Options
Sorry to bother people but i would like help with a trojan spy......
Hi, Yesterday my computer froze and i turned it off from the mains. When i switched it back on, there was a blue screen saying " A Fatal error in IE has occured at 0028:C0011E36 in VXD VMM (01) + 00010E36. Error was caused by Trojan-spy.html.smitfraud.c
*System can not function in normal mode, check security settings
*Scan your PC with any available antivirus/spyware remover program
I had a look at some of the other threads where people had the same problem but it doesnt seem to make much sense to me, sorry.
My computer runs with is ME not XP. Maybe im being stupid but im not sure how to Scan with "hijack this" as my computer is stuck on the same blue screen thus i cant download it or anything else that may help.
Any help at all would be greatly appreciated!!!
*System can not function in normal mode, check security settings
*Scan your PC with any available antivirus/spyware remover program
I had a look at some of the other threads where people had the same problem but it doesnt seem to make much sense to me, sorry.
My computer runs with is ME not XP. Maybe im being stupid but im not sure how to Scan with "hijack this" as my computer is stuck on the same blue screen thus i cant download it or anything else that may help.
Any help at all would be greatly appreciated!!!
0
Comments
When you have both hijackthis and smitRem.zip transferred over to the infected computer let me know and we'll proceed.
Logfile of HijackThis v1.99.1
Scan saved at 11:12:04, on 13/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\DHUPDT.EXE
C:\WINDOWS\DHBRWSR.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\BSW.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\DHSVR.EXE
A:\HIJACKTHIS_199\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\DEALHLPR.DLL
O2 - BHO: (no name) - {89E61816-1928-488C-B653-492689FD676D} - C:\WINDOWS\SYSTEM\HPJG.DLL
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\SYSTEM\1tvi.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [BearShare] "C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunOnce: [EDM0CFZ.EXE] C:\WINDOWS\SYSTEM\EDM0CFZ.EXE /k
O4 - HKCU\..\Run: [warez] "C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE" -h
O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
O4 - HKCU\..\RunOnce: [EDM0CFZ.EXE] C:\WINDOWS\SYSTEM\EDM0CFZ.EXE /k
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0a\aoltray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {3D897CAE-92FD-4F0D-BE43-DC9824B26898} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3D897CAE-92FD-4F0D-BE43-DC9824B26898} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {3D897CAE-92FD-4F0D-BE43-DC9824B26898} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3D897CAE-92FD-4F0D-BE43-DC9824B26898} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelper.com/updates/DealHelperNew.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c18.cab
O18 - Filter: text/html - {B7778329-1BAC-4732-8D57-DC0DC5F5A15B} - C:\WINDOWS\SYSTEM\HPJG.DLL
O18 - Filter: text/plain - {B7778329-1BAC-4732-8D57-DC0DC5F5A15B} - C:\WINDOWS\SYSTEM\HPJG.DLL
You'll need to find smitrem.zip that you downloaded earlier(or download it again) and extract it to your desktop. You should then see a folder named SmitRem.
Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer.
2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a menu.
3. When you have the menu on the screen. Select the option for Safe Mode using the arrow keys.
4. Then press enter on your keyboard to boot into Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.
Reboot back to normal mode and post a new HijackThis log as well as the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Logfile of HijackThis v1.99.1
Scan saved at 23:20:56, on 13/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\DHUPDT.EXE
C:\WINDOWS\DHBRWSR.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\DEALHLPR.DLL
O2 - BHO: (no name) - {89E61816-1928-488C-B653-492689FD676D} - C:\WINDOWS\SYSTEM\HPJG.DLL
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\SYSTEM\0u3ozmy.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [BearShare] "C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunOnce: [EDM0CFZ.EXE] C:\WINDOWS\SYSTEM\EDM0CFZ.EXE /k
O4 - HKCU\..\Run: [warez] "C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE" -h
O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
O4 - HKCU\..\RunOnce: [EDM0CFZ.EXE] C:\WINDOWS\SYSTEM\EDM0CFZ.EXE /k
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0a\aoltray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {3D897CAE-92FD-4F0D-BE43-DC9824B26898} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3D897CAE-92FD-4F0D-BE43-DC9824B26898} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {3D897CAE-92FD-4F0D-BE43-DC9824B26898} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3D897CAE-92FD-4F0D-BE43-DC9824B26898} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} (Dhsigned Control) - http://ads.dealhelper.com/updates/DealHelperNew.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c18.cab
O18 - Filter: text/html - {B7778329-1BAC-4732-8D57-DC0DC5F5A15B} - C:\WINDOWS\SYSTEM\HPJG.DLL
O18 - Filter: text/plain - {B7778329-1BAC-4732-8D57-DC0DC5F5A15B} - C:\WINDOWS\SYSTEM\HPJG.DLL
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\VolumeCaches\Internet Cache Files]
"StateFlags2005"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\VolumeCaches\Active Setup Temp Folders]
"StateFlags2005"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\VolumeCaches\Downloaded Program Files]
"StateFlags2005"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\VolumeCaches\Recycle Bin]
"StateFlags2005"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\VolumeCaches\Old files in root of drive]
"StateFlags2005"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\VolumeCaches\Temporary files]
"StateFlags2005"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\VolumeCaches\Setup files]
"StateFlags2005"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\VolumeCaches\Offline Pages Files]
"StateFlags2005"=dword:00000002
Please download Seeker's SpSeHjfix here:
http://www.derbilk.de/SpSeHjfix109.zip
Unzip it to the desktop but do NOT run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Once in Safe Mode, please run SpSeHjfix.bat. Click "Start Disinfection" and follow the prompts. Allow your computer to reboot when required. Post the logfile from the tool here for me when done along with a new hijackthis log.