Another smitfraud/Wp trojan case :o/



#1
memelz33
First of all--thank GOD for your site!! :)
Okay, with that said, on to my most recent 'headache of the day' ;) lol


A couple days ago, while I was doing stuff that I normally do, I received an alert window from my AntiVir program telling me that it blocked access to a trojan: TR/Drop.Small.TY.2. I then have the option to delete, move to quarantine, etc.... I had pretty much the same thing happen roughly a week or so ago, and at that time I chose to delete--never had any probs afterwards, so that is what I did this time as well. I never noticed anything 'hinky' at that time, but knew when I signed off my AOL, I was gonna run all my 'anti' programs, just to make sure all was well....

The first thing I saw when I closed out AOL was this lovely 'fatal error blue' wallpaper :) Had that message: "Fatal error in IE...blah, blah,....caused by Trojan-Spy.HTML.Smitfraud.C....blah, blah, blah...." Y'all know the one, I'm sure..lol

I ran my AntiVir, and while it told me it had deleted that trojan, it did not come up with any new stuff at that time. Desktop was still screwed up ;)

To make a long story short--or trying to at least :) --from all the perusing I've done of various sites on this matter-(especially yours!)-I've pretty much figured out what has happened....I picked up that WP.EXE bug :) I couldn't figure out just what, how and where I picked this up, nor could I locate any of the file names-(like the wldr.dll)-that were being thrown at me by AntiVir, so I did a file search by date--and found the WP.exe and the WP.bmp files..I deleted those out, and while my desktop is now black, I still have no desktop tab in my Display Properties box :)


Sorta scared to fiddle with my registry too much, but I've printed out instructions you gave another member here on how to get rid of this bug and restore the tab in D.Props....I just thought I should maybe post you my HJT log and make sure the same instructions would work for me, as that person might have a diff puter/OS than I.....

I'm also going to post my AntiVir log in the right place for your inspection-(I can't post that here, right?) There is this thing about my swapfile I'm curious about.....

I just basically would love to make sure and know that I've gotten ALL the extra 'goodies' those bugs inject on my puter--this isn't the first time I've gone through this, unfortunately....I'm also curious as to exactly how/when I might have picked this up--I had downed three new programs off the web within the past two weeks, two were installed, the other hasn't been yet-(the one not installed yet is an online pic album called JAlbum..the two installed ones are IrfanView-(pic tool/screencapture)-and PhotoPlus)...other than that, I had surfed the web a bit, researching, and had visited diff sites....running AntiVir the whole time, of course :) Is it possible for me to have picked up this bug while surfing, then it suddenly tries to assert itself out of the blue? At the time I got the alert from AntiVir, I was doing the same things I do all the time and have been for months. Just curious :) To me, that bothers me more than anything else, I think--not knowing where/how I picked it up, ya know?


Here's the log for HJT--thanks so much for your time and your help! :tazz:
Mel

Logfile of HijackThis v1.98.0
Scan saved at 8:57:55 AM, on 4/28/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://magicsearch.us/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://magicsearch.us/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: IEByteRange - {722D2939-A14A-41A9-9EAC-AB8F4E295819} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRAM FILES\AGNITUM\TAUSCAN 1.7\TAUMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - (no file) (HKCU)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.co...p-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://swashbucks.po...d-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.co...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.c...e-ob-assets.cab
O16 - DPF: SciFi Slots by pogo - http://scifi.pogo.co...i-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.co...u-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweet06.pogo....h-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke.pogo.c...d-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://drawpoker.pog...r-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.co...e-ob-assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Big Shot Roulette TM by pogo - http://roulet.pogo.c...e-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game5.pogo.co...l-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades.pogo.c...s-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game5.pogo.co...o-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Hearts by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.frightmis...sCamControl.ocx
O16 - DPF: Turbo 21 TM by pogo - http://game6.pogo.co...1-ob-assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com...e-ob-assets.cab
O16 - DPF: Perfect Passer by pogo - http://perfectpasser...r-ob-assets.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.c...n-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/...n-ob-assets.cab
O16 - DPF: NASCAR Web Racing by pogo - http://nascar.pogo.c...r-ob-assets.cab
O16 - DPF: Quick Shot by pogo - http://quickshot.pog...t-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo....m-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit.pogo.c...t-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.co...a-ob-assets.cab
O16 - DPF: Pebble Beach Golf by pogo - http://pebble.pogo.c...e-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pog...n-ob-assets.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.co...w-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL
O21 - SSODL: System - {63B481A0-E2BD-11D8-A630-444553540000} - (no file)
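A small triage script for HijackThis logs like the one above, added here as an example (it is not the forum's or HijackThis's own code). It parses R/O entries from a constructed sample copied from the posted log and flags the patterns a helper checks first: an IE start page set to a bare IP address, orphaned "(no file)" entries, and an autorun whose file name imitates a system binary. The list of genuine Win9x system binaries is an assumed short list, and the name-lookalike rule is a heuristic, not a HijackThis feature.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
O2 - BHO: IEByteRange - {722D2939-A14A-41A9-9EAC-AB8F4E295819} - (no file)
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O21 - SSODL: System - {63B481A0-E2BD-11D8-A630-444553540000} - (no file)
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")          # "R1 - payload", "O4 - payload"
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed short list of genuine Win9x system binaries that malware likes to imitate.
KNOWN_SYSTEM = {"spool32.exe", "systray.exe", "rundll32.exe", "explorer.exe"}


def basename_of(command: str) -> str:
    """Lower-cased file name from an O4 command such as 'C:\\...\\AVGCTRL.EXE /min'."""
    exe = command.split(" /", 1)[0].strip().strip('"')
    return re.split(r"[\\/]", exe)[-1].lower()


def triage_entry(section: str, payload: str):
    """Return a reason string if the entry matches a Smitfraud-style indicator, else None."""
    if section in ("R0", "R1") and " = " in payload:
        host = urlsplit(payload.split(" = ", 1)[1]).hostname or ""
        if IPV4_RE.match(host):
            return "IE start/search page points at a bare IP address"
    if "(no file)" in payload and section in ("O2", "O9", "O21"):
        return "orphaned entry whose target file is gone (leftover of a removed component)"
    if section == "O4" and "] " in payload:
        base = basename_of(payload.split("] ", 1)[1])
        # Heuristic: unknown name sharing its first five characters with a system binary.
        if base not in KNOWN_SYSTEM and any(base[:5] == k[:5] for k in KNOWN_SYSTEM):
            return f"autorun file {base} imitates a system binary name"
    return None


def triage_log(text: str):
    """Scan every HJT entry; return [(section, reason, line)] for the suspicious ones."""
    findings = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line)
        reason = triage_entry(*m.groups()) if m else None
        if reason:
            findings.append((m.group(1), reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run on the sample, `triage_log` returns four findings (the R1 start page, the O2 and O21 "(no file)" entries, and the spoolsrv32 autorun) and leaves the legitimate AVGCtrl entry alone.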


#2
memelz33
Okay, so I couldn't figure out where else to post my log file from my AntiVir program, so I hope I'm not doing wrong by putting it here--if so, sooorry :tazz:

The part about the 'swapfile' I know has been up there since before all this mess the last couple days...not sure if it is normal or is maybe caused by a different trojan? The rest it reports, I really don't know about.....

*These are not the full reports--only the section that shows what it found.

The first one, the 26th, is the very first one I ran right after I signed off AOL--shows only one of the TR/Drop thingys.....The very next scan, the next day, doesn't show the TR/Drop one, but now shows TWO for the TR/Antispyware *scratching head*

After kadiddling around trying to get this mess out, the next scan shows none of the TR stuff--not sure if that's good or not ;) lol I hope this helps some ;) I plan on running the AntiVir again in a bit--if I get anything diff, I'll post that too....again, thanks!

Start of scan: Tuesday, April 26, 2005 22:21

Memory test OK
Master boot record of hard disk HD0 OK
Boot record of drive C: OK


C:\WINDOWS
WIN386.SWP
Access denied! Error during file opening!
This is a Windows swap file. This file is locked by Windows.
Error code: 0x000D
WARNING! Access error/file locked!
C:\WINDOWS\OPTIONS\CABS
WIN98_24.CAB
ArchiveType: CAB (Microsoft)
NOTE! The archive is created by multiple volumes
WIN98_25.CAB
ArchiveType: CAB (Microsoft)
NOTE! The archive is created by multiple volumes
C:\WINDOWS\temp
wldr.dll
[DETECTION] Is the Trojan horse TR/Drop.Small.TY.2
WAS DELETED!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Start of scan: Wednesday, April 27, 2005 12:50

Memory test OK
Master boot record of hard disk HD0 OK
Boot record of drive C: OK


C:\WINDOWS
WIN386.SWP
Access denied! Error during file opening!
This is a Windows swap file. This file is locked by Windows.
Error code: 0x000D
WARNING! Access error/file locked!
C:\WINDOWS\OPTIONS\CABS
WIN98_24.CAB
ArchiveType: CAB (Microsoft)
NOTE! The archive is created by multiple volumes
WIN98_25.CAB
ArchiveType: CAB (Microsoft)
NOTE! The archive is created by multiple volumes
C:\WINDOWS\SYSTEM
srpcsrv32.dll
[DETECTION] Is the Trojan horse TR/TopAntiSpyware.i1
WAS DELETED!
C:\Program Files\AVPersonal\INFECTED
SPOOLSRV32.VIR
[DETECTION] Is the Trojan horse TR/TopAntiSpyware.i
WAS DELETED!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Start of scan: Wednesday, April 27, 2005 16:25

Memory test OK
Master boot record of hard disk HD0 OK
Boot record of drive C: OK


C:\WINDOWS
WIN386.SWP
Access denied! Error during file opening!
This is a Windows swap file. This file is locked by Windows.
Error code: 0x000D
WARNING! Access error/file locked!
C:\WINDOWS\OPTIONS\CABS
WIN98_24.CAB
ArchiveType: CAB (Microsoft)
NOTE! The archive is created by multiple volumes
WIN98_25.CAB
ArchiveType: CAB (Microsoft)
NOTE! The archive is created by multiple volumes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Start of scan: Wednesday, April 27, 2005 22:21

Memory test OK
Master boot record of hard disk HD0 OK
Boot record of drive C: OK


C:\WINDOWS
WIN386.SWP
Access denied! Error during file opening!
This is a Windows swap file. This file is locked by Windows.
Error code: 0x000D
WARNING! Access error/file locked!
C:\WINDOWS\OPTIONS\CABS
WIN98_24.CAB
ArchiveType: CAB (Microsoft)
NOTE! The archive is created by multiple volumes
WIN98_25.CAB
ArchiveType: CAB (Microsoft)
NOTE! The archive is created by multiple volumes