TechSpot

Argh! Murder My Smitfraud

By Eaterlover
Jun 24, 2008
Topic Status:
Not open for further replies.
  1. I surfed onto a very bad website two days ago and ended up with a variation of the smitfraud virus on my machine. I have eTrust Anti-Virus on my machine since it is a work computer and I immediately started manually deleting the files that the eTrust labeled as dangerous. Most of these files were located at c:\WINDOWS\DRIVERS\WIN32.

    I've been trying to find a cure on several forums, so my attempted fix chronology does not follow topic58138 :(, I hope this won't be too much of an issue.

    I installed AVG Anti-Virus, but it failed to delete many of the labeled, pernicious files.

    I found the Smitfraudfix.exe (via SiRi) first and I executed this file from safe mode. I have also attached the log from this attempt. Everything seemed to go smoothly.

    Next, I read about Combofix.exe and I executed this file from safe mode, and it seemed to go well too.

    However, my computer startup is significantly slower than before my virus infection and I suspect that there might be a few things I am missing. I have attached the HJT log file from my most recent scan.

    Can anyone tell me if my problems are truly fixed, and what my next steps should be?

    Thank you so much ahead of time.
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Hi Eaterlover,

    Welcome to Techspot!

    My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

    Still quite a bit on there!!!!

    --------------------------------------------------------------------------

    Please only use 1 anti-virus - either uninstall AVG or uninstall eTrust


    --------------------------------------------------------------------------

    What does this mean to you? I don't want to suggest removing things that you use for your work.

    Computer Sciences Corporation
    3170 Fairview Park Drive M/C 700
    Falls Church, VA 22042 US
    ------------------------------

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    ---------------------------------------------------------------

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here



    After both of those, run a fresh HijackThis for me.

    Attach here:
    1) mbam log
    2) Report.txt
    3) Fresh Hijackthis
     
  3. Eaterlover

    Eaterlover TS Rookie Topic Starter

    Thank you!

    Hi Blind Dragon, thanks for helping me out.

    Yes, the below section is part of my corporate computer:

    Computer Sciences Corporation
    3170 Fairview Park Drive M/C 700
    Falls Church, VA 22042 US
    ------------------------------

    I am going to uninstall AVG and try your instructions step by step.

    Thanks again!
     
  4. Eaterlover

    Eaterlover TS Rookie Topic Starter

    Some results

    I was able to follow all of your steps Blind Dragon.

    First, I uninstalled AVG from my computer.

    I installed the Malwarebytes' fix and ran it successfully. However, upon restart, the desktop refused to appear and I had to hard-reboot the machine.

    I installed the SDFix next and it ran successfully. I have attached all the reports from these installs, can you let me know the next steps forward?

    Thank you!
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

  6. Eaterlover

    Eaterlover TS Rookie Topic Starter

    Hmmm, no XP disk

    Blind Dragon,

    I don't have an XP disk to restart the computer with, is there another option to this? I performed the Avira scan and I have attached the logs below.

    Thank you!
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Were you able to quarantine the registry entry that it found?
     
  8. Eaterlover

    Eaterlover TS Rookie Topic Starter

    HKEY_LOCAL_MACHINE\Software\DeterministicNetworks\DNE\Parameters -> symboliclinkvalue

    I was not able to quarantine this item with Avira (the option was grayed out). Is there another way to do this?

    Thanks!
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Well, I wanted to test how the system would react with the file quarantined, to see what exactly it belonged to - but after talking with a friend -

    Cisco's VPN Client is responsible for inserting this hidden registry value.

    So we should be safe there seeing that you use this software. Apparently it is a known problem, that it is detected as a rootkit, and it is listed in the FAQ on Cisco's site.

    ----------------------------------------------------------------------

    Let's do an online scan and go from there.

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    -----------------------------------

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  10. Eaterlover

    Eaterlover TS Rookie Topic Starter

    Stuck again

    My IE is crap, I'm not sure when it happened, but I think it happened around the time of getting infected by smitfraud. I can seem to get the browser to go anywhere even though I have downloaded and installed V 7 twice. :( I'm not sure how to get around this here.

    I was however, able to run the first steps and used ATF to clean out everything.

    Thanks again!
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Well, let's take a look: you can launch IE but have problems connecting to sites?

    Open Notepad and copy and paste the following into it:

    rem Export the IE "Control Panel" policy key that HijackThis reports as "O6 ... present".
    rem The word "present" is HijackThis wording, not part of the key name; leave it out of the path.
    regedit /e peek.txt "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel"
    rem regedit writes a Unicode .reg file; "type" converts it so Notepad shows it as plain text.
    rem If the key does not exist, regedit creates no file and Notepad will open empty.
    type peek.txt >> look.txt
    del peek.txt
    start notepad look.txt


    Save this as look.bat (choose "All Files" as the save-as type) and place it on your desktop.

    Double-click look.bat
    Notepad will open with some text in it. Copy and paste the contents in your next reply.
     
     
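    Editor's note, added here and not part of any post in this thread: look.bat only exports the key; reading the resulting peek.txt/look.txt by eye is error-prone. The script below parses a regedit /e export (UTF-16LE with a BOM on Windows XP, or the older ANSI REGEDIT4 format) and reports which DWORD restrictions are set under the IE "Control Panel" policy key that the O6 line refers to. It also covers the failure mode seen in the next post: regedit /e writes no file at all when the key does not exist, so a blank look.txt means "no such key", not "no restrictions". The sample export is constructed for this example; the value names HomePage, Proxy and "Connection Settings" are real restriction values under that key, but the sample contents are invented.

```python
"""Parse a regedit /e export and list IE "Control Panel" policy restrictions.

Added example (not from the thread or from any tool named in it).
"""
import os
import re

IE_CONTROL_PANEL_KEY = (
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
)

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                       # [key] or [-key] (deletion)
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')       # "name"=data or @=data


def _unescape(s):
    """Undo the two escapes .reg files use inside quoted strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _parse_data(raw):
    """Decode one .reg value: quoted string, dword:XXXXXXXX, or hex(...) blob."""
    if raw.startswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):
        hexpart = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in hexpart.split(",") if b.strip())
    return raw  # unknown type: keep the literal text


def parse_reg_export(data):
    """Return {key_path: {value_name: value}} for a .reg export given as bytes."""
    # regedit on XP writes UTF-16LE with a BOM; REGEDIT4 files are ANSI.
    text = data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("cp1252")
    # Join hex continuation lines (a trailing backslash means "continues below").
    lines = []
    for line in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line)
    tree = {}
    current = None
    for line in lines:
        line = line.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2)
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            tree[current][name] = _parse_data(m.group(2).strip())
    return tree


def read_reg_export(path):
    """Return the parsed export, or None when regedit wrote no file.

    regedit /e creates no output file when the requested key does not exist;
    that is what an empty look.txt (blank Notepad) means.
    """
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return parse_reg_export(fh.read())


def ie_control_panel_restrictions(tree):
    """Return the non-zero DWORD restrictions set under the IE Control Panel policy key."""
    values = tree.get(IE_CONTROL_PANEL_KEY, {})
    return {name: v for name, v in values.items() if isinstance(v, int) and v != 0}


# Constructed sample: what peek.txt could look like on a machine where the
# O6 entry is real. Contents are invented for this example.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[" + IE_CONTROL_PANEL_KEY + "]\r\n"
    '"HomePage"=dword:00000001\r\n'
    '"Proxy"=dword:00000001\r\n'
    '"Connection Settings"=dword:00000000\r\n'
    + r'"LastPath"="C:\\WINDOWS\\system32"' + "\r\n"
)
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_EXPORT.encode("utf-16-le")

if __name__ == "__main__":
    found = ie_control_panel_restrictions(parse_reg_export(SAMPLE_BYTES))
    for name, val in sorted(found.items()):
        print(f"restriction set: {name} = {val}")
    print("missing export:", read_reg_export("does-not-exist-peek.txt"))
```

    On the affected machine you would run it against the peek.txt that look.bat exports (before the `del peek.txt` line), or simply against a manual `regedit /e` of the same key; a None result means the O6 key is not there and there is nothing for HijackThis to fix.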
  12. Eaterlover

    Eaterlover TS Rookie Topic Starter

    Look.bat

    Hmmm, I tried this step and Notepad keeps coming back blank with no text?

    Do you have a suggestion on what I might be doing wrong?

    Thanks!
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Please attach a new Hijackthis
     
  14. Eaterlover

    Eaterlover TS Rookie Topic Starter

    New HJT file

    Thanks Blind Dragon!
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Ok, I was missing some things for some reason, maybe trying to do too many logs. You may want to copy down the files I ask you to look for and delete while in safe mode.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: (no name) - {41045A8E-B676-4141-B9BC-F620E7147A9A} - C:\WINDOWS\system32\byXnNExW.dll (file missing)
    O2 - BHO: (no name) - {EAF3F6AE-7ABB-4A9E-A462-330081EE6083} - C:\WINDOWS\system32\efcCvVlk.dll (file missing)
    O4 - HKLM\..\Run: [lphc9naj0e1ct] C:\WINDOWS\system32\lphc9naj0e1ct.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Viewpoint Manager Service

    Please note any other programs that you don't recognize in that list in your next response.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\system32\lphc9naj0e1ct.exe
    C:\WINDOWS\system32\efcCvVlk.dll
    C:\WINDOWS\system32\byXnNExW.dll


    After that, Reboot, and post a new HijackThis log here in a reply

    ------------------------------------------------------------------------

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install go to Start-> Control Panel-> Add/Remove Programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder

    ------------------------------------------------------------------------------
     
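    Editor's note, added here and not part of any post in this thread: the HijackThis lines checked above each stand for a specific registry location, and the fix HijackThis applies is just a registry edit; the file deletion in safe mode is a separate step. The script below parses O2 (BHO), O4 (Run key) and O6 (IE Control Panel policy) lines into the registry key they describe, emits the equivalent reg.exe command, and separates files HijackThis already reports as "(file missing)" from files it says are present. The sample lines are the five quoted in the post above; the key mappings are the standard ones for these entry types, and everything else (the plan structure, the reg.exe strings) is this example's own.

```python
"""Translate HijackThis O2/O4/O6 lines into registry locations and a removal plan.

Added example (not from the thread or from HijackThis itself).
"""
import re

BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}
IE_POLICY_KEY = r"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel"

# O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4 - HKLM\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6_RE = re.compile(r"^O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel present$")


def parse_hjt_line(line):
    """Return a dict describing one HijackThis line, or None for types not handled here."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        key = BHO_KEY + "\\" + m.group("clsid")   # the BHO registration itself
        return {"type": "O2", "registry": key, "file": m.group("path"),
                "file_missing": bool(m.group("missing")),
                "fix": f'reg delete "{key}" /f'}
    m = O4_RE.match(line)
    if m:
        key = RUN_KEYS[m.group("hive")]           # autostart value under Run
        return {"type": "O4", "registry": key, "file": m.group("cmd"),
                "file_missing": False,
                "fix": f'reg delete "{key}" /v "{m.group("name")}" /f'}
    m = O6_RE.match(line)
    if m:                                         # policy key exists; no file involved
        return {"type": "O6", "registry": IE_POLICY_KEY, "file": None,
                "file_missing": False, "fix": f'reg delete "{IE_POLICY_KEY}" /f'}
    return None


def removal_plan(lines):
    """Split parsed entries into registry fixes, files to delete, and already-gone files."""
    entries = [e for e in (parse_hjt_line(l) for l in lines) if e]
    return {
        "registry_fixes": [e["fix"] for e in entries],
        # O4 commands are taken as-is; in this sample they are bare paths.
        "files_to_delete": sorted({e["file"] for e in entries if e["file"] and not e["file_missing"]}),
        "files_reported_missing": sorted({e["file"] for e in entries if e["file_missing"]}),
        "unparsed": [l for l in lines if parse_hjt_line(l) is None],
    }


# The five lines quoted in the post above.
SAMPLE_LINES = [
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)",
    r"O2 - BHO: (no name) - {41045A8E-B676-4141-B9BC-F620E7147A9A} - C:\WINDOWS\system32\byXnNExW.dll (file missing)",
    r"O2 - BHO: (no name) - {EAF3F6AE-7ABB-4A9E-A462-330081EE6083} - C:\WINDOWS\system32\efcCvVlk.dll (file missing)",
    r"O4 - HKLM\..\Run: [lphc9naj0e1ct] C:\WINDOWS\system32\lphc9naj0e1ct.exe",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present",
]

if __name__ == "__main__":
    plan = removal_plan(SAMPLE_LINES)
    for section, items in plan.items():
        print(section)
        for item in items:
            print("   ", item)
```

    The three "(file missing)" BHOs are orphaned registrations (the DLL is gone but the CLSID is still listed under Browser Helper Objects), which is why "Fix checked" alone is enough for them; the O4 entry is the only one whose file still has to be deleted in safe mode after the Run value is removed.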
  16. Eaterlover

    Eaterlover TS Rookie Topic Starter

    I did everything as followed and here is my new HJT Log.

    Thanks again! (I hope for a clean bill of health this time :)
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Good!

    Can you use IE now? If so, please run the Kaspersky scanner and attach the log.
     
  18. Eaterlover

    Eaterlover TS Rookie Topic Starter

    My IE

    My IE still refuses to work. Even though the IE install seems to be fine, when I open the browser, it goes to a microsoft.com link and then freezes. I'm not sure how to fix this problem :(

    Thanks Blind Dragon
     
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Your Java still appears way out of date.
     
  20. Eaterlover

    Eaterlover TS Rookie Topic Starter

    IE problem

    Blind Dragon,

    I've updated to the latest version of Java from java.com, but my IE still appears to freeze once I open it. Any other thoughts?

    Thank you!
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Hi,

    I am not familiar with your firewall - BlackICE - make sure IE is set as an allowed program.

    When you launch IE, can you click on the Tools menu, or does it lock up and not let you click anything?
     