May 1st, 2005 00:00
Help With Trojan-Spy.HTML.Smitfraud.c
Hi, I need help fixing my computer. I, like many of the posts I have seen, have a problem with Trojan-Spy.HTML.Smitfraud.c. It creates a blue desktop which says
"a fatal error has occured at 0028:C0011E6 in VXD VMM<01> + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c *system can not function in normal mode. please check your security settings *scan your pc with any available antivirus / spyware removal programto fix your pc"
Also, whenever I open Internet Explorer a window pops up asking if I wish to install some sort of dialer, to which I always click no.
I have run HijackThis and copied its scan; here it is:
Logfile of HijackThis v1.99.1
Scan saved at 9:43:15 PM, on 4/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\systemwin32s.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Daniels\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.s**maniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.s**files.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 s**files.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaas**ypics.com
O1 - Hosts: 127.0.0.3 aaas**ypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slu*mania.biz
O1 - Hosts: 127.0.0.3 www.slu*mania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2f***ed.biz
O1 - Hosts: 127.0.0.3 sp2f***ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylons**y.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{2416ADD5-4E72-4696-AAF6-FFD5CBE5D690}\SECURITY.EXE
O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Microsoft AntiSpyware helper - {66E1F206-9237-47C6-A7D2-E1C00CEF6E44} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {66E1F206-9237-47C6-A7D2-E1C00CEF6E44} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {66E1F206-9237-47C6-A7D2-E1C00CEF6E44} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {66E1F206-9237-47C6-A7D2-E1C00CEF6E44} - C:\WINDOWS\System32\wldr.dll (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{259C1D2A-D20E-47CA-9D59-61E5DA01D701}: NameServer = 160.10.4.4,160.10.2.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{259C1D2A-D20E-47CA-9D59-61E5DA01D701}: NameServer = 160.10.4.4,160.10.2.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{259C1D2A-D20E-47CA-9D59-61E5DA01D701}: NameServer = 160.10.4.4,160.10.2.5
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
It also seems I somehow have gotten some porn websites as hosts; how would I eliminate these as well?
Please help, any help would be much appreciated. Thank you very much in advance.
ddols
Texruss
May 1st, 2005 04:00
http://russelltexas.com/files/CleanUp40.exe
ddols
May 1st, 2005 04:00
Texruss
May 1st, 2005 04:00
You've got several baddies besides the new Smitty. ;-) Another bad worm, yet another bad Trojan, and a third Trojan as well as CWS exploits. On a Fujita scale of 1 to 5 you've got about a 4.5. >;-(
FYI: Here's the Symantec page on Smitty:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.desktophijack.html
Comments: You're way behind on Windows Updates and lacking any Antivirus. Any fixes we do here will be wasted unless you promptly download SP2 (or order the free CD if you use dialup) and install an AV. http://russelltexas.com/malware/allclear.htm
Anyway...let's see what we can do:
Download CWShredder™ Version 2.1 here.
http://cwshredder.net/bin/CWShredder.exe
Save it to its own folder named CWShredder. Save it to the root of the C:\ drive, the same location as HijackThis. Don't run it yet.
Download Cleanup!. Install it, but don't run it yet:
http://cleanup.stevengould.org
Next: http://mvps.org/winhelp2002/hosts.htm (Download the zipped file, unzip it and copy it to C:\Windows\System32\Drivers\ETC and overwrite your current HOSTS file.) Full details on that page with a good overview of the HOSTS file and how it works.
Reboot to Safe Mode. http://www.bleepingcomputer.com/forums/tutorial61.html
In Safe Mode hit Control-SHIFT-ESCAPE and end the process for these applications:
systemwin32s.exe
From Safe Mode, run CWShredder. To open the program, double-click on CWShredder.exe. Now, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.
Run HJT and 'Fix checked' these line items (if they still exist):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.s**maniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.s**files.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 s**files.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaas**ypics.com
O1 - Hosts: 127.0.0.3 aaas**ypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slu*mania.biz
O1 - Hosts: 127.0.0.3 www.slu*mania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2f***ed.biz
O1 - Hosts: 127.0.0.3 sp2f***ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylons**y.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{2416ADD5-4E72-4696-AAF6-FFD5CBE5D690}\SECURITY.EXE
O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
Exit Hijackthis and empty the Recycle Bin.
Next: Enable Hidden Files:
http://www.bleepingcomputer.com/forums/How_to_see_hidden_files_in_Windows-tut62.html
Open Windows Explorer (type the word explorer at Start/Run). Delete the following files:
C:\WINDOWS\SYSTEM32\drct16.dll
C:\WINDOWS\SYSTEM32\systemwin32s.exe
Delete the following entire folder
C:\WINDOWS\SYSTEM32\Services
Exit Explorer and empty the Recycle Bin.
Run the Cleanup! program. Have it clean all files and also cookies (in Options). Select Fully erase files.
Reboot to normal mode. Download Spybot Search and Destroy and Adaware SE. Update and run both until nothing hostile is detected. http://russelltexas.com/malware/allclear.htm
For Smitfraud you will need to follow the steps 1-6 on Norton's page for removal instructions. You've already done the HOSTS file replacement mentioned in Norton's additional information at the bottom of their webpage.
If you have decided to do all this and haven't blasted your PC with a 12-gauge shotgun, run HJT and post a new log. ;-) Yes, this cleanup is time-consuming, but unless you have all drivers and CDs ready for a reformat and reinstall of Windows (as well as backups of all personal data) then this cleanup plan is your best option.
HTH,
Texruss
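As an added illustration (not code from this thread, from HijackThis or from the tools Texruss links), here is a small Python triage script that applies the indicators his reply points at to lines in the HijackThis v1.99.1 log format: browser pages set to a raw IP, HOSTS entries pointed at an unusual loopback address, bare-name autostart values registered under several Run keys, and Winlogon Notify DLLs. The sample log is constructed; the benign lines (example.com, ads.example.net, UpdReg, LexBceS) are made up for contrast.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 line format (not the thread's log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 0.0.0.0 ads.example.net
O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Sinkhole addresses a hand-maintained block list (such as the MVPS HOSTS file
# linked in the thread) normally uses; any other target in an O1 line is unusual.
NORMAL_SINKHOLES = {"127.0.0.1", "0.0.0.0"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def is_ip_literal(host):
    """True when the URL host is a bare IP address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (severity, reason, line) for each log entry worth a closer look."""
    findings = []
    run_keys = {}    # bare autostart file name -> [(hive, key), ...]
    run_first = {}   # bare autostart file name -> first log line it appeared on
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind in ("R0", "R1") and " = " in rest:
            host = urlparse(rest.split(" = ", 1)[1]).hostname or ""
            if is_ip_literal(host):
                findings.append(("high", "browser page set to raw IP " + host, line))
        elif kind == "O1" and rest.startswith("Hosts: "):
            target, _, name = rest[len("Hosts: "):].partition(" ")
            if target not in NORMAL_SINKHOLES:
                findings.append(("medium", f"HOSTS maps {name} to unusual address {target}", line))
        elif kind == "O4":
            r = RUN_RE.match(rest)
            # A value with no directory is resolved through the search path
            # (usually System32); the same name under several keys is persistence.
            if r and "\\" not in r.group("cmd"):
                run_keys.setdefault(r.group("cmd"), []).append((r.group("hive"), r.group("key")))
                run_first.setdefault(r.group("cmd"), line)
        elif kind == "O20" and rest.startswith("Winlogon Notify: "):
            findings.append(("high", "Winlogon Notify DLL loads into every logon; verify its publisher", line))
    for cmd, keys in run_keys.items():
        where = ", ".join(f"{h}\\{k}" for h, k in keys)
        sev = "high" if len(keys) >= 2 else "medium"
        findings.append((sev, f"bare-name autostart {cmd} under {where}", run_first[cmd]))
    return findings
```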
ddols
May 1st, 2005 16:00
I've run into a couple of snags. When I am rebooted in Safe Mode and go to the Task Manager to end the systemwin32.exe process, it is not on the list. Also, I was unable to delete C:/windows/system32/drct16.dll because it was currently in use by another program. Thanks for all your help so far.
Texruss
May 1st, 2005 16:00
You can try to kill it with HijackThis. Click the Misc Tools section button on the main screen, select 'Delete a file on reboot' and browse to the file.
It also looks like that .DLL is part of a much nastier Backdoor Trojan. If you're up for registry editing take a look at Symantec's removal instructions (part 4):
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.d.html
HTH,
Texruss
ddols
May 1st, 2005 17:00
OK, I've run the cleanup, but that's it. And then...
Another snag: when I run Adaware, during the scan my computer restarts itself for no reason.
Scan saved at 2:32:55 PM, on 5/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Daniels\My Documents\hiajckthis\HijackThis.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Microsoft AntiSpyware helper - {66E1F206-9237-47C6-A7D2-E1C00CEF6E44} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {66E1F206-9237-47C6-A7D2-E1C00CEF6E44} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {66E1F206-9237-47C6-A7D2-E1C00CEF6E44} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {66E1F206-9237-47C6-A7D2-E1C00CEF6E44} - C:\WINDOWS\System32\wldr.dll (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{259C1D2A-D20E-47CA-9D59-61E5DA01D701}: NameServer = 160.10.4.4,160.10.2.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{259C1D2A-D20E-47CA-9D59-61E5DA01D701}: NameServer = 160.10.4.4,160.10.2.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{259C1D2A-D20E-47CA-9D59-61E5DA01D701}: NameServer = 160.10.4.4,160.10.2.5
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Texruss
May 1st, 2005 19:00
I understand...you were getting close though...two main baddies:
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
Those entries would need to be fixed in HJT.
Then my second choice for hard to delete files is Killbox:
Download Killbox: http://www.bleepingcomputer.com/files/killbox.php
Unzip the contents of KillBox.zip to a convenient location.
Please go offline and close all other programs.
Double-click on KillBox.exe.
Click on Tools, then Delete Temp Files.
Click "Delete on Reboot".
Paste this file into the top "Full Path of File to Delete" box:
C:\WINDOWS\System32\mszx23.exe
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Delete on Reboot prompt.
Click "Yes" if asked if you want to reboot.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
All the best,
Texruss