Smitfraud Virus also

[rambo1964]

I have the dreaded smitfraud virus and cant sem to get rid of it, please help. After I did everything recomended in the preliminary instrutions and ran ss&d again and it comes up with 6 smitfraud entries.I ran Panda Antirootkit and had no problems, here is my hjt and combo fix file, avg came up with 2 items and I quartine them but I cant seem to make a record of it:

Any help is appreciated.

 

[kimsland]

Download Smitfraud Fix
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Clean:

Reboot your computer in Safe Mode
(before the Windows icon appears, tap the F8 key continually)

Double-click SmitfraudFix.exe

Select 2 and hit Enter to delete infected files.

You will be prompted: Do you want to clean the registry ? answer Y (yes)
and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if you are infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:

To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
----------------------------------------------------

Additional Steps:

(Start -Run)
sc stop Messenger
sc config Messenger start= disabled

Restart

 

[rambo1964]

Thanks for the reply, I had allready ran the Smitfraud fix as per the preliminary removal instrutions from here, with no luck. But I did run it again and followed your Optional and Additional steps but still no luck. Smitfraud fix never finds an infected file. After I rebooted I ran SS&D and still it comes up with 6 Smitfraud .

Can you tell me what to do now?

 

[techflame23]

this may help a little, but i shouldnt think it will get rid of the virus.
It may help delete it though. Anyway there are still some critical entries in your hijack this log that need fixing.

Have hijack this fix the following.

O2-BHO: (no name) - {00000000-0000-4D6D-B3EF-E8E1C825BA45} - C:\Program Files\5ij7nm4e\5ij7nm4e.dll (file missing)

O2-BHO: (no name) - {11888CC9-1A2C-3288-2904-48B60E39F5C2} - C:\WINDOWS\system32\aubfju.dll (file missing)File Missing

O2 - BHO: (no name) - {4B2B4EAB-8A4B-AEB5-4A34-DB2FF795AD93} - C:\WINDOWS\system32\clzt.dll (file missing)

O2-BHO: (no name) - {A72B197D-DE9A-FD39-9E3C-8BBAAD134198} - C:\WINDOWS\system32\vlhjjn.dll (file missing)

O2 - BHO: (no name) - {DE9C8164-1C81-3F20-A4DE-601341AB69C6} - C:\WINDOWS\system32\vohjdkz.dll (file missing)

O2 - BHO: (no name) - {E8BD73D6-3E5C-42AE-82E8-B4FC5225DE40} - C:\Program Files\ClearSearch\ClearSearch.dll (file missing)


O2 - BHO: (no name) - {F5E9BA4A-76FF-040D-8A4C-09C53E0E4497} - C:\WINDOWS\system32\hsm.dll (file missing)

O4-HKLM\..\Run: [PTRGMYGK] rundll32.exe ptmg1v.dll,DllRunMain


and just to be on the safe side, delete this too.

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

 

[Blind Dragon]

That's not smitfraud and don't remove the ctfmon.exe it is ok in that folder

Step 1

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

--------------------------------------------------------------------------------------------

Step 2
Update your Java Runtime Environment

• First try going to Start -> Control Panel -> double click Java
• Select the Update Tab at the top of the Java console
• Click the Check for Updates button at the bottom
• If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
• After it installs the newest version Go back to Control Panel -> Add/remove programs
• Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.

• Click the following link
  Java Runtime Environment 6 Update 5
• The 4th option down is the one you want (click Download)
• Check the box to agree to terms of service
• Check the box for your operating system and click 'Download selected'at the bottom
• After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
• Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

--------------------------------------------------------------

Step 3
Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware to your desktop.
  
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------------------------

Step 4
Attach MBAM log here with new Hijackthis log ran afterwards

 

[kritius]

in addition to Blind Dragons advice,

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  [kill explorer]
  purity
  [start explorer]

• Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

[rambo1964]

Thanks for all the help. Should I remove the files Techflame suggested? Here is my OTMoveit2 file:

Explorer killed successfully
< purity >
C:\Documents and Settings\darrell\My Documents\Μіcrosoft moved successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04262008_104159

 

[Blind Dragon]

You didn't follow step 2 of my instructions above, please do so before completing the rest of these instructions.

Disable Teatimer

• Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
• Open Spybot S&D
• Click on Mode at the top and make sure that Advanced is checked
• Expand the Tools tab in the left pane
• Single click on the Resident Icon also in the left pane
• Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
• Close spybot

Combofix

• Download Combofix to your desktop.
• Double click combofix.exe & follow the prompts.
• A window will open with a warning.
• When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt

 

[rambo1964]

I thought I had did step 2, sorry about that, I am guessing I should have unistalled J2se runtime????? I hope that is it because I unistalled it and then followed your next steps. I have attached the new combo fix log and hjt log.
Thanks for spending the time with this.

 

[rambo1964]

Also...it used to have a popup from avg at boot into windows saying !update.exe trying to excucute. But after doing the instrutions from this site that has not reapeared.

 

[Blind Dragon]

ok, i am going through your logs, sorry for the delay. You appear to have a lop.com infection which is usually associated with messenger plus. There are also a few others, I'll keep your log until you reply

Generate Uninstall List

• 
  1. Start HijackThis
  2. Click on the Config button
  3. Click on the Misc Tools button
  4. Click on the Open Uninstall Manager button.
  5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file.

Upload a File to Virustotal
Please visit Virustotal found HERE

• Click the Browse... button
• Navigate to the file C:\PROGRAM FILES\mpegmeal\databias.exe
• Click the Open button
• Click the Send button
• Copy and paste the results back here please.

