[miekiemoes]

Hello,

Great news!! Now let's deal with smitfraud.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
[*]Restart your computer
[*]After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
[*]Instead of Windows loading as normal, a menu should appear
[*]Select the first option, to run Windows in Safe Mode.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2346
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\System32\wer8274.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...GB_ZSzeb029AXGB
O9 - Extra button: Microsoft AntiSpyware helper - {B51E0E77-9820-4203-A72F-E6A1FAA6BD82} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B51E0E77-9820-4203-A72F-E6A1FAA6BD82} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {EAFF285E-A890-441D-A5D3-75C00E48649D} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EAFF285E-A890-441D-A5D3-75C00E48649D} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {00203AA7-BCC8-4009-9716-6509F28DA918} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {00203AA7-BCC8-4009-9716-6509F28DA918} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {14771B69-2503-4BE3-9014-CAC285AC3B4B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {14771B69-2503-4BE3-9014-CAC285AC3B4B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B51E0E77-9820-4203-A72F-E6A1FAA6BD82} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B51E0E77-9820-4203-A72F-E6A1FAA6BD82} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {EAFF285E-A890-441D-A5D3-75C00E48649D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EAFF285E-A890-441D-A5D3-75C00E48649D} - (no file) (HKCU)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest....chm::/file.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab

* Click on Fix Checked when finished and exit HijackThis.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\MyWebSearch <== folder

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


Open Ad-aware and do a full scan. Remove all it finds.


Now open Ewido Security Suite
Click on scanner
Make sure the following boxes are checked before scanning:
Binder
Crypter
Archives

Click on Start Scan
Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
[*]Click Save Report
[*]Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

[Advertisements]

- that was impressive - a set of instructions that quick is incredible.

Thanks very much for those instructions - I'm sure smitfraud will be no more once these instructions are implemented.

It's going to sound strange and probably annoying for you guys but I wont be able to fix smitfraud.c for around 4 weeks (I've got holidays etc).

I definately will fix it and post a correct hijackthis log afterwards and give details of the sympoms experienced while smitfraud infected the system.

Thank you all very much - you all run a fantastic service here!!

J-alexander

[j-alexander]

- that was impressive - a set of instructions that quick is incredible.

Thanks very much for those instructions - I'm sure smitfraud will be no more once these instructions are implemented.

It's going to sound strange and probably annoying for you guys but I wont be able to fix smitfraud.c for around 4 weeks (I've got holidays etc).

I definately will fix it and post a correct hijackthis log afterwards and give details of the sympoms experienced while smitfraud infected the system.

Thank you all very much - you all run a fantastic service here!!

J-alexander

[miekiemoes]

Ok. Success... and have a nice holiday!!
We'll read you within 4 weeks then.

[j-alexander]

This has been a long, long time coming but I finally got round to fixing this old laptop.

I cant thank the geekstogo staff enough for their help - very much appreciated and appologies for the long wait.

Here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 13:54:54, on 11/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\john stephen\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F920A57-5116-4CEB-8C93-46AB3A2D429F}: NameServer = 194.168.4.100,194.168.8.100
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe


And the ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 01:04:47, 11/10/2005
+ Report-Checksum: 5C9A92FD

+ Scan result:

C:\Documents and Settings\john stephen\Cookies\john [email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\john stephen\Cookies\john [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\john stephen\Cookies\john [email protected][2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\john stephen\Cookies\john stephen@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\john stephen\Cookies\john stephen@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\john stephen\Cookies\john [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\john stephen\Local Settings\Temporary Internet Files\Content.IE5\MDJ4X4VA\$file[1] -> TrojanDropper.Agent.ii : Cleaned with backup
C:\Documents and Settings\john stephen\Local Settings\Temporary Internet Files\Content.IE5\PC0ZTXSP\website[1].ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\n.exe -> TrojanDropper.Agent.ii : Cleaned with backup
C:\Program Files\MSN Messenger\riched20.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0001082.dll -> TrojanDownloader.Adload.g : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0001090.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0002097.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003101.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003102.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003106.DLL -> Spyware.FunWeb : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003107.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003108.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003109.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003110.SCR -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003111.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003112.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003113.EXE -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003114.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003115.DLL -> Spyware.Wesbar : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003116.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003117.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003118.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003119.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003120.EXE -> Spyware.Wesbar : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003122.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003131.dll -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0003132.exe -> Trojan.Agent.eo : Cleaned with backup
C:\WINDOWS\SYSTEM32\f3PSSavr.scr -> Spyware.MyWebSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\MTC.dll -> TrojanDownloader.Agent.ga : Cleaned with backup
C:\WINDOWS\SYSTEM32\spoolsrv32.exe -> Spyware.FindSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\srpcsrv32.dll -> TrojanDownloader.Adload.g : Cleaned with backup
C:\wp.exe -> Trojan.Agent.ct : Cleaned with backup


::Report End



Again, cant thank you enough - special thanks goes to miekiemoes and coachwife6 - couldnt have done it without your patient help!

J-alexander

[miekiemoes]

Hi, welcome back.

I see a clean log, but I want you to download and run smitrem again to get rid of the leftovers, because I want to be sure also that your wininet.dll is not infected. Smitrem can deal with this as well.

I already asked you to download smitrem, but this is an old version now, so delete that version and perform next:

Download smitRem and save the file to your desktop.
Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem.

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

REBOOT Important!! And post the smitfiles.txt log in your next reply.
You'll find smitfiles.txt on your C:\

It could be possible, after reboot that your system is using the windows classic theme again.
To restore this and set it back to XP-theme, rightclick on your desktop > properties > tab Appearances and choose Windows XP style again under windows and buttons.
Click apply and OK.

[j-alexander]

No problem - I'll do that on Friday (as I have a course in the next 2 days) and post back with the smitrem logs.

Thanks once again,

J-alexander

[miekiemoes]

Ok, I'll read you Friday then.

[j-alexander]

Sorry to bother you - but I decided to do it now...had some time.

Smitrem doesnt seem to leave a logfile. The diskcleanup starts once its finished though..not sure why.

Do you want me to send in a hijackthis log or an ewido?

Thanks again,

j-alexander

[miekiemoes]

Can't you find a smitfiles.txt on your C:\ ??

[miekiemoes]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.