smitfraud and poper.exe help

Discussion in 'Malware Help (A Specialist Will Reply)' started by satingar, May 9, 2005.

  1. satingar

    satingar Private E-2

    Sorry for not posting on my own thread.

    Hey guys, just wanted to post my findings after running all the steps to removing Smitfraud this weekend. I want to let you guys know I have XP. I first ran steps 1-4 in Getting Prepared. In step 3 I had none of the services running (i.e. Network Security Service, Workstation Netlogon Service or Remote Procedure Call). Then I moved on to the scanning and cleaning steps. Here are my results:

    Step 1 results:
    Trend Micro's Online Virus Scan - Congrats, HouseCall did not find any virus
    Symantec Security Check - Windows Vulnerability found 3 items at risk
    AVERT Stinger - nothing found

    CCleaner - cleaned
    Ad-Aware SE - 1 critical object
    Spybot - No immediate threats
    CWShredder -
    Kill2Me
    HSRemove

    After I ran the scanning & cleaning steps, I went into normal boot mode. I immediately got a Windows popup message. So I went into the Windows Task Manager and noticed popuper.exe was still there. So I went to the HijackThis tutorial, read it and downloaded HJT. I then ran HJT and saved my logfile. I then uploaded my logfile to the HJT logfile checker, and it came up with 16 things that were either unnecessary or nasty. I had HJT fix or delete these things, but it was not able to delete popuper.exe. I am still getting popups, and now when I first boot up my Windows Messenger tries to log on; it never used to even come up in my browser, because I don't use it. Also, every time I boot up, the Windows Update icon in the toolbar says I have new updates to download. OK guys, this is what I have done; let me know if there is something I did wrong or something else I can do to fix these problems. Thanks for your time.

    satingar
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now that we have you in your own thread. Let me ask a question. Did you find and delete:
    c:\wp.exe
    c:\wp.bmp
    c:\windows\web\desktop.html <--- may not exist

    Did you run the registry patch that I gave in all the other threads:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. satingar

    satingar Private E-2

    Yes, I did find and delete
    C:\wp.exe
    C:\wp.bmp

    C:\windows\web\desktop.html -was not there.

    I have run the Regedit 4 patch that you have posted in this thread. I have also downloaded and run HijackThis 1.99.1. Below is the log file from HJT.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\System32\intmonp.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    If the R1 & R0 lines below with qfind.net are valid, just skip them.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
    O4 - HKLM\..\Run: [Upsfctl] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gpginst.exe
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Microsoft AntiSpyware helper - {1AE9B87B-0D9A-41E7-8EA8-3E26E886E53C} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1AE9B87B-0D9A-41E7-8EA8-3E26E886E53C} - (no file) (HKCU)
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/toolbar.CAB

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\System32\intmonp.exe
    C:\Documents and Settings\MICHAE~1\Local Settings\Temp\gpginst.exe
    c:\bsw.exe
    C:\Program Files\Security iGuard <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to C:\Windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
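    The list of R0/R1/O4/O6/O9/O15/O16 lines above is the kind of triage the HJT log checker and chaslang are doing by eye: an autorun launching from a Temp folder or from the drive root, a filename that belongs to this infection, an orphaned IE button, a Trusted Zone addition, an ActiveX (DPF) download from an unknown host, or a start/search page that the user did not set. As an added example that is not part of this thread and is not code from HijackThis, the Python script below parses HJT-style log lines and applies those rules. The sample log is constructed from the lines quoted in this thread plus two benign entries made up for contrast; the `expected_hosts` parameter (the user's own answer to "are the qfind.net lines valid?"), the `TRUSTED_DPF_HOSTS` allowlist and the `KNOWN_BAD_NAMES` set (filenames collected from this thread) are assumptions.

```python
"""Triage HijackThis-style log lines (added example; not HJT code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

# Filenames named in this thread as Smitfraud/popuper components (assumption: treat as bad on sight).
KNOWN_BAD_NAMES = {
    "popuper.exe", "intmonp.exe", "gpginst.exe", "bsw.exe", "wp.exe",
    "security iguard.exe", "shnlog.exe", "ole32vbs.exe", "msole32.exe",
}
# Constructed allowlist of hosts from which O16 ActiveX downloads are expected.
TRUSTED_DPF_HOSTS = {"microsoft.com", "windowsupdate.com"}

# Constructed sample: lines quoted in this thread plus two made-up benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [Upsfctl] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gpginst.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKLM\..\Run: [ConstructedAV] C:\Program Files\ExampleAV\updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Microsoft AntiSpyware helper - {1AE9B87B-0D9A-41E7-8EA8-3E26E886E53C} - (no file) (HKCU)
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/toolbar.CAB
O16 - DPF: {00000000-0000-0000-0000-000000000001} (ConstructedControl) - http://update.microsoft.com/example.cab
"""


@dataclass
class Finding:
    section: str        # HJT section code, e.g. "R0" or "O4"
    reasons: List[str]  # why the line was flagged (may be more than one)
    line: str           # the original log line


_LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
_URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# O4 autorun body: HIVE\..\Key: [name] command
_O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
_ROOT_EXE_RE = re.compile(r'^"?[a-z]:\\[^\\]+\.exe"?', re.IGNORECASE)   # c:\something.exe
_EXE_NAME_RE = re.compile(r'([^\\/"]+?\.exe)\b', re.IGNORECASE)         # last path component


def _host(text: str) -> Optional[str]:
    """Return the hostname of the first URL in text, without a leading 'www.'."""
    m = _URL_RE.search(text)
    if not m:
        return None
    host = (urlparse(m.group(0)).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _allowed(host: Optional[str], allowed: Set[str]) -> bool:
    """Exact or parent-domain match against an allowlist."""
    return host is not None and any(host == a or host.endswith("." + a) for a in allowed)


def triage_line(line: str, expected_hosts: Set[str]) -> Optional[Finding]:
    """Apply the per-section rules to one HJT line; None means nothing suspicious."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []

    if section in ("R0", "R1"):                       # IE start/search pages
        host = _host(body)
        if host and not _allowed(host, expected_hosts):
            reasons.append(f"IE start/search page points at {host}")
    elif section == "O4":                             # autorun entries
        m4 = _O4_RE.match(body)
        cmd = m4.group("cmd") if m4 else body
        exe = _EXE_NAME_RE.search(cmd)
        name = exe.group(1).lower() if exe else ""
        if name in KNOWN_BAD_NAMES:
            reasons.append(f"{name} is a known Smitfraud component")
        if "\\temp\\" in cmd.lower():
            reasons.append("autorun launches from a Temp folder")
        if _ROOT_EXE_RE.match(cmd):
            reasons.append("autorun launches an executable from the drive root")
    elif section == "O6":                             # IE policy restrictions
        reasons.append("IE Control Panel policy restrictions are present")
    elif section == "O9" and "(no file)" in body:     # orphaned button/menu item
        reasons.append("orphaned IE button/menu item (target file missing)")
    elif section == "O15":                            # Trusted Zone additions
        reasons.append("site added to the Trusted Zone: " + body.replace("Trusted Zone: ", "", 1))
    elif section == "O16":                            # ActiveX downloads
        host = _host(body)
        if not _allowed(host, TRUSTED_DPF_HOSTS):
            reasons.append(f"ActiveX (DPF) download from {host or 'unknown host'}")

    return Finding(section, reasons, line.strip()) if reasons else None


def triage(log_text: str, expected_hosts: Set[str]) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged lines, in order."""
    return [f for f in (triage_line(raw, expected_hosts) for raw in log_text.splitlines()) if f]


if __name__ == "__main__":
    # The user said the qfind.net lines are theirs, so only hsremove.com is flagged among R0/R1.
    for finding in triage(SAMPLE_LOG, {"qfind.net"}):
        print(f"{finding.section}: {'; '.join(finding.reasons)}\n    {finding.line}")
```

    Run it with the expected hosts the machine's owner actually set; everything it flags is a candidate for the HJT Fix list, and the two constructed benign lines (a Program Files autorun and a microsoft.com DPF download) fall through. The rules are deliberately conservative: a legitimate program that happens to autorun from Temp will be flagged for a human to look at, which is the right failure mode for this kind of triage.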
     
  5. satingar

    satingar Private E-2

    Ok here is what I have done:

    Ran HJT and killed:
    C:\windows\popuper.exe (when I did this my McAfee VirusScan notified me that it was being deleted from the system). This is the first time VirusScan has even recognized popuper.exe.

    C:\windows\system32\intmonp.exe was not there

    I then went back and ran a scan in HJT and selected all 15 lines you asked me to select. After closing down browsers, I clicked Fix and then exited HJT.

    Then I booted into safe mode and used windows explorer to delete

    C:\windows\popuper.exe - not there
    C:\windows\system32\intmonp.exe - deleted it
    C:\documents and settings\MICHAE~1\Local Settings\Temp\gpginst.exe - not there
    C:\bsw.exe - not there
    C:\Program Files\Security iGuard folder - not there

    Next I ran CCleaner, and since I am running XP I went to C:\windows\Prefetch and deleted all files in this folder.

    Next I rebooted into normal mode and ran HJT again and saved my log file. The first thing that I could tell was not back to normal was that Windows Messenger popped up after boot-up and tried to log on. Other than that it seems to be running fine. I checked the processes in the Task Manager and popuper.exe is gone. I will attach my new log file as you requested. Like I said, so far so good; you have no idea how much I appreciate your help, bro. Let me know what you think.

    Thanks a million

    Satingar- :D
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks clean now but I just want you to double check for some other things that sometimes come with this infection. Run Windows Explorer and look for the below and delete if found:
    C:\WINDOWS\system32\msmsgs.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\WINDOWS\system32\hpD167.tmp
    C:\Windows\sites.ini
    C:\Program Files\Search Maid <--- the whole folder
    C:\Program Files\Virtual Maid <--- the whole folder
    C:\Windows\System32\Log Files <--- the whole folder



    Let me know what you find!
     
  7. satingar

    satingar Private E-2

    The only ones I could find were:

    C:\windows\sites.ini - deleted it
    C:\windows\system32\log files - deleted the whole folder

    I'm still getting Windows Messenger trying to log in when I boot up. Can I just delete the whole Messenger? I went into the settings and tried to disable it at boot-up but I could not find the option. The rest of the files you asked me to look for were not there.

    Satingar-
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. satingar

    satingar Private E-2

    Thanks chaslang, that seems to have worked. I went in and disabled Windows Messenger, and my computer seems to be running like normal again. Thanks for all your help in getting rid of Smitfraud and popuper.exe!!

    Satingar :D
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

