PDA

View Full Version : Smitfraud-C.Toolbar888



simonek
2007-01-17, 01:07
Hello,
Everytime I use Spybot it is showing the Smitfraud-C.Toolbar888 malware. Tried to use ProcesExplorer but with no results - it was difficult to find out which .dll should be killed.
I am posting the log from e-trus virus scaneer. When tried Panda my antuvirus program(AVAST) blocked the download of ActiveX copmponents due to some Trojans found.

ETRUST ANTYVIRUS scanner
java.jar-5d45dd39-656b42aa.zip>NewSecurityClassLoader.class Java/ByteVerify!exploit infected C:\Documents and Settings\User\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\jar\
java.jar-5d45dd39-656b42aa.zip>NewURLClassLoader.class Java/ByteVerify!exploit infected C:\Documents and Settings\User\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\jar\
loaderadv588.jar-2915a3cc-62634006.zip Java/Shinwow.W infected, no cure C:\Documents and Settings\User\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\jar\
loaderadv588.jar-2915a3cc-62634006.zip>Matrix.class Java/Shinwow.W infected C:\Documents and Settings\User\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\jar\
loaderadv588.jar-2915a3cc-62634006.zip>Dummy.class Java/ByteVerify!exploit infected C:\Documents and Settings\User\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\jar\
patcher.exe Win32/Istbar.CA infected C:\Program Files\
serial.zip>patcher.exe Win32/Istbar.CA infected C:\Program Files\
secure32[1].htm HTML/Startpage.TH infected C:\RECYCLER\S-1-5-21-220523388-606747145-1801674531-1003\Dd12\
fvsluefbyl[1].txt Win32/Anserin!generic infected C:\RECYCLER\S-1-5-21-220523388-606747145-1801674531-1003\Dd26\
patcher.exe Win32/Istbar.CA infected C:\WINDOWS\
loaderadv544.jar-6b5b560a-2001affc.zip Java/Shinwow.W infected E:\Documents and Settings\User\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\jar\
loaderadv544.jar-6b5b560a-2001affc.zip>Matrix.class Java/Shinwow.W infected E:\Documents and Settings\User\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\jar\
FirstApplet.class-2cfbd5bd-6398ac01.class Java/ByteVerify!exploit infected E:\Documents and Settings\User\Dane aplikacji\Sun\Java\Deployment\cache\javapi\v1.0\file\

And the logs from the HIJACKTHIS log:
Logfile of HijackThis v1.99.1
Scan saved at 00:05:26, on 2007-01-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\atividx.exe
C:\WINDOWS\system32\ipsuequd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vssmnptc.exe
C:\WINDOWS\system32\sdmvdlxe.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\mmcvwli.exe
C:\WINDOWS\system32\bsmvvgo.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.spy-sheriff.com/?advid=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P ] C:\WINDOWS\system32\0106.exe
O4 - HKLM\..\Run: [012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678912345678] C:\Program Files\user32.exe
O4 - HKLM\..\Run: [Ati Display Settings] C:\WINDOWS\system32\atividx.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [lmjvservc] ipsuequd.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\jplgodea.dll",setvm
O4 - HKLM\..\RunServices: [Ati Display Settings] C:\WINDOWS\system32\atividx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cwingllib] C:\WINDOWS\system32\atllsimm.exe
O4 - HKCU\..\Run: [ymmsddlop] C:\WINDOWS\system32\vssmnptc.exe
O4 - HKCU\..\Run: [jmlcv4m] C:\WINDOWS\system32\sdmvdlxe.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [mdwinllm3] C:\WINDOWS\system32\mmcvwli.exe
O4 - HKCU\..\Run: [llsymvb] C:\WINDOWS\system32\bsmvvgo.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {826287F8-454E-11D9-ADFE-00062919A34C} (ActiveXUploadFotoCom.UserCtrlFotoCom) - http://express.foto.com/activeX/newUploadFotoCom.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Can you help me can be done to remove it from my machine ?
Thanks
Simon

Angelfire777
2007-01-17, 14:33
Hi, welcome to Safer Networking forums!

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

tashi
2007-01-24, 21:07
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.