Smitfraud.c

#1 freebird53 (Member, 38 posts)
I recently tried to remove the Smitfraud.c virus from a friend's computer and went through all of the instructions on your forum, however nothing would paste from the clipboard into HiJack This. I had everything highlighted so I know that was not it. Anyway, I ended up not performing the action and the virus was still there among many others. I ran AVG virus scanner and it said it "healed" the files it found. I was finally able to connect to the internet after that and run Windows 2000 updates (which had not been done in a long time, obviously). Now, after I shut down the computer, it won't finish the boot sequence and go into Windows. I'm at a loss at where to go next. This is an IBM NetVista 8303 computer. I have no discs with this computer. I had to get updates on the BIOS from IBM's website and also downloaded the Program Recovery Discs, which also did not work. I'm at a loss as to what I should do next. Someone please help!!!...I cleaned this computer of 3500 affected files and 589 trojans already. By the way, everything worked fine after the BIOS update and I had no trouble until I ran the Windows updates.

#2 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Welcome freebird53 to Geeks to Go!


Let's see what we can do. It probably has nothing to do with the updates you did; I think it's part of an infection we have been seeing lately.

You have no startup disk or Windows 2000 CD (maybe you can borrow it just to get into the system).

Edited by g2i2r4, 25 June 2005 - 07:45 AM.


#3 freebird53 (Topic Starter, Member, 38 posts)
Let me tell you what I have done so far. I went to IBM's website and downloaded the critical BIOS update and installed that before I did anything else. It was working fine. Then I downloaded the Enhanced Diagnostics CD and the Program Recovery CD for this computer. It did a backup on the base partition. When I tried to log back into the Windows program, it asked me for an Administrator password and I put that in, however after doing my Windows updates, it told me that was not the correct password. I know that it is and I typed it several times being very careful to put it in exactly the way it's supposed to be. After getting frustrated, I went to bed and when I came back in that morning and turned on the computer, it wouldn't even boot up. I can't get to a c: prompt, I can't get into the BIOS, it just goes through and gives me keyboard errors now, etc. and it's saying the BIOS is shadowed....then the screen goes blank...just a dark screen. I have a bootable BIOS disc but the computer won't read it I guess. I am at a complete loss now as to what to do. Any suggestions????

#4 freebird53 (Topic Starter, Member, 38 posts)
I do have a Windows XP CD I can use. I don't necessarily have to use the 2000 because I would like to reformat the hard drive altogether, however I can't get a c: prompt to even do that.

#5 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
I've had your topic moved to 'Windows XP, 2000, 2003, NT'.

The helpers here are better at this sort of problem than I am.

I leave you in their capable hands.

Good luck.

#6 freebird53 (Topic Starter, Member, 38 posts)
Well I just got everything solved on my own....EXCEPT....I still have the Smitfraud.c virus...HOWEVER...I ran HiJack This and was able to get the log and will post this.....

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\WINNT\System32\APPXEC32.exe
C:\WINNT\system32\cdrtc921.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINNT\system32\?ttrib.exe
C:\WINNT\system32\hookdump.exe
C:\Program Files\emhw\raeo.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\for john\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {E3070675-E3CD-9711-EB92-B5FEDAFC0DBD} - C:\WINNT\system32\bktdsll.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [f69ce1179a25] C:\WINNT\System32\APPXEC32.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKLM\..\Run: [cf6c1f02be52] C:\WINNT\system32\cdrtc921.exe
O4 - HKLM\..\Run: [appqw.exe] C:\WINNT\system32\appqw.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKCU\..\Run: [SPYKILLER] C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT /SCAN
O4 - HKCU\..\Run: [Uvquscl] C:\WINNT\system32\?ttrib.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O4 - HKCU\..\Run: [Otrl] C:\Program Files\emhw\raeo.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {3E7E5FF1-07FE-4B35-AF14-67343E007412} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3E7E5FF1-07FE-4B35-AF14-67343E007412} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {E3943A24-2F83-4505-9AE5-F705E81B50CB} - http://akamai.downlo...ACCESS_1055.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe (file missing)

#7 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Please hold on, be right back.

I'll have your topic transported back again.

#8 freebird53 (Topic Starter, Member, 38 posts)
Thanks so much!!!....maybe today is a good day after all...woohoooo!!!

#9 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Could you post me the header of the HijackThis log too?

That's the part of the HijackThis log with the date, Windows version etc.

#10 freebird53 (Topic Starter, Member, 38 posts)
Sure...give me a minute....be right back

#11 freebird53 (Topic Starter, Member, 38 posts)
Logfile of HijackThis v1.99.1
Scan saved at 3:56:10 PM, on 06/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

#12 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
lol, your minute is shorter than mine.

#13 freebird53 (Topic Starter, Member, 38 posts)
and I thought we were supposed to be slow here in the South...lol

#14 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Please disable Spyware Killer for the duration of this advice.


Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

***

Place a shortcut to Panda ActiveScan on your desktop.

***

Please download the trial version of ewido security suite. Install ewido security suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido; there should be an icon on your desktop, double-click it.
The program will prompt you to update; click the OK button.

The program will now go to the main screen.
You will need to update ewido to the latest definition files. On the left hand side of the main screen click Update.
Click on Start.
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install Ad-Aware SE 1.06.
Check here on how to set up and use it; please make sure you update it first.

***

Please download the Killbox.
Unzip it to the desktop. Run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\system32\cdrtc921.exe
C:\WINNT\system32\appqw.exe
C:\WINNT\System32\APPXEC32.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Use Windows Explorer to remove these folders (if present):
C:\Program Files\emhw\
C:\Program Files\SPYSPOTTER\
Close Windows Explorer.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: (no name) - {E3070675-E3CD-9711-EB92-B5FEDAFC0DBD} - C:\WINNT\system32\bktdsll.dll

O4 - HKLM\..\Run: [f69ce1179a25] C:\WINNT\System32\APPXEC32.exe

O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe

O4 - HKLM\..\Run: [cf6c1f02be52] C:\WINNT\system32\cdrtc921.exe

O4 - HKLM\..\Run: [appqw.exe] C:\WINNT\system32\appqw.exe

O4 - HKCU\..\Run: [Uvquscl] C:\WINNT\system32\?ttrib.exe

O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe

O4 - HKCU\..\Run: [Otrl] C:\Program Files\emhw\raeo.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: Microsoft AntiSpyware helper - {3E7E5FF1-07FE-4B35-AF14-67343E007412} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3E7E5FF1-07FE-4B35-AF14-67343E007412} - (no file) (HKCU)

O16 - DPF: {E3943A24-2F83-4505-9AE5-F705E81B50CB} - http://akamai.downlo...ACCESS_1055.cab

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save Report
  • Save the report to your desktop
Close Ewido

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

***

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.
Let me know if any problems persist.
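As an added example (not code from this thread, from HijackThis, or from the helper's procedure), a small Python triage script that parses the R0/R1, O2 and O4 entry formats in the log posted in #6 and flags the traits the fix list in #14 targets: hex-named Run values, an unrenderable character in an executable name, an unnamed BHO, and IE start/search pages redirected off a trusted host. The trusted-host list and the heuristics are assumptions, and the sample lines are a constructed subset of the posted log.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis lines posted in this thread (truncated URLs left as the log shows them).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O2 - BHO: (no name) - {E3070675-E3CD-9711-EB92-B5FEDAFC0DBD} - C:\WINNT\system32\bktdsll.dll
O4 - HKLM\..\Run: [f69ce1179a25] C:\WINNT\System32\APPXEC32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Uvquscl] C:\WINNT\system32\?ttrib.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
R_RE = re.compile(r"^R[0-3] - (.*?),([^,]+?)\s*=\s*(.*)$")
EXE_RE = re.compile(r"([^\\]+?\.exe)\b", re.IGNORECASE)
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$")
# Assumption: hosts this triage treats as acceptable for IE start/search pages.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")


def triage_line(line):
    """Return the reasons a log line deserves a closer look (empty list = nothing noted)."""
    reasons = []
    if m := O4_RE.match(line):
        _hive, name, cmd = m.groups()
        if HEX_NAME.match(name):
            reasons.append(f"autorun value name {name!r} is a bare hex string")
        exe = EXE_RE.search(cmd)
        # '?' cannot occur in a Windows filename; HijackThis prints it for a
        # character it could not render, so the real name is being disguised.
        if exe and "?" in exe.group(1):
            reasons.append(f"unrenderable character in autorun target {exe.group(1)!r}")
    elif m := O2_RE.match(line):
        name, clsid, path = m.groups()
        if name == "(no name)":
            reasons.append(f"unnamed BHO {{{clsid}}} loads {path!r}")
    elif m := R_RE.match(line):
        _key, value, data = m.groups()
        host = (urlsplit(data).hostname or "") if data else ""
        trusted = any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)
        if data and data != "about:blank" and not trusted:
            reasons.append(f"IE {value} redirected to untrusted host {host!r}")
    return reasons


def triage(log_text):
    """Map each flagged log line to its reasons, in log order."""
    return {ln: r for ln in map(str.strip, log_text.splitlines()) if (r := triage_line(ln))}
```

Entries such as `[Otrl] C:\Program Files\emhw\raeo.exe` in the original log pass these checks, so the output is a starting point for the helper's review, not a verdict.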

#15 freebird53 (Topic Starter, Member, 38 posts)
Thanks for your post. Should I uninstall the AVG virus scanner before I do all of this? Also, before when I used Killbox, it would only let me put one line in at a time. Is this normal?...or should I click on the Red x after each line I c&p....