I think I have the smitfraud virus. It comes up when I run spybot but won't delete it. I don't see anything really unusual in my hjt log except for the 'no name' files. I know where the infected files are suppossedly located on my computer but cannot delete them because they are always in use. I can't run 'smitfraud fix' because my computer won't let me boot in safe mode, just regular mode. Is it ok to run smitfraud fix in regular mode?? Everywhere i read about it says to do it in safe mode but no one addresses what to do if you can't use safe mode. Here is my hjt log. If anyone sees anything wrong with it or has any ideas I would appreciate it. Thanks Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:33:42 PM, on 10/31/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\WINDOWS\stsystra.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Roxio\Media Experience\DMXLauncher.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe C:\Program Files\Advanced Registry Doctor\RegManServ.exe C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Hijack This\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: (no name) - {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} - (no file) O2 - BHO: (no name) - {72C5FABF-667F-4155-9246-8CC20FAC0775} - (no file) O2 - BHO: (no name) - {E4EEFFED-93CD-4CF0-A0F3-50D139121FEE} - (no file) O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Gabe\Advanced JPEG Compressor\ajcieex.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{CC616A8F-9AD7-4A57-B4C6-D3C300006940}: NameServer = 68.230.242.30,68.230.242.25 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe The only symptom my computer has of the virus is pop ups in IE about every 2-3 minutes. But i actually use firefox for browsing. Thanks again
http://www.bleepingcomputer.com/forums/topic17258.html This guide seems very easy and accurate. bunny
Would seem easy enough if I could go into safe mode... but i can't. Does it matter?? Should I run the program in normal mode??
Why can't you go into safe mode? I think the reason you're asked to go into safemode is to make sure the virus isn't running at that time,but you may as well give it a go.
When i try to boot in safe mode i get the blue screen of death. "A fatal error has occurred and windows has shutdown blah blah blah." Then I have to use the power button on my cpu to shut it down and restart.
I didn't know Cpu's had power buttons. Try without going into safemode if you really can't get into safemode. I also suggest you restore your computer to before this virus infected your computer. How to restore computer 1. Log on to Windows as Administrator. 2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts. 3. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next. 4. On the Select a Restore Point page, click the most recent system checkpoint in the On this list, click a restore point list, and then click Next. A System Restore message may appear that lists configuration changes that System Restore will make. Click OK. 5. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration, and then restarts the computer. 6. Log on to the computer as Administrator. The System Restore Restoration Complete page appears. 7. Click OK. Back to the top Troubleshooting You may inadvertently restore Windows XP to a previous configuration that you do not want. To undo the restoration: 1. Log on to Windows as Administrator. 2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts. 3. On the Welcome to System Restore page, click Undo my last restoration, and then click Next. A System Restore message may appear that lists configuration changes that System Restore will make. Click OK. 4. On the Confirm Restoration Undo page, click Next. System Restore restores the original Windows XP configuration, and then restarts the computer. 5. Log on to the computer as Administrator. The System Restore Undo Complete page appears. 6. Click OK. Source: http://support.microsoft.com/?scid=kb;en-us;306084&x=15&y=16
how could you not know computers have power buttons. On the front of my dell there is a circular button that i push to turn it on.... I'm at a loss for words. If anyone has the same problem and comes across this thread in the future i actually did get some good help here, http://www.bleepingcomputer.com/forums/index.php?showtopic=114488&st=0&p=650566&#entry650566 smitfraud gone and I can boot into safe mode now.
Great, problem solved. I think you've had a slight mix up: CPU stands for Central Processing Unit,in short, Cpu means processor. And a processor looks like this: I think you meant PC or Computer.
