Smitfraud



MotherFragger
2006-05-12, 04:59
SmitFraudFix v2.43

Scan done at 20:29:55.18, Thu 05/11/2006
Run from C:\Documents and Settings\Brant\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\country.exe Deleted
C:\ms1.exe Deleted
C:\secure32.html Deleted
C:\uniq Deleted
C:\Documents and Settings\Brant\Application Data\Install.dat Deleted
C:\Program Files\secure32.html Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:21:40 PM, 5/11/2006
+ Report-Checksum: A892FA8C

+ Scan result:

HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Brant\Local Settings\Temp\010N83A070\1988.tmp -> Trojan.Sinowal.n : Cleaned with backup
C:\Documents and Settings\Brant\Local Settings\Temp\010N83A070\2412.tmp -> Trojan.Sinowal.n : Cleaned with backup
C:\Documents and Settings\Brant\Local Settings\Temp\010N83A070\2632.tmp -> Trojan.Sinowal.n : Cleaned with backup
C:\Documents and Settings\Brant\Local Settings\Temp\010N83A070\3396.tmp -> Trojan.Sinowal.n : Cleaned with backup
C:\Documents and Settings\Brant\Local Settings\Temp\010N83A070\3984.tmp -> Trojan.Sinowal.n : Cleaned with backup
C:\kl1.exe -> Trojan.Sinowal.n : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00010.dll -> Trojan.Sinowal.m : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.dll -> Trojan.Sinowal.m : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00012.dll -> Trojan.Sinowal.m : Cleaned with backup
C:\Program Files\Internet Explorer\loader.exe -> Downloader.Agent.akj : Cleaned with backup
C:\Program Files\Internet Explorer\update.exe -> Adware.BHO : Cleaned with backup
C:\Program Files\paytime.exe -> Hijacker.StartPage.adi : Cleaned with backup
C:\Program Files\SpySheriff -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Adware.SpySheriff : Cleaned with backup
C:\tool1.exe -> Downloader.Small.csn : Cleaned with backup
C:\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\tool3.exe -> Proxy.Small.bo : Cleaned with backup
C:\tool4.exe -> Adware.BHO : Cleaned with backup
C:\tool5.exe -> Hijacker.Small.kr : Cleaned with backup
C:\toolbar.exe -> Backdoor.Haxdoor.il : Cleaned with backup
C:\WINDOWS\system32\0mcamcap.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINDOWS\system32\TheMatrixHasYou.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINDOWS\system32\winbrume.dll -> Adware.BHO : Cleaned with backup
C:\WINDOWS\system32\winmuse.exe -> Downloader.Agent.akj : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 8:42:40 PM, on 5/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1145032885\ee\AOLSoftware.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb13.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\Tugger\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145032885\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb13.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{BA2D9411-DBB4-43e4-9421-780413650A67}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144468003687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144467993843
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

CalamityJane
2006-05-14, 00:19
Hi MotherFragger,

You got rid of the Smitfraud pest, but you have something much more serious :(

Do a *scan only* with HijackThis and checkmark these entries in the list:

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe"

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe"

O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
.....................
Then delete these files:
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe

C:\WINDOWS\SYSTEM32\xptptt.dll

Download haxfix.exe (http://users.telenet.be/marcvn/tools/haxfix.exe)
and save it to your desktop.

Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon"
Click "Next"
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix


Select option 1. Make logfile by typing 1 and then pressing Enter
Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)
.............................................
Important!

Now you need to know what it is that you had on there that is so bad.

ibm00011.exe is associated with one of the many Torpig trojan variants
http://www.sophos.com/virusinfo/analyses/search-results/?search=Ibm00001&action=search

The Trojan attempts to steal passwords, as well as logging keypresses and open window titles to text files and periodically sends the collected information to a remote user via HTTP.
You need to take any and all precautions to protect any accounts, passwords, any sensitive data on that PC, as Torpig is a remote access trojan, allowing an intruder to access the computer and often contains a keylogger and/or password stealer.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/sec.../virusrat.mspx


And more bad news
xptptt.dll is the Haxdoor rootkit.

What is a rootkit? In the simplest of terms, it is technology to hide an attacker's tools. Rootkits can prevent detection and removal and in some cases, attempting to remove a rootkit can destroy a system. You can't know what else a rootkit has done.

Once you've identified a rootkit on your system, the remediation options are somewhat limited. Because rootkits can hide themselves, you may not know how long they've been on the system. You also may not know what information the rootkits have compromised. The best reaction to an identified rootkit is to wipe and reinstall the system. Although drastic, this is the only proven method to completely remove rootkits.

Rootkits: The Obscure Hacker Attack
http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

Basically, your system has been completely compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you. The rootkit makes it worse as your system is no longer trustworthy.

IMHO, you need to disconnect this PC from the internet and from your network if it is on a network. Then, access this information from a non-compromised computer to follow the steps needed.

If you're going to try to "clean" this (which I don't recommend as the best action), you need to get a good online AV scan as the trojan has possibly disabled or impaired any security software installed on the compromised computer. Any of the following will scan and clean the computer for free using the online AV scanner.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)
It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Panda's Active Scan
http://www.pandasoftware.com/products/activescan.htm

Edit to add note: Received a PM from the original poster:


Calamity:

I knew that my trojan was horrible, so i fdisked and reinstalled Windows XP. Although painful, I have no issues now. Thanks for trying to help! I just wanted to let you know I fixed my problem...

Regards,

{name removed}
AKA MotherFragger

So this case is basically resolved :)
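An added example, not part of the thread or of any of the tools it mentions: a small Python triage that applies the rules the helper used above to HijackThis log lines. It flags an F2 Shell= value that is anything other than explorer.exe, cross-references O4 Run entries that launch the same payload, and flags O20 Winlogon Notify packages outside an allowlist of XP defaults. The sample lines are copied from the posted log; the allowlist is my assumption.

```python
import re

# Assumed allowlist of Winlogon Notify packages that ship with Windows XP;
# any other package registered under O20 deserves a closer look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Sample lines copied from the HijackThis log in this thread
# (three flagged entries plus two benign ones for contrast).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe"
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
"""

EXE_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll))', re.IGNORECASE)


def _exes(text):
    """Lower-cased set of .exe/.dll paths mentioned on one log line."""
    return {m.lower() for m in EXE_RE.findall(text)}


def triage_hijackthis(log_text):
    """Return (section, reason, line) tuples for entries worth investigating."""
    findings = []
    shell_exes = set()
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # Pass 1: the system.ini Shell= value must be exactly explorer.exe.
    for line in lines:
        m = re.match(r'F2 - REG:system\.ini: Shell=(.*)', line)
        if m and m.group(1).strip().lower() != "explorer.exe":
            findings.append(("F2", "Shell= carries an extra executable", line))
            shell_exes |= _exes(m.group(1))
    # Pass 2: Run entries reusing that payload, and unknown Winlogon Notify DLLs.
    for line in lines:
        if line.startswith("O4 ") and _exes(line) & shell_exes:
            findings.append(("O4", "Run entry launches the Shell= payload", line))
        m = re.match(r'O20 - Winlogon Notify: (\S+) - (.*)', line)
        if m and m.group(1).lower() not in KNOWN_NOTIFY:
            findings.append(("O20", "Notify package not in XP allowlist", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hijackthis(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```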

tashi
2006-05-18, 10:46
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.