Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan-Spy.HTML.Smitfraud.c


  • This topic is locked This topic is locked

#1
Scottjohnson

Scottjohnson

    New Member

  • Member
  • Pip
  • 1 posts
Hey,

Got this trojan earlier and have been working on cleaning it up. I've completed most of the steps from out topics on it, starting with all the usual ad-ware scans. I've taken care of the change to my background (deleteing wp.bmp wp.exe etc, and deleting the system folder in regedit). One thing seems to be left is the change to my browser (IE 6) homepage, I just can't get rid of it.

Here is the HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 9:37:48 PM, on 4/16/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\System32\Ati2evxx.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\WINNT\System32\svchost.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\WINNT\System32\tcpsvcs.exe
G:\WINNT\System32\snmp.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\Ati2evxx.exe
G:\WINNT\Explorer.EXE
G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\Program Files\Winamp\winampa.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\QuickTime\qttask.exe
G:\WINNT\system32\CTHELPER.EXE
G:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINNT\system32\svcnut.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
G:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
G:\program files\valve\steam\steam.exe
G:\Program Files\WinZip\WZQKPICK.EXE
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Unziiped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://G:\WINNT\system32\shdocpl.dll/security.htm#subID=MPV;401
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpl.dll/asst.htm

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] G:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] G:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] G:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [FastStart] G:\WINNT\system32\svcnut.exe home
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "G:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Steam] "g:\program files\valve\steam\steam.exe" -silent
O4 - Global Startup: WinZip Quick Pick.lnk = G:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - G:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://g:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://g:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://g:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - G:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://g:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://g:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - G:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {AB92D341-61F6-457C-8523-8B3F652410BE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AB92D341-61F6-457C-8523-8B3F652410BE} - (no file) (HKCU)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - G:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe


I bolded the two that seem to be connected to taking over my browser, but everytime I try and fix them they come back next scan including try to remove them in safe mode. ATM, apart from the browser hijack I don't see any other effects on my system, but of course after saying that :tazz:
  • 0

Advertisements


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome Scottjohnson to Geeks to Go!

Please read these instructions carefully. Then save them to a Notepad file and put it on your desktop! You may also what to print it. Be sure to follow ALL instructions!

We need to make sure all hidden files are showing so please:* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
Security IGuard
Virtual Maid
Search Maid
Press ‘delete this item’.
Press ‘back’

***

Go to ‘config’
Go to ‘misc tools’
Press ‘open process manager’
Select the process, press ‘kill process’ (and repeat this if necessary):
C:\wp.bmp
C:\Winnt\sites.ini
C:\Winnt\popuper.exe
C:\Winnt\System32\helper.exe
C:\Winnt\System32\intmonp.exe
C:\Winnt\System32\msmsgs.exe
C:\Winnt\System32\ole32vbs.exe
C:\Winnt\system32\msole32.exe
G:\WINNT\system32\svcnut.exe
Exit HijackThis.

***

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\wp.exe
C:\wp.bmp
C:\Winnt\sites.ini
C:\Winnt\popuper.exe
C:\Winnt\System32\helper.exe
C:\Winnt\System32\intmonp.exe
C:\Winnt\System32\msmsgs.exe
C:\Winnt\System32\ole32vbs.exe
C:\Winnt\system32\msole32.exe
G:\WINNT\system32\svcnut.exe
6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

***

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-WILL be there!
C:\Program Files\Security Iguard

Reboot into normal mode.

***

* Download and install Registrar Lite.
* Double click the purple Registrar Lite icon on your desktop.
* Copy the line in the box below and paste it into the "Address" field (located at the top) of the program:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
* Click the "Go" button.
* It will take you into the "Policies" folder.
* Locate the "System" folder (in the right panel)
* If found, right-click on the System folder and go to Delete
* Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

***

Download Hoster
Unzip it to a convenient place and open the program.
Choose "Restore Original Hosts" and press "OK".
Close the program.

***

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

There may also be a number of icons in the system folder that don't belong. Here are some examples:

casino.ico
date.ico
games.ico
mobile.ico
network.ico
pharm.ico
pharm2.ico
scanner.ico
spam.ico
spyware.ico


***

Download CleanUp!.

Find and doubleclick the file cleanup.

Go to options
Select ‘custom’
Put a check to:* empty recycle bins
* delete prefetch files
* scan local drives for temporary files
* CleanUp! All users.
* fully erase files (wipe clean)
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Please do an online scan, 2 would be better,

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

Save the results from the scan!

***

Post back here in this topic using the button ‘add reply’:
The results from the AV scan and a fresh log using HijackThis.



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original post and still need assistance, please send me a PM.

Edited by g2i2r4, 06 May 2005 - 11:40 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP