Smitfraud.c infection-need help in Safe mode


5 replies to this topic

#1 chriswalton


Posted 13 July 2005 - 06:49 AM

I am trying to deal with a Smitfraud.c infection on a home PC running Windows XP. I have read and printed the materials posted on this forum and the forum for HijackThis log submissions but need some basic help getting started with the solutions. I can get to Safe mode (either basic, with networking or with commands - presumably it should be with commands?) but don't know how to operate in Safe mode to download and run Spybot, Ad-aware and HijackThis, or to carry out other basic commands (I am posting this from my office computer). I have not been able to run my McAfee Security Center/Viruscan program from basic Safe mode using the Windows Task Manager either (or run much of anything else from basic Safe mode). I am getting Spybot, Ad-aware and HJT burned onto a CD and will try to install and run them from the CD, which may work, but can someone help get me started? Many thanks and apologies for the (hopefully) simple questions.


#2 stidyup


Posted 13 July 2005 - 07:04 AM

Try running Sysclean; you'll also need the virus template file from here: lpt***.zip

or

DrWeb CureIT

If you're good with the command line, also try Sophos Command Line scanner

Once you've installed spybot/adaware you'll need to do this from windows as you can't install any program from safe mode in XP.

Do the following:

For users of Win2K/XP run adaware/spybot from "safe mode with command prompt"

At the C:\ prompt type the following:-

cd\
C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofix
cd\
C:\progra~1\lavasoft\ad-awa~1\ad-aware.exe

Alternatively download the ultimate BootCD 4 Windows which will allow spybot to run from the PE environment. Download Spybot Plugin Forum post about plugin

Edited by stidyup, 13 July 2005 - 07:10 AM.


#3 chriswalton


Posted 14 July 2005 - 07:36 AM

Many thanks for this. Here is a synopsis of my relatively futile attempts so far:

1. From my Windows blue screen with the smitfraud.c security warning, using the windows task manager, I installed from a CD spybotsd14.exe (spybot), aawsepersonal.exe (ad-aware se personal), cleanup40.exe (cleanup!) and a trial version of ewido security suite, ewido-setup.exe. I also tried to install spywareblastersetup34.exe but got a message that "C:\Windows\Sys32\MSINET.OCX Unable to register the DLL|OCX: LoadLibrary failed; code 998 Invalid access to memory location" after which I aborted. I tried to install, and believe I did install, drweb-432b-win-en.exe, but it would not run fully because the license key file was not found, and I got a message to that effect when trying to run it. I have since figured out that this was probably the wrong DrWeb file (not the drweb-cureit.exe file I should have had), so I am planning to try again tonight with the correct drweb-cureit.exe file. Out of frustration or ignorance I probably installed or re-installed spybot, ad-aware, cleanup, ewido and the (incorrect) drweb programs several times, both from windows blue screen and from safe mode - if I should uninstall and/or reinstall any of those please let me know.

2. I was not able to run either spybot, ad-aware or cleanup!4.0 from safe mode with command prompt. I believe that all attempts gave me the same error message "The application failed to initialize properly (0xc0000005). Click on OK to terminate the application". That is the same error message that I get when I try to boot up Windows in regular mode, under the title "Explorer.EXE Application Error", just before the screen goes to blue with the Smitfraud.c security warning.

3. I was able to run ewido security suite from safe mode, and ewido found and cleaned 1827 infected objects. I have a log of that scan if it would be helpful, but it looked like a whole lot of spyware. I tried spybot, ad-aware and cleanup! again after this successful ewido scan, but those programs still would not initialize properly.

4. I tried to run sysclean.com (from trendmicro) but was not able to get it to run, although looking back I believe that I may have tried only from windows and not from safe mode. I will try again from safe mode. I have separately downloaded the virus template file (lpt***.zip), but do I need to do anything in particular with that file, or will the sysclean.com program find it on my C:\ or D:\ drive if it needs it?

5. I don't think I was able to do anything effective with Sophos command line scanner - is it right that I would only use that once I have the names of particular files/programs that I am having trouble deleting (i.e., after another program identifies hard-to-delete files)? I have downloaded a trial version of Sophos anti-virus software (savxp50sasfx.exe) that I can try to run tonight if that would be helpful.

6. I can also try to run hijackthis, which I now have on a CD, and get a log, although I don't know if it will run or if it is too early for that. The ultimate bootCD 4 Windows looks a bit scary to me as a novice, so I have not headed down that path thus far.

thanks in advance for any help

#4 chriswalton


Posted 15 July 2005 - 05:59 AM

I have been able to run ewido, DrWeb-Cure it and the Sophos command line cleaner, and have now posted a HijackThis log in the HijackThis logs and analysis forum rather than here - from what I have seen on this website I believe this is the right procedure to follow. Any help with the HJT log would be welcome.

#5 rmm55


Posted 15 July 2005 - 10:43 AM

In dealing with the Smitfraud nasty, usually wininet.dll gets infected and must be replaced with a fresh clean version. You can download it from here http://www.dll-files.com/dllindex/dll-files.shtml?wininet. Put the fresh copy in the system32 directory and then rename the original to wininet.old. Restart the computer.
Roy Mel - YourTechOnline technician
roy@no_spam_yourtechonline.com (remove no_spam_)

#6 tg1911


Posted 15 July 2005 - 11:11 AM

Once you have posted a HJT log, do not make any more changes to your computer until contacted by a member of the HJT Team.
Any changes you make could affect your posted HJT log.

NOTE:
Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.
