Trojan Spy - smitfraud.c [CLOSED]
#16 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello, can you tell me exactly what code you are getting?

There is a piece of code which comes up - looks like a file location


#17 j-alexander (Topic Starter, Member, 42 posts)
I get this: (Build 2600.xpsp_sp2_rtm.040803-2158: Service Pack 2)

That's the exact information I get at the top of the safe mode screen.

Don't know how helpful this is.

J-alexander
#18 miekiemoes (Malware Expert, MVP, 5,503 posts)
Ah, so that means you can boot in safe mode.

That message is normal.

So it's better we uninstall SP2 here. Read here for instructions on how to uninstall it:

http://www.compphix....tallingsp2.html
#19 j-alexander (Topic Starter, Member, 42 posts)
Safe mode appears - but I can't do anything. It appears, and disappears more quickly than it came. All that happens is a constant loop of restarts.

I can't get as far as any of the normal (or safe mode) menus appearing.

That's why I'm finding it difficult to attempt any type of system restore/uninstallation.


Thanks,

J-alexander

Edited by j-alexander, 30 June 2005 - 01:35 PM.

#20 miekiemoes (Malware Expert, MVP, 5,503 posts)
Do you have your original XP CD-ROM?
Because we're going to need the Recovery Console.

You need to follow the steps exactly as described on this site:

http://support.micro...om/?kbid=875355
#21 j-alexander (Topic Starter, Member, 42 posts)
No problems - I'll do this tomorrow at some point and get back to you with the results.

Thanks for all the help so far!!

J-alexander
#22 miekiemoes (Malware Expert, MVP, 5,503 posts)
Ok.. success. :tazz:
#23 j-alexander (Topic Starter, Member, 42 posts)
Ever noticed - once you start getting somewhere with a problem you soon hit a brick wall?

Well it's happened again - tried to do a system restore but tripped up at step 5 - I don't know any administrator password (because I've never had one). I've tried all sorts - the product ID, nothing at all, all of my passwords (dating back since I had the laptop). I've also tried things like "default", "12345" and "abcd". Nothing works.

Hopefully you can help :tazz:

Thanks,

J-alexander
#24 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hmm.. have you already tried filling in nothing and just pressing OK?
Or using admin as the login and admin as the password?

Also take a look here:

http://www.kellys-ko...p_passwords.htm

This is the only thing I can think of right now. :tazz:
#25 j-alexander (Topic Starter, Member, 42 posts)
I just tried typing in "admin" as the password, but that doesn't work. There isn't any option to put in a user name - it just asks for the system administrator password. Putting in nothing and so hitting return when the option to put in the password appears doesn't work either. I can't think why this doesn't work as I have never had a password for the administrator.

The link you gave me would be useful, but I can't get into DOS or any other operational mode and so I can't implement any of the options listed there.

Really confusing and frustrating :tazz: - nothing worse than passwords! (except smitfraud.c)

Thanks,

J-alexander
#26 miekiemoes (Malware Expert, MVP, 5,503 posts)
I am sorry to hear that.
I am really out of ideas now, and I also don't have much knowledge about this and how to fix it. Assuming you can't use the Recovery Console either.. :tazz:

Maybe post your problem about the passwords, or how to restore your XP in general, in the appropriate section of this forum? I'm pretty sure someone with much more knowledge about this will help you soon.

http://www.geekstogo...2003_NT-f5.html
#27 j-alexander (Topic Starter, Member, 42 posts)
I've posted about the password problem on the other forum. If worst comes to worst I'm just gonna re-install Windows. Nothing else for it.

Hopefully it won't come to that though.

Thanks for all your help so far (I'll keep you posted),

J-alexander
#28 miekiemoes (Malware Expert, MVP, 5,503 posts)
Glad I could help you and sorry I can't help you any further with this. :tazz:
#29 j-alexander (Topic Starter, Member, 42 posts)
miekiemoes said:
Glad I could help you and sorry I can't help you any further with this. :tazz:

It's no problem, honestly; if it comes to it the hard drive won't know what hit it and smitfraud (and everything else for that matter) will be wiped clean. I'd just rather try with you guys than obliterate the data stored.

Your help has been very much appreciated, and coachwife6's help also.

Thanks,

J-alexander
#30 j-alexander (Topic Starter, Member, 42 posts)
Ok - back on track now - the loop has ended - the operating system is back in use and the removal of smitfraud.c can be resumed.

Here's the most recent (new) hijackthis log which was requested.

Note: Won't be upgrading to SP1a till after smitfraud.c is gone :tazz:.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 17:43:50, on 05/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\lexpps.exe
C:\wp.exe
C:\Documents and Settings\john stephen\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2346
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\System32\wer8274.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...GB_ZSzeb029AXGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {B51E0E77-9820-4203-A72F-E6A1FAA6BD82} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B51E0E77-9820-4203-A72F-E6A1FAA6BD82} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {EAFF285E-A890-441D-A5D3-75C00E48649D} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EAFF285E-A890-441D-A5D3-75C00E48649D} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {00203AA7-BCC8-4009-9716-6509F28DA918} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {00203AA7-BCC8-4009-9716-6509F28DA918} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {14771B69-2503-4BE3-9014-CAC285AC3B4B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {14771B69-2503-4BE3-9014-CAC285AC3B4B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B51E0E77-9820-4203-A72F-E6A1FAA6BD82} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B51E0E77-9820-4203-A72F-E6A1FAA6BD82} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {EAFF285E-A890-441D-A5D3-75C00E48649D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EAFF285E-A890-441D-A5D3-75C00E48649D} - (no file) (HKCU)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest....chm::/file.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F920A57-5116-4CEB-8C93-46AB3A2D429F}: NameServer = 194.168.4.100,194.168.8.100
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe

Thanks,

J-alexander
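The log above is the kind of artifact the helpers on this thread read by eye. As an added example, not code from the thread or from HijackThis itself, here is a small triage script that parses HijackThis-style lines and flags the patterns that stand out in this particular log: a start page pointing at an untrusted host, a RunOnce key that is still present after a reboot, an executable sitting in the drive root, BHO or IE-button DLLs loaded from System32, orphaned "(no file)" entries, and an O16 DPF entry using the ms-its:mhtml: form. The sample input is a constructed subset of the log posted above (the truncated URL is kept as posted); the trusted start-page hosts and every heuristic are assumptions for illustration, not rules from HijackThis, and a hit means "look at this", not "this is malware".

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log posted in this thread,
# with two known-good lines (ATI, Norton) left in so the rules have something
# to ignore. Raw string so the backslashes survive untouched.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=2346
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\System32\wer8274.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O9 - Extra button: Microsoft AntiSpyware helper - {B51E0E77-9820-4203-A72F-E6A1FAA6BD82} - C:\WINDOWS\System32\wldr.dll
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest....chm::/file.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
"""

# Every HijackThis line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body layout: "<hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A bare "X:\name.exe" (optionally quoted): a program living in the drive root.
ROOT_EXE_RE = re.compile(r'^"?[a-z]:\\[^\\]+\.exe"?', re.I)
# A DLL/OCX loaded straight out of System32.
SYSTEM32_DLL_RE = re.compile(r"\\system32\\[^\\]+\.(dll|ocx)$", re.I)

# Assumption for this laptop: the Dell OEM page and MSN are the only start
# pages the owner would have chosen; anything else is a hijack candidate.
TRUSTED_START_HOSTS = {"www.euro.dell.com", "www.msn.com"}


@dataclass(frozen=True)
class Finding:
    rule: str
    entry: str


def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Return (section, body) pairs; non-entry lines (headers, blanks) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def triage(entries: list[tuple[str, str]]) -> list[Finding]:
    """Apply the heuristics described in the lead-in, in log order."""
    findings: list[Finding] = []
    for sec, body in entries:
        if sec in ("R0", "R1") and "Start Page" in body:
            url = body.split("=", 1)[1].strip()
            if urlparse(url).hostname not in TRUSTED_START_HOSTS:
                findings.append(Finding("start-page-hijack", body))
        elif sec == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            # A RunOnce value is consumed at logon; one that is still listed
            # after the machine is up means something keeps re-creating it.
            if m["key"].lower() == "runonce":
                findings.append(Finding("runonce-persistence", body))
            if ROOT_EXE_RE.match(m["cmd"]):
                findings.append(Finding("exe-in-drive-root", body))
        elif sec in ("O2", "O3", "O9"):
            if "(no file)" in body:
                findings.append(Finding("orphaned-entry", body))
            # Heuristic: vendors install BHOs and IE buttons under Program
            # Files; a DLL in System32 here is unusual. O3 is excluded because
            # the stock &Radio toolbar (msdxm.ocx) legitimately lives there.
            elif sec != "O3" and SYSTEM32_DLL_RE.search(body):
                findings.append(Finding("browser-extension-in-system32", body))
        elif sec == "O16":
            target = body.split(" - ", 1)[1] if " - " in body else body
            # ms-its:mhtml:file://...!http://... pulls a CHM from a remote host
            # through the MHTML handler; no legitimate download control uses it.
            if target.lower().startswith(("ms-its:", "mhtml:")):
                findings.append(Finding("ms-its-mhtml-dpf", body))
    return findings


def main() -> None:
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.rule}] {f.entry}")


if __name__ == "__main__":
    main()
```

Run against the sample it reports seven lines: the makemesearch start page, the wer8274.dll BHO, the orphaned toolbar, both halves of the spoolsrv32/wp.exe persistence, the wldr.dll button and the ms-its DPF entry; the Acrobat BHO, the ATI Run entry and the Norton service are left alone. Extending it to a full log is a matter of feeding the whole file to parse_hjt; the rules deliberately stay simple so each hit is explainable to the person who posted the log.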