HELP REMOVE SMITFRAUD-C PLEASE !!

Posted 12/17/2006 11:16 PM
#40677
blizaine Member

Date Joined Nov 2016
Total Posts: 5
Okay, I've been trying my hardest with several different ways to remove it but got confused with all but this one, but now I am stuck .... I ran Spybot Search & Destroy and it has located the following ...


--- Search result list ---
Smitfraud-C.: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc

Smitfraud-C.: Library (File, nothing done)
C:\WINDOWS\system32\rpcc.dll

Smitfraud-C.: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts

Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

...I then ran Hijack This ...and the following list came up .....

Logfile of HijackThis v1.99.1
Scan saved at 2:56:14 PM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\secures4.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SvcManager] secures4.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pasksa - pasksa.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

...I am stuck on exactly what items I should be selecting to delete ... could someone please help me
Posted 12/18/2006 2:10 AM
#40682
blizaine Member

Date Joined Nov 2016
Total Posts: 5
is there no one that can help ?????
Posted 12/18/2006 4:54 AM
#40685
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Hi blizaine

Please download the latest version (the file contains both English and French versions):
http://siri.geekstogo.com/SmitfraudFix.zip

Mirrors: Alternate official download locations for Smitfraudfix.zip
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
http://telechargement.zebulon.fr/259-smitfraudfix.html

Extract the content (a folder named SmitfraudFix) to your Desktop.

Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.

Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select 2 and hit Enter to delete infected files.

You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note:
process.exe is detected by some antivirus programs as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Right-click on the hijackthis.exe file and rename it to hjt.exe

Post a fresh HijackThis log using hjt.exe with rapport.txt, and tell how your computer is behaving

Do not PM me with logfiles. They will be deleted.


Posted 12/19/2006 9:40 AM
#40728
blizaine Member

Date Joined Nov 2016
Total Posts: 5
...okay here's the new log after running the fix

Logfile of HijackThis v1.99.1
Scan saved at 1:34:17 AM, on 12/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.14/WinSSWebAgent.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
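
Added example (not part of any post in this thread): a short Python sketch that compares the O4 (Run) and O20 (Winlogon Notify) lines of the two HijackThis logs posted above, to show which autostart entries the SmitfraudFix pass removed and that the rpcc Winlogon Notify entry Spybot flagged as Smitfraud-C is still present. The log lines are excerpts from the posts; the function names are illustrative.

```python
import re

# Excerpts of the O4/O20 lines from the two HijackThis logs posted above.
BEFORE = r"""
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SvcManager] secures4.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O20 - Winlogon Notify: pasksa - pasksa.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
"""
AFTER = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
NOTIFY = re.compile(r"^Winlogon Notify: (\S+) - (.*?)( \(file missing\))?$")

def parse(log):
    """Return the autostart entries as (kind, name, target, file_missing) tuples."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, rest = m.groups()
        if code == "O4" and (r := RUN.match(rest)):
            entries.add((f"{r[1]} {r[2]}", r[3], r[4], False))
        elif code == "O20" and (n := NOTIFY.match(rest)):
            entries.add(("Winlogon Notify", n[1], n[2], bool(n[3])))
    return entries

def compare(before, after):
    """Split entries into those the cleanup removed, those that survived, and new ones."""
    b, a = parse(before), parse(after)
    return {"removed": b - a, "persisting": b & a, "new": a - b}

def persisting_notify(before, after):
    """Names of Winlogon Notify DLLs that exist on disk in both scans."""
    kept = compare(before, after)["persisting"]
    return sorted(n for kind, n, _, missing in kept
                  if kind == "Winlogon Notify" and not missing)

if __name__ == "__main__":
    for label, items in compare(BEFORE, AFTER).items():
        for kind, name, target, missing in sorted(items):
            print(f"{label:10} {kind:16} {name:18} {target}")
```
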
Posted 12/19/2006 11:45 AM
#40729
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Please download:

http://swandog46.geekstogo.com/avenger.zip

by Swandog46 to your Desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste all the text in the quote box below.

Quote:

Files to delete:
C:\WINDOWS\system32\rpcc.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt

Right-click on the hijackthis.exe file and rename it to hjt.exe

Post a fresh HijackThis log using hjt.exe with C:\avenger.txt, and tell how your computer is behaving

Do not PM me with logfiles. They will be deleted.


Posted 12/19/2006 8:26 PM
#40750
blizaine Member

Date Joined Nov 2016
Total Posts: 5
Okay, I followed the steps and when I click the green light icon a message appears ...selected file does not appear to be valid script.. and the error code is 1813
Posted 12/27/2006 5:46 AM
#41003
snoopysbuddy Member

Date Joined Nov 2016
Total Posts: 1
Here's what I did to remove smitfraud-c. First, use spybot. Make sure to search for and download all updates before running the scan. The spybot scan will detect smitfraud-c and will remove all parts of it except for the rpcc.dll file. The easiest way is to remove it manually using Windows XP recovery console.

To do so, take Windows XP setup CD and boot from it. Once the setup program comes up, you will have the option to press "R" (I think it's "R") to use the Recovery Console. Log on and when you get to the command prompt you can navigate to the \windows\system32 directory and delete the file. In case you don't know DOS commands, enter the following three commands in the prompt:

cd \windows\system32
del rpcc.dll
exit

That should do it. Enjoy.
Posted 6/5/2008 8:15 PM
#62673
Boring_Benji Member

Date Joined Nov 2016
Total Posts: 2
I removed Smitfraud easily with SuperAntiSpyware but my desktop is messed up :-( I got a big white box which I do not know how to remove and when I try to change my desktop background this message pops up:

Windows Internet Explorer:
Cannot find the file:///C:/Windows/privacy_danger/index.htm'. Make sure the path or internet address is correct.

What has that to do with my background???

The same message appears when I lock and unlock the start thing (what it's called in English) down in the bottom of my screen.
Posted 8/25/2008 8:58 PM
#65293
Big Liam Advanced member

Date Joined Nov 2016
Total Posts: 42
Here's what will fix the problem:

Download and run Spybot S&D, run it in safe mode to remove the first obvious traces of Smitfraud.

Once that has completed, reboot and run spybot in safe mode again, just to be on the safe side.

Once you are confident that Spybot has done its bit, download and run the following removal tool: http://www.bleepingcomputer.com/files/smitfraudfix.php

Wait until your subscription with Bullguard has run out, then don't bother to renew it, just buy Kaspersky instead, I'm going to.

I can't believe Bullguard sat by and did SWEET F.A. while Smitfraud launched an attack on my machine... NOT IMPRESSED.

I managed a full system recovery because I have a bit of experience with these sort of things, I can only imagine you guys with no experience completely trashing your systems with a trojan/viral infection that has been around for a while now that BG can't deal with. Call your local computer repair man and help pay his mortgage next month for him to remove it for you.

I hope the 'tech guys' at BG are reading this one. Sorry, but you just lost a customer.

In the meantime, I hope this post helps you if you're a poor BG subscriber who just got infected with Smitfraud. Goodbye BG, Hello Kaspersky..