smitfraud-c infection [CLOSED]


  • This topic is locked

#1
sur

    New Member

  • 1 posts
Hi, could you help me please? With Spybot S&D I detect the smitfraud-c spyware, but it can't remove it. The antivirus AVP detects the puper.ai virus but it can't remove the virus...
I've used the tools you say to use before posting a log... but the situation is similar; perhaps other tools call the infection by a different name... but they can't remove them.

Thanks in advance for some help,
I paste the HijackThis log and the HijackThis uninstall list:

Logfile of HijackThis v1.99.1
Scan saved at 14:51:56, on 11/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Microsoft ActiveSync\WCESCOMM.EXE
C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Archivos de programa\Microsoft Office\Office\3082\OLFSNT40.EXE
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\usuario\Escritorio\RECUPERAR\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpBCEE.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Archivos de programa\PSGuard\PSGuard.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Archivos de programa\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Administrador de servicios.lnk = C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Puerto Symantec Fax Starter Edition.lnk = C:\Archivos de programa\Microsoft Office\Office\3082\OLFSNT40.EXE
O9 - Extra button: Crear un favorito móvil - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crear un favorito móvil... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B898F3D-F42B-47D6-8B03-8BA63A3F6B54}: NameServer = 213.195.64.129,213.195.79.129
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABC94558-7D27-4917-9CCE-8929098F56F0}: NameServer = 195.235.113.3,195.235.96.90
O20 - Winlogon Notify: style2 - C:\WINDOWS\q156174_disk.dll (file missing)
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)

and the UNINSTALL LIST is:
Actualización para Windows XP (KB898461)
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 6.0
Ahead Nero - Burning Rom
CleanUp!
Conexant AC-Link Audio
Conexant Soft 56K Modem
DVD Boy Player V2.14
DW-Exporter 1.0
ewido security suite
ffdshow (remove only)
HijackThis 1.99.1
IZArc 3.3.1
Kaspersky™ Anti-Virus Personal Pro 4.5
Macromedia Dreamweaver MX
Macromedia Extension Manager
Microsoft ActiveSync 3.5
Microsoft Office 2000 Premium
Microsoft SQL Server 2000
Outlook Express Q837009
ProSavageDDR and Utilities
PSGuard spyware remover
Revisión de Windows XP - KB810217
Revisión de Windows XP - KB823182
Revisión de Windows XP - KB824105
Revisión de Windows XP - KB824141
Revisión de Windows XP - KB824151
Revisión de Windows XP - KB825119
Revisión de Windows XP - KB826939
Revisión de Windows XP - KB828035
Revisión de Windows XP - KB828741
Revisión de Windows XP - KB833987
Revisión de Windows XP - KB834707
Revisión de Windows XP - KB835732
Revisión de Windows XP - KB837001
Revisión de Windows XP - KB840374
Revisión de Windows XP - KB840987
Revisión de Windows XP - KB841356
Revisión de Windows XP - KB841533
Revisión de Windows XP - KB842773
Revisión de Windows XP - KB867282
Revisión de Windows XP - KB871250
Revisión de Windows XP - KB873333
Revisión de Windows XP - KB873339
Revisión de Windows XP - KB873376
Revisión de Windows XP - KB885250
Revisión de Windows XP - KB885835
Revisión de Windows XP - KB885836
Revisión de Windows XP - KB888113
Revisión de Windows XP - KB888302
Revisión de Windows XP - KB889293
Revisión de Windows XP - KB890047
Revisión de Windows XP - KB890175
Revisión de Windows XP - KB891711
Revisión de Windows XP - KB891781
Revisión de Windows XP - KB892944
Revisión de Windows XP - KB893066
Revisión de Windows XP - KB893086
Revisión de Windows XP (SP2) Q811114
Revisión de Windows XP (SP2) Q819696
Revisión del Reproductor de Windows Media [consulte Q828026 para obtener más información]
S3Display
S3Gamma2
S3Info2
S3Overlay
Spybot - Search & Destroy 1.4
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
WinZip


#2
miekiemoes


    Malware Expert

  • 5,503 posts
  • MVP
Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page wouldn't be available then.
It is also important that you don't miss a step and that you perform everything in the right order!!

Download smitRem and save the file to your desktop.
Double-click it and choose Install. This will create a new folder on your desktop with the name smitrem.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Open your Ewido and update the definitions to the newest files. Do NOT run a scan yet.

Update your Ad-Aware SE.
Don't run it yet!

Next, please reboot your computer in Safe Mode by doing the following:
* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
* Instead of Windows loading as normal, a menu should appear.
* Select the first option, to run Windows in Safe Mode.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpBCEE.tmp
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Archivos de programa\PSGuard\PSGuard.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O20 - Winlogon Notify: style2 - C:\WINDOWS\q156174_disk.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


Open Ad-aware and do a full scan. Remove all it finds.


Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there (except for "My current home page").

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the log smitfiles.txt (which you will find on your C:\) and the Ewido Log by using Add Reply.
Let us know if any problems persist.

It is possible that, after the reboot, your system is using the Windows Classic theme again.
To restore this and set it back to the XP theme, right-click on your desktop > Properties > tab Appearances and choose Windows XP style again under Windows and buttons.
Click apply and OK.
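
Added example, not part of the original posts: one way to check the follow-up HijackThis log against the fix list in the reply above and see which flagged entries survived the cleanup. The fix-list lines are copied from the thread; the follow-up log and the function names are constructed for illustration.

```python
import re

# Entry lines in a HijackThis log begin with a section code (R0, R1, O2, O4, O20, O23 ...).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_entries(text):
    """Return [(section_code, body)] per entry line; headers and process paths are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def _key(entry):
    # Registry keys and Windows paths are case-insensitive; also collapse runs of whitespace.
    code, body = entry
    return code, " ".join(body.split()).casefold()

def still_present(fix_list, fresh_log):
    """Entries from the fix list that a fresh log still contains, in fix-list order."""
    current = {_key(e) for e in parse_entries(fresh_log)}
    return [e for e in parse_entries(fix_list) if _key(e) in current]

# Fix list: entries copied from the reply in this thread.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpBCEE.tmp
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Archivos de programa\PSGuard\PSGuard.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\q156174_disk.dll (file missing)
"""

# Constructed follow-up log (not from the thread): two flagged entries survived the cleanup.
FRESH_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\explorer.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - c:\windows\system32\hpBCEE.tmp
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: style2 - C:\WINDOWS\q156174_disk.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
"""

if __name__ == "__main__":
    for code, body in still_present(FIX_LIST, FRESH_LOG):
        print(f"still present: {code} - {body}")
```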

#3
miekiemoes


    Malware Expert

  • 5,503 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.