Options

Trojan-Spy.HTML - infected

Unknown
edited May 2005 in Spyware & Virus Removal
I need help. My computer is infected with that malaware (Trojan.smitfraud). My wallpaper has been replaced by that security warning and on top of that I am getting all these porno sites added to the list of "my favorite" websites. I have tried spybot and ad-aware and nothing happens. I have also tried to delete the program through the "add or remove software" portion of my control panel and nothing. Please help!!

Gman

Comments

  • Gman
    edited May 2005
    I ran Hijack This and these are the files that came up:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:08:11 PM, on 5/10/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\hx1gc6kj1y3hthd.exe
    C:\Program Files\Microsoft Money\System\Money Express.exe
    C:\WINDOWS\System32\crypt.exe
    C:\wp.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Franklin Covey\Planner\Palm\HOTSYNC.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Franklin Covey\Planner\Compass.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Gerardo Hernandez\Local Settings\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=9
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\LZG3LE~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [logspool] C:\WINDOWS\System32\datasysservice.exe
    O4 - HKLM\..\Run: [cryptdirx] C:\WINDOWS\System32\datasys.exe %srun%
    O4 - HKLM\..\Run: [host] C:\WINDOWS\System32\crypt.exe
    O4 - HKLM\..\Run: [logsysrunspoolx] C:\WINDOWS\System32\runspool.exe %srun%
    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\hx1gc6kj1y3hthd.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [host] C:\WINDOWS\System32\datasysservice.exe
    O4 - HKCU\..\Run: [runcryptx] C:\WINDOWS\System32\datasys.exe %srun%
    O4 - HKCU\..\Run: [data] C:\WINDOWS\System32\crypt.exe
    O4 - HKCU\..\Run: [sysdir32cryptx] C:\WINDOWS\System32\runspool.exe %srun%
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
    O4 - Startup: HotSync Manager.LNK = C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HOTSYNC.EXE
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {A975AB38-55A7-45EB-997A-E01DB4C19D5F} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A975AB38-55A7-45EB-997A-E01DB4C19D5F} - (no file) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://www.myfamily.com/plugins/ue/Install_UE.exe
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.ez-tracks.com/downloader/cab/special/eztdl.cab
    O20 - AppInit_DLLs: jnr1u1yik4n.dll
    O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited May 2005
    Print out these instructions and then close all windows including Internet Explorer.

    Then I want you to fix some of those entries. Please do the following:

    Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

    Security IGuard
    Virtual Maid
    Search Maid

    Exit Add/Remove Programs.


    Make sure that you can VIEW ALL HIDDEN FILES.

    Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=9
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\LZG3LE~1.DLL
    O4 - HKLM\..\Run: [logspool] C:\WINDOWS\System32\datasysservice.exe
    O4 - HKLM\..\Run: [cryptdirx] C:\WINDOWS\System32\datasys.exe %srun%
    O4 - HKLM\..\Run: [host] C:\WINDOWS\System32\crypt.exe
    O4 - HKLM\..\Run: [logsysrunspoolx] C:\WINDOWS\System32\runspool.exe %srun%
    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\hx1gc6kj1y3hthd.exe
    O4 - HKCU\..\Run: [host] C:\WINDOWS\System32\datasysservice.exe
    O4 - HKCU\..\Run: [runcryptx] C:\WINDOWS\System32\datasys.exe %srun%
    O4 - HKCU\..\Run: [data] C:\WINDOWS\System32\crypt.exe
    O4 - HKCU\..\Run: [sysdir32cryptx] C:\WINDOWS\System32\runspool.exe %srun%
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {A975AB38-55A7-45EB-997A-E01DB4C19D5F} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A975AB38-55A7-45EB-997A-E01DB4C19D5F} - (no file) (HKCU)



    Reboot your computer into SAFE MODE

    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\wp.exe
    C:\wp.bmp
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\WINDOWS\System32\wldr.dll
    C:\Windows\System32\helper.exe
    C:\Windows\System32\intmonp.exe
    C:\Windows\System32\msmsgs.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\WINDOWS\System32\LZG3LE~1.DLL
    C:\WINDOWS\System32\datasysservice.exe
    C:\WINDOWS\System32\datasys.exe
    C:\WINDOWS\System32\crypt.exe
    C:\WINDOWS\System32\runspool.exe
    C:\WINDOWS\System32\hx1gc6kj1y3hthd.exe
    C:\Windows\System32\Log Files
    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Program Files\Security IGuard



    Reboot your computer to go back to normal mode.



    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


    Also post a new hijackthis log. Are you having any problems with your desktop?
Sign In or Register to comment.