TROJAN-SPY.HTML.Smitfraud.c
Started by
zackjr
, Apr 23 2005 10:14 PM
#1
Posted 23 April 2005 - 10:14 PM
#2
Posted 24 April 2005 - 05:52 PM
The first thing is to post your HijackThis log.
This bug is caused by a file wp.exe. You will see him down in the O4 entries.
Terminate the process and then check his box and Fix Checked. That still leaves a problem in your registry.
Start, Run, regedit, OK to bring up the regedit program.
find HKey_Current_User->Software ->Microsoft->Windows->CurrentVersion>policies (Hit the + sign in front of each Key as you find them. That will open up the subkeys.)
Under Policies is usually an entry named System. If you find it highlight it and press the Delete key. Then OK. Close the program and reboot.
Start, Control Panel, Display (Properties). This should bring up Display Properties/Background. Change the wallpaper to something else and Apply. You may also need to select Web and uncheck the box where it says View My Active Desktop as a web page. OK
Ron
This bug is caused by a file wp.exe. You will see him down in the O4 entries.
Terminate the process and then check his box and Fix Checked. That still leaves a problem in your registry.
Start, Run, regedit, OK to bring up the regedit program.
find HKey_Current_User->Software ->Microsoft->Windows->CurrentVersion>policies (Hit the + sign in front of each Key as you find them. That will open up the subkeys.)
Under Policies is usually an entry named System. If you find it highlight it and press the Delete key. Then OK. Close the program and reboot.
Start, Control Panel, Display (Properties). This should bring up Display Properties/Background. Change the wallpaper to something else and Apply. You may also need to select Web and uncheck the box where it says View My Active Desktop as a web page. OK
Ron
#3
Posted 24 April 2005 - 09:50 PM
I decided to attempt a repair of same problem with same platform by following advise from Don77 given to Kplantier. I believe that I have resolved the smitfraud problem but I will post a HJT log in hopes of correcting anything else that might show up as questionable. Thanks again
Logfile of HijackThis v1.99.1
Scan saved at 11:03:57 PM, on 4/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Zack\Desktop\HijackThis.exe
O2 - BHO: (no name) - {D5405EA0-062B-B611-DAA2-2D18C8E9EFAF} - C:\WINDOWS\system32\iegl.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114007548123
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntcp.exe" /s (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
Logfile of HijackThis v1.99.1
Scan saved at 11:03:57 PM, on 4/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Zack\Desktop\HijackThis.exe
O2 - BHO: (no name) - {D5405EA0-062B-B611-DAA2-2D18C8E9EFAF} - C:\WINDOWS\system32\iegl.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114007548123
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntcp.exe" /s (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
#4
Posted 25 April 2005 - 10:24 AM
Mostly you have stuff that antispy has killed but didn't remove from the registry:
O2 - BHO: (no name) - {D5405EA0-062B-B611-DAA2-2D18C8E9EFAF} - C:\WINDOWS\system32\iegl.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntcp.exe" /s (file missing)
Unless the underlying bug is still active you should be able to check/Fix Checked and they should go away. (The two Microsoft AntiSpyware helper entries are bogus and have nothing to do with the real Micrososft AntiSpy.)
Ron
O2 - BHO: (no name) - {D5405EA0-062B-B611-DAA2-2D18C8E9EFAF} - C:\WINDOWS\system32\iegl.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7FDBB7E8-DB4E-49D1-8234-6FEC6936702B} - (no file) (HKCU)
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntcp.exe" /s (file missing)
Unless the underlying bug is still active you should be able to check/Fix Checked and they should go away. (The two Microsoft AntiSpyware helper entries are bogus and have nothing to do with the real Micrososft AntiSpy.)
Ron
#5
Posted 25 April 2005 - 06:18 PM
I tried to fix the 023 Service:Workstation..., but HJT could not delete. Should I apply Kill box? and if so what exactly should I type in the box? thanks again
#6
Posted 25 April 2005 - 06:29 PM
There is no file for killbox to kill. Just a registry entry.
See if you can do the following:
Start then right click on My Computer and press Manage. In the new window
Service and Applications then Services. In the right pane scroll down and find
the Workstation NetLogon Service. (not the one that just says Workstation)Double click on it and and then set the Start Type
to Disabled. Then OK.
Ron
See if you can do the following:
Start then right click on My Computer and press Manage. In the new window
Service and Applications then Services. In the right pane scroll down and find
the Workstation NetLogon Service. (not the one that just says Workstation)Double click on it and and then set the Start Type
to Disabled. Then OK.
Ron
#7
Posted 25 April 2005 - 06:33 PM
Done! then ran HJT again and it does not show up- thanks
#8
Posted 25 April 2005 - 08:02 PM
Hi zackjr
If you don't mind can we get a look at a fresh HJT please,
If you don't mind can we get a look at a fresh HJT please,
#9
Posted 26 April 2005 - 08:50 PM
After Logfile of HijackThis v1.99.1
Scan saved at 10:47:06 PM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Documents and Settings\Zack\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114007548123
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
adding an onboard sound driver my HJT log is:
Scan saved at 10:47:06 PM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Documents and Settings\Zack\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114007548123
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
adding an onboard sound driver my HJT log is:
#10
Posted 26 April 2005 - 09:03 PM
I thought I pasted the log file AFTER my statement:" After adding an onboard sound driver my HJT log is:" but it must have been inserted BETWEEN my statement. I'm almost certain my issues have been resolved. Thanks again
#11
Posted 26 April 2005 - 10:03 PM
No problem Zack just wanted to have a final review of the log thats all,
So I will leave you with this,,
Nice job your log is clean !
How is it running ?
Please use the following suggestion to help prevent reinfection
Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster
Keep Ad-aware and Spybot handy, Check them for updates prior to running and run them weekly
Same with your Anti Virus,
For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan
Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot
Remeber to Check Windows for updates
Probably a good time to create a new restore point See Here Name it clean or something like that,
So I will leave you with this,,
Nice job your log is clean !
How is it running ?
Please use the following suggestion to help prevent reinfection
Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster
Keep Ad-aware and Spybot handy, Check them for updates prior to running and run them weekly
Same with your Anti Virus,
For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan
Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot
Remeber to Check Windows for updates
Probably a good time to create a new restore point See Here Name it clean or something like that,
#12
Posted 28 April 2005 - 12:56 AM
You guys at geekstogo rock.Your incredible experience,knowledge,and insight in the overwhelmingly complex realm of computer science blows us "everyday point and clickers away".Your skills are greatly needed and appreciated. and I love your forum that allows one to investigate and repair their computer system. Now, how do I make a PayPal payment? thanks
#13
Posted 28 April 2005 - 04:09 PM
Your very welcome zackjr
Thanks you and glad we could help,
This topic will now be closed should you have any further problems, please pm a staff memeber to have your topic reopened,
Thanks again
Don
Thanks you and glad we could help,
This topic will now be closed should you have any further problems, please pm a staff memeber to have your topic reopened,
Thanks again
Don
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users