Another smitfraud victim...

Discussion in 'Malware Help (A Specialist Will Reply)' started by wpaladin, Oct 13, 2008.

  1. wpaladin

    wpaladin Private E-2

    Overview/Intro:

    Smit won't let Firefox run at all! Disgusting little thing. Refuses to die.

    All required logs have been put into the MGLogs.zip file - only one attach.

    I've run SpyBot which finds smitfraud and removes 'svchost.exe' from
    C:\Windows where it 'resides' (hides) after booting into Windows XP. SAS
    does the same. Logs echo the find and removal of svchost in scans.

    The 'good' version of svchost.exe I have is dated 2001 and the file size is
    smaller than the infected file that is found and deleted. Combofix finds and
    deletes it too.

    ----------------------------------------------------------------------
    "C:\WINDOWS\svchost.exe" 22528 10/13/2008 07:48 PM !!!

    "C:\WINDOWS\system32\svchost.exe" 12800 08/23/2001 08:00 AM
    "C:\WINDOWS\system32\dllcache\svchost.exe" 12800 08/23/2001 08:00 AM
    ----------------------------------------------------------------------

    I have tried rebooting into Safe Mode with a command prompt so I can check
    if svchost.exe is there.

    svchost.exe is gone from c:\Windows in Safe Mode with cmd-prompt.

    Once Windows XP is loaded and 'settles' down:

    (1) The infected svchost.exe file is back,
    (2) Firefox will not run or comes up and exits after a few seconds.

    I also tried the online scanner that was suggested.

    Thanks,

    Bill

     

    Attached Files:

    Last edited by a moderator: Oct 15, 2008
  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks, wpaladin

    Please be patient while I review your logs.

    Note: One of the mods will edit out your e-mail addy - not a good idea to post it in the open forums.
     
  3. wpaladin

    wpaladin Private E-2

    Thanks for looking at my stuff. OK to remove the email address. Quick question:

    Would re-installing WinXP wipe it out? Thanks - BPal, Long Island
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Yes - a "clean install" would.... that's quite a bit of work - to reload everything, IMO. Please advise me if this is what you intend to do.

    TNX
     
  5. wpaladin

    wpaladin Private E-2

    No, not ready to re-install WinXP. 'Sides, it does not have SP2 (long story). I do have a large flash drive and a very small hard drive.

    TBC,

    BPal
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Code:
    Memory Processes Infected:
    C:\WINDOWS\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    (No malicious items detected)
    
    Registry Values Infected:
    (No malicious items detected)
    
    Registry Data Items Infected:
    (No malicious items detected)
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    C:\WINDOWS\svchost.exe (Trojan.Agent) -> No action taken.
    
    Please re-run MWB's and have it fix those items.
     
  7. wpaladin

    wpaladin Private E-2

    Two files from Malwarebytes runs are attached. It seems that each time I run MWB, it finds smitfraud. I request removal, it goes ahead and deletes it.
    It does not show in C:\Windows where it usually hides. Then when I re-boot it's back.

    Thanks for your help,

    Bill
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you disabled your av programs and esp. disabled TeaTimer when you run the SAS and MWB's scans?
     
  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, wpaladin

    Step 1:
    First you need to disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer

    After rebooting from disabling Teatimer, continue with the below.

    Step 2:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed
    Step 3:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\system32\atlcom374_705.dll
    C:\WINDOWS\System32\BCB80684.EXE 
    C:\WINDOWS\svchost.exe
    
    Folder::
    C:\WINDOWS\Gameeeeee.vbs
    C:\Documents and Settings\All Users\Application Data\Viewpoint 
    
    Driver::
    wowsystemcode
    5BB6D41E
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=- 
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 4:
    Run Ccleaner, then re-boot into normal mode


    Step 5:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Then attach the below logs to your next reply:
    • C:\MGlogs.zip
    • C:\combofix.txt

    Make sure you tell me how things are working now!
     
  10. wpaladin

    wpaladin Private E-2

    Another smitfraud victim...continued

    to Dr M

    Thanks for the latest suggestions. Latest run is attached. I included the ComboFix log in the zip file.

    Thanks

    Bill
     

    Attached Files:

  11. wpaladin

    wpaladin Private E-2

    Deleting the Java jre's, re-running Combo Fix, disabling TeaTimer etc., seems to have fixed Firefox! Svchost is gone and never comes back. I'd like to make a PayPal contrib.

    How do I do that?

    Bill
     
  12. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, wpaladin

    A little more work to do....


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\smithf.bat 
    C:\WINDOWS\Gameeeeee.vbs 
    C:\WINDOWS\syscheck
     
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Run Ccleaner, then re-boot into normal mode

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file along with the C:\Combofix.txt log.

    *Also tell me how your pc is running now.
     
  13. wpaladin

    wpaladin Private E-2

    PC is running fine - very quiet; only 5% CPU utilization or less. I will run the last bat-file you suggested and send logs late today/tonight.

    BTW, smithf.bat I created so that I could look for all copies of svchost. Not a threat:

    dir /s svc*exe

    Thanks for the help,

    Bill
     
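The first post compares a svchost.exe found in C:\WINDOWS against the genuine copies in system32 and dllcache by location, size and date, and the batch file above (`dir /s svc*exe`) lists every svchost copy so the same comparison can be made. The script below is an added example, not from the thread or its participants, that automates that check: it parses listing lines in the `"path" size date time` shape quoted in the first post and flags any svchost.exe that sits outside the directories Windows XP keeps it in, or whose size differs from the dllcache reference copy. The sample listing embedded in it is constructed from the three lines the post quoted; the set of expected directories and the helper names are this example's own assumptions.

```python
"""Flag svchost.exe copies living outside the directories Windows keeps them in.

Added example, not code from the MajorGeeks thread. It parses listing lines of
the form  "path" size date time  (as quoted in the first post) and uses the
dllcache copy as the size reference, the way the poster compared the files by eye.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample listing mirroring the three lines quoted in the thread.
SAMPLE_LISTING = '''
"C:\\WINDOWS\\svchost.exe" 22528 10/13/2008 07:48 PM
"C:\\WINDOWS\\system32\\svchost.exe" 12800 08/23/2001 08:00 AM
"C:\\WINDOWS\\system32\\dllcache\\svchost.exe" 12800 08/23/2001 08:00 AM
'''

# Directories where a genuine svchost.exe is expected on Windows XP (lower-cased).
# Assumption of this example: a patched machine may also hold a copy under
# ServicePackFiles\i386, so that location is listed as legitimate too.
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\dllcache",
    r"c:\windows\servicepackfiles\i386",
}
REFERENCE_DIR = r"c:\windows\system32\dllcache"

# "C:\path\file.exe" 12800 08/23/2001 08:00 AM
LINE_RE = re.compile(
    r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)'
)

Entry = Dict[str, object]


def parse_listing(text: str) -> List[Entry]:
    """Turn listing lines into dicts; lines that do not match the shape are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        entries.append({
            "path": m.group("path"),
            "size": int(m.group("size")),
            "date": m.group("date"),
            "time": m.group("time"),
        })
    return entries


def split_dir(path: str) -> Tuple[str, str]:
    """Return (directory, filename), both lower-cased for case-insensitive compare."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def find_suspect_svchost(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every svchost.exe that looks out of place."""
    reference: Optional[Entry] = None
    for e in entries:
        directory, name = split_dir(str(e["path"]))
        if name == "svchost.exe" and directory == REFERENCE_DIR:
            reference = e  # the protected dllcache copy is the size baseline

    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        directory, name = split_dir(str(e["path"]))
        if name != "svchost.exe":
            continue
        reasons: List[str] = []
        if directory not in EXPECTED_DIRS:
            reasons.append("unexpected directory")
        if reference is not None and e is not reference and e["size"] != reference["size"]:
            reasons.append(f"size {e['size']} differs from dllcache copy ({reference['size']})")
        if reasons:
            findings.append((str(e["path"]), reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in find_suspect_svchost(parse_listing(SAMPLE_LISTING)):
        print(f"SUSPECT {path}: {'; '.join(reasons)}")
```

Run against the constructed listing it reports only C:\WINDOWS\svchost.exe, for both reasons the first post gave (wrong directory, larger than the 2001 copies). A size match alone is not proof of a clean file, so on a real machine the flagged paths are candidates for the kind of scanner run the thread goes on to do, not a verdict.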
  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :-D

    Thanks for letting me know - newly created files named as such, will draw attention. ;)

    Will give you the final cleanup if there's nothing found in your next logs.

    dr.m
     
  15. wpaladin

    wpaladin Private E-2

    Windows Messenger util. did not run. Only asked for setup info.

    Logs are in attached zip file.

    The batfile to collect and zip log files was not there so I zipped
    them myself along with the ComboFix log.

    PC still runs smoothly. No popups.

    Thanks,

    Bill
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is there. It is right where the procedure said it would be. The below is taken right from your logs and it shows the file.
    Code:
    "C:\"
    mglogs.zip    Oct 19 2008       13748  "MGlogs.zip"
     
  17. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, wpaladin

    Please visit this link for removal of Windows Messenger using the VBS version.
    http://www.dougknox.com/xp/tips/xp_messenger_remove.htm

    And here are your final clean-up instructions:
    Safe surfing! :cool
     
