Please Help! I Have A Trojan


#1 grendelvamp
  • Members
  • 78 posts

Posted 05 August 2007 - 02:54 AM

Hello

I have run Spybot S&D and found that I'm infected with Smitfraud C. I have run the automatic smitfraud removal program but to no avail. Please help me figure out how to remove this from my computer. I'm not sure if it comes bundled with Virtumonde but that is showing up on Spybot's results too. Any help would be appreciated.


#2 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 05 August 2007 - 03:16 AM

See these two Bleeping Computer removal guides:

How to remove the Smitfraud / Generic Zlob / Quicknavigate / Virtual Maid

How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 buddy215
  • Moderator
  • 13,508 posts
  • Gender:Male
  • Location:West Tennessee

Posted 05 August 2007 - 09:26 AM

Quote Papakid:
" Just for everyone's information, Smitfraud.C is Spybot S&D's name for a type of Vundo/Conhook infection. I wish they would call it something else because it is confusing. Smitfraud is a generic description of any application/trojan that hijacks the desktop to give fake warnings that you are infected or have errors and need to download their program to fix it, only telling you later you have to pay for the fix. Vundo is associated with the rogue app Winfixer, among others, but it is a completely different infection from what is more commonly known as Smitfraud and SmitfraudFix is not designed to fix it."

If the Vundofix as suggested by Budapest doesn't fix your problem, use Super Antispyware. Let us know the results please.

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” (Lawrence M. Krauss)
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#4 grendelvamp
  • Topic Starter
  • Members
  • 78 posts

Posted 05 August 2007 - 03:42 PM

I followed the instructions that you posted Budapest, but Spybot is still showing that Smitfraud C. is still on my computer as well as Virtumonde. Next, I am going to run SuperAntiSpyware and post my results. Any other suggestions on how to remove it?

#5 oldf@rt
  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 05 August 2007 - 04:22 PM

Do your SUPERAntiSpyware scan in safe mode; please be sure to run a full scan.
Post a log back here so we can see what SAS found and removed, please.
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#6 grendelvamp
  • Topic Starter
  • Members
  • 78 posts

Posted 05 August 2007 - 05:33 PM

Hi there,

Here is my SAS log, whew, it found a lot of junk.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/05/2007 at 04:45 PM

Application Version : 3.9.1008

Core Rules Database Version : 3279
Trace Rules Database Version: 1290

Scan type : Complete Scan
Total Scan Time : 00:56:59

Memory items scanned : 168
Memory threats detected : 0
Registry items scanned : 6188
Registry threats detected : 24
File items scanned : 35420
File threats detected : 55

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{57F4D784-BC82-497D-B880-EC846A78C610}
HKCR\CLSID\{57F4D784-BC82-497D-B880-EC846A78C610}
HKCR\CLSID\{57F4D784-BC82-497D-B880-EC846A78C610}
HKCR\CLSID\{57F4D784-BC82-497D-B880-EC846A78C610}\InProcServer32
HKCR\CLSID\{57F4D784-BC82-497D-B880-EC846A78C610}\InProcServer32#ThreadingModel
C:\PROGRAM FILES\COMMON FILES\MEVOZ83122.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F4D784-BC82-497D-B880-EC846A78C610}

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A4CD1E53-45A5-41A1-9A64-A5B0FEDD9DB5}
HKCR\CLSID\{A4CD1E53-45A5-41A1-9A64-A5B0FEDD9DB5}
HKCR\CLSID\{A4CD1E53-45A5-41A1-9A64-A5B0FEDD9DB5}\InprocServer32
HKCR\CLSID\{A4CD1E53-45A5-41A1-9A64-A5B0FEDD9DB5}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKKLM.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4CD1E53-45A5-41A1-9A64-A5B0FEDD9DB5}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{F4002052-AB29-4B33-8C8D-0E99084564EC}
C:\DOCUMENTS AND SETTINGS\GUEST\LOCAL SETTINGS\TEMP\RAXHMDHU.DLL
C:\VUNDOFIX BACKUPS\PPKFWSQJ.DLL.BAD

Trojan.Rootkit-TnCore
HKLM\System\ControlSet001\Services\core
C:\WINDOWS\SYSTEM32\DRIVERS\CORE.SYS
HKLM\System\ControlSet003\Services\core
HKLM\System\CurrentControlSet\Services\core

Adware.Tracking Cookie
C:\Documents and Settings\Lord Corey\Cookies\lord corey@msnportal.112.2o7[1].txt
C:\Documents and Settings\Lord Corey\Cookies\lord corey@cpvfeed[3].txt
C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[2].txt
C:\Documents and Settings\Guest\Cookies\guest@ads.k8l[1].txt
C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
C:\Documents and Settings\Guest\Cookies\guest@buzznet.112.2o7[1].txt
C:\Documents and Settings\Guest\Cookies\guest@cpvfeed[2].txt
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
C:\Documents and Settings\Guest\Cookies\guest@drivecleaner[2].txt
C:\Documents and Settings\Guest\Cookies\guest@ehg-maniatv.hitbox[1].txt
C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt
C:\Documents and Settings\Guest\Cookies\guest@revsci[2].txt
C:\Documents and Settings\Guest\Cookies\guest@stats1.reliablestats[1].txt
C:\Documents and Settings\Guest\Cookies\guest@statse.webtrendslive[2].txt
C:\Documents and Settings\Guest\Cookies\guest@toplist[1].txt
C:\Documents and Settings\Guest\Cookies\guest@winantivirus[2].txt
C:\Documents and Settings\Lord Corey\Cookies\lord corey@cpvfeed[2].txt
C:\Documents and Settings\Lord Corey\Local Settings\Temp\Cookies\lord corey@empornium[1].txt

Adware.WhenU
C:\Program Files\Save\store.db
C:\Program Files\Save

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion

Trojan.Downloader-Gen/WinPop
C:\Program Files\WinPop

Adware.RAC
C:\DOCUMENTS AND SETTINGS\GUEST\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\W5IBWPUF\83122[1].EXE
C:\DOCUMENTS AND SETTINGS\LORD COREY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\QXCVI9OJ\83122[1].EXE

Trojan.ZQuest-Installer
C:\DOCUMENTS AND SETTINGS\LORD COREY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\E596J69W\TK58[1].EXE

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\POOLSV\YAZZLEBUNDLE-1549.EXE

Trojan.Downloader-Gen/Blah
C:\VUNDOFIX BACKUPS\IIFCYVW.DLL.BAD
C:\VUNDOFIX BACKUPS\TUVWUTS.DLL.BAD

Trojan.Downloader-Gen/Installer
C:\WINDOWS\B104.EXE
C:\WINDOWS\B122.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\index[1].htm
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\W5IBWPUF\CA0XQB8H.htm
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\SHMNGXAR\test[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\ETM345QF\top1_menu[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\ETM345QF\checksoft[1].js
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\ETM345QF\CAEJWX2H.js
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\ETM345QF\top1[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\W5IBWPUF\styles[1].css
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\W5IBWPUF\logo[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\arrow[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\SHMNGXAR\ico2[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\W5IBWPUF\ico1[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\CA2NQB2H.gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\top_pic2[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\banner3[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\ETM345QF\CAXNZX48.gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\ETM345QF\wav_banner[1].swf
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\728x90-warning-2buttons-v1-a-s-en[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\ETM345QF\download2[1].htm
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\button2[1].gif
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\SHMNGXAR\728x90-warning-v2-f-s-en[1].gif
I ran Spybot again, just cuz, and they are both still showing up on the scan. I'll be awaiting your response, and thanks for taking the time.
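The log above is the raw output SAS writes; when reading one of these it helps to separate plain file hits (cookies, cached pages) from registry entries that are actual load points, because those are what get the infection running again after a reboot or browser start. The following is an added example, not part of the thread and not SUPERAntiSpyware's own tooling: a small Python parser for the log format posted above. The sample input is an excerpt of the entries from this thread; the "mechanism" labels (browser_helper_object, shell_execute_hook, service_or_driver, com_inproc_server) are my own names for the registry locations, not SAS terminology.

```python
import re
from collections import OrderedDict

# Excerpt of the SUPERAntiSpyware log posted in the thread (entries copied from the page,
# trimmed to a few per category so the example runs offline).
SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/05/2007 at 04:45 PM

Application Version : 3.9.1008

Registry items scanned : 6188
Registry threats detected : 24
File items scanned : 35420
File threats detected : 55

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{57F4D784-BC82-497D-B880-EC846A78C610}
HKCR\CLSID\{57F4D784-BC82-497D-B880-EC846A78C610}\InProcServer32
C:\PROGRAM FILES\COMMON FILES\MEVOZ83122.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F4D784-BC82-497D-B880-EC846A78C610}

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A4CD1E53-45A5-41A1-9A64-A5B0FEDD9DB5}
C:\WINDOWS\SYSTEM32\JKKLM.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4CD1E53-45A5-41A1-9A64-A5B0FEDD9DB5}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{F4002052-AB29-4B33-8C8D-0E99084564EC}

Trojan.Rootkit-TnCore
HKLM\System\ControlSet001\Services\core
C:\WINDOWS\SYSTEM32\DRIVERS\CORE.SYS
HKLM\System\CurrentControlSet\Services\core

Adware.Tracking Cookie
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
C:\Documents and Settings\Guest\Cookies\guest@winantivirus[2].txt
"""

REG_RE = re.compile(r"^(HKLM|HKCR|HKCU|HKU|HKEY_[A-Z_]+)\\", re.I)   # registry entry
FILE_RE = re.compile(r"^[A-Za-z]:\\")                                 # file-system entry
HEADER_RE = re.compile(r"^([A-Za-z]+(?: [A-Za-z]+)+?)\s*:\s*(.+)$")   # "Key : value" header lines

# Registry locations that cause a component to be loaded at boot, logon or browser start.
# Labels are my own (hypothetical) names, not SUPERAntiSpyware's.
PERSISTENCE_RULES = [
    ("browser_helper_object", re.compile(r"\\Explorer\\Browser Helper Objects\\", re.I)),
    ("shell_execute_hook",    re.compile(r"\\Explorer\\ShellExecuteHooks", re.I)),
    ("service_or_driver",     re.compile(r"\\System\\(CurrentControlSet|ControlSet\d+)\\Services\\", re.I)),
    ("com_inproc_server",     re.compile(r"\\CLSID\\\{[0-9A-F-]+\}\\InProcServer32", re.I)),
]
CLSID_RE = re.compile(r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.I)


def is_entry(line):
    return bool(REG_RE.match(line) or FILE_RE.match(line))


def parse_sas_log(text):
    """Return (header, detections): header maps 'Key' -> value string; detections maps each
    threat category (in log order) to the registry keys and paths listed under it."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    header, detections, category = {}, OrderedDict(), None
    for i, line in enumerate(lines):
        if not line:
            continue
        if is_entry(line):
            if category is None:
                raise ValueError("detection entry before any category: " + line)
            detections[category].append(line)
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if is_entry(nxt):                 # a category line is directly followed by its entries
            category = line
            detections.setdefault(category, [])
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1).strip()] = m.group(2).strip()
    return header, detections


def kind_counts(entries):
    """Count registry versus file-system entries in one category."""
    reg = sum(1 for e in entries if REG_RE.match(e))
    return {"registry": reg, "file": len(entries) - reg}


def persistence_findings(detections):
    """List (category, mechanism, entry) for every registry entry that is a load point."""
    out = []
    for category, entries in detections.items():
        for e in entries:
            for mech, rx in PERSISTENCE_RULES:
                if rx.search(e):
                    out.append((category, mech, e))
                    break
    return out


def bho_clsids(detections):
    """CLSIDs registered as Browser Helper Objects, i.e. DLLs Internet Explorer loads at start."""
    return sorted({CLSID_RE.search(e).group(0).upper()
                   for _, mech, e in persistence_findings(detections)
                   if mech == "browser_helper_object"})


if __name__ == "__main__":
    hdr, det = parse_sas_log(SAMPLE_LOG)
    print("registry threats per log header:", hdr.get("Registry threats detected"))
    for cat, entries in det.items():
        print(cat, kind_counts(entries))
    for cat, mech, e in persistence_findings(det):
        print(f"[{mech}] {cat}: {e}")
    print("BHO CLSIDs:", bho_clsids(det))
```

Run on the excerpt, the parser reports the cookie category as file-only, while the Vundo and rootkit categories each carry at least one load point (a BHO registration and a ShellExecuteHooks entry for Vundo, a kernel service named "core" in two control sets for the rootkit). That distinction is why the replies in this thread insist on a fresh scan and a HijackThis log after cleanup: leftover load points, not leftover cookies, are what bring an infection back.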

#7 buddy215
  • Moderator
  • 13,508 posts
  • Gender:Male
  • Location:West Tennessee

Posted 05 August 2007 - 06:00 PM

Looks like SAS removed a lot of malware. Run the online scan for Bit Defender then post a Hijack This log in the Hijack This Forum. Scroll down to #9 in the link below for the download link for HJT. DO NOT post the log in this forum.
Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#8 grendelvamp
  • Topic Starter
  • Members
  • 78 posts

Posted 05 August 2007 - 07:17 PM

Hello

Should I have deleted/removed the things that SAS quarantined? I didn't do anything to them from the "manage quarantine" option.

Bit Defender is running right now, I will post the HJT log here as soon as it's finished.

#9 buddy215
  • Moderator
  • 13,508 posts
  • Gender:Male
  • Location:West Tennessee

Posted 05 August 2007 - 07:22 PM

Yes, of course. Bit Defender is probably going to find some of the same things. You will need to rerun the scans for SAS and Bit Defender.
Sorry I misread your last post to mean you didn't quarantine the items SAS found. You can delete those and no need to rerun the scans.

Edited by buddy215, 05 August 2007 - 07:41 PM.


#10 grendelvamp
  • Topic Starter
  • Members
  • 78 posts

Posted 05 August 2007 - 09:59 PM

Okay buddy, or whoever is watching, I've posted my HJT log in that forum after rescanning with SAS and Bitdefender. Thank you for your continued help on this matter. I'll be awaiting your response.

#11 oldf@rt
  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 05 August 2007 - 10:07 PM

Great, thanks for listening to us.

Now that you have an open HJT log posted in the HijackThis Logs and Analysis forum, you shouldn't make any changes to your system.
Doing so could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

#12 grendelvamp
  • Topic Starter
  • Members
  • 78 posts

Posted 05 August 2007 - 10:28 PM

Hey guys, I really appreciate your help. Thanks for taking the time to guide me through all of this. Take it easy.