
Trojan-Spy.HTML.Smitfraud [RESOLVED]


This topic is locked

#1 joshuageeks6999 (Member, 91 posts)
Hi...located your site by Google of Trojan-Spy...Smitfraud!!! Looks like I'm not alone!!

On boot get message

A fatal error in IE has occurred at
0028:C0011E36 in VXD VMM(01) + 00010E36
Error was caused by Trojan-Spy.HTML.Smitfraud

Attempts at IE fail, using Taskmgr for all functions. IE results in message in address line res://bhoass.dll/HTTP_Blocked.htm

Wonder if some of this is legitimate new spyware blocking illegal attempts at change.

I've tried
Adaware-se
SpybotSD
CWShredder
Microsoft Antispyware
XoftSpy

...all new downloaded versions today 4/17
...and here's the newest HJT log

Also, I've tried to absorb other threads on this and have
...a system.ini logfile ready for you
...downloaded Reglite, but it does NOT locate a system file under Policies...

THANK you...by the way...would it be too much to ask, say for the range of donations that you've received??

joshuageeks6999

Logfile of HijackThis v1.99.1
Scan saved at 2:01:59 PM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\XPsys.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Documents and Settings\dane\Start Menu\Programs\Startup\netdb.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Registrar Lite\rl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dane\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [s19byn.exe] C:\documents and settings\dane\local settings\temp\s19byn.exe
O4 - HKLM\..\Run: [s19byn] C:\documents and settings\dane\local settings\temp\s19byn.exe
O4 - HKLM\..\Run: [vOTMRa.exe] C:\documents and settings\dane\local settings\temp\vOTMRa.exe
O4 - HKLM\..\Run: [vOTMRa] C:\documents and settings\dane\local settings\temp\vOTMRa.exe
O4 - HKLM\..\Run: [iframeworks.exe] C:\DOCUME~1\dane\LOCALS~1\Temp\nbmj.dat
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: netdb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Windows.hta
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Microsoft® JavaScript® Console - {F1C82202-A967-4244-A191-441F2D029901} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {F1C82202-A967-4244-A191-441F2D029901} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:...va/cfs31229.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...layer5AxWin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D6C6BBA-79AC-4A08-B60D-280829FFE112}: NameServer = 207.115.64.2,207.115.64.3
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
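
Added example, not part of the thread and not a Geeks to Go or HijackThis tool: a small Python script that reads lines in the HijackThis log format used above and flags the patterns a log reader looks for in a Smitfraud-type infection: an F2 system.ini Shell= line that launches more than explorer.exe, O4 Run entries that start something from a temp directory or run a non-executable file such as .dat as a program, bare executables and .hta scripts sitting in a Startup folder, and one target registered under two Run names. The sample lines are constructed from the entry types in the log (a shortened subset, not the full log); the regular expressions and thresholds are my own assumptions about the format, not anything HijackThis itself ships.

```python
import re

# Constructed sample in HijackThis v1.99 log format. Not the full log from the
# post: it keeps only the line types analysed below, plus a few benign entries
# (ATI tray, MSN Messenger, an Adobe .lnk) that the heuristics should pass.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [s19byn.exe] C:\documents and settings\dane\local settings\temp\s19byn.exe
O4 - HKLM\..\Run: [s19byn] C:\documents and settings\dane\local settings\temp\s19byn.exe
O4 - HKLM\..\Run: [iframeworks.exe] C:\DOCUME~1\dane\LOCALS~1\Temp\nbmj.dat
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: netdb.exe
O4 - Global Startup: Microsoft Windows.hta
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# Line shapes as they appear in the log (assumed from the sample, not from any
# HijackThis specification).
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<kind>Startup|Global Startup): (?P<item>.*)$")
# First token ending in a known extension; copes with quoted and unquoted paths
# that contain spaces ("C:\Program Files\...") followed by arguments.
PATH_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|com|scr|pif|bat|cmd|dll|ocx|hta|vbs|dat))"?(?:\s|$)',
    re.IGNORECASE,
)

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
SCRIPT_EXTS = {".hta", ".vbs", ".js"}
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\temporary internet files\\")


def extension(path):
    """Lower-cased extension of a path, or '' if it has none."""
    m = re.search(r"\.([A-Za-z0-9]+)$", path.strip())
    return "." + m.group(1).lower() if m else ""


def launched_path(cmd):
    """The program part of a Run value, without surrounding quotes or arguments."""
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def analyze(log_text):
    """Return (line, reason) pairs for entries that deserve a second look."""
    findings = []
    names_by_target = {}  # lower-cased program path -> Run value names using it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SHELL_RE.match(line)
        if m:
            if m.group("shell").strip().lower() != "explorer.exe":
                findings.append((line, "system.ini Shell= launches more than explorer.exe at logon"))
            continue
        m = RUN_RE.match(line)
        if m:
            path = launched_path(m.group("cmd"))
            low = path.lower()
            ext = extension(low)
            if any(marker in low for marker in TEMP_MARKERS):
                findings.append((line, "Run entry launches from a temp directory"))
            if ext and ext not in EXECUTABLE_EXTS and ext not in SCRIPT_EXTS:
                findings.append((line, f"Run entry launches a {ext} file as a program"))
            names_by_target.setdefault(low, []).append(m.group("name"))
            continue
        m = STARTUP_RE.match(line)
        if m:
            item = m.group("item")
            # "Name.lnk = C:\real\target.exe" for shortcuts, bare file name otherwise
            target = item.split(" = ", 1)[1] if " = " in item else item
            ext = extension(target)
            if ext in SCRIPT_EXTS:
                findings.append((line, f"{ext} script in a Startup folder"))
            elif " = " not in item and ext in EXECUTABLE_EXTS:
                findings.append((line, "bare executable dropped into a Startup folder"))
    for target, names in names_by_target.items():
        if len(names) > 1:
            findings.append((target, "same target under several Run names: " + ", ".join(names)))
    return findings


if __name__ == "__main__":
    for line, reason in analyze(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The benign ATI, Messenger and Adobe lines pass every check, which is the point of a triage script like this: it narrows a 120-line log to the handful of entries worth asking about, and the helper still decides what to fix.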

#2 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Welcome to Geeks to Go!
I will be helping you clean your system as soon as possible. I just have a question for you... since you have no "system" folder inside the current user policy folder, are you able to change the wallpaper on your desktop? Right-click on the desktop and go to Properties: are all of your tabs there? Themes, Desktop, Screen Saver, Appearance, Settings?

#3 Deven (Member, 85 posts)
I am also having this problem. In my registry, under Windows, I don't see a system folder, but when I try to change my wallpaper on my desktop, it won't let me; I only see the Screen Saver and Settings tabs.

#4 joshuageeks6999 (Topic Starter, Member, 91 posts)
Hi!! and welcome to my problems!! I just had a banana and changed to yellow paper to take notes on...in your honor!! ...hope this works....!!!

Right-click on desktop... all tabs present. When I start up after logging in to one of my administrative user accounts, I see only the screensaver... no icons. On one of the other admin user accounts, I get the "fatal error" message listed in my original entry here.

And I AM ABLE TO CHANGE the desktop. But I have had to go to taskmgr/applications/run to C:\WINDOWS\explorer.exe to load/run the desktop. On startup, that wouldn't happen (unless I fixed the problem already and just don't know it!!... I did run all of the Adaware, etc., again... haven't restarted since then...

I'll go restart now!!)

joshua

Edited by joshuageeks6999, 17 April 2005 - 05:43 PM.

#5 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Don't worry about your desktop, we'll figure out ;)

I will be back as soon as possible ;)

I just had a banana and changed to yellow paper to take notes on...in your honor!!

:tazz: Thank you :)

Edited by bananafanafo, 17 April 2005 - 05:46 PM.

#6 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Would you be willing to do me a huge favor? Since this is a new infection, one of our experts would like to analyze the malware files from your computer. Here in a little bit I will give you the instructions on submitting these files for analysis if you would do this for me? :tazz:

Thank you ;)

#7 joshuageeks6999 (Topic Starter, Member, 91 posts)
Hi... re malware files for your expert... ABSOLUTELY... anything I can do to help... may even discover other problems too. I've allowed this PC to be used by others so... who knows what's out here?!?

I'll check in soon... do need to work/eat/walk the dog... but I'm all yours!!

... I'm currently more fun than my infected PC... joshua

#8 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Thank you! :tazz:

#9 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Do you know how to send files to a zipped folder?

:tazz:

#10 joshuageeks6999 (Topic Starter, Member, 91 posts)
... I'm ready... checking in... feel free to suggest an ETA for the next messages, to let me know if it's going to be later or tomorrow. I'll never ever hold you to it... not to worry about timing... I realize this is all free-form and not planned... it's 5:50 pm here in Seattle at the moment of this post... joshua

#11 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Ok I need you to set your computer to show hidden files:

TO VIEW HIDDEN FILES

Then, using Windows Explorer (they won't show up by "search"), please locate these files:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe

C:\Windows\System32\Log Files
(this is a whole folder I need zipped up only if there are files in it)

I need each one zipped up, then please e-mail the zipped folders: HERE

Let me know if there are any files you couldn't find.

Thanks again :tazz:
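
Added example, not part of the thread and not a Geeks to Go tool: a Python script that does the collection step above in one pass, so the result is reproducible and the "files you couldn't find" report comes out automatically. It walks the list of paths from the post (assumed to be relative to the C: drive root), zips every one that exists, includes the Log Files folder only when it actually holds files, writes a SHA-256 manifest into the archive so the analyst can confirm nothing was altered in transit, and returns the missing paths. The directory tree it runs against here is a constructed fixture containing placeholder files, not real samples; point `collect_samples` at the drive root to use it on a real machine.

```python
import hashlib
import os
import tempfile
import zipfile

# Paths the helper asked for, relative to the drive root. Written with forward
# slashes so the same list works on the Windows box and in this demo's
# constructed directory tree (Python accepts '/' in Windows paths).
REQUESTED_FILES = [
    "wp.exe",
    "wp.bmp",
    "Windows/sites.ini",
    "Windows/popuper.exe",
    "Windows/System32/helper.exe",
    "Windows/System32/intmonp.exe",
    "Windows/System32/msmsgs.exe",
    "Windows/System32/ole32vbs.exe",
    "Windows/system32/msole32.exe",
]
REQUESTED_DIR = "Windows/System32/Log Files"  # zipped only if it has files

# Constructed fixture standing in for the infected drive: only the two files
# the poster actually found, plus one file in the Log Files folder. The
# contents are placeholders, not real malware.
FIXTURE = {
    "wp.exe": b"MZ constructed placeholder, not a real binary\n",
    "wp.bmp": b"BM constructed placeholder bitmap\n",
    "Windows/System32/Log Files/keys.txt": b"constructed log entry\n",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_samples(root, zip_path):
    """Zip every requested file that exists under root, plus a SHA-256 manifest.

    Returns (found, missing): found maps relative path -> sha256 hex digest,
    missing lists the requested paths that were not present on disk.
    """
    candidates = list(REQUESTED_FILES)
    log_dir = os.path.join(root, REQUESTED_DIR)
    if os.path.isdir(log_dir):
        for name in sorted(os.listdir(log_dir)):
            candidates.append(REQUESTED_DIR + "/" + name)
    found, missing = {}, []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in candidates:
            full = os.path.join(root, rel)
            if os.path.isfile(full):
                found[rel] = sha256_file(full)
                zf.write(full, arcname=rel)  # keep the original location in the archive
            else:
                missing.append(rel)
        manifest = "".join(f"{digest}  {rel}\n" for rel, digest in found.items())
        zf.writestr("MANIFEST.sha256", manifest)
    return found, missing


def build_fixture(root):
    """Write the constructed placeholder files under root."""
    for rel, data in FIXTURE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the fixture tree, collect from it, and return what the analyst gets."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "drive_c")
        build_fixture(root)
        zip_path = os.path.join(tmp, "smitfraud_samples.zip")
        found, missing = collect_samples(root, zip_path)
        with zipfile.ZipFile(zip_path) as zf:
            archived = zf.namelist()
    return found, missing, archived


if __name__ == "__main__":
    found, missing, archived = run_demo()
    print("archived:", archived)
    print("could not find:", missing)
```

Hidden files are not a problem for this approach: `os.path.isfile` sees a file whether or not Explorer is set to show it, which sidesteps the "won't show up by search" caveat in the post.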

#12 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
And I will probably be on most of the night :tazz:

#13 Peacemaker45 (New Member, 1 post)
This is roughly the same problem I'm having atm. My dad managed to kill the blue fatal error screen, but I also don't have all the tabs I should when I go to Properties on the desktop. On top of that, Spybot Resident keeps popping up with messages that say something is trying to add itself to the registry, showing that the "filename", for lack of a better term, is just a string of seemingly random letters, trying to write to c:/windows/(string of random letters). It looks like this:

Category: System Startup user entry
Change: Value Added

Entry: Gspycwg

Old Data:
New Data: C:/windows/hmlnfgk.exe

I keep telling it to Remember Change and hitting Deny Change, but since the letters under "Entry" are different every time, it's not remembering. I downloaded AdAware, Spybot, and Hijack This, but have yet to run Hijack This. I ran AdAware and Spybot and those both found a bunch of stuff.

I'll be watching this thread closely :) Good luck for both our sakes!

Matt

#14 joshuageeks6999 (Topic Starter, Member, 91 posts)
:tazz: ... well, I was able to learn how to reveal hidden files... had done that in the past...

... and I did a quick refresher on right-click options for zipping files... however, I only found 2 of the files/folders you listed... I must have missed something...

I've gone back to confirm all files showing.

I'm exploring! not opening so the visibility is good!

But, found C:\wp.exe and C:\wp.bmp only.

I have a system.ini file in WINDOWS; a help.exe, not helper.exe, in System32; have ole32.dll in System32 but no .exe files... and there's no Log Files identifier in System32. I'll go back and mess around with System32 a bit... promise not to leave any marks ;)

Do you want the two (measly) files I found...??
joshua

#15 joshuageeks6999 (Topic Starter, Member, 91 posts)
Wow!! Just read through some of the 'similar threads' re this trojan!! Fascinating similarities with things I might have done recently....

I was having a 'different' problem, went to Spywarrior to search for threads covering the subject (jimbutt hijacker), but I downloaded and PURCHASED the Xoftspy product!!! It did not work. One of the other threads seems to be implying that this product carried with it a worm or two, and the trojan in question....????

It also suggests a shutdown of Spydoctor as it might interfere with corrections...

... so, who do you trust... I mean, I feel I'm in a safe environment here... Right?... but if you wanted to get info or files or logs out of me... I'd be giving it all up here... who's to say that the product I purchased... by the way, they have my credit card info at sales@paretologic.com... was safe?? :tazz:

joshua