Smitfraud and Others I think, please help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by brianz37, May 27, 2008.

  1. brianz37

    brianz37 Private E-2

Had the smitfraud wallpaper, was infected with this once before, ran smitfraudfix and was ok. This time it does not work. Keep getting popups from task bar, and cannot download anything as IE is being redirected. Loaded superantispyware from flash drive. Had spybot search and destroy on computer, ran this also. I am unable to do a lot because I can't download anything; it seems when I download on another computer and move with a flash drive, I can't get program to run on laptop. Also keep getting Data Execution Prevention shutting down windows explorer and notepad. Below is the hijack this log copied from my laptop, I hope this is right, as notepad keeps shutting down. Any help would be great.

    Thanks in advance!
     
    Last edited by a moderator: May 27, 2008
  2. abri

    abri MajorGeek

    Hi brianz37,
    Welcome to Major Geeks!


    If you still have the HJT log and can attach it, that would be helpful. Also, see if you can get us a copy of the scan from USING MG TOOLS. This scan doesn't attempt any changes to your computer so it might be possible to get it to run. Try it in normal mode if possible, in safe mode if normal mode isn't possible. Let me know how this goes.

    abri
     
  3. brianz37

    brianz37 Private E-2

Thanks for the help abri. I work 12 hr night shifts, so sometimes it will take awhile between replies.
    I have attached the files that you requested, not sure which of the MGtools logs that you need. If you need more, I will get what you need.

    Thanks again.
    Brian
     

    Attached Files:

  4. brianz37

    brianz37 Private E-2

    Here are the rest of the MG logs.

    Brian
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi brianz37,

    You have a lot of malware. I hope the following set of instructions will allow you to go back to the READ & RUN ME FIRST when you're finished, as we can't see all the files without the rest of the logs.

    Please begin by doing the below instructions. If something doesn't work, make a note of it and tell us what happened, then just continue on. Your computer is not in normal startup mode with msconfig. How to set this correctly is described in the instructions.



    1) Please look at the contents of this folder and remove anything that Windows will allow you to remove and that is not something you need to keep:


    C:\Documents and Settings\All Users\Application Data\TEMP



    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


3a) Go to start> control panel> administrative tools> services> scroll down to "Windows Action Script" and double click it. In the window that opens look for startup type, use the arrow on the right to get the selections and select disable. Click apply> ok. Exit administrative tools.

3b) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
    O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O20 - Winlogon Notify: ddcDvVlL - ddcDvVlL.dll (file missing)
    O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)

    After you click fix, just close hijackthis.



    4) Go to add/remove programs and uninstall the below:

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1



    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt



    6) Now run CCleaner at the default setting with the Windows tab as the top one.



    7) Install the current version of Sun Java from: Sun Java Runtime Environment


    8) Before you go back to begin the instructions in the READ & RUN ME FIRST, first please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip. You do not have to find and post these files individually as you did the first time. They will be located as a zip file called MGlogs.zip and you can find them directly under C:\ with the files (not folders). When you come here to post and click on the Manage Attachments buttons, look for them in that location.


    I also want you to attach the Avenger log.


    Please note when you start the instructions in the READ & RUN ME, that your computer is not in normal startup mode. You need to change this. There are instructions in the READ ME with regard to msconfig. Please take note of those.


Let me know how things are running now. (I will not be here for several days. Either someone else will help you or I'll get back to you as soon as I'm back. Thanks for your patience.)

    abri
     
    Last edited: May 29, 2008
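To make the reasoning behind these HijackThis picks concrete, here is an added example (not from the thread and not part of HijackThis or MGtools) that scans the log lines quoted above and flags the same signals abri acted on: an extra executable chained onto UserInit, orphaned BHO and Winlogon Notify entries, and a service whose binary is missing or is a near-miss of a real system binary name. The SYSTEM_NAMES list and the 0.85 similarity threshold are assumptions.

```python
from __future__ import annotations
import re
from difflib import SequenceMatcher

# Constructed sample: the HijackThis lines quoted in this thread plus one benign service line.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\xwusuhzh.exe,
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O20 - Winlogon Notify: ddcDvVlL - ddcDvVlL.dll (file missing)
O23 - Service: Windows Action Script - Unknown owner - C:\\WINDOWS\\system32\\scvhost.exe (file missing)
O23 - Service: Example Service - Example Corp - C:\\Program Files\\Example\\svc.exe
"""

# Assumption: a short list of Windows binaries whose names malware often imitates.
SYSTEM_NAMES = {"svchost.exe", "userinit.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def lookalike(name: str) -> str | None:
    """Return the system binary this filename closely resembles but does not equal, if any."""
    name = name.lower()
    for real in SYSTEM_NAMES:
        if name != real and SequenceMatcher(None, name, real).ratio() >= 0.85:
            return real
    return None

def check_line(line: str) -> list[str]:
    """Return human-readable findings for one HijackThis log line (empty list = nothing odd)."""
    findings = []
    if line.startswith("F2 - REG:system.ini: UserInit="):
        # UserInit should list only userinit.exe; anything chained after it runs at every logon.
        exes = [p for p in line.split("=", 1)[1].split(",") if p.strip()]
        extra = [e for e in exes if not e.lower().endswith("\\userinit.exe")]
        if extra:
            findings.append("UserInit chains extra executable(s): " + ", ".join(extra))
    if line.startswith(("O2 ", "O3 ")) and "(no name)" in line and "(no file)" in line:
        findings.append("orphaned browser add-on entry with no name and no file")
    if line.startswith("O20 - Winlogon Notify") and "(file missing)" in line:
        findings.append("orphaned Winlogon Notify entry (DLL missing)")
    if line.startswith("O23 - Service"):
        if "(file missing)" in line:
            findings.append("service points to a missing binary")
        m = re.search(r"([^\\\s]+\.exe)", line, re.IGNORECASE)
        if m and (real := lookalike(m.group(1))):
            findings.append(f"service binary {m.group(1)} imitates {real}")
    return findings

def scan(log: str) -> dict[str, list[str]]:
    """Map each suspicious log line to its findings; clean lines are omitted."""
    return {ln: f for ln in log.splitlines() if (f := check_line(ln))}
```

Running `scan(SAMPLE_LOG)` flags the F2, O2, O20 and scvhost.exe O23 lines and leaves the QuickTime and Example Service lines alone.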
  6. brianz37

    brianz37 Private E-2

    Thanks abri,

I made it through to step #7, my internet is still being redirected. Anything that I type into the address bar or any link that I click is redirected. My favorites seem to be fine, they go where they are supposed to. Also, Notepad is still being shut down (Data Execution Prevention message). I used Microsoft Word to copy the text that you wanted me to copy. I have attached the logs that you wanted. Some of the files did not show up when I ran C:\MGtools\analyse.exe:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)

I had already removed all of the java files after I posted the first set of logs, and I believe I used the Norton logs for the xwusuhzh.exe to repair that.

    The laptop seems to be running a bit faster now, as when opening files and windows. I'll go back and start with the READ & RUN ME FIRST now.

    As a note, I know where I was infected, it was at:

    www.cmt.com/shows/series/can_you_duet/series.jhtml

It looked as though Norton tried to do something, I got a lot of messages from Norton and a bunch of pop-ups, the computer froze for a couple of minutes while the site loaded and that was that, and here I am.

    Thanks again for your help!
    Brian
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Please refer to step 1 of the READ & RUN ME and use MSconfig to put your PC into normal startup mode as requested; you must remain in normal startup mode. Then please try to complete the instructions in the READ & RUN ME now and get all the logs attached. You have signs of a rootkit we need to remove and we are going to need a log from ComboFix to continue with this.
     
  8. brianz37

    brianz37 Private E-2

    Hello,

Thanks again for the help, I have run everything in read and run me. It seems that everything is pretty much back to normal. Machine is taking quite a while to boot. Running in normal startup mode. All logs are attached.

    Thanks,
    Brian
     

    Attached Files:

  9. brianz37

    brianz37 Private E-2

    MG logs attached.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have Spybot's Teatimer running! You must disable this now as requested in the READ ME. See this link: How to disable Spybot's TeaTimer

    After you disable Teatimer, continue with the below.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups. Make sure that you use REMOVE!

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. brianz37

    brianz37 Private E-2

    OK, made it through all that you requested.
    Did not find the following line:
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
I did receive a success message about adding text to the registry.
How long does it normally take for combo fix to reboot? Machine was at "Windows is shutting down" for 45 min. and then I powered off. Combofix continued at power up.
Computer seems to be running pretty smooth. Still slow on boot, get just a black screen for up to a couple of minutes before windows splash screen.
    I have attached the requested logs.

    Thanks again,
    Brian
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Something on your PC is preventing it from running properly. If you look at the log you just posted you will see the below:
This probably caused it to never finish running.

Computer seems to be running pretty smooth. Still slow on boot, get just a black screen for up to a couple of minutes before windows splash screen.

This is most likely due to the programs you are running at startup, like
    • NeroFilterCheck
    • Adobe Reader Speed Launcher
    • Adobe Photo Downloader
    • GoogleToolbarNotifier
    • MSN Messenger
    • Symantec
• GoogleUpdater
    • Intel\Wireless which includes the below 3 services
      • EvtEng
      • OwnershipProtocol
      • RegSrvc
    • InCD Helper
    • NVIDIA Display Driver Service
    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    10. Go to add/remove programs and uninstall HijackThis.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  13. brianz37

    brianz37 Private E-2

    Thank you for your help. It has been much appreciated. Running much better now.

    Brian
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
