Different (Worse) Smitfraud Problem

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

drlars

Thread Starter
Joined
Jun 5, 2005
Messages
5
My mother-in-law's computer has the Smitfraud virus. It had no anti-virus protection at all at the time.

I, unfortunately, immediately loaded and ran McAfee from AOL. After the scan was complete, it reported deleting several files. It also requested quarantining a file, which I did. I then restarted to see if the (I now know) ubiquitous Smitfraud background went away.

Not only did the background not go away, the desktop icons and task bar were gone! Several restarts: no change. Safe mode: no change. The system is running to the extent that ctrl/alt/del works and allows me to bring up Task Manager. From that I can run AOL, Word, and some other things. However, I have no Start button to access control panel to add/remove programs as the Smitfraud instructions indicate.

So, should I perform the Smitfraud removal instructions that I can without the control panel? I should be able to do everything except add/remove programs.

Or what? Any guidance would be great.

Thanks!
 
Joined
Jul 8, 2003
Messages
55,984
First Name
Mike
Well, go ahead and try the removal procedures with either AOL or add/remove.. But,
this is a tricky piece of malware...Have you tried an online scan? Such as:
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/


I'm not sure that OS 2K has a system restore. Does it? (In case, this is recent).

Otherwise, you might want to post a log that can help..

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

Download and post a log so we can look at..
 

drlars

Thread Starter
Joined
Jun 5, 2005
Messages
5
Thanks for the reply. I've tried McAfee and AOL spyware zapper to no avail. I'll try these others. Is there any of the three that's more likely to have an effect?

Afterwards I'll post the log from hijack.
 

drlars

Thread Starter
Joined
Jun 5, 2005
Messages
5
I didn't run any of the online scans yet that you suggested, but I have some new information. At the suggestion of a person from work, I tried to start explorer from Task Manager. The thought was that explorer wasn't starting and thus no desktop appeared.

Trying to run explorer in this way resulted in a message that explorer or one of its components was not found. Is there a chance that when I ran the virus scan some Windows components were deleted by McAfee? If so, do you know what they are so I could try copying them from a working machine? Am I way off base?

Also, the HiJack log from the current situation is attached.

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:52:41 PM, on 6/6/2005
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINNT\System32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\Bin\4.6.1.0\HbOEAddOn.exe
O4 - HKLM\..\Run: [hgfbmmga] C:\WINNT\System32\vzyoaioe.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [SMSSU] C:\WINNT\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINNT\System32\Tmntsrv32.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B21F4DCF-0310-4BF6-B820-394A2C2F4A51}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
 
Joined
Jul 8, 2003
Messages
55,984
First Name
Mike
McAfee probably didn't cause the problem. And, as I recall win2k checks correct
registry entries at reboot....However, you should run those online scans if you can.
And, go ahead and fix these in Hijackthis:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffer...omeLeftPane.htm
{7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)

And, if you have time, check out the help here:
http://forums.techguy.org/t110854.html

It's a good learn...
 
Joined
Feb 15, 2004
Messages
12,302
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Download this file: http://www.bleepingcomputer.com/files/reg/smitfraud.reg


Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

hotbar
Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES


How to show hidden files in Windows

http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=



Do a ctrl/alt/del and in Task Manager stop these processes if running.



C:\WINNT\System32\shnlog.exe
C:\WINDOWS\popuper.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msole32.exe
C:\WINNT\System32\SMSSU.EXE
C:\WINNT\System32\Tmntsrv32.EXE
C:\WINNT\System32\vzyoaioe.exe



Double-click smitfraud.reg and confirm you want to merge it with the registry.

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php



Double-click on Killbox.exe to run it. Now put a tick by Delete on
Reboot. In the "Full Path of File to Delete" box, copy and paste each
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file on next reboot. Click
Yes. It will then ask if you want to reboot now. Click No. Continue
with that same procedure until you have copied and pasted all of
these in the "Paste Full Path of File to Delete" box. With the last entry
click Yes to reboot. If killbox reports that some of the files are missing
then just continue with the rest until all pasted into the killbox.



C:\WINDOWS\Golden Palace Casino Setup.exe
C:\wp.exe
C:\wp.bmp
C:\bws.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\System32\ole32vbs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\system32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\SMSSU.EXE
C:\WINNT\System32\Tmntsrv32.EXE
C:\WINNT\System32\vzyoaioe.exe


after your computer starts up, boot into safe mode


How to boot to safe mode

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


Run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:

O4 - HKCU\..\Run: [SMSSU] C:\WINNT\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINNT\System32\Tmntsrv32.EXE
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\Bin\4.6.1.0\HbOEAddOn.exe
O4 - HKLM\..\Run: [hgfbmmga] C:\WINNT\System32\vzyoaioe.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)

Make sure you can view hidden files.


How to show hidden files in Windows

http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=



Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
C:\Program Files\hotbar

Reboot into normal mode.

1.) Download the Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

Download the Hoster from: http://members.aol.com/toadbee/hoster.zip. UnZip
the file and press "Restore Original Hosts" and press "OK". Exit Program.

www.funkytoad.com/download/hoster.zip

2.) Download: DelDomains.inf

http://www.mvps.org/winhelp2002/DelDomains.inf

Should the link above display the text instead of downloading the file, then copy & paste the text into Notepad and save the file as DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download and run CCleaner.

http://www.ccleaner.com/


Post back with a new HijackThis log when you are done.
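As an added example (not from this thread or from HijackThis, Killbox or any other tool named here), a small Python triage script that parses HijackThis O4 Run lines like the ones in drlars's log, cuts the image path out of the command (quoted or unquoted), and flags entries whose file name is on khazars's Killbox list, random-named entries like [hgfbmmga], and O9 items with "(no file)". The 8-letter-name heuristic and the [qwertyui] sample line are my assumptions, not something the thread states.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.99.1 format. The first six lines are copied
# from the log posted above; the [qwertyui] line is made up to exercise the heuristic.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hgfbmmga] C:\WINNT\System32\vzyoaioe.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINNT\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINNT\System32\Tmntsrv32.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {7566A662-EBE7-4433-B8DB-31C2F5B9746C} - (no file) (HKCU)
O4 - HKLM\..\Run: [qwertyui] C:\WINNT\System32\constructed-example.exe
"""
# File names from the Killbox list in the post above, lower-cased for matching.
KILLBOX_NAMES = {
    "shnlog.exe", "popuper.exe", "intmonp.exe", "msole32.exe", "smssu.exe",
    "tmntsrv32.exe", "vzyoaioe.exe", "helper.exe", "intmon.exe", "msmsgs.exe",
    "ole32vbs.exe", "hhk.dll", "wldr.dll", "wp.exe", "bws.exe",
}
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# Image path = first token ending in an executable extension, quoted or not.
# Unquoted paths in these logs may contain spaces, so splitting on whitespace fails.
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|ocx|scr|com))"?(?:\s|$)', re.IGNORECASE)

def parse_o4(line):
    """Return (hive, value name, image path) for an O4 Run entry, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    p = PATH_RE.match(cmd)
    return m.group("hive"), m.group("value"), (p.group("path") if p else cmd)

def triage(log_text):
    """Flag log entries matching the thread's indicators. A triage aid, not a verdict."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            hive, value, path = entry
            name = PureWindowsPath(path).name.lower()
            if name in KILLBOX_NAMES:
                findings.append((line, f"image {name} is on the Killbox list"))
            elif re.fullmatch(r"[a-z]{8}", value) and "system32" in path.lower():
                # Assumption: an 8-letter random-looking value name that points into
                # System32 (like [hgfbmmga] above) deserves a manual look.
                findings.append((line, "random-looking Run value pointing into System32"))
        elif line.startswith("O9 ") and "(no file)" in line:
            findings.append((line, "O9 item whose file no longer exists"))
    return findings
```

Run `triage(open("hijackthis.log").read())` on a saved log to get the flagged lines with a reason for each; anything it returns still needs a human to confirm before fixing in HijackThis.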
 

drlars

Thread Starter
Joined
Jun 5, 2005
Messages
5
Hey khazars,

Thanks for the note. The problem I have with following the instructions is that the system does not have the start button! The start button and task toolbar are gone along with the desktop.

My plan, I guess, is to run the on-line scans suggested by ekim68, run hijack against the one entry suggested, and post another hijack log. If my start button comes back in the process I think I'll be home free. If you have any other ideas about getting the start button/task toolbar back let me know.

Thanks!
 
Joined
Feb 15, 2004
Messages
12,302
You don't need the Start button to run my instructions; just right-click My Computer if you want to get about the PC, into, say, Explorer to run programs.

Go to your HijackThis folder in C:\programs by right-clicking My Computer, then click Explore, click C:\ and Program Files. You can run HijackThis from there to delete the entries I have highlighted above. Save the Killbox to the desktop and run it from there.

The Killbox should take care of most of these infections and hopefully, along with HijackThis, should free up your PC. If you can run these programmes you should be able to get rid of the infection.

You can also use ctrl/alt/del and use Task Manager, as I've said previously, to stop those exes from running if they are there.
 
Joined
Feb 15, 2004
Messages
12,302
Just do as much as you can with the Killbox, HijackThis and using ctrl/alt/del. Download all tools to a folder in C:\
 