05-25-2005, 12:34 AM   #2
Scorpex
Analyst, Security Team
 
Join Date: Mar 2005
Location: NY
Posts: 350
OS: XP Pro/Home SP2


Sojerguy,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.


You have an outdated version of HijackThis. Please download and install the latest version by going to this Site.
The newest version of HijackThis (1.99.1) gives us more information to work with.
Note: When you post your next log – make sure word wrap is off before you copy and paste it.


Right click on this link -> http://www.bleepingcomputer.com/files/reg/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.


Go to Start->Control Panel->Add or Remove Programs and remove/uninstall the following programs, if found:

Security iGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

Go to My Computer->Tools/View->Folder Options->View tab
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button.

Download KillBox. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with the red circle with a white X. Confirm to delete and when asked if you want to reboot now, say no:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\system32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\system32\ole32vbs.exe
C:\WINNT\System32\hp5389.tmp
C:\WINNT\System32\winnook.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\akik.exe


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Delete these folders (in blue) if they exist:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\WINNT\System32\LogFiles
C:\Program Files\Security iGuard

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\System32\hp5389.tmp
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe
O4 - HKCU\..\Run: [WindowsFY] C:\bsw.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\System32\winnook.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <- if this is something you did – don’t delete
O9 - Extra button: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU)

Please remember to close all other windows, including browsers, then click Fix checked.

Close HijackThis.

Restart your computer.


1. Download Hoster and run it. Choose the 'Restore Original Hosts' button and press OK. Close the program.

2. Right click on this link -> http://mvps.org/winhelp2002/DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Save the file to the Desktop. To run the inf file, right click on it and select Install. Note: This will remove all entries in the 'Trusted Zone' and 'Ranges' also.

3. Download CleanUp! and install it.
(Alternate Link if the main link doesn't work - http://www.greyknight17.com/spy/Cleanup.exe )
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. When it asks you if you want to logoff, click on Yes.

4. Run an online scan at http://www.pandasoftware.com/activescan/ and save the results from the scan!

Restart and post a new HijackThis log along with the results from ActiveScan.


4SG

Last edited by Scorpex; 05-25-2005 at 12:54 AM. Reason: Fine tuning
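The post above works through a HijackThis log by hand, matching entries against a fixed list of known-bad file paths and a hijacked search domain. The script below is an added example (not part of the original thread, and not HijackThis' own code) that does the same triage automatically: it parses HijackThis-style `R0`/`R1`/`O2`/`O4`/`O9` lines and reports which entries reference a file from the post's delete list, point at the `startsearches.net` domain, or are orphaned `(no file)` buttons. The indicator lists are copied from the post; the sample log is constructed from the log lines quoted in it. It only reports, it does not delete anything, so a reviewer still decides what to fix.

```python
"""Triage a HijackThis-style log against the indicators listed in the post above.

Added example, not code from the original thread or from HijackThis.
BAD_FILES and BAD_DOMAINS are taken from the post; SAMPLE_LOG is constructed
from the log lines quoted in the post. Nothing is deleted: the script only
reports which entries carry a listed indicator.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# File paths the post instructs the user to delete (copied from the post).
BAD_FILES = {
    r"C:\wp.exe", r"C:\wp.bmp", r"C:\bsw.exe",
    r"C:\WINNT\sites.ini", r"C:\WINNT\popuper.exe",
    r"C:\WINNT\system32\hhk.dll", r"C:\WINNT\System32\wldr.dll",
    r"C:\WINNT\System32\helper.exe", r"C:\WINNT\System32\intmon.exe",
    r"C:\WINNT\System32\shnlog.exe", r"C:\WINNT\System32\intmonp.exe",
    r"C:\WINNT\System32\msmsgs.exe", r"C:\WINNT\system32\msole32.exe",
    r"C:\WINNT\system32\ole32vbs.exe", r"C:\WINNT\System32\hp5389.tmp",
    r"C:\WINNT\System32\winnook.exe",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\akik.exe",
}
# Domain the hijacked Internet Explorer settings point at (from the post).
BAD_DOMAINS = {"startsearches.net"}


def _norm(path: str) -> str:
    # Windows paths are case-insensitive, so compare everything in lower case.
    return path.lower()


BAD_FILES_NORM = {_norm(p) for p in BAD_FILES}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")  # "O4 - ..." entries
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\[\]]+")             # drive-letter path
URL_RE = re.compile(r"https?://([^/\s]+)")                  # host part of a URL


@dataclass
class Finding:
    section: str   # HijackThis section code: R0, R1, O2, O4, O9, ...
    line: str      # the log line as written
    reason: str    # why it was flagged


def _bad_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log entry that carries a listed indicator."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and the header/footer of a real log
        sec, rest = m.group("sec"), m.group("rest")
        paths = [p for p in PATH_RE.findall(rest) if _norm(p) in BAD_FILES_NORM]
        hosts = [h for h in URL_RE.findall(rest) if _bad_host(h)]
        if paths:
            findings.append(Finding(sec, line, f"known-bad file {paths[0]}"))
        elif hosts:
            findings.append(Finding(sec, line, f"hijacked to {hosts[0]}"))
        elif sec == "O9" and "(no file)" in rest:
            # Toolbar button / menu item whose target is gone: orphaned entry.
            findings.append(Finding(sec, line, "orphaned entry (no file)"))
    return findings


# Constructed sample: the log lines quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\System32\hp5389.tmp
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe
O4 - HKCU\..\Run: [WindowsFY] C:\bsw.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\System32\winnook.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Two entries from the post's fix list are deliberately not flagged: the `about:blank` default page carries no indicator on its own, and the `O6` Control Panel policy is something the user may have set themselves, which is exactly the judgement call the post leaves to the reader. Run-key entries are matched on their target path, so an `O4` entry labelled `[MSN Messenger]` is still caught when it points at the listed `System32\msmsgs.exe`.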