
smitfraud.c or w32.desktophijack problem


34 replies to this topic

#1 smitfraud problem

  • Members
  • 19 posts

Posted 15 July 2005 - 01:21 PM

I have been working on a machine for a couple of days now that has a problem that I believe to be related to smitfraud.c or w32.desktophijack. The machine will not present a desktop. Any attempt to run explorer.exe, iexplore.exe, adaware, spybot, local antivirus program fails with the following error:

The application failed to initialize properly (Oxoooooo5). Click OK to terminate application.

I can launch some apps such as task manager, msconfig, mmc, firefox browser, etc.

When trying to start HJT, I get a command prompt flash and then it closes.

I have gone through about everything that I can find in safe mode:

Killbox
Hoster
ewido-setup
smitfraud.reg
win.ini
sys.ini
unhookexec.inf
deldomains.inf
Cleanup!
ActiveScan
avgoldfix.reg

Any help is much appreciated.


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 July 2005 - 01:40 PM

Ok, I think we are dealing with an infected wininet.dll here.

So, everything must go via taskmanager.
I assume you can surf via firefox? That's an advantage..

Download smitRem.zip
Save it somewhere you can easily find it. Browse via taskmanager to the file, rightclick on it, choose extract.
You'll get a new smitrem-folder.
Open that folder and doubleclick RunThis.bat
Follow the prompts on the screen.
When done, REBOOT
After reboot, run RunThis.bat once again.

Let me know if you regained your explorer and IE.
Search on your C:\ for smitfiles.txt and post it in your next reply.
Post a new hijackthislog afterwards if you are able to run hijackthis.

Edited by miekiemoes, 15 July 2005 - 01:41 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 smitfraud problem


Posted 15 July 2005 - 02:33 PM

I had run the smitRem bat file previously but went ahead and ran it 2 more times. I had not previously let the disk cleanup portion complete. Below is the smitfiles.txt file. It did not appear to be successful. I still do not have access to explorer and IE and I am unable to run HJT. Thanks in advance.

Pre-run Files Present

~ Program Files ~
~ Shortcuts ~
~ system32 ~
~ Windows directory ~
~ Drive root ~

Post-run Files Present

~ Program Files ~
~ Shortcuts ~
~ system32 ~
~ Windows directory ~
~ Drive root ~

~ Wininet.dll ~

Not Infected!

#4 miekiemoes


Posted 15 July 2005 - 02:58 PM

Hmmm..

Can you search first if there is actually a wininet.dll present in your system32-folder?
If so, can you upload it here to check?

http://virusscan.jotti.org/

Post the results in your next reply.
When searching via taskmanager for a file, make sure that 'all files' is selected instead of only programs, otherwise you won't find it.

Did you also already reboot after running smitrem? Because smitrem has been updated since yesterday.

Edited by miekiemoes, 15 July 2005 - 02:59 PM.


#5 smitfraud problem


Posted 15 July 2005 - 03:14 PM

Nice site. Here are the results:

File: wininet.dll
Status: OK
MD5: 57d9ef36c5b3ddb824047ac5b4ce5543
Packers detected: -

Scanner results:
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VBA32: Found nothing


I did do the reboot after each run on the smitrem.

#6 miekiemoes


Posted 15 July 2005 - 03:47 PM

Hmmm.. and still no explorer and IE?

Let's try something else..

Download:
http://users.pandora.be/bluepatchy/FixO.exe

Doubleclick FixO.exe and choose install.
This will create a new folder called FixO
Browse to that folder via new task in taskmanager, Open the folder and doubleclick FixO.bat

It will generate a log afterwards. Copy and paste the contents of that log in your next reply.

#7 smitfraud problem


Posted 15 July 2005 - 03:55 PM

Here it is. Not much to go on I am afraid.

running from ---
C:\trojan\fixo\FixO

StartPAge.O Removal batch 1.00

by miekiemoes

-----------------------------------------------------
existing bad files:
-----------------------------------------------------


existing important bad keys:
-----------------------------------------------------


Merging Registry----------


Deleting Files-------------


Searching for files not deleted:
-----------------------------------------------------


Searching for keys not deleted:
-----------------------------------------------------

#8 miekiemoes


Posted 15 July 2005 - 03:59 PM

This is really odd..

So wininet.dll is really present in your system32-folder?
I assume that explorer.exe is still present in your C:\Windows and iexplore.exe present in your C:\Program Files\Internet Explorer\iexplore.exe ??

What error do you exactly get after reboot?

Maybe your wininet.dll is corrupted (disinfected but corrupt)

Open notepad and copy and paste next content in it:

dir c:\wininet.dll /a h /s > wininet.txt
start notepad wininet.txt


Save it as wininet.bat, choose to save as all files and save it.
Double-click on it. It will open Notepad with some text in it. Please post the contents of it in your next reply.

Edited by miekiemoes, 15 July 2005 - 04:01 PM.


#9 smitfraud problem


Posted 15 July 2005 - 04:14 PM

I know. This is frustrating. Working on it 3-4 hours a day for the last few days. Here are the results. Is this what you were looking for out of the bat file:

Volume in drive C has no label.
Volume Serial Number is 3478-9850

After reboot, when logging in I get the following error on explorer.exe. It happens 2 times right in a row.

The application failed to initialize properly (Oxoooooo5). Click OK to terminate application.

I get a few Service Control Manager errors in the System log after the reboot. not sure if these are helpful:

7001- The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error:
Invalid access to memory location.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

7023- The Network Connections service terminated with the following error:
Invalid access to memory location.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

7009- Timeout (30000 milliseconds) waiting for the ewido security suite guard service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The Cryptographic Services service terminated with the following error:
Invalid access to memory location.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The WebClient service terminated with the following error:
Invalid access to memory location.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

#10 miekiemoes


Posted 15 July 2005 - 04:25 PM

Hmm; I don't get it actually...

According to the results of the batch there is no wininet.dll present on your system??
Or maybe you didn't wait long enough until notepad opened automatically afterwards. Or your OS is not installed on C:\
I also hope you wrote it in notepad and not in wordpad.

Can you edit that wininet.bat?
Rightclick it and choose edit..
Delete the content of it and paste this instead:

dir %systemdrive%\wininet.dll /a h /s > wininet.txt
start notepad wininet.txt


Run it again afterwards and please be patient and wait until notepad opens automatically.

What OS do you have? XP? what service pack?

Also, can you tell me what steps you also performed before? Did you delete some files manually? Because in your first post I see you have been tinkering with win.ini, sys.ini and other apps.

#11 smitfraud problem


Posted 15 July 2005 - 04:52 PM

I did copy the line you sent me to notepad so should be all set there.
I opened the file prematurely.
I can browse right to wininet.dll and uploaded this file directly to the http://virusscan.jotti.org/ site that you gave me.
As far as previous steps go:

I have run killbox several times based on various posts that I have seen.
It detected and deleted a few things off the original run. Here is the list I was working from:
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuser.exe
C:\Windows\zloader.exe
C:\Windows\system32\wp.bmp
C:\Windows\system32\hhk.dll
C:\Windows\system32\wldr.dll
C:\Windows\system32\helper.exe
C:\Windows\system32\intmon.exe
C:\Windows\system32\shnlog.exe
C:\Windows\system32\perfcii.ini
C:\Windows\system32\intmonp.exe
C:\Windows\system32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\system32\ole32vbs.exe
C:\WINDOWS\system32\oleadm.dll
C:\WINDOWS\system32\oleadm32.dll

I ran Hoster but I think my hosts file was not changed prior to this.

I ran the smitfraud reg file.

I followed all the steps found in this article:
http://forums.techguy.org/t375039.html
and followed these to a T:
http://www.bleepingcomputer.com/forums/How...aid-t17258.html
http://forums.techguy.org/archive/t-374465.html

With regards to win.ini and sys.ini,
I added this line in the win.ini file. There was an article to place a ; in front of the run line but the run line was not even in there.
;run=explorer.exe
I added this line to the system.ini file. Again there was no reference to this line before I added it
shell=explorer.exe

Here is the updated bat file log...

Volume in drive C has no label.
Volume Serial Number is 3478-9850

Directory of C:\I386

08/29/2002 06:00 AM 599,040 WININET.DLL
1 File(s) 599,040 bytes

Directory of C:\Program Files\Common Files\Adaptec Shared\System

12/17/2002 02:04 PM 459,024 Wininet.dll
1 File(s) 459,024 bytes

Directory of C:\trojan

07/12/2005 06:08 PM 657,920 wininet.dll
1 File(s) 657,920 bytes

Directory of C:\WINDOWS\$hf_mig$\KB834707\SP2QFE

09/29/2004 02:27 PM 656,896 wininet.dll
1 File(s) 656,896 bytes

Directory of C:\WINDOWS\$hf_mig$\KB867282\SP2QFE

01/27/2005 01:08 PM 657,920 wininet.dll
1 File(s) 657,920 bytes

Directory of C:\WINDOWS\$hf_mig$\KB883939\SP2QFE

05/02/2005 04:57 PM 658,944 wininet.dll
1 File(s) 658,944 bytes

Directory of C:\WINDOWS\$hf_mig$\KB890923\SP2QFE

03/10/2005 03:43 AM 657,920 wininet.dll
1 File(s) 657,920 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/06/2004 06:05 PM 588,288 wininet.dll
1 File(s) 588,288 bytes

Directory of C:\WINDOWS\$NtUninstallKB834707$

08/04/2004 03:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes

Directory of C:\WINDOWS\$NtUninstallKB867282$

09/29/2004 02:47 PM 656,896 wininet.dll
1 File(s) 656,896 bytes

Directory of C:\WINDOWS\$NtUninstallKB883939$

03/10/2005 04:02 AM 656,896 wininet.dll
1 File(s) 656,896 bytes

Directory of C:\WINDOWS\$NtUninstallKB890923$

01/27/2005 01:13 PM 656,896 wininet.dll
1 File(s) 656,896 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 03:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes

Directory of C:\WINDOWS\SYSTEM32

07/12/2005 06:08 PM 657,920 wininet.dll
1 File(s) 657,920 bytes
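Added example, not code from the thread or from the smitRem/FixO tools: a small Python script that parses a `dir /s` listing in the shape shown above and checks whether the live system32 copy of wininet.dll is the same size as one of the copies Windows itself keeps (ServicePackFiles and the $hf_mig$ hotfix folders). The sample listing is constructed from the sizes and dates in the post above, and KNOWN_GOOD_PREFIXES is an assumed list of reference locations; a size match is only a coarse check, so the Jotti hash scan used earlier in the thread remains the stronger test.

```python
import re

# Constructed sample in the shape of the `dir %systemdrive%\wininet.dll /a /s`
# listing pasted in the thread: sizes and dates from that post, blank lines
# trimmed, and only four of the directories kept.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 3478-9850
 Directory of C:\trojan
07/12/2005  06:08 PM           657,920 wininet.dll
               1 File(s)        657,920 bytes
 Directory of C:\WINDOWS\$hf_mig$\KB867282\SP2QFE
01/27/2005  01:08 PM           657,920 wininet.dll
               1 File(s)        657,920 bytes
 Directory of C:\WINDOWS\ServicePackFiles\i386
08/04/2004  03:56 AM           656,384 wininet.dll
               1 File(s)        656,384 bytes
 Directory of C:\WINDOWS\SYSTEM32
07/12/2005  06:08 PM           657,920 wininet.dll
               1 File(s)        657,920 bytes
"""

# Assumed reference locations: copies Windows itself keeps (service pack
# files and hotfix migration folders). A live file whose size matches none
# of them is the one worth hashing and scanning, as the thread does via Jotti.
KNOWN_GOOD_PREFIXES = (r"c:\windows\servicepackfiles\i386", r"c:\windows\$hf_mig$")
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)\s*$")


def parse_dir_listing(text):
    """Return (directory, filename, size_bytes, date) tuples from `dir /s` output."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)          # file lines up to the next header belong here
            continue
        m = FILE_RE.match(line)
        if m and current:
            date, _time, size, name = m.groups()
            entries.append((current, name, int(size.replace(",", "")), date))
    return entries


def check_live_copy(entries, live_dir=r"C:\WINDOWS\SYSTEM32"):
    """Compare the live system32 copy's size against the Windows-kept copies."""
    live = [e for e in entries if e[0].lower() == live_dir.lower()]
    if not live:
        return None                       # nothing in system32: the thread's first worry
    live_size = live[0][2]
    good_sizes = {e[2] for e in entries if e[0].lower().startswith(KNOWN_GOOD_PREFIXES)}
    twins = sorted(e[0] for e in entries if e[2] == live_size and e[0].lower() != live_dir.lower())
    return {"live_size": live_size, "size_matches_windows_copy": live_size in good_sizes,
            "same_size_copies": twins}
```

On the sample data the live copy matches the KB867282 hotfix copy byte for byte in size, which is consistent with the "Not Infected!" result smitRem reported.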

#12 smitfraud problem


Posted 15 July 2005 - 04:55 PM

Oh BTW. Windows XP sp2. I think I am at sp2. Any easy way for me to tell through task manager?

#13 miekiemoes


Posted 15 July 2005 - 05:01 PM

That's where you broke it:

With regards to win.ini and sys.ini,
I added this line in the win.ini file. There was an article to place a ; in front of the run line but the run line was not even in there.
;run=explorer.exe
I added this line to the system.ini file. Again there was no reference to this line before I added it
shell=explorer.exe


I don't have those lines in mine though.

Look in next folder if you have a backup of it:
C:\Windows\pss and restore your original win.ini and system.ini

#14 smitfraud problem


Posted 15 July 2005 - 05:08 PM

I had both and renamed the old...copied in the backups. Going for a reboot now. I just noticed a dir named !Submit and it contains msole32.exe in it. I take it this is from a trojan?

#15 miekiemoes


Posted 15 July 2005 - 05:14 PM

the !submit is from killbox. You may delete that entire folder.

Uuh, I don't really understand what you have done now. You need to restore the ones that are present in your Windows-folder.. replace them with the backups.



