Smitfraud problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by Fosdyke, Sep 20, 2007.

  1. Fosdyke

    Fosdyke Private E-2

    Hi

    Hope you can help - it's a while since I needed to ask - but this one is proving to be a bit of a problem.

    I have run as much of the 'Read & run me first' as I can - but because IE is foobarred I can't run the online scans, and as soon as I re-boot out of safemode the problem re-installs itself!

    Spybot identifies smitfraud-c msvps which fits with the symptoms of a message popping up in windows saying it has identified a serious threat and then directing IE to a 'softwarereferral.com' page to load PSGuard or some other bogus program.

    I have trawled the HJT logs after running scans and I can't see anything that shouldn't be there, with the possible exception of an MSVPS entry - but on studying other forums I am loath to remove this entry.

    I attach my HJT log and the smitrem logs, I have run AVG but it didn't seem to produce a log - anyway any help gratefully appreciated.

    PS Internet connection drops after about 10 mins even in safemode so I have had to reboot 3 times to send this message!!!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you had done the Read and Run First, you would have renamed HJT to analyse.
    C:\Program Files\HijackThis\HijackThis.exe --> C:\Program Files\HijackThis\analyse.exe

    Also you would have downloaded either CounterSpy or AVG Anti-Spyware, which you could have done with a different browser (assuming that part of the issue is with Internet Explorer).

    You would have also attached the ShowNew and GetRun logs.

    In the meantime:
    Download this file - Combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log for you. Attach this log to your next reply.

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach logs for:
    ComboFix
    Avenger
    ShowNew
    GetRun
    HJT
     
  3. Fosdyke

    Fosdyke Private E-2

    OK

    Thanks for the info.

    I have run combofix and HJT as 'analyse' (instructions could be a little more prominent when you are trawling through reams of stuff) and attach logs - none of the entries you suggested required a 'fix' were present. I have also run the other programs and attach logs - with the exception of AVG (which I had already run several times) and Avenger as neither of these managed to produce a log even after several attempts.

    Thanks
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Things look much better.
    Please download and install:
    Java Runtime 6

    Then attach the RunKeys log, please.
     
  5. Fosdyke

    Fosdyke Private E-2

    OK

    Have installed Java and attach runkeys log as requested.

    Can you tell me how this problem has been resolved, as I have only run the combofix program since I originally posted - and since then the computer has been reasonably well behaved. I have some experience in removing malware including smitfraud and using HJT (though I was unaware that there are now nasties which hide themselves if you do not rename HJT) and thought I had dealt with all the bugs - but it just kept coming back! So I would be interested to know what was missed in the original scans.

    Thanks
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    ComboFix removed the rogue programs and their associated files.
    You do not have hidden files showing so please:
    copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as type" is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.

    Now attach new logs for:

    * GetRunKey
     
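The two things the thread keeps coming back to are the autorun registry keys (what the GetRunKey log reports) and whether Explorer is configured to show hidden files. The script below is an added example, not from the MajorGeeks thread or from any of the tools it names; it is a read-only PowerShell check for a current Windows machine (the 2007 XP box in the thread would not have had PowerShell). It lists every value under the HKLM and HKCU Run/RunOnce keys, flags entries whose target file is missing, lives under a temp or profile directory, or has no valid Authenticode signature, and reports the Explorer Hidden and ShowSuperHidden values. The directory patterns and the "suspicious" heuristics are my own assumptions, not anything the thread specifies.

```powershell
# Added example (not from the thread or its tools): GetRunKey-style autorun
# enumeration plus the Explorer hidden-file settings. Read-only; run in an
# elevated PowerShell on the machine being inspected.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Metadata properties PowerShell adds to every Get-ItemProperty result; not registry values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $cmd = [string]$p.Value

            # Extract the executable from the command line: a quoted path, else the first token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $flags = @()
            if (-not (Test-Path -LiteralPath $exe)) {
                $flags += 'missing-file'          # dangling entry or file hidden from this view
            } else {
                # Assumed heuristic: real software rarely autoruns from temp/profile scratch dirs.
                if ($exe -match '\\(Temp|Temporary Internet Files|Local Settings|AppData\\Local\\Temp)\\') {
                    $flags += 'temp-or-profile-dir'
                }
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "unsigned($($sig.Status))" }
            }

            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Flags   = ($flags -join ',')
            }
        }
    }
}

function Get-HiddenFileSettings {
    # Explorer's "Show hidden files" state lives here:
    #   Hidden          1 = show hidden files, 2 = do not show
    #   ShowSuperHidden 1 = also show protected operating system files, 0 = hide them
    $adv = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = Get-ItemProperty -Path $adv
    [pscustomobject]@{
        Hidden          = $v.Hidden
        ShowSuperHidden = $v.ShowSuperHidden
    }
}

Get-HiddenFileSettings | Format-List
Get-AutorunEntries | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Flagged rows are a starting point for the kind of review TimW asks for in the thread, not a verdict: a missing file can mean the entry is stale, or that the binary is hidden by a rootkit from the view this script has, which is exactly why the helpers in the thread want hidden and system files visible before they read the logs.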
