Smitfraudfix will not fix my Smitfraud- HJT Log

Status
Not open for further replies.
Hello and thank you greatly for your help. It is very appreciated.

I followed the several steps required prior to posting a HJT log, here's what I know so far.

Kaspersky Scan found several trojan.downloader.etc files.

House Call found Smit.fraud.G, Trojan.win32.dialer.etc, backdoor.win32.rbot.etc.

And Spybot S&D keeps finding Smit.Fraud.etc, but cannot delete it, even in safe mode.

I have tried to clean the Smit.Fraud with SmitFraudFix while in safe mode, 2 times, but after each time, Spybot S&D is still able to find it.

There was no CW or Vundo found.

I have the Kaspersky log saved as well as the Ewido log, if needed.

Thank you for helping,
David
 
Hello and welcome to Techspot.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

Click on the fix checked button.

Close HJT.

Run the SmitFraudfix again and Spybot S&D.

It may be that the infection is in one of your restore points. Turning off system restore will delete all your restore points and anything nasty that's in them.

Reboot into normal mode and turn system restore back on.

Your HJT log is Clean BTW.


Regards Howard :wave: :wave:
 
Hi Howard and thanks for your time,

My system restore is off, all hidden and system files are shown, I rebooted into safe mode and used HJT to fix F2-REC:system.ini:UserInit=C:\Windows\system32\userinit.exe

I then tried SmitFraudFix again and here's what happens when I use command #2, the Clean command: a Windows window pops up saying "Disk Cleanup is calculating how much space you will be able to free on C:, this may take several minutes" Then 2-5 seconds later each time, I get the initial "you are in safe mode, this mode is used for troubleshooting and problem solving, cannot be used for networking etc..." message, that I get after I log into the XP account, and am given a choice to proceed with safe mode or cancel and reboot... Is this a normal side-effect when running the "clean" process of SmitFraudFix?

Anyways, after all of that, I ran SB S&D again, and it found the smitfraud like always, and gave me the following message as I tried to clean it: "Some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory) this could be fixed after a restart, may spybot load upon reboot?"

I have tried clicking yes, and when it reboots, I get the same error while trying to clean it, even though it's supposedly the first thing that's loaded.

Like I said, I have system restore turned off, hidden and system files shown, and I try smitfraudfix in safe mode.

Any ideas? Thanks a lot.
 
Also, I used Kaspersky again last night, and it said it found Troj_SE.77291, but was unable to do anything about it. Sorry I forgot to mention this.
 
I'm sorry to hear you're still having problems.

I have just looked at your HJT log again. It seems I may have missed a couple of things.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there).

Viewpoint\Viewpoint Manager

Also, temporarily uninstall Spybot S&D, as this may be interfering with the Smitfraudfix.

Close Control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

ViewMgr.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Fix all 016_DPF entries.

O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\LUCILO~1\LOCALS~1\Temp\hpdj.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files (if there).

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Reboot into normal mode and turn system restore back on.

Run the Smitfraudfix again and see what happens. If your problems are then gone, reinstall Spybot S&D.


Regards Howard :)
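
As an added example (not part of the thread and not HijackThis's own code), the F2, O4 and O23 lines quoted in the two replies above can be split into fields with a short parser. The three flags are assumed triage heuristics, not criteria stated by either poster.

```python
import re

# Entries copied verbatim from the two replies above.
SAMPLE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\LUCILO~1\LOCALS~1\Temp\hpdj.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATTERNS = {
    "F2": re.compile(r"^REG:(?P<file>[^:]+): (?P<name>\w+)=(?P<cmd>.+)$"),
    "O4": re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    "O23": re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$"),
}
MISSING = "(file missing)"

def parse(line):
    """Split one log line into fields; return None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    pat = PATTERNS.get(m["code"])
    d = pat.match(m["body"]) if pat else None
    if not d:  # section this sketch does not model: keep it, unflagged
        return {"code": m["code"], "cmd": m["body"], "flags": []}
    rec = {"code": m["code"], **d.groupdict(), "flags": []}
    # Assumed triage heuristics (not criteria stated in the thread):
    if rec["cmd"].endswith(MISSING):
        rec["cmd"] = rec["cmd"][: -len(MISSING)].rstrip()
        rec["flags"].append("file-missing")
    if re.search(r"\\te?mp\\", rec["cmd"], re.I):
        rec["flags"].append("runs-from-temp")
    if rec.get("owner") == "Unknown owner":
        rec["flags"].append("unknown-owner")
    return rec

def triage(text):
    """Parse every entry line in a pasted log fragment."""
    return [r for r in map(parse, text.splitlines()) if r]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["code"], r.get("name", "-"), r["cmd"], r["flags"] or "")
```

Only the O23 service entry picks up flags here; the other entries parse cleanly with none.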
 
Hi again Howard,

I think I have been able to rid my computer of the smitfraud problem.

However, there are still troubles for some reason. When I boot into normal mode (as opposed to safe mode), spywareguard warns me that my IE homepage has been changed and asks me to restore it or leave it as it's been changed. If I press restore, it turns into a never ending loop, so I finally just leave it as is... but upon the next reboot it does the same thing.

I used BitDefender to scan and it found 8 virii, was able to take care of 7 as I understood, but told me that my computer was still infected (infected with what, it didn't say). I have attached that report log, if you think it will help.

I then used Ewido suite in safe mode, and it found 51 infected files, I believe they were spyware but I'm no computer whiz. I have also attached that report log as well.

I followed your instructions and uninstalled S&D, as well as fixed those 8 scripts with HJT that you told me to. I have attached a log of HJT AFTER I cleaned those. I then ran Smitfraud again. I just ran my re-installed S&D, and it didn't find any SmitFraud or DSO exploits, or anything at all. It said I am clean.

If you need me to run any different scans and attach the logs, please don't hesitate to say so.

Again, your time is very much appreciated. Thanks.

-David
 
First of all, your HJT log is clean.

It is possible that the SpywareGuard alert is a false positive.

If you're not having any other problems, I'd say just ignore it. If it's beginning to annoy you, just uninstall SpywareGuard.

The Ewido scan report shows that it deleted mostly tracking cookies etc.

As far as I can tell, your system is clean.

Regards Howard :)
 