Help is GREATLY Appreciated. Smitfraud-C

Discussion in 'Malware Help (A Specialist Will Reply)' started by Beyond_Frustrated, Nov 18, 2008.

  1. Beyond_Frustrated

    Beyond_Frustrated Private E-2

    I have a Windows XP, 2002 Version, SP3. Yesterday I was surfing the web, minding my own business, when constant pop-up ads kept appearing... annoyingly, might I add. Pop-up blocker is enabled, but it cannot contain these for some reason. Also, whenever I use search engines (especially Google) I cannot click on any searches, because the internet redirects me all the time to an advertisement page or something. Again, frustrating. Also, my internet was running extremely slow. Highly unusual. (I have both Firefox 3.0 and IE.) Also, my laptop decided to stop listening to me whenever I wanted to shut it down. I could see the light below alerting me that it was trying to do something, but after the longest 23 minutes of my life, it finally shut down.

    I ran AVG virus scan and Spybot S&D and voilà, up came something called Smitfraud-C (7 entries of it actually), something else called Zlob, and numerous other things. Now, I had Spybot "fix" these issues, and 42 were supposedly removed. I also had over 150 warnings on my AVG report (mainly tracking cookies), and those were supposedly removed as well. I attempted to restart my computer and run it in safe mode and re-scan (I had also disabled System Restore by this point), but when I repeatedly pressed F8 upon startup, the first time it redirected me, but SAFE MODE was not an available option (weird, I thought). Then I tried it again, but it started to ignore me and just continued regular startup. Blasted laptop!

    Although my internet is running a little faster than before (still not as it used to), I still get pop-up ads, etc. I have done research on this "Smitfraud-C" and attempted to follow instructions from cases which were similar to mine. However, I ran Spybot again, and it, along with "Zlob", keeps appearing. *sigh*

    I am posting an HJT log, and my DDS and GMER logs just in case someone needs them. Thanks in advance. I'm at my wits' end.


    HJT LOG
    Last edited by a moderator: Nov 18, 2008
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your
     
  3. Beyond_Frustrated

    Beyond_Frustrated Private E-2

    Thank you for responding. I have uploaded the SASlog, Combolog and Malwarelog. I am creating another post to upload the MGlogs.
     

  4. Beyond_Frustrated

    Beyond_Frustrated Private E-2

    Here is the MGlogs.zip file, attached. Also, is it okay to uninstall the programs I needed for the malware removal, since I have obtained the logs from them?
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We will take care of cleanup when we finish fixing your PC.

    Please disable Spybot's Teatimer as requested in the READ & RUN ME. See: How to disable Spybot's TeaTimer


    Do you know what the below files are for?
    Code:
    "C:\WINDOWS\"
    dxt2d4.tmp    Oct 28 2008           0  "DXT2D4.tmp"
    dxt43a.tmp    Oct 22 2008           0  "DXT43A.tmp"
    dxt43b.tmp    Oct 22 2008           0  "DXT43B.tmp"
    dxt43c.tmp    Oct 22 2008           0  "DXT43C.tmp"
    dxt43d.tmp    Oct 22 2008           0  "DXT43D.tmp"
    dxt473.tmp    Sep 25 2008           0  "DXT473.tmp"
    dxt474.tmp    Sep 25 2008           0  "DXT474.tmp"
    dxt475.tmp    Sep 25 2008           0  "DXT475.tmp"
    dxt476.tmp    Sep 25 2008           0  "DXT476.tmp"
    dxt477.tmp    Sep 25 2008           0  "DXT477.tmp"
    dxt478.tmp    Sep 25 2008           0  "DXT478.tmp"
    dxt479.tmp    Sep 25 2008           0  "DXT479.tmp"
    dxt47a.tmp    Sep 25 2008           0  "DXT47A.tmp"
    dxt47b.tmp    Sep 25 2008           0  "DXT47B.tmp"
    dxt47c.tmp    Sep 25 2008           0  "DXT47C.tmp"
    dxt47d.tmp    Sep 25 2008           0  "DXT47D.tmp"
    dxt47e.tmp    Sep 25 2008           0  "DXT47E.tmp"
    dxt47f.tmp    Sep 25 2008           0  "DXT47F.tmp"
    dxt480.tmp    Sep 25 2008           0  "DXT480.tmp"
    dxt481.tmp    Sep 25 2008           0  "DXT481.tmp"
    dxt482.tmp    Sep 25 2008           0  "DXT482.tmp"
    dxt483.tmp    Sep 25 2008           0  "DXT483.tmp"
    dxt484.tmp    Sep 25 2008           0  "DXT484.tmp"
    dxt485.tmp    Sep 25 2008           0  "DXT485.tmp"
    dxt486.tmp    Sep 25 2008           0  "DXT486.tmp"
    dxt487.tmp    Sep 25 2008           0  "DXT487.tmp"
    dxt488.tmp    Sep 25 2008           0  "DXT488.tmp"
    dxt489.tmp    Sep 25 2008           0  "DXT489.tmp"
    dxt48a.tmp    Sep 25 2008           0  "DXT48A.tmp"
    dxt48b.tmp    Sep 25 2008           0  "DXT48B.tmp"
    dxt48c.tmp    Sep 25 2008           0  "DXT48C.tmp"
    dxt48d.tmp    Sep 25 2008           0  "DXT48D.tmp"
    dxt48e.tmp    Sep 25 2008           0  "DXT48E.tmp"
    dxt48f.tmp    Sep 25 2008           0  "DXT48F.tmp"
    tmpcpyis.bat  Oct 28 2008         124  "tmpcpyis.bat"
    tmpdelis.bat  Oct 28 2008         122  "tmpdelis.bat"
    winstart.bat  Oct 28 2008          26  "winstart.bat"
    
    2008-09-29 11:44 153 ----a-w C:\DelUS.bat
    2008-06-17 21:36 0 ----a-w c:\program files\temp01
    


    • Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

      Uninstall the below old versions of software:
      J2SE Runtime Environment 5.0 Update 4
      Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

      Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
      O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (file missing)
      O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (file missing)
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (file missing)
      O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

      After clicking Fix, exit HJT.
      Now reboot! And after reboot install the current version of Sun Java from: Sun Java Runtime Environment

      Now run Ccleaner!

      Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

      Then attach the below logs:
      • C:\MGlogs.zip
      Make sure you tell me how things are working now!
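The HJT lines chaslang asks to fix above all share one property: a BHO, toolbar or extra-button registration whose DLL is gone ("(no file)" / "(file missing)"), plus one harmless autorun. The helper below is an added example, not part of the original thread and not code from HijackThis or MGtools; it parses lines in that format, flags the orphaned registrations, and names the well-known registry locations where each kind of CLSID registration lives (those locations are general Windows knowledge, not something the post states). The sample log is constructed: the orphaned lines are copied from the post, and the last line is a made-up healthy entry with a placeholder CLSID.

```python
"""Triage helper for HijackThis (HJT) log lines of the kind quoted in the
post above.  Added example; it is not part of the original thread and not
code from HijackThis or MGtools.

It parses O2 (BHO), O3 (IE toolbar), O4 (autorun) and O9 (IE extra button)
lines, flags entries whose backing file is gone ('(no file)' or
'(file missing)'), and maps each CLSID to the well-known registry locations
where that kind of registration lives.  SAMPLE_LOG is constructed: the
orphaned lines are copied from the post, the last line is a made-up healthy
entry with a placeholder CLSID."""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\\Program Files\\AOL\\AIM Toolbar 5.0\\aoltb.dll (file missing)
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\\Program Files\\AOL\\AIM Toolbar 5.0\\aoltb.dll (file missing)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
"""

# O2/O3/O9 share the shape "<kind> - <label>: <name> - {CLSID} - <path>".
COM_RE = re.compile(
    r"^(?P<kind>O[239]) - (?:BHO|Toolbar|Extra button): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# O4 lines: "O4 - HKLM\..\Run: [value name] command line".
RUN_RE = re.compile(
    r"^(?P<kind>O4) - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


@dataclass
class Entry:
    kind: str
    name: str
    clsid: Optional[str]   # None for O4 autoruns, which are not CLSID-based
    path: str              # DLL path, or the autorun command line for O4
    orphaned: bool         # registration points at a file that no longer exists


def _orphaned(path: str) -> bool:
    p = path.strip()
    return p == "(no file)" or p.endswith("(file missing)")


def parse_hjt(text: str) -> List[Entry]:
    """Parse the supported HJT line types; unknown lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = COM_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["name"], m["clsid"], m["path"],
                                 _orphaned(m["path"])))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["name"], None, m["cmd"], False))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.orphaned]


def registry_locations(e: Entry) -> List[str]:
    """Well-known places where this kind of CLSID registration is stored."""
    if e.clsid is None:
        return []
    locs = [r"HKCR\CLSID\%s" % e.clsid]
    if e.kind == "O2":
        locs.append(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
                    r"\Browser Helper Objects\%s" % e.clsid)
    elif e.kind == "O3":
        locs.append(r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar "
                    r"(value name %s)" % e.clsid)
    elif e.kind == "O9":
        locs.append(r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\%s"
                    % e.clsid)
    return locs


if __name__ == "__main__":
    for e in orphaned(parse_hjt(SAMPLE_LOG)):
        print(e.kind, e.name, e.clsid)
        for loc in registry_locations(e):
            print("   ", loc)
```

Orphaned entries are dead weight rather than active malware, but a "(no file)" BHO with a missing name is exactly what is left behind after a rogue DLL has been deleted, which is why the fix list above clears them rather than leaving the registration in place.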
     
  6. Beyond_Frustrated

    Beyond_Frustrated Private E-2

    Everything is working much better; however, there is still a "ZLOB" trojan that just will not go away. In fact, it appears 6 times.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please complete all of my previous instructions. And also answer my questions.
     
  8. Beyond_Frustrated

    Beyond_Frustrated Private E-2

    Oh yes, I had already redone the steps you've given me. However, ZLOB still appears. As for the files you asked if I knew, I have absolutely no clue what those are. Odd, if they came from my laptop. Hmm..
    I would upload the logs from when I redid the steps, but I've checked three times over and the logs are exactly the same as the first time I uploaded them. I even opened up Notepad, copied and pasted the first batch of logs, and then attempted to copy the more recent logs over it, but that box popped up and asked if I wanted to overwrite it, basically because everything was the same. But I had read them through just to be extra, EXTRA sure.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you have not. Near the end of my last fix it said
    • You did not give me the new log. You need to run C:\MGtools\GetLogs.bat to create a NEW log and then attach it.
    Also, where is it that you are seeing the reports of Zlob, and from what program? If it is just in System Volume Information then it is not a problem, because that is just System Restore, which will be fixed in the final instructions.


    Then delete them.
     
  10. Beyond_Frustrated

    Beyond_Frustrated Private E-2

    I attached the MGlogs to this post....

    Okay, so since the last fix, here's what's been going on:

    Whenever I turn on (or restart) my laptop, a black screen pops up and I'm given the choice to choose either the RECOVERY CONSOLE or just WINDOWS XP HOME EDITION (the Windows XP Home Edition is always highlighted). I never click either one because the screen goes away in like 6 seconds flat. But I found it odd, since it had never done that before...

    Once I put in my password and am taken to my desktop, the AVG Resident Shield pops up twice. The first ones says:

    THREAT FOUND! C:/DOCUMENTS AND SETTINGS/ [MY NAME]/run1.exe
    and that is called a "Trojan Horse Downloader.Agent.AOCC"

    I am given the option to either HEAL or MOVE TO VAULT. Every time I click, HEAL, it states that the "Specified File Cannot Be Found".

    At this point, the second shield pops up stating:

    THREAT FOUND! C:/DOCUMENTS AND SETTINGS/ [MY NAME]/ run2.exe

    and it's called a Trojan Horse.Zlob.AGNS and this one appears multiple times on the same Shield. Again, I am given the choice to either HEAL or MOVE TO VAULT, and every time I try to "heal", it says the same thing as the Agent.AOCC one.

    I have gone into my Documents and Settings and located the run1.exe and the run2.exe. There is also a run3 and a run4, but these files are transparent, like they're meant to be hidden. I want to delete them, but I'd like your go-ahead before I do so.

    Also, do you happen to know what all of the:
    $N0ADE~1 Aug 14 2008 "$NtUninstallKB951072-v2$"
    $N18DC~1 May 28 2008 "$NtUninstallKB932823-v3$"
    $N1AD0~1 Sep 20 2008 "$NtUninstallKB951376-v2$"
    $N2173~1 Jun 20 2008 "$NtUninstallKB951376-v2_0$"

    are for? They appear way more than 4 times under my C:/WINDOWS and I don't know/understand what they are for... Thanks again for putting up with all of this. I know you guys get more frustrated than us. :)
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, but now I want you to download, install and run the latest version of MGtools, which was just updated. Get it here: MGtools.exe Please attach the new log.

    This has been like this since you installed the Recovery Console in the ComboFix procedure. ;)

    These are all part of Windows Updates.
     
    Last edited: Nov 27, 2008
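The file listings quoted in this thread (the zero-byte DXT*.tmp run and three .bat files under C:\WINDOWS in post 5, and the $NtUninstallKB* folders asked about in post 10 and identified above as Windows Update leftovers) all come in one format: short name, date, an optional size, and the quoted long name. The script below is an added example, not part of the thread and not MGtools code; it parses that format and applies the three checks a triager would make on it: recognise $NtUninstallKB* directories as Windows Update uninstall folders and pull out the KB number, flag same-day bursts of zero-byte .tmp files, and flag batch files sitting directly in the Windows directory. The listing it runs on is a constructed excerpt of the lines quoted in the thread, and the burst threshold of three files per day is an assumption.

```python
"""Triage of directory listings in the format quoted in this thread.
Added example; not part of the original thread and not MGtools code.

Checks performed:
  * $NtUninstallKB<number>...$ folders are Windows Update uninstall
    directories (benign); the KB number is extracted for reference.
  * Several zero-byte *.tmp files created on the same day are reported as a
    burst (the threshold is an assumption).
  * Batch files directly in the Windows directory are reported for review.
SAMPLE_LISTING is a constructed excerpt of the listings quoted in the thread."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LISTING = """\
"C:\\WINDOWS\\"
dxt2d4.tmp    Oct 28 2008           0  "DXT2D4.tmp"
dxt43a.tmp    Oct 22 2008           0  "DXT43A.tmp"
dxt43b.tmp    Oct 22 2008           0  "DXT43B.tmp"
dxt43c.tmp    Oct 22 2008           0  "DXT43C.tmp"
dxt473.tmp    Sep 25 2008           0  "DXT473.tmp"
dxt474.tmp    Sep 25 2008           0  "DXT474.tmp"
dxt475.tmp    Sep 25 2008           0  "DXT475.tmp"
dxt476.tmp    Sep 25 2008           0  "DXT476.tmp"
tmpcpyis.bat  Oct 28 2008         124  "tmpcpyis.bat"
tmpdelis.bat  Oct 28 2008         122  "tmpdelis.bat"
winstart.bat  Oct 28 2008          26  "winstart.bat"
$N0ADE~1 Aug 14 2008 "$NtUninstallKB951072-v2$"
$N18DC~1 May 28 2008 "$NtUninstallKB932823-v3$"
$N2173~1 Jun 20 2008 "$NtUninstallKB951376-v2_0$"
"""

DIR_RE = re.compile(r'^"(?P<dir>[A-Za-z]:\\.*)"$')
ENTRY_RE = re.compile(
    r'^(?P<short>\S+)\s+(?P<date>[A-Z][a-z]{2} \d{1,2} \d{4})\s+'
    r'(?:(?P<size>\d+)\s+)?"(?P<long>[^"]+)"$'
)
KB_RE = re.compile(r"^\$NtUninstall(?P<kb>KB\d+)(?:-v\d+)?(?:_\d+)?\$$")


@dataclass
class Entry:
    directory: str
    short: str
    long: str
    date: str
    size: Optional[int]   # None for directories, which have no size column


def parse_listing(text: str) -> List[Entry]:
    """Parse directory headers and entry lines; anything else is skipped."""
    entries: List[Entry] = []
    current_dir = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIR_RE.match(line)
        if m:
            current_dir = m["dir"]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        size = m["size"]
        entries.append(Entry(current_dir, m["short"], m["long"], m["date"],
                             int(size) if size is not None else None))
    return entries


def triage(entries: List[Entry], burst_threshold: int = 3) -> Dict[str, list]:
    findings: Dict[str, list] = {
        "windows_update_uninstall": [],   # benign, KB numbers
        "zero_byte_tmp_bursts": [],       # (date, count) pairs
        "batch_in_windows_dir": [],       # file names to read before deleting
    }
    tmp_by_date: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        kb = KB_RE.match(e.long)
        if kb:
            findings["windows_update_uninstall"].append(kb["kb"])
            continue
        lower = e.long.lower()
        in_windows = e.directory.rstrip("\\").lower().endswith("\\windows")
        if lower.endswith(".tmp") and e.size == 0:
            tmp_by_date[e.date].append(e.long)
        elif lower.endswith(".bat") and in_windows:
            findings["batch_in_windows_dir"].append(e.long)
    for date, names in tmp_by_date.items():
        if len(names) >= burst_threshold:
            findings["zero_byte_tmp_bursts"].append((date, len(names)))
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_listing(SAMPLE_LISTING)).items():
        print(key, value)
```

The point of separating the three buckets is that they call for different actions: the KB folders need no action, a burst of empty temp files dated to one day is a timeline clue worth matching against the rest of the logs, and a short batch file in the Windows directory is something to open and read before it is deleted.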
  12. Beyond_Frustrated

    Beyond_Frustrated Private E-2

    Okay. I uploaded the latest version logs. So will the black screen at start-up always pop up and disappear like that? And is it okay to delete the "run1.exe and run2.exe" files I mentioned before?
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, unless you uninstall the Recovery Console, which I don't recommend. It could be a life saver some day, especially if you do not have a Windows boot CD.

    You will only currently find the below files there which you should delete.
    Code:
    "C:\Documents and Settings\Taivesha\"
    run3.exe      Nov 23 2008       20480  "run3.exe"
    run3~1.htm    Nov 26 2008       20480  "run3.html"
    After deleting these, your logs are otherwise clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  14. Beyond_Frustrated

    Beyond_Frustrated Private E-2

    Thank you SO much for helping me and your quick responses! Everything is working perfectly now =]
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
