Trojan-Spy.HTML.Smitfraud.c Infection


PVJOYNT
6 Jul 2005, 3:48pm
Hi

My PC got infected with Trojan-Spy.HTML.Smitfraud.c. A blue screen appeared in place of my desktop. I'm still able to access the icons on my desktop, but how do I get rid of this screen? :scratch:

Any help/suggestions will be appreciated.

Here is my HijackThis log. Can you please inform me what is harmful to my PC so I can get rid of it.

Logfile of HijackThis v1.99.1
Scan saved at 15:56:59, on 06-Jul-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\INTEL32.EXE
C:\PROGRAM FILES\ABOUTTIME\ABOUTTIME.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {2B5C1B81-ED55-11D9-B80F-0040327F7371} - C:\WINDOWS\SYSTEM\HNLO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: PhishingNet BHO - {DE3A0297-5EFF-4FF2-A48D-ABBC67D4D774} - C:\PROGRAM FILES\DESKTOP ARMOR\GEEKSUPERHEROX.DLL
O2 - BHO: (no name) - {3684174A-EE24-11D9-B80F-0040E370041A} - C:\WINDOWS\SYSTEM\HNLO.DLL
O2 - BHO: (no name) - {3684174E-EE24-11D9-B80F-00409C4B0219} - C:\WINDOWS\SYSTEM\HNLO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP3\\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Program Files\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
O4 - Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
O4 - Startup: Eudora.lnk = C:\Program Files\Qualcomm\Eudora\Eudora.exe
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\PROGRAM FILES\DESKTOP ARMOR\GEEKSUPERHEROX.DLL
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\PROGRAM FILES\DESKTOP ARMOR\GEEKSUPERHEROX.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\PROGRAM FILES\DESKTOP ARMOR\GEEKSUPERHEROX.DLL
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = smd
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.10
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - {3684174D-EE24-11D9-B80F-00406C999C6E} - C:\WINDOWS\SYSTEM\HNLO.DLL
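A log like the one above can be triaged automatically. The following is an added example, not part of this thread or of HijackThis itself: it parses HijackThis entry lines and applies a few heuristics (assumptions of this example, chosen from the indicators visible in this log: the res:// search page in TEMP, the unnamed BHOs in SYSTEM, the text/plain filter DLL, and the intel32.exe Run key) to report which entries deserve a closer look.

```python
import re
# A HijackThis entry starts with a section code (R0/R1/O2/O4/O18 ...) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)")

# Heuristics assumed by this example (not HijackThis's own verdicts), drawn from
# the indicators visible in the log above; each is keyed to one section code.
def res_dll_in_temp(body):         # IE search page served from a DLL resource in TEMP
    low = body.lower()
    return "res://" in low and "\\temp\\" in low

def unnamed_system_bho(body):      # BHO with no name, loaded from the Windows SYSTEM dir
    return "(no name)" in body and "\\system\\" in body.lower()

def mime_filter_dll(body):         # text/html or text/plain MIME filter backed by a DLL
    low = body.lower()
    return low.startswith("filter: text/") and low.endswith(".dll")

def exe_run_from_system(body):     # Run value named after its own .exe, living in SYSTEM
    m = RUN_RE.search(body)
    return bool(m) and m["name"].lower().endswith(".exe") and "\\system\\" in m["cmd"].lower()

RULES = [("R1", res_dll_in_temp, "search page redirected to a res:// DLL in TEMP"),
         ("O2", unnamed_system_bho, "unnamed BHO in the SYSTEM directory"),
         ("O18", mime_filter_dll, "MIME filter hijack via DLL"),
         ("O4", exe_run_from_system, "autostart of an executable from SYSTEM")]

def parse(log_text):
    """Yield (code, body) per entry line; the header and process list are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["code"], m["body"]

def flag(log_text):
    """Return [(code, reason, body)] for entries that trip a heuristic, in log order."""
    return [(code, reason, body) for code, body in parse(log_text)
            for rule_code, pred, reason in RULES if code == rule_code and pred(body)]

# Sample lines copied from the first log in this thread (clean entries included).
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {2B5C1B81-ED55-11D9-B80F-0040327F7371} - C:\WINDOWS\SYSTEM\HNLO.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - {3684174D-EE24-11D9-B80F-00406C999C6E} - C:\WINDOWS\SYSTEM\HNLO.DLL
"""
```

`flag(SAMPLE)` returns four hits (the se.dll search bar, the HNLO.DLL BHO, the intel32.exe Run key and the text/plain filter) and leaves the Acrobat BHO and ScanRegistry entries alone; running it over the second log posted later in the thread shows which of these survived the reinstall.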

Buckeye_Sam
8 Jul 2005, 2:53pm
Before fixing the desktop we need to get rid of the infection.

Please download Seeker's SpSeHjfix here:
http://www.derbilk.de/SpSeHjfix109.zip
Unzip it to the desktop but do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please run SpSeHjfix.bat. Click "Start Disinfection" and follow the prompts. Allow your computer to reboot when required. Post the logfile from the tool here for me when done.

Also post a new hijackthis log.

PVJOYNT
11 Jul 2005, 7:24am
Hi Buckeye_Sam

I tried what you suggested, but now after rebooting the blue screen is still there and I'm unable to see or access anything on my desktop.

Buckeye_Sam
11 Jul 2005, 9:07pm
Can you get explorer to open up by hitting the Windows + E keys at the same time?

PVJOYNT
12 Jul 2005, 7:18am
Hi

Unfortunately that's not possible. I can only open the Task Manager, which shows no programs running.

Buckeye_Sam
12 Jul 2005, 10:08pm
When you get into the task manager, click New Task and then Browse. This should allow you to navigate through your hard drive.

Try to find this file:

C:\Windows\System32\wininet.dll

Once you find it, rename it to wininet.old
Reboot your computer and let me know if there is any change.

PVJOYNT
13 Jul 2005, 7:11am
Nope, can't do that. It only allows "end task", "shut down" and "cancel". I'm running Windows 98.

Buckeye_Sam
13 Jul 2005, 12:22pm
Can you reboot into Safe mode? Assuming you can, what do you get there?

PVJOYNT
13 Jul 2005, 3:33pm
It's the same in Safe Mode. Not able to access anything. Only able to access the A: drive when I boot with a bootable disk. Another thing: when I boot up I get a message saying Explorer has performed illegal ops and will shut down.

Buckeye_Sam
13 Jul 2005, 7:48pm
You are going to have to reinstall Windows 98. You do not have to format your hard drive. You can just reinstall right over your current installation. This should repair your explorer file and allow you to reboot normally. It will not necessarily get rid of the virus, so we may still have work to do.

You will need a Windows boot disk and your Windows 98 installation cd. Let me know when you have these items and we'll take the next steps.

PVJOYNT
15 Jul 2005, 7:04am
OK great, got the two disks! :thumbsup:

Buckeye_Sam
16 Jul 2005, 2:44am
Follow these instructions from Microsoft.
http://support.microsoft.com/kb/q221829/

1. Insert the Windows 98 Startup disk in the floppy disk drive, and then restart your computer.
2. When the Windows 98 Startup menu is displayed, choose the Start computer with CD-ROM support option, and then press ENTER.
3. If CD-ROM support is provided by the generic drivers on the Startup disk, you receive one of the following messages, where X is the drive letter that is assigned to your CD-ROM drive:
Drive X: = Driver MSCD001

Drive X: = Driver OEMCD001
NOTE: If your CD-ROM drive is not available after you boot from the Windows 98 Startup disk, install the CD-ROM drivers that are included with your CD-ROM drive. For information about how to obtain and install the most current driver for your CD-ROM drive, view the documentation that is included with your device, or contact your hardware manufacturer.

4. Insert the Windows 98 CD-ROM in the CD-ROM drive, type the following command at a command prompt, and then press ENTER:
X:\setup
where X is the drive letter that is assigned to your CD-ROM drive.

5. When you receive the following message, press ENTER, and then follow the instructions on the screen to complete the Setup procedure:
Please wait while the Setup initializes. Setup is now going to perform a routine check on your system. To continue press Enter.


========================


If your computer is already set up to boot from the CD-ROM, then it's a bit easier.
http://support.microsoft.com/?kbid=250928

1. Start Windows, and then insert the Windows 98 CD-ROM into your CD-ROM drive.
2. Click Browse This CD, and then double-click Setup.exe.
3. Follow the instructions to complete the Windows Setup procedure.
When you have completed the reinstallation post a hijackthis log and we'll see what we are dealing with.

PVJOYNT
22 Jul 2005, 6:57am
Hi

I re-installed Windows 98. Before that I ran the AVG rescue disk and removed 3 Trojans located at:
C:/windows/system/intel32.exe
C:/windows/system/OEGG.DLL
C:/windows/uninstiu.exe

I have access now to my PC, but the blue screen is still there.
Here is my HiJackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 16:48:26, on 20-07-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ABOUTTIME\ABOUTTIME.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {DE3A0297-5EFF-4FF2-A48D-ABBC67D4D774} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP3\\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Program Files\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
O4 - Startup: Eudora.lnk = C:\Program Files\Qualcomm\Eudora\Eudora.exe
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = smd
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.10

Also the SPSeHjFix Log before everything went haywire:

(7-8-05 16:53:08) SPSeHjFix started v1.09
(7-8-05 16:53:08) OS: Win98SE A (4.10.67766446)
(7-8-05 16:53:08) Language: english
(7-8-05 16:53:18) Disinfect started
(7-8-05 16:53:18) Bad-Dll(IEP): (not found)
(7-8-05 16:53:18) Bad-Dll(IEP) in BHO: (not found)
(7-8-05 16:53:18) UBF: 6
(7-8-05 16:53:18) UBB: 5
(7-8-05 16:53:18) FilterKey: HKCR\text/html (deleted)
(7-8-05 16:53:18) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7-8-05 16:53:21) FilterKey: HKCR\CLSID\ (deleted)
(7-8-05 16:53:21) FilterKey: HKCR\text/plain (deleted)
(7-8-05 16:53:21) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7-8-05 16:53:21) FilterKey: HKCR\CLSID\{3684174D-EE24-11D9-B80F-00406C999C6E} (error while deleting)
(7-8-05 16:53:21) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B5C1B81-ED55-11D9-B80F-0040327F7371} (deleted)
(7-8-05 16:53:21) BHO-Key: HKCR\CLSID\{2B5C1B81-ED55-11D9-B80F-0040327F7371} (error while deleting)
(7-8-05 16:53:21) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3684174A-EE24-11D9-B80F-0040E370041A} (deleted)
(7-8-05 16:53:21) BHO-Key: HKCR\CLSID\{3684174A-EE24-11D9-B80F-0040E370041A} (error while deleting)
(7-8-05 16:53:21) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3684174E-EE24-11D9-B80F-00409C4B0219} (deleted)
(7-8-05 16:53:21) BHO-Key: HKCR\CLSID\{3684174E-EE24-11D9-B80F-00409C4B0219} (error while deleting)
(7-8-05 16:53:21) UBR: 14
(7-8-05 16:53:21) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7-8-05 16:53:21) Stealth-String not found:
(7-8-05 16:53:21) File added to delete: error
(7-8-05 16:53:21) File added to delete: c:\windows\system\hnlo.dll
(7-8-05 16:53:21) Reboot

PVJOYNT
27 Jul 2005, 4:04pm
Hi

Thanks for all the help. I managed to fix the problem.
Here is what I did.

I re-installed Windows. Afterwards I had to install the desktop feature in Add/Remove Programs in Control Panel. Now I was able to get rid of the blue background, but was still unable to change backgrounds from right-click on the desktop itself. Then I ran Spybot Search and Destroy after having installed the latest updates. This found the trojan and I removed it with Spybot. Now able to change the background. :thumbsup: