PDA

View Full Version : Infected with Smitfraud.C.gp Virus, I can't clean it



jmup-
2008-10-16, 18:29
Hi, my work laptop has been infected with Smitfraud.c.gp according to spybot. Ad-Aware and McAffee VirusScan both do not detect a problem. Spybot can't clean the virus, neither in regular nor safe mode. After doing some searching I found a program called Smitfraudfix, and I ran it in safe mode unsuccessfully. Spybot still shows I have a problem.

My computer is my work laptop, and has a whole host of programs working in the background for vpn and automatic updates or whatever. I am ashamed to not know 100% what programs are normal and which are not. The company I work for is Rogers, so thats what all those trusted zones and stuff are about.

Anyway, here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:21 AM, on 10/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ixia\licensing\lmgrd.exe
C:\Program Files\Ixia\licensing\noded.exe
C:\Program Files\Ixia\licensing\lmgrd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Ixia\licensing\ixialm.exe
C:\Program Files\Ixia\IxAdmin\bin\IxAdminAgent.exe
C:\Program Files\Ixia\hwmanager\HwMgrService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Ixia\hwmanager\hwmanager.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nbsdvtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\rsosvc.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\system32\schdlsv.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\consctl.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Communications Inc
F3 - REG:win.ini: load= loadbwcc.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: eTrust SSO Client Startup.lnk = C:\WINDOWS\RunHide.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://142.146.40.109
O15 - Trusted Zone: http://*.rogers.mphro.com (HKLM)
O15 - Trusted Zone: http://*.Rapid (HKLM)
O15 - Trusted Zone: http://*.Rapid.rogers.com (HKLM)
O15 - Trusted Zone: crossroads.net.wireless.rogers.com (HKLM)
O15 - Trusted Zone: http://itolls.rogers.com (HKLM)
O15 - Trusted Zone: ossjunction.net.wireless.rogers.com (HKLM)
O15 - Trusted Zone: http://rcilx030.rogers.com (HKLM)
O15 - Trusted Zone: http://rcilx031.rogers.com (HKLM)
O15 - Trusted Zone: http://rsohp013.rogers.com (HKLM)
O15 - Trusted Zone: web-dev.net.wireless.rogers.com (HKLM)
O15 - Trusted Zone: http://*.RSSESNITAPWA (HKLM)
O16 - DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - https://tkweb-english.rogers.com/WFC/plugins/j2re-1_4_2_12-windows-i586-p.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rci.rogers.ca
O17 - HKLM\Software\..\Telephony: DomainName = rci.rogers.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rci.rogers.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rci.rogers.ca
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: IxAdminAgent - Ixia - C:\Program Files\Ixia\IxAdmin\bin\IxAdminAgent.exe
O23 - Service: IxiaHardwareManager - Unknown owner - C:\Program Files\Ixia\hwmanager\HwMgrService.exe
O23 - Service: IxiaLicenseServer - Macrovision Corporation - C:\Program Files\Ixia\licensing\lmgrd.exe
O23 - Service: IxServerService - Ixia - C:\Program Files\Ixia\IxServer.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: nbsdvt - Unknown owner - C:\WINDOWS\system32\nbsdvtsvc.exe
O23 - Service: noded - Unknown owner - C:\Program Files\Ixia\licensing\noded.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: RSO Service (rsosvc) - Rogers Shared Operations - C:\WINDOWS\system32\rsosvc.exe
O23 - Service: RSS Scheduler (schdlsvc) - Unknown owner - C:\WINDOWS\system32\schdlsv.exe

--
End of file - 8798 bytes

pskelley
2008-10-17, 14:18
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

my work laptop has been infected with Smitfraud
The company I work for is Rogers,


Note:When the infected computer in question is a company machine in the workplace, and you are an employee.

Your organization must give their permission for assistance to be received in the removal of malware. The intention of this forum is not to replace a company's IT department.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

Please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

Thanks for your understanding.
--------------------------------------------
Malware removal forum volunteers are unable to assist users with infected corporate or Government machines. Please contact our office support so they may provide direct assistance for your needs. Thank you.

pskelley
2008-10-24, 15:39
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.