Help me with Smitfraud =[

Panz3...@googlemail.com

Jul 23, 2008, 4:34:05 AM
Well, I keep getting the Smitfraud-C virus/trojan. It pops up from
everywhere >_< It seems I can't even browse a web page without getting
it again. The only way I can fix it is by re-formatting. But the weird
thing is, it doesn't show any symptoms of Smitfraud. I don't get the
blue screen on my desktop, or a bunch of internet shortcuts, or any
error messages. I only know I have it because Spybot S&D detects it
and I have an svchost.exe in my Windows folder which I can't remove. I
want to get rid of it because last time, it got really annoying. It
just sat there for ages doing nothing then eventually fucked up my
windows explorer before.

So how do I get rid of this before it pisses me off again? And don't
say "Use Google", I've Googled it up and nothing helps. Also,
SmitFraudFix doesn't help either.
There must be SOME way to remove this pest, I'm sure the creator of it
wasn't a genius.

David H. Lipman

Jul 23, 2008, 6:09:31 AM
From: <Panz3...@googlemail.com>

1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe; Format --> uncheck; "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of the below
expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Gaz

Jul 23, 2008, 7:36:14 AM

<Panz3...@googlemail.com> wrote in message
news:8e45910a-67fb-4a67...@a1g2000hsb.googlegroups.com...

Try SUPERAntiSpyware together with SmitFraudFix (it does usually work). Get
HijackThis and look through the processes. A good little trick for picking
up things that these programs don't get is to check Program Files, and
order by date, check for newly installed programmes, do the same thing from
within Common Files within Program Files, do the same in the Windows folder
and in the Windows system32 folder. Use Google to search individual entries
if they look odd and you are not sure....

Gaz
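
The manual check described in the post above (order Program Files, Common Files, the Windows folder and system32 by date and look for new arrivals), combined with the misplaced svchost.exe from the first post, can be scripted. This is an added example, not part of the original thread; the function names, the 30-day window and the short list of system binary names are assumptions chosen for illustration.

```python
import os
import time
from pathlib import Path

# Assumption: a short illustrative list of Windows binaries that belong only
# under system32 (or SysWOW64), never directly in the Windows folder.
SYSTEM_ONLY_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
EXPECTED_PARENTS = {"system32", "syswow64"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}

def recent_entries(folder, days=30, now=None):
    """Subfolders and executables directly inside `folder` that changed in the
    last `days` days, newest first (the 'order by date' view)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    try:
        entries = list(Path(folder).iterdir())
    except OSError:
        return hits  # folder missing or unreadable
    for entry in entries:
        try:
            if entry.is_dir() or entry.suffix.lower() in EXECUTABLE_EXTS:
                mtime = entry.stat().st_mtime
                if mtime >= cutoff:
                    hits.append((mtime, entry))
        except OSError:
            continue  # locked or vanished entry
    return sorted(hits, key=lambda hit: hit[0], reverse=True)

def misplaced_system_binaries(folder):
    """Files that carry a system binary's name but sit outside system32 or
    SysWOW64, like the svchost.exe in the Windows folder from this thread."""
    folder = Path(folder)
    if folder.name.lower() in EXPECTED_PARENTS:
        return []
    try:
        return sorted(p for p in folder.iterdir()
                      if p.is_file() and p.name.lower() in SYSTEM_ONLY_NAMES)
    except OSError:
        return []

if __name__ == "__main__":
    windir = os.environ.get("windir", r"C:\Windows")
    progs = os.environ.get("ProgramFiles", r"C:\Program Files")
    for d in (progs, os.path.join(progs, "Common Files"), windir,
              os.path.join(windir, "system32")):
        for path in misplaced_system_binaries(d):
            print("MISPLACED", path)
        for mtime, path in recent_entries(d):
            print(time.strftime("%Y-%m-%d", time.localtime(mtime)), path)
```

File timestamps can be altered, so an empty listing does not show the machine is clean; a file infector that has modified many executables will also make the recent list long.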


Panz3...@googlemail.com

Jul 23, 2008, 9:16:33 AM
Oh never mind. I looked at a site somebody was talking about on here,
and uploaded my svchost.exe (in Windows directory) to it and I finally
found out that it was actually Jeefo.

Now, call me paranoid, but I've been getting a strange message which
seems to be attempting to imitate IE's "Internet Explorer has
encountered an error and needs to close" error. The thing is, there's
some text missing, the "send error report" or whatever button isn't
there, and when I click "Close" on the error, nothing happens. I'm
wondering if this is "normal" or related to some sort of virus. Have a
look:

http://img151.imageshack.us/img151/1926/iejpgyc0.jpg

David H. Lipman

Jul 23, 2008, 4:19:28 PM
From: <Panz3...@googlemail.com>

| http://img151.imageshack.us/img151/1926/iejpgyc0.jpg

So you are saying that you uploaded %windir%\svchost.exe (maybe to Virus Total) and it was
declared as Jeefo?

Can you please provide FULL facts.

Clark

Jul 23, 2008, 6:42:07 PM

Sorry for the direct link but that was the only option.
Download from asquared (www.emsisoft.com):
http://download1.emsisoft.com/a2usb.zip
Save it where you want, reboot to safe mode with networking, run it
(a2free.exe), update it (let it do the deep scan),
reboot when it's done.
That one works with most variants of Smitfraud.
If your ctl/alt/del and such are not working, download Dial-a-fix:
http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles
Choose policies untick, hide disabled policies, rescan and remove all
(green checkmarks to the left).
Let us know how you did.

Clark...

--
Don't you have Google in your part of the world?


Panz3...@googlemail.com

Jul 24, 2008, 4:14:04 PM
On Jul 23, 9:19 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: <Panz3r.K...@googlemail.com>

Yes it was VirusTotal. There were about 33 results, and each either
said "Hidrag", "Jeefo" and "Powerman". From what I know they're all
the same thing. So I ran a little program to get rid of Jeefo and it
worked, no more errors. It also found more than 1000 infected exe's on
my comp which I guess explains why sometimes my programs decide not to
load and I need to re-extract or re-download them xD

David H. Lipman

Jul 24, 2008, 4:16:02 PM
From: <Panz3...@googlemail.com>

| Yes it was VirusTotal. There were about 33 results, and each either
| said "Hidrag", "Jeefo" and "Powerman". From what I know they're all
| the same thing. So I ran a little program to get rid of Jeefo and it
| worked, no more errors. It also found more than 1000 infected exe's on
| my comp which I guess explains why sometimes my programs decide not to
| load and I need to re-extract or re-download them xD

Use the following Multi AV Scanning Tool to make sure all are removed.

Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *