
Different (Worse) Smitfraud Problem

Discussion in 'Virus & Other Malware Removal' started by drlars, Jun 5, 2005.

  1. drlars (Thread Starter; joined Jun 5, 2005; 5 messages)

    My mother-in-law's computer has the Smitfraud virus. It had no anti-virus protection at all at the time.

    I, unfortunately, immediately loaded and ran McAfee from AOL. After the scan was complete, it reported deleting several files. It also requested quarantining a file, which I did. I then restarted to see if the (I now know) ubiquitous Smitfraud background went away.

    Not only did the background not go away, the desktop icons and task bar were gone! Several restarts: no change. Safe mode: no change. The system is running to the extent that ctrl/alt/del works and allows me to bring up Task Manager. From that I can run AOL, Word, and some other things. However, I have no Start button to access control panel to add/remove programs as the Smitfraud instructions indicate.

    So, should I perform the Smitfraud removal instructions that I can without the control panel? I should be able to do everything except add/remove programs.

    Or what? Any guidance would be great.

    Thanks!
     
  2. drlars (Thread Starter; joined Jun 5, 2005; 5 messages)

    PS: The OS is 2K.
     
  3. ekim68 (Mike; joined Jul 8, 2003; 53,280 messages)

    Well, go ahead and try the removal procedures with either aol or add/remove.. But,
    this is a tricky piece of malware...Have you tried an online scan? Such as:
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/


    I'm not sure that OS 2K has a system restore. Does it? (In case, this is recent).

    Otherwise, you might want to post a log that can help..

    http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

    Download and post a log so we can look at..
     
  4. drlars (Thread Starter; joined Jun 5, 2005; 5 messages)

    Thanks for the reply. I've tried McAfee and AOL Spyware Zapper to no avail. I'll try these others. Is there any of the three that's more likely to have an effect?

    Afterwards I'll post the log from hijack.
     
  5. drlars (Thread Starter; joined Jun 5, 2005; 5 messages)

    I didn't run any of the online scans yet that you suggested, but I have some new information. At the suggestion of a person from work, I tried to start explorer from Task Manager. The thought was that explorer wasn't starting and thus no desktop appeared.

    Trying to run explorer in this way resulted in a message that explorer or one of its components was not found. Is there a chance that when I ran the virus scan some Windows components were deleted by McAfee? If so, do you know what they are so I could try copying them from a working machine? Am I way off base?

    Also, the HiJack log from the current situation is attached.

    Thanks!

    Logfile of HijackThis v1.99.1
    Scan saved at 9:52:41 PM, on 6/6/2005
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\WINNT\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINNT\System32\taskmgr.exe
    C:\Program Files\America Online 9.0a\waol.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\Program Files\Common Files\Aol\aoltpspd.exe
    C:\WINNT\System32\cmd.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\Bin\4.6.1.0\HbOEAddOn.exe
    O4 - HKLM\..\Run: [hgfbmmga] C:\WINNT\System32\vzyoaioe.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
    O4 - HKCU\..\Run: [SMSSU] C:\WINNT\System32\SMSSU.EXE
    O4 - HKCU\..\Run: [Tmntsrv32] C:\WINNT\System32\Tmntsrv32.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B21F4DCF-0310-4BF6-B820-394A2C2F4A51}: NameServer = 205.188.146.145
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
     
  6. ekim68 (Mike; joined Jul 8, 2003; 53,280 messages)

    McAfee probably didn't cause the problem. And, as I recall win2k checks correct
    registry entries at reboot....However, you should run those online scans if you can.
    And, go ahead and fix these in Hijackthis:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffer...omeLeftPane.htm
    {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)

    And, if you have time, check out the help here:
    http://forums.techguy.org/t110854.html

    It's a good learn...
     
  7. khazars (joined Feb 15, 2004; 12,302 messages)

    Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

    Download this file: http://www.bleepingcomputer.com/files/reg/smitfraud.reg

    Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

    hotbar
    Security IGuard
    Virtual Maid
    Search Maid

    Exit Add/Remove Programs.

    *IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

    How to show hidden files in Windows

    http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

    Do a ctrl/alt/del and in Task Manager stop these processes if running:

    C:\WINNT\System32\shnlog.exe
    C:\WINDOWS\popuper.exe
    C:\WINNT\System32\intmonp.exe
    C:\WINNT\System32\msole32.exe
    C:\WINNT\System32\SMSSU.EXE
    C:\WINNT\System32\Tmntsrv32.EXE
    C:\WINNT\System32\vzyoaioe.exe

    Double-click smitfraud.reg and confirm you want to merge it with the registry.

    Download the Pocket Killbox:

    http://www.bleepingcomputer.com/files/killbox.php

    Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. With the last entry click Yes to reboot. If Killbox reports that some of the files are missing then just continue with the rest until all are pasted into the Killbox.



    C:\WINDOWS\Golden Palace Casino Setup.exe
    C:\wp.exe
    C:\wp.bmp
    C:\bws.exe
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\WINNT\System32\helper.exe
    C:\WINNT\System32\intmonp.exe
    C:\WINNT\System32\msmsgs.exe
    C:\WINNT\System32\ole32vbs.exe
    C:\WINNT\system32\msole32.exe
    C:\WINNT\System32\shnlog.exe
    C:\WINNT\System32\intmon.exe
    C:\WINNT\system32\hhk.dll
    C:\WINNT\System32\wldr.dll
    C:\WINNT\System32\SMSSU.EXE
    C:\WINNT\System32\Tmntsrv32.EXE
    C:\WINNT\System32\vzyoaioe.exe

    After your computer starts up, boot into safe mode.

    How to boot to safe mode

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Run HijackThis and put checkmarks in front of the following items.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKCU\..\Run: [SMSSU] C:\WINNT\System32\SMSSU.EXE
    O4 - HKCU\..\Run: [Tmntsrv32] C:\WINNT\System32\Tmntsrv32.EXE
    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\Bin\4.6.1.0\HbOEAddOn.exe
    O4 - HKLM\..\Run: [hgfbmmga] C:\WINNT\System32\vzyoaioe.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)

    Make sure you can view hidden files.

    How to show hidden files in Windows

    http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

    Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way).

    FOLDERS to delete (in bold) if found:

    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Windows\System32\Log Files
    C:\Program Files\Security IGuard
    C:\Program Files\hotbar

    Reboot into normal mode.

    1.) Download the Hoster from: http://members.aol.com/toadbee/hoster.zip
    or www.funkytoad.com/download/hoster.zip. Unzip the file, press "Restore Original Hosts" and press "OK". Exit the program.

    2.) Download: DelDomains.inf

    http://www.mvps.org/winhelp2002/DelDomains.inf

    Should the link above display the text instead of downloading the file, then copy & paste the text into Notepad and save the file as DelDomains.inf.
    To use: right-click and select Install (no need to restart).
    Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

    3.) Download and run CCleaner.

    http://www.ccleaner.com/

    Post back with a new HijackThis log when you are done.
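The triage that the helpers above do by eye (spot the autorun entries whose executable is on the delete list, the random-named Run value, the IE button with no backing file, the hijacked search URL) can be scripted. The block below is an added example written for this thread; it is not code from the forum, from HijackThis, or from any tool named in the reply. SAMPLE_LOG is a constructed excerpt of the log posted earlier in the thread, KILLBOX_PATHS is a subset of the delete list given above, and the function names, the 8-lowercase-letter heuristic and the aol.com allowlist are assumptions made for illustration.

```python
"""Triage a HijackThis log excerpt against a removal reply's file list.

Added example for this thread; not the forum's or any tool's own code.
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Constructed excerpt of the posted log (a few representative lines, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hgfbmmga] C:\WINNT\System32\vzyoaioe.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINNT\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINNT\System32\Tmntsrv32.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
"""

# Subset of the paths the reply above tells the poster to delete.
KILLBOX_PATHS = [
    r"C:\WINNT\System32\msole32.exe",
    r"C:\WINNT\System32\shnlog.exe",
    r"C:\WINNT\System32\SMSSU.EXE",
    r"C:\WINNT\System32\Tmntsrv32.EXE",
    r"C:\WINNT\System32\vzyoaioe.exe",
]

# Hosts an AOL-configured machine is expected to use for home/search pages (assumed).
EXPECTED_URL_HOSTS = {"www.aol.com", "aol.com"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - .+? = (?P<value>.*)$")
O9_NO_FILE_RE = re.compile(r"^O9 - .*\(no file\)")


def exe_from_command(cmd):
    """Return the executable from a Run-value command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted: the executable ends at the first ".exe" followed by whitespace or end of line.
    m = re.match(r"(?P<exe>.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd


def triage(log_text, bad_paths=KILLBOX_PATHS):
    """Return (line, reason) pairs for log lines that deserve a second look."""
    bad_names = {PureWindowsPath(p).name.lower() for p in bad_paths}
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = PureWindowsPath(exe_from_command(m.group("cmd")))
            if exe.name.lower() in bad_names:
                findings.append((line, f"autorun launches listed file {exe.name}"))
            elif re.fullmatch(r"[a-z]{8}", m.group("name")):
                # Heuristic (assumed): generated value names like "hgfbmmga" are 8 random letters.
                findings.append((line, "autorun value name is a random-looking 8-letter string"))
            continue
        if O9_NO_FILE_RE.match(line):
            findings.append((line, "IE button registered with no backing file"))
            continue
        m = R_RE.match(line)
        if m:
            host = urlparse(m.group("value")).hostname  # None for local paths and plain text
            if host and host not in EXPECTED_URL_HOSTS:
                findings.append((line, f"search/home page points at unexpected host {host}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the excerpt it reports the three autorun entries on the delete list, the dead AntiSpyware button and the resultsmaster.com search hijack, and stays quiet on the AOL and QuickTime entries. Matching on the file name rather than the full path is deliberate: the log mixes `System32` and `system32`, short 8.3 paths and long ones, so a naive string comparison would miss entries.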
     
  8. drlars (Thread Starter; joined Jun 5, 2005; 5 messages)

    Hey khazars,

    Thanks for the note. The problem I have with following the instructions is that the system does not have the start button! The start button and task toolbar are gone along with the desktop.

    My plan, I guess, is to run the on-line scans suggested by ekim68, run hijack against the one entry suggested, and post another hijack log. If my start button comes back in the process I think I'll be home free. If you have any other ideas about getting the start button/task toolbar back let me know.

    Thanks!
     
  9. khazars (joined Feb 15, 2004; 12,302 messages)

    You don't need the Start button to run my instructions; just right-click My Computer if you want to get about the PC, into say Explorer, to run programs.

    Go to your HijackThis folder in C:\programs by right-clicking My Computer, then click Explore, click C:\ and Program Files. You can run HijackThis from there to delete the entries I have highlighted above. Save the Killbox to the desktop and run it from there.

    The killbox should take care of most of these infections and hopefully along with hijack this should free up your pc? If you can run these programmes you should be able to get rid of the infection.

    You can also use ctrl/alt/del and use taskmanager as I've said previously to stop those exes from running if they are there.
     
  10. khazars (joined Feb 15, 2004; 12,302 messages)

    Just do as much as you can with the Killbox, HijackThis and ctrl/alt/del. Download all tools to a folder in C:\.
     
Short URL to this thread: https://techguy.org/368761
