Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

TROJAN-SPY.HTML.Smitfraud.c


  • This topic is locked This topic is locked

#1
zackjr

zackjr

    Member

  • Member
  • PipPip
  • 17 posts
Another victim of smitfraud. I am running Windows XP pro with SP1 and SP2. I have installed the listed programs as directed. What should I do first? thanks in advance for any assistance
  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 17,335 posts
  • MVP
The first thing is to post your HijackThis log.

This bug is caused by a file wp.exe. You will see him down in the O4 entries.

Terminate the process and then check his box and Fix Checked. That still leaves a problem in your registry.

Start, Run, regedit, OK to bring up the regedit program.

find HKey_Current_User->Software ->Microsoft->Windows->CurrentVersion>policies (Hit the + sign in front of each Key as you find them. That will open up the subkeys.)

Under Policies is usually an entry named System. If you find it highlight it and press the Delete key. Then OK. Close the program and reboot.

Start, Control Panel, Display (Properties). This should bring up Display Properties/Background. Change the wallpaper to something else and Apply. You may also need to select Web and uncheck the box where it says View My Active Desktop as a web page. OK

Ron
  • 0

#3
zackjr

zackjr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I decided to attempt a repair of same problem with same platform by following advise from Don77 given to Kplantier. I believe that I have resolved the smitfraud problem but I will post a HJT log in hopes of correcting anything else that might show up as questionable. Thanks again

Logfile of HijackThis v1.99.1
Scan saved at 11:03:57 PM, on 4/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Zack\Desktop\HijackThis.exe

O2 - BHO: (no name) - {D5405EA0-062B-B611-DAA2-2D18C8E9EFAF} - C:\WINDOWS\system32\iegl.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114007548123
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ntcp.exe" /s (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 17,335 posts
  • MVP
Mostly you have stuff that antispy has killed but didn't remove from the registry:

O2 - BHO: (no name) - {D5405EA0-062B-B611-DAA2-2D18C8E9EFAF} - C:\WINDOWS\system32\iegl.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\ntcp.exe" /s (file missing)

Unless the underlying bug is still active you should be able to check/Fix Checked and they should go away. (The two Microsoft AntiSpyware helper entries are bogus and have nothing to do with the real Micrososft AntiSpy.)

Ron
  • 0

#5
zackjr

zackjr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I tried to fix the 023 Service:Workstation..., but HJT could not delete. Should I apply Kill box? and if so what exactly should I type in the box? thanks again
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 17,335 posts
  • MVP
There is no file for killbox to kill. Just a registry entry.

See if you can do the following:

Start then right click on My Computer and press Manage. In the new window
Service and Applications then Services. In the right pane scroll down and find
the Workstation NetLogon Service. (not the one that just says Workstation)Double click on it and and then set the Start Type
to Disabled. Then OK.

Ron
  • 0

#7
zackjr

zackjr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Done! then ran HJT again and it does not show up- thanks
  • 0

#8
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi zackjr
If you don't mind can we get a look at a fresh HJT please,
  • 0

#9
zackjr

zackjr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
After Logfile of HijackThis v1.99.1
Scan saved at 10:47:06 PM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Documents and Settings\Zack\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114007548123
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
adding an onboard sound driver my HJT log is:
  • 0

#10
zackjr

zackjr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I thought I pasted the log file AFTER my statement:" After adding an onboard sound driver my HJT log is:" but it must have been inserted BETWEEN my statement. I'm almost certain my issues have been resolved. Thanks again
  • 0

#11
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
No problem Zack just wanted to have a final review of the log thats all,

So I will leave you with this,,
Nice job your log is clean !
How is it running ?
Please use the following suggestion to help prevent reinfection

Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep Ad-aware and Spybot handy, Check them for updates prior to running and run them weekly
Same with your Anti Virus,

For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot

Remeber to Check Windows for updates

Probably a good time to create a new restore point See Here Name it clean or something like that,
  • 0

#12
zackjr

zackjr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
You guys at geekstogo rock.Your incredible experience,knowledge,and insight in the overwhelmingly complex realm of computer science blows us "everyday point and clickers away".Your skills are greatly needed and appreciated. and I love your forum that allows one to investigate and repair their computer system. Now, how do I make a PayPal payment? thanks
  • 0

#13
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Your very welcome zackjr
Thanks you and glad we could help,

This topic will now be closed should you have any further problems, please pm a staff memeber to have your topic reopened,

Thanks again
Don
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP