Trojan-spy: Smitfraud.c

Help. My PC has been infected by the trojan Smitfraud.c. Luckily I also own a laptop, so I am able to communicate independently. The Trojan is preventing me from logging on to my PC, so any possible solutions that involve entering the Windows Control Panel and deleting programs, or logging onto the internet to download software, will not work. If I try to log on I get the message that Explorer.exe has failed. Entering via Safe Mode does not seem to help either. I can get into cmd.exe, but my knowledge of DOS is so limited I am not sure what to do next.
My PC is running Windows XP.

Any suggestions?

Comments

  • Buckeye_Sam (Columbus, Ohio)
    edited July 2005
    Boot into Safe Mode. Then try to bring up Task Manager by clicking CTRL-ALT-DELETE.

    If you can get that far, click on New Task and enter explorer.exe.

    Once you've done that, look for this file:

    C:\Windows\System32\wininet.dll

    If you find it, rename it to wininet.old.
    Then copy the wininet.dll file from your laptop and paste it to the infected computer.
    Reboot and let me know what happens.

    If you can get back to Normal Mode, try to get a HijackThis log so I can see what else you are dealing with.
  • edited July 2005
    Hi,
    I have the same problem as the above person... I cannot copy the wininet.dll from my laptop to the infected computer, as access is denied...

    What could be done next?
    Thanks in advance for any help...

    br

    james
  • edited July 2005
    Hi,

    I was able to take a hijackthis log file, found below:

    I am not able to delete any wininet.dll, because it doesn't allow access. Thanks in advance for any help you can offer.

    Looking through some of the other threads, I didn't find any lines of the HijackThis scan that matched up with what they were finding...

    Thanks in advance for any help you can offer.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:47:49, on 19/07/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\cmd.exe
    C:\Documents and Settings\voskuja\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\voskuja\LOCALS~1\Temp\se.dll/space.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = levi.nethawk.fi:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.4*;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\Adobe\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4EAEF5AC-B728-4851-9264-1331DED7133A} - C:\WINNT\system32\hnhc.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [WebCam Go Sti Service Application] wbcgosvc
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Go Control\CAMTRAY.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Microsoft--Updates] bling.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [bdhrei39] C:\WINNT\system32\bdhrei39.exe
    O4 - HKLM\..\Run: [intel32.exe] C:\WINNT\system32\intel32.exe
    O4 - HKLM\..\RunServices: [Microsoft--Updates] bling.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [RTEGPRS] "C:\Program Files\Common Files\RTE\RTEGPRS.exe" tray
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Distillr\AcroTray.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = Office10\OSA.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: PGPtray.lnk = D:\Program Files\Network Associates\PGP\PGPtray.exe
    O4 - Global Startup: Reality Fusion GameCam SE.lnk = C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
    O4 - Global Startup: Sagem - Utilitaire réseau pour Clé USB Wi-Fi 802.11g.lnk = C:\Program Files\SAGEM Wi-Fi USB 802.11g\WLANUTL.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O12 - Plugin for .mpe: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4/teleir_cert.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {CDBD9968-7BF1-11D4-9D36-0001029DEBEB} (Loader Class) - http://sokosti.nethawk.fi/TDBIN/Spider.ocx
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://sonera-ssl.webex.com/client/latest/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nethawk.fi
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nethawk.fi
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nethawk.fi
    O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
    O20 - Winlogon Notify: style2 - C:\WINNT\q4299792_disk.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NetHawk Starter Service (nss) - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: OracleOraHome816ClientCache - Unknown owner - C:\Oracle\Ora816\BIN\ONRSD.EXE
    O23 - Service: PGPsdkService (PGPsdkServ) - Networks Associates Technology, Inc. - C:\WINNT\System32\PGPsdkServ.exe
    O23 - Service: PGPService - Networks Associates Technology, Inc. - D:\Program Files\Network Associates\PGP\PGPservice.exe
    O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - D:\Program Files\checkpoint\REmoteSecu\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - D:\Program Files\checkpoint\REmoteSecu\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
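An added example, not code from anyone in this thread: a small Python triage pass over lines excerpted from the log above. The four heuristics it applies (an IE search page pointing at a res:// page under a Temp folder, a BHO registered with no name, an autorun target with a random-looking file name, a Winlogon Notify DLL loaded from outside System32) are my assumptions about what a log reader checks first; a hit is a prompt to look closer, not a verdict on the file.

```python
import re
from typing import List, Tuple

# Constructed sample: lines taken verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\DOCUME~1\\voskuja\\LOCALS~1\\Temp\\se.dll/space.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\\program files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {4EAEF5AC-B728-4851-9264-1331DED7133A} - C:\\WINNT\\system32\\hnhc.dll
O4 - HKLM\\..\\Run: [Apoint] C:\\Program Files\\Apoint2K\\Apoint.exe
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Program Files\\ORL\\VNC\\WinVNC.exe" -servicehelper
O4 - HKLM\\..\\Run: [bdhrei39] C:\\WINNT\\system32\\bdhrei39.exe
O20 - Winlogon Notify: NavLogon - C:\\WINNT\\System32\\NavLogon.dll
O20 - Winlogon Notify: style2 - C:\\WINNT\\q4299792_disk.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"Run(?:Services)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O20_RE = re.compile(r"Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# Heuristic (assumption): a run of letters then digits, e.g. bdhrei39.exe
RANDOM_NAME_RE = re.compile(r"^[a-z]+\d{2,}(?:_\w+)?\.(?:exe|dll)$", re.I)

def target_of(cmd: str) -> str:
    """Executable path from an O4 command line, honouring quoted paths."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for entries that match a triage heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind in ("R0", "R1") and "res://" in rest and "\\Temp\\" in rest:
            findings.append((line, "IE search page redirected to a res:// page under a Temp folder"))
        elif kind == "O2" and (b := O2_RE.match(rest)) and b.group("name") == "(no name)":
            findings.append((line, "browser helper object registered with no name"))
        elif kind == "O4" and (r := O4_RE.search(rest)):
            name = target_of(r.group("cmd")).rsplit("\\", 1)[-1]
            if RANDOM_NAME_RE.match(name):
                findings.append((line, f"autorun target with random-looking name: {name}"))
        elif kind == "O20" and (w := O20_RE.match(rest)):
            if "\\system32\\" not in w.group("path").lower():
                findings.append((line, "Winlogon Notify DLL loaded from outside System32"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the flagged lines with their reasons; entries like Apoint.exe and NavLogon.dll pass every heuristic and are not reported.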
  • Buckeye_Sam (Columbus, Ohio)
    edited July 2005
    JamesV - Please don't post your log into another person's thread. Just like it says in the large red letters at the top of this, and every page. Please begin your own thread and post your log and someone will help you.
  • edited July 2005
    Hi,

    Sorry, I read the red print after I posted... :eek: Sorry for the confusion. I have since then posted a new thread. Thanks!

    jv
This discussion has been closed.