
Trojan-Spy.HTML.smitfraud.c ---Homerjay---


This topic is locked

#1
homerjay
Member, 56 posts
Yes, I'm another one!!
I used Avast antivirus, home (and free) edition, updated every day, but nothing, no virus/trojan found... "your system is OK", but I don't think so!!
I deleted the wp.exe and .bmp and all the registry objects (with RegCleaner), but I can't remove popuper.exe and intmonp.exe. But now I no longer have the blue screen (a black one now), or the yellow triangle on the bar.
I used Ad-Aware and Trojan Hunter too, but nothing happens!!!!
I've seen all of your messages, but my English is not so good and I'm not a software specialist..... sorry :tazz:

This is what I understood: there is no antivirus software, right now, able to eliminate this malware, is that right?
Because this is a new trojan or a new version of a previous trojan?
I can't find anything similar on symantec.com or avast.com, no virus definition for this trojan. Is it so tremendous??? Is it a serious menace??? Does it steal passwords??? And so on......

I'm trying the Panda antivirus online scan right now (this is another PC).....

I think I'm not able to follow your indications, so, what if I format my PC?? Is it secure or not? Does a single piece of software exist to remove the malware, or will it exist in a few days????


Thanks very much to all of you!!!

Edited by homerjay, 14 April 2005 - 06:25 AM.

  • 0



#2
homerjay
Member (Topic Starter), 56 posts
I can't download Windows Update; Internet Explorer says: "searching for the latest version of Windows Update software..... click yes" (or something similar in English :tazz: )

After this, in the past I downloaded the software, it checked my updates and suggested new updates. Now this doesn't happen! I get the previous page forever!!! Someone says I have a bad ActiveX control: how do I download it?

Or how can I download the updates manually? I've found this: http://www.microsoft...en&categoryId=7

But I can't see what I already have....

Without Windows updates I'm really exposed, aren't I?

Edited by homerjay, 14 April 2005 - 12:45 PM.

  • 0

#3
homerjay
Member (Topic Starter), 56 posts
.... I'll respond to my own questions, because nobody else does... ;)

These are my actions, as indicated in other posts:
reboot in safe mode, and view hidden folders/files
delete c:\windows\system32\intmonp.exe
delete c:\windows\popuper.exe
(I had already deleted wp.exe and helper.exe manually before)

And it seems to work. Of course I have to test it for a while, but now I no longer have the previous files in my tasks!!
I didn't use Pocket Killbox, because it seems OK, but if something's bad I'll use it!!

And now a new question: is it really OK, or does it just seem to be??? :tazz: ;)

Only one thing is bad for now, but not so important:
my desktop is black and I can't change it because I have only 2 tabs in Desktop Properties. What do I have to do? Can you post the exact sequence to modify the registry? I've searched HKCU but I don't know how to modify it.

Thanks a lot!!!

Edited by homerjay, 15 April 2005 - 05:54 AM.

  • 0

#4
Joshy J
New Member, 9 posts
Edit: E-mail Address Removed

Please refrain from replying to topics in the Malware Removal Forum until you have been trained at GeekU.
Thanks
Don

Edited by ScHwErV, 16 April 2005 - 06:08 AM.

  • 0

#5
homerjay
Member (Topic Starter), 56 posts
Thanks, I'll try msconfig, but my system doesn't load any toolbar or similar things ...... my PC is always clean :tazz:

Is there software to modify the registry without manual intervention????
  • 0

#6
ScHwErV
Member 5k, Retired Staff, MVP, 21,285 posts
homerjay,

Hello and welcome to Geeks To Go.

Please ignore the suggestions about msconfig. It will only hinder our ability to fix your computer as it will hide things that I need to see. Msconfig is also not a fix to any problem. It is merely a band-aid to get you by for the time being.

Please read this post and follow the instructions there.

In order to get a better idea of what's happening with your computer:
  • Please download the latest version of HiJackThis from either Site 1 or Site 2
  • Copy it into its own folder, double-click HijackThis.exe, and hit "Do a system scan and save a logfile"
  • When the scan is finished, it will ask you to save the log. Just save it anywhere that you will remember like your desktop.
  • After you save it, the log will open in notepad. In notepad, press Ctrl-A to Select All, and copy its contents in a reply to this post.
  • Most of what it lists will be harmless or even essential
  • Don't Fix Anything Yet
Good Luck

ScHwErV :tazz:
  • 0

#7
homerjay
Member (Topic Starter), 56 posts
Thanks ScHwErV.
I know msconfig can't fix any problem, I just ran it to get an idea, just that.

This is my log:

Logfile of HijackThis v1.99.1
Scan saved at 15.54.17, on 16/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\SygatePF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avast4\aswUpdSv.exe
C:\Programmi\Avast4\ashServ.exe
C:\Programmi\FreePOPs\freepopsservice.exe
C:\Programmi\FreePOPs\freepopsd.exe
C:\Programmi\Avast4\ashMaiSv.exe
C:\Programmi\Avast4\ashWebSv.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SygatePF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Programmi\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [TorrentSearch] C:\Programmi\TSx\TSx.exe minimized
O4 - HKLM\..\Run: [Schedulatore di FinePrint v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Programmi\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &RSDN Search - res://C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL/GoVM.dll.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {DAE9A75E-0B76-4250-A15E-7693BAF47E25} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DAE9A75E-0B76-4250-A15E-7693BAF47E25} - (no file) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095002666201
O16 - DPF: {7F8B2500-3B5D-474C-B828-C766ECE3AB3C} (ATLmosquito1 Class) - http://fax.tiscali.i...cx/mosquito.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FreePOPs - Unknown owner - C:\Programmi\FreePOPs\freepopsservice.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\SygatePF\smc.exe



Note: when I start up my system, my firewall and antivirus don't run automatically (really strange), so I run them manually.
I have a black desktop as the last problem (I think).
I've deleted all the values in the registry containing intmonp.exe, helper.exe, popuper.exe, wp.exe, virtualmaid and searchmaid.

That's all.

Edited by homerjay, 16 April 2005 - 08:03 AM.

  • 0
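The log above is what a malware-removal helper reads by hand: O4 entries are autostart (Run-key) programs, O23 entries are services, F2 is the system.ini shell line. The following Python script is an added example, not part of this thread and not HijackThis code; it parses those three line formats and flags the things a helper would look at first. The sample lines are copied from the log posted above, the suspect file names are the ones homerjay reports removing (wp.exe, intmonp.exe, popuper.exe, helper.exe), and the "trusted directory" list is an assumption for this machine (Programmi is the Italian Program Files).

```python
"""Triage of HijackThis-style log lines: added example, not part of this thread
or of HijackThis. Sample lines are copied from the log posted above; the
suspect file names are the ones homerjay reports; the trusted-directory list
is an assumption for illustration."""
import re

# File names the thread associates with this infection (taken from the posts).
SUSPECT_NAMES = {"wp.exe", "intmonp.exe", "popuper.exe", "helper.exe"}

# Directories where autostart executables normally live on this machine
# (assumption; "Programmi" is the Italian Program Files folder).
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\programmi\\", "c:\\progra~1\\",
                        "c:\\program files\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")


def exe_path(cmd):
    """Return the executable path of a Run-key command line (quotes and arguments stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_line(line):
    """Return a list of findings for one log line; an empty list means nothing notable."""
    findings = []
    m = O4_RE.match(line)
    if m:
        path = exe_path(m.group("cmd")).lower()
        base = path.rsplit("\\", 1)[-1]
        if base in SUSPECT_NAMES:
            findings.append("O4 [%s]: autostart of a file name reported in this thread: %s" % (m.group("name"), base))
        if not path.startswith(TRUSTED_DIR_PREFIXES):
            findings.append("O4 [%s]: autostart from an unusual location: %s" % (m.group("name"), path))
        return findings
    m = O23_RE.match(line)
    if m and "(file missing)" in m.group("path"):
        findings.append("O23 %s: service binary missing, registration is broken" % m.group("svc"))
        return findings
    m = F2_RE.match(line)
    if m:
        # Anything after Explorer.exe is loaded as part of the shell: verify each entry.
        extra = [s.strip() for s in m.group("shell").split(",")[1:] if s.strip()]
        if extra:
            findings.append("F2 Shell=: extra program(s) beside Explorer.exe, verify each is legitimate: " + ", ".join(extra))
    return findings


def triage_log(text):
    """Map every flagged line of a log to its findings."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        found = triage_line(line)
        if found:
            result[line] = found
    return result


# Constructed sample: lines copied from the HijackThis log in post #7.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SygatePF\smc.exe -startgui
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Avast4\ashMaiSv.exe" /service (file missing)
"""

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG).items():
        print(line)
        for f in findings:
            print("   ->", f)
```

Run against the sample, the script flags three lines: the `[WindowsFY] c:\wp.exe` autostart (both a name reported in the thread and a binary sitting in the root of C:\), the avast! Mail Scanner service whose binary is marked "(file missing)", and the F2 shell line that loads msmsgs.exe beside Explorer.exe (MSN Messenger here, so worth checking rather than automatically bad). The avast!, Messenger Plus and Sygate entries pass because they start from the expected Program Files directories.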

#8
ScHwErV
Member 5k, Retired Staff, MVP, 21,285 posts
homerjay

As you have started your own removal, I don't know if I will be able to determine what infection you do have.

Can you give me a better idea of your symptoms and what you have already done?

ScHwErV :tazz:
  • 0

#9
homerjay
Member (Topic Starter), 56 posts
My symptoms WERE: Internet Explorer popups at regular intervals, with advert pages, casino and so on.
Yellow icon flashing in the tray bar, similar to a Windows icon ("memory full" or similar, I don't know the exact phrase in English).
Blue desktop with white text referring to trojan-spy.html.smitfraud.c and removal instructions, like running an "antivirus" that had been installed.
Installation of this antivirus, I don't remember the name.

I've read a post in this forum saying to reboot in safe mode and manually delete the files intmonp, wp, popuper and helper. I had previously deleted the files wp.exe, wp.mpg and helper.exe manually without rebooting in safe mode. Then I rebooted in safe mode and deleted popuper.exe and intmonp.exe.
Then I deleted any references in the registry (with regedit) to these files and to Virtualmaid and searchmaid (I don't know if the last 2 are part of the malware....)

This is the actual situation: black screen; if I left-click on the desktop, I have only 2 tabs, so it's impossible to change the desktop image.
I have NO MORE yellow icon or popups, none of the previous symptoms!! I NO LONGER have these files (intmonp etc.) in the Task Manager window!!! So I think it's all OK!! :tazz:

I think I deleted the malware but I can't get the "full performance" of my system: in fact sometimes at start-up my PC doesn't load my antivirus and my firewall (Avast 4 and Sygate Pro), so I need to restart the PC.
And sometimes (with the other identities, a limited access one) it restarts by itself, without prompting.

So, many thanks to you ScHwErV, but I think I need help ;)

And 2 questions for you: is this "smitfraud.c" a new virus, not yet included in the virus definitions??
And: I think I've deleted all the malware... so what if I restore a previous configuration?

Note: in the registry I found this link: C:\.......\desktop\intmonp.rar and c:\....\desktop\intmonp00000.rar.
I think the malware downloads itself to the desktop and then runs itself, doesn't it?

Edited by homerjay, 17 April 2005 - 08:29 AM.

  • 0

#10
ScHwErV
Member 5k, Retired Staff, MVP, 21,285 posts
homerjay

Let's try a few scans and see if we can figure out what's happening on your computer.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

Please download Spybot Search & Destroy and AdAware.

Follow all the instructions on this website to run a scan with both of these programs.

After that, post back with the results of those scans and we will see what we can come up with.

ScHwErV :tazz:
  • 0



#11
homerjay
Member (Topic Starter), 56 posts
This is my Kaspersky log; it took a very long time!!!:

Total number of scanned objects: 113106
Number of viruses found: 16
Number of infected objects: 32
Number of suspicious objects: 5
Duration of the scan process: 53599.452 sec

It's so strange, because I have a fully updated antivirus, Avast 4!!!
I deleted most of the viruses, but I didn't delete these because they're all my e-mails, incoming, outgoing, sent etc. (.dbx files):


C:\Documents and Settings\Daniele...}\Microsoft\Outlook Express\ebay.dbx Trojan-...ayfraud.aa send delete
C:\Documents and Settings\Daniele...\Outlook Express\Posta in arrivo.dbx not-vir...2.Finger.b send delete
C:\Documents and Settings\Daniele...ft\Outlook Express\Posta inviata.dbx not-vir...2.Finger.b send delete
C:\Documents and Settings\Daniele...\Outlook Express\Posta in arrivo.dbx not-vir...2.Finger.b send delete
C:\Documents and Settings\Daniele...ft\Outlook Express\Posta inviata.dbx not-vir...2.Finger.b send delete
C:\Documents and Settings\Daniele...\Outlook Express\Posta in arrivo.dbx not-vir...2.Finger.b send delete
C:\Documents and Settings\Daniele...ft\Outlook Express\Posta inviata.dbx not-vir...2.Finger.b send delete


Now I'm performing another scan with the same antivirus; I think it will be complete tonight.

I see in Kaspersky there's a virus definition for smitfraud.c, and in Symantec a similar virus exists... but nothing in Avast.

Edited by homerjay, 19 April 2005 - 03:27 AM.

  • 0

#12
ScHwErV
Member 5k, Retired Staff, MVP, 21,285 posts
After that completes, let me know how things are running and if it found anything else.

If KAV is finding things in the dbx files, you should go through your email and empty the deleted items and then find and delete any emails with attachments unless you are sure you need to keep them.

ScHwErV :tazz:
  • 0

#13
homerjay
Member (Topic Starter), 56 posts

If KAV is finding things in the dbx files, you should go through your email and empty the deleted items and then find and delete any emails with attachments unless you are sure you need to keep them.

OK, but KAV finds malware not in my deleted items, but in my incoming, outgoing etc., in all my folders; it's so strange.
However, I always delete suspicious files, and I use MailWasher too, so many mails do not arrive on my PC!! I can't explain why I have all this malware!!
  • 0

#14
ScHwErV
Member 5k, Retired Staff, MVP, 21,285 posts
It might be just catching things that look suspicious.

How are things running now?

ScHwErV :tazz:
  • 0

#15
homerjay
Member (Topic Starter), 56 posts
I'm sorry but my 2nd scan was interrupted by a blackout....... I'm not a lucky man!
Now I'm performing an Ad-Aware scan, because it's faster than the antivirus scan. This evening I'll start the antivirus scan; it takes 15 hours to complete, so I need 24 hours in total.... sorry :tazz:
  • 0





