internet Options. Now select Security and then click the Trusted Sites circle. Then click the Sites button. Look for the 81.222.131.59 address in the Web sites box and select it. Then click Remove. Then at the bottom make sure there is a check mark in the box that says Require server verification...... blah blah. Now click OK. And OK again.


    Please explain:
    All you have to do is double click on the HijackThis.exe file that you unzipped. Open Windows Explorer, locate hijackthis.exe and double click on it. Do this in normal boot mode. Post the log.
     
    Last edited: Jun 8, 2005
  10. mcd278

    mcd278 Private E-2

    1. I ran HSfix in safe mode, and it seems as though it removed all problems.
    2. I removed the TZ IP address from trusted sites, but 81.222.131.59 (HKLM) remains.
    3. I ran HJT in safe mode. In normal mode, when I run HJT- whether from C:\ or CD-Rom- I get the following prompt: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." It runs properly in safe mode.

    (Note: I burned the logs onto CD-R but for whatever reason they are not showing up. I will attempt to burn them again + post this evening. If I don't have any luck, I'll type it.)
     
  11. mcd278

    mcd278 Private E-2

    As promised, HJT + HSfix logs attached.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have a HorseServer infection. Let's try some additional steps.

    Now please download DelDomains and unzip it to your desktop.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (some may not exist):
    O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
    O15 - Trusted IP range: 81.222.131.59 (HKLM)
    O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

    After clicking Fix, exit HJT.

    Please download the following tool: Pocket KillBox
    Extract Pocket Killbox to its own folder! Then run Killbox.

    Now, Copy and Paste C:\WINDOWS\System32\mszx23.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\drct16.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself.

    Now get a new HJT log and post it here. And tell us how these steps went and how things are working.
     
  13. mcd278

    mcd278 Private E-2

    Re: Trojan-Spy.HTML.smitfraud- DIRE NEED OF ASSISTANCE

    In safe mode:
    1. Installed deldomains.inf
    2. Ran Hoster + clicked "Restore Original Hosts".
    3. Ran HJT. Only "O20 Winlogon Notify... drct16.dll" existed. Fixed.
    4. Ran PocketKillbox. Neither mszx23.exe nor drct16.dll existed.

    Rebooted into normal mode:
    1. After fairly slow start up, "Active Desktop Recovery" screen popped up.
    2. Installed deldomains.inf + ran Hoster (just in case this needed to be done in normal mode).
    3. Tried to run HJT in normal mode, with no luck (still getting "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item" prompt).

    Rebooted into safe mode:
    1. Ran HJT again. Found "mszx23.exe" + "drct16.dll" (again). Clicked fix.
    2. Ran Killbox again. Neither file/program found.
    3. Posted new HJT log.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Trojan-Spy.HTML.smitfraud- DIRE NEED OF ASSISTANCE

    Your log does not show anything. That could be because you already fixed lines before posting. Did anything come back?

    How are you (give exact details) attempting to run HijackThis? For example: are you using a shortcut, are you opening Windows Explorer and directly double clicking on hijackthis.exe?
     
  15. mcd278

    mcd278 Private E-2

    After reading your post, I called my father and had him access the Internet from the problem PC. His only complaint was that the PC seemed "slower" (he got a "Virtual Memory Low" prompt); however, no problems from the infection have come back yet. I'll keep you posted.

    In normal mode, I ran HJT both directly from the CD-Rom drive (by double-clicking on icon) and from double-clicking on the HJT.exe icon in C:\HijackThis. Both produced the "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item" prompt. Safe mode, as I mentioned previously, worked fine.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not be running Hijackthis from the CD-Rom drive. Try directly downloading a new copy of HijackThis from HijackThis 1.99.1 right onto the problem PC. Then extract the executable from the ZIP file. Now run it by double-clicking on hijackthis.exe.

    Does that work?
     
  17. mcd278

    mcd278 Private E-2

    I think the problem was the McAfee Internet Security Suite installed on the machine. It automatically "cleaned" Hijack This when enabled. I disabled Virus Scan, then downloaded + ran HJT from C:\HijackThis. My log is posted. By the way, the computer *seems* to be running magnificently now! My gratitude! You rule.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    That would mean that you do not have the current virus definitions for McAfee. Some older definitions were incorrectly identifying HijackThis to have a P2P worm.

    Sounds like you are all fixed up now and you should check out the below to help keep you clean:

    How to Protect yourself from malware!
     
