Options
Help with Trojan-Html.smitfraud.c
Ok. so i had a screen with a security alert that said that explorer could not load because of this. I looked on the forums, downloaded smitrem, ewido, and adaware and followed the insturctions. It removed the screen, but now all that comes up is just the background the the mouse pointer. I can still use task manager to start up things, but for some reason the desktop will not load. I have ran hijackthis and the log is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 12:48:21 PM, on 04/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Home Use\Local Settings\Temp\wzff38\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://securityresponse.symantec.com/avcenter/fix_homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
Internet Explorer provided by Roadrunner
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINNT\System32\mmxp2passion.exe
O4 - HKLM\..\Run: [FT_SilentSudokuInstaller.exe]
C:\WINNT\System32\FT_SilentSudokuInstaller.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec
Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton
AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE
CfgWiz /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SMSSU] C:\WINNT\System32\SMSSU.EXE
O4 - Startup: Symantec Setup Launcher.lnk = C:\Documents and Settings\Home
Use\Local Settings\Temp\SymLnch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program
Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) -
http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} -
http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) -
http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} -
http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\fVxshell.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -
VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program
Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) -
Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton
Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\Security
Console\NSCSRVCE.EXE
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. -
C:\WINNT\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program
Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
If someone could help i would be more than greatful!!
Have a great day!
Logfile of HijackThis v1.99.1
Scan saved at 12:48:21 PM, on 04/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Home Use\Local Settings\Temp\wzff38\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://securityresponse.symantec.com/avcenter/fix_homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
Internet Explorer provided by Roadrunner
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINNT\System32\mmxp2passion.exe
O4 - HKLM\..\Run: [FT_SilentSudokuInstaller.exe]
C:\WINNT\System32\FT_SilentSudokuInstaller.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec
Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton
AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE
CfgWiz /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SMSSU] C:\WINNT\System32\SMSSU.EXE
O4 - Startup: Symantec Setup Launcher.lnk = C:\Documents and Settings\Home
Use\Local Settings\Temp\SymLnch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program
Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) -
http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} -
http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) -
http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} -
http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\fVxshell.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -
VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program
Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) -
Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton
Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\Security
Console\NSCSRVCE.EXE
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. -
C:\WINNT\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program
Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
If someone could help i would be more than greatful!!
Have a great day!
0
Comments
Please navigate to:
C:\Documents and Settings\Home
Use\Local Settings\Temp\
and locate the file:
"SymLnch.exe".
Right-click on it and choose "Properties", then click on the "Version" tab at the top. Click on "Comments", "Company", "File Version", and "Internal Name" and please post in your next reply whatever the text in the box immediately to the right says for each.
Now go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:
C:\WINNT\system32\fVxshell.dll
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here in your next reply for me to see.
Then launch HijackThis and place a checkmark by the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://securityresponse.symantec.com...r/fix_homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://securityresponse.symantec.com...r/fix_homepage
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINNT\System32\mmxp2passion.exe
O4 - HKLM\..\Run: [FT_SilentSudokuInstaller.exe]
C:\WINNT\System32\FT_SilentSudokuInstaller.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINNT\System32\SMSSU.EXE
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} -
http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} -
http://download.spyspotter.com/spysp...terInstall.cab
Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.
Upon reboot, follow the instructions here to show all system files and hidden folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Now navigate to and delete the following files/folders if they still exist:
C:\WINNT\System32\mmxp2passion.exe
C:\WINNT\System32\FT_SilentSudokuInstaller.exe
C:\WINNT\System32\SMSSU.EXE
Then rescan with HijackThis to get a new log.
What you'll need to post in your next reply:
1. Whether you got your desktop back
2. More information you got about SymLnch.exe by following the above instructions
3. Jotti results
4. HijackThis log
If all these cannot fit into one post, you can split them into two posts.