Problem - Trojan-spy.html.Smitfraud.c

There are some standard cleaning procedures we will need to follow and then we will get to a HijackThis log (which will be necessary to finish manual cleaning of Smifraud.c). Please follow the steps below.

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus RemovalMake sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
Download and install Microsoft® Windows AntiSpyware and make sure you get the updates but do not run a scan yet.

Now reboot into safe mode with no network support, make sure you have no browsers opened and then run a full scan with MS Antispyware and let it fix what it finds.

Now reboot into normal mode.



After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Your log shows a problem that MS Antispyware should have fixed. Are you sure you updated MS Antispyware (what version and reference file version are you using)? Also did you run it in safe mode?

 

Did you install and do you use the below:

O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll

 

Now download: HSFix.zip

Extract the tool from the ZIP File to a folder you can easily find (preferably in its own folder - like C:\HSFix).

Now please boot to Safe Mode and DoubleClick hsfix.bat to run the tool.

Allow it as long as it takes to run, then Reboot to Normal Windows and look for a log at C:\hslog.txt . Please attach that log when you come back later after doing the steps below.


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\fixmxs.exe
C:\WINDOWS\System32\expmlog.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [cojuup] c:\windows\system32\cojuup.exe
O4 - HKLM\..\Run: [2soj34X] fixmxs.exe
O4 - HKCU\..\Run: [JB7tRQb3l] expmlog.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0F6861B7-F0C7-40CA-990C-4A93832F513C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0F6861B7-F0C7-40CA-990C-4A93832F513C} - (no file) (HKCU)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\System32\fixmxs.exe
C:\WINDOWS\System32\expmlog.exe
C:\WINDOWS\isrvs <--- the whole folder if MS Antispyware did not fix it.
c:\windows\system32\cojuup.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Please remember to ALWAYS exit ALL browsers ( C:\Program Files\Internet Explorer\iexplore.exe ) before running HijackThis. Not doing so can make it impossible to fix certain problems.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Open Control Panel and select Add/Remove Programs look for the below programs and uninstall them if found:
Search Maid
Security IGuard
Virtual Maid

Now exit Add/Remove Programs.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDaemOVu3Ev6cZrMseCNu+hT1MVli1QiwiiOFSUIcNtSiBOreCx0hCWMH/At8iJft//0NFqR0oQa6h627shONW047VPV2T/oE14BpL26ATE+g=
R3 - Default URLSearchHook is missing

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\msmsgs.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\intmonp.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\WINDOWS\system32\hpD167.tmp
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Program Files\Search Maid<--- the whole folder
C:\Program Files\Security IGuard<--- the whole folder
C:\Program Files\Virtual Maid<--- the whole folder
C:\Windows\System32\Log Files <--- the whole folder


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and continue with the below.

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.

Now please download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program.

Now post a new HJT log. And tell me how things are working.

 

You're welcome! You are clean now. To help keep you that way you should run the steps in the below thread ASAP:

How to Protect yourself from malware!