Another Smitfraud-C.toolbar888 problem



BreakdownConspiracy
2007-05-09, 06:31
Hey all,
I haven't had trouble with my PC, because it's not on the internet much.
But now it has some Smitfraud-C.toolbar888 spyware on it. And I keep removing it with Spybot but alas it keeps returning. The initial spyware itself is just constantly opening up IE6 or Firefox 2 and directing me to some WinAntivirus 2007 rubbish. And yes, my PC is not currently on the internet, so what I keep getting is a "work offline, or try again" prompt. Now I've been reading some of these other posts to see if they could help, and I've also attached my log from my latest Spybot scan, and my HijackThis scan.
Cheers :eek:

PS: I have AVGFree 7.5, Spybot 1.4, and HijackThis, version I can't remember.

Log's are

tashi
2007-05-09, 07:54
Hello.

Please see the procedure for this forum: "BEFORE you POST" Mandatory Steps Before Requesting Assistance (http://forums.spybot.info/showthread.php?t=288)

Copy the information requested into this topic, and a helper will advise you when available.

Regards.

BreakdownConspiracy
2007-05-09, 12:52
OK, now when I go into safe mode it won't let me see anything on the desktop, but I can still do ALT CTRL DEL and then run something like Spybot or AVG.

OK, here's my hijack log:



Logfile of HijackThis v1.99.1
Scan saved at 12:52:30 p.m., on 9/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\wmplayer.exe
D:\Junk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\kxttuelf.dll",realset
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D7A194C-DC2E-4D07-A211-5C5A2E83992A}: NameServer = 10.1.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D7A194C-DC2E-4D07-A211-5C5A2E83992A}: NameServer = 10.1.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3D7A194C-DC2E-4D07-A211-5C5A2E83992A}: NameServer = 10.1.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


I'm not a big n00b but I need some direction :P
Let me know what I need next.
Cheers

pskelley
2007-05-19, 03:25
Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

The administrator posted the links for you to read and follow, since I see no required antivirus scan, I must assume you did not.

If your issues are not resolved, this appears to be a Vundo infection, which is tough to remove; here is what I need you to do.

1) http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\ <<< update your Java program, download the newest version and uninstall all old versions in Add/Remove Programs.

2) You are running MSConfig in Selective Startup mode, return it to Normal mode for the duration of the repair, you can return to SS mode to save your resources when we are finished.

3) D:\Junk\HijackThis.exe <<< HJT needs to run from a drive, move it to C:\HJT\HijackThis.exe. Once there, point the mouse at the .exe, right-click, then choose Rename. Call it BreakdownConspiracy.exe or whatever you wish.

4) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Restart the computer and post the uninstall list and a new HJT log.

Thanks

tashi
2007-05-26, 08:21
This topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.