PDA

View Full Version : Need help, Can't run SmitfraudFix



ta.herbert
2006-05-27, 06:43
I've been infected with Spyfalcon/Spyware Quake/whatever else happens to be there, having been looking around online for a fix, almost every solution requires the use of SmitfraudFix. Unfortunately, whenever I try to run it, a black DOS-like screen pops up momentarily and then disappears, but the program never runs. Is there a way to fix this, so that I can fix the adware on my computer? Here is the HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:43:58 PM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5335.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp102.tmp
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Logitech Utility] "C:\WINDOWS\Logi_MwX.Exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: gebyw - C:\WINDOWS\
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

LonnyRJones
2006-05-27, 09:33
Welcome to the forum

Temporaraly Disable nortons script blocking Download fixpath2.zip, extract the files inside and run Fixpath.exe: http://internet.cybermesa.com/~bstewart/misctools.html
Now those files can be deleted and the zip to, Smithfraudfix should work.

ta.herbert
2006-05-29, 01:51
I ran fixpath.exe, and told it to check/fx any errors, and it gave me the result:

The registry value type is correct (REG_EXPAND_SZ).
The minimum required directories were found in the Path.

So I then tried to run SmitfraudFix again, but the same quick flash of a black DOS screen appeared, and nothing. Am I doing something wrong?

LonnyRJones
2006-05-29, 05:49
Did you reboot into safe mode after running fixpath ?

Also temporaraly disable nortons scriptblocking

ta.herbert
2006-05-31, 03:11
I did try rebooting into safe mode, and the script blocking was disabled.

LonnyRJones
2006-05-31, 03:29
Desrcibe how you disabled script blocking please.
meaning its one thing to slose norton and another to turn off script blocking from within its options.

Copy the contents of the quote box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.



regedit /a env.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"


Run check.bat . post the env.txt

ta.herbert
2006-05-31, 21:10
I disabled script blocking by going into Norton Internet Security, clicking on the options dropdown menu -> norton anti-virus -> script blocking, and unchecked the "enable script blocking" box.

Here's the env file:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"ComSpec"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,63,6d,64,2e,65,78,65,00
"windir"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,00
"FP_NO_HOST_CHECK"="NO"
"OS"="Windows_NT"
"PROCESSOR_ARCHITECTURE"="x86"
"PROCESSOR_LEVEL"="6"
"PROCESSOR_IDENTIFIER"="x86 Family 6 Model 13 Stepping 8, GenuineIntel"
"PROCESSOR_REVISION"="0d08"
"NUMBER_OF_PROCESSORS"="1"
"PATHEXT"=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"
"TEMP"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,54,45,4d,50,00
"TMP"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,54,45,4d,50,00
"CLASSPATH"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,4a,61,76,\
61,5c,6a,32,72,65,31,2e,34,2e,32,5f,30,33,5c,6c,69,62,5c,65,78,74,5c,51,54,\
4a,61,76,61,2e,7a,69,70,00
"QTJAVA"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,4a,61,76,61,\
5c,6a,32,72,65,31,2e,34,2e,32,5f,30,33,5c,6c,69,62,5c,65,78,74,5c,51,54,4a,\
61,76,61,2e,7a,69,70,00
"Path"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\
3b,25,53,79,73,74,65,6d,52,6f,6f,74,25,3b,25,53,79,73,74,65,6d,52,6f,6f,74,\
25,5c,73,79,73,74,65,6d,33,32,5c,57,42,45,4d,3b,43,3a,5c,50,72,6f,67,72,61,\
6d,20,46,69,6c,65,73,5c,41,54,49,20,54,65,63,68,6e,6f,6c,6f,67,69,65,73,5c,\
41,54,49,20,43,6f,6e,74,72,6f,6c,20,50,61,6e,65,6c,3b,43,3a,5c,50,72,6f,67,\
72,61,6d,20,46,69,6c,65,73,5c,51,75,69,63,6b,54,69,6d,65,5c,51,54,53,79,73,\
74,65,6d,5c,00

LonnyRJones
2006-06-01, 03:40
Thats looks ok,

There were some recent changes to smithfraudfix, re-download and try it again, hopefully it will run.

ta.herbert
2006-06-01, 06:35
Tried redownloading from http://siri.geekstogo.com/SmitfraudFix.php, but still getting the same problem.

LonnyRJones
2006-06-01, 07:03
Ill ask around, in the meantime try renaming SmitfraudFix.cmd to
SmitfraudFix.BAT and try that, provided you can see that .cmd extension ?
If not go into folder options view tab and uncheck hide file extension.

ta.herbert
2006-06-01, 08:16
same thing happens with SmitfraudFix.bat. Are there any other logs I could post to help find the problem?

LonnyRJones
2006-06-01, 08:56
Try this please
Move the folder SmitfraudFix to C:\
Press Windows + R
Enter cmd
- type cd\
- type cd SmitfraudFix
- type SmitfraudFix

If you see an error message let us know

ta.herbert
2006-06-01, 19:43
The error message I got was :

'find' is not recognized as an internal or external command, operable program or batch file.

LonnyRJones
2006-06-01, 20:49
Odd

Copy the contents of the quote box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


dir /s %systemdrive%\find.* >logit.txt
start notepad logit.txt

Run check.bat and post back with the text that will open

ta.herbert
2006-06-01, 22:18
Here's what was in logit.txt after I ran check.bat:

Volume in drive C has no label.
Volume Serial Number is 5C7C-D31C

LonnyRJones
2006-06-02, 03:57
Do you have a friend that also runs XP you can get a copy of find.exe from ? put it in the c:\windows\system32 folder ?

ta.herbert
2006-06-02, 05:48
how would i make a copy of this? Is it in the installation disks?

LonnyRJones
2006-06-02, 07:23
Probaly be much easyer to get the file from another xp user
The odd thing is if your's was deleted windows would have put it back, if it couldnt find a copy it would have asked for the xp cd.
Do you have an XP cd ?

LonnyRJones
2006-06-04, 07:50
Any luck ta.herbert

Curious does start > search have any problems ?
check in the window\system32 folder, sort by type and tell me if any of these files are present
CMD.COM
netstat.com
ping.com
regedit.com
tasklist.com
taskkill.com
taskmgr.com
tracert.com
Other .com files ?

tashi
2006-06-09, 17:37
Still with us ta.herbert?

tashi
2006-06-16, 01:12
Thank you Lonny.

ta.herbert, this topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.