Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Another Trojan-Spy.HTML.Smitfraud.c [RESOLVED]

  • This topic is locked This topic is locked



    New Member

  • Member
  • Pip
  • 4 posts
I tried getting rid of this trojan myself but the [bleep] blue screen is still in the background. I've already used ad-aware, CWShredder, Spybot, Ewido security suite, trend housecall, and AVG.

Here's the hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:35:32 AM, on 17/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Documents and Settings\Teo\My Documents\Messenger Service Received Files\msnshell.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Program Files\Netscape\Users\vincent\prefs.js)
O1 - Hosts: www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Configuration Loader] win2update.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MSNShell] C:\Documents and Settings\Teo\My Documents\Messenger Service Received Files\msnshell.exe autorun
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download using ReGet - C:\Program Files\ReGet\RG_Link.htm
O8 - Extra context menu item: &List for ReGet - C:\Program Files\ReGet\RG_List.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All by Re&Get - C:\Program Files\ReGet\RG_All.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldling...ripts/translate
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldling...ripts/translate
O9 - Extra button: Translate - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldling...ripts/translate (file missing)
O9 - Extra 'Tools' menuitem: Translate Page - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldling...ripts/translate (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: ReGet - {38AAF320-C5B4-11D1-B75E-111111111111} - C:\WINNT\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: &Re&Get - {38AAF320-C5B4-11D1-B75E-111111111111} - C:\WINNT\system32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Yahoo! Chat JP 2 - http://cs.chat.yahoo...p/c302/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mail00.nshr....c.ca/iNotes.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {4A88CB42-BBFE-496A-884F-98E8AC316292} (YJInstStarter Control) - http://dl.msg.yahoo....load/yjinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://communities.m...al/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: FireDaemon Service: csrss2 (csrss2) - Unknown owner - C:\WINNT\system32\repair\repair32\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: csrsss (csrsss) - Unknown owner - C:\WINNT\system32\repair\repair32\FireDaemon.EXE (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: FireDaemon Service: msnet (msnet) - Unknown owner - C:\winnt\ms.tmp\FireDaemon.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: FireDaemon Service: rundll32 (rundll32) - Unknown owner - c:\winnt\system32\Microsoft\Protect\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: svchost32 (svchost32) - Unknown owner - c:\winnt\system32\Microsoft\Protect\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: systemnt (systemnt) - Unknown owner - C:\WINNT\system32\repair\repair32\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: winmgnt (winmgnt) - Unknown owner - C:\winnt\ms.tmp\FireDaemon.EXE (file missing)

and here's the ewido report

ewido security suite - Scan report

+ Created on: 10:20:24 PM, 16/06/2005
+ Report-Checksum: 88A52F3A

+ Date of database: 17/06/2005
+ Version of scan engine: v3.0

+ Duration: 232 min
+ Scanned Files: 100666
+ Speed: 7.21 Files/Second
+ Infected files: 24
+ Removed files: 24
+ Files put in quarantine: 24
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:

+ Scan result:
C:\crv.exe/aload.exe -> Backdoor.XLog.221 -> Cleaned with backup
C:\crv.exe/mpanel.exe -> Not-A-Virus.HackTool.Clearlog -> Cleaned with backup
C:\crv.exe/mstask.exe -> Trojan.Glitch -> Cleaned with backup
C:\crv.exe/pipecmd.exe -> Not-A-Virus.Tool.PipeCmd -> Cleaned with backup
C:\crv.exe/wmserver.exe -> Backdoor.Litmus.203 -> Cleaned with backup
C:\heel.exe/cool.exe -> Backdoor.SdBot.gen -> Cleaned with backup
C:\heel.exe/winboot.exe -> Trojan.Glitch -> Cleaned with backup
C:\heel.exe/attrib.exe -> Backdoor.SdBot.gen -> Cleaned with backup
C:\lala.exe/winbaa.exe -> Trojan.Glitch -> Cleaned with backup
C:\lala.exe/attrib.exe -> Backdoor.SdBot.bt -> Cleaned with backup
C:\new.exe/winboot.exe -> Trojan.Glitch -> Cleaned with backup
C:\new.exe/attrib.exe -> Backdoor.SdBot.bt -> Cleaned with backup
C:\nieuw.exe/attrib.exe -> Backdoor.SdBot.gen -> Cleaned with backup
C:\nieuw.exe/winboot.exe -> Trojan.Glitch -> Cleaned with backup
C:\nieuw1.exe/attrib.exe -> Backdoor.SdBot.gen -> Cleaned with backup
C:\nieuw1.exe/winboot.exe -> Trojan.Glitch -> Cleaned with backup
C:\Program Files\Netscape\Communicator\Program\Plugins\NPMySrch.dll -> Spyware.MyWay.e -> Cleaned with backup
C:\Program Files\Serv-U\Serv-U32.exe -> Backdoor.ServU-based -> Cleaned with backup
C:\WINNT\NDNuninstall6_22.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINNT\system32\download\handbot4.exe/winbaa.exe -> Trojan.Glitch -> Cleaned with backup
C:\WINNT\system32\download\handbot4.exe/attrib.exe -> Backdoor.SdBot.bt -> Cleaned with backup
C:\WINNT\system32\mѕdtc.exe -> Spyware.PurityScan -> Cleaned with backup
C:\WINNT\system32\nvnav32g.dll -> Backdoor.IRC.Zcrew -> Cleaned with backup
C:\WINNT\uninstIU.exe -> Trojan.Agent.eo -> Cleaned with backup

::Report End

Any help would be greatly appreciated.
  • 0




    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi canman and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log so I can help you with your Malware Problems.

If you have resolved this issue please let us know.


  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Ahh, I already resolved the problem, at least I think I did. So far no blue screen with the "Trojan-spy.html.smitfraud.c" junk.
While I was searching for help on this board, I noticed that there were quite a few people with the same problem. Is this some new malware? Also is it related to spysheriff. I had both of those problems at the same time.
thanks anyways, keep up the good work.
  • 0



    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
They are actually 2 diffrent infections, but they seemed ot be going hand and hand now :tazz:

Glad your fixed.

  • 0



    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP