Posted: Tue Dec 13, 2005 12:21 am Post subject: Got hit with Smitfraud C.
1) I got hit with Smitfraud C.. Upon opening IE, it would instantly switch to one of two web site that were desperately trying to get me to sign up for a variety of anti-virus software: Winantivirus, Ad-Protect, Spy Fighter, on a web page titled "Security Troubleshooting", and Spy Trooper, Spy Axe, Spy Guard, on a web page titled "Online Security Center." The next day a "Spy Axe" icon showed up on my desk top, along with one in the Launch Window.
2) Every few minutes there is a window popping up by the system tray stating that computer is infected with "iworm_attck_vi22.02a"
3) From time to time various ads are poping up, example:casino, etc.
4) From time to time other notices pop up, for example "you computer is running slow, is infected, etc.
5) Also, Norton is reporting that the computer is getting hit with "Hacktook. Rootkit", and Norton is denying access, but is stating thai it is not able to repair it.
6) Norton is also defeating a Trojan called "Spaxe"
7) I was able to defeat the Browser take over by disabling a BHO, titled "hp6D32l.tmp" using "BHO Demon". This allows my normal access to the internet via Yahoo.
Computer is a Pentium 4, with XP.
9) Ran Ad-Ware Personal SE, Norton Premier, and SpyBot. SpyBot found Smitfraud, but was not able to fix one of two files. It fixed a registry value.....policies\explorer\run\nvctrl.exe, but was not able to fix a registry-change value.....Internet setting\Zone Map\Domains\Windows\free-spy-cam.net\*!=W=4>
10) These problems came very suddenly, when I opened a news article in Yahoo. The broswer shut down instantly, and two icons showed up on my desk top representing the two files stated above. I haven't had any virus problems for three years, and bingo, it happens. The take over was not the "blue death" I have read about.
11) Norton is running, SpyBot, and Ad-Ware and Microsoft ad-ware are not running. Microsoft firewall is on.
12) Below is a HijackThis log taken in the "non-safe" mode. I would appreciate a bit of help on this one. Is their any programs out there that will remove this beast, or must it be removed manually, and how difficult is it to do?
13) I disabled "System Restore" and ran Norton again thinking that I would find something hidden in there but nothing showed.
Logfile of HijackThis v1.99.1
Scan saved at 12:17:51 AM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
1- Download smitRem
and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.
2- Download the trial version of Ewido Security Suite from HERE.
Install it (When installing, under "Additional Options" uncheck : -Install background guard and -Install scan via context menu), and update the definitions to the newest files. Do NOT run a scan yet.
Reboot your computer in Safe Mode (at startup tap F8 and select Safe Mode) .
1- Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
2- Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
Forum FAQ
Search
Usergroups
Profile
Log in
Computer is a Pentium 4, with XP.
