Smithfraud-c trojan unable to delete fully

Comments

• Trogan London, UK

  April 2006 edited April 2006

  The entries in Spybot are false postives and nothing to worry about.
  
  There a few entries that need removing from your log. Before we begin, can you move HJT out of the eDonkey2000 Downloads folder and into its own folder please.
  
  Next, do the following:

  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
  • C:\WINDOWS\system32\nvsvcd.exe
  • Click on the submit button
  • Please post the results in your next reply.

  Do the same for this file:
  
  C:\WINDOWS\system\smss.exe
  
  
  Please post a new HJT log, as well as the scan results.

  0
• judgeuk

  April 2006 edited April 2006

  Ok here are the results trojan-1000
  
  load: 0% 100%
  
  File: nvsvcd.exe
  Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
  MD5 3ac8d1a441169346451eb399e3828038
  Packers detected: -
  Scanner results
  AntiVir Found nothing
  ArcaVir Found nothing
  Avast Found nothing
  AVG Antivirus Found nothing
  BitDefender Found nothing
  ClamAV Found nothing
  Dr.Web Found nothing
  F-Prot Antivirus Found W32/Methodbod.A - Packed
  Fortinet Found nothing
  Kaspersky Anti-Virus Found nothing
  NOD32 Found nothing
  Norman Virus Control Found nothing
  UNA Found nothing
  VirusBuster Found nothing
  VBA32 Found nothing
  
  
  
  
  Logfile of HijackThis v1.99.1
  Scan saved at 08:12:57, on 14/04/2006
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
  C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
  C:\Program Files\Norton Internet Security\ISSVC.exe
  C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
  C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  C:\WINDOWS\system32\nvsvc32.exe
  C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
  C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\Razer\CopperHead\razerhid.exe
  C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
  C:\WINDOWS\RTHDCPL.EXE
  C:\WINDOWS\ALCMTR.EXE
  C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
  C:\Program Files\dvd43\dvd43_tray.exe
  C:\Program Files\iTunes\iTunesHelper.exe
  C:\WINDOWS\system32\ctfmon.exe
  C:\WINDOWS\system32\svchost.exe
  C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
  C:\Program Files\iPod\bin\iPodService.exe
  C:\Program Files\Razer\CopperHead\razertra.exe
  C:\Program Files\Razer\CopperHead\razerofa.exe
  C:\Program Files\Slim Multimedia Keyboard\OSD.EXE
  C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
  C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
  C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
  C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
  C:\Documents and Settings\Jason Headon\Desktop\HijackThis.exe
  
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findhash.com/
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
  F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
  O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
  O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
  O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
  O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
  O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\CopperHead\razerhid.exe
  O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
  O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
  O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
  O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
  O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t
  O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
  O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
  O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
  O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
  O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
  O4 - Global Startup: Slim Multimedia Keyboard.lnk = C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
  O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
  O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
  O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
  O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
  O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
  O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
  O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
  O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
  O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
  O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
  O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
  O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
  O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
  O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
  O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
  O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
  O23 - Service: WUSB54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe (file missing)
  
  
  Glad you know what your looking at mate .
  
  cheers
  jas

  0
• Trogan London, UK

  April 2006 edited April 2006

  It's look like you have a trojan on your computer, but I want to be 100% sure before we start the fix.
  
  Can you go HERE and scan the following files please:
  
  C:\WINDOWS\system\smss.exe
  C:\WINDOWS\system32\nvsvcd.exe
  
  Post back the results for both.

  0
• judgeuk

  April 2006 edited April 2006

  This is a report processed by VirusTotal on 04/14/2006 at 09:40:09 (CET) after scanning the file "smss.exe_" file.
  Antivirus Version Update Result
  AntiVir 6.34.0.24 04.14.2006 Worm/Caimbot
  Avast 4.6.695.0 04.03.2006 no virus found
  AVG 386 04.13.2006 no virus found
  Avira 6.34.0.56 04.13.2006 Worm/Caimbot
  BitDefender 7.2 04.14.2006 no virus found
  CAT-QuickHeal 8.00 04.13.2006 no virus found
  ClamAV devel-20060202 04.14.2006 no virus found
  DrWeb 4.33 04.14.2006 DLOADER.Trojan
  eTrust-InoculateIT 23.71.129 04.14.2006 no virus found
  eTrust-Vet 12.4.2162 04.13.2006 no virus found
  Ewido 3.5 04.13.2006 no virus found
  Fortinet 2.71.0.0 04.14.2006 no virus found
  F-Prot 3.16c 04.13.2006 W32/Methodbod.A@dr - Packed
  Ikarus 0.2.59.0 04.14.2006 no virus found
  Kaspersky 4.0.2.24 04.14.2006 no virus found
  McAfee 4740 04.13.2006 no virus found
  NOD32v2 1.1488 04.13.2006 a variant of Win32/Agent.TV
  Norman 5.90.15 04.13.2006 no virus found
  Panda 9.0.0.4 04.13.2006 Suspicious file
  Sophos 4.04.0 04.14.2006 no virus found
  Symantec 8.0 04.14.2006 no virus found
  TheHacker 5.9.7.129 04.13.2006 no virus found
  UNA 1.83 04.13.2006 no virus found
  VBA32 3.10.5 04.13.2006 no virus found
  
