I'm new to this forum but like most people I need help yesterday!
After spending a week trying to remove a hijacking/spyware prog from my work pc, I ended up giving up and just backing up and reformatting the sucker....(who was the sucker?)
Nevertheless, all was back to normal after 5 hours of reinstalling the o/s and other required progs. I even created a backup of the system (which is still located on the HD). Also, for the first time ever, I created an ERD just in case anything like that happened again.
Well, lo and behold, one weekend later I come to work and find the pc infected again. This time with a different strain. Something along the lines of smitfraud...whatever that is.
This issue is a little different from the other. With this one, Windows will not even start up as per normal. Just before completion of startup, an error pops up...
"explorer.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created." ...and they continue to be generated. One after another, after another, after another.
Whilst this is happening, the desktop is blue (like the dreaded blue screen) with an exception error in the centre listing "A fatal error has occurred in IE caused by Trojan-Spy.HTML.smitfraud.c" as well as some other crap.
The important thing is that I do not have access to my Start Menu, task bar or desktop items...although they are all visible at times. I cannot browse files to search or anything. I only have some functionality via Task Manager. The same applies in Safe Mode.
After a lengthy process of using a 2nd pc to download HJT, copy to floppy and transfer to infected pc via task manager, I managed to create a log file, copy to floppy and back to other pc to post on this forum.
If anyone has the time and willingness to help me, I would appreciate it greatly!
The log file details are as follows:
Logfile of HijackThis v1.99.1
Scan saved at 3:21:56 PM, on 14/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\explorer.exe
C:\trojfix\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp9ACB.tmp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: http://www.anz.com.au
O15 - Trusted Zone: http://www.commbank.com.au
O15 - Trusted Zone: http://www.emailcash.com.au
O15 - Trusted Zone: http://www.footytips.com.au
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Thanks in advance.
BV
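A small triage script for a log like the one above, added here as an example (it is not part of the original post and not HijackThis's own code). It parses the R0/R1, F2, O2, O4, O15, O16 and O20 lines and applies the checks a helper would otherwise run by eye: a start or search page pointing at a non-default host, an extra executable appended to system.ini's Shell=, a BHO loading from a .tmp file, a Run value that borrows a Windows binary's name (RegSvr32) but launches something else, an autorun in system32 that is not in the baseline, a DPF entry built on the ms-its:/mhtml: URL chain, and a Winlogon Notify DLL outside system32. It then correlates the flagged binaries and hosts across sections so that anything wired into several places (msmsgs.exe in both F2 and O4 here) stands out. The sample log is a subset of the lines from the post; DEFAULT_IE_HOSTS, KNOWN_SYSTEM32_AUTORUNS and WINDOWS_BINARY_STEMS are allowlists constructed for this example and would have to be built from a known-clean image of the machine in question.

```python
"""Triage a HijackThis v1.99 log for the hijack patterns seen in the post above.

Added example: not part of the original post and not HijackThis code.
The allowlists are constructed for this example; a real baseline has to come
from a known-clean image of the machine being examined.
"""
import re

# Constructed: hosts a stock IE install points R0/R1 entries at.
DEFAULT_IE_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com"}
# Constructed: system32 autoruns already accounted for on this machine.
KNOWN_SYSTEM32_AUTORUNS = {"mobsync.exe", "nerocheck.exe"}
# Stems of real Windows binaries whose names malware borrows for Run values.
WINDOWS_BINARY_STEMS = {"regsvr32", "svchost", "rundll32", "explorer",
                        "lsass", "services", "winlogon", "csrss"}

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
RUN_RE = re.compile(r"\[(.*?)\]\s*(.*)")
EXE_RE = re.compile(r'([^\s"]+\.exe)', re.IGNORECASE)

# Constructed sample: a subset of the lines from the post above, verbatim.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp9ACB.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O15 - Trusted Zone: http://www.anz.com.au
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""


def _basename(path):
    return path.strip().rsplit("\\", 1)[-1].lower()


def _in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return findings in log order: dicts with section, severity, reason,
    artifact (the binary or host implicated, or None) and the raw line."""
    findings = []

    def flag(sec, severity, reason, artifact, line):
        findings.append({"section": sec, "severity": severity, "reason": reason,
                         "artifact": artifact, "line": line})

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, rest = m.groups()
        tail = rest.rsplit(" - ", 1)[-1]  # last " - " field, usually a path
        if sec in ("R0", "R1"):
            h = HOST_RE.search(rest)
            if h and h.group(1).lower() not in DEFAULT_IE_HOSTS:
                flag(sec, "high", "IE start/search page set to non-default host", h.group(1).lower(), raw)
        elif sec == "F2" and "Shell=" in rest:
            # system.ini Shell= must be exactly Explorer.exe; anything appended runs at every logon
            parts = [p.strip() for p in rest.split("Shell=", 1)[1].split(",")]
            for extra in parts[1:]:
                flag(sec, "high", "extra executable appended to Shell=", extra.lower(), raw)
        elif sec == "O2" and _basename(tail).endswith(".tmp"):
            flag(sec, "high", "BHO loaded from a .tmp file", _basename(tail), raw)
        elif sec == "O4":
            r, e = RUN_RE.search(rest), EXE_RE.search(rest)
            if not (r and e):
                continue
            name, cmd, exe = r.group(1).strip().lower(), r.group(2), _basename(e.group(1))
            if name in WINDOWS_BINARY_STEMS and exe != name + ".exe":
                flag(sec, "high", "Run value named after Windows binary %s but launches %s" % (name, exe), exe, raw)
            elif _in_system32(cmd) and exe not in KNOWN_SYSTEM32_AUTORUNS:
                flag(sec, "medium", "autorun in system32 not in baseline", exe, raw)
        elif sec == "O15":
            h = HOST_RE.search(rest)
            flag(sec, "low", "site in Trusted Zone; confirm the user added it", h.group(1).lower() if h else None, raw)
        elif sec == "O16" and re.search(r"ms-its:|mhtml:|\.exe", rest, re.IGNORECASE):
            flag(sec, "high", "DPF entry uses ms-its/mhtml URL chain or references an executable", None, raw)
        elif sec == "O20" and not _in_system32(tail):
            flag(sec, "high", "Winlogon Notify DLL outside system32", _basename(tail), raw)
    return findings


def multi_point_artifacts(findings):
    """Artifacts flagged in more than one log section: one binary or host
    wired into several hijack or persistence points."""
    seen = {}
    for f in findings:
        if f["artifact"]:
            seen.setdefault(f["artifact"], set()).add(f["section"])
    return {a: sorted(s) for a, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    fs = triage(SAMPLE_LOG)
    for f in fs:
        print("%-4s %-6s %s" % (f["section"], f["severity"], f["reason"]))
    print("multi-point artifacts:", multi_point_artifacts(fs))
```

The F2 Shell= entry and the O20 Winlogon Notify DLL both load from Winlogon before the desktop shell exists, and both still apply in Safe Mode, which is consistent with the poster seeing the same behaviour there. Ticking those entries in HijackThis only deletes the registry values; the files they point at (msmsgs.exe, hookdump.exe, the .tmp BHO and the Notify DLL) have to be removed as well, or the next logon simply recreates the problem.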