
Solved: Smitfraud for Christmas

Discussion in 'Virus & Other Malware Removal' started by Avalon Polo, Jan 1, 2006.

Thread Status:
Not open for further replies.
  1. Avalon Polo

    Avalon Polo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    11
    I came home today to find a "spyware infection" desktop and several things in the vein of SpySheriff. I always thought that these sorts of things do not infect fully updated Windows versions, so this is strange. I also have Windows Anti-Spyware, which detected the spyware immediately and ran a scan. It found two dozen things, which I told it to delete. It seemed to get rid of the worst offenders - SpySheriff is gone, there are no intrusive popups and noahdfear is no longer blocked. The problem is that the annoying Smitfraud desktop is still in place. I'd like to get rid of it as well as anything else that Windows Anti-Spyware hadn't noticed. Here's my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:33:25 PM, on 1/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Canon\BJPV\TVMon.exe
    C:\Program Files\Canon\BJCard\BJLaunch.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Canon\BJCard\Bjmcmng.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Igor\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
    O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135479905953
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2626302C-A46E-4F53-8020-0FC87F6618CD}: NameServer = 85.255.116.136,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\..\{346C5557-2730-45C5-BD1E-B4E3A0A416B9}: NameServer = 85.255.116.136,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\..\{547EA0B5-B4AE-4C3A-8128-57AFAEF1ED34}: NameServer = 85.255.116.136,85.255.112.184
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2626302C-A46E-4F53-8020-0FC87F6618CD}: NameServer = 85.255.116.136,85.255.112.184
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SWdvcg\command.exe (file missing)
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You have no anti-virus protection.
    Get AVG (it's free): http://free.grisoft.com/doc/1
    Install it and run a scan.

    Click here to download the trial version of Ewido Security Suite:
    http://www.ewido.net/en/download/

    · Install Ewido.
    · During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    · Launch ewido.
    · It will prompt you to update; click the OK button and it will go to the main screen.
    · On the left side of the main screen click update.
    · Click on Start and let it update.
    · DO NOT run a scan yet.

    Restart your computer into Safe Mode now.
    (Start tapping the F8 key at Startup, before the Windows logo screen).
    Perform the following steps in Safe Mode:

    * Run Ewido:
    Click on scanner
    Click Complete System Scan and the scan will begin.
    During the scan it will prompt you to clean files, click OK.
    When the scan is finished, look at the bottom of the screen and click the Save report button.
    Save the report to your desktop.

    Reboot.

    Post a new Hijack This log and the results of the Ewido scan.
     
  3. Avalon Polo

    Avalon Polo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    11
    I downloaded both the virus scan you recommended and ewido. Both returned infected files. I also did something I'm not sure I should have - I went in and deleted the files in quarantine, using Delete in AVG and Remove Finally in ewido. Should I not do that or does it not really matter?

    Anyhow, here is the HijackThis log.

     
  4. Avalon Polo

    Avalon Polo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    11
    The ewido scan is too long to post in one. I'll do a two part post.

     
  5. Avalon Polo

    Avalon Polo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    11
    Here's part 2 of the ewido scan.

     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Click Start – Run - and type in:

    services.msc

    Click OK.

    In the services window find: Command Service

    Right click and choose Properties. On the General tab under Service Status click the Stop button to stop the service. Beside Startup Type in the dropdown menu select Disabled. Click Apply then OK. Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2626302C-A46E-4F53-8020-0FC87F6618CD}: NameServer = 85.255.116.136,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\..\{346C5557-2730-45C5-BD1E-B4E3A0A416B9}: NameServer = 85.255.116.136,85.255.112.184
    O17 - HKLM\System\CCS\Services\Tcpip\..\{547EA0B5-B4AE-4C3A-8128-57AFAEF1ED34}: NameServer = 85.255.116.136,85.255.112.184
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2626302C-A46E-4F53-8020-0FC87F6618CD}: NameServer = 85.255.116.136,85.255.112.184
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SWdvcg\command.exe (file missing)


    Boot into Safe Mode.

    Find and delete this folder: C:\WINDOWS\SWdvcg

    Also in Safe Mode navigate to the C:\Windows\Temp folder.
    Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box.
    The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    It's normal if some files don't delete!

    Finally go to Control Panel > Internet Options.
    On the General tab under "Temporary Internet Files" Click "Delete Files".
    Put a check by "Delete Offline Content" and click OK.
    Click on the Programs tab then click the "Reset Web Settings" button.
    Click Apply then OK.

    Empty the Recycle Bin.

    Reboot, post a new log.
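    The O17 NameServer entries in the first log and the matching "Fix Checked" list in this post are the heart of this case: the machine's DNS resolvers had been replaced with two outside addresses, so any lookup could be answered by whoever ran those servers, and an orphaned service still pointed at a binary that no longer existed. The following Python script is an added example, not code from this thread, from HijackThis or from the helpers here. It scans HijackThis-style lines for exactly those two patterns: O17 entries whose nameservers are neither private addresses nor on an allow-list of expected resolvers, and O23 services whose binary is missing or which have no recorded publisher and run from an unusual directory. The sample log is constructed from the entries quoted above plus two invented interfaces (192.168.1.1 and 198.51.100.53, the latter a documentation address standing in for an ISP resolver) to show what is not flagged; the allow-list and the "trusted directory" prefixes are assumptions for the example.

```python
"""Flag DNS-hijack and orphaned-service indicators in HijackThis-style log lines."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: entries quoted in this thread plus two invented
# interfaces that should NOT be flagged (a home router and an expected resolver).
# In HijackThis O17 lines, CCS = CurrentControlSet and CS1 = ControlSet001.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2626302C-A46E-4F53-8020-0FC87F6618CD}: NameServer = 85.255.116.136,85.255.112.184
O17 - HKLM\System\CS1\Services\Tcpip\..\{2626302C-A46E-4F53-8020-0FC87F6618CD}: NameServer = 85.255.116.136,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{66666666-7777-8888-9999-000000000000}: NameServer = 198.51.100.53
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SWdvcg\command.exe (file missing)
""".strip()

# Constructed allow-list: the public resolvers this machine is expected to use.
# 198.51.100.53 is a documentation address standing in for an ISP resolver.
EXPECTED_RESOLVERS = {"198.51.100.53"}

# Assumed: a service with no recorded publisher is not, by itself, suspicious
# when its binary lives under one of these directories (Ati2evxx.exe above).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

O17_RE = re.compile(
    r"O17 - HKLM\\System\\(?P<hive>\w+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<iface>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$"
)
O23_RE = re.compile(
    r"O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


def _finding(item: str, severity: str, detail: str, line: str) -> Dict[str, str]:
    return {"item": item, "severity": severity, "detail": detail, "line": line}


def check_nameserver(line: str) -> List[Dict[str, str]]:
    """Flag an O17 line if any listed resolver is public and not on the allow-list."""
    m = O17_RE.match(line)
    if not m:
        return []
    rogue = []
    for server in m.group("servers").split(","):
        server = server.strip()
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:          # not even an address: worth a look
            rogue.append(server)
            continue
        if ip.is_private or ip.is_loopback or server in EXPECTED_RESOLVERS:
            continue
        rogue.append(server)
    if not rogue:
        return []
    detail = (f"interface {m.group('iface')} in {m.group('hive')} resolves via "
              f"unexpected DNS server(s) {', '.join(rogue)}")
    return [_finding("O17", "high", detail, line)]


def check_service(line: str) -> List[Dict[str, str]]:
    """Flag an O23 service whose binary is gone, or unsigned and in an odd place."""
    m = O23_RE.match(line)
    if not m:
        return []
    name, owner, path = m.group("name"), m.group("owner"), m.group("path")
    out = []
    if m.group("missing"):
        out.append(_finding("O23", "high",
                            f"service '{name}' points at missing binary {path}", line))
    if owner == "Unknown owner" and not path.lower().startswith(TRUSTED_DIRS):
        out.append(_finding("O23", "review",
                            f"service '{name}' has no publisher and runs from {path}", line))
    return out


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run both checks over every line of a HijackThis-style log."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O17 - "):
            findings.extend(check_nameserver(line))
        elif line.startswith("O23 - "):
            findings.extend(check_service(line))
    return findings


def lines_to_fix(log_text: str) -> List[str]:
    """High-severity lines, in log order and without duplicates: the 'Fix Checked' list."""
    seen, out = set(), []
    for f in scan(log_text):
        if f["severity"] == "high" and f["line"] not in seen:
            seen.add(f["line"])
            out.append(f["line"])
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['item']}: {f['detail']}")
    print("\nLines to fix:")
    print("\n".join(lines_to_fix(SAMPLE_LOG)))
```

    On the sample, the two lines carrying 85.255.116.136 and 85.255.112.184 and the Command Service line come out as the fix list, which is the same set the helper asked for above, while the router, the allow-listed resolver and the ATI service are left alone. After fixing, confirm with `ipconfig /all` that each adapter again shows the resolvers you expect; a NameServer value that reappears after a reboot means the thing writing it is still running.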
     
  7. Avalon Polo

    Avalon Polo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    11
    Thanks for your help. I completed all the steps, but couldn't find "O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SWdvcg\command.exe (file missing)" in HijackThis.

    The computer seems to be running alright, but the intrusive desktop is still in place, although I can now right-click it to bring up the properties, which I couldn't do before.

    Anyway, here's the new log:


     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.
     
  9. Avalon Polo

    Avalon Polo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    11
    I've done it, but the desktop is still locked.
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download and save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double click on the cleandesktop.exe

    It will automatically extract to c:\desktopclean, where it needs to be to run, and will automatically run the cleandesktop.vbs script.

    If it doesn't open, then go to c:\desktopclean and double click on cleandesktop.vbs. Do not run any other file from there please, unless asked to.

    If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

    If you get a message when you first run it, "Can not find script file "blah blah blah"", then don't worry; just double-click the cleandesktop.vbs script again. You sometimes get that message when a script blocker blocks the script.

    It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

    It will restart Explorer.

    Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

    I have included another vbs to do this. It is named Other Profiles Regfix.vbs

    Have each User sign in and run Other Profiles Regfix.vbs
    Open C:\ (Go to Start>Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

    Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

    To restore the desktop to whatever picture you normally have, right click on a blank part of the desktop and select Properties > Desktop, select your preferred picture, press Apply and then OK to exit, and then press F5.

    You will need to do this step for every user account.
     
  11. Avalon Polo

    Avalon Polo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    11
    I ran the executable you sent and the Desktop is now clean. It looks fine. However, I may have stupidly run into another problem. After I turned on "show hidden files", I noticed an ini file on the Desktop that contained the following two lines:

    I decided to see the location of this file, but I accidentally copied the entire location into the address bar and the executable ran. A search for unregmp2.exe on Google told me that it was dangerous. Have I re-infected myself? What should I do with the desktop.ini file?
     
  12. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    I actually think it's OK. I have the same file on my system.
    If you do a search for unregmp2.exe, right click on the file and choose Properties.
    Go to the tab that says Version.
    Under Description, it should be labeled as a Microsoft file.
    It should say Microsoft Windows Media Player Setup Utility.
     
  13. Avalon Polo

    Avalon Polo Thread Starter

    Joined:
    Dec 24, 2005
    Messages:
    11
    Looks like you're right. Thanks for helping. This laptop feels like it's healthy again.
     
  14. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You're welcome :)

    Now turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    You can mark your thread "Solved" from the Thread Tools drop down menu.
     
  15. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Since this problem has been solved, I'm closing this thread. If you need it re-opened please PM me or one of the other Mods.

    Anyone else with a similar problem please start a "New Thread".
     
Short URL to this thread: https://techguy.org/430198