Smitfraud-C, can't get rid of it


treetop333
2006-09-11, 00:54
Hi,
Windows 2000 Pro with latest updates

Ran a virus check with AVG and found nothing. Ran Spybot, which found and cleaned the following in safe mode:

-- Search result list ---
LSA: Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-117609710-854245398-1708537768-500\SYSTEM\CurrentControlSet\Control\Lsa

Smitfraud-C.: Autorun settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-117609710-854245398-1708537768-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System

Error during check!: Smitfraud-C. [839] (Access violation at address 005A05D7 in module 'SpybotSD.exe'. Read of address 00000000) ()


Alexa Related: Link (Replace file, nothing done)
C:\WINNT\Web\related.htm
But when I rebooted in normal mode, I got the following:

Smitfraud-C.: Autorun settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-117609710-854245398-1708537768-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System

Error during check!: Smitfraud-C. [839] (Access violation at address 005A05D7 in module 'SpybotSD.exe'. Read of address 00000000) ()
Logfile of HijackThis v1.99.1
Scan saved at 12:27:26 PM, on 10/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Bell\Access Manager\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\wuauclt.exe
D:\spybot\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\Bell\ACCESS~1\app\TangoManager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe "Administrator"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SYSTEM] winsmgrd.exe
O4 - HKCU\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?1f46a47794ee43d0bdede59b167ec535
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?1f46a47794ee43d0bdede59b167ec535
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157688026431
O17 - HKLM\System\CCS\Services\Tcpip\..\{15976729-CDA2-43AB-B4A2-95F3A8E5E488}: NameServer = 67.69.184.15 67.69.184.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{15976729-CDA2-43AB-B4A2-95F3A8E5E488}: NameServer = 67.69.184.15 67.69.184.144
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\winmgrd.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe

Thanks

William

LonnyRJones
2006-09-16, 05:41
Welcome

Go to Start > Run, type in services.msc and hit OK.
Find (be very careful)
"NetDDE Server" and double click it to bring up the properties.
On that first page make sure you have the correct service!! It will show the path to the bad file:
C:\WINNT\system32\winmgrd.exe
Under "Startup type" set it to Disabled, click Apply, OK, then exit Services.
----------------------------------------------
Start HijackThis and place a check next to these items if there:
O4 - HKCU\..\Run: [SYSTEM] winsmgrd.exe
====================================
Hit Fix checked and close HijackThis.

Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check for problems with SpyBot and fix any items found


Post a new HijackThis log and a report from a free online scanner such as Panda.
Panda ActiveScan - free online scanner:
http://www.pandasoftware.com/products/activescan.htm
Do a full scan > click the My Computer button.
After the scan, click See report, then save the report and post it back here please.
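An added example (not from this thread, nor from Spybot or HijackThis) of a defender-side first pass over HijackThis O4 and O23 lines like the ones above: it flags Run entries launched by a bare executable name (which is what makes `[SYSTEM] winsmgrd.exe` stand out) and services whose file is missing or whose owner is unknown. The sample lines are copied from the log in this thread; the KNOWN_BARE allowlist of Windows 2000 components is an assumption about this host.

```python
import re

# Sample HijackThis lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SYSTEM] winsmgrd.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\winmgrd.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe
"""

O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Windows 2000 components that are normally started by bare name (assumption: known-good on this host).
KNOWN_BARE = {"internat.exe", "mobsync.exe"}

def executable_of(cmd):
    """Return the program part of a Run command, honouring a quoted path with arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def triage(log_text):
    """Return (section, id, target, reason) tuples that deserve a human look; leads, not verdicts."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            # A bare name is resolved through PATH at logon, so the log cannot say where it really lives.
            if "\\" not in exe and ":" not in exe and exe.lower() not in KNOWN_BARE:
                findings.append(("O4", m.group("name"), exe, "bare executable name, no path"))
            continue
        m = O23_RE.match(line)
        if m:
            if m.group("path").endswith("(file missing)"):
                findings.append(("O23", m.group("short"), m.group("path"), "file missing"))
            if m.group("owner") == "Unknown owner":
                findings.append(("O23", m.group("short"), m.group("path"), "unknown owner"))
    return findings

if __name__ == "__main__":
    for section, ident, target, reason in triage(SAMPLE_LOG):
        print(f"{section} {ident}: {target} -> {reason}")
```

The unknown-owner flag also hits the legitimate Bell Tango service, which is the point: the output is a short list to verify by hand (path on disk, publisher, service properties), exactly as the helper's instructions do for NetDDE Server.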

tashi
2006-09-22, 20:19
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.