Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

smitfraud c and adware popups


  • This topic is locked This topic is locked

#1
wishnias

wishnias

    New Member

  • Member
  • Pip
  • 3 posts
I have run cleanup, adaware, cwshredder, spybot s&d, and stinger antivirus and got rid of a lot of garbage running on my pc, but there is one persistent bug running around somewhere. After running spybot, it tells me that it cannot remove Smitfraud-C, and once in a while a yellow blinking triangle with an exclamation point appears in my taskbar by the clock "informing" me that my computer is infected with spyware. Clicking on it sends me to adware removal software sites like spyware sheriff and a couple other shady looking sites. I am also getting other random popups also "informing" me of problems, these are clearly advertisements for adware/spyware removal tools and I have not followed their links.

Here's the Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 9:34:00 PM, on 7/31/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchtra...=protect1&term=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wilkes.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchtra...=protect1&term=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKLM\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKLM\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=health headaches+migraines&chnl=1&t=r&pb=1180">health headaches+migraines</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=health headaches+migraines&chnl=1&t=r&pb=1180">health headaches+migraines</a></font></center>
O4 - HKLM\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKLM\..\Run: [<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKLM\..\Run: [<frame src="http://landing.domai...&adultfilter=o] c:\WINDOWS\System32\<frame src="http://landing.domai...ultfilter=off">
O4 - HKLM\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKLM\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKLM\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKLM\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\BASEMENT\EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P37 "\\BASEMENT\EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [<frame src="http://apps5.oingo.c...=beneditutti.c] c:\WINDOWS\System32\<frame src="http://apps5.oingo.c...neditutti.com">
O4 - HKLM\..\Run: [<a href="http://apps5.oingo.c...utti.com">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://apps5.oingo.c...utti.com">Click here to go to beneditutti.com</a>.
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4600 Series on BASEMENT] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P43 "Auto EPSON Stylus CX4600 Series on BASEMENT" /O27 "\\BASEMENT\basement printer" /M "Stylus CX4600"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe>');
O4 - HKCU\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer>');
O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscript>
O4 - HKCU\..\Run: [ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font>] c:\WINDOWS\System32\ <center><font face='Verdana, Arial, Helvetica, sans-serif' size='2'><br><B>Search of the Day</B></font><br>
O4 - HKCU\..\Run: [ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=health headaches+migraines&chnl=1&t=r&pb=1180">health headaches+migraines</a></font></cen] c:\WINDOWS\System32\ <font face='Verdana, Arial, Helvetica, sans-serif' size='2'><A href="direc.asp?keywords=health headaches+migraines&chnl=1&t=r&pb=1180">health headaches+migraines</a></font></center>
O4 - HKCU\..\Run: [<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859] c:\WINDOWS\System32\<title>beneditutti.com</title><meta name="keywords" content="beneditutti.com"><meta name="description" content="Search the web at beneditutti.com"><meta name="robots" content="INDEX, FOLLOW"><meta name="revisit-after" content="10"><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
O4 - HKCU\..\Run: [<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://landing.domai...lter=off">Click here to go to beneditutti.com</a>.
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\</html>
O4 - HKCU\..\Run: [<frame src="http://landing.domai...&adultfilter=o] c:\WINDOWS\System32\<frame src="http://landing.domai...ultfilter=off">
O4 - HKCU\..\Run: [</frame] c:\WINDOWS\System32\</frameset>
O4 - HKCU\..\Run: [<nofra] c:\WINDOWS\System32\<noframes>
O4 - HKCU\..\Run: [<body bgcolor="#ffffff" text="#0000] c:\WINDOWS\System32\<body bgcolor="#ffffff" text="#000000">
O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\</body>
O4 - HKCU\..\Run: [</nofra] c:\WINDOWS\System32\</noframes>
O4 - HKCU\..\Run: [<frame src="http://apps5.oingo.c...=beneditutti.c] c:\WINDOWS\System32\<frame src="http://apps5.oingo.c...neditutti.com">
O4 - HKCU\..\Run: [<a href="http://apps5.oingo.c...utti.com">Click here to go to beneditutti.com<] c:\WINDOWS\System32\<a href="http://apps5.oingo.c...utti.com">Click here to go to beneditutti.com</a>.
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...odel/index.html
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weat...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.budd...allerRaptor.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please read the first link in my signature and follow the steps outlined there. Make sure you get XP SP1a installed now. When you are ready, post the HijackThis log here.
  • 0

#3
wishnias

wishnias

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
While trying to install SP1, a message comes up telling me that I have an invalid key for the software, and that my copy of Windows XP may be a pirated copy. I bought this computer from a friend a couple years ago and it already had XP in it, so I never bought the software myself. If it is indeed a pirated copy of XP, is there any way to install a service pack? And if there is no way to install a service pack, then what are my options as far as trying to clean up my system?
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
It does sound like it's a pirated copy. OK, I want you to do this just to verify it:

Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)
  • Click on Windows Validation Assistant
  • Click on the Validate Now button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click continue
  • When it says "Validation Complete" please click Continue to return to your previous activity
  • Copy what it says and paste it here.
If it is pirated, we won't help you. There are a few reasons for this. But the two main ones are:

1. It's pirated, so it's illegal.
2. Since you said you can't install SP1, there's basically no point helping you clean it up because you will most likely get reinfected again very soon.

So if this is indeed a pirated copy, my suggestion is to go out and get the legal copy of XP. Install that instead. If you still have problems in the future, you may come back here and we will be glad to assist you.

Run that test I gave you above. See what that says.
  • 0

#5
wishnias

wishnias

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
"It appears that your Windows Product Key is not valid. Please contact your system administrator or retailer immediately to obtain a valid Product Key."

I never got any documentation from the guy I bought my system from, so I have no windows product key. The validation assistant site never asked me for a key, it just showed me the quote posted above. I guess it is an illegal copy, and I understand that I am vulnerable to infections. Using the software recommended on geekstogo I was able to get rid of a lot of garbage that was running on my pc, and I appreciate the help I have received...guess I'll just wait until I get a new computer or dig up the $300 or whatever it costs for a new copy of the os.

thanks
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, we're sorry but we won't be able to assist you in this case.

XP Home costs under $100 at eBay.

Topic closed.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP