Trojan-spy.html.smitfraud.c Virus

3 replies to this topic

#1 man140530

Posted 20 May 2005 - 03:05 AM

Hi,

Some days back I got this blue screen error saying that there is an internal IE error. Security IGuard got installed. My IE page (which is usually blank) when opened showed the title "Search for:" and there were various links all over the page.

When I tried to browse through url in the IE, nothing happened.

I had a look at some sites which spoke about this virus.

The things which I have done on my PC till now are as follows:

Un-installed Security IGuard
Removed wp.exe
Removed wp.bmp

Removed all entries of "wp.exe" from registry
Removed all entries of "C:\wp.bmp" from registry

Removed entries such as NoDispBackgroundPage, etc. from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System in the registry.

After all these, I changed the Themes and selected the Windows XP Theme. So I have managed to get the original Windows XP desktop back, which was not happening earlier.

Now my main concern is
1) I keep on getting popups when I try to access different sites.
2) I'm not able to use my IE as a browser. It still shows "Search for:" as title and various links all over the page. And entering a URL and then clicking GO does not work.

(My alternate way of now browsing sites is to open MS Word and then type the url there)

Please find below the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:32:21 AM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\atiupdpl.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\Network Associates\ProtectionPilot\1.0.0\EVENTPARSER.EXE
C:\Program Files\Network Associates\MSSQL\Binn\sqlagent.EXE
d:\Program Files\Network Associates\ProtectionPilot\1.0.0\NAIMSERV.EXE
d:\Program Files\Network Associates\ProtectionPilot\1.0.0\srvmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9FAFC38A-B32C-41C6-BB04-69E9B0983D54} - C:\WINDOWS\System32\mlbm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\System32\atiupdpl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {80270E80-92C5-464E-8AB5-AD7270AB0CDE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {80270E80-92C5-464E-8AB5-AD7270AB0CDE} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114322303281
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB90A289-D403-4C1A-B586-E1330C2C1F1A}: NameServer = 203.94.227.70,203.94.243.70
O18 - Filter: text/html - {E3A02586-CAB7-4E9E-AC47-67B17A5F9D54} - C:\WINDOWS\System32\mlbm.dll
O18 - Filter: text/plain - {E3A02586-CAB7-4E9E-AC47-67B17A5F9D54} - C:\WINDOWS\System32\mlbm.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee ProtectionPilot 1.0.0 Event Parser (EVENTPARSER301) - Network Associates, Inc. - d:\Program Files\Network Associates\ProtectionPilot\1.0.0\EVENTPARSER.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee ProtectionPilot 1.0.0 Server (NAIMSERV301) - Network Associates, Inc. - d:\Program Files\Network Associates\ProtectionPilot\1.0.0\NAIMSERV.EXE

Could anyone help me with this!
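As an added example (not part of any post in this thread), a short Python triage of HijackThis entry lines that flags the items a helper would target in the log above: the res:// Search Bar served from a DLL in Temp, the [sp] rundll32 Run key that reloads that DLL, the nameless BHO, and the text/html MIME filter. The sample lines are copied from the posted log; the flagging patterns are my own heuristics, not HijackThis's logic.

```python
import re
# Sample entries copied from the HijackThis log posted above; benign lines are included deliberately.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {9FAFC38A-B32C-41C6-BB04-69E9B0983D54} - C:\WINDOWS\System32\mlbm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O18 - Filter: text/html - {E3A02586-CAB7-4E9E-AC47-67B17A5F9D54} - C:\WINDOWS\System32\mlbm.dll
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
PATH_RE = re.compile(r"[a-z]:\\[^\s,/]+?\.(?:dll|exe|ocx)", re.IGNORECASE)

def parse_hjt(text):
    """Yield (section, body) for every HijackThis entry line, skipping header lines."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(text):
    """Return (section, reason, body) for entries matching this thread's hijack patterns (my heuristics)."""
    findings = []
    for section, body in parse_hjt(text):
        low = body.lower()
        if section in ("R0", "R1") and "res://" in low and "\\temp\\" in low:
            findings.append((section, "IE search/start page served from a DLL in Temp", body))
        elif section == "O4" and "rundll32" in low and "\\temp\\" in low:
            findings.append((section, "Run key reloads a DLL from Temp via rundll32", body))
        elif section == "O18" and re.match(r"filter: text/(html|plain)", low):
            findings.append((section, "MIME filter hooks every HTML/text page IE renders", body))
        elif section == "O2" and "(no name)" in low:
            findings.append((section, "BHO with no name", body))
    return findings

def flagged_files(text):
    """Sorted, de-duplicated basenames of the files behind flagged entries."""
    names = set()
    for _, _, body in triage(text):
        for path in PATH_RE.findall(body):
            names.add(path.rsplit("\\", 1)[-1].lower())
    return sorted(names)

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:<4}{reason}\n     {body}")
    print("files to investigate:", ", ".join(flagged_files(SAMPLE_LOG)))
```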


#2 g2i2r4


Posted 20 May 2005 - 02:54 PM

Welcome man140530 to Bleeping Computer.

Let's start cleaning up.

Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe
Don't use it yet!

***

Download 'SpSeHjfix' to the desktop.
Right-click a blank part of the desktop and select New Folder; call it 'spfix'.
Unzip the file into that folder.
Don't use it yet!

***

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your computer to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say "system clean" and not go on to the next stage.

***

Now run the CWShredder - Hit The FIX button!

***

Reboot the computer.

****

Download and run this online virus scan:
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you check "AutoClean"

***

Then reboot the computer again.
Post back in this topic with a fresh Hijack This log to see how we did.
Also post me the log that was created by 'SpSeHjfix'.


#3 man140530


Posted 20 May 2005 - 11:03 PM

I could not download nor run the online virus scan "trendmicro\housecall" you had mentioned (mostly due to the security settings of my ActiveX controls). I tried to change the settings, but it still did not run.

Is there any other online virus scan which I can run, or is there any other tool which will scan for the virus?

#4 g2i2r4


Posted 21 May 2005 - 04:23 AM

Please use this one (without ActiveX, but with the option to clean).
