Smitfraud-C, can't get rid of it

T

treetop333

New member
Hi,
Windows 2000 Pro with latest updates

Ran Virus check AVG and found nothing, Ran Spybot and got and cleaned the following in safe mode:

-- Search result list ---
LSA: Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-117609710-854245398-1708537768-500\SYSTEM\CurrentControlSet\Control\Lsa

Smitfraud-C.: Autorun settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-117609710-854245398-1708537768-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System

Error during check!: Smitfraud-C. [839] (Access violation at address 005A05D7 in module 'SpybotSD.exe'. Read of address 00000000) ()


Alexa Related: Link (Replace file, nothing done)
C:\WINNT\Web\related.htm




But when I rebooted in normal mode, I got the following:

Smitfraud-C.: Autorun settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-117609710-854245398-1708537768-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System

Error during check!: Smitfraud-C. [839] (Access violation at address 005A05D7 in module 'SpybotSD.exe'. Read of address 00000000) ()





Logfile of HijackThis v1.99.1
Scan saved at 12:27:26 PM, on 10/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Bell\Access Manager\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\wuauclt.exe
D:\spybot\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\Bell\ACCESS~1\app\TangoManager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe "Administrator"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SYSTEM] winsmgrd.exe
O4 - HKCU\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?1f46a47794ee43d0bdede59b167ec535
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?1f46a47794ee43d0bdede59b167ec535
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157688026431
O17 - HKLM\System\CCS\Services\Tcpip\..\{15976729-CDA2-43AB-B4A2-95F3A8E5E488}: NameServer = 67.69.184.15 67.69.184.144
O17 - HKLM\System\CS1\Services\Tcpip\..\{15976729-CDA2-43AB-B4A2-95F3A8E5E488}: NameServer = 67.69.184.15 67.69.184.144
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\winmgrd.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe

Thanks

William
 
Welcome

Go start run type in services.msc hit ok
find (be very careful)
"NetDDE Server " double click it to bring up the properties
on that first page make sure you have the correct service !!, it will show the path to the bad file
C:\WINNT\system32\winmgrd.exe
Under "startup type" set it to disabled , click apply OK then exit services.
----------------------------------------------
Start Hijackthis and place a check next to these items If there.
O4 - HKCU\..\Run: [SYSTEM] winsmgrd.exe
====================================
Hit fix checked and close Hijackthis.

Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check for problems with SpyBot and fix any items found


Post a new hijackthis log and a report from a free online such as panda
Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Do a full scan > Click the my computer button
After the scan click see report then Save the report and post it back here please.
 
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.
 
You must log in or register to reply here.
Back
Top