Thread: Need Help to Remove Smitfraud C and Command Service

  1. #11
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005
    Location: Clearwater, Florida
    Posts: 20,247

    OK, listen up. This is a tough infection and you need to follow the directions exactly. If you are uncomfortable with them, get someone with more computer experience to lend you a hand.

    First, when you ran the ewido scan, you ignored everything ewido found? How can ewido fix the stuff if you ignore it? Please also notice that even ewido security scan pointed out that alexa junk is a bunch of adware. Once we run the tool for the Downloader.Qoologic.bj infection I want you to restart the computer in safe mode, and run ewido again. This time delete everything it locates unless you are positive it is not bad.

    Instructions for Downloader.Qoologic.bj infection start here:

    Download Brute Force Uninstaller to your C:\
    Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
    Download qoofix.bat (right-click on this link and choose Save As)
    Place qoofix.bat in your C:\BFU folder. (Important!)
    Double-click qooFix.bat. Close all browsers and Explorer folders.
    Choose option 1 (Qoolfix autofix) and follow the prompts.
    Please be patient, it will take about five minutes.
    After the PC has restarted please post another hijackthis log.

    Hold that HJT log until you are finished.

    Open the ewido program and choose update, then Start Update. This takes a few moments, once complete, close the program.

    Now restart the computer in safe mode:
    http://www.bleepingcomputer.com/tuto...utorial61.html

    Once in Safe Mode, open ewido and choose scanner then complete system scan. Allow ewido to delete what it finds unless you know it is not bad. When it is finished, save the scan report,


    Thanks.

  2. #12
    Junior Member
    Join Date: Apr 2006
    Posts: 11

    Quote Originally Posted by pskelley
    First, when you ran the ewido scan, you ignored everything ewido found? How can ewido fix the stuff if you ignore it?
    From your instructions:

    Quote Originally Posted by pskelley
    delete everything it locates unless you are positive it is not bad.
    Quote Originally Posted by pskelley
    have ewido delete anything it locates unless you know it is not bad.
    Quote Originally Posted by pskelley
    NOTE: During some scans with ewido it is finding cases of false positives.
    If you are unsure of any entry found select none for now.
    As I said before, I deleted the entries unless I knew they were ok, per your instructions. And there are specific reasons for having the Alexa toolbar, which I use. However, that said, I have deleted more of the ewido results, including Alexa, since I can redownload if necessary.

    Below are the ewido and HJT logs. Having no problems with popups after being online for a long period of time, but I notice that a Spybot scan still flags Smitfraud-C.

    Thank you.

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 6:38:33 AM, 4/16/2006
    + Report-Checksum: 92D3A502

    + Scan result:

    :mozilla.41:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.Clickbank : Ignored
    :mozilla.29:C:\Documents and Settings\Steve\Application Data\Mozilla\Users50\bds293\eezkq4vh.slt\cookies.txt -> TrackingCookie.Commission-junction : Ignored
    :mozilla.32:C:\Documents and Settings\Steve\Application Data\Mozilla\Users50\bds293\eezkq4vh.slt\cookies.txt -> TrackingCookie.Preferences : Ignored
    :mozilla.48:C:\Documents and Settings\Steve\Application Data\Mozilla\Users50\bds293\eezkq4vh.slt-new\cookies.txt -> TrackingCookie.Commission-junction : Ignored
    :mozilla.184:C:\Documents and Settings\Steve\Application Data\Mozilla\Users50\bds293\eezkq4vh.slt-new\cookies.txt -> TrackingCookie.Clickbank : Ignored
    :mozilla.217:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oj60lqsj.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Ignored
    :mozilla.221:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oj60lqsj.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Ignored
    :mozilla.222:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oj60lqsj.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Ignored
    :mozilla.231:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oj60lqsj.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Ignored
    :mozilla.232:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oj60lqsj.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Ignored
    :mozilla.239:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oj60lqsj.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Ignored
    C:\Documents and Settings\Steve\Cookies\steve@linksynergy[1].txt -> TrackingCookie.Linksynergy : Ignored
    HKLM\SOFTWARE\Alexa Internet -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Alexa Internet\Hosts -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\AlxTB.BHO\CLSID -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\AlxTB.BHO\CurVer -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\AlxTB.BHO.1 -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CLSID -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CurVer -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\Popup.PopupKiller\CLSID -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\Popup.PopupKiller\CurVer -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Classes\Popup.PopupKiller.1 -> Adware.Alexa : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa -> Adware.Alexa : Cleaned with backup
    HKU\S-1-5-21-803110200-4000862400-3611119083-1006\Software\Microsoft\Internet Explorer\MenuExt\Mail to a Friend... -> Adware.Alexa : Cleaned with backup
    HKU\S-1-5-21-803110200-4000862400-3611119083-1006\Software\Microsoft\Internet Explorer\MenuExt\See Related Links -> Adware.Alexa : Cleaned with backup
    :mozilla.14:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.16:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.18:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.21:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.22:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.45:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.111:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.172:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.173:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.187:C:\Documents and Settings\Steve\Application Data\Mozilla\Users50\bds293\eezkq4vh.slt-new\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.434:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oj60lqsj.default\cookies.txt -> TrackingCookie.Directnetadvertising : Cleaned with backup
    :mozilla.511:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oj60lqsj.default\cookies.txt -> TrackingCookie.Cj : Cleaned with backup
    :mozilla.512:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oj60lqsj.default\cookies.txt -> TrackingCookie.Cj : Cleaned with backup
    C:\Documents and Settings\Steve\Cookies\steve@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Steve\Cookies\steve@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Steve\Cookies\steve@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Steve\Cookies\steve@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Steve\Cookies\steve@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Steve\Cookies\steve@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Steve\My Documents\AOL Downloads\America Online 7.0\acd2se.exe/cd_clint.dll -> Adware.Cydoor : Cleaned with backup
    C:\Documents and Settings\Steve\My Documents\AOL Downloads\America Online 7.0\acd2se.exe/cd_load.exe -> Adware.Cydoor : Cleaned with backup
    C:\Documents and Settings\Steve\My Documents\ARTICLE LIGHTNING\NicheProductPak1.zip/NICHE PRODUCTS/Organic Secrets.zip/Organic Secrets/Organic Secrets/OrganicSecrets.exe -> Trojan.Passview : Cleaned with backup
    C:\Program Files\Common Files\ozfo\ozfop.exe -> Downloader.TSUpdate.f : Cleaned with backup
    C:\Program Files\PCDJ\TSUninstaller.exe -> Adware.TimeSink : Cleaned with backup
    C:\Program Files\Radmin\raddrv.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Cleaned with backup
    C:\WINDOWS\system32\AlxRes.dll -> Adware.AlexaBar : Cleaned with backup
    C:\WINDOWS\system32\AlxRes.dll.bak -> Adware.AlexaBar : Cleaned with backup
    C:\WINDOWS\system32\AlxTB2.dll -> Adware.AlexaBar : Cleaned with backup


    ::Report End

    Logfile of HijackThis v1.99.1
    Scan saved at 6:52:32 AM, on 4/16/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\WINDOWS\system32\lxamsp32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    C:\Program Files\LexmarkX63\ACMonitor_X63.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Novatel Wireless\Merlin Ricochet\MerlinRicochetModemManager.exe
    C:\Program Files\Omega Research\Program\orschd.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Hijackthis\HijackThis.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
    O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
    O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Omega Research Task Scheduler.lnk = C:\Program Files\Omega Research\Program\orschd.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\MSJAVA.DLL (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\MSJAVA.DLL (file missing)
    O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
    O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
    O12 - Plugin for .xml: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: http://www.sitesell.com
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1142773917799
    O17 - HKLM\System\CCS\Services\Tcpip\..\{82ABDD86-56F4-4972-9CB1-6CC1C68F5996}: NameServer = 168.253.8.17 168.253.8.18
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
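
An added example, not part of the original post: a small parser for the ewido report format shown above (`<location> -> <detection> : <action>`) that tallies findings by family and action and lists anything left "Ignored" that is not a tracking cookie. The function names and the choice to treat `TrackingCookie` as low priority are assumptions made for this illustration.

```python
import re
from collections import Counter

# One result line in the report: "<location> -> <Detection.Name> : <action>"
RESULT_RE = re.compile(r"^(?P<location>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")

# Sample input: the first four result lines are copied from the report above;
# the last one is constructed to show an ignored non-cookie finding.
SAMPLE = r"""
+ Scan result:

:mozilla.41:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\Default User\45gcd5di.slt\cookies.txt -> TrackingCookie.Clickbank : Ignored
C:\Documents and Settings\Steve\Cookies\steve@linksynergy[1].txt -> TrackingCookie.Linksynergy : Ignored
HKLM\SOFTWARE\Alexa Internet -> Adware.Alexa : Cleaned with backup
C:\Program Files\Common Files\ozfo\ozfop.exe -> Downloader.TSUpdate.f : Cleaned with backup
C:\Example\constructed-sample.dll -> Adware.Example : Ignored

::Report End
"""


def parse_report(text):
    """Return one dict per result line; header and footer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = RESULT_RE.match(raw.strip())
        if not match:
            continue
        detection = match["detection"]
        entries.append({
            "location": match["location"],
            "detection": detection,
            # Family is the part before the first dot, e.g. "Adware".
            "family": detection.split(".", 1)[0],
            "action": match["action"].strip(),
        })
    return entries


def summarize(entries):
    """Count findings per (family, action) pair."""
    return Counter((e["family"], e["action"]) for e in entries)


def needs_review(entries, low_priority=("TrackingCookie",)):
    """Findings still marked Ignored that are not in a low-priority family.

    Treating tracking cookies as low priority is an assumption of this example.
    """
    return [e for e in entries
            if e["action"] == "Ignored" and e["family"] not in low_priority]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for (family, action), count in sorted(summarize(parsed).items()):
        print(f"{family:15} {action:20} {count}")
    for entry in needs_review(parsed):
        print("REVIEW:", entry["detection"], "at", entry["location"])
```
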

  3. #13
    Security Expert-Emeritus
    Join Date: Oct 2005
    Posts: 5,025

    "Spybot scan still flags Smitfraud-C"

    Post the topmost part of a SpyBot report please.
    Open SpyBot 1.4, check for and get any updates available, close all browsers, check for problems and fix everything found. Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
    Uncheck[ ] do not report disabled or known legitimate Items,
    uncheck[ ] Include a list of services in report.
    Uncheck[ ] Include uninstall list in report.
    Now select (near the top) view report, press export, in the save in box choose a place such as your My Documents folder, then in your next post near the bottom select the "manage attachments" button, navigate to and attach or post that report please.

  4. #14
    Junior Member
    Join Date: Apr 2006
    Posts: 11

    Hello, thank you for getting back to me. I downloaded Spybot 1.4, which says it has fixed Smitfraud-C and a few other things I didn't know I still had from the previous version of Spybot. I am posting the log as an attachment...

  5. #15
    Security Expert-Emeritus
    Join Date: Oct 2005
    Posts: 5,025

    Does it show in your next scans?
    Smitfraud-C.: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\drsmartload2
    If not then everything is ok

  6. #16
    Junior Member
    Join Date: Apr 2006
    Posts: 11

    They don't show up anymore! Thanks very much for your help. This was a very bad situation, and I never could have done it myself. This site is an incredible resource for getting rid of some very nasty threats that can attack from out there.

  7. #17
    Security Expert-Emeritus
    Join Date: Oct 2005
    Posts: 5,025

    You're good to go after taking some security steps.

    Think Prevention:
    Put in place a good hosts file
    http://www.mvps.org/winhelp2002/hosts.htm
    How To Download and Extract the HOSTS file:
    http://www.mvps.org/winhelp2002/hosts2.htm
    Replace it about once monthly to keep it updated


    To help avoid reinfection see "So how did I get infected in the first place?"
    http://forums.spybot.info/showthread.php?t=279

  8. #18
    tashi (Member of Team Spybot)
    Join Date: Oct 2005
    Location: USA
    Posts: 30,961

    As the problem appears to be resolved this topic will be archived.

    If you need it re-opened please send me a pm and provide a link to the thread.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
