smitfraud-c.generic/ svchost.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by edenelaine, Jan 27, 2012.

  1. edenelaine

    edenelaine Private E-2

    Wow, getting here has been a journey, to say the least. But first off, just wanted to say thank you for what you, and your team/site does! I have always considered myself fairly computer savvy; but I am learning that, "fairly" doesn't cut it in some situations. So I repeat, THANK YOU!

    I suppose I will start from the top. I suppose I first started noticing my computer slowing down maybe six weeks ago. It wasn't anything I felt was significant enough to keep watch on, so I continued regular usage. Over the past six months, I have rarely turned my computer off (always hibernate, maybe shut down once a week), so when it started shutting off for no apparent reason, that is when I began to worry. That was about a month ago. I would leave my computer up and running, and when I would return (sometimes I wasn't gone for more than an hour), it would be off. Upon restart the system would appear normal, but when it began to load the windows files, the Startup Repair window would pop up stating "Your computer was unable to start." Then it gave me the list of tools to use, in which I always did a system restore to the latest available date. Once I went through this process (at least a 30 minute process), my computer would restart and work normally (a little slow at first, but after about a week, was noticeably slower). Once I left my computer unattended for too long however, I had to repeat this process. In addition, I tried to turn to Norton for help, come to find out that for some unknown reason, no scan will run (potentially registry error, but at the same time I fixed registry, I also updated version of Norton) ------- (needless to say, I didn't use my computer very often during this time).

    At this point, I asked my dad to take a look at the computer, and it was returned to me a couple days later. I believe what he said was, "the registry just had to be updated." He also mentioned that he thought my computer was slow. So when I got it back, I cleaned it out (Deleted programs, defragmented/disc cleanup, deleted temps, recycle bin, full Norton scan yadda yadda yadda..). That was about three weeks ago. My computer appeared to be smooth, but I started noticing alerts that were notifying me of both high CPU usage, and memory usage. After a few days of this, I knew I was ready to tackle whatever was wrong with my computer.

    I began by researching every running program and process (entering in to google), and couldn't find any program that screamed virus (SVCHOST is sneaky! Hides in the windows folder, not cool!) So after going through that for a couple days, I did some research on high CPU/memory usage. I came across a forum (outside of majorgeeks) that suggested Malwarebytes, and Spybot. I ran both of them (had some difficulties with the software "freaking out" and not running properly. My guess is that it's due to whatever is infecting my computer). After some time however, I got both of them to run successfully (3-4 days ago). Smitfraud-C.generic came up on both scans, and both said that they successfully removed all unwanted programs. Upon a restart and a re-scan, it is clear that it was still there.. It was after installing Malwarebytes however that I noticed what an issue I have; because, every few minutes, a pop up from MWB pops up saying "successfully prevented access to a potentially malicious website." Process: svchost.exe.

    And so my search began on how to get rid of this for good. I tried to avoid forums at all costs, but started to realize the following: this is pretty serious, and I can't really afford to try things that I am not sure of. This is when I stumbled upon your site, and a forum that discussed smitfraud-C.generic. After reading a little ways through it, I realized that if I wanted any help, I would have to do it your way.. and so came the READ ME FIRST. Lets just say, whatever is messing with my system, doesn't like the READ ME FIRST instructions. :) However, not everything was unsuccessful.

    Upon following the instructions, the first problem I faced was when I looked into making sure all the old versions of Java Sun were removed from the system. I tried running Secunia (PSI) and JavaRa. - JavaRa wouldn't complete, and Secunia's scan wouldn't even start. At this point, I just made sure all old versions were out of the add/remove programs list.

    1)SuperAntiSpyWare installed and ran successfully. Attached is the log.
    2)MalWareBytes was already installed, but I reinstalled, and that appeared to be successful. Attached is the log.
    3)Combofix. This got really interesting. Slightly embarrassed to say so because there is such an emphasis on being careful, and doing exactly as the directions say. So forgive me if I did something incredibly stupid (I'll elaborate). From the link provided in the instructions (step 1), I downloaded combofix. It would not download, and I figured out why: Norton was preventing it from doing so. It would get to the end of the download, then a window would pop up with the prompt : "you'll need to provide administrator permission to copy this file." Once "ok" was pressed, "You need Permission to perform this action" "You require permission from the computer's administrator to make changes to this file" appeared. When "Ok" was pressed on this window, that's when Norton came in and quarantined what was trying to download. I knew that the problem was Norton so I tried tweaking Norton, and trying again several times. (Had not learned yet that I should disable Anti-Virus Auto Protect). But I came across this option, and it successfully saved to the desktop. I wish this is where it stopped with combofix.......... when it came time to follow the instructions, and scan, the scan that was pictured in the tutorial, and the one that was on my screen looked very different. So I stopped the scan with the task manager, and downloaded the one that was listed at the top of the instructions page. This download went smoothly, and the scan started as normal. I watched the computer scan for approximately twenty minutes, and then left my computer momentarily. When I returned the computer was off, and upon restart it said that "the computer shut down unexpectedly, yadda, yadda yadda." Well, because I didn't know what happened, I decided that I should know what was occurring during the scan so that I could tell you. So, I ran the scan one more time. Of course, after watching the scan for thirty minutes, I fell asleep. Not even sure if it shut down or not.
    When I woke up this morning, I searched what feels like the entire C: drive for the logs, and honestly, I don't think they exist. Which is likely, now that I think about it.

    There were probably several things that I just mentioned that I shouldn't have done :(( I didn't realize this until I started searching for the logs, and noticed that there are MANY system copies under the "Combofix computer icon". I'm thinking you might know what I mean? If not, I will explain. A little embarrassed about it, and hoping that such a thing happens to anyone that uses combofix. But, something tells me that may not be the case =-x Praying you can assist me if that's the case!

    4)RootRepeal- Did not run because I am running 64x
    5)MGTools ran smoothly, and the zipped file is attached

    When it was all said and done, I ran Spybot again to make sure that the initial problem I was trying to get rid of still remained. Smitfraud-C.generic is still present.

    Really hoping I didn't babble too much, or give you an excess of unneeded information. rolleyes

    But most of all, I'm hoping that I didn't make my computer worse in the midst of trying to fix it :cry

    Hope you can help! Thank you again!
     

    Attached Files:

    Last edited by a moderator: Jan 27, 2012
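The poster's worry above is that an svchost.exe "hides in the windows folder" and cannot be told apart from the real one. The check below is an added example, not something from this thread or from the MajorGeeks tools, showing what a responder looks at to decide whether a given svchost.exe instance is the genuine Windows binary: its path must be %SystemRoot%\System32\svchost.exe, its Authenticode signature must verify, its parent must be services.exe, and it should actually host at least one service (the same information tasklist /svc shows). It uses Win32_Process through WMI so it also runs on the PowerShell 2.0 that shipped with Windows 7 (the 64-bit Win 7 system mentioned in this thread is an assumption here); it should be run from an elevated prompt so the executable path of every process is readable. The column names and the "Suspicious" verdict are this example's own conventions.

```powershell
# Added example: flag svchost.exe instances that do not look like the Windows one.
# Run elevated; non-elevated sessions cannot read ExecutablePath of SYSTEM processes.

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
$procs = @(Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'")

$report = foreach ($p in $procs) {
    # Parent lookup. Caveat: PIDs are reused, so a parent that has exited may
    # show up as a different, unrelated process; treat "parent is not services.exe"
    # as a lead to investigate, not proof by itself.
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { 'gone' }

    $path = $p.ExecutablePath
    $sig = 'Unknown'
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Valid means the file is signed and the chain verifies; a copied or
        # patched binary fails here even if it sits in the right folder.
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    # Services hosted by this PID (equivalent to 'tasklist /svc').
    $services = @(Get-WmiObject -Class Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
                  ForEach-Object { $_.Name }) -join ','

    $findings = @()
    if (-not $path) {
        $findings += 'path not readable (run elevated)'
    } elseif ($path -ne $expectedPath) {      # -ne is case-insensitive in PowerShell
        $findings += "unexpected path: $path"
    }
    if ($sig -ne 'Valid')          { $findings += "signature: $sig" }
    if ($parentName -ne 'services.exe') { $findings += "parent is $parentName" }
    if (-not $services)            { $findings += 'hosts no services' }

    New-Object PSObject -Property @{
        PID        = $p.ProcessId
        Parent     = $parentName
        Path       = $path
        Signature  = $sig
        Services   = $services
        Suspicious = ($findings.Count -gt 0)
        Findings   = ($findings -join '; ')
    }
}

# Suspicious entries first; the Services column is what to hand to a helper
# along with the rest of the logs.
$report | Sort-Object Suspicious -Descending |
    Format-Table PID, Parent, Signature, Suspicious, Services, Findings -AutoSize
```

A clean machine shows every row with Suspicious = False. Note that the MBAM alerts described in this thread (svchost.exe reaching a blocked site) can also come from a perfectly genuine svchost.exe whose hosted service has been hijacked, which is why the Services column matters: the question then becomes which service in that PID is making the connection, and that is exactly what the log-based procedure the helpers ask for is designed to answer.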
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
     
  3. edenelaine

    edenelaine Private E-2

    Attached are the logs from TDSSkiller and MBRcheck.

    Thank you for you time!
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • Rescan with Malware Bytes and attach the new log.
    • Re-run TDSSKiller and attach the new log from that too.
    • Is combofix able to run now at this stage?
    • How are things running?
     
  5. edenelaine

    edenelaine Private E-2

    I haven't noticed any problems. Stopped receiving alerts from Malwarebytes about svchost.exe! That's exciting :-D.

    All scans were successful, including Combofix.

    I have attached the log reports from Malwarebytes, TDSSkiller, and Combofix.

    You're awesome!
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run TDSSKiller and have it fix these that you had it skip before.
    • Either cure, delete or quarantine them.
    • Attach new log.
    • Everything still running okay?
     
  7. edenelaine

    edenelaine Private E-2

    Yup, everything seems to be running smoothly still :)

    Attached is the TDSSkiller log.

    Thank you!
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  9. edenelaine

    edenelaine Private E-2

    Thanks for all your help! :)
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome. Safe surfing! :)
     
