Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need Help!- need to removal smitfraud [CLOSED]

Started by jbloggs , Apr 28 2005 03:34 AM

  • This topic is locked This topic is locked

#1
jbloggs
Posted 28 April 2005 - 03:34 AM

jbloggs

    New Member

  • Member
  • Pip
  • 1 posts
[FONT=Arial]Hello! Im in a bit of trouble. A trojan horse has got into my computer and i am having serious trouble removing it. A blue screen has popped up on my desktop:

Error was caused by Trojan spy.html.smitfraud.c

*system cannot function in normal mode
*please check your security settings
*scan your PC with any availble antivirus / spyware remover program to fix the problem


Can someone help me? i've tried all antivirus scanners (AVG, spybot, norton) and i can't install Ad SE cos i have Windows 95 still. I've got a hijackthis.com log. It would save my life if someone could help me with it i can get rid of this spy.

Cheers :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 19:19:24, on 28/04/05
Platform: Windows 95 b (Win9x 4.00.1212)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMPAQ\COMPAQ EASY ACCESS BUTTON SUPPORT\CPQBZL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\AMEDDTCT.EXE
C:\PROGRA~1\COMPAQ\COMPAQ~1\OSD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\WINDOWS\SYSTEM\ATIKEY32.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SFPSVR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\SYSTEM\VTLBAR1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\SYSTEM\VTLBAR1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\sfpsvr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [CPQEASYACC] C:\Program Files\Compaq\Compaq Easy Access Button Support\cpqbzl.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {F9752A5F-5D00-478A-A64A-48A5F17D2374} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F9752A5F-5D00-478A-A64A-48A5F17D2374} - (no file) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .au:2048/science?_ob=MImg&_imagekey=B6VGS-43X7KNP-5-N&_cdi=6046&_orig=search&_coverDate=09/11/2001&_sk=999149999&view=c&wchp=dGLbVtb-zSkWA&_acct=C000014118&_version=1&_userid=202616&md5=259c637bba82beb663: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O15 - Trusted Zone: *.tl81.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.tl81.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82...hm::/update.exe
  • 0

Advertisements

#2
greyknight17
Posted 28 April 2005 - 07:11 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Oh my, you are using a very old operating system there.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\SFPSVR.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Security iGuard

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\SYSTEM\VTLBAR1.DLL
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\SYSTEM\VTLBAR1.DLL
O4 - HKLM\..\Run: [sfpsvr] C:\WINDOWS\sfpsvr.exe
O4 - HKLM\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {F9752A5F-5D00-478A-A64A-48A5F17D2374} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F9752A5F-5D00-478A-A64A-48A5F17D2374} - (no file) (HKCU)
O12 - Plugin for .au:2048/science?_ob=MImg&_imagekey=B6VGS-43X7KNP-5-N&_cdi=6046&_orig=search&_coverDate=09/11/2001&_sk=999149999&view=c&wchp=dGLbVtb-zSkWA&_acct=C000014118&_version=1&_userid=202616&md5=259c637bba82beb663: C:\PROGRA~1\INTERN~1\PLUGINS\npp
df32.dll
O15 - Trusted Zone: *.tl81.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.tl81.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82...hm::/update.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\VTLBAR1.DLL
C:\WINDOWS\sfpsvr.exe
C:\WINDOWS\System32\tss.exe
C:\WINDOWS\SYSTEM\systime.exe
C:\WINDOWS\SYSTEM\msmsgs.exe
C:\Program Files\Security iGuard\

Reboot into Normal Mode.

**Note** DO NOT REBOOT THE PC During the removal process. If you do the filenames will change. You may do the above HijackThis fixes, but starting below here, try to keep your computer on until I come back with a fix. Otherwise, wait until you can leave the computer on before running the new HijackThis and FindIt's log.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please, along with the new HijackThis log.
  • 0

#3
greyknight17
Posted 20 June 2005 - 05:12 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP