
SmitFraud-C.



#1
RedZer0x

    New Member

  • 9 posts
Alright, this is my 2nd post after once again giving it a go to try and remove SmitFraud-C. It is still stuck on my computer, turned the background blue and is opening popups. I just can't seem to get rid of it and now I'm begging for some help.

I've run numerous scans and performed file deletions in safe mode. I've run Ad-Aware SE, Spybot, CWShredder, HijackThis, Killbox, CCleaner, SmitRem, and Ewido. Nothing is working, and my HijackThis log doesn't seem to look tacky with the exception of one or two things, which I try to delete but which won't GET DELETED, so now I really need some help, please. I've tried to use the other link admin gave to try and do it myself and it's not working.

Here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 9:57:54 AM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\RedZer0x\LOCALS~1\Temp\Rar$EX00.360\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EA Downloader\Core.exe -silent
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by RedZer0x, 03 December 2005 - 12:13 PM.

  • 0



#2
RedZer0x

I also have another symptom where an exclamation point in a yellow triangle pops up in the bottom right-hand corner of my screen, displaying that I'm infected with the latest "Iworm_attck_v12.202a". When I click on the box it takes me to a website called SpyAxe. I was infected with SpyAxe malware earlier and it made an even more annoying red check mark pop up saying I was infected, but I managed to stop that using some alternate program to remove SpyAxe. Spybot cannot remove the program for some reason. I need something more sophisticated or some instructions on manual deletion 0_0

Well guys, I'm still browsing other threads to see if I can do it before you guys get to me. I'm still going at it. FYI, Spybot and Ewido are the only things that seem to be able to detect it.

Here's my latest scan, trying a different program from a related thread, Spy Sweeper:

********
10:23 AM: | Start of Session, Saturday, December 03, 2005 |
10:23 AM: Spy Sweeper started
10:23 AM: Sweep initiated using definitions version 577
10:23 AM: Starting Memory Sweep
10:24 AM: Memory Sweep Complete, Elapsed Time: 00:01:31
10:24 AM: Starting Registry Sweep
10:24 AM: Found Adware: security2k hijacker
10:24 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || kernel32.dll (ID = 796421)
10:24 AM: Found Trojan Horse: trojan-downloader-zlob
10:24 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797370)
10:24 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797671)
10:24 AM: Registry Sweep Complete, Elapsed Time:00:00:10
10:24 AM: Starting Cookie Sweep
10:24 AM: Found Spy Cookie: atwola cookie
10:24 AM: redzer0x@ar.atwola[1].txt (ID = 2256)
10:24 AM: redzer0x@atwola[1].txt (ID = 2255)
10:24 AM: Found Spy Cookie: 2o7.net cookie
10:24 AM: redzer0x@msnportal.112.2o7[1].txt (ID = 1958)
10:24 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:24 AM: Starting File Sweep
10:31 AM: File Sweep Complete, Elapsed Time: 00:07:00
10:31 AM: Full Sweep has completed. Elapsed time 00:08:50
10:31 AM: Traces Found: 6
10:32 AM: Removal process initiated
10:32 AM: Quarantining All Traces: security2k hijacker
10:32 AM: Quarantining All Traces: trojan-downloader-zlob
10:32 AM: Quarantining All Traces: 2o7.net cookie
10:32 AM: Quarantining All Traces: atwola cookie
10:32 AM: Removal process completed. Elapsed time 00:00:00
********
10:21 AM: | Start of Session, Saturday, December 03, 2005 |
10:21 AM: Spy Sweeper started
10:22 AM: Your spyware definitions have been updated.
10:23 AM: | End of Session, Saturday, December 03, 2005 |

Right when I thought it might have worked, I performed another Spybot scan and SmitFraud-C. is still there.....

Edited by RedZer0x, 03 December 2005 - 12:42 PM.

  • 0
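The Spy Sweeper session in the post above lists its registry traces under `policies\explorer\run`, a key that does not appear in the HijackThis logs posted in this thread. As an added example (not part of the original post), the following parser groups each trace under its "Found" line and picks out the ones sitting under a logon autostart key; the function names and the `AUTOSTART_SUFFIXES` list are assumptions made for this illustration.

```python
import re

# Lines copied from the Spy Sweeper session in the post above (trimmed).
SAMPLE_LOG = r"""
10:24 AM: Found Adware: security2k hijacker
10:24 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || kernel32.dll (ID = 796421)
10:24 AM: Found Trojan Horse: trojan-downloader-zlob
10:24 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797370)
10:24 AM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797671)
10:24 AM: Registry Sweep Complete, Elapsed Time:00:00:10
10:24 AM: Starting Cookie Sweep
10:24 AM: Found Spy Cookie: atwola cookie
10:24 AM: redzer0x@ar.atwola[1].txt (ID = 2256)
"""

# Assumption: a short, non-exhaustive list of key suffixes that start programs at logon.
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce",
                      r"\currentversion\policies\explorer\run")

LINE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (.*)$")    # "10:24 AM: <body>"
FOUND = re.compile(r"^Found ([^:]+): (.+)$")         # "Found <category>: <name>"
TRACE = re.compile(r"^(.*?) \(ID = (\d+)\)$")        # "<target> (ID = <n>)"


def parse_session(text):
    """Group trace lines under the 'Found <category>: <name>' line above them."""
    detections, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m.group(1)
        found = FOUND.match(body)
        if found:
            current = {"category": found.group(1), "name": found.group(2), "traces": []}
            detections.append(current)
            continue
        trace = TRACE.match(body)
        if trace and current is not None:
            # Registry traces are written as "<key> || <value name>"; cookies have no "||".
            target, _, value = trace.group(1).partition(" || ")
            current["traces"].append(
                {"target": target, "value": value or None, "id": int(trace.group(2))})
        elif not trace:
            current = None  # an ordinary status line ends the current detection
    return detections


def autostart_traces(detections):
    """Return (detection, key, value name) for registry traces under an autostart key."""
    return [(d["name"], t["target"], t["value"])
            for d in detections for t in d["traces"]
            if t["value"] and t["target"].lower().rstrip("\\").endswith(AUTOSTART_SUFFIXES)]
```

On the sample lines, every registry trace falls under the same autostart key, and the value names there are `kernel32.dll` and `wininet.dll`, which is worth comparing against whatever a second tool reports for the same key.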

#3
RedZer0x

OK, so I'm still going at this and my computer seems to be getting better, and the exclamation pop-up hasn't shown up for some time now. For some reason I can't leave this alone, as I know it will bite me in the [bleep] in the end. Spybot can still detect SmitFraud-C. I'm still scared to touch the SmitFraud registry edit again since it keeps making my desktop go blue again and presenting more problems. So I don't know what's going on. Here's a new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:04:10 AM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\RedZer0x\LOCALS~1\Temp\Rar$EX00.156\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EA Downloader\Core.exe -silent
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Alright guys, I've done all I can for now. I have to go out and do some stuff; I'll be back later. I hope someone replies soon. For now I'll give it a rest.

Edited by RedZer0x, 03 December 2005 - 01:46 PM.

  • 0

#4
RedZer0x

OK, I just got home and it's still present even though I ran further scans in safe mode. I performed another SmitRem scan and here's the log for that:


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 12/03/2005
The current time is: 15:50:05.45

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:

It says clean, but every time I run this program it turns my background back to blue again, and SmitFraud-C. is still detected in my Spybot.
  • 0

#5
RedZer0x

Mmm, I hope you guys don't forget about me. I've noticed that it's slowing down my processor speed =(
  • 0

#6
RedZer0x

Alright guys, if you finally get to my thread, go ahead and close it and put resolved on it, because I came out MOTHA FN victorious.

For anyone else who has problems removing SmitFraud-C., here's what to do after you calm it down.

After you run your scans, SmitRem, Ad-Aware, and so forth, you'll notice that your computer seems to run fine but with periodic slowdowns in processor and download speed or anything similar to that. You'll also notice your popups are gone, yet SmitFraud is still detected in Spybot. The rest of the C R A P that follows it will be other minor adware stuff you can easily remove with Ad-Aware. You'll also need the SmitFraud registry edit; if you don't already have it you can get it from this link (http://www.bleepingc...g/smitfraud.reg). This is a registry change that's supposed to set your desktop settings back to normal. Don't use this yet, until you have deleted all of the SmitFraud garbage.

Here's the thing now: to remove SmitFraud-C. in my case, go into Safe Mode and run a scan using Spybot. You'll notice it shows up in there. Click on the + sign to show the files involving it, and it will have to do with a HKEY_USERS type registry change. Right-click on it, go to more options and click on Go to Path. Basically it will open your regedit and take you to that key. You'll notice you can't delete the [bleep] folder, which should be something like S-9183287/ or something similar to that. Delete everything, or whatever you can, in that folder. I'm not being quite specific on it because I don't know what other aliases it may take, but if you do the show path option that you get when you right-click the file and click more options, it will take you there automatically. Just delete those files.

Run another scan with Spybot and try to actually fix it. If it still doesn't fix, try to locate that folder once again to see if the files show up, and delete again. Even if it still shows, go ahead and click on the SmitFraud reg file you just downloaded and rerun another scan. From that point either A) it's not being detected anymore or B) you'll need to go do the show path again and delete the files if they reappear. Don't be afraid to use the SmitFraud reg more than once if necessary; all it does is set it back to normal. MAKE SURE YOU DO ALL OF THIS IN SAFE MODE. Normal mode for some reason will not cooperate. GEE I WONDER WHY!? SO USE SAFE MODE. YES THAT IS SARCASM, so use safe mode.

After that, run a scan using Ad-Aware SE and delete all of the criticals and tracking cookies. Reboot your computer, go back into normal mode and run a 2nd test scan using Spybot. The only things you should see once you scan are either A) minor tracker adware programs, which are easy to remove using an ad-remover scanner, or B) nothing. If you get C) finding SmitFraud again, you might want to try again, as you probably did not delete the files all the way in the registry.

I hope this helps anyone else with this problem. NOTE: This fix worked for me fighting SmitFraud-C. Should you have a different version such as SmitFraud-G. or HTML SmitFraud-C, they are completely different but the same in terms of them being PAIN IN THE Arse trojans.

Lastly, if you haven't considered using any of these programs, do so, as they may help you:

SmitRem
Smitfraud.reg
Autoruns <---- This program is quite nice; it will show you all of the startup programs and allow you to delete the MAIN source that makes them boot up. You can get it from this link (http://www.sysintern...s/Autoruns.html). When you use this program it is more effective in Safe Mode.

On another note, when you're an amateur like me, don't be dumb and delete or shut off programs without doing some research by looking them up. A way to do so is to take the file name, for example lsass.exe, type it into Google and look for references as to whether it is a trojan/virus/etc. or a legitimate program. Best of luck to you guys. My battle is finally done and all my [bleep] valuable files are saved, so I don't need to reformat. WOO [bleep] I feel good. If you want to talk to me directly, my AIM is RedZer0x.

Edited by RedZer0x, 03 December 2005 - 10:33 PM.

  • 0





