[ACromwell]

I have been reading a number of the postings regarding Smitfraud, hoping to shed some light on our problem, but find that all the suggested solutions require that the infected computer be at least accessible. Our machine will not respond to any command except CTR-ALT-DEL. The instructions for removal of the problem screen by dragging it down do not seem to work.

Using a different machine, I have downloaded Kill Box and HiJackThis and some other removal tools and taken them over to my dtr-in-law's house where the problem is.

The first thing I did was to bring over my copy of Norton Works and run it, while one still could, after which her machine became unresponsive. I am therefore unable to run any of the other tools.

I am using Windows XP home and she was using XP Pro.

Trying to get access to the hard drive, I have tried CTRL-ESC in the blind with no success and I have tried a SAFE start, but the machine wants an administrator password, which my dtr-in-law does not recall. She does not have an emergency startup disk. Can I make one from my machine to run on hers? Can I puchase one somewhere, or download it so that we can at least get to a point where we can start running the removal tools?


Would deeply appreciate any insight into this problem.

[Advertisements]

I have been reading a number of the postings regarding Smitfraud, hoping to shed some light on our problem, but find that all the suggested solutions require that the infected computer be at least accessible.  Our machine will not respond to any command except CTR-ALT-DEL.  The instructions for removal of the problem screen by dragging it down do not seem to work.

Using a different machine, I have downloaded Kill Box and HiJackThis and some other removal tools and taken them over to my dtr-in-law's house where the problem is.

The first thing I did was to bring over my copy of Norton Works and run it, while one still could, after which her machine became unresponsive.  I am therefore unable to run any of the other tools.

I am using Windows XP home and she was using XP Pro.

Trying to get access to the hard drive, I have tried CTRL-ESC in the blind with no success and I have tried a SAFE start, but the machine wants an administrator password, which my dtr-in-law does not recall.  She does not have an emergency startup disk.  Can I make one from my machine to run on hers? Can I puchase one somewhere, or download it so that we can at least get to a point where we can start running the removal tools?
Would deeply appreciate any insight into this problem.

[ACromwell]

I have been reading a number of the postings regarding Smitfraud, hoping to shed some light on our problem, but find that all the suggested solutions require that the infected computer be at least accessible.  Our machine will not respond to any command except CTR-ALT-DEL.  The instructions for removal of the problem screen by dragging it down do not seem to work.

Using a different machine, I have downloaded Kill Box and HiJackThis and some other removal tools and taken them over to my dtr-in-law's house where the problem is.

The first thing I did was to bring over my copy of Norton Works and run it, while one still could, after which her machine became unresponsive.  I am therefore unable to run any of the other tools.

I am using Windows XP home and she was using XP Pro.

Trying to get access to the hard drive, I have tried CTRL-ESC in the blind with no success and I have tried a SAFE start, but the machine wants an administrator password, which my dtr-in-law does not recall.  She does not have an emergency startup disk.  Can I make one from my machine to run on hers? Can I puchase one somewhere, or download it so that we can at least get to a point where we can start running the removal tools?
Would deeply appreciate any insight into this problem.

[ACromwell]

6/12/05
Since posting the previous, I was able to start the SAFE mode with command line, and went about deleting the various file that are listed for deletion, from the list. I found C:\wp.bmp and C:\Windows\System32\wldr.dll. both of which I deleted using command line.

I also deleted Security iguard, and deleted a file that had been marked as being received at the time the virus was received. This was marked “Surfsidekick 3”.

The Hijack log is posted below.

The blue screen of death has now been replace by a black screen of nothing, except for the cursor arrow.


Logfile of HijackThis v1.99.1
Scan saved at 8:49:43 PM, on 6/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.ne...&MEMB...5E^^^^
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {11111111-1111-1111-1111-111111111111} -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Any suggestions?

Edited by ACromwell, 12 June 2005 - 09:59 PM.