 

[rambo1964]

Dont appologize for the delay, I am just happy you are taking the time to help me with this. Here is my uninstall list. I had no files in the Crogram files\mpegmeal folder.

 

[Blind Dragon]

Show hidden files through windows explorer

• Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press E
• On the Tools menu in Windows Explorer, click Folder Options
• Click the View tab.
• Under Hidden files and folders, click Show hidden files and folders
• Remove the checkmark from the checkbox labeled Hide protected operating system files
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types
• Put a checkmark in the checkbox labeled Display the contents of system folders.

Then try to upload to virus total

 

[rambo1964]

All of that was allready as you suggested. when I right click on the folder it says it is empty, o bytes, size on disk 0 bytes

 

[Blind Dragon]

I just looked through some definition files and SUPERantispyware should kill at least 3 of the bad entries. Whatever is left we will remove manually.



Download\install 'SuperAntiSpyware Home Edition Free Version' from HERE

• Launch SuperAntiSpyware and click on 'Check for updates'.
• Once the updates have been installed,exit SuperAntiSpyware.

Scan with SuperAntiSpyware

• Start SuperAntiSpyware.
• On the main screen click on 'Scan your computer'.
• Check: 'Perform Complete Scan then Click 'Next' to start the scan.
• Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
• Make sure everything found has a checkmark next to it,then press 'Next'.
• Click on 'Finish' when you've done.
  
  It's possible that the program will ask you to reboot in order to delete some files.
  
  Obtain the SuperAntiSpyware log as follows:
  Click on 'Preferences'.
  Click on the 'Statistics/Logs' tab.
  Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
  It will then open in your default text editor,such as Notepad.
  Attach the notepad file here on your next reply

Afterwards run a new hijackthis for me

 

[rambo1964]

I did the scan, the files you requested are attached. Thanks

 

[Blind Dragon]

Ok, one more thing then we can remove some of these

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\SYSTEM32\s?stem\?hkdsk.exe /a h > files.txt
notepad files.txt

Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here

 

[kimsland]

Sorry to interfere, but chkdsk does not have a or h switches, also what are the ? marks?

C:\WINDOWS\SYSTEM32\s?stem\?hkdsk.exe /a h

 

[Blind Dragon]

its not chkdsk it purity in disguise

I didn't think I needed to expain myself but...

To the user the file with the question marks in it will appear to have the same name as a legitimate file, you have them check properties of the file to make sure it matches that of the bad file found by the findfiles batch.

Edit: I didn't mean to sound rude, its just been a long day sorry

 

[rambo1964]

I must be doing something wrong, I followed your instructions and a c:\windows\system32\cmd.exe box comes up and says this:


C:\Documents and Settings\darrell\Desktop>dir C:\WINDOWS\SYSTEM32\s?stem\?hkdsk.
exe /a h 1>files.txt
The filename, directory name, or volume label syntax is incorrect.

C:\Documents and Settings\darrell\Desktop>notepad files.txt


Also since your previous instructions when I start windows a error box comes up saying:

error loading ptmg1v.dll
the specified module could not be found

 

[Blind Dragon]

is there a notepad files.txt on your desktop if so copy and paste it here for me

This one can be a pain - This is caused by virus writers using a Greek or Cryllic unicode character that looks the same as the Latin 'Y' and 'C'. Even though the two folder names appear to be the same, they are unique and can thus exist together in the same folder.

#1 C:\WINDOWS\SYSTEM32\system\chkdsk.
#2 C:\WINDOWS\SYSTEM32\s?stem\?hkdsk.

To you they will both look like #1

 

[rambo1964]

Yes, there is a files.txt on the desktop but nothing is in it.

 

[Blind Dragon]

I know kritius tried earlier but lets try something similar

• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  [b]purity[/b]

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

[rambo1964]

The results are:

< purity >

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05052008_144439

 

[Blind Dragon]

Guess we have to do it the old fashioned way

you may want to copy and paste this into notepad then save it to your desktop to access while in safe mode

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {00000000-0000-4D6D-B3EF-E8E1C825BA45} - C:\Program Files\5ij7nm4e\5ij7nm4e.dll (file missing)
O2 - BHO: (no name) - {11888CC9-1A2C-3288-2904-48B60E39F5C2} - C:\WINDOWS\system32\aubfju.dll (file missing)
O2 - BHO: (no name) - {4B2B4EAB-8A4B-AEB5-4A34-DB2FF795AD93} - C:\WINDOWS\system32\clzt.dll (file missing)
O2 - BHO: (no name) - {A72B197D-DE9A-FD39-9E3C-8BBAAD134198} - C:\WINDOWS\system32\vlhjjn.dll (file missing)
O2 - BHO: (no name) - {DE9C8164-1C81-3F20-A4DE-601341AB69C6} - C:\WINDOWS\system32\vohjdkz.dll (file missing)
O2 - BHO: (no name) - {F5E9BA4A-76FF-040D-8A4C-09C53E0E4497} - C:\WINDOWS\system32\hsm.dll (file missing)
O4 - HKLM\..\Run: [error new] C:\PROGRA~1\mpegmeal\databias.exe
O4 - HKLM\..\Run: [rbj35v46] C:\WINDOWS\system32\rbj35v46.exe
O4 - HKCU\..\Run: [Coufltow] C:\WINDOWS\SYSTEM32\s?stem\?hkdsk.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\PROGRAM FILES\mpegmeal

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\rbj35v46.exe
C:\WINDOWS\SYSTEM32\system\chkdsk.exe <-Should be at the bottom of system folder out of alhpa order - right click to check properties (Not Microsoft file)

After that, Reboot, and post a new HijackThis log here in a reply