Trojan-Spy.Html.Smitfraud.c

Discussion in 'Malware Help (A Specialist Will Reply)' started by steak, Jun 6, 2005.

  1. steak

    steak Private E-2

    Hi,

    I recently acquired this annoying virus. I'm not sure how I got it, but I can't seem to get rid of it. I've tried reading other threads and have gone through the steps, but had no luck, although the blue screen of death has gone.
    The main problems I'm still having are popups, and I can't change my homepage settings; it keeps taking me to a porn dialer page.
    I was wondering if anyone could help me with this.

    Here is my hjt log

    Thanks

    Edit by chaslang: Unrequested inline log removed
     
    Last edited by a moderator: Jun 7, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. You also must install HJT properly. You are running it from the ZIP file using WinRAR. Please run the steps below.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.
    Also, to get you started and to reduce the size of your HJT log, do the following:

    Also look in Add/Remove programs for P2P Networking and uninstall if found. Also uninstall anything related to Kazaa.


    If after doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    After doing the above we will be able to work up a procedure to repair the Smitfraud problem.
     
  3. steak

    steak Private E-2

    Hi,

    Sorry about that, I saw all the hjt logs on other people's threads and thought it was ok to send them.

    I have read 'DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal' and have completed all the steps, but I'm still having the same problems. I'll run you through what I found:

    Checked 'services.msc', but couldn't find the listed services

    Trend Micro: Got this message - HouseCall has found and cleaned a malware. PE_PARITE.A clean failed: TROJ_BLAZEFIND.A

    Norton Scan: Did not load properly, waited 30 mins without anything changing.

    McAfee Stinger: Nothing found

    AdAwareSE: Found 98 critical objects, all removed after next startup

    Spybot: HotSearchbar removed

    CWShredder: Nothing found

    Kill2me: Nothing found

    About:buster: Nothing found

    HSRemove: 8 items removed


    Thank you for all your help so far
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just finish the steps of my previous post (message # 2).
     
  5. steak

    steak Private E-2

    Ok,

    Here is the hjt log
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a few problems that we need to address. This may take a few sets of messages.

    First, download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet.

    - Reboot into Safe Mode with no network support and do not run anything else but what I tell you to run!

    - Run the ABIRemover.exe, press install, wait (explorer window will disappear)

    - When it finishes just reboot into normal mode and continue with my next message.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Open Control Panel and select Add/Remove Programs. Look for the below programs and uninstall them if found:
    Search Maid
    Security IGuard
    Virtual Maid

    Now exit Add/Remove Programs.


    Some of the items mentioned in the below steps may or may not be there. If not found just ignore them and continue. These problems come in a variety of forms and different filenames can be used each time.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\popcorn64.exe
    c:\windows\system32\vjdzpn.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
    O4 - HKLM\..\Run: [Hot_nz] C:\Program Files\GMSoft\Dialers\Hot_nz\Hot_nz.exe /dontdial
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn64.exe rundll.dll,LoadMouseProfile
    O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
    O4 - HKLM\..\Run: [xcsrnuz] c:\windows\system32\vjdzpn.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    I recommend not using this PartyPoker stuff but it is up to you.
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

    O9 - Extra button: Microsoft AntiSpyware helper - {F47BE04B-AABE-437D-A916-83A626A8ADB8} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F47BE04B-AABE-437D-A916-83A626A8ADB8} - (no file) (HKCU)
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\WINDOWS\System32\popcorn64.exe
    c:\windows\system32\vjdzpn.exe
    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\system32\msmsgs.exe
    C:\WINDOWS\system32\shnlog.exe
    C:\WINDOWS\system32\intmonp.exe
    C:\WINDOWS\System32\intmon.exe
    C:\Windows\System32\helper.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\WINDOWS\system32\hp9980.tmp
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\Program Files\Search Maid<--- the whole folder
    C:\Program Files\Security IGuard<--- the whole folder
    C:\Program Files\Virtual Maid<--- the whole folder
    C:\Windows\System32\Log Files <--- the whole folder


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and continue with the below.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixwp.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixwp.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.
    Now please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Now post a new HJT log. And tell me how things are working.
     
  8. steak

    steak Private E-2

    I have done all that, and although I couldn't find and delete all of the files you listed, everything seems to have improved. I can change my homepage now, and so far haven't seen any pop ups.

    I didn't find these in the control panel:
    Search Maid
    Security IGuard
    Virtual Maid


    Couldn't find this process, c:\windows\system32\vjdzpn.exe, so I couldn't kill it. This one was here though, which I thought was quite similar, c:\windows\system32\aonrxvn.exe; I didn't kill it.

    In the scan and fix section of hjt, I couldn't find these:
    O4 - HKLM\..\Run: [xcsrnuz] c:\windows\system32\vjdzpn.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    And as for those other files and folders you asked me to delete, C:\WINDOWS\System32\popcorn64.exe was the only one I could find.
    I have system restore disabled, and viewing of hidden files is enabled just in case you were wondering.

    I did the rest of the things you asked, and have attached the hjt log you requested.

    Thanks again for your help.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said in my last message:

    The other item you found, c:\windows\system32\aonrxvn.exe, is due to the fact that your system was rebooted since your log was posted and the O4 item I gave you renamed itself. You now need to look for aonrxvn.exe or whatever it may have renamed itself to. Also you need to look for other files beginning with the same letters (something starting with aonrxvn). There will probably be one that ends with a .dll extension. You need to kill the running process then rename the files. Then fix the associated line in HJT. Then reboot and make sure it does not come back.

    Edit: Actually your files have renamed themselves again in your last HJT log:
    c:\windows\system32\nqabph.exe

    O4 - HKLM\..\Run: [nltszgg] c:\windows\system32\nqabph.exe

    If you rebooted since posting, they may have changed again.
     
  10. steak

    steak Private E-2

    Ok, I have tried all that, but it is still there. The name of the process seems to change all the time, not only after boot up. I did a scan using HJT and noted the name, then did another scan straight after and it had renamed itself again. I also noticed in Task Manager that there are three different seven-random-letter processes running at the same time, although in the HJT task manager it shows only one.

    Also, I couldn't find any files ending with the .dll extension, only .exe, and one of these .exe files couldn't be deleted because it was a running process. When I killed the process and tried to find the .exe file to delete it, it was no longer there. I hope that information will be of some help.

    Anyway, thank you again, you have been a lot of help.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it is a bad process, you need to kill the process before trying to delete the file. Also you must find the DLLs that go along with these. Maybe you should post a new HJT log so we can see what you have right now. One of the keys to fixing these problems is to not reboot or experiment with killing processes or fixing items after posting the log. Otherwise it will definitely mutate before I can even answer your message.
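The removal procedure in message #7 identifies entries by their exact HijackThis log lines, and messages #9 to #11 show why that is fragile: the O4 Run entry and its executable rename themselves (vjdzpn.exe, aonrxvn.exe, nqabph.exe) between scans. The scanner below is an added example, not code from this thread, from MajorGeeks or from HijackThis. It parses the R0, O4 and O23 line formats quoted above and flags entries by pattern instead of by name: a start page pointing at a local file, a Run entry whose value name or executable looks like random letters, and a service with "Unknown owner" whose binary looks random. The sample log is constructed from the lines quoted in this thread plus two benign lines (ctfmon.exe and an ATI driver service, assumed benign here) to show what is not flagged; the allowlist and the letter-pattern thresholds are my own assumptions for illustration.

```python
"""Flag suspicious HijackThis log lines by pattern rather than by exact filename.

Added example (not from the thread or from HijackThis itself). The sample log,
the allowlist and the randomness thresholds are constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries quoted in this thread plus two benign lines
# (ctfmon.exe, Ati2evxx.exe) so the output shows what is NOT flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [xcsrnuz] c:\windows\system32\vjdzpn.exe
O4 - HKLM\..\Run: [nltszgg] c:\windows\system32\nqabph.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn64.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Line shapes as HijackThis 1.99 prints them (regexes are my own, not HJT's).
HJT_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
STARTPAGE_RE = re.compile(r"Start Page = (?P<value>.+)$")
EXE_RE = re.compile(r"^(?P<exe>.*?\.exe)", re.IGNORECASE)

# Constructed allowlist of legitimate all-lowercase system32 names that the
# letter heuristic would otherwise flag (ctfmon has one vowel in six letters).
ALLOWLIST = {"ctfmon", "svchost", "lsass", "winlogon", "spoolsv", "services", "csrss", "smss"}


@dataclass
class Finding:
    line: str
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic: 5-8 lowercase letters with few vowels or a long consonant run.

    Thresholds (vowel ratio < 0.25, consonant run >= 4) are assumptions tuned so
    that vjdzpn, nqabph, aonrxvn and svcproc trip it while popcorn does not.
    """
    if name in ALLOWLIST or not re.fullmatch(r"[a-z]{5,8}", name):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    longest_run = max((len(m.group()) for m in re.finditer(r"[^aeiou]+", name)), default=0)
    return vowels / len(name) < 0.25 or longest_run >= 4


def exe_stem(command: str) -> str:
    """First .exe token of a command line, without directory or extension."""
    m = EXE_RE.match(command.strip())
    if not m:
        return ""
    return ntpath.splitext(ntpath.basename(m["exe"]))[0]


def assess_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious R0/O4/O23 line, else None."""
    m = HJT_RE.match(line.strip())
    if not m:
        return None
    kind, body = m["kind"], m["body"]
    if kind in ("R0", "R1"):
        sp = STARTPAGE_RE.search(body)
        if sp and re.match(r"^[A-Za-z]:\\", sp["value"].strip()):
            return Finding(line.strip(), "start page points at a local file, not a website")
    elif kind == "O4":
        run = RUN_RE.match(body)
        if run:
            stem = exe_stem(run["cmd"])
            if looks_random(run["name"]) or looks_random(stem):
                return Finding(line.strip(), f"Run entry with random-looking name [{run['name']}] -> {stem}.exe")
    elif kind == "O23":
        svc = SERVICE_RE.match(body)
        if svc and svc["owner"] == "Unknown owner" and looks_random(exe_stem(svc["path"])):
            return Finding(line.strip(), f"unknown-owner service with random-looking binary ({svc['display']})")
    return None


def scan(log_text: str) -> List[Finding]:
    """Run assess_line over every non-empty line and collect the findings."""
    return [f for f in (assess_line(ln) for ln in log_text.splitlines() if ln.strip()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
```

On the sample log this flags the local-file start page, both random-named Run entries and the svcproc service, while leaving ctfmon.exe, the ATI service and the hsremove.com start page alone. It also misses popcorn64.exe, which hides behind the plausible value name [ControlPanel]; that is exactly why the expert in this thread works from the full log rather than from a name filter, and why the pattern check is a triage aid, not a verdict.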
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

