
Smitfraud C Infection


  • This topic is locked
7 replies to this topic

#1 Crotonboy

  • Members
  • 7 posts
Posted 21 January 2007 - 03:39 AM

A few days ago while searching for the best price on a computer, my antivirus program (NOD32) indicated that I was infected by Smitfraud-C. It could not clean or quarantine the file even on a subsequent scan. I did a full scan with Ad-Aware (twice). No luck. I ran Spybot S&D. It found it but could not get rid of it in its entirety. It stated that it could possibly be in memory that was being used and directed me to have it run again by restarting my computer and having it run at startup. It did not remove it. Did this 2 more times. Ran Housecall, Panda Anti Virus, purchased and ran Webroot Spysweeper, and McAfee Stinger. None did the trick. Then I downloaded and ran SmitfraudFix. It did not get rid of it either. Hope someone can help me. Here are my HijackThis logs:

Logfile of HijackThis v1.99.1
Scan saved at 2:11:15 AM, on 1/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interl.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] "C:\Program Files\iolo\System Mechanic 5 Professional\SysMech5.exe" /COMPLETECACHE
O4 - HKCU\..\Run: [iolo Task Agent] "C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://acs.pandasoftware.com
O15 - Trusted Zone: http://activescan.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.es
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F9DED47C-5B9F-4119-BAAF-E772E1BB551E} (HyperSend Agent) - https://www.hypersend.com/img/0/setup/hsc_win.exe
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021} - C:\PROGRA~1\NETEXC~1.0\FlowHook.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINNT\winmon.exe (file missing)

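Triage of a log like the one above is normally done by eye, line by line. The following Python script is an added example from the editor, not code from the thread or from HijackThis: it parses the O4/O9/O20/O23 lines of a HijackThis v1.99-style log into records and applies three conservative reviewer heuristics, flagging an entry whose binary is reported as "(file missing)", a service with "Unknown owner", and a service whose binary sits directly in the Windows directory rather than in a subfolder. The heuristics, the `Entry` record and the embedded sample lines (constructed in the same format as the posted log) are this example's own assumptions; the script only flags lines for a human to look at and does not decide that anything is malware.

```python
"""Reviewer-style triage of HijackThis (v1.99) log lines.

Added example, not part of the original post. The heuristics below are the
editor's own assumptions about what a reviewer would want surfaced first.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the same line format as the posted log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O20 - Winlogon Notify: WRNotifier - C:\\WINNT\\SYSTEM32\\WRLogonNTF.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Program Files\\Eset\\nod32krn.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\\WINNT\\winmon.exe (file missing)
"""

# "O23 - Service: ..." / "O4 - HKLM\..\Run: ..." / "R0 - ..." style lines.
LINE_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
# Assumption: a binary directly under <drive>:\WINNT or <drive>:\WINDOWS
# (not in a subfolder) is unusual for a legitimate service.
WINROOT_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    section: str                 # e.g. "O23"
    text: str                    # everything after "O23 - "
    path: str = ""               # best-effort binary path
    flags: list = field(default_factory=list)


def _binary_path(section: str, text: str) -> str:
    """Best-effort path extraction.

    Assumption: HijackThis separates fields with " - " and puts the path in
    the last field; O4 (Run key) lines carry the command after "[name]".
    """
    if section == "O4":
        m = re.search(r"\]\s*(.*)$", text)
        cmd = (m.group(1) if m else "").strip()
        # Either a quoted path or the first token; drops command-line switches.
        m = re.match(r'"([^"]+)"|(\S+)', cmd)
        return (m.group(1) or m.group(2)) if m else ""
    last = text.rsplit(" - ", 1)[-1]
    return last.replace("(file missing)", "").strip()


def parse_log(text: str) -> list:
    """Return one Entry per O/R/F line; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        entries.append(Entry(section, body, _binary_path(section, body)))
    return entries


def triage(entries: list) -> list:
    """Attach reviewer flags and return only the entries that got one."""
    for e in entries:
        if "(file missing)" in e.text:
            # Registration survives but the binary is gone: worth a look.
            e.flags.append("file missing")
        if e.section == "O23" and " - Unknown owner - " in e.text:
            e.flags.append("unknown owner")
        if e.section == "O23" and WINROOT_RE.match(e.path):
            e.flags.append("service binary directly in the Windows directory")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.section}: {e.text}\n    -> {', '.join(e.flags)}")
```

Run against the sample, the script leaves the NOD32, Webroot and Run-key lines alone and surfaces the BitDefender uninstall button (binary missing, which is benign leftover from the online scanner) and the "Windows Process Moniter" service, which trips all three rules. Whether a flagged line is a scanner leftover or a persistence remnant is still the reviewer's call; the point of the heuristics is to make that line the first one read.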


#2 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Location:TN USA

Posted 23 January 2007 - 11:04 AM

Hi Crotonboy,

I am sorry to tell you that there is a bot worm on your computer. :thumbsup:

A bot worm is a program that is installed without your knowledge and enables a hacker, sitting at another computer perhaps thousands of miles away, to control your computer so that it does what he wants -- it becomes his "bot."

Bots can be used to launch denial-of-service attacks (This is where hundreds of bots simultaneously bombard a website with requests for information, overwhelming its capacity to respond and, thereby, shutting it down) and for other sorts of mischief. The bot can also do mass spam mailing, download files to the computer, or upload files and data, including passwords and other private information.

For these reasons it is very important that, starting immediately, this machine be kept off the internet and physically disconnected from any network it may be part of.

If you use or have used this computer for online banking or shopping or for accessing or storing personal information such as school records, then you need to take steps to protect your information that may have been compromised. I recommend these steps for action:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

This is something I don't like to recommend normally, but with a computer this badly infected, the best solution for your safety would be to reformat the hard drive and reinstall Windows.

Please read the following link very carefully:

When Should I Format, How Should I Reinstall

Here are some more links to help you decide:


Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx


Only you can make this decision, you know the uses this computer has been put to. But please consider carefully before deciding against a reformat. If you do make that decision I will do my best to help you disinfect it, but you must understand that once a machine has been taken over by this type of malware, it can never be declared clean.

If you choose to format and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html

Please let me know whatever decision you make.

Dave

Edit: if you are hesitating about whether to reformat, at least go online from a clean computer and change all your passwords immediately. Then follow through with the other steps in the "How do I handle possible identity theft" article.

Edited by DaveM59, 23 January 2007 - 01:08 PM.


#3 Crotonboy
  • Topic Starter

Posted 27 January 2007 - 12:24 AM

Thanks for your help, Dave. I think I will reformat my hard drive and do a clean reinstall.

#4 DaveM59

Posted 27 January 2007 - 08:00 AM

Hi again Crotonboy,

Thanks for getting back to me.

If you want to read more about your infection, there is a good write-up here.

Notice the last paragraph of the article:

It executes these commands locally on an affected system, providing the remote user virtual control over the machine.


That means there's no way of telling how many other alterations to the system may have been made. Which in turn means there's no way of being sure it is secure again.

I think you have made a prudent decision.

I will leave this topic open for a while. If you have questions about the reinstall process I'll be glad to answer them, or if I can't, I'll call on some of the Windows experts here to fill in the gaps in my knowledge.

Dave

#5 Crotonboy
  • Topic Starter

Posted 27 January 2007 - 12:16 PM

Dave,

I am grateful for all the advice you have given me.

I plan on doing the reformat and reinstall this weekend. I have one big concern. A local company provides the wireless signal, which I pick up with an antenna attached to my house. It connects to an Orinoco WiFi card that is connected to a USB cable that connects to my computer (this is probably more explanation than is necessary, but I just want to be clear). My concern is: how will I get reconnected to the internet without the program and drivers that allow me to do so? This may be a question that is out of your area of expertise, but I would appreciate any help or direction you could provide.

Tom

#6 DaveM59

Posted 27 January 2007 - 02:09 PM

Hi Tom,

The only advice I can give on this question is, make sure you have all your drivers and other essential software on disks before you begin, IOW download that stuff now and burn it to a CD.

Frankly I'm kind of surprised that you didn't get a driver disk with your Orinoco WiFi card. Or maybe I just don't understand how your internet connection is set up. The connection software from the company I'm sure would be available for download. Call your ISP and ask if you can't find all the necessary software available for download from their website. Tell them you're going to do a clean install of Windows. They should also be able to tell you what default Windows settings need to be changed in order to use their service.

Re: drivers, they can be installed in just about any order, with one exception. Always install the chipset (motherboard) drivers as soon as your basic Windows installation is done. I prefer to do graphics right after that because the 800x600 default Windows driver looks awful on my screen. Obviously Windows Update needs to be one of the first sites you visit once your internet connection is established, along with the update sites for your antivirus and antispyware software.

Edit: this is not very clear. My preferred order is: first the chipset (this includes IDE drivers), then the graphics, then other devices (audio, USB, etc.).

Frankly I don't know what the procedure would be if you have bought a commercial product like SpySweeper and downloaded it, rather than buying a disk in a store. I would think there must be a license number you could use when you reinstall it, so that you could update it immediately without having to re-register.

Hope this helps. If you have more questions, just ask.

Dave

Edited by DaveM59, 27 January 2007 - 05:40 PM.


#7 DaveM59

Posted 11 February 2007 - 10:48 AM

Hi Tom, just wondering how you made out with the re-install.

#8 DaveM59

Posted 18 February 2007 - 09:59 AM

Due to lack of feedback, this topic is now closed. If you want it re-opened, please PM me and put the url in your request.

This applies to the original poster only. Everyone else please start a new topic.
