Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Smitfraud-C problem [resolved]


  • This topic is locked This topic is locked

#1
okucu

okucu

    Member

  • Member
  • PipPip
  • 66 posts
Hi ,

Ever since Spybot detected 38 or so entries of Smitfraud-C , I've been trying all the different solutions in Geeks to Go ( solutions involving HiJack This,Adaware ,ewido,etc ). It just won't go away;Spybot still detects it . The thing is , I am not really having any problems or the " blue screens" everyone seems to be having . I just get blinking and beeping selfstarting toolbar once in a while but I relate to it some problems with my MSN messenger .

Should I be worried or not ? I do use my pc for online banking ; should I worry about Smitfraud-C ?? Or is it only a problem if I respond to one of its screens ( which I do not get ) asking for personal info ??

Thanks ,

Ugur
  • 0

Advertisements


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome okucu to Geeks to Go!

Please post me one of those findings and a HijackThis log to check.
  • 0

#3
okucu

okucu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Hi ,

Below are Spybot and HiJackThis logs :
--- Search result list ---
Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.niger.ru\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.6o9.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webpidor.biz\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\visitfriend.net\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\veryeasysearch.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\v-224.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracking.allposters.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\toprefsys.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\terra.hcworld.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\t34rulit.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s2.kav.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s13.remove.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rf104.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\new.8ad.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msnprotection.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\meetyourfriend.biz\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\makechoice.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\love-catalog.net\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\letgohome.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\greg-tut.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ga31.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\[bleep]-[bleep].org\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fast-look.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ewizard.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\e-finder.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dl.ad-ware.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\datingforlove.org\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crl.thawte.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cc20foreva.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bin.wordsx.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adulthell.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\75tz.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\20x2p.com\*!=W=4

CoolWWWSearch.BadZoneMap: Ayarlar (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windupdates.com\*!=W=4

CoolWWWSearch.BadZoneMap: Ayarlar (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1547161642-839522115-854245398-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com\*!=W=4


--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-08-26 Includes\Dialer.sbi
2005-08-26 Includes\Hijackers.sbi
2005-08-16 Includes\Keyloggers.sbi
2005-08-26 Includes\Malware.sbi
2005-04-27 Includes\Revision.sbi
2005-08-25 Includes\Security.sbi
2005-08-16 Includes\Spybots.sbi
2005-08-26 Includes\Trojans.sbi
2004-11-29 Includes\LSP.sbi
2005-02-17 Includes\Tracks.uti
2005-08-12 Includes\PUPS.sbi

------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:19:03, on 03.09.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hurriyetim\Haber Alarmi\hurAlarm.exe
C:\Palm\hotsync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\ugur1\My Documents\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKCU\..\Run: [win update] wupda32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rswo] C:\Documents and Settings\ugur1\Application Data\ertm.exe
O4 - HKCU\..\Run: [Hurriyetim] C:\Program Files\Hurriyetim\Haber Alarmi\hurAlarm.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0465835E-95A0-4EDF-B0B6-44B44FD4B84D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0465835E-95A0-4EDF-B0B6-44B44FD4B84D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {D653CF0A-DCB2-4B4C-8045-E0764844E106} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D653CF0A-DCB2-4B4C-8045-E0764844E106} - (no file) (HKCU)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {2FF18E30-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.02) - http://www.ntvmsnbc....load/nm0321.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.streamloa...oad/XUpload.ocx
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF) - Unknown owner - C:\WINNT\sdkkr32.exe (file missing)

-----------------------

As I indicated before , my PC works OK...No blue/blanks screens or anything ...Just self opening toolbar and beeping once in a while ....But Smitfraud-C keeps coming up in Spybot checks ....

Thanks ,

Ugur
  • 0

#4
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Your PC may work ok for you, you do have trouble in there.

Please download and install these programs - don't run them yet!!

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box. Don't run it yet.

***

Check here on how setup and use AdAware SE - please make sure you update it first.

***

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops....ownload&id=3002
http://www.mytechsup...rviceremove.zip

***

Download http://cwshredder.ne.../CWShredder.exe

***

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.
Don't use it yet.

***

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Remote Procedure Call (RPC) Helper


leave the other Remote Procedure Call (RPC) services, they are legit

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you dont find this service listed go ahead with the next steps.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINNT\system32\wupda32.exe
C:\Documents and Settings\ugur1\Application Data\ertm.exe
C:\WINNT\sdkkr32.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

O4 - HKCU\..\Run: [win update] wupda32.exe

O4 - HKCU\..\Run: [Rswo] C:\Documents and Settings\ugur1\Application Data\ertm.exe

O9 - Extra button: Microsoft AntiSpyware helper - {0465835E-95A0-4EDF-B0B6-44B44FD4B84D} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0465835E-95A0-4EDF-B0B6-44B44FD4B84D} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {D653CF0A-DCB2-4B4C-8045-E0764844E106} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D653CF0A-DCB2-4B4C-8045-E0764844E106} - (no file) (HKCU)

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Run AboutBuster. This will scan your computer for the bad files and delete them.
Please run About:Buster:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

***

Scan with AdAware and let it remove any bad files found.

***

Double click on the cwsserviceremove and when asked to merge say yes.

***

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

***

Now open Ewido Security Suite:* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
***

Reboot into normal mode.

***

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

***

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DellDomains.inf
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:
  • Click on FileFind.exe
  • In the box labeled "Enter the directory to search"
    • Enter Drive eg.. C:\
  • In the box labeled "Enter the file to search"
    • Enter msgfix.exe
  • Now click on the "Find" button
  • Once the utility has found the files click on "Export"
  • This will save a text file to your C:\ drive as "Export.txt"
  • Double click on Export.txt, copy and paste this information in your next post

***

Then post me:
a fresh Hijack This log
the About:Buster logs
the Ewido log
the smitfiles.txt
the export.txt

You may need to post them in more than one post.
  • 0

#5
okucu

okucu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Downloaded and unzipped About:Buster , but can not open it ..It says " database is either corrupted or missing . Please download a new one " ..

I tried 3 times . No luck ...I will continue with the rest

Ugur
  • 0

#6
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You may want to disable your virusscanner for just that download and run. Could be the virusscanner corrupting the file.
  • 0

#7
okucu

okucu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Hello g2i2r4 ,

I did all you said except tAbout:Buster - it still says " database corrupt or missing even with virus scanners off . But guess what ?? I ran Spybot , and I'M CLEAAANNN ! !

I really can not thank enough;you're all doing a great job . I will make a small donation .....

Below is my latest HiJackThis . The rest that you wanted - Ewido,smitfiles txt.,and export txt. all came out CLEAN so there's nothing to post ..

Thanks again ,

Ugur


Logfile of HijackThis v1.99.1
Scan saved at 16:29:54, on 04.09.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hurriyetim\Haber Alarmi\hurAlarm.exe
C:\Palm\hotsync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\ugur1\Desktop\HijackThis.exe

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Hurriyetim] C:\Program Files\Hurriyetim\Haber Alarmi\hurAlarm.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {2FF18E30-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.02) - http://www.ntvmsnbc....load/nm0321.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.streamloa...oad/XUpload.ocx
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
  • 0

#8
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Just one more thing to do:

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

I'm glad everything is ok.

If so, shall I post you some tips for the future and close this topic?
  • 0

#9
okucu

okucu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
OK , did that , too .

You may close the topic .Please do send tips for future .

Thanks

Ugur
  • 0

#10
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with the instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware Download and install Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP