
Infected trojan-spy.html.smitfraud.c Pls help!!

Can someone help to get rid of this? My notebook got infected yesterday. I can't access desktop items or the Control Panel. The only way I can access my programs is through Task Manager -> New Task. The system also can't access the internet connection.
I have tried scanning the system with Ad-Aware and Adware-Away (without licence) but still can't remove it. Please advise.

Below is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:22:38 PM, on 6/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\taskmgr.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System\blank.htm
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q12021205_disk.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Logical Disk Manager Provider (apee) - Unknown owner - C:\WINNT\system32\msnmsgr.exe" -netsvcs (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: QoS Provider (qosprv) - Unknown owner - C:\WINNT\system32\iexplore.exe" -netsvcs (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\tomcat5\bin\tomcat.exe

Thx
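Reading a log like the one above by hand, a responder looks at three things first: which O23 services point at a binary that is no longer on disk, which ones run a user-facing program (a browser or messenger) as a service, and which O20 Winlogon Notify DLLs sit outside the system32 directory, since winlogon.exe loads those at every logon. The Python script below is an added example, not part of the original thread and not a HijackThis feature; it applies those three checks to a constructed excerpt built from the O20 and O23 lines in the posted log. The INTERACTIVE_PROGRAMS set, the Logical Disk Manager short-name check and the reason strings are this example's own choices. A hit only means the entry deserves a look: a missing binary may simply be left over from an uninstalled program, so a human still decides what to do with each line.

```python
"""Triage helper for HijackThis-style logs (constructed example, not a HijackThis feature).

Entry types examined:
  O20 - Winlogon Notify DLLs: loaded by winlogon.exe at logon, so a DLL that
        lives outside the system32 directory deserves a look.
  O23 - Services: flagged when the binary is reported missing, when the
        executable is an interactive program rather than a service binary,
        or when the display name borrows a built-in Windows service name
        while the short name is not one of the real ones.
Every hit is a "review this" marker, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt: O20/O23 lines as they appear in the posted log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q12021205_disk.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Logical Disk Manager Provider (apee) - Unknown owner - C:\WINNT\system32\msnmsgr.exe" -netsvcs (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: QoS Provider (qosprv) - Unknown owner - C:\WINNT\system32\iexplore.exe" -netsvcs (file missing)
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]*)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)
# First drive-letter path ending in .exe or .dll inside the command-line field.
EXE_RE = re.compile(r"[A-Za-z]:[\\/][^\"]*?\.(?:exe|dll)", re.IGNORECASE)

# Programs meant to be launched by a user, not registered as services (example's own list).
INTERACTIVE_PROGRAMS = {"iexplore.exe", "msnmsgr.exe", "explorer.exe"}
# Real short names of the Logical Disk Manager services on Windows 2000/XP.
LDM_SHORT_NAMES = {"dmserver", "dmadmin"}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _binary_name(command: str) -> str:
    """Return the lower-cased file name of the first .exe/.dll path in a command line."""
    m = EXE_RE.search(command)
    return re.split(r"[\\/]", m.group(0))[-1].lower() if m else ""


def _check_o20(m) -> list:
    reasons = []
    if "\\system32\\" not in m.group("path").lower():
        reasons.append("Winlogon Notify DLL outside the system32 directory")
    return reasons


def _check_o23(m) -> list:
    display, short, path = m.group("display"), m.group("short") or "", m.group("path")
    reasons = []
    if path.rstrip().endswith("(file missing)"):
        reasons.append("service binary reported missing")
    exe = _binary_name(path)
    if exe in INTERACTIVE_PROGRAMS:
        reasons.append(f"interactive program {exe} registered as a service")
    if display.startswith("Logical Disk Manager") and short.lower() not in LDM_SHORT_NAMES:
        reasons.append(f"built-in service name with unexpected short name '{short}'")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O20/O23 line that trips at least one check, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O20_RE.match(line)):
            reasons = _check_o20(m)
        elif (m := O23_RE.match(line)):
            reasons = _check_o23(m)
        else:
            continue  # other HijackThis sections are not examined here
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the excerpt, the script reports the Winlogon Notify DLL, the Apache2 entry (missing binary only), the "Logical Disk Manager Provider (apee)" entry with all three reasons, and the "QoS Provider (qosprv)" entry with two; the dmadmin, MySql and NVIDIA-style entries pass untouched. The regex for O23 keeps the stray `"` and trailing arguments that HijackThis prints in the command-line field, which is why the executable name is pulled out with a separate pattern instead of by splitting on spaces.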

Comments

  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    Print out these instructions and then close all windows including Internet Explorer.

    Then I want you to fix some of those entries. Please do the following:

    Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

    Security IGuard
    Virtual Maid
    Search Maid
    PSGuard


    Exit Add/Remove Programs.


    Make sure that you can VIEW ALL HIDDEN FILES.

    Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System\blank.htm
    O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
    O20 - Winlogon Notify: style2 - C:\WINNT\q12021205_disk.dll


    Reboot your computer into SAFE MODE

    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\wp.exe
    C:\wp.bmp
    C:\WINNT\q12021205_disk.dll
    C:\WINNT\sites.ini
    C:\WINNT\popuper.exe
    C:\WINNT\uninstIU.exe
    C:\WINNT\System32\wldr.dll
    C:\WINNT\System32\helper.exe
    C:\WINNT\System32\intmon.exe
    C:\WINNT\System32\intmonp.exe
    C:\WINNT\System32\msmsgs.exe
    C:\WINNT\System32\ole32vbs.exe
    C:\WINNT\system32\msole32.exe
    C:\WINNT\system32\shnlog.exe
    C:\WINNT\system32\oleadm.dll
    C:\WINNT\System32\Log Files
    C:\Program Files\Search Maid
    C:\Program Files\Virtual Maid
    C:\Program Files\Security IGuard
    C:\Program Files\PSGuard



    Reboot your computer to go back to normal mode and post a new HijackThis log.
  • edited June 2005
    FYI, I can't access the Control Panel. Can I proceed with the following instructions without performing Add/Remove Programs? I tried to access it with rundll32.exe but was unsuccessful. Is there any shortcut for accessing the Control Panel?
    Thanks.
  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    Click Windows + R to bring up the Run dialogue. Then enter in appwiz.cpl and that should get you to Add/Remove programs.
  • edited June 2005
    I get a script error when I try to open Add/Remove Programs with appwiz.cpl.

    Error: Access is denied to: res://appwiz.cpl/places.htc
    URL: res://appwiz.cpl/default.hta

    Can reformatting the hard disk remove the bugs?
  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    Reformatting the hard disk will remove everything. You'll be starting over from a blank disk. It's an extreme step. But if you don't mind losing everything and starting over it will solve your problem. However there are other options if you don't want to do that yet.


    There is a new tool that recently became available for smitfraud.

    Download smitRem.zip and save the file to your desktop.
    Right click on the file and extract it to its own folder on the desktop.


    Reboot your computer into SAFE MODE


    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.



    Reboot back to normal mode and let me know how it went.
  • edited June 2005
    The problem is still there. The tool attempts to delete the infected files but can't find them. The blue screen has turned to pure blue instead of the blue screen with error messages.
    Could it be that the Windows environment is damaged? What will happen if I reinstall Windows 2000 directly? I think reformatting will be my last option to get rid of the problem.
    Anyway, thanks for your effort.
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    Click Windows + E to bring up explorer. You should be able to access the control panel from there.
    • Control Panel>Display
    • Go to the Desktop tab and click on the Customise Desktop button.
    • Go to the Web tab
    • In the web page box, click on the page that is checkmarked and then click the Delete button.
    • Ok your way out of the dialog and check your desktop.
  • edited July 2005
    Windows + E is not working. Even Windows + R now no longer works as it did before. I think I'll give up on it. Preparing for the painful reformatting.

    Thanks, and I appreciate your help.
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    That sounds like your best bet at this point. Sorry we couldn't catch up to it. :(