
Smitfraud (possible Variant) Trouble, Need Help!


  • This topic is locked
4 replies to this topic

#1 -Shadow-

  • Members
  • 3 posts

Posted 06 January 2007 - 02:37 AM

Hey guys, my PC's been on the fritz and I need some serious help with it. Appears to be Smitfraud or something similar, but it won't go away. I'm getting "Spyware Detected!" popups in my toolbar, Mozilla popup tabs to "antispyware" sites, and also, there is a program with a message that pops up for a split second, and then attempts to dial the internal modem, but with no luck (it's not plugged in) - the message that pops up is in Spanish, but other than that I know nothing of it. Unable to get a screenshot, but hopefully someone out there knows what I'm talking about.

I'm using Killbox, HJT, Spybot S&D, SmitFraudFix, Ad-Aware SE Personal, and running Norton Antivirus / Internet Security as my standard antivirus program.

---HIJACK THIS LOG---
Logfile of HijackThis v1.99.1
Scan saved at 6:17:10 PM, on 6/01/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\{90E41656-095F-1033-0220-031106200001}\Update.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\RACLE~1\nopdb.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {09DD1AA1-8B6B-8A9B-6B84-85AD0B0DE6E0} - C:\WINDOWS\System32\rzdtn.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30E41~2\Bar888.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\joxenuwy.dll",setvm
O4 - HKLM\..\Run: [{90E41656-095F-1033-0220-031106200001}] "C:\Program Files\Common Files\{90E41656-095F-1033-0220-031106200001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{90E41656-0960-1033-0220-03110620003d}] "C:\Program Files\Common Files\{90E41656-0960-1033-0220-03110620003d}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [{90E41656-095F-1033-0220-03110620003d}] "C:\Program Files\Common Files\{90E41656-095F-1033-0220-03110620003d}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvpan.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Ohct] "C:\PROGRA~1\SMBOLS~1\lsass.exe" -vt yazb
O4 - HKCU\..\Run: [Hcar] "C:\PROGRA~1\COMMON~1\RACLE~1\nopdb.exe" -vt yazb
O4 - HKCU\..\Run: [Icdbuua] C:\Documents and Settings\Administrator\Application Data\??pPatch\??ool32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


---SMITFRAUDFIX LOG---
SmitFraudFix v2.120

Scan done at 18:22:15.12, Sat 06/01/2007
Run from C:\Documents and Settings\Administrator\Desktop\PC Security\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINDOWS

C:\WINDOWS\svchost.exe FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\svchosts.exe FOUND !
C:\WINDOWS\system32\drvpan.dll FOUND !

C:\Documents and Settings\Administrator


C:\Documents and Settings\Administrator\Application Data


Start Menu


C:\DOCUME~1\ADMINI~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End
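A way to make the helpers' reading of a log like this mechanical, as an added example that is not part of the thread and not a BleepingComputer, HijackThis or SmitFraudFix tool: the script below applies the checks a helper does by eye (a Windows system binary such as svchost.exe or lsass.exe running outside its real directory, an unnamed URLSearchHook, rundll32 autostarts pointing at System32 DLLs, Run entries named by a bare GUID, and paths HijackThis could not render) to a constructed subset of the log above. The canonical directories, the HIGH/REVIEW labels and the regular expressions are this example's own assumptions, not anything HijackThis documents.

```python
"""Triage a HijackThis log for Smitfraud-style indicators.

Added example for this thread; not part of the original post and not a
BleepingComputer, HijackThis or SmitFraudFix tool.  The sample lines are
copied from the first post; the heuristics and the HIGH/REVIEW labels are
this example's own convention.
"""
import ntpath
import re

# Where Windows XP keeps these binaries (assumed canonical locations).  A copy anywhere
# else (C:\WINDOWS\svchost.exe, C:\PROGRA~1\SMBOLS~1\lsass.exe) is a name chosen to blend
# into the process list.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,', re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# First executable on a command line, quoted or not (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|com|scr|bat|dll))"?(?:\s|,|$)', re.IGNORECASE)

# Constructed sample: a subset of the HijackThis log lines from the first post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\explorer.exe

R3 - URLSearchHook: (no name) - {09DD1AA1-8B6B-8A9B-6B84-85AD0B0DE6E0} - C:\WINDOWS\System32\rzdtn.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\joxenuwy.dll",setvm
O4 - HKLM\..\Run: [{90E41656-095F-1033-0220-031106200001}] "C:\Program Files\Common Files\{90E41656-095F-1033-0220-031106200001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvpan.dll,startup
O4 - HKCU\..\Run: [Ohct] "C:\PROGRA~1\SMBOLS~1\lsass.exe" -vt yazb
O4 - HKCU\..\Run: [Icdbuua] C:\Documents and Settings\Administrator\Application Data\??pPatch\??ool32.exe
"""


def first_path(cmd):
    """Return the executable a Run-key command line starts."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split(" ", 1)[0]


def check_path(path, where, findings):
    """Flag a path a Windows system binary should not run from, or one that cannot be typed."""
    low = path.strip().lower()
    base, directory = ntpath.basename(low), ntpath.dirname(low)
    if "?" in low:
        # '?' is not a legal character in a Windows file name, so it is HijackThis failing to
        # render characters outside the system code page: the real name cannot be typed.
        findings.append(("HIGH", where, f"unrenderable characters in path: {path}"))
    expected = SYSTEM_BINARIES.get(base)
    if expected and directory != expected:
        findings.append(("HIGH", where, f"{base} from {directory or '(no directory)'}, expected {expected}"))


def triage(log_text):
    """Walk the log once and return (severity, section, message) tuples."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line ends the process list
            continue
        if line == "Running processes:":
            section = "procs"
            continue
        if section == "procs":
            check_path(line, "process", findings)
            continue
        m = R3_RE.match(line)
        if m:
            if m.group("name") == "(no name)":
                findings.append(("HIGH", "R3", f"unnamed URLSearchHook loading {m.group('path')}"))
            check_path(m.group("path"), "R3", findings)
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if GUID_RE.match(name):
                findings.append(("REVIEW", "O4", f"Run entry named by a bare GUID: {name} -> {cmd}"))
            r = RUNDLL_RE.search(cmd)
            if r:
                # Legitimate vendors also autostart through rundll32, so this is review-only.
                findings.append(("REVIEW", "O4", f"rundll32 autostart loading {r.group('dll')} ({name})"))
                check_path(r.group("dll"), "O4", findings)
            else:
                check_path(first_path(cmd), f"O4 [{name}]", findings)
    return findings


if __name__ == "__main__":
    for severity, where, msg in triage(SAMPLE_LOG):
        print(f"{severity:6} {where:14} {msg}")
```

Run as-is it reports seven findings from the sample (four HIGH, three REVIEW); for a full log, call `triage(open(path).read())`. The REVIEW entries are not proof of infection on their own, since legitimate vendors also start DLLs through rundll32; they mark what to look at next.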


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 January 2007 - 08:28 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

You've got some nastiness in your log, but we've got a bigger problem. There really is no way to secure your computer without first patching and updating Windows to close numerous security holes in your current system. Please visit Windows Update and install Service Pack 1.

http://windowsupdate.microsoft.com/

Once you have done that, please post a fresh hijackthis log back here as a reply in this thread.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 -Shadow-
  • Topic Starter

  • Members
  • 3 posts

Posted 19 January 2007 - 04:16 AM

I'm back, terribly sorry about the large amount of time - been busy at work recently.

I was able to download the SP1 from Microsoft, however it will not install because my product key is already being used? So it looks like I'm unable to install SP1 or any further upgrades :thumbsup:.

Recommended course of action? I haven't taken a fresh HJT log because I haven't done anything yet... what's the next step?

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 January 2007 - 06:44 AM

This day and age your options are quite limited. You can disconnect the computer from the internet completely and just use it offline. Or you can purchase a legal copy of Windows and install the necessary updates. Without the security patches for Windows you'll inevitably become reinfected, in just minutes of being online by some estimates.

#5 -Shadow-
  • Topic Starter

  • Members
  • 3 posts

Posted 19 January 2007 - 09:14 AM

Looks like Windows is due for an upgrade then, thanks for the advice - well taken. I'll do a fresh install of a legit copy and I'll be back after installing SP1+2. Thanks, Buckeye_Sam.



