# Solved: Smitfraud.exe not working



## beth_reinbold (Jun 10, 2007)

This morning I started getting popups titled "Security Alert: Spyware Found". They look eerily like a Microsoft application, but I knew it wasn't. I checked Task Manager and noticed that I had 3 new processes running: imsmn.exe, iesmn.exe, and imsmain.exe. Did a Google search and found this site. I already had HijackThis so I ran that, no help. Read through some of the forums and saw that I should try smitfraudfix.exe, so I downloaded the most current version, but it will not run on my computer. It just opens and closes, any help? If I can get that to work, I already saw how to fix this problem.

Any help will be greatly appreciated, as I am an online gamer and these popups are ruining the experience. Thanks.


----------



## MFDnNC (Sep 7, 2004)

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a *folder* named *SmitfraudFix*) to your Desktop.

Next, please reboot your computer in *Safe Mode* by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*

Warning: running option #2 on a non infected computer will remove your Desktop background.


----------



## beth_reinbold (Jun 10, 2007)

Did that, it will not run! That's my problem!


----------



## MFDnNC (Sep 7, 2004)

What do you mean it will not run - have you extracted ALL of the files to a folder vs. running the download?


----------



## beth_reinbold (Jun 10, 2007)

Yes, I downloaded it to my desktop, then I extracted to a folder on my desktop, went into Safe Mode, double-clicked on smitfraudfix.cmd and it popped up and went away.


----------



## MFDnNC (Sep 7, 2004)

How many files in that folder?

Post a hijack log

Click here to download HJTsetup.exe:

http://www.thespykiller.co.uk/index.php?action=tpmod;dl=item5

*Scroll down to the download section where the download button is*

Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## beth_reinbold (Jun 10, 2007)

13 files in the folder

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:16:56 PM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Video ActiveX Access\iesplg.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll


----------



## MFDnNC (Sep 7, 2004)

You must have files whitelisted in hijack to get a list that short and you have no active AV

You have no active AntiVirus!

Get the free AVG AntiVirus 7.5 install it, check for updates and run a full scan

AVG 7.5 - http://free.grisoft.com/freeweb.php/doc/2/
================
Download Superantispyware (SAS)

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
- It will ask if you want to update the program definitions, click Yes.
- Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining.
  - Please leave the others unchecked.
  - Click the Close button to leave the control center screen.
- On the main screen, under Scan for Harmful Software click Scan your computer.
- On the left check C:\Fixed Drive.
- On the right, under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click OK.
- Make sure everything in the white box has a check next to it, then click Next.
- It will quarantine what it found and if it asks if you want to reboot, click Yes.
- To retrieve the removal information for me please do the following:
  - After reboot, double-click the SUPERAntispyware icon on your desktop.
  - Click Preferences. Click the Statistics/Logs tab.
  - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  - It will open in your default text editor (such as Notepad/Wordpad).
  - Please highlight everything in the notepad, then right-click and choose copy.
- Click close and close again to exit the program.
- Please paste that information here for me *with a new HijackThis log*.


----------



## beth_reinbold (Jun 10, 2007)

"You must have files whitelisted in hijack to get a list that short"

I don't understand what that means.


----------



## MFDnNC (Sep 7, 2004)

That means HiJack is ignoring entries - that is one of the shortest lists I've seen


----------



## beth_reinbold (Jun 10, 2007)

So what can I do to change that, run the scans?


----------



## MFDnNC (Sep 7, 2004)

Do the scans

In hijack - click on ignorelist at the top and remove any entries in there


----------



## beth_reinbold (Jun 10, 2007)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/10/2007 at 11:44 PM

Application Version : 3.8.1002

Core Rules Database Version : 3251
Trace Rules Database Version: 1262

Scan type : Complete Scan
Total Scan Time : 03:00:57

Memory items scanned : 400
Memory threats detected : 4
Registry items scanned : 5541
Registry threats detected : 28
File items scanned : 75531
File threats detected : 49

Trojan.Media-Codec/V3
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IMSMAIN.EXE
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IMSMAIN.EXE
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESMN.EXE
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESMN.EXE
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IMSMN.EXE
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IMSMN.EXE
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESMIN.EXE
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESMIN.EXE
[rare] C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IMSMAIN.EXE
[user32.dll] C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESMN.EXE
HKLM\Software\Classes\CLSID\{B8C5186E-EC37-4889-9C2E-F73649FFB7BB}
HKCR\CLSID\{B8C5186E-EC37-4889-9C2E-F73649FFB7BB}
HKCR\CLSID\{B8C5186E-EC37-4889-9C2E-F73649FFB7BB}#xxx
HKCR\CLSID\{B8C5186E-EC37-4889-9C2E-F73649FFB7BB}\InprocServer32
HKCR\CLSID\{B8C5186E-EC37-4889-9C2E-F73649FFB7BB}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESPLG.DLL
HKLM\Software\Classes\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}\Implemented Categories
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}\InprocServer32
HKCR\CLSID\{DF4E7A0C-E233-4906-B4C1-A404356541FF}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESBPL.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8C5186E-EC37-4889-9C2E-F73649FFB7BB}
HKU\S-1-5-21-1400056882-2879173148-3612537154-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{DF4E7A0C-E233-4906-B4C1-A404356541FF}
HKCR\CLSID\{B8C5186E-EC37-4889-9C2E-F73649FFB7BB}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar#UninstallString
C:\Program Files\Video ActiveX Access\iesbunst.exe
C:\Program Files\Video ActiveX Access\iesunst.exe
C:\Program Files\Video ActiveX Access\imsunst.exe
C:\Program Files\Video ActiveX Access\ot.ico
C:\Program Files\Video ActiveX Access\ts.ico
C:\Program Files\Video ActiveX Access\uninst.exe
C:\Program Files\Video ActiveX Access
C:\WINDOWS\Prefetch\IESMIN.EXE-0588F2B7.pf
C:\WINDOWS\Prefetch\IESMN.EXE-15D14ED5.pf
C:\WINDOWS\Prefetch\IMSMAIN.EXE-07BBF5F8.pf
C:\WINDOWS\Prefetch\IMSMN.EXE-332DD0DD.pf

Adware.Tracking Cookie
C:\Documents and Settings\Your Name Here\Cookies\[email protected][1].txt
C:\Documents and Settings\Your Name Here\Cookies\[email protected][1].txt
C:\Documents and Settings\Your Name Here\Cookies\[email protected][1].txt
C:\Documents and Settings\Your Name Here\Cookies\[email protected][3].txt
C:\Documents and Settings\Your Name Here\Cookies\[email protected][2].txt
C:\Documents and Settings\Your Name Here\Cookies\[email protected][2].txt
C:\Documents and Settings\Your Name Here\Cookies\[email protected]ctor[1].txt
C:\Documents and Settings\Your Name Here\Cookies\[email protected][1].txt
C:\Documents and Settings\Your Name Here\Cookies\[email protected][1].txt
C:\Documents and Settings\Your Name Here\Cookies\[email protected][4].txt
C:\Documents and Settings\Your Name Here\Cookies\[email protected][1].txt
C:\Documents and Settings\Beth\Cookies\[email protected][1].txt
C:\Documents and Settings\Beth\Cookies\[email protected][1].txt
C:\Documents and Settings\Beth\Cookies\[email protected][1].txt
C:\Documents and Settings\Your Name Here\Cookies\[email protected][1].txt
C:\Documents and Settings\Your Name Here\Local Settings\Temp\Cookies\your name [email protected][2].txt
C:\Documents and Settings\Your Name Here\Local Settings\Temp\Cookies\your name [email protected][1].txt

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Trojan.Media-Codec
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#user32.dll [ C:\Program Files\Video ActiveX Access\iesmn.exe ]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#rare [ C:\Program Files\Video ActiveX Access\imsmain.exe ]

Malware.SpyLocked
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#UninstallString

Adware.GloboLook
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP110\A0019242.ICO

Adware.Zango Toolbar/Hb
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP130\A0024132.DLL

Adware.180solutions/Seekmo
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP130\A0024133.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP130\A0024134.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP130\A0024135.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP130\A0024136.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP130\A0024145.DLL

Malware.DriveCleaner
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP136\A0030252.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP136\A0030267.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP136\A0030268.EXE

Trojan.WinLoad32/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP41\A0008850.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP41\A0008852.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP41\A0008853.EXE

Logfile of HijackThis v1.99.1
Scan saved at 11:50:11 PM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

There was nothing on the ignore list.


----------
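
Added example (not part of any post in this thread and not HijackThis's own code): this Python script diffs abbreviated excerpts of the two HijackThis logs posted above to confirm which running processes and registry entries disappeared after the cleanup and which appeared. The function names `parse_hjt` and `diff_logs` are hypothetical.

```python
import re

# Abbreviated excerpts of the two HijackThis logs posted in this thread.
BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\Program Files\Video ActiveX Access\iesmn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Video ActiveX Access\iesplg.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Entry lines look like "O2 - BHO: ..." or "R0 - HKCU\...": a letter, 1-2 digits, " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_hjt(text):
    """Return (running process paths lowercased, set of (code, detail) entries)."""
    procs, entries, in_procs = set(), set(), False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False          # first entry line ends the process list
            entries.add((m.group(1), m.group(2)))
        elif in_procs and line:
            procs.add(line.lower())   # Windows paths are case-insensitive
    return procs, entries

def diff_logs(before, after):
    """What disappeared and what appeared between two scans."""
    bp, be = parse_hjt(before)
    ap, ae = parse_hjt(after)
    return {"procs_gone": bp - ap, "procs_new": ap - bp,
            "entries_gone": be - ae, "entries_new": ae - be}

if __name__ == "__main__":
    print(diff_logs(BEFORE, AFTER))
```
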



## MFDnNC (Sep 7, 2004)

Clean

If you feel it is fixed, mark it solved via Thread Tools above.

Turn off restore points, boot, turn them back on. Here's how:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


----------



## beth_reinbold (Jun 10, 2007)

Ty so much, that SAS really helped! I work in internet tech support and I will definitely be recommending this site and that program. :up:


----------

