View Full Version : Smitfraud-c Registry Key
I was hit by the Smitfraud-c, I've tried my best but I cannot get rid of it. The only thing that is being detected is the registry entry for the virus, I am unsure as to whether or not I should delete the entry.
Smitfraud-C.: [SBI $C30A3B68] Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}
I used a combination of AVG Pro 7.5, HijackThis, CCleaner, Spybot, and SmitfraudFix.
While in safe mode:
- AVG found the files d.exe, e.exe, and sav.exe, I quarentined and deleted them
- Spybot was able to delete all of the other files except for the registry entry
- Ran HijackThis and fixed the issues coresponding with: O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
- Ran the SmitfraudFix
- Rebooted in to a normal session and ran CCleaner
- Spybot still gives me the Smitfraud registry entry but nothing else detects anything wrong in both safe mode or normal.
I have the HJT log attached to my post and I can provide any information necessary, any help getting this thing off of my system would be great.
Hi
Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Download ERUNT (http://www.softpedia.com/get/Tweak/Registry-Tweak/Erunt-g.shtml)
Save it to your desktop. Run and install this program.
In the box that opens ONLY choose
System registry.
Then click OK.
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.
Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.
REGEDIT4
[-HKEY_CLASSES_ROOT\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}]
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick fix.reg, press Yes and ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
Start hjt, do a system scan, check (if found):
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
Close browsers and fix checked.
Reboot.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report & a fresh hjt log (without using attachments, please).
Due to inactivity, this thread will now be closed.
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.