Trojan-Spy.HTML.Smitfraud.c

Discussion in 'Malware Help (A Specialist Will Reply)' started by allieb4, May 1, 2005.

  1. allieb4

    allieb4 Private E-2

    This is my first time posting, but I also have the same message and have followed the hijackthis and will attach a log file if you will help me as well.
     

    Attached Files:

    allieb4, May 1, 2005
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post requests for help in a thread that belongs to someone else. Also read the announcement and sticky threads. HJT logs should only be posted when requested. HJT should also be run in normal boot mode. You posted in the following thread: http://forums.majorgeeks.com/showthread.php?t=60473

    I'm moving you to your own thread. Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
    chaslang, May 2, 2005
    #2
  3. satingar

    satingar Private E-2

    Hey guys I picked up this trojan this weekend and I followed all your steps in this thread and got rid of it. I just wanted to thank you guys for the directions you provided. I also had to this as well to finalize and get my display properties back to normal.

    Fix the registry settings that have been changed.

    Go to : Start ---> Run, type regedit. Click ok.

    Expand the following directories:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    The following keys (if present) must have their values (hex) changed to 0 or deleted.

    NoDispBackgroundPage
    NoDispSettingsPage
    NoDispScrSavPage
    NoDispAppearancePage

    To change a key's hex value to 0, simply right click and click modify. Change the 1 to a 0 and click ok.

    Also, I deleted the REG_SZ named Wallpaper. The key that directed the wallpaper to C:\WP.bmp.

    after I did this I turned the computer off and rebooted it. After that I went to display properties and all my tabs were back!! :D

    Listen I followed every direction to a T and didn't deviate a bit. I think if you do this as well you can get every thing back to normal. Also I suggest going the safe mode route if you can.

    Thanks again guys!

    Satingar- :D
     
    satingar, May 3, 2005
    #3
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! But if you check around in the forum threads you would see I have posted a quick and easy registry patch to take care of those entries you mentioned. Also the wp.bmp and wp.exe files are covered too. For one example (there are many more) see:

    http://forums.majorgeeks.com/showthread.php?t=61368

    You do not want to change the registry values to 0, you do not even want them in your registry.

    We have fixed many of these already.
     
    chaslang, May 4, 2005
    #4
  5. satingar

    satingar Private E-2

    Hey Guys, just wanted to post my findings after running all the steps to removing Smitfraud this weekend. I want to let you guys know I have XP. I first ran steps 1-4 in the getting prepared. In step 3 I had none of the services running (ie.Network Security Sevice, Workstation Netlogon Service or Remote Procedure Call). Then I moved on to the scanning and cleaning steps. Here are my results:

    Step 1 results:
    Trends Micros's Online Virus Scan- Congrats Housecall did not find any Virus
    Symantec Security Check-Windows Vulnerability found 3 items @ risk
    Advert Stinger- nothing found

    CCleaner- cleaned
    ad aware se-1 critical object
    spybot-No Immediate Threats
    CW Shredder-
    Kill2me
    Hsremove

    After I ran the scanning & cleaning steps, I went into normal boot mode. I immediatly got a windows popup messege. So I went into the Windows task manager and noticed popuper.exe was still there. So I went to the Hijack tutorial read it and downloaded HJT. So I then ran HJT and saved my logfile. I then uploaded my logfile to the HJT logfile checker, and it cameup with 16 things that were either uneccesary or nasty. I had HJT fix these things or delete but it was not able to delete popuper.exe. I am still getting popups, and now when I first boot up my windows messenger tries to log on, it never used to even come up in my browser, because I don't use it. Also every time I boot up the windows update in the tool bar says I have new updates to download. Ok guys this is what I have done let me know if there is somthing I did wrong or somthig else I can do to fix these problems. Thanks for your time.

    satingar
     
    satingar, May 8, 2005
    #5
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please post in your own thread. This thread is for wrking Allieb4's problem. And also note those are generic cleaning steps. They are not steps to fix Smitfraud. There are several dozen threads here that have specific steps for cleaning Smitfraud. Part of which includes deleting c:\wp.exe and c:\w.bmp and a registry patch as I indicated
     
    chaslang, May 8, 2005
    #6
  7. allieb4

    allieb4 Private E-2

    Thank you for your help so far. I have completed all the scans and have done/found the following:

    Trend Micro's scan - removed 7
    Symantic Security Check - all ok
    McAfee AVERT Stinger done
    CCleaner - removed hundreds of files/items
    Ad-Aware SE - couldn't determine if the VX2 plug in was done, but I did download and install it. I've used this in the past and there was a CoolWeb search item that causes my ad-aware to freeze and doesn't delete it. So, I've removed everything but that one file.
    Spybot found no threats.
    CWShredder done and removed 1 file
    Kill2me done and removed 1 file
    I also did the about:Buster and HSRemove and HSRemove did remove 10 items.

