Ok...I'm not sure what issues you have left...but you still have part of the SmitFraud trojan files installed...so we are going to run the fix again. Don't worry if you can't find some of these files or entries as they may be missing...but check anyway.
Click START...RUN...Type in regedit. Make sure just "My Computer" is showing in the left pane and click FILE...EXPORT...and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
"paint.exe" = "shnlog.exe" [file not found]
"notepad.exe" = "msmsgs.exe" [file not found] <--remove those 2 entries.
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!
Download the file located here..
http://www.bleepingcomputer.com/files/reg/smitfraud.reg
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid
Exit Add/Remove Programs.
*IMPORTANT* Be sure VIEW HIDDEN FILES is still enabled...and Spybot's TeaTimer is DISABLED.
Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the processes for each of these I list below or any that have a similar name.
C:\WINNT\System32\shnlog.exe
C:\WINNT\popuper.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\intmon.exe
Make sure to end those processes if they are listed.
Double-click that smitfraud.reg on your desktop and confirm you want to merge it with the registry.
Download KillBox: http://www.atribune.org/downloads/KillBox.exe
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:.
**Note** You may not have all these...but paste them in anyway. If you get a Pending File Operations prompt on the last one, ignore it and just reboot manually.
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\System32\ole32vbs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\hp596C.tmp
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\winnook.exe
C:\WINNT\system32\hookdump.exe
C:\WINNT\desktop.html
C:\WINNT\screen.html
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)
FOLDERS to delete (in bold) if found:
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\WINNT\System32\Log Files
C:\Program Files\Security IGuard
Reboot into normal mode.
1.) Download Hoster from HERE: http://www.greyknight17.com/spy/Hoster.exe
Run the program and press "Restore Original Hosts" and press "OK". Exit Program.
2.) Download DelDomains.inf
Right-click and select..... Save Target As
To use: Right-click and select....... Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone".
3.) Download and install CleanUp: http://cleanup.stevengould.org/
Run the cleanup utility and reboot/logoff when prompted.
Click again on the smitfraud.reg file and merge it for a second time. This should fix the policies of those desktop tabs and allow you to delete that "Security" entry on that "WEB" tab.
Now...once you're back to normal Windows...right-click on the desktop...select Properties...Desktop...Customize Desktop...Web...and uncheck anything listed. Now highlight and delete any entry that says Security...or anything other than the default "My Current Homepage". Leave that entry be.
Once done...post another HijackThis log...and let me know the outcome of removing that desktop message/background.
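As an added verification check (not part of the original post, and not code from any of the tools it links), the following PowerShell script reports which of the files, folders, processes and registry values listed in the post are still present, without deleting anything, so the result of the fix can be confirmed before the next log is posted. It assumes the Windows directory is C:\WINNT as in the post (change $winDir if yours differs) and that it is run from an elevated prompt; the hosts-file and Trusted Zone listings at the end are extra checks tied to the Hoster and DelDomains steps, and the "clean" hosts content is taken to be only comments and the 127.0.0.1 localhost line.

```powershell
# Read-only inventory of the SmitFraud artifacts named in the post above.
# Nothing is deleted; findings are printed for review.
$winDir = 'C:\WINNT'   # assumption: same Windows directory as in the post

$files = @(
    'C:\wp.exe', 'C:\wp.bmp', 'C:\bsw.exe',
    "$winDir\sites.ini", "$winDir\popuper.exe",
    "$winDir\System32\helper.exe", "$winDir\System32\intmonp.exe",
    "$winDir\System32\msmsgs.exe", "$winDir\System32\ole32vbs.exe",
    "$winDir\System32\msole32.exe", "$winDir\System32\hp596C.tmp",
    "$winDir\System32\shnlog.exe", "$winDir\System32\intmon.exe",
    "$winDir\System32\winnook.exe", "$winDir\System32\hookdump.exe",
    "$winDir\desktop.html", "$winDir\screen.html"
)
$folders = @(
    'C:\Program Files\Search Maid', 'C:\Program Files\Virtual Maid',
    "$winDir\System32\Log Files", 'C:\Program Files\Security IGuard'
)
# Process names from the post, without the .exe extension as Get-Process expects
$processNames = @('shnlog', 'popuper', 'intmonp', 'intmon')

# Registry values the post says to remove under the Explorer\Run policy key
$regKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$regValues = @('paint.exe', 'notepad.exe')

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $f }
    }
}
foreach ($d in $folders) {
    if (Test-Path -LiteralPath $d -PathType Container) {
        $findings += [pscustomobject]@{ Type = 'Folder'; Item = $d }
    }
}
foreach ($p in $processNames) {
    $running = Get-Process -Name $p -ErrorAction SilentlyContinue
    if ($running) {
        $findings += [pscustomobject]@{ Type = 'Process'; Item = "$p.exe (PID $($running.Id -join ','))" }
    }
}
if (Test-Path -Path $regKey) {
    $props = Get-ItemProperty -Path $regKey
    foreach ($v in $regValues) {
        if ($props.PSObject.Properties.Name -contains $v) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Item = "$regKey\$v = $($props.$v)" }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the listed SmitFraud files, folders, processes or registry values were found.'
} else {
    Write-Output 'Still present (review, then follow the removal steps for each):'
    $findings | Format-Table -AutoSize
}

# Extra check 1: hosts file lines other than comments and the localhost entry.
# A clean hosts file after "Restore Original Hosts" should show nothing here.
$hosts = Join-Path $winDir 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hosts) {
    $extra = Get-Content -LiteralPath $hosts |
        Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' }
    Write-Output "`nhosts entries other than localhost: $($extra.Count)"
    $extra | ForEach-Object { Write-Output "  $_" }
}

# Extra check 2: domains placed in Internet Explorer zones for the current user.
# DelDomains.inf clears these; anything listed here survived or was re-added.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path -Path $zoneMap) {
    $domains = Get-ChildItem -Path $zoneMap -ErrorAction SilentlyContinue
    Write-Output "`nZoneMap domain entries: $($domains.Count)"
    $domains | ForEach-Object { Write-Output "  $($_.PSChildName)" }
}
```

Run it once after the reboot into normal mode and again after the second smitfraud.reg merge: the first run shows what the KillBox and Safe Mode steps missed, the second should come back empty except for whatever legitimate ZoneMap domains you added yourself.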