BullGuard
HELP REMOVE SMITFRAUD-C PLEASE !!
   
blizaine
New Member
Date Joined Dec 2006
Total Posts : 5
Posted 12/18/2006 2:16 AM (GMT +3)
Okay, I've been trying my hardest with several different ways to remove it but got confused with all but this one, but now I am stuck ... I ran Spybot Search & Destroy and it has located the following ...
 
 --- Search result list ---
Smitfraud-C.: Settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc
Smitfraud-C.:  Library (File, nothing done)
  C:\WINDOWS\system32\rpcc.dll
Smitfraud-C.: Settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts
Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0
Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
 
 
...I then ran Hijack This ...and the following list came up .....
 
Logfile of HijackThis v1.99.1
Scan saved at 2:56:14 PM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\secures4.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SvcManager] secures4.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: pasksa - pasksa.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
 
 
 
... I am stuck on exactly what items I should be selecting to delete ... could someone please help me

blizaine
New Member
Date Joined Dec 2006
Total Posts : 5
Posted 12/18/2006 5:10 AM (GMT +3)
is there no one that can help ?????

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 12975
Posted 12/18/2006 7:54 AM (GMT +3)
Hi blizaine

Please download the latest version (the file contains both English and French versions):
http://siri.geekstogo.com/SmitfraudFix.zip

Mirrors: Alternate official download locations for Smitfraudfix.zip
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
http://telechargement.zebulon.fr/259-smitfraudfix.html

Extract the content (a folder named SmitfraudFix) to your Desktop.

Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.

Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note:
process.exe is detected by some antivirus programs as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Right-click on the hijackthis.exe file and rename it to hjt.exe

Post a fresh HijackThis log using hjt.exe with rapport.txt, and tell how your computer is behaving

Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
Do not PM me with logfiles. They will be deleted
 
 


blizaine
New Member
Date Joined Dec 2006
Total Posts : 5
Posted 12/19/2006 12:40 PM (GMT +3)
... okay, here's the new log after running the fix
 
 
Logfile of HijackThis v1.99.1
Scan saved at 1:34:17 AM, on 12/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.14/WinSSWebAgent.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
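
The two HijackThis logs posted so far can be compared mechanically to see which autostart entries the cleanup removed and which survived. The following is an added example, not part of the original posts: a small parser for the O4 (Run key) and O20 (Winlogon Notify) line formats, run over a constructed sample made of a subset of lines copied from the two logs in this thread. The function names `parse` and `compare` are illustrative.

```python
import re

# Constructed sample: a subset of autostart lines copied from the two logs above.
BEFORE = r"""
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [SvcManager] secures4.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O20 - Winlogon Notify: pasksa - pasksa.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
"""
AFTER = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
"""

# "O<n> - <location>: <rest>"; the location is matched lazily up to the first ": ".
LINE = re.compile(r"^(O\d+) - (.+?): (.*)$")

def parse(log):
    """Return {(section, location, name): target} for O4 and O20 lines."""
    entries = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) not in ("O4", "O20"):
            continue
        section, location, rest = m.groups()
        if section == "O4":                        # "[Name] command line"
            nm = re.match(r"\[(.*?)\]\s*(.*)$", rest)
            if not nm:
                continue
            name, target = nm.groups()
        else:                                      # "name - dll path"
            name, _, target = rest.partition(" - ")
        entries[(section, location, name)] = target.strip()
    return entries

def compare(before, after):
    # Entries are keyed by section, registry location and value name.
    b, a = parse(before), parse(after)
    return {
        "removed": sorted(k for k in b if k not in a),
        "survived": sorted(k for k in b if k in a),
        "orphaned": sorted(k for k, t in b.items() if t.endswith("(file missing)")),
    }

if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```

On this sample the `rpcc` Winlogon Notify entry appears under `survived`, matching the second log, where `rpcc.dll` is still registered after the fix.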
 

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 12975
Posted 12/19/2006 2:45 PM (GMT +3)
Please download:
 
by Swandog46 to your Desktop.
 
Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste all the text in the quote box below.
Quote:
 
 
Files to delete:
C:\WINDOWS\system32\rpcc.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt

Right-click on the hijackthis.exe file and rename it to hjt.exe

Post a fresh HijackThis log using hjt.exe with C:\avenger.txt, and tell how your computer is behaving
 


 
 


blizaine
New Member
Date Joined Dec 2006
Total Posts : 5
Posted 12/19/2006 11:26 PM (GMT +3)
Okay, I followed the steps and when I click the green light icon a message appears ... selected file does not appear to be valid script .. and the error code is 1813

snoopysbuddy
New Member
Date Joined Dec 2006
Total Posts : 1
Posted 12/27/2006 8:46 AM (GMT +3)
Here's what I did to remove smitfraud-c. First, use spybot. Make sure to search for and download all updates before running the scan. The spybot scan will detect smitfraud-c and will remove all parts of it except for the rpcc.dll file. The easiest way is to remove it manually using Windows XP recovery console.

To do so, take Windows XP setup CD and boot from it. Once the setup program comes up, you will have the option to press "R" (I think it's "R") to use the Recovery Console. Log on and when you get to the command prompt you can navigate to the \windows\system32 directory and delete the file. In case you don't know DOS commands, enter the following three commands in the prompt:

cd \windows\system32
del rpcc.dll
exit

That should do it. Enjoy.

Boring_Benji
New Member
Date Joined Jun 2008
Total Posts : 2
Posted 6/5/2008 11:15 PM (GMT +3)
I removed Smitfraud easily with SuperAntiSpyware but my desktop is messed up :-( I got a big white box which I do not know how to remove and when I try to change my desktop background this message pops up:

Windows Internet Explorer:
Cannot find the file:///C:/Windows/privacy_danger/index.htm'. Make sure the path or internet address is correct.

What has that to do with my background???

The same message appears when I lock and unlock the start thing (what it's called in English) down at the bottom of my screen.

Big Liam
New Member
Date Joined Jan 2005
Total Posts : 42
Posted 8/25/2008 11:58 PM (GMT +3)
Here's what will fix the problem:
 
Download and run Spybot S&D, run it in safe mode to remove the first obvious traces of Smitfraud.
 
Once that has completed, reboot and run spybot in safe mode again, just to be on the safe side.
 
Once you are confident that Spybot has done its bit, download and run the following removal tool:  http://www.bleepingcomputer.com/files/smitfraudfix.php
 
Wait until your subscription with Bullguard has run out, then don't bother to renew it, just buy Kaspersky instead, I'm going to.
 
I can't believe Bullguard sat by and did SWEET F.A. while Smitfraud launched an attack on my machine... NOT IMPRESSED.
 
I managed a full system recovery because I have a bit of experience with these sort of things, I can only imagine you guys with no experience completely trashing your systems with a trojan/viral infection that has been around for a while now that BG can't deal with.  Call your local computer repair man and help pay his mortgage next month for him to remove it for you.
 
I hope the 'tech guys' at BG are reading this one.  Sorry, but you just lost a customer.
 
In the meantime, I hope this post helps you if you're a poor BG subscriber who just got infected with Smitfraud.  Goodbye BG, Hello Kaspersky..