Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

smitfraud.c

Started by rowen82 , Jun 10 2005 09:20 AM

Please log in to reply

#1
rowen82

Posted 10 June 2005 - 09:20 AM

Member

Member
10 posts

Hi there,

I've got the Smitfraud.c virus, and I checked out your advice to other people and tried to follow some of it.
I've left this for quite a while, so I'll try to remember correctly what I did.

Symptoms:
Blue wallpaper with that message
Internet Explorer closes suddenly
ZoneAlarm won't open any more on startup or any other time. I can't install it again either - I get err msg:
The file C:\Windows\System32\ZoneLabs\vsmon.exe could not be opened.
I cannot delete this file (vsmon.exe) and I have taken ZoneAlarm out of the Startup menu.

My config:
XP SP1

Actions taken:
I deleted wp.exe and wp.bmp files. I went through the registry and deleted one reference to wp if I remember correctly
I checked for popuper, intmonp and helper. I deleted any I found.

I have my normal desktop back, but the fact that my firewall won't run means I'm not convinced I've got rid of everything.

Basically I don't dare go on internet without a firewall, and even if I could reinstall ZoneAlarm or another, I would have to update.
I have no anti-virus. I have now downloaded one of the free ones you talked about, but cannot update it.
I already had AdAware, but downloaded AdAware SE. Of course, I cannot update it....
I am sending you this from work, so any advice you have for me I can only implement the next day.

You guys seem to be doing a great job here, I hope you can help me too.

Should I load SP2 (I have it on CD)? I wanted to wait to check I'd got rid of this thing first.

Thanks

Rich

Here's my HijackThis output:

Logfile of HijackThis v1.99.1
Scan saved at 19:58:14, on 09/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\sys002.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
F:\Temp\ZoneAlarm\zlsSetup_51_033_000.exe
C:\DOCUME~1\BOB~1.CON\LOCALS~1\Temp\GLB1.tmp
F:\Temp\Anti Virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ht tp://69.50.190.135/?to=FED&from=start_page&type=start_page
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLSAV] C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sys002] C:\WINDOWS\System32\sys002.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Microsoft AntiSpyware helper - {4A0A5E59-2BA4-4D5B-8B1C-EC7B9859CF68} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4A0A5E59-2BA4-4D5B-8B1C-EC7B9859CF68} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {4A0A5E59-2BA4-4D5B-8B1C-EC7B9859CF68} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4A0A5E59-2BA4-4D5B-8B1C-EC7B9859CF68} - C:\WINDOWS\System32\wldr.dll (HKCU)
O16 - DPF: Interface Chat Voila - http://chat10.x-echo...t/vchatsign.cab
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {62CE3CBC-B889-423A-9457-2FE7A731BBD8} (UpdateStart Class) - http://eng.pristonta...pristontale.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://www.memotech...lder/msxml4.cab
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2
Metallica

Posted 10 June 2005 - 09:36 AM

Spyware Veteran

GeekU Moderator
33,101 posts

Hi rowen82,

Can you please surf to:
http://www.thespykil...x.php?topic=5.0
and follow the instructions there to upload this file:
C:\WINDOWS\System32\sys002.exe

*Click here and download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINDOWS\sites.ini
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\hhk.dll
C:\WINDOWS\System32\helper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\System32\ole32vbs.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\msmsgs.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After the reboot run HijackThis.
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ht tp://69.50.190.135/?to=FED&from=start_page&type=start_page

O4 - HKLM\..\Run: [sys002] C:\WINDOWS\System32\sys002.exe

O9 - Extra button: Microsoft AntiSpyware helper - {4A0A5E59-2BA4-4D5B-8B1C-EC7B9859CF68} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4A0A5E59-2BA4-4D5B-8B1C-EC7B9859CF68} - C:\WINDOWS\System32\wldr.dll

O9 - Extra button: Microsoft AntiSpyware helper - {4A0A5E59-2BA4-4D5B-8B1C-EC7B9859CF68} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4A0A5E59-2BA4-4D5B-8B1C-EC7B9859CF68} - C:\WINDOWS\System32\wldr.dll (HKCU)

We will have to look at ZA after we find out what the file I asked you to upload is.
It could be a trojan that disables firewalls and other security programs.

Regards,

#3
rowen82

Posted 11 June 2005 - 12:26 PM

Member

Topic Starter
Member
10 posts

Hi Metallica,

I tried to connect to internet to upload the sys002.exe file from my PC, and Internet Explorer could not connect. In the AOL browser, I typed www.dogpile.com and got a page full of strange characters.
Then I realised I could just copy the sys002.exe file onto my USB key. DOH!

I've uploaded it on skykiller for you.

Anyway, I ran Killbox, although it didn't reboot automatically.
I ran HijackThis and fixed the stuff you asked.

Is it worth trying to install ZA again, or is the SP2 firewall better?