    I have attached my final HJT log file that I completed after doing all these steps. Can you check it over to see if I should do anything else? I have gotten the blue screen removed with the error message that was originally showing up on as my wallpaper background.

    Thank you so much!
     

    Attached Files:

    allieb4, May 14, 2005
    #7
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need HijackThis logs to be posted from normal boot mode as indicated in the READ ME FIRST and in the HijackThis tutorial.

    Where did you download your CWShredder from and how did you install it? I have never seen CWShredder installed as a service and there is no reason for it to be installed that way. In your HJT log it looks like.

    O23 - Service: CWShredder Service - InterMute, Inc. - C:\Spyware Tools\CWShredder\cwshredder.exe

    Please double check Properties and Version info on cwshredder.exe to make sure it is really from Intermute.
     
    Last edited: May 14, 2005
    chaslang, May 14, 2005
    #8
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a lot of problems that we need to work on. We are going to be taking this slowly. So do not expect everything to be fixed all at once. I need some more info from an additional scanning tool I will post at the end of this message.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Open Control Panel and select Add/Remove Programs look for the below programs and uninstall them if found:
    Search Maid
    Security IGuard
    Virtual Maid

    Now exit Add/Remove Programs.

    Note in the next step you may not find many of these processes running (I needed a log from normal boot mode so I just guessing what could be running).
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\dnsping.exe
    C:\WINDOWS\System32\mptsgsvc.exe
    C:\WINDOWS\System\MSMSGSVC.exe
    C:\Documents and Settings\Administrator\Application Data\urpo.exe
    C:\WINDOWS\msxmidi.exe
    C:\WINDOWS\System32\barint.exe
    C:\WINDOWS\System32\sound64.exe
    C:\WINDOWS\System32\msag.exe
    C:\WINDOWS\system32\msmsgs.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\wp.exe
    C:\bsw.exe
    C:\Windows\popuper.exe


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find-more.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.find-more.net/sp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
    R3 - URLSearchHook: (no name) - {0E0D30A8-BC3E-4557-FB66-45B7A9A5A207} - (no file)
    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp688D.tmp
    O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll (file missing)
    O4 - HKLM\..\Run: [DNSCacheBoost] C:\WINDOWS\System32\dnsping.exe
    O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
    O4 - HKLM\..\RunOnce: [mptsgsvc.exe] mptsgsvc.exe
    O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
    O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Administrator\Application Data\urpo.exe
    O4 - HKCU\..\Run: [Autoupdate Service] C:\WINDOWS\msxmidi.exe
    O4 - HKCU\..\Run: [mstask] C:\WINDOWS\System32\mstask.exe
    O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [DCC_send] barint.exe
    O4 - HKCU\..\Run: [sbin] sound64.exe
    O4 - HKCU\..\Run: [borlandg] msag.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Microsoft AntiSpyware helper - {474159E4-4EAA-4572-BF22-DA5A32666671} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {474159E4-4EAA-4572-BF22-DA5A32666671} - (no file) (HKCU)
    O15 - Trusted Zone: http://aimexpress.aol.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O16 - DPF: {D35B74F6-E099-4CDD-91E0-9EA7C30059D1} (Main Class) - http://www.dialer-shop.com/webdial/webdial24106.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\WareOut <--- the whole folder
    c:\freescan <--- the whole folder
    C:\WINDOWS\System32\dnsping.exe
    C:\WINDOWS\System32\mptsgsvc.exe
    C:\WINDOWS\System\MSMSGSVC.exe
    C:\Documents and Settings\Administrator\Application Data\urpo.exe
    C:\WINDOWS\msxmidi.exe
    C:\WINDOWS\System32\barint.exe
    C:\WINDOWS\System32\sound64.exe
    C:\WINDOWS\System32\msag.exe
    C:\WINDOWS\system32\msmsgs.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\WINDOWS\System32\hp688D.tmp
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\Program Files\Search Maid<--- the whole folder
    C:\Program Files\Security IGuard<--- the whole folder
    C:\Program Files\Virtual Maid<--- the whole folder
    C:\Windows\System32\Log Files <--- the whole folder


    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and continue with the below.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.
    Now please download HOSTER and then follow the below steps.

    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Download and the below file to your computer where you can find it.

    RemV3.Zip

    Extract all the files to a folder (make it a folder for only these tools).
    Then boot into safe mode and run the remv3.bat file.

    Now reboot and you must not reboot again until you hear from me because the problem DLL will mutate.

    Now post a new HJT log (from normal boot mode).
     
    Last edited: May 14, 2005
    chaslang, May 14, 2005
    #9

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds