Trojan-spy.HTML.Smitfraud.c

I have run Spy-Bot and Ad-Aware. Running HijackThis gave me this log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\ZH3DFD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\cbed.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\wp.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\JoiExpress\propelac.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HIJACKTHIS\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\patron\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\patron\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SMART Notebook Download Plugin - {30DA8584-E4B3-45f7-A164-DB8F869FCF77} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\JoiExpress\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {D1A82928-C8CE-4BD1-9EF7-D4899F25A8B6} - C:\WINDOWS\System32\oenn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ActivDRVAutostart] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe /startup
O4 - HKLM\..\Run: [ACTIVfilter] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\JoiExpress\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\cbed.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\patron\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spino] C:\Program Files\Jurassic Park III Games\Dino Defender\DINO3.EXE
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\cbed.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {D3499B30-9F40-4ADF-B9FA-212CB8497F0F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D3499B30-9F40-4ADF-B9FA-212CB8497F0F} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - https://esis.ncwise.org/jinitiator/jinit.exe
O18 - Filter: text/html - {F8AC07C6-CBFC-48C3-AC60-010BEE1F6646} - C:\WINDOWS\System32\oenn.dll
O18 - Filter: text/plain - {F8AC07C6-CBFC-48C3-AC60-010BEE1F6646} - C:\WINDOWS\System32\oenn.dll
O23 - Service: ActivDRVcontrol - ACTIV Software Ltd - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

A solution in easy to understand English would be appreciated.

Comments

  • Shadow2018 Northwest Missouri
    edited May 2005
    Print out these instructions and then close all windows including Internet Explorer.

    Then I want you to fix some of those entries. Please do the following:

    Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

    Security IGuard
    Virtual Maid
    Search Maid

    Exit Add/Remove Programs.


    Make sure that you can VIEW ALL HIDDEN FILES.

    Run Hijackthis again, click scan, and put a checkmark next to each of these. Then click the Fix button:

    < enter bad lines from hijackthis here >


    Reboot your computer into SAFE MODE

    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\wp.exe
    C:\wp.bmp
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\WINDOWS\System32\wldr.dll
    C:\Windows\System32\helper.exe
    C:\Windows\System32\intmonp.exe
    C:\Windows\System32\msmsgs.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\Windows\System32\Log Files
    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Program Files\Security IGuard



    Reboot your computer to go back to normal mode.

    Once you have rebooted, download the following reg file to your desktop by right-clicking on the link and selecting Save As.

    http://www.bleepingcomputer.com/files/reg/smitfraud.reg

    Once it has downloaded, double-click on the smitfraud.reg file on your desktop and when it asks if you would like to merge the data, click on the Yes button.

    Reboot your computer and you should now be able to change your desktop settings back to how you would like it. If your desktop still looks strange, go into your display properties and click on the Themes tab. Change the theme to Windows XP and you will now be using the default Windows XP settings. Then change them as you see fit.

    Reboot and post a new hijackthis log and let me know of any problems you experienced.
  • edited May 2005
    "Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

    < enter bad lines from hijackthis here >"

    Does this mean I have no "bad lines"?
  • Shadow2018 Northwest Missouri
    edited May 2005
    Sorry that's an error on my part. Go ahead and post a new log if you would. Before running Hijack this again please clean out the temp folder in your C drive.
  • edited May 2005
    Ask and ye shall receive:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:09:49 PM, on 5/11/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\SMART Board Software\SMARTBoardService.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\TEMP\QJ93F9.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\JoiExpress\propelac.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\wp.exe
    C:\Program Files\SMART Board Software\SMARTBoardTools.exe
    C:\Program Files\SMART Board Software\Aware.exe
    C:\Program Files\SMART Board Software\Marker.exe
    C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HIJACKTHIS\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\patron\LOCALS~1\Temp\se.dll/spage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\patron\LOCALS~1\Temp\se.dll/spage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SMART Notebook Download Plugin - {30DA8584-E4B3-45f7-A164-DB8F869FCF77} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\JoiExpress\prpl_IePopupBlocker.dll
    O2 - BHO: (no name) - {D1A82928-C8CE-4BD1-9EF7-D4899F25A8B6} - C:\WINDOWS\System32\oenn.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [ActivDRVAutostart] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe /startup
    O4 - HKLM\..\Run: [ACTIVfilter] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\JoiExpress\trayctl.exe" /STARTUPLAUNCH
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\patron\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Spino] C:\Program Files\Jurassic Park III Games\Dino Defender\DINO3.EXE
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
    O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra button: Microsoft AntiSpyware helper - {D3499B30-9F40-4ADF-B9FA-212CB8497F0F} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D3499B30-9F40-4ADF-B9FA-212CB8497F0F} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - https://esis.ncwise.org/jinitiator/jinit.exe
    O18 - Filter: text/html - {D95F0BF4-1C9D-4464-BCED-F58D9108ACA4} - C:\WINDOWS\System32\oenn.dll
    O18 - Filter: text/plain - {D95F0BF4-1C9D-4464-BCED-F58D9108ACA4} - C:\WINDOWS\System32\oenn.dll
    O23 - Service: ActivDRVcontrol - ACTIV Software Ltd - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Let me step in here. Before you clean up smitfraud let's get rid of your other infection.

    Make a new folder on your desktop and name it 'SpSeHjfix112'.
    Download SpSeHjfix112, place it in the new folder and unzip the program.

    http://www.derbilk.de/SpSeHjfix112.zip


    Disconnect from the net and Close ALL OPEN PROGRAMS.
    Run SpSeHjfix112 and click on "Start Disinfection".
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the new folder.


    Please post a new hijackthis log and the log from SpSeHjfix.
  • Shadow2018 Northwest Missouri
    edited May 2005
    Thanks Buckeye.
  • edited May 2005
    I'm glad someone can read this.

    SPSeHjFix log file:

    (5/12/05 9:40:32 PM) SPSeHjFix started v1.1.2
    (5/12/05 9:40:32 PM) OS: WinXP Service Pack 1 (5.1.2600)
    (5/12/05 9:40:32 PM) Language: english
    (5/12/05 9:40:32 PM) Win-Path: C:\WINDOWS
    (5/12/05 9:40:32 PM) System-Path: C:\WINDOWS\System32
    (5/12/05 9:40:32 PM) Temp-Path: C:\DOCUME~1\patron\LOCALS~1\Temp\
    (5/12/05 9:41:17 PM) Disinfection started
    (5/12/05 9:41:17 PM) Bad-Dll(IEP): c:\docume~1\patron\locals~1\temp\se.dll
    (5/12/05 9:41:17 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\oenn.dll
    (5/12/05 9:41:17 PM) Searchassistant Uninstaller - Keys Deleted
    (5/12/05 9:41:17 PM) UBF: 6 - UBB: 4 - UBR: 13
    (5/12/05 9:41:17 PM) FilterKey: HKCR\text/html (deleted)
    (5/12/05 9:41:17 PM) FilterKey: HKCR\CLSID\{D95F0BF4-1C9D-4464-BCED-F58D9108ACA4} (deleted)
    (5/12/05 9:41:17 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
    (5/12/05 9:41:17 PM) FilterKey: HKCR\text/plain (deleted)
    (5/12/05 9:41:17 PM) FilterKey: HKCR\CLSID\{D95F0BF4-1C9D-4464-BCED-F58D9108ACA4} (error while deleting)
    (5/12/05 9:41:17 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
    (5/12/05 9:41:17 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D1A82928-C8CE-4BD1-9EF7-D4899F25A8B6} (deleted)
    (5/12/05 9:41:17 PM) BHO-Key: HKCR\CLSID\{D1A82928-C8CE-4BD1-9EF7-D4899F25A8B6} (deleted)
    (5/12/05 9:41:17 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\patron\LOCALS~1\Temp\se.dll,DllInstall (deleted)
    (5/12/05 9:41:17 PM) UBF: 4 - UBB: 3 - UBR: 12
    (5/12/05 9:41:17 PM) Bad IE-pages:
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\patron\locals~1\temp\se.dll/spage.html
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
    deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\patron\locals~1\temp\se.dll/spage.html
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
    deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
    (5/12/05 9:41:17 PM) Stealth-String not found
    (5/12/05 9:41:18 PM) File added to delete: c:\windows\system32\oenn.dll
    (5/12/05 9:41:18 PM) File added to delete: c:\docume~1\patron\locals~1\temp\se.dll
    (5/12/05 9:41:18 PM) Reboot


    (5/12/05 9:43:19 PM) SPSeHjFix started v1.1.2
    (5/12/05 9:43:19 PM) OS: WinXP Service Pack 1 (5.1.2600)
    (5/12/05 9:43:19 PM) Language: english
    (5/12/05 9:43:19 PM) Win-Path: C:\WINDOWS
    (5/12/05 9:43:19 PM) System-Path: C:\WINDOWS\System32
    (5/12/05 9:43:19 PM) Temp-Path: C:\DOCUME~1\patron\LOCALS~1\Temp\


    (5/12/05 9:44:13 PM) SPSeHjFix started v1.1.2
    (5/12/05 9:44:13 PM) OS: WinXP Service Pack 1 (5.1.2600)
    (5/12/05 9:44:13 PM) Language: english
    (5/12/05 9:44:13 PM) Win-Path: C:\WINDOWS
    (5/12/05 9:44:13 PM) System-Path: C:\WINDOWS\System32
    (5/12/05 9:44:13 PM) Temp-Path: C:\DOCUME~1\patron\LOCALS~1\Temp\



    Logfile of HijackThis v1.99.1
    Scan saved at 10:53:56 PM, on 5/12/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\SMART Board Software\SMARTBoardService.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\TEMP\FHCCA1.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\wp.exe
    C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
    C:\Program Files\JoiExpress\propelac.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SMART Board Software\SMARTBoardTools.exe
    C:\Program Files\SMART Board Software\Aware.exe
    C:\Program Files\SMART Board Software\Marker.exe
    C:\JOI\Dunnow.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SMART Notebook Download Plugin - {30DA8584-E4B3-45f7-A164-DB8F869FCF77} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\JoiExpress\prpl_IePopupBlocker.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [ActivDRVAutostart] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe /startup
    O4 - HKLM\..\Run: [ACTIVfilter] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\JoiExpress\trayctl.exe" /STARTUPLAUNCH
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Spino] C:\Program Files\Jurassic Park III Games\Dino Defender\DINO3.EXE
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
    O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra button: Microsoft AntiSpyware helper - {D3499B30-9F40-4ADF-B9FA-212CB8497F0F} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D3499B30-9F40-4ADF-B9FA-212CB8497F0F} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - https://esis.ncwise.org/jinitiator/jinit.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A362135C-F617-47D0-A859-1AF675BA7888}: NameServer = 64.63.228.6 64.63.192.17
    O23 - Service: ActivDRVcontrol - ACTIV Software Ltd - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
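
Comparing the scan posted before the SPSeHjFix run with the one posted after it shows which browser and autostart entries the tool removed and which are left for manual fixing. The Python script below is an added example, not part of the original thread or of HijackThis; the log excerpts are copied from the posts above, and the two location checks (file in a drive root, file under a Temp directory) are illustrative assumptions for prioritising review, not a malware verdict.

```python
import re

# Excerpts copied from the HijackThis logs in this thread: the 5/11 scan
# (before SPSeHjFix) and the 5/12 scan (after it), cut down to a few lines.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\patron\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
O2 - BHO: (no name) - {D1A82928-C8CE-4BD1-9EF7-D4899F25A8B6} - C:\WINDOWS\System32\oenn.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\patron\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O18 - Filter: text/html - {D95F0BF4-1C9D-4464-BCED-F58D9108ACA4} - C:\WINDOWS\System32\oenn.dll
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
"""

# A HijackThis entry line is "<section code> - <details>", e.g. "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# First Windows path in an entry; stops at quote, slash, comma or equals sign.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"/,=]*')


def parse_entries(log_text):
    """Return the set of (code, body) entries; headers and the process list are skipped."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match.group("code"), match.group("body").strip()))
    return entries


def compare_logs(before_text, after_text):
    """Split entries into removed, added and remaining between two scans."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "removed": sorted(before - after),
        "added": sorted(after - before),
        "remaining": sorted(before & after),
    }


def location_flags(body):
    """Assumed review heuristics: target file in a drive root or under a Temp directory."""
    match = PATH_RE.search(body)
    if not match:
        return []
    parts = match.group(0).strip().lower().split("\\")
    flags = []
    if len(parts) == 2:            # e.g. c:\name.exe
        flags.append("drive-root")
    if "temp" in parts[1:-1]:      # any directory component named Temp
        flags.append("temp-dir")
    return flags


def remaining_to_review(before_text, after_text):
    """Entries present in both scans whose target sits in a flagged location."""
    flagged = []
    for code, body in compare_logs(before_text, after_text)["remaining"]:
        flags = location_flags(body)
        if flags:
            flagged.append((code, body, flags))
    return flagged


if __name__ == "__main__":
    diff = compare_logs(BEFORE, AFTER)
    for state in ("removed", "added", "remaining"):
        print(state.upper())
        for code, body in diff[state]:
            print(f"  {code} - {body}")
    print("STILL PRESENT, REVIEW FIRST")
    for code, body, flags in remaining_to_review(BEFORE, AFTER):
        print(f"  {code} - {body}  [{', '.join(flags)}]")
```
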
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Good job!


    Print out these instructions and then close all windows including Internet Explorer.

    Then I want you to fix some of those entries. Please do the following:

    Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

    Security IGuard
    Virtual Maid
    Search Maid


    Exit Add/Remove Programs.


    Make sure that you can VIEW ALL HIDDEN FILES.

    Run Hijackthis again, click scan, and put a checkmark next to each of these. Then click the Fix button:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {D3499B30-9F40-4ADF-B9FA-212CB8497F0F} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D3499B30-9F40-4ADF-B9FA-212CB8497F0F} - (no file) (HKCU)


    Reboot your computer into SAFE MODE

    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\wp.exe
    C:\wp.bmp
    C:\Windows\sites.ini
    C:\Windows\popuper.exe
    C:\WINDOWS\System32\wldr.dll
    C:\Windows\System32\helper.exe
    C:\Windows\System32\intmonp.exe
    C:\Windows\System32\msmsgs.exe
    C:\Windows\System32\ole32vbs.exe
    C:\Windows\system32\msole32.exe
    C:\Windows\System32\Log Files
    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Program Files\Security IGuard



    Reboot your computer to go back to normal mode.

    Once you have rebooted, download the following reg file to your desktop by right-clicking on the link and selecting Save As.

    http://www.bleepingcomputer.com/files/reg/smitfraud.reg

    Once it has downloaded, double-click on the smitfraud.reg file on your desktop and when it asks if you would like to merge the data, click on the Yes button.

    Reboot your computer and you should now be able to change your desktop settings back to how you would like it. If your desktop still looks strange, go into your display properties and click on the Themes tab. Change the theme to Windows XP and you will now be using the default Windows XP settings. Then change them as you see fit.

    Reboot and post a new hijackthis log and let me know of any problems you experienced.
  • edited May 2005
    I have my desktop back. Many thanks.

    Still getting a "Messenger Services" popup. Different messages claiming windows has found this or that security problem and asking me to visit one of several "repair" or "patch" sites. Any way to get rid of this?

    Logfile of HijackThis v1.99.1
    Scan saved at 10:37:19 AM, on 5/13/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\SMART Board Software\SMARTBoardService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\TEMP\YA3F12.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SMART Board Software\SMARTBoardTools.exe
    C:\Program Files\JoiExpress\propelac.exe
    C:\Program Files\SMART Board Software\Aware.exe
    C:\Program Files\SMART Board Software\Marker.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\JOI\Dunnow.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HIJACKTHIS\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SMART Notebook Download Plugin - {30DA8584-E4B3-45f7-A164-DB8F869FCF77} - C:\Program Files\SMART Board Software\NotebookPlugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\JoiExpress\prpl_IePopupBlocker.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [ActivDRVAutostart] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe /startup
    O4 - HKLM\..\Run: [ACTIVfilter] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\JoiExpress\trayctl.exe" /STARTUPLAUNCH
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Spino] C:\Program Files\Jurassic Park III Games\Dino Defender\DINO3.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
    O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - https://esis.ncwise.org/jinitiator/jinit.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A362135C-F617-47D0-A859-1AF675BA7888}: NameServer = 64.63.228.6 64.63.192.17
    O23 - Service: ActivDRVcontrol - ACTIV Software Ltd - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Your log looks clean, but if you are still getting those popups then something is still hiding.

    Please run at least two of these online scans.
    Make sure they are set to clean automatically:

    Panda Virus Scan

    Bit Defender

    TrendMicro Housecall

    There will be files that these scans will not remove. Please include that information in your next post.


    Reboot and post a new HijackThis log and the info from your virus scans.
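
Added example, not part of the original thread and not HijackThis's own code: a small Python parser for the log format posted above, which groups entries by section code and lists lines worth a manual look. The sample lines are copied from this thread's log and shortened; the three review heuristics are this example's own assumptions and mark things to check, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the log in this thread, shortened.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\YA3F12.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
"""

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")  # section code, then detail
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

def parse_log(text):
    """Split a HijackThis log into running processes and entries keyed by section code."""
    processes, entries, in_processes = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False  # a blank line ends the process list
        elif in_processes and DRIVE_PATH.match(line):
            processes.append(line)
        elif (m := ENTRY.match(line)):
            entries[m.group(1)].append(m.group(2))
    return processes, dict(entries)

def review_items(processes, entries):
    """Return (reason, line) pairs to check by hand; the heuristics are assumptions."""
    items = []
    for p in processes:
        if re.search(r"\\te?mp\\", p, re.IGNORECASE):
            items.append(("process running from a temp directory", p))
    for code, details in entries.items():
        for d in details:
            if d.endswith("(file missing)"):
                items.append(("entry points to a missing file", f"{code} - {d}"))
            if "ProxyServer" in d and re.search(r"localhost|127\.0\.0\.1", d):
                items.append(("browser proxy set to the local machine", f"{code} - {d}"))
    return items

if __name__ == "__main__":
    for reason, line in review_items(*parse_log(SAMPLE_LOG)):
        print(f"[review] {reason}: {line}")
```

Each flagged line still needs to be matched against software known to be installed on the machine before anything is fixed or removed.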