smithfraud-c [RESOLVED]

I have recently recovered from a relatively painful ordeal involving having acquired a virus. i've managed to get rid of it, but i think it may have installed something on my computer that i can't seem to get rid of. About every half hour or so my virus scan (avast!) tells me that i have adware in D:\Windows\system32\1024\ld4A2C.tmp\[UPX]. I tell it to delete it every time. i finally got fed up and deleted the .tmp file myself, but that didn't help. After i just a thorough system scan it came up about a dozen times telling me that the same file was infected. evertime i'd tell it to delete it and it would pop up with an error saying that it can't find the file. I also can't seem to get rid of a registry value that spybot keeps finding called "Smithfraud-c" i've scanned several times while the os was booting up, but everytime thus far was when the virus was still there. a friend told me that i had a rootkit installed, and i think that that may have caused spybot's inability to get rid of the spyware, even when it was starting up. The reason i think the virus scan and spybot is related is mostly just because of timing.

logfile:
Logfile of HijackThis v1.99.1
Scan saved at 2:59:05 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Apache Group\Apache2\bin\Apache.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\OpenAFS\Client\Program\afsd_service.exe
D:\Program Files\Apache Group\Apache2\bin\Apache.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\MIT\Kerberos\bin\krbcc32s.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\dla\tfswctrl.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\OpenAFS\Client\Program\afscreds.exe
D:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\system32\nvctrl.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\SoftwareDistribution\Download\Install\dotnetfx.exe
D:\DOCUME~1\Stefan\LOCALS~1\Temp\IXP000.TMP\install.exe
D:\WINDOWS\system32\msiexec.exe
D:\WINDOWS\system32\MsiExec.exe
D:\WINDOWS\system32\MsiExec.exe
D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
\?\D:\WINDOWS\system32\WBEM\WMIADAP.EXE
D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ngen.exe
D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
D:\Documents and Settings\Stefan\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.cmu.edu/myandrew/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - D:\WINDOWS\system32\hp6657.tmp
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UpdateManager] "D:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] D:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe D:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "D:\DOCUME~1\Stefan\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AFS Credentials.lnk = D:\Program Files\OpenAFS\Client\Program\afscreds.exe
O4 - Global Startup: Monitor Apache Servers.lnk = D:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Viewpoint Search - res://D:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115497786687
O20 - Winlogon Notify: AfsLogon - D:\WINDOWS\SYSTEM32\afslogon.dll
O20 - Winlogon Notify: KFWLogon - D:\WINDOWS\SYSTEM32\afslogon.dll
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - D:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - OpenAFS Project - D:\Program Files\OpenAFS\Client\Program\afsd_service.exe
O23 - Service: UJ - Unknown owner - D:\DOCUME~1\Stefan\LOCALS~1\Temp\UJ.exe (file missing)

PS - I did go a little nuts trying to get rid of the virus, so if you think i may have deleted something important, please let me know

Thank you
-Stefan

#1
sjstefan

Posted 30 November 2005 - 02:12 PM

Advertisements

#2
OwNt

Posted 06 December 2005 - 06:36 PM

#3
sjstefan

Posted 07 December 2005 - 10:08 AM

#4
OwNt

Posted 07 December 2005 - 11:20 AM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us