Welcome to Geeks to Go - Register now for FREE


I have the smitfraud virus -Help me please![RESOLVED]


  • This topic is locked

#1
schade2121

    Member

  • Member
  • 10 posts
Hi there,

I've browsed some of the topics and you guys rule the world! I thought I might never get this thing off my computer...but now I have hope that I just might....

I have the smitfraud virus - with a blue background and a bunch of icons on my "desctop" (that's how the 'virus' spells it)

I have run all kinds of checks with AVG, Adaware etc but it won't seem to get rid of it.

I've read bits of everyone's threads, but their HIJACKTHIS logs are far longer than mine....Does this mean my problem is a small one??

Here is my HIJACKTHIS log... I kinda need a step-by-step guide if that is possible? I don't know if I've just got Smitfraud or if I am infected with others too.

Here is my HIJACKTHIS log...

Logfile of HijackThis v1.99.1
Scan saved at 11:23:47 AM, on 4/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0337/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft AntiSpyware helper - {CC10B6C6-C629-47BD-AD23-89CC21573413} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CC10B6C6-C629-47BD-AD23-89CC21573413} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {CC10B6C6-C629-47BD-AD23-89CC21573413} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CC10B6C6-C629-47BD-AD23-89CC21573413} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Ok, that's it for now. Can I please get some help here? A sort of step by step guide? Or refer me to a step by step that has fully worked for someone else?

I need help here. I'm looking all lost and puppy dog eyeish towards banananafan (think I got the name right??) and anyone else who's been such an awesome help to others.

I'm just a young man from New Zealand who just wants to be able to have free rein over his computer again! :tazz:

PLEASE help me!

Hayden
  • 0



#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Hayden and welcome to GTG.

Let me see if I can help you out here. :tazz:

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx

After doing that, do the below fixes:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0337/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O9 - Extra button: Microsoft AntiSpyware helper - {CC10B6C6-C629-47BD-AD23-89CC21573413} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CC10B6C6-C629-47BD-AD23-89CC21573413} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {CC10B6C6-C629-47BD-AD23-89CC21573413} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CC10B6C6-C629-47BD-AD23-89CC21573413} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\System32\wldr.dll


Reboot into Normal Mode and run a new HijackThis scan. Save the log file and post it here.

Is your desktop background hijacked also then? If it is, then do this also:

Right click on http://www.greyknigh...pairDesktop.reg and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer.

Login as usual and now right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.
  • 0
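The entries greyknight17 singles out above (the R0 start-page hijack, the O1 hosts-file line, and the O9 items whose DLL is reported "(file missing)") can be picked out of a HijackThis log mechanically. The script below is an added example written for this page; it is not HijackThis code and not something posted in the thread. The allow-list of home-page hosts is a constructed assumption, the sample log lines are copied from the first post (plus one constructed msn.com line to show the rule not firing), and the three rules encode only what the helper's reply flags.

```python
import re
from dataclasses import dataclass

# Home-page hosts the user is known to have chosen; any other R0 start page is
# reported for review. Constructed allow-list for this example, not from the thread.
TRUSTED_START_PAGES = {"www.msn.com", "www.google.com", "about:blank"}

# A HijackThis entry line: section code, " - ", then the entry body, e.g.
# "O9 - Extra button: ... - C:\WINDOWS\System32\wldr.dll (file missing)".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "R0", "O1", "O9"
    reason: str  # why the line was flagged
    line: str    # the original log line


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL, or the whole string if it has no scheme."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]+)", url, re.I)
    return m.group(1).lower() if m else url.lower()


def triage(log_text: str) -> list:
    """Apply the three rules the thread uses and return the matching lines in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list, blank line
        kind, body = m.group("kind"), m.group("body")
        if kind == "R0" and "Start Page" in body:
            parts = body.split("=", 1)
            url = parts[1].strip() if len(parts) == 2 else ""
            if host_of(url) not in TRUSTED_START_PAGES:
                findings.append(Finding(kind, f"start page points at untrusted host {host_of(url)}", line))
        elif kind == "O1" and body.startswith("Hosts:"):
            findings.append(Finding(kind, "hosts-file entry pins a name to a fixed IP", line))
        elif kind == "O9" and "(file missing)" in body:
            findings.append(Finding(kind, "IE button/menu item references a DLL that is not on disk", line))
    return findings


# Sample log: lines copied from the first post of this thread, plus one constructed
# R0 line with an allow-listed home page so the start-page rule has a negative case.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0337/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Microsoft AntiSpyware helper - {CC10B6C6-C629-47BD-AD23-89CC21573413} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CC10B6C6-C629-47BD-AD23-89CC21573413} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

A hit from these rules is a candidate for a helper's review, not proof of infection: "(file missing)" also follows an uninstalled add-on that left its registration behind, which is why the thread has entries fixed only after a human has read the log.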

#3
schade2121

    Member

  • Topic Starter
  • Member
  • 10 posts
Ok, I did what you asked.

I ran it in Safe mode and was able to delete all the items you mentioned in HIJACKTHIS....EXCEPT for -

C:\WINDOWS\System32\wldr.dll (file missing) (HKCU) - It did not show up on the Hijackthis log...

Also, was not able to find or delete C:\WINDOWS\System32\wldr.dll either...despite changing search functions to accommodate "search system folders" etc etc

Here is my log file (as you can see the [bleep] R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0337/ has popped up again, even after "Fixing" it twice in Hijackthis...)


Logfile of HijackThis v1.99.1
Scan saved at 10:58:38 PM, on 4/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\slrundll.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0337/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{1875F90A-E01E-460A-A055-5338A3CC7629}: NameServer = 203.109.252.42 203.109.252.43
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe



For some reason those crucial files I need to delete are eluding me...could it be my search?? What am I doing wrong?

I have the Windows Service Pack 1a already installed...but don't have the version 2 yet...should I try downloading that too?

Any other suggestions?

Thanks for your help so far...but I still have everything on my desktop (that means the blue background, icons, and red button on my toolbar with the white x on it)

Any other ideas??

Hayden :tazz:
  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Don't get SP2 until you are clean since it can become very unstable if installed on an unstable machine.

Do this:

Look in your c:\windows\system32\ folder and see if you see a bunch of .ico files created around the same date. Do you see other files created around that date also?

**Note** DO NOT REBOOT THE PC During the removal process. If you do the filenames will change.

Download FindQoologic-Narrator.zip at http://forums.net-in...=post&id=134981 and save it to your Desktop. Create a new folder on your desktop (right click and select New->Folder) and call it FindQoologic. Now unzip the file contents of that zip file into that folder. Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text file opens and post that in your next reply.

Download DllCompare http://www.greyknigh.../DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here please, along with the new HijackThis log.
  • 0

#5
schade2121

    Member

  • Topic Starter
  • Member
  • 10 posts
Ok - here goes!

I did the first step which you asked - which was to check the system32 folder for any .ico and found a bunch of them (the same ones that are on my desktop) all created at the same time (4/23/2005 9.28AM). In that same search a bunch of other items came up, but they all had dates of 8/23/2001 and 8/24/2001 respectively...including some dll files...not sure if this computer is that old?? Why they would have that date confuses me? Maybe the computer is that old...I did buy it second hand.


Secondly, I unzipped and ran FindQoologic and this was the log generated -


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES,
THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING.
IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»




»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f7ecc3

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
Microsoft Office.lnk

User Startup:
C:\Documents and Settings\Jennifer\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»



! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
<NO NAME> REG_SZ {E8ADA3E1-CE9B-44A0-A165-997304EF4E18}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 10:55
Operating System: Windows XP




Next I did the dll.compare and came up with this logfile -


* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :tazz:"
________________________________________________

1,116 items found: 1,116 files, 0 directories.
Total of file sizes: 202,857,479 bytes 193.46 M

Administrator Account = True

--------------------End log---------------------


Lastly, I ran the FindIt and after a long while - got this log to pop up along with a list of errors in the cmd part -




Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 04/28/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES,
THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING.
IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 3B13-16DD

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 3B13-16DD

Directory of C:\WINDOWS\system32

04/23/2005 09:28 AM 2,238 MP3.ico
04/23/2005 09:28 AM 766 BlackJack.ico
04/23/2005 09:28 AM 2,238 Cruises.ico
04/23/2005 09:28 AM 766 Air Tickets.ico
04/23/2005 09:28 AM 2,238 Online Betting.ico
04/23/2005 09:28 AM 2,238 Viagra.ico
04/23/2005 09:28 AM 2,238 Car Insurance.ico
04/23/2005 09:28 AM 766 Pharmacy.ico
04/23/2005 09:28 AM 4,534 Remove Spyware.ico
04/23/2005 09:28 AM 2,238 Cigarettes.ico
04/23/2005 09:28 AM 766 Phentermine.ico
04/23/2005 09:28 AM 766 Online Casino.ico
04/23/2005 09:28 AM 766 Party Poker.ico
04/23/2005 09:28 AM 4,606 Credit Card.ico
04/23/2005 09:28 AM 2,238 Forex Trading.ico
04/23/2005 09:28 AM 4,286 Big Tits.ico
04/23/2005 09:28 AM 2,238 Britney Spears.ico
04/23/2005 09:28 AM 4,286 Pornstars.ico
04/23/2005 09:28 AM 4,286 Lesbian Sex.ico
04/23/2005 09:28 AM 4,286 Oral Sex.ico
20 File(s) 48,784 bytes
0 Dir(s) 15,055,044,608 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


And FINALLY - here is my current Hijackthis log -

Logfile of HijackThis v1.99.1
Scan saved at 11:22:32 AM, on 4/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0337/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe



Ok, that's it, I've done all you asked. Those are all my logs.

I await your guidance from here as to what to do next.

Many, MANY thanks for all your help so far! Didn't realise this would be such an intensive process!

Hayden
  • 0
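greyknight17's check in #4 (look for a batch of .ico files in system32 all stamped with the same date) and the FindIt's directory listing Hayden posts above together describe a simple clustering heuristic: files dropped by one installer share a timestamp, while the rest of the folder is spread across years. The script below is an added example, not part of the thread and not FindIt's or DllCompare code; it parses `dir`-style lines as they appear in that listing and groups them by timestamp. The sample listing mixes five lines copied from the posted log with two constructed DLL lines carrying the 2001 dates Hayden describes, and the threshold of five files per cluster is an assumption.

```python
import re
from collections import defaultdict
from typing import Optional

# One `dir` file line as it appears in the posted listing (columns separated by
# runs of spaces): "04/23/2005 09:28 AM 2,238 MP3.ico". Volume headers, <DIR>
# entries and the "n File(s)" totals do not match and are skipped.
DIR_LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d[\d,]*)\s+(?P<name>.+?)\s*$"
)


def parse_dir_listing(text: str) -> list:
    """Return (timestamp, size_in_bytes, filename) for every file line in a `dir` listing."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE_RE.match(line.strip())
        if m:
            stamp = f"{m['date']} {m['time']}"
            entries.append((stamp, int(m["size"].replace(",", "")), m["name"]))
    return entries


def find_clusters(entries, min_files: int = 5, ext: Optional[str] = None) -> dict:
    """Group filenames by identical timestamp and keep groups of at least min_files.

    ext (e.g. ".ico") restricts the grouping to one extension, mirroring the
    helper's "a bunch of .ico files created around the same date" check.
    """
    by_stamp = defaultdict(list)
    for stamp, _size, name in entries:
        if ext is None or name.lower().endswith(ext.lower()):
            by_stamp[stamp].append(name)
    return {stamp: names for stamp, names in by_stamp.items() if len(names) >= min_files}


def report(text: str, min_files: int = 5) -> list:
    """One human-readable line per cluster found in a raw `dir` listing."""
    clusters = find_clusters(parse_dir_listing(text), min_files=min_files)
    return [
        f"{stamp}: {len(names)} files share this timestamp: {', '.join(sorted(names))}"
        for stamp, names in sorted(clusters.items())
    ]


# Constructed sample: the five .ico lines are copied from the FindIt's listing
# posted in this thread; the two .dll lines are made up to stand in for the
# 2001-dated files Hayden mentions seeing alongside them.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 3B13-16DD

 Directory of C:\WINDOWS\system32

04/23/2005 09:28 AM 2,238 MP3.ico
04/23/2005 09:28 AM 766 BlackJack.ico
04/23/2005 09:28 AM 2,238 Cruises.ico
04/23/2005 09:28 AM 766 Air Tickets.ico
04/23/2005 09:28 AM 4,534 Remove Spyware.ico
08/23/2001 12:00 PM 12,288 example.dll
08/24/2001 12:00 PM 4,096 another.dll
 7 File(s) 26,926 bytes
 0 Dir(s) 15,055,044,608 bytes free
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LISTING):
        print(line)
```

Which timestamp `dir` prints depends on its /T switch (last-write time by default, `/T:C` for creation time), so match the listing to whichever date the helper asks about; and as with every tool in this thread, a cluster is a lead for a human to check against the desktop symptoms, not a delete list.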

#6
Razor61

    New Member

  • Member
  • 4 posts
;) Sorry to HIJACK this thread but I posted a help topic on the smitfraud about 8 days ago and I see everyone seems to have had help quite quickly and people who have posted yesterday are getting help already, yet I have yet to have any reply or help from 8 days ago.

Can someone please help, I have posted my HijackThis log on my original thread. Sorry to be a pain but it gets quite frustrating when you see others being helped who have only just posted....

:tazz:
Many thanks
  • 0

#7
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, found the problem. Please make sure that word wrap is turned OFF in Notepad. The formatting it creates makes it hard for us to read the logs.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Delete these files:

C:\WINDOWS\system32\MP3.ico
C:\WINDOWS\system32\BlackJack.ico
C:\WINDOWS\system32\Cruises.ico
C:\WINDOWS\system32\Air Tickets.ico
C:\WINDOWS\system32\Online Betting.ico
C:\WINDOWS\system32\Viagra.ico
C:\WINDOWS\system32\Car Insurance.ico
C:\WINDOWS\system32\Pharmacy.ico
C:\WINDOWS\system32\Remove Spyware.ico
C:\WINDOWS\system32\Cigarettes.ico
C:\WINDOWS\system32\Phentermine.ico
C:\WINDOWS\system32\Online Casino.ico
C:\WINDOWS\system32\Party Poker.ico
C:\WINDOWS\system32\Credit Card.ico
C:\WINDOWS\system32\Forex Trading.ico
C:\WINDOWS\system32\Big Tits.ico
C:\WINDOWS\system32\Britney Spears.ico
C:\WINDOWS\system32\Pornstars.ico
C:\WINDOWS\system32\Lesbian Sex.ico
C:\WINDOWS\system32\Oral Sex.ico


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0337/

Reboot into Normal Mode and run a new HijackThis scan. Save the log file and post it here.
  • 0

#8
schade2121

    Member

  • Topic Starter
  • Member
  • 10 posts
Hi there,

I did what you said and all that has changed is that the icons on my desktop don't have the pictures (but they still are icons without pictures)

I've still got the hijacked desktop... within moments of deleting the icons from the system32 folder, they popped back up again...

So I'm still right where I started from.

Here is my log...

Logfile of HijackThis v1.99.1
Scan saved at 10:12:29 AM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\slrundll.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0337/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{1875F90A-E01E-460A-A055-5338A3CC7629}: NameServer = 203.109.252.42 203.109.252.43
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Any other ideas? Since this seems to be sweeping the net, has a definitive cure been found yet??

Should I take bananafan's advice and download windows service pack 2?

Thanks for all your help, but we must be missing some crucial step here as smitfraud still embeds my system.

Anyone else have advice?

Anyone found a way to get rid of it that I haven't tried yet?

ANY and ALL advice would be appreciated.

Many thanks,

Hayden
  • 0

#9
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete all those bad files you mentioned coming back in the system32 folder and also delete these 3 if found:

param32.dll
guninst.exe
popup_bl.dll


If you can't delete, try booting into the recovery console to do this.

You should upgrade to Service Pack 1 at least. Just had to mention that since it will give you more protection for the time being.

But delete those 3 files also - they should be the culprit here.

Then fix that newgenlook entry in HijackThis and restart.

Post back a new HijackThis log.
  • 0

#10
schade2121

    Member

  • Topic Starter
  • Member
  • 10 posts
Hi there,

Could delete 2 out of the 3 items you mentioned (it wouldn't allow me to delete param32.dll).

Also deleted wp.exe which keeps popping up also...only to find that it has returned again. AVG keeps coming up with a message saying suspecting trojan, but it's just like the icons...it won't disappear.

Here is my hijackthis log... I'm still in the exact same position...nothing's changed. Still with the icons all over the "desctop"..and now comes up with adaware saying the newgen. page is trying to alter a registry. I click on block and the same message keeps popping up, so it won't let me block it.

Do I need to use killbox or some other programs?

Here is my hijackthis log -


Logfile of HijackThis v1.99.1
Scan saved at 11:51:37 AM, on 5/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0337/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Once again, thanks for your help. I've been doing everything you asked, but I'm still in the same exact position. This is a real pain to get rid of!

Any more ideas?

Hayden :tazz:
  • 0

#11
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
How about using KillBox to delete:

c:\windows\system32\param32.dll


Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.
  • 0

#12
schade2121

    Member

  • Topic Starter
  • Member
  • 10 posts
Ah, SUCCESS!!

I deleted the dll file through killbox as suggested and rebooted. The little icon with the white x disappeared from my desktop! I then deleted the icons from the desktop, and they have stayed away. I then ran hijackthis and got rid of the newgenlook page. I changed the site in internet settings to msn.com, and now I go to that each time I open my internet explorer browser.

I ran your desktop recovery and got a nice new background that isn't blue and irritating...so I think I'm all back to normal.

Well...normal as far as smitfraud goes...

I think I have other viruses too.

But first here is my hijackthis log -

Logfile of HijackThis v1.99.1
Scan saved at 10:12:28 PM, on 5/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\slrundll.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{1875F90A-E01E-460A-A055-5338A3CC7629}: NameServer = 203.109.252.42 203.109.252.43
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


I then ran that mwav.exe and it came up with the following items -

File C:\DOCUME~1\Jennifer\LOCALS~1\TEMPOR~1\Content.IE5\4PQ74HUZ\index[1].htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Jennifer\Local Settings\Temporary Internet Files\Content.IE5\4PQ74HUZ\index[1].htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP31\A0005324.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP31\A0005335.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP32\A0005390.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP32\A0005402.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP32\A0005418.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP32\A0006425.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP32\A0006431.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP32\A0006456.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP32\A0006463.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP32\A0006470.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP32\A0006484.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP32\A0006485.exe infected by "not-a-virus:AdWare.Serpo.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E47F9DFB-D64F-43C6-A121-75700BCA29CF}\RP32\A0006508.DLL infected by "Trojan-Downloader.Win32.WarSpy.g" Virus. Action Taken: No Action Taken.


I just need confirmation - am I finally rid of the smitfraud trojan??

Are these other viruses separate and easy to get rid of?

I await your reply. Many thanks if this has got me rid of smitfraud!!!

Hooray!

Hayden :tazz:

#13
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, basically all gone now. Those other infections are easy to remove.

The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
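As an added example (not from the thread, and not part of mwav.exe, CleanUp! or HijackThis), a small Python triage script over scan lines in the format mwav.exe produced above: it sorts each detection by where the file lives, so you can see which of the two steps given here (emptying the Temp folders, toggling System Restore) covers it and what, if anything, is still active and needs explicit removal. The report lines embedded in the block are constructed placeholders, not values from the thread.

```python
import re
# Constructed sample in the mwav.exe report format quoted in the thread; the user
# name, GUID, RP numbers and file names are placeholders, not from any real machine.
SAMPLE_REPORT = r"""
File C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\index[1].htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP31\A0005324.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP32\A0006508.DLL infected by "Trojan-Downloader.Win32.WarSpy.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\example.dll infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
"""

# One detection per line: File <path> infected by "<name>" Virus. Action Taken: <action>.
LINE_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
                     r'Action Taken: (?P<action>.+?)\.?$')
# Restore-point copies live under _restore{GUID}\RPnn\ ; capture the RP number.
RP_RE = re.compile(r'\\_restore\{[^}]*\}\\(RP\d+)\\', re.IGNORECASE)

def classify(path):
    """Where a detection lives decides which clean-up step in the thread removes it."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"  # flushed by turning System Restore off, then on again
    if "\\temporary internet files\\" in low or "\\temp\\" in low:
        return "temp_cache"     # removed by emptying the Temp folders (CleanUp!)
    return "active"             # not covered by either step; needs explicit removal

def parse_report(text):
    """Return one dict per detection line; blank lines and other output are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rp = RP_RE.search(m["path"])
        hits.append({"path": m["path"], "name": m["name"], "action": m["action"],
                     "where": classify(m["path"]), "rp": rp.group(1) if rp else None})
    return hits

def triage(hits):
    """Count hits per location and list what remains after the two clean-up steps."""
    summary = {"restore_point": 0, "temp_cache": 0, "active": [], "restore_points": set()}
    for h in hits:
        if h["where"] == "active":
            summary["active"].append(h["path"])
        else:
            summary[h["where"]] += 1
        if h["rp"]:
            summary["restore_points"].add(h["rp"])
    summary["restore_points"] = sorted(summary["restore_points"])
    return summary
```

Note that mwav.exe may list the same file twice, once under its 8.3 short path (DOCUME~1) and once under the long path, as in the report above; the counts here treat each line as one hit.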

#14
schade2121

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Alrighty!

Think I'm all back to normal now. Managed to get rid of all those other nasties with system cleanup and an AVG scan.

Here is my logfile -


Logfile of HijackThis v1.99.1
Scan saved at 4:21:51 PM, on 5/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\slrundll.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{1875F90A-E01E-460A-A055-5338A3CC7629}: NameServer = 203.109.252.42 203.109.252.43
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

I think I'm back in business! THANK YOU SO MUCH for all of your expert help!

Greyknight, you are a legend!

Hayden :tazz:

Guess you can consider this topic closed then eh?

#15
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.