Trojan-Spy.HTML.Smitfraud.c

Discussion in 'Malware Help (A Specialist Will Reply)' started by nv178177, Apr 14, 2005.

  1. nv178177

    nv178177 Private E-2

    I've gone through all the spyware removers that were recommended before posting my hijack this log.

    I have a blue screen and a yellow flashing icon in the taskbar that says 4 exploits.

    I've tried to remove the wp.exe and wp.bmp files from my c:\. I've been told that the screen should go black, but it's not. I have no control of my background settings when I right click on my desktop.

    Here's a copy of my hjt log.

    Edit by chaslang: Unrequested, old version, inline log removed.

    Please help!!!
     
    Last edited by a moderator: Apr 14, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the sticky threads. No HJT logs should be posted without them being requested. And when they are, they must be posted as an attachment to your message not inline as you did. You also have a very old version of HJT and you did not exit your browser before running it.

    Did you run ALL the steps in the READ ME FIRST? If so, follow the steps below:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. nv178177

    nv178177 Private E-2

    Sorry for the hjt log post on the forum. I've run the updated version and have attached the log.

    Thank you for your help.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the two below lines valid (that is, do you know this URL)?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aisd.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aisd.net/


    Please download Pocket KillBox and extract it to its own folder somewhere.

    Please run Pocket Killbox. Select the option to Replace on Reboot.

    Now, Copy and Paste C:\Windows\popuper.exe into the box and check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No.

    Now, Copy and Paste C:\Windows\System32\intmonp.exe into the box and check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click Yes!

    And allow your system to reboot but boot into safe mode.

    In safe mode run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions:
    F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL
    O9 - Extra button: Microsoft AntiSpyware helper - {2DBC7ED1-8CC4-4E9E-B767-3B406867A7D4} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2DBC7ED1-8CC4-4E9E-B767-3B406867A7D4} - (no file) (HKCU)

    After clicking Fix, exit HJT.

    I want to double check that the bad files are really gone so let's also do the below.

    While still in safe mode run Windows Explorer to delete
    C:\Program File\VIRTUA~1 <--- the whole folder
    C:\Windows\popuper.exe
    C:\Windows\System32\intmonp.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
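
An added example, not part of the original thread and not HijackThis's own code: a small Python triage over the log lines quoted in the post above, showing why each kind of entry draws attention (an extra program in the `Shell=` value, a hosts-file mapping to a non-loopback address, an entry marked `(no file)`, a start page the user must confirm). The rules and function names are assumptions drawn from that post.

```python
import re

# Sample input: HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aisd.net/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {2DBC7ED1-8CC4-4E9E-B767-3B406867A7D4} - (no file) (HKCU)
"""

LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
LOOPBACK = ("127.", "0.0.0.0", "::1")

def parse(log_text):
    """Split a log into (section, body) pairs, skipping non-entry lines."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def triage(section, body):
    """Return a review note for one entry, or None when no rule applies."""
    if section in ("R0", "R1") and "Start Page = " in body:
        return "confirm this start page is known: " + body.split(" = ", 1)[1]
    if section == "F2" and "Shell=" in body:
        programs = re.split(r"[,\s]+", body.split("Shell=", 1)[1].strip())
        extras = [p for p in programs if p and p.lower() != "explorer.exe"]
        if extras:
            return "Shell starts extra programs: " + ", ".join(extras)
    if section == "O1" and body.startswith("Hosts:"):
        fields = body.split()
        if len(fields) >= 3 and not fields[1].startswith(LOOPBACK):
            return "hosts file maps %s to %s" % (fields[2], fields[1])
    if "(no file)" in body:
        return "entry points at a missing file"
    # Anything else (such as a toolbar whose DLL exists) needs a human decision.
    return None

def report(log_text):
    """Return (section, note) for every entry a rule flags."""
    notes = ((s, triage(s, b)) for s, b in parse(log_text))
    return [(s, n) for s, n in notes if n]

if __name__ == "__main__":
    for section, note in report(SAMPLE_LOG):
        print(section, "-", note)
```

The O3 toolbar line is parsed but not flagged: its DLL path is present, so nothing in the line itself separates it from a legitimate toolbar, which is why a helper's judgement was needed in the thread.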
     
  5. nv178177

    nv178177 Private E-2

    I've done what you've suggested and it looks like the files are removed. I have posted a new HJT log. I'll keep surfing and let you know if anything else "pop-ups."

    So far it seems to be working just fine.

    Thank you so much for all your help.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  7. flapjack007

    flapjack007 Private E-2

    I also have this problem and did the scan with hijackthis... I am adding the readme in order that I may be able to fix this problem. I can't believe how much of a pain this one is.


    Edit by chaslang: Unrequested log deleted, stickies not followed, not your thread
     
    Last edited by a moderator: Apr 27, 2005
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please post in your own thread. Read the announcement and the stickies. You must run the steps in READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
     