Thanks a lot

Rich

#4
Metallica

Posted 11 June 2005 - 02:06 PM

Spyware Veteran

GeekU Moderator
33,101 posts

The SP2 firewall isn't very configurable, so I'd prefer ZA.
But don't use them simultaneously for that will cause real problems.

Can you post a new HijackThis log please.

sys002.exe is a trojan by the way, so you can delete that.

Regards,

#5
rowen82

Posted 13 June 2005 - 01:16 AM

Member

Topic Starter
Member
10 posts

Hoi

I deleted sys002.exe and I connected to internet briefly and it appeared to work.
Trying to install ZA failed again because of this vsmon.exe file. Do you know what this file is? It looks like it's a ZA file, but how come it runs every startup if I have uninstalled ZA? ZA does not appear in my Add/Delete Programs list.

HijackThis log after deleting sys002.exe:

Logfile of HijackThis v1.99.1
Scan saved at 23:11:58, on 12/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
F:\Temp\Anti Virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLSAV] C:\PROGRA~1\TECHCI~1\AOLSAV\AOLAgent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Fichiers communs\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Interface Chat Voila - http://chat10.x-echo...t/vchatsign.cab
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {62CE3CBC-B889-423A-9457-2FE7A731BBD8} (UpdateStart Class) - http://eng.pristonta...pristontale.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://www.memotech...lder/msxml4.cab
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks

Rich

#6
Metallica

Posted 13 June 2005 - 01:24 AM

Spyware Veteran

GeekU Moderator
33,101 posts

Fix this one:

O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

That is the ZoneAlarm service.
The rest looks good. :tazz:

Regards,

#7
rowen82

Posted 13 June 2005 - 04:11 AM

Member

Topic Starter
Member
10 posts

Thanks a lot!

I'll check it out tonight and see if ZA installs correctly. I imagine it should as it's only this process that's stopping it.

I'll give you a yea or nea tomorrow and then hopefully sign off.

Rich

#8
Metallica

Posted 13 June 2005 - 04:16 AM

Spyware Veteran

GeekU Moderator
33,101 posts

OK. I'll keep this thread open. :tazz:

#9
rowen82

Posted 14 June 2005 - 05:43 AM

Member

Topic Starter
Member
10 posts

Well, I still can't install ZA.

I checked and fixed vsmon.exe in HJThis and it did nothing. I rebooted - still there.
In Admin Tools/Services, the TrueVector Internet Monitor is there but not running (before or after fixing it in HJThis).
It doesn't appear in Task Manager/Processes.
How do I get rid of it as a Service - it's not even running!
HJThis log same as yesterday.

Thanks

Rich

#10
Metallica

Posted 14 June 2005 - 06:09 AM

Spyware Veteran

GeekU Moderator
33,101 posts

Click Start > Run type services.msc > OK
In the list of services find:
TrueVector Internet Monitor (vsmon)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: vsmon

That should get rid of it.

Regards,

#11
rowen82

Posted 14 June 2005 - 07:25 AM

Member

Topic Starter
Member
10 posts

I wrote this earlier, but maybe I didn't click the right button to save.

Anyway,
I can't install ZA.
I checked and fixed vsmon.exe in HJThis and nothing happened.
I checked in the Services and the TrueVector Internet Monitor is not running (either before or after fixing it in HJThis). Rebooting changes nothing.

vsmon.exe does not appear in Task Manager/Processes

HJThis log same as yesterday.

How do I remove this service, and why is it blocking the installation if it's not even running?

Thanks

Rich

#12
rowen82

Posted 14 June 2005 - 07:26 AM

Member

Topic Starter
Member
10 posts

Sorry about the repetition - I obviously didn't refresh. SOrry!

#13
Metallica

Posted 14 June 2005 - 07:33 AM

Spyware Veteran

GeekU Moderator
33,101 posts

No problem. :tazz:

#14
rowen82

Posted 15 June 2005 - 07:20 AM

Member

Topic Starter
Member
10 posts

Hi again,

This vsmon.exe file still won't go!

I went into Services and disabled it. It then no longer appeared in HJThis list. Then I did a Delete an NT Service. OK, when I rebooted, the service no longer exists.
Try to instll ZA again - same msg - vsmon.exe in use.
I went into the Registry and found an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs - a REG_DWORD with a path to vsmon.exe. I deleted this too. No luck.
In HJThis, I did a delete on reboot for the file - didn't work. File still there and can't be deleted.

Is it worth just leaving ZA and getting a different firewall?
I can't try SP2 for the mo because my copy won't run. Heel grappig.

#15
Metallica

Posted 15 June 2005 - 07:27 AM

Spyware Veteran

GeekU Moderator
33,101 posts

I think this entry in the registry needs to go as well:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VSDATA95

Then locate and delete the files VSDATA95 and/or VSDATANT
Then find vsmon.exe and rename it to vsmon.bak

Reboot and you should be able to install ZA again.

Regards,