  
  
  
  This is a report processed by VirusTotal on 04/14/2006 at 09:39:23 (CET) after scanning the file "nvsvcd.exe" file.
  Antivirus Version Update Result
  AntiVir 6.34.0.24 04.14.2006 no virus found
  Avast 4.6.695.0 04.03.2006 no virus found
  AVG 386 04.13.2006 no virus found
  Avira 6.34.0.56 04.13.2006 no virus found
  BitDefender 7.2 04.14.2006 no virus found
  CAT-QuickHeal 8.00 04.13.2006 no virus found
  ClamAV devel-20060202 04.14.2006 no virus found
  DrWeb 4.33 04.14.2006 no virus found
  eTrust-InoculateIT 23.71.129 04.14.2006 no virus found
  eTrust-Vet 12.4.2162 04.13.2006 no virus found
  Ewido 3.5 04.13.2006 no virus found
  Fortinet 2.71.0.0 04.14.2006 no virus found
  F-Prot 3.16c 04.13.2006 W32/Methodbod.A - Packed
  Ikarus 0.2.59.0 04.14.2006 no virus found
  Kaspersky 4.0.2.24 04.14.2006 no virus found
  McAfee 4740 04.13.2006 no virus found
  NOD32v2 1.1488 04.13.2006 no virus found
  Norman 5.90.15 04.13.2006 no virus found
  Panda 9.0.0.4 04.13.2006 no virus found
  Sophos 4.04.0 04.14.2006 no virus found
  Symantec 8.0 04.14.2006 no virus found
  TheHacker 5.9.7.129 04.13.2006 no virus found
  UNA 1.83 04.13.2006 no virus found
  VBA32 3.10.5 04.13.2006 no virus found
  
  
  
  sure looks like i have an infection . any ideas trojan-1000

  0
• Trogan London, UK

  April 2006 edited April 2006

  Yep, they need to go.
  
  First, put HJT into its own folder. Create a new folder on your desktop and call it HJT. Move the dynamite icon into it.
  
  Next, please do the following:
  
  Open HijackThis
  - Click the Do a system scan only button
  - Check the following entries (below)
  
  O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
  
  O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
  
  - Close ALL open windows (especially Internet Explorer!)
  Click Fix Checked
  
  
  We need to view hidden files and folders:
  

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

  
  Find and delete the following, if found:
  
  C:\WINDOWS\system\smss.exe << this file
  C:\WINDOWS\system32\nvsvcd.exe << this file
  
  ================================================================
  
  Reboot and do the following:
  
  Go to "Start" -> "Run" and type in the box: "cleanmgr" press OK. Select the drive where your Operating System is installed (Default is C:) and press OK. Let Disk Cleanup scan your system for files to remove (it takes a few minutes!). On the next screen make sure these 3 options are checked and then press "OK" to remove:
  

  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin

  
  ================================================================
  
  Download Ewido Anti-Malware
  

  • Install Ewido
  • When installing the program, under "Additonal Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Once installed, open Ewido
  • You will need to update Ewido to the latest definition files
    • On the left hand side of the main screen click update.
    • Then click on the Start Update button.
  • The update will start and a progress bar will show the updates being installed.
    • If you are having problems with the updater, you can manually update Ewido » Ewido manual updates.
  • After it has finished, close Ewido.

  Next, please reboot your computer in Safe Mode by doing the following:
  1) Restart your computer
  2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3) Instead of Windows loading as normal, a menu should appear
  4) Select the first option, to run Windows in Safe Mode.
  
  For additional help in booting into Safe Mode, see the following site:
  http://www.pchell.com/support/safemode.shtml
  
  Once in Safe Mode, please oepn Ewido.

  • Click on scanner
  • Click Complete System Scan. (Please don't use the computer while Ewido is scanning)
  • NOTE: During some scans with Ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If Ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop

  Close Ewido
  
  Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

  0