[eddroux]

I posted this topic last night but it was pretty late. I didn't have any replies as of this evening so I figured I should post it again. So if anyone can help me, please reply. I'll be here waiting to hear from you.

I have a pc (not the one I'm on) that has been infected with the Smitfraud trojan and need some help removing it. My HijackThis Log is listed below. I can not get to the desktop, however I was able to boot in safe mode with command prompt and get to Windows Explorer. What do I need to do next?

Logfile of HijackThis v1.99.1
Scan saved at 11:18:20 PM, on 6/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.com
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\System32\msvcmm32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} - https://password.bel...oad/tgctlsr.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.wea...Transporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

[Advertisements]

Please download LSP-Fix from the following link and save it to a location you can find later if necessary.

LSP-Fix Download Link - http://www.bleepingc...iles/lspfix.php

To remove New.net please follow these steps:

1. Click on start, then settings and then control panel.

2. Double-click on the Add/Remove Programs icon.

3. Look through the installed programs for a program called New.Net or NewDotNet.

4. If there is no uninstall program listed then do the following:
1. Go to www.newdotnet.com/removal.html
2. Scroll down to Procedure 4and follow the removal instructions.

Once the computer has rebooted, start HijackThis and fix any of the corresponding entries for that program that are found.

Then reboot and delete the C:\Program Files\NewDotNet\ directory.

At this point you should be clean.

If you can not connect to the Internet after removing New.net, Please run the LSP-Fix program I had you download earlier, and click on the finish button. Reboot and you should be able to get back on.

Then post a new HiJackThis log for me, and we can get rid of smitfrad.

[Justin]

Please download LSP-Fix from the following link and save it to a location you can find later if necessary.

LSP-Fix Download Link - http://www.bleepingc...iles/lspfix.php

To remove New.net please follow these steps:

1. Click on start, then settings and then control panel.

2. Double-click on the Add/Remove Programs icon.

3. Look through the installed programs for a program called New.Net or NewDotNet.

4. If there is no uninstall program listed then do the following:
1. Go to www.newdotnet.com/removal.html
2. Scroll down to Procedure 4and follow the removal instructions.

Once the computer has rebooted, start HijackThis and fix any of the corresponding entries for that program that are found.

Then reboot and delete the C:\Program Files\NewDotNet\ directory.

At this point you should be clean.

If you can not connect to the Internet after removing New.net, Please run the LSP-Fix program I had you download earlier, and click on the finish button. Reboot and you should be able to get back on.

Then post a new HiJackThis log for me, and we can get rid of smitfrad.

[eddroux]

As I stated in my post, I can not see the desktop at all so I can not click start and go to control panel to get in to add/remove programs. I am only able to get into windows explorer when I boot in safe mode with command prompt. If any one has any idea on how I can get into add/remove programs without being able to see the start button or get into control panel, please let me know.

[Justin]

Sorry, Do this first, and we will come back to the first set of instructions later.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\system32\perfcii.ini
C:\Windows\System32\helper.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\LogFiles
C:\Program Files\Security IGuard

1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.

Edited by Jfcap, 02 June 2005 - 09:02 PM.

[Justin]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.