Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

I am infected with Trojan-Spy.HTML.Smitfraud.c

Started by James Trickey , May 15 2005 03:05 AM

  • Please log in to reply

#1
James Trickey
Posted 15 May 2005 - 03:05 AM

James Trickey

    New Member

  • Member
  • Pip
  • 2 posts
:tazz:

I connected to the Broadband Internet on my Laptop yesterday afternoon

I am now infected with many trojans and viruses, and I have run 3 antivirus programs, but they all cannot destroy Trojan-Spy.HTML.Smitfraud.c I have a blue screen saying:

Security Warning

A fatal error in IE has occured at 0028:C0011E36 in VXD VMM<01> + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

*System cannot function in normal mode.
Please check your security settings.

*Scan your PC with any available antivirus / spyware remover program to fix the problem


Then, on reboot, system cannot display temp.dll file to restore the desktop.

Here is my HijackThis v1.99.1 Logfile. I am currently using a BT Yahoo Broadband Browser.

Logfile of HijackThis v1.99.1
Scan saved at 09:40:35, on 15/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\mqbdmail.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\iphxmlc.exe
C:\Program Files\BT Yahoo!\Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\DOCUME~1\James\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gloscheck.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gloscheck.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B3264EF3-DE73-45B0-918F-1CC6B38794BA} - C:\WINDOWS\system32\elbg.dll (file missing)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~1\Help\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\James\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [034j32P] mqbdmail.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H0vtRSj3S] iphxmlc.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A4DA12DD-1110-4630-B26F-6917B9C32BD8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A4DA12DD-1110-4630-B26F-6917B9C32BD8} - (no file) (HKCU)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


Can anyone help me, please?

Thankyou!
  • 0

Advertisements

#2
-=jonnyrotten=-
Posted 15 May 2005 - 02:16 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Ok, I don't think it's going to work the first time around, but it should get a little better. I want to see how this infection acts when we attempt to remove it like this and hopefully it will show some more of it's ugly mug for us to see and remove the rest of the way. Lets get started.

First Step:

Please download CleanUp!and install it. Do not run the program yet, we will do this later in Safe Mode.

Please download "Del Domain" from here:

http://www.geekstogo...=download&id=40

Download it to your desktop or somewhere you will find it. Extract the .inf file from the .zip file you just downloaded. Now right click "Deldomains.inf" and click "Install". It will not appear to have done anything, thats ok. Next step.

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B3264EF3-DE73-45B0-918F-1CC6B38794BA} - C:\WINDOWS\system32\elbg.dll (file missing)
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\James\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [034j32P] mqbdmail.exe
O4 - HKCU\..\Run: [H0vtRSj3S] iphxmlc.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A4DA12DD-1110-4630-B26F-6917B9C32BD8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A4DA12DD-1110-4630-B26F-6917B9C32BD8} - (no file) (HKCU)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\system32\mqbdmail.exe
C:\WINDOWS\system32\iphxmlc.exe
C:\WINDOWS\isrvs
C:\WINDOWS\system32\elbg.dll

Now once those are deleted, right click deldomains.inf and click Install again just as you did before, just to be safe :tazz:

Now click Start, All Programs, Cleanup! and click the "CleanUp!" button. When it is finished it will ask if you want to log off, say NO. Now reboot normally and post a new log.

-=jonnyrotten=- ;)
  • 0

#3
James Trickey
Posted 16 May 2005 - 05:26 AM

James Trickey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Hello, thank you for your help!

I have run a full system scan on 3 different antivirus / spyware applications and it seems to have deleted the rogue files. I am following the procdure of removal given by Symantec an I have disabled System Restore.

The blue screen has gone and all my files and settings have stopped changing. I still have one problem, however: I cannot get wallpaper to display. When I right click and choose properties (or do the same from the Control Panel), it lists everything (Screensaver, themes . . .) apart from backgrounds. :tazz: With the themes, it has the basic XP files an folders settings etc, but displays no background. The strange thing is, though, that it is displaying a picture from my clip art collection at the centre an I can't get it to change. The current screen is blue, with a clipart picture of a sunset in the centre.

Can you help me display a ifferent screensaver and fix it????

Thankyou,

James Trickey
  • 0

#4
-=jonnyrotten=-
Posted 16 May 2005 - 11:12 AM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Yes I can help you. First lets get a look at a new Hijack This log to make sure you're clean.

-=jonnyrotten=- :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP