Smitfraud.c

garp · Jul 6, 2005

Hi

I have tried the steps in the HJT Tutorial but still can't get rid of this blue screen and security warning.

May I post a log?

bjgarrick · Jul 6, 2005

Please follow standard cleanup procedures as given below:

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps below:

http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

garp · Jul 7, 2005

Hi - I've tried everything I could. I couldn't get the online scans to work (Trend & Symantec) but I downloaded all the other stuff and ran them. None of them found anything suspicious.

I have attached my HJT log. Hope you can help.

bjgarrick · Jul 7, 2005

Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

Sysclean Package

Pattern.zip

Once you have these downloaded into the folder you just created, double click the file sysclean.com

When the system cleaner loads, click SCAN to start the scanner.

After you complete the above scan, reboot and attach a fresh HJT log.

garp · Jul 7, 2005

Hi - I've downloaded the files but when I double-click on sysclean, nothing hapeens.

bjgarrick · Jul 7, 2005

garp said:

Hi - I've downloaded the files but when I double-click on sysclean, nothing hapeens.
Click to expand...

Do you have both files in the same folder?

Did you extract the contents of the lpt719.zip file into the same folder?

garp · Jul 7, 2005

Yes - it's called lpt$vpn.719

bjgarrick · Jul 7, 2005

Delete the file, re-download and try once more. Never heard of it doing this before.

garp · Jul 7, 2005

Still the same. Can I run it from DOS?

bjgarrick · Jul 7, 2005

garp said:

Still the same. Can I run it from DOS?
Click to expand...

Yes you can!

garp · Jul 8, 2005

OK - tried that. It says "cannot execute c:\........\sysclean.com

Sorry to be a pain

bjgarrick · Jul 8, 2005

It's ok, lets see if you can run these online scans,

Bitdefender online scan
RavAntivirus online scan <-- select Auto Clean then click Scan My PC
TrojanScan online scan
Panda Online Scan

If you complete these online scans reboot and attach a fresh HJT log, if you can't then let me know and we will go to plan F, LOL!

garp · Jul 8, 2005

Lol - thanks for your help - I've got to go to work now but I'll try them later

bjgarrick · Jul 8, 2005

garp said:

Lol - thanks for your help - I've got to go to work now but I'll try them later
Click to expand...

Okay!

Good Luck!

garp · Jul 10, 2005

Hi again,

I managed to run all the online scans except for Bitdefender. Lots of nasties were found and disinfected - but after rebooting, I've still got the Smitfraud.c blue screen and warning message.

Maybe we'll have to go to plan F after all.

I've attached the latest HJT log.

Garp

chaslang · Jul 11, 2005

garp said:

Hi again,

I managed to run all the online scans except for Bitdefender. Lots of nasties were found and disinfected - but after rebooting, I've still got the Smitfraud.c blue screen and warning message.

Maybe we'll have to go to plan F after all.

I've attached the latest HJT log.

Garp
Click to expand...

You still show PSGuard in your HJT log. Follow the steps below. These are Generic steps to cover all forms of problems with Smitfraud. So you may not find many of the things I mention. If you do not see them, don't worry about it, just continue to the next item or step and complete all steps.

It is very important that you remember to exit all browsers ( C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE ) before running HijackThis.

Do you have an Espon printer? It seems rather strange that Espon would put the below file in the root folder of drive C:

O4 - Startup: EPSON Background Monitor.lnk = C:\dload.exe

Make sure viewing of hidden files is enabled (per the tutorial).

Open Control Panel and select Add/Remove Programs look for the below programs and uninstall them if found:
Search Maid
Security IGuard
Virtual Maid
PSGuard

Now exit Add/Remove Programs.

Some of the items mentioned in the below steps may or may not be there. If not found just ignore them and continue. These problems come in a variety of forms and different filenames can be used each time.

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\PROGRAM FILES\PSGUARD\PSGUARD.EXE
C:\WINDOWS\system32\msmsgs.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\intmonp.exe
C:\WINDOWS\System32\intmon.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [PSGuard] C:\PROGRAM FILES\PSGUARD\PSGUARD.EXE
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\System32\popcorn64.exe
c:\windows\system32\vjdzpn.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\system32\msmsgs.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\intmonp.exe
C:\WINDOWS\System32\intmon.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\WINDOWS\system32\hp9980.tmp
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\PROGRAM FILES\PSGUARD<--- the whole folder
C:\Program Files\Search Maid<--- the whole folder
C:\Program Files\Security IGuard<--- the whole folder
C:\Program Files\Virtual Maid<--- the whole folder
C:\Windows\System32\Log Files <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and continue with the below.

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixsmit.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixsmit.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=-
"WallpaperLocalFileTime"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-
"paint.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000
"Use Search Asst"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]
[-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]
[-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]
[-HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}]
[-HKEY_CLASSES_ROOT\CLSID\VMHomepage]
[-HKEY_CLASSES_ROOT\CLSID\VMHomepage.1]
[-HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}]
[-HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]
[-HKEY_CLASSES_ROOT\VMHomepage]
[-HKEY_CLASSES_ROOT\VMHomepage.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\r]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel system tool"=-
"WindowsFZ"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusGold]
Click to expand...

Now please download HOSTER and then follow the below steps.

Unzip Hoster to a convenient folder such as C:\Hoster

Run Hoster.exe, click Restore Original Hosts and then click OK.

Click the X to exit the program.

Now post a new HJT log. And tell me how things are working.

garp · Jul 13, 2005

Hi - thanks - I've done all that and it seems to have cleared the problem.

I've attached a new log, just in case.

Thanks for all your help - I really appreciate it

chaslang · Jul 13, 2005

You're welcome. Your log is clean. Now to help keep it that way, check out the steps in the below thread:

How to Protect yourself from malware!

Log in or Sign up

Smitfraud.c

garp Private E-2

bjgarrick MajorGeeks Admin - Malware Expert

garp Private E-2

Attached Files:

hijackthis.log.txt

bjgarrick MajorGeeks Admin - Malware Expert

garp Private E-2

bjgarrick MajorGeeks Admin - Malware Expert

garp Private E-2

bjgarrick MajorGeeks Admin - Malware Expert

garp Private E-2

bjgarrick MajorGeeks Admin - Malware Expert

garp Private E-2

bjgarrick MajorGeeks Admin - Malware Expert

garp Private E-2

bjgarrick MajorGeeks Admin - Malware Expert

garp Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

garp Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member