Options

trojan-spy.html.smitfruad.c

Unknown
edited August 2005 in Spyware & Virus Removal
Alright, lots of people seem to have this problem. Its giving me the whole blue screen with the message: "A fatal error in IE has occured at 0028:C0011E36 in VXD VMM (01) + 00010E36. Error was caused by Trojan-Spy.HTML.smitfraud.c
*System cannot function in normal mode.
Please check your security settings.
*Scan your PC with any available antivirus / spyware remover program to fix the problem"

I've run anti-virus and spyware, nothing comes up.
Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:30:47 AM, on 8/13/2005
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
E:\avgamsvr.exe
E:\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\TASKMGRU.EXE
C:\WINNT\System32\MSIMN32.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\desk95.exe
C:\WINNT\System32\viewport.exe
E:\Program Files\iTunesHelper.exe
E:\avgemc.exe
C:\WINNT\System32\MSIMN32.EXE
C:\WINNT\System32\TASKMGRU.EXE
C:\WINNT\win32res.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINNT\bhoass.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINNT\stlbd.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\avgemc.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSIMN32] C:\WINNT\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [TASKMGRU] C:\WINNT\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Win32res] C:\WINNT\win32res.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\aim.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4473/mcfscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WUSB54GSVC - Unknown owner - C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe (file missing)

Help would be very very very much appreciated.

Comments

  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited August 2005
    Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

    Download smitRem.zip and save the file to your desktop.
    Right click on the file and extract it to it's own folder on the desktop.

    Place a shortcut to Panda ActiveScan on your desktop.

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/

    Please read Ewido Setup Instructions
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
    Ad-Aware SE Setup
    Don't run it yet!

    Next, please reboot your computer in SafeMode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.
    Now scan with HJT and place a checkmark next to each of the following items:

    ===================================================
    O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINNT\bhoass.dll
    O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINNT\stlbd.dll

    O4 - HKCU\..\Run: [MSIMN32] C:\WINNT\System32\MSIMN32.EXE
    O4 - HKCU\..\Run: [TASKMGRU] C:\WINNT\System32\TASKMGRU.EXE
    O4 - HKCU\..\Run: [Win32res] C:\WINNT\win32res.exe

    O16 - DPF: {11111111-1111-1111-1111-111111111111} -
    ===================================================

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


    Open Ad-aware and do a full scan. Remove all it finds.


    Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    Close Ewido

    Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

    Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
    Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
    Let us know if any problems persist.
Sign In or Register to comment.