Trojan-Spy.HTML.Smitfraund.c

dttri (asker):

Hi,
My computer was infected with this virus/trojan. I have used Ad-aware, Spybot and AVG in Normal Mode and Safe Mode to destroy it, but no help. This is my HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:15:09 PM, on 5/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
E:\AMP\Apache\Apache2\bin\Apache.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
E:\AMP\Apache\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\AMP\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\system32\RunDll32.exe
E:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
E:\Program Files\Java\jre1.5.0\bin\jusched.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\ISS\BlackICE\blackice.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINNT\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\AMP\Apache\Apache2\bin\ApacheMonitor.exe
E:\AMP\mysql\bin\winmysqladmin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\mspaint.exe
D:\Security\Tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - E:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] E:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: WinMySQLadmin.lnk = E:\AMP\mysql\bin\winmysqladmin.exe
O4 - Global Startup: BlackICE PC Protection.lnk = E:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: SnapDetect.lnk = C:\WINNT\Twain_32\CA561A\SnapDetect.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Monitor Apache Servers.lnk = E:\AMP\Apache\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Download All by FlashGet - E:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {A431858B-C3BC-4744-A770-FB152EBAB482} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A431858B-C3BC-4744-A770-FB152EBAB482} - (no file) (HKCU)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\Program Files\MDT6\InstFred.ocx
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\Program Files\MDT6\AcPreview.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: Apache2 - Unknown owner - E:\AMP\Apache\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - E:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - E:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: MySql - Unknown owner - E:/AMP/mysql/bin/mysqld-nt.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - E:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

In the system tray there is a red X icon; when I click it, it opens my browser and points to this page:
http://antispy.newgenlook.info/inde...777&said=ad0179

Thanks very much!
r-k:

Hi,

For the future, it is more useful if you run the logfile through the on-line analysis at:

 http://www.hijackthis.de/

and just post a link to the analyzed file.

I ran your file through, and the results are at:

http://www.hijackthis.de/logfiles/982832b2b0daf3f732a93d9bddae51e8.html

It really shows only one bad entry:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/

which you should be able to fix directly in Hijackthis or by editing the registry.
dttri (asker):

Thank you,
I have tried what you said already, but no help.
My desktop was flooded with new shortcuts created automatically (I delete them, but after a while they appear again).

Fix also ALL the O16 and O18 entries.

But I think this may be the culprit:

C:\WINNT\System32\mspaint.exe

Try renaming that file, scan with HJT, do the fixes and reboot.

Zee
And, the following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
(Description: SiS Keyboard Daemon. Unnecessary program. Removing it will free up a small amount of resources. This program also contributes to Windows crashing on certain computers.)

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
(Description: CMedia audio card system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0\bin\jusched.exe
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
(Description: WinZip system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)

Zee

Have you tried this registry patch?

http://www.bleepingcomputer.com/files/reg/smitfraud.reg

Double-click it to merge, or right-click it and select Merge.

As suggested somewhere else.

Zee
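As an added example (not code from the thread, from HijackThis or from hijackthis.de), the Python script below applies the triage r-k and Zee describe to an excerpt of the log posted above: it flags the R0 start-page entry when the URL's host is not on an allow-list, every O16 (DPF) entry and every O18 "Filter hijack" entry, and any entry whose target file is reported missing. It then emits the .reg text that overwrites the hijacked R0 value, which is all that fixing the entry in HijackThis or merging a .reg patch does. The trusted-host list and the log excerpt are constructed for this example.

```python
"""Triage a HijackThis log and build the .reg fix for a hijacked IE start page.

Added example for this thread, not code from HijackThis, hijackthis.de or the
posters. The trusted-host allow-list and the sample log excerpt are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# HijackThis abbreviates hives; .reg files need the long names.
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}

# Constructed allow-list (assumption): hosts a start or search page may point at.
TRUSTED_START_HOSTS = {"www.microsoft.com", "home.microsoft.com", "www.msn.com"}

# R0/R1 lines look like: "R0 - HKCU\Software\...\Main,Start Page = http://..."
R_ENTRY = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")

# Constructed excerpt of the log posted in the thread (raw string keeps the backslashes).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A431858B-C3BC-4744-A770-FB152EBAB482} - (no file) (HKCU)
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: Apache2 - Unknown owner - E:\AMP\Apache\Apache2\bin\Apache.exe" -k runservice (file missing)
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "R0", "O16"
    reason: str
    line: str


def url_host(url):
    """Hostname of a URL, or '' for about:blank and other scheme-only values."""
    return urlparse(url.strip()).hostname or ""


def triage(log_text):
    """Return the log entries a reviewer should look at, with a one-line reason each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        # Orphaned entries: the registry still points at a file that is gone.
        # Caveat: HijackThis 1.99 also prints "(file missing)" for service
        # ImagePaths it could not unquote (see the Apache2 line), so confirm by hand.
        if "(no file)" in line or "(file missing)" in line:
            findings.append(Finding(section, "references a missing file; confirm, then fix", line))
            continue
        m = R_ENTRY.match(line)
        if m:
            url = m.group(5)
            host = url_host(url)
            if url.lower() != "about:blank" and host not in TRUSTED_START_HOSTS:
                findings.append(Finding(section, f"start/search page set to untrusted host {host!r}", line))
        elif section == "O16":
            findings.append(Finding(section, "downloaded ActiveX control (DPF); remove unless installed on purpose", line))
        elif line.startswith("O18 - Filter hijack:"):
            findings.append(Finding(section, "MIME filter replaced; verify the DLL or fix", line))
    return findings


def reg_reset_for(entry_line, new_value="about:blank"):
    """Build .reg text that overwrites the value named in an R0/R1 line.

    Merging it (double-click, or `reg import fix.reg`) does what fixing the entry
    in HijackThis does: it rewrites one registry value. A still-running dropper
    will set the hijack again, so merge it only after the resident component is gone.
    """
    m = R_ENTRY.match(entry_line.strip())
    if not m:
        raise ValueError("not an R0/R1 entry: " + entry_line)
    _, hive, key, name, _ = m.groups()
    escaped = new_value.replace("\\", "\\\\").replace('"', '\\"')
    return (
        "Windows Registry Editor Version 5.00\r\n"
        "\r\n"
        f"[{HIVES.get(hive, hive)}\\{key}]\r\n"
        f'"{name}"="{escaped}"\r\n'
    )


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    print(reg_reset_for(SAMPLE_LOG.strip().splitlines()[0]))
```

Run against the excerpt, the script reports five entries (the R0 hijack, the orphaned O9 button, the O16 control, the O18 filter hijack and the O23 service line, the last needing manual confirmation because of the quoting quirk) and prints a four-line .reg file for HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. Note that this matches what the asker saw: rewriting the value is cosmetic while whatever recreates the desktop shortcuts is still running, so the .reg merge belongs after the persistence is removed, not before.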
blue_zee (accepted solution):

Adware Away claims to clean it:

http://www.adwareaway.com/desktophijacker.htm

It's true this software cleans up really nasty malware like about:blank that others struggle with.

The trial version is usually fully active for some sessions:

http://www.adwareaway.com/download/AdwareAway.exe

Follow the simple instructions.

Good luck.

Zee
dttri (asker):

Thank you very much Zee,
I will post back soon. :-)
dttri (asker):

Thank you experts!
I have tried Kaspersky (http://www.kaspersky.com/trials?chapter=146481750) and after two restarts, the spyware is gone!
To blue_zee: I haven't tried AdwareAway yet. But if I get infected again, I will try it :-). Just joking.
Thank you for your help

PS: I am posting a link that helped me so much in destroying this spyware, so that anyone can use it if their computer is infected:
http://www.wilderssecurity.com/showthread.php?p=434918

Glad you're out of trouble, for the moment!
;-) j/k

You can get a refund by posting a 0-point question here:

https://www.experts-exchange.com/Community_Support/

informing them that you answered the question yourself.

Don't forget to include a link to this question.

Cheers,

Zee

You should have asked for a refund...

You were posting in so many forums that you now feel great for solving the problem, but you did find the answer yourself.

Thanks,

Zee

dttri (asker):

Hi blue_zee,
I think the support that you gave me is very good, so the points for you are all right.

Cheers,