Smitfraud and who knows what else!

Discussion in 'Malware Help (A Specialist Will Reply)' started by twoleggedfeline, Jun 11, 2008.

  1. twoleggedfeline

    twoleggedfeline Private E-2

    I've followed all the steps, run all the programs, and beat my head into the wall multiple times. The problem is with a HP laptop running Windows XP which belongs to my mother. Around 10pm last night (that's June 10th) she was "just checking her e-mail" when the computer went haywire. Red, evil screen, "VIRUS ALERT!" by clock, and inability to access most of the items normally found in the Start menu and such. Programs opening without permission, fake Microsoft messages about viruses, etc, etc. I ran Spybot on the advice of another forum initially, which turned up 97 problems. It crashed while trying to repair them, and a new scan (with Spybot) showed up around 16. It was after that that I found this forum (doing a google on Smitfraud) and followed the steps with all the recommended programs. The programs have suggested anywhere between 2 and 20 (or so) problems. None have given a clean scan, yet, but I haven't scanned again since using MGtools. I'm not sure if the issue is fixed now, as I seem to be able to access everything fine and the alerts and such have stopped, but I'm worried that there's a nasty beastie still lurking and waiting to pounce. So, any feedback would be most welcome. An all-clear would be best, obviously, but if there's more I need to do for that to be the case, I'll happily do it!

    Thanks in advance for the help. Also, I'm very sorry if I've done anything wrong. It's been a long day since last night, and I'm a bit short on sleep and focus now!

    - TLF
     

    Attached Files:

  2. twoleggedfeline

    twoleggedfeline Private E-2

    Again, sorry if I'm doing this wrong, but here's the last log from MGtools.
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi twoleggedfeline!

    Can you walk? (imagines a cat with two left legs)
    :-D
    Welcome to Major Geeks!

    Yes, the Beastie still has a few claws in there. Tell your mother not to take candy from strangers.

    I've started looking at your logs. It can take some time to read through them and put together a set of instructions for you, so thanks for being patient. While you're waiting, please avoid using the computer unnecessarily and avoid any unnecessary reboots.

    Thanks.
    abri

     
  4. abri

    abri MajorGeek

    Hi TwoLeggedFeline,

    Here are the instructions:



    1) Please rename the following file by adding .zzz to the end of the file:

    C:\WINDOWS\system32\mmf.sys -----> mmf.sys.zzz


    2) Please disable your guest account if this hasn't already been done.


    3) Go to add/remove programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_05
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1



    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select 'Do a system scan only'. In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {03DF7C23-6BBE-42FF-86A5-C898B685C5DE} - C:\WINDOWS\system32\xxyayVnM.dll (file missing)
    O2 - BHO: (no name) - {32E2BDF2-1770-4AB8-A641-84E4DDF0DBF4} - C:\WINDOWS\system32\iifgGwwx.dll (file missing)
    O2 - BHO: (no name) - {5141806F-CC36-4BCA-A3AE-E55A116B57FC} - (no file)
    O2 - BHO: (no name) - {A30B575B-0E87-446B-BB58-DD22D0F61DE0} - C:\WINDOWS\system32\ljJCuRJD.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O3 - Toolbar: rtsplgob - {65059A5D-7EBF-41DC-8A37-B30F87021E22} - C:\WINDOWS\rtsplgob.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O20 - Winlogon Notify: ljJCuRJD - ljJCuRJD.dll (file missing)
    O21 - SSODL: rnopbfgt - {42915F77-DCB3-4482-9EE9-CCE9D825DDCD} - C:\WINDOWS\rnopbfgt.dll (file missing)
    O21 - SSODL: xkefqtgs - {742BC519-4637-479D-8C6E-8A2B6CBFD29E} - C:\WINDOWS\xkefqtgs.dll (file missing)


    Does the following program need to load at startup? If not, please fix it as well.

    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe


    After you click Fix, just close HijackThis.

    6) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DRIVER::
    Winsv71
    
    FILE::
    C:\WINDOWS\system32\xxyayVnM.dll
    C:\WINDOWS\system32\iifgGwwx.dll
    C:\WINDOWS\system32\Drivers\Winsv71.sys
    C:\WINDOWS\system32\ljJCuRJD.dll
    C:\WINDOWS\xkefqtgs.dll
    C:\WINDOWS\rnopbfgt.dll
    C:\WINDOWS\system32\ljJCuRJD.dll
    C:\WINDOWS\rtsplgob.dll
    
    REGISTRY::
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03DF7C23-6BBE-42FF-86A5-C898B685C5DE}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32E2BDF2-1770-4AB8-A641-84E4DDF0DBF4}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5141806F-CC36-4BCA-A3AE-E55A116B57FC}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A30B575B-0E87-446B-BB58-DD22D0F61DE0}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{65059A5D-7EBF-41DC-8A37-B30F87021E22}"=-
    [-HKEY_CLASSES_ROOT\clsid\{65059a5d-7ebf-41dc-8a37-b30f87021e22}]
    [-HKEY_CLASSES_ROOT\rtsplgob.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{C4A5E4E5-722A-4718-8CB1-44134B0C912B}]
    [-HKEY_CLASSES_ROOT\rtsplgob]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{A30B575B-0E87-446B-BB58-DD22D0F61DE0}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "rnopbfgt"=-
    "xkefqtgs"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCuRJD]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsv71.sys]
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    7) Now run CCleaner at the default setting with the Windows tab as the top one.


    8) Install the current version of Sun Java from: Sun Java Runtime Environment


    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


    Let me know how things are running now?

    abri
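The HijackThis entries in step 5 and the CFScript in step 6 are two views of the same persistence points: each O2 line is a key under Browser Helper Objects, each O3 a value under Internet Explorer\Toolbar, each O20 a key under Winlogon\Notify and each O21 a value under ShellServiceObjectDelayLoad. As an added example, not part of the thread or of the MGtools/ComboFix tooling, the script below parses O-lines in the format quoted above and emits the FILE:: and REGISTRY:: sections for them; SAMPLE_LOG is copied from the step 5 entries and the registry paths are the ones the thread's own CFScript targets. It does not produce the items the helper took from elsewhere in the logs (the ShellExecuteHooks value, the rtsplgob ProgID and TypeLib keys, the SafeBoot entry, the policy values), and it deliberately leaves O4 Run entries alone.

```python
r"""Turn HijackThis O-lines into the FILE:: and REGISTRY:: parts of a CFScript.

Added example, not code from the thread or from the MajorGeeks tools.
SAMPLE_LOG is copied from the HijackThis entries quoted in step 5; the
registry paths are the ones the thread's own CFScript targets.
"""
import re

SYSTEM32 = r"C:\WINDOWS\system32"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt"
              r"\currentversion\winlogon\notify")
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\ShellServiceObjectDelayLoad")

# O2 (BHO), O3 (toolbar) and O21 (SSODL) share one shape: name - {CLSID} - file
CLSID_RE = re.compile(
    r"^(O2|O3|O21) - (?:BHO|Toolbar|SSODL): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

# Copied from the step 5 entries in the thread (one O4 line kept to show it is skipped).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {03DF7C23-6BBE-42FF-86A5-C898B685C5DE} - C:\WINDOWS\system32\xxyayVnM.dll (file missing)
O2 - BHO: (no name) - {32E2BDF2-1770-4AB8-A641-84E4DDF0DBF4} - C:\WINDOWS\system32\iifgGwwx.dll (file missing)
O2 - BHO: (no name) - {5141806F-CC36-4BCA-A3AE-E55A116B57FC} - (no file)
O2 - BHO: (no name) - {A30B575B-0E87-446B-BB58-DD22D0F61DE0} - C:\WINDOWS\system32\ljJCuRJD.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: rtsplgob - {65059A5D-7EBF-41DC-8A37-B30F87021E22} - C:\WINDOWS\rtsplgob.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O20 - Winlogon Notify: ljJCuRJD - ljJCuRJD.dll (file missing)
O21 - SSODL: rnopbfgt - {42915F77-DCB3-4482-9EE9-CCE9D825DDCD} - C:\WINDOWS\rnopbfgt.dll (file missing)
O21 - SSODL: xkefqtgs - {742BC519-4637-479D-8C6E-8A2B6CBFD29E} - C:\WINDOWS\xkefqtgs.dll (file missing)
"""


def _split_file(tail):
    """Split HJT's trailing file field into (path or None, reported_missing)."""
    tail = tail.strip()
    if tail == "(no file)":
        return None, True
    if tail.endswith("(file missing)"):
        return tail[: -len("(file missing)")].strip(), True
    return tail, False


def parse_hjt(line):
    """Parse one O-line into a dict, or None for line types this script ignores."""
    if m := CLSID_RE.match(line):
        kind, name, clsid, tail = m.groups()
        path, missing = _split_file(tail)
        return {"kind": kind, "name": name, "clsid": clsid, "path": path, "missing": missing}
    if m := NOTIFY_RE.match(line):
        name, tail = m.groups()
        path, missing = _split_file(tail)
        return {"kind": "O20", "name": name, "clsid": None, "path": path, "missing": missing}
    if m := RUN_RE.match(line):
        hive, name, cmd = m.groups()
        return {"kind": "O4", "name": name, "clsid": None, "path": cmd, "missing": False}
    return None


def build_cfscript(lines):
    """Emit KILLALL::/FILE::/REGISTRY:: text for the O2/O3/O20/O21 entries in lines.

    O4 (Run) entries are skipped: the thread fixes those in HijackThis itself,
    and their command lines often belong to legitimate software.
    """
    files, dead_keys, dead_values = [], [], {}
    for line in lines:
        e = parse_hjt(line)
        if e is None or e["kind"] == "O4":
            continue
        path, clsid, name = e["path"], e["clsid"], e["name"]
        if e["kind"] == "O20" and path and "\\" not in path:
            path = SYSTEM32 + "\\" + path   # Winlogon loads bare DLL names from system32
        # "(file missing)" only means HJT could not see the file; the thread's
        # script still lists every path under FILE:: in case it is merely hidden.
        if path and path not in files:
            files.append(path)
        if e["kind"] == "O2":
            dead_keys.append(f"[-{BHO_KEY}\\{clsid}]")
        elif e["kind"] == "O3":
            dead_values.setdefault(TOOLBAR_KEY, []).append(clsid)
            if path:  # the DLL's own COM registration, as the thread did for rtsplgob
                dead_keys.append(f"[-HKEY_CLASSES_ROOT\\clsid\\{clsid.lower()}]")
        elif e["kind"] == "O20":
            dead_keys.append(f"[-{NOTIFY_KEY}\\{name}]")
        elif e["kind"] == "O21":
            dead_values.setdefault(SSODL_KEY, []).append(name)
    reg = list(dead_keys)
    for key, names in dead_values.items():
        reg.append(f"[{key}]")
        reg.extend(f'"{n}"=-' for n in names)
    return "\n".join(["KILLALL::", "", "FILE::", *files, "", "REGISTRY::", *reg]) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG.splitlines()))
```

Running it prints a script whose FILE:: and REGISTRY:: lines match the corresponding lines of the step 6 box. Note that it lists the DLL paths even when HijackThis reported them as missing: that marker only says HijackThis could not see the file, which is why the helper's script deleted the paths anyway.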
     
  5. twoleggedfeline

    twoleggedfeline Private E-2

    It's just a nickname from a friend who commented that I walk "like a feline. A two-legged feline" (given that I'm human and, thusly, have only two legs).

    I've told her before not to open weird e-mails or attachments, but she does anyway. She just doesn't tell me about it anymore. I've always been able to fix any problems before this one.. rolleyes

    I'm at work just now, so I won't get to follow your instructions until tonight. I just have a few questions, if you're able to answer them before then that's great, if not I'll just assume...

    1. Should I use normal or safe mode for this? (I assume normal)
    2. You say disable the guest account... as far as I know, there isn't one. Of course, I could just be an idiot about this. Any way to check?

    I think that's it. Thanks so much for the help. I'll let you know how it works out as soon as I can!
     
  6. abri

    abri MajorGeek

    I thought I might be talking to a human, but you just never know anymore. LOL

    normal

    Go to Start / Control Panel and click on User Accounts. There should be one called Guest. It is usually disabled by default, but our logs don't always show it that way. If it's not disabled, click on it, edit it and change it to disabled. This is a precaution against malware. Most people don't use this account.

    abri
     
  7. twoleggedfeline

    twoleggedfeline Private E-2

    It says mmf.sys is in use and cannot be renamed. I'm currently removing the J2SE programs. Guest account is disabled. Should I just continue with the other steps without renaming the file?

    Edit:

    To add to this-- I've removed all the programs from step 3, as well as Windows Messenger. As for mmf.sys, it still refuses to be renamed. I'm hesitant to try to halt any processes or disable startups and reboot in order to rename it, at least without advice. So, advice would be most welcome, as always! Or, if it simply refuses to be renamed no matter what, knowing what to do instead would be great.

    - TLF
     
  8. twoleggedfeline

    twoleggedfeline Private E-2

    Following a reboot, mmf.sys is still "in use" and can't be renamed.
     
  9. abri

    abri MajorGeek

    Don't worry about the driver for now. How is your computer doing?

    Actually, if you attach the logs, I'll know more.
     
  10. twoleggedfeline

    twoleggedfeline Private E-2

    As I couldn't rename the file, I didn't follow the rest of the steps yet since I wasn't sure how vital that part was. I'll do them now.

    - TLF
     
  11. twoleggedfeline

    twoleggedfeline Private E-2

    Combofix gave me an error that it "cannot be renamed to cf.exe" and needs a name composed of both alpha and numeric characters when I dragged CFscript.txt onto cf.exe. Both are saved to the Desktop. So, do I need to change the name to run it? Also, when using analyse.exe I could not find

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
     
  12. twoleggedfeline

    twoleggedfeline Private E-2

    No luck with Combofix still. Installed the new Java. Here's the new (current) MGtools log.
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi TwoLeggedFeline,

    Please go to Using Combofix and reinstall it to the desktop. Try it without renaming it. Allow it to install over the old one. Then try running the instructions I gave you in post 4 step 6 again.

    Thanks.
    abri
     
  14. twoleggedfeline

    twoleggedfeline Private E-2

    Oh-kay!

    So, I redownloaded Combofix and ran it according to the normal instructions. I used the CFscript, and it worked this time (That's CFlogStep6.txt). Then I re-ran the MGtools .bat to get the logs. So here are the logs from Combofix, both the re-run and the Step 6 CF script log, and the newest MGtools log.

    The computer is behaving pretty well, though it does seem slow on startup/shutdown. Since I don't normally use this computer I can't say for sure that it's slower than normal. But that's about it.

    Oh, and it took about 10 minutes to get to this forum page just now. But my other computer couldn't do it either, so I figure it's not related to this viral problem.

    Also, the clock is currently in 24 hour format. Prior to all these issues, it wasn't. I haven't changed it back yet since I'm not sure if it's related to one of the programs (I know one of them, at least, mentioned it would change the clock format) or if it's a symptom of something.

    Thanks again so much for the help.

    - TLF
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi TwoLeggedFeline,

    1) Your logs look good. While you still have the tools installed, please open the C:\MGTools folder and double-click on analyse.exe. Then click on the button that says Run a system scan and put a checkmark next to the following entries. Close any browser windows you have open and then click on Fix.

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

    2) The clock is changed by Combofix. About 8 out of 10 times it gets changed back. To change it back manually, go to Start / Control Panel / Regional and set the time back in there.

    3) For that one driver, I don't know that it's malware, but I don't know that it's not. It could belong to any number of programs. Please give the rename one last try by going into Safe Mode and seeing if you can rename it there. The name of the file is:

    C:\WINDOWS\system32\mmf.sys -----> mmf.sys.zzz

    If you can't get it to change, just leave it.

    4) Then please go ahead with the final cleanup instructions in the box below. This computer does not have SP3 on it yet. It needs to be updated after running the final cleanup instructions, because you should have a clean restore point before downloading and installing SP3 so that if you need a point to return to you'll have one. I'm going to give you the final cleanup instructions which allow you to keep the copy of HijackThis and the backups on the computer. If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in gray at the bottom of the box.
    abri
     
  16. twoleggedfeline

    twoleggedfeline Private E-2

    I managed to rename the file in safe mode. However, rebooting in normal mode showed a new version of the file, named mmf.sys as well as the file mmf.sys.zzz.

    I have followed all the other steps thus far, except for the system restore toggle, which I am about to do.

    What, exactly, is SP3? (I haven't read the file about preventing malware yet, so if the answer is in there, feel free to disregard this question!)


    Thank you so very, very much for all the help.

    - TLF
     
  17. abri

    abri MajorGeek

    Hi twoleggedfeline,

    Microsoft sends out updates for Windows operating systems around once a month. For the third time, they've bundled a lot of these updates all together into one big package. Your computer currently shows as being XP SP2, but on April 14th, if your updates were turned on, it should have downloaded and installed SP3. This negates the necessity of downloading all these corrections and patches one at a time and makes your computer more secure. There are sometimes difficulties with the installation if your computer has malware, because malware tries to prevent security updates, but at the moment, while your computer is clean, after you set a clean restore point, this would be a good time to see if you can get this update.

    The mmf.sys file is a bit of a mystery. I've been able to track it down somewhat, but I still don't know what it does or what it belongs to. It's probably part of something you downloaded and if your computer is running well, I would not worry about it. After you set the new restore point, you can delete the one you renamed with the .zzz

    If your computer is running okay, then go ahead with clearing all your previous restore points and setting a clean one as described in the link.

    If nothing else comes up, then best of luck and enjoyment with your computer.
    abri
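The driver that would not rename in normal mode (posts 7, 8, 15 and 16) is the kind of file a helper wants to map back to its owning service before deciding what it is. A .sys file referenced by an entry under HKLM\SYSTEM\CurrentControlSet\Services with Start 0 or 1 (boot or system start) is loaded before any user can touch it, which is why the rename only worked in Safe Mode; and a key under SafeBoot\Minimal, like the Winsv71.sys one the step 6 script removes, is how a driver gets loaded in Safe Mode as well. As an added example, not part of the thread or of the MajorGeeks tools, the script below parses a `reg export` of the Services key and reports every entry whose ImagePath names the driver, with its start type. The export excerpt is constructed and its service names are made up for illustration; the thread never identified what mmf.sys belongs to, and this example does not either.

```python
r"""Find the service or driver entry that loads a given .sys file.

Added example, not from the thread. On the XP machine one would first run
    reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
and hand that file to find_driver_owners(). SAMPLE_REG below is a constructed
excerpt in .reg format; the service names in it are made up for illustration
and say nothing about what mmf.sys actually belongs to.
"""
import re

START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Constructed sample. REG_EXPAND_SZ values are exported as hex(2): UTF-16LE
# bytes split over continuation lines, exactly as reg.exe writes them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleFilter]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,6d,00,6d,00,66,00,2e,00,73,00,79,00,\
  73,00,00,00
"DisplayName"="Example Filter Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Type"=dword:00000010
"Start"=dword:00000003
"ImagePath"="C:\\Program Files\\Example\\examplesvc.exe"
'''


def decode_reg_value(raw):
    """Decode one .reg value payload: "string", dword:xxxxxxxx, or hex(n):aa,bb,..."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if m := re.match(r"hex(?:\((\d+)\))?:(.*)$", raw):
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):   # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ: UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data                          # REG_BINARY and anything else: raw bytes
    return raw


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: decoded_value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # rejoin hex lists continued with a trailing '\'
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(raw)
    return keys


def find_driver_owners(reg_text, sys_name):
    """Return [(service, image_path, start)] for entries whose ImagePath names sys_name."""
    owners = []
    for key, values in parse_reg_export(reg_text).items():
        image = values.get("ImagePath")
        if not isinstance(image, str):
            continue
        # ImagePath may read "system32\drivers\x.sys", "\??\C:\...\x.sys" or "%SystemRoot%\..."
        if image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == sys_name.lower():
            start = values.get("Start")
            owners.append((key.rsplit("\\", 1)[-1], image, START_NAMES.get(start, str(start))))
    return owners


if __name__ == "__main__":
    for service, image, start in find_driver_owners(SAMPLE_REG, "mmf.sys"):
        print(f"{service}: {image} (start={start})")
```

A hit with start type boot or system explains the "in use" error; the way to stop such a driver loading is to set that entry's Start value to 4 (disabled) or remove the service, not to fight the file while it is mapped. Something also re-created mmf.sys after the rename (post 16), so a service entry alone may not be the whole story: whatever program registers that driver will write it back, and that program is the next thing to look for.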
     
  18. twoleggedfeline

    twoleggedfeline Private E-2

    Nope, nothing else has come up. The laptop is behaving perfectly, and all virus scans and malware scans and the like have turned up clean since following your instructions.

    Thanks again so very, very much for all your help.

    - TLF
     
  19. abri

    abri MajorGeek

    You're welcome twoleggedfeline!
    Good luck to you and enjoy your computer!
     
