Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan-Spy.html.smitfraud.c


  • Please log in to reply

#16
Emerald

Emerald

    New Member

  • Member
  • Pip
  • 5 posts
RE: Trojan-Spy.HTML.Smitfraud.c

I am responding back to previous post, I followed the Malware Removal list, and here is the Hijack This Log: Please help me determine what to remove, and do you know if this should help remove this Trojan or what else should I do.

FYI - my system would not let me update with windows updates, kept trying and kept getting error message - saying it could not update, ERROR.

THANK YOU very much for your HELP, Emerald

Logfile of HijackThis v1.99.1
Scan saved at 5:53:27 PM, on 4/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\wp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nova Development\Photo Explosion\CalCheck.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\N3XVJDSW\HijackThis[1].exe
C:\WINNT\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {480CF806-5AD3-4136-A134-46B4DF505AB1} - C:\WINNT\System32\mfplay.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Inet\Perf] C:\WINNT\screendat.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Photo Explosion Calendar Checker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINNT\acezlink.htm
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {EC1549A8-2636-42D5-A82E-741789528426} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EC1549A8-2636-42D5-A82E-741789528426} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yah...nance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredim...er/imloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Panda Antispam Service (PASSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Panda Imanager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

  • 0

Advertisements


#17
bigbill

bigbill

    New Member

  • Member
  • Pip
  • 2 posts
:tazz: Just a note to all thanks for the help the last touch for this little *^&^%$&* is delete the system key it is completely added and is what is blocking you from changing your wall paper..... I looked in the reg of another system not effected didn't see the key. Alls good now


Thanks again

Bill
  • 0

#18
Emerald

Emerald

    New Member

  • Member
  • Pip
  • 5 posts
Thanks for your notes, I am sorry, still learning, not a computer expert, Where do I find this system key and registry you all speak of - I have XP. Just want to make sure what I am doing, before trying to delete. Question, so after I find this system key (please direct me), and delete it, will this then get rid of the Trojan - or is there more....

Thanks, Emerald
  • 0

#19
gerryf

gerryf

    Retired Staff

  • Retired Staff
  • 11,365 posts
emerald,

You really should start your own thread, it helps clear up confusion

Also, this is the wrong forum on two counts---one, this forum is for win9x family; two, the Malware forum is where you should be posting.

That said,

the registry is a database of windows settings composed a hives on a windows xp machine. It is accessible by regedit.exe or regedt32.exe

Deleting the key is editing the registry and something you should have a little more knowledge of before going into it blindly.

Hijackthis, actually looks into the registry and shows you the keys.

In your case, these are all suspect keys and you can remove them by checking and clicking fix this.

O4 - HKLM\..\Run: [Inet\Perf] C:\WINNT\screendat.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

You should also delete these keys, since they are damaged/incorrect

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {480CF806-5AD3-4136-A134-46B4DF505AB1} - C:\WINNT\System32\mfplay.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
  • 0

#20
bigbill

bigbill

    New Member

  • Member
  • Pip
  • 2 posts
:tazz: Sorry for any confusion did not know this was just win98 found it thru google tracing the trojan. If you read the other posts before this and do them i.e. delete all the wp stuff
You find this key deleting it returned the system I was working on to its orignal system state.

Bill


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • 0

#21
1N73RF4C3

1N73RF4C3

    New Member

  • Member
  • Pip
  • 2 posts
Trojan-Spy.html.smitfraud.c

My name is Vicente J. Bailén; I fully restored my desktop wallpaper, and the lost panel!!

(Tested in a WinXP Pro with SP1, Spanish config available)

1) I ran Spybot S-D, (i thought it was a low level problem)
- It was removed a lot of problems, but my wallpaper desktop remains equal!.

2) I ran Norton AV 2004 Pro (live updates till 14, April, 2005, this seems serious).

- A lot of threats detected and some removed (restart computer), after all my desktop stay with the same blue screen.

4) Finally (The solution):

1) Kill task "wp.exe"

2) Delete "C:\wp.exe" - You will also see a file called "C:\wp.bmp".
This is the image you see on desktop (the blue screen)

4) Uninstall SecurityIGuard (some security, this is the wolves guarding the henhouse), <--- removed by spybot S-D (or Norton perhaps).

5) Fix registry settings to allow control panel tabs to be visible:

By typing "regedit" on execute "regedit" navigate to this folder.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

Set the following value to this entry:

"NoDispBackgroundPage"=dword:0x00000000(0)

Then remove this other entry:

"Wallpaper"=reg_sz:"c:\wp.bmp"

Close regedit program and set your favourite wallpaper as you will.!!

My E-mail is [email removed to prevent spam] I will feel better, if i receive a (tiny if you are busy) letter from people who I’ve helped in some way by thinking i haven't waste my time posting this!.

bye folks and geeks!! "hasta otra, nos vemos en la inmensidad de la RED".

Edited by admin, 19 April 2005 - 12:03 AM.

  • 0

#22
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
This Topic is now closed,
as gerryf said you start a topic in the Malware Removal Forum,,

Please note:
Please refrain from posting help in the Malware Removal Forum until you have been trained at GeekU.



Any of the suggestion you try you do so at your own risk, We appreciate your trying help but be patient and one of the Mods or Trusted Helpers will be along to assist you.

Thannks
Don

admin edit: This is a very new infection, please have patience. We do have a fix in the works, but it's not as simple as removing a predfined list of items from a HijackThis log, and is much more involved than outlined above -- every infection may be slightly different, and still requires intervention of an expert. Please post a new topic in our malware removal forum

Edited by admin, 19 April 2005 - 12:04 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP