Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

I am infected with Trojan-Spy.HTML.Smitfraud.c


  • Please log in to reply

#1
James Trickey

James Trickey

    New Member

  • Member
  • Pip
  • 2 posts
:tazz:

I connected to the Broadband Internet on my Laptop yesterday afternoon

I am now infected with many trojans and viruses, and I have run 3 antivirus programs, but they all cannot destroy Trojan-Spy.HTML.Smitfraud.c I have a blue screen saying:

Security Warning

A fatal error in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

*System cannot function in normal mode.
Please check your security settings.

*Scan your PC with any available antivirus / spyware remover program to fix the problem


Then, on reboot, system cannot display temp.dll file to restore the desktop.

Here is my HijackThis v1.99.1 Logfile. I am currently using a BT Yahoo Broadband Browser.

Logfile of HijackThis v1.99.1
Scan saved at 09:40:35, on 15/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\mqbdmail.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\iphxmlc.exe
C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\DOCUME~1\James\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gloscheck.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gloscheck.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B3264EF3-DE73-45B0-918F-1CC6B38794BA} - C:\WINDOWS\system32\elbg.dll (file missing)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\James\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [034j32P] mqbdmail.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H0vtRSj3S] iphxmlc.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A4DA12DD-1110-4630-B26F-6917B9C32BD8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A4DA12DD-1110-4630-B26F-6917B9C32BD8} - (no file) (HKCU)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


Can anyone help me, please?

Thankyou!
  • 0

Advertisements


#2
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Ok, I don't think it's going to work the first time around, but it should get a little better. I want to see how this infection acts when we attempt to remove it like this and hopefully it will show some more of it's ugly mug for us to see and remove the rest of the way. Lets get started.

First Step:

Please download CleanUp!and install it. Do not run the program yet, we will do this later in Safe Mode.

Please download "Del Domain" from here:

http://www.geekstogo...=download&id=40

Download it to your desktop or somewhere you will find it. Extract the .inf file from the .zip file you just downloaded. Now right click "Deldomains.inf" and click "Install". It will not appear to have done anything, thats ok. Next step.

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B3264EF3-DE73-45B0-918F-1CC6B38794BA} - C:\WINDOWS\system32\elbg.dll (file missing)
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\James\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [034j32P] mqbdmail.exe
O4 - HKCU\..\Run: [H0vtRSj3S] iphxmlc.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A4DA12DD-1110-4630-B26F-6917B9C32BD8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A4DA12DD-1110-4630-B26F-6917B9C32BD8} - (no file) (HKCU)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\system32\mqbdmail.exe
C:\WINDOWS\system32\iphxmlc.exe
C:\WINDOWS\isrvs
C:\WINDOWS\system32\elbg.dll

Now once those are deleted, right click deldomains.inf and click Install again just as you did before, just to be safe :tazz:

Now click Start, All Programs, Cleanup! and click the "CleanUp!" button. When it is finished it will ask if you want to log off, say NO. Now reboot normally and post a new log.

-=jonnyrotten=- ;)
  • 0

#3
James Trickey

James Trickey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Hello, thank you for your help!

I have run a full system scan on 3 different antivirus / spyware applications and it seems to have deleted the rogue files. I am following the procdure of removal given by Symantec an I have disabled System Restore.

The blue screen has gone and all my files and settings have stopped changing. I still have one problem, however: I cannot get wallpaper to display. When I right click and choose properties (or do the same from the Control Panel), it lists everything (Screensaver, themes . . .) apart from backgrounds. :tazz: With the themes, it has the basic XP files an folders settings etc, but displays no background. The strange thing is, though, that it is displaying a picture from my clip art collection at the centre an I can't get it to change. The current screen is blue, with a clipart picture of a sunset in the centre.

Can you help me display a ifferent screensaver and fix it????

Thankyou,

James Trickey
  • 0

#4
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Yes I can help you. First lets get a look at a new Hijack This log to make sure you're clean.

-=jonnyrotten=- :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP