Smitfraud-c/win32.agent And Maybe Something Else


This topic is locked
6 replies to this topic

#1 AmandaT

Posted 03 June 2007 - 09:32 PM

The computer I'm messing with was reformatted within the last week due to a virus my boyfriend got trying to download a game (he's bought it and lost it twice already). We reinstalled the drivers and it seemed fine.
The first thing I noticed was that Google search was giving odd results. We compared the results to other computers, and even copied the address of the "normal" results to the "broken" computer, and got the same weird results. The address was definitely google, but the results were weird.
I've been getting tons of pop ups for "anti-virus" software and it keeps trying to install. I was getting a lot of dings that sound like error messages, but no dialogue boxes. The windows on the task bar flash every once in a while for no apparent reason. Adobe tried to start a few times and gave me an error message. There was also a red circle with an exclamation I believe in the task bar earlier with a balloon telling me I need anti-virus. I seem to have gotten rid of that, but there's still a lot coming up on the scans.

I have run Ad-Aware many times in normal and safe mode. I just ran Housecall, Active Scan, and Spybot S&D. Each comes up with its own set of problems every time.
I just ran Stinger again and it didn't find anything.


Would a reformat get rid of this? If so, I'll do that since there's nothing important on the computer yet.
Also, what firewalls/antivirus programs would be good to use? If it slows down the computer much it will probably just get deleted, but this computer obviously needs something.


Logfile of HijackThis v1.99.1
Scan saved at 6:49:03 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\James\My Documents\My Music\iTunesHelper.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Documents and Settings\All Users\Application Data\upalgfmj.exe
C:\DOCUME~1\James\MYDOCU~1\YMBOLS~1\explorer.exe
C:\Program Files\Common Files\?ssembly\l?ass.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\retadpu1000272.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\system32\wuauclt.exe
E:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\James\My Documents\My Music\iTunesHelper.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\tabhlcho.dll",realset
O4 - HKLM\..\Run: [upalgfmj.exe] C:\Documents and Settings\All Users\Application Data\upalgfmj.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzum.dll,startup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Orsl] "C:\DOCUME~1\James\MYDOCU~1\YMBOLS~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Lhdgurd] "C:\Program Files\Common Files\?ssembly\l?ass.exe"
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52B38C21-E376-4E4D-97F5-6246D4CF5B8E}: NameServer = 194.54.90.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{929FDFF8-8209-4F05-93BF-568BBE1D8B31}: NameServer = 194.54.90.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{A537FB9B-F0DC-4AED-9CDA-FA09EB7B26D0}: NameServer = 194.54.90.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCECA2D6-60C4-4CF4-AACB-42F6FA44934B}: NameServer = 194.54.90.238
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

Edited by AmandaT, 04 June 2007 - 12:45 AM.
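The checks a malware responder applies by eye to the log above can be written down. The following triage script is an added example, not part of the thread and not a HijackThis feature: it flags O4 autostart entries that run from a profile or data directory, paths that HijackThis printed with a "?" (an illegal filename character, so the real name contains a non-ASCII lookalike, as in `?ssembly\l?ass.exe` standing in for `Assembly\lsass.exe`), system binary names started from outside C:\WINDOWS, and O17 NameServer lines that point anywhere but the expected resolver, which would account for the "wrong Google results" symptom described in the post. The expected DNS address is an assumed, constructed value.

```python
import re

# O4 (autostart) and O17 (DNS server) lines copied from the HijackThis log
# posted above; the Synaptics entry is a known-good control.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [upalgfmj.exe] C:\Documents and Settings\All Users\Application Data\upalgfmj.exe
O4 - HKCU\..\Run: [Orsl] "C:\DOCUME~1\James\MYDOCU~1\YMBOLS~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Lhdgurd] "C:\Program Files\Common Files\?ssembly\l?ass.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{52B38C21-E376-4E4D-97F5-6246D4CF5B8E}: NameServer = 194.54.90.238
"""

# Directories (lower-cased) from which legitimate autostart programs normally run.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
# Windows binaries that malware likes to impersonate by name; they belong under C:\WINDOWS.
SYSTEM_NAMES = {"explorer.exe", "lsass.exe", "svchost.exe", "smss.exe", "winlogon.exe"}
# Assumption (constructed value): the resolver the ISP or home router actually hands out.
EXPECTED_DNS = {"192.168.1.1"}

O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] "?(?P<path>.+?\.exe)"?')
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ip>[\d.,]+)")


def audit_line(line):
    """Return the list of reasons one HijackThis line looks suspicious ([] if clean)."""
    findings = []
    m = O4_RE.match(line)
    if m:
        path = m.group("path")
        low = path.lower()
        exe = low.rsplit("\\", 1)[-1]
        # '?' cannot occur in a Windows file name, so HijackThis printed it in
        # place of a non-ASCII character: a lookalike of "Assembly\lsass.exe".
        if "?" in path:
            findings.append("lookalike (non-ASCII) character in path")
        if not low.startswith(TRUSTED_DIRS):
            findings.append("autostart from a profile or data directory")
        if exe in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
            findings.append(f"{exe} started from outside C:\\WINDOWS")
        return findings
    m = O17_RE.match(line)
    if m:
        for ip in m.group("ip").split(","):
            if ip not in EXPECTED_DNS:
                findings.append(f"DNS server {ip} is not the expected resolver")
    return findings


def audit_log(text):
    """Map each suspicious line to its findings; clean lines are left out."""
    return {ln: audit_line(ln) for ln in text.splitlines() if audit_line(ln)}


if __name__ == "__main__":
    for line, reasons in audit_log(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```

Path heuristics like these are a triage aid only: the log also shows malware sitting directly in C:\WINDOWS (retadpu1000272.exe, a second svchost.exe), which only a file-level check would catch.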



#2 miekiemoes
Malware Response Team

Posted 04 June 2007 - 02:09 AM

Hi,

Would a reformat get rid of this? If so, I'll do that since there's nothing important on the computer yet.


Yes, since you reformatted just one week ago. This is because this computer is terribly infected again.
This is due to the fact that your boyfriend doesn't have any Antivirus and Firewall present and is most probably browsing illegal sites (cracksites) or using p2p programs and getting pirated software, where you always get infected.

So the decision is yours: either I'll help you clean this up (keep in mind that this will take a while and damage may still be present), or just go ahead and reformat.
Just let me know.
Look in my signature below under Antivirus and Firewalls for the ones I recommend. For example, Avira is a great free Antivirus and Comodo is a great free Firewall.

If it slows down the computer much it will probably just get deleted

Malware slows down the computer even more, damages and collects personal info. So the choice can't be that hard.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 AmandaT

Posted 04 June 2007 - 01:15 PM

Ok, so I'll reformat. I'm just not sure if this is something that survived the first reformat. I know he downloaded Hamachi because his brother (who knows computers a bit) told him to, and his brother sent him some stuff through that. Everything else on the computer is completely legit (like iTunes, etc.).
So after I reformat, is there anything I should run to make sure it's clean?

#4 miekiemoes
Malware Response Team

Posted 04 June 2007 - 01:29 PM

Hi,

I'm just not sure if this is something that survived the first reformat

No, that's not possible. A format will erase all data, including malware.
As I said previously, he got reinfected again because he wasn't protected (no Antivirus, no Firewall and no updated/fully patched Windows).

and his brother sent him some stuff through that

That could be anything: pirated software, cracks, etc., while his brother wasn't aware of the fact that they contained malware.

Anyway, keep in mind, during format and reinstall, make sure that the internet connection is unplugged. This means unplugging the Internet cable, or whatever connects this computer to the internet.
The reason I am telling you this is that when the Internet connection is active after reinstall and there's no firewall or Antivirus installed yet, you can get infected immediately.
So, burn the installer for an Antivirus and Firewall onto CD or a flash drive, then unplug from the internet and leave it unplugged, then format and reinstall, then install Antivirus and Firewall, then connect with the internet and then immediately go to Windows update to install all updates.
Then you are safe again... unless questionable sites are visited, because you'll always get infected in such cases, even with the best Antivirus and Firewall present.

Also let him read this page:

How to prevent malware, with lots of info and tips on how to prevent this in the future.

Edited by miekiemoes, 04 June 2007 - 01:30 PM.


#5 AmandaT

Posted 05 June 2007 - 02:51 PM

Thanks. I reformatted last night and things look good so far. I got a full copy of AVG from his mom, so it has antivirus, antispyware, firewall, etc. Everything is updated and looks good. Thanks for the help.

#6 miekiemoes
Malware Response Team

Posted 05 June 2007 - 02:58 PM

You're welcome. That's the best you could do since you formatted last week and nothing much besides malware was installed :thumbsup:

#7 miekiemoes
Malware Response Team

Posted 08 June 2007 - 01:48 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.