Trojan-Spy.HTML.Smitfraud.c

Discussion in 'Malware Help (A Specialist Will Reply)' started by jtschirgi, Apr 23, 2005.

  1. jtschirgi

    jtschirgi Private E-2

    Hello, I am new to the forum. I have a Trojan desktop hijacker. The main symptoms are the Blue background screen with the error message, interesting musical notes when I logon, and pop-ups from iSecurityGuard after logon. Before getting to your website I had run Ad-Aware, Microsoft, Trend and Symantec. I believe Symantec actually found it, at least it told me I had a Trojan desktop hijack file at C:\wp.exe but it couldn't remove it.

    I have followed all your instructions on "How to", but nothing got rid of it.

    Then I downloaded Hijack This, ran it and analyzed the log file at Help2Go Detective. It found two more adware files to remove, plus I removed the iSecurityGuard file. But nothing helped. I can send you the logfile if you want it.

    What do you suggest?
    Thanks
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. jtschirgi

    jtschirgi Private E-2

    Okay. Attached is the HijackThis log I ran yesterday.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just want to check something before we continue.

    Download Generic Detection Tool - NT/2000/XP

    NOW:

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.
     
  5. jtschirgi

    jtschirgi Private E-2

    Okay, I ran the requested program, output file attached. I'll be back this evening for more instructions. thanks.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:
    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file vx2fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the vx2fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    Second:
    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Media Access

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

    O9 - Extra button: Microsoft AntiSpyware helper - {1F97ED68-2BA0-4084-B811-084CF5D862F9} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1F97ED68-2BA0-4084-B811-084CF5D862F9} - (no file) (HKCU)

    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c7.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://jtschirgi.squarespace.com/universal/activex/XUpload.ocx
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab

    O20 - AppInit_DLLs: unxcv91vl7i7x.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Media Access ←–– Delete this whole folder if it exists!

    C:\wp.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
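
A small triage pass over the HijackThis entries listed in the fix instructions above, as an added example that is not part of the original thread or of HijackThis itself. The sample lines are copied from the post; the `parse` and `triage` helpers and the reasons they report are this example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Entries copied from the fix list in the post above (HijackThis 1.99.1 format).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O9 - Extra button: Microsoft AntiSpyware helper - {1F97ED68-2BA0-4084-B811-084CF5D862F9} - (no file) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c7.cab
O20 - AppInit_DLLs: unxcv91vl7i7x.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")
RUN = re.compile(r"^(HK[A-Z]+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
DRIVE_ROOT = re.compile(r'^"?[A-Za-z]:\\[^\\"]+"?$')


def parse(log):
    """Return (section, detail) for every 'O<n> - ...' line; skip the rest."""
    hits = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m]


def triage(log):
    """Return (section, reason, detail) for entries an analyst should review.

    The reasons are this example's own heuristics, not HijackThis verdicts.
    """
    findings = []
    for section, detail in parse(log):
        run = RUN.match(detail) if section == "O4" else None
        if run and DRIVE_ROOT.match(run.group(4)):
            findings.append((section, "autorun launched from a drive root", detail))
        elif section == "O16" and " - " in detail:
            host = urlparse(detail.rsplit(" - ", 1)[1]).hostname
            findings.append((section, f"ActiveX download source: {host}", detail))
        elif section == "O20" and detail.startswith("AppInit_DLLs:"):
            if detail.split(":", 1)[1].strip():
                findings.append((section, "DLL loaded via AppInit_DLLs", detail))
        elif "(no file)" in detail:
            findings.append((section, "registered component has no file", detail))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:<4}{reason:<40}{detail}")
```

The Media Access autorun is not flagged by these heuristics because it lives under Program Files; a reviewer still has to recognise it by name, as the helper in the thread did.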
     
  7. jtschirgi

    jtschirgi Private E-2

    I need more than luck -- it didn't work.
    I followed all the instructions.
    Added vx2fix.reg
    Removed Media Access
    Ran HijackThis and Fixed everything except O16 - DPF: {15AD67.... which wasn't there. I did get an error message which said it couldn't make a backup of the O20 AppInit_DLL but I don't think that mattered.
    I rebooted in Safe Mode; couldn't find Media Access or wp.exe to delete.
    Ran CCleaner and Spybot S&D.
    I was going to run cleanmgr, but the analysis said I'd gain no space (not surprising since everything was clean) so I scrapped it.
    I rebooted to Normal but the blue screen and hijacker were back, so I ran HijackThis again and have attached it for your reading pleasure.

    Good Luck,
    see you tomorrow
    jtschirgi
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you familiar with MySoftware NewFlash?

    Also, look in Add/Remove Programs for the following and uninstall if found:

    iSecurityGuard

    Now let's run SpySweeper:
    Download, install, update, and run Spy Sweeper
    Let me know what it finds. Save a log and post it if you can.
     
  9. jtschirgi

    jtschirgi Private E-2

    Okay, I'm not familiar with MySoftware NewsFlash nor have I seen it in any of the logs. I removed iSecurityGuard in the very first HijackThis Fix I ran, but lo and behold Spy Sweeper found it again, and four other adware thingies. Attached is the saved log from the run of SpySweeper. I took its advice to reset the settings on IE to default - within the tool - nothing has changed yet, but I haven't rebooted. Here's the log. I'll reboot now and see if anything has improved. If it has I'll let you know.

    jtschirgi
     


  10. jtschirgi

    jtschirgi Private E-2

    One more thing, I rebooted and the desktop blue screen of death with the smitfraud.c error message is now GONE!!! hurray.
    However, I still get the strange beeping noises when I boot, so something is still there, and the system is very slow (although with all the anti-spyware programs running it could be slowing it down I suppose). Also, not being that computer savvy, my desktop background is now black and I seem to have lost the ability to change backgrounds. The "change displays" icon on the control panel does not have any tab for backgrounds anymore, just for screensaver and resolution.

    Big progress, however.
    thanks for this much, do you see anything else?
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please post one last HJT log to confirm everything is clean.
     
  12. jtschirgi

    jtschirgi Private E-2

    Here's the latest HJT log.
    I also ran Spy Sweeper and it came back clean.
    So it all looks good, except for the funny noises when it boots and the fact that I can't customize backgrounds on my desktop; it's just black now. Why doesn't Display Properties under Control Panel have a tab that allows me to do that anymore?
    thanks.
     


  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you are going to run TrendMicro Internet Security then you need to uninstall Symantec AntiVirus and anything else referring to Norton as this will cause conflicts.

    As far as the other problems, I would post them in the Software Forum for best results.

    Good Luck!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this!

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.
     
  15. jtschirgi

    jtschirgi Private E-2

    Thanks to bjgarrick (and chaslang for the final suggestion) I think I am rid of the Trojan-Spy.HTML.Smitfraud.c desktop hijacker and everything appears to be back to normal.

    THANKS SO MUCH FOR ALL YOUR HELP! :)
     