
Smitfraud


38 replies to this topic

#1 brenmel123


Posted 30 January 2008 - 12:47 PM

I have been trying to remove this malware that I have on my computer. I have tried PcTools Spydoctor, Adaware 2007, Spybot. It keeps popping up again and again. I recently got a new program that found a lot more, but then wouldn't remove it unless I paid to register it. Spyhunter is what it is. I NEED HELP! Been working on this for 5-6 days!
Thanks!


#2 Orange Blossom


Posted 31 January 2008 - 12:55 AM

Hello brenmel123 and welcome to BC :flowers:

For now I would suggest scanning with SUPERAntiSpyware Free in safe mode. Download and install SUPERAntiSpyware free found here: http://www.superantispyware.com/superantis...efreevspro.html

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your next reply. Also, please tell us what operating system you have: Windows XP, Vista etc.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 brenmel123


Posted 31 January 2008 - 11:26 AM

Here is the log.
I am using Windows XP.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/31/2008 at 11:15 AM

Application Version : 3.9.1008

Core Rules Database Version : 3392
Trace Rules Database Version: 1384

Scan type : Complete Scan
Total Scan Time : 02:51:34

Memory items scanned : 758
Memory threats detected : 0
Registry items scanned : 10754
Registry threats detected : 10
File items scanned : 119683
File threats detected : 3

Adware.SXGAdvisor
HKLM\Software\Classes\CLSID\{DDBDB732-01E7-4B56-A995-6AD36DF1E32B}
HKCR\CLSID\{DDBDB732-01E7-4B56-A995-6AD36DF1E32B}
HKCR\CLSID\{DDBDB732-01E7-4B56-A995-6AD36DF1E32B}
HKCR\CLSID\{DDBDB732-01E7-4B56-A995-6AD36DF1E32B}\InprocServer32
HKCR\CLSID\{DDBDB732-01E7-4B56-A995-6AD36DF1E32B}\InprocServer32#ThreadingModel
HKCR\CLSID\{DDBDB732-01E7-4B56-A995-6AD36DF1E32B}\ProgID
HKCR\CLSID\{DDBDB732-01E7-4B56-A995-6AD36DF1E32B}\Programmable
HKCR\CLSID\{DDBDB732-01E7-4B56-A995-6AD36DF1E32B}\TypeLib
HKCR\CLSID\{DDBDB732-01E7-4B56-A995-6AD36DF1E32B}\VersionIndependentProgID
C:\WINDOWS\DPVTPORSDQ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DDBDB732-01E7-4B56-A995-6AD36DF1E32B}

Adware.Tracking Cookie
C:\Documents and Settings\Brent Melvin\Cookies\brent_melvin@rambler[1].txt
C:\Documents and Settings\Brent Melvin\Cookies\brent_melvin@ads.techguy[1].txt

#4 brenmel123


Posted 31 January 2008 - 02:40 PM

I don't know if this worked. Am I supposed to send you a log of what happened?

#5 quietman7


Posted 31 January 2008 - 02:48 PM

Did BitDefender find/remove anything?
Are you getting any more alerts about smitfraud or other malware?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 brenmel123


Posted 31 January 2008 - 03:16 PM

BitDefender is finishing up now. It says it has found viruses and my computer may be affected. I have not run anything else, yet.

#7 quietman7


Posted 31 January 2008 - 03:23 PM

You can post the BD scan results or let us know what it finds which cannot be removed/fixed. Normally BD does a good job of cleaning what it finds.

#8 brenmel123


Posted 31 January 2008 - 04:36 PM

How do I get the report from BitDefender?
:thumbsup:

#9 brenmel123


Posted 31 January 2008 - 04:43 PM

Also, do you have a suggestion on what I need to have running to avoid this in the future? I have Spybot, Ad-aware, SpyDoctor, and Norton. Any better? Which should I use, or use all?
Thanks again!

#10 quietman7


Posted 31 January 2008 - 05:52 PM

I will give you some prevention tips when done.

How is your computer running?
Any more signs of malware?

#11 brenmel123


Posted 31 January 2008 - 06:06 PM

BD has found 10 infections and did not delete all. I closed it out and cannot figure out how to get the log. I just ran it again and it has 2 Trojans that it found, Zlob.ABIO. But I cannot cut and paste it. It is in a directory c:/recyclers.
It tried to update it and says 'update failed'.

#12 quietman7


Posted 31 January 2008 - 07:34 PM

Please download SDFix by AndyManchesta and save it to your desktop.
alternate zipped version
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • Disconnect from the Internet before running SDFix.
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save a copy into the SDFix folder as Report.txt.
  • Copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


#13 brenmel123


Posted 31 January 2008 - 08:20 PM

Ok, here is what I have.

SDFix: Version 1.134

Run by Administrator on Thu 01/31/2008 at 08:02 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted





Removing Temp Files...

ADS Check:




Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 20:09:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2C1D5B43-49AC-05F6-7F0A-B429BA424AEE}]
"oaeaahgeaalgeacidchgcihjeibnoa"=hex:63,61,65,6b,6d,6d,00,7c
"oainikgjefnmcefhdbielonppkpnnm"=hex:6a,61,64,6b,67,6d,6b,6b,65,6a,66,66,6a,67,6a,66,6e,61,63,68,00,..
"nacakefeiioieifafboccibimdel"=hex:6a,61,64,6b,6f,6d,63,67,65,6b,64,62,6d,63,6f,6c,69,68,65,67,00,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E5638F1D-A74B-58FB-D01D-5941C47B6E0C}]
"oajjbokldajgcpgphcdpcdbdhaocnn"=hex:63,61,6a,70,70,6c,00,7c
"oafebnlapekhgnpjdaepnnnjkaapba"=hex:6a,61,65,70,6f,6c,65,61,66,70,6d,6d,62,68,69,68,66,69,65,61,00,..
"nahddpmhfdjkjplogkcckhjniaoc"=hex:6a,61,6a,70,65,65,69,70,6c,6b,6e,61,64,6d,68,61,63,6b,64,66,00,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 23 Jul 2006 88 A.SHR --- "C:\i386\EBAF4F406A.sys"
Sun 23 Jul 2006 3,766 A.SH. --- "C:\i386\KGyGaAvL.sys"
Fri 25 Jan 2008 120 ..SH. --- "C:\WINDOWS\S5A497426.tmp"
Sun 7 Jan 2007 4 A..H. --- "C:\WINDOWS\uccspecb.sys"
Thu 26 Jul 2007 56 ..SHR --- "C:\WINDOWS\system32\6A404FAFEB.sys"
Sat 29 Jul 2006 88 ..SHR --- "C:\WINDOWS\system32\EBAF4F406A.sys"
Thu 26 Jul 2007 3,766 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 10 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Wed 8 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2.tmp"
Fri 14 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT2.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT3.tmp"
Mon 26 Feb 2007 0 ...H. --- "C:\Documents and Settings\Brent Melvin\Application Data\Microsoft\Word\~WRL1594.tmp"
Fri 24 Aug 2007 4,192 A.SH. --- "C:\Documents and Settings\Brent Melvin\Application Data\Roxio\Dragon\3.x\DiscInfoCache\PHILIPS_DVD+-RW_SDVD8820_AD15_000_DICV018_DRGV9010055.TMP"
Thu 19 Jul 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Brent Melvin\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Brent Melvin\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Brent Melvin\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 18 Apr 2007 8 A..H. --- "C:\Documents and Settings\Brent Melvin\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

Thanks!

#14 quietman7


Posted 31 January 2008 - 10:49 PM

Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

C:\i386\EBAF4F406A.sys
C:\WINDOWS\S5A497426.tmp
C:\WINDOWS\uccspecb.sys
C:\WINDOWS\system32\6A404FAFEB.sys
C:\WINDOWS\system32\EBAF4F406A.sys

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the light blue bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log (the file name is the date/time the tool was run).
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


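Added example, not code from this thread, from SDFix or from OTMoveIt2: a Python parser for the "Files with Hidden Attributes" section of the SDFix report posted above, plus a triage rule (hidden files under the Windows directories, minus a constructed allow-list) that yields the same five paths the helper listed for OTMoveIt2. The report excerpt and the allow-list name are constructed inputs for this example; the rule is an assumption, not the helper's stated criteria.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the SDFix "Files with Hidden Attributes" format used by
# the report in this thread (sample input for this example).
SDFIX_REPORT = r"""
Files with Hidden Attributes:
Sun 23 Jul 2006 88 A.SHR --- "C:\i386\EBAF4F406A.sys"
Sun 23 Jul 2006 3,766 A.SH. --- "C:\i386\KGyGaAvL.sys"
Fri 25 Jan 2008 120 ..SH. --- "C:\WINDOWS\S5A497426.tmp"
Sun 7 Jan 2007 4 A..H. --- "C:\WINDOWS\uccspecb.sys"
Thu 26 Jul 2007 56 ..SHR --- "C:\WINDOWS\system32\6A404FAFEB.sys"
Sat 29 Jul 2006 88 ..SHR --- "C:\WINDOWS\system32\EBAF4F406A.sys"
Thu 26 Jul 2007 3,766 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 10 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Finished!
"""

# One report line: weekday day month year size attrs --- "path"
LINE_RE = re.compile(r'^(\w{3} \d{1,2} \w{3} \d{4}) ([\d,]+) ([A-Z.]{5}) --- "(.+)"$')
# Letters SDFix prints in the attribute column (a dot means "not set").
ATTR_NAMES = {"A": "archive", "S": "system", "H": "hidden", "R": "readonly"}

@dataclass
class HiddenFile:
    date: str
    size: int
    attrs: str
    path: str

    def attributes(self) -> set:
        """Decode a column such as 'A.SHR' into attribute names."""
        return {ATTR_NAMES[c] for c in self.attrs if c in ATTR_NAMES}

def parse_hidden_files(report: str) -> list:
    """Extract every hidden-attribute entry from an SDFix report; other lines are skipped."""
    entries = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, size, attrs, path = m.groups()
            entries.append(HiddenFile(date, int(size.replace(",", "")), attrs, path))
    return entries

# Directories where a hidden, unfamiliar file deserves a second look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\i386\\")
# Constructed allow-list (an assumption for this example): file names the
# helper in this thread did not ask to have moved.
KNOWN_BENIGN = {"kgygaavl.sys"}

def triage(entries: list, allow: set = KNOWN_BENIGN) -> list:
    """Paths of hidden files inside Windows directories that are not allow-listed."""
    flagged = []
    for e in entries:
        name = e.path.lower().rsplit("\\", 1)[-1]
        if e.path.lower().startswith(SYSTEM_DIRS) and name not in allow:
            flagged.append(e.path)
    return flagged
```

The flagged list can be pasted straight into the OTMoveIt2 "Paste List of Files/Folders to be Moved" box, one path per line.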

#15 brenmel123


Posted 01 February 2008 - 04:58 AM

C:\i386\EBAF4F406A.sys moved successfully.
File move failed. C:\WINDOWS\S5A497426.tmp scheduled to be moved on reboot.
C:\WINDOWS\uccspecb.sys moved successfully.
C:\WINDOWS\system32\6A404FAFEB.sys moved successfully.
C:\WINDOWS\system32\EBAF4F406A.sys moved successfully.
File/Folder not found.

OTMoveIt2 v1.0.17 log created on 02012008_044139
:thumbsup:



