Smitfraud? Pop up window issue...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Smash1297, Jun 3, 2008.

  1. Smash1297

    Smash1297 Private E-2

    Hello,

    For the past couple of weeks I have been having an issue with popups. I have run Spybot and it keeps coming up with Smitfraud-c.CoreServices. I have read and tried running almost every program that's recommended: Ad-Aware, Spybot, CCleaner, etc. I changed my AV from AVAST! to Kaspersky, yet I still have an issue. Looking at all the posts, it looks like I need your help in reviewing all my logs and getting your advice as to my next step...

    Hopefully I have done all this correctly. Here are the first 3 logs...

  2. Smash1297

    Smash1297 Private E-2

    and here is the 4th log...

    Thank you very much! I look forward to hearing from you.

  3. abri

    abri MajorGeek

    Hi smash1297,
    Welcome to Major Geeks!


    Let's try the following and see how it goes.

    1) Go to add/remove programs and uninstall the below:

    Java 2 Runtime Environment, SE v1.4.2_06
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1


    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime


    Do the following programs need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    After you click Fix, just close HijackThis.

    4) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):


    Code:
    KILLALL::
    
    DRIVER::
    usbehcii
    
    FILE::
    C:\WINNT\system32\drivers\usbehcii.sys
    C:\WINNT\system32\drivers\core.cache.dsk
    
    FOLDER::
    C:\Temp\maxsv15
    C:\Temp\tn3
    C:\WINNT\system32\in3
    
    REGISTRY::
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please reboot your computer if this has not occurred since you first uninstalled the old Java versions in step 1. It needs to have been rebooted once before you install the new Java in the next step.

    7) Install the current version of Sun Java from: Sun Java Runtime Environment

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri
     
  4. Smash1297

    Smash1297 Private E-2

    Thanks Abri!

    I followed all your directions. I did get an error when I tried to move the CFscript.txt over the CF.txt. It said the CFscript was not a reg file so I couldn't import it. I clicked OK and ComboFix started to run, ran, rebooted my PC, and the CFscript.txt was gone from my desktop, so I "assume" it ran....

    Unfortunately I am still getting some pop ups... so maybe something didn't run correctly.

    Here are my logs you requested.

    Thanks again!

    john

  5. abri

    abri MajorGeek

    Hi Smash1297,

    The reason you're still getting popups is because the malware is still there. I would like for you to try a new tool and see if this works better. It's important that you download and install the tool, but then only run it after you've physically disconnected your computer from the internet and disabled all your security software. Sometimes security software can block a fix and you do not want to be connected to the internet while your security programs are turned off. Do NOT run this program in safe mode. It needs to be run in normal boot up mode. To follow the instructions while disconnected from the internet, you may need to print them out.

    Now download The Avenger by Swandog46, and save it to your Desktop. Then disconnect from the internet and shut off your security programs.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Please run CCleaner after you complete the above. Then make sure all of your security programs are running again and then reconnect to the internet.

    Attach the Avenger log with your next post.

    abri
     
  6. Smash1297

    Smash1297 Private E-2

    Abri,

    I followed your directions and here are the resulting logs.

    thanks for your help,

    john

  7. abri

    abri MajorGeek

    Hi Smash1297,

    Avenger shows as not having found any of the files I wanted you to delete. Therefore, I need to look at your MGlogs again to see if those files are still there. Please run C:\MGtools\GetLogs.bat and attach a new MGlogs.zip.

    Thanks.
    abri
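    The CFScript in post 3 and the question in post 7 of whether those files are still there come down to the same check. The script below is an added example (not abri's script and not part of ComboFix, Avenger or MGtools) that tests every item from that CFScript from the defender's side; it assumes the thread's C:\WINNT paths and a modern Windows PowerShell run as Administrator.

```powershell
# Added verification check, not from the thread: confirms that the items listed in
# the CFScript above are gone. Assumes the thread's C:\WINNT layout and an elevated
# PowerShell session; adjust the paths if your system root differs.

$files   = @('C:\WINNT\system32\drivers\usbehcii.sys',
             'C:\WINNT\system32\drivers\core.cache.dsk')
$folders = @('C:\Temp\maxsv15', 'C:\Temp\tn3', 'C:\WINNT\system32\in3')

# [-KEY] in CFScript means "delete this whole key".
$keysToBeGone = @('HKCU:\Software\Kazaa', 'HKLM:\SOFTWARE\knight')

# "Name"=- under a key means "delete this value"; the key itself stays.
$policyKeys   = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
$policyValues = @('HideLegacyLogonScripts', 'HideLogoffScripts',
                  'RunLogonScriptSync', 'RunStartupScriptSync', 'HideStartupScripts')

$findings = @()

foreach ($p in ($files + $folders)) {
    if (Test-Path -LiteralPath $p) { $findings += "still present: $p" }
}

# DRIVER:: names a kernel service. Get-Service does not list kernel drivers, so
# check the service control manager's registry key for it instead.
if (Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\usbehcii') {
    $findings += 'driver service key still present: usbehcii'
}

foreach ($k in $keysToBeGone) {
    if (Test-Path -LiteralPath $k) { $findings += "registry key still present: $k" }
}

foreach ($k in $policyKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $props = Get-ItemProperty -LiteralPath $k
    foreach ($v in $policyValues) {
        if ($null -ne $props.PSObject.Properties[$v]) {
            $findings += "policy value still present: $k\$v"
        }
    }
}

if ($findings.Count -eq 0) { 'All CFScript items are gone.' } else { $findings }
```

    Anything it lists is something the tools above did not remove and is worth reporting back with the logs.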
     
  8. Smash1297

    Smash1297 Private E-2

    Here you go!

    thanks again..
    john

  9. abri

    abri MajorGeek

    Hi Smash1297,

    The entries we wanted to remove are gone. There are some temp files I would still like to try getting rid of. Please do the following:


    Run CCleaner at the default setting with the Windows tab as the top one, but before you do, I want you to add two folders. To do this go to settings / custom / files and folders to be cleaned. Add:

    C:\Documents and Settings\Administrator\Local Settings\Temp\*.*
    C:\WINNT\Temp\*.*


    Then click on Run Cleaner.

    After you've run CCleaner, please remove the two above folders by going to settings / custom / files and removing the two folders you added.

    After this I would like for you to run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    If your temp files are clean, then I'll post you the final cleanup instructions that will remove all the tools and logs we had you put on your computer and get you to set a clean restore point.

    abri
     
  10. Smash1297

    Smash1297 Private E-2

    done and done... thanks!

  11. abri

    abri MajorGeek

    Hi Smash1297,

    Are you still getting the popups? If so, I will need more specific information about them like a screen shot. If they are no longer there, then I would like for you to go through the final cleanup instructions in the box below:
    Thanks!
    abri
     
  12. Smash1297

    Smash1297 Private E-2

    Thank you for all your help!

    So far so good. If I ever have any type of issue again I will make sure I make this site my first stop, and I will recommend it to anyone I know that has an issue from now on.

    thanks again!

    john
     
  13. abri

    abri MajorGeek

    Great to hear!
    And thanks for recommending us.
    Good luck and enjoy your computer!