Tech Support Forum - View Single Post - HTML.Smitfraud & Trojanhorse Collected.6.BC

sojerguy · 05-24-2005, 08:42 PM

This has all started since yesterday (5/23/05).

This most recent infection has happened since;
a) I let AOL know I would be dispensing with their services and
b) Since I got DSL .

This has convinced me to get a firewall. Any recommendations on that?

The symptoms.
A blue screen of death look-a-like with a message in the center (my normal desktop icons are still around the edges), with a message in the center stating;

“Security Warning
A fatal error has happened in IE at 0028.C0011E36 in UXD VMM(01) + 0001E036. Error was caused by Trojan-Spy.HTML.Smitfraud.c”

It then tells me to check my security settings and to use an anti-virus software.

That is on my desktop.

Today in my “icon tray” I have gotten two new mini-icons, a red stop screen with a white X and a random timed “popup” balloon, saying “you’re infected with soyware; and next to it a pulsing upside down caution sign. Neither has any property or delete options when right clicked.

Also a new “Anti-virus Gold 2.0” option appeared on my start menu (ain’t it fun), with requisite attempts to get me to buy it. I was able to remove it using Setting-Contro Panel-Add remove software.

Have done(s).

Running Ad-Aware since Sunday has continually found 7-11 “serious” dangers each time.

AVG will continually find (and remove Trojan Horse Collected.6.BC), but is unable to prevent it getting back on.

Spybot Search & Destroy is now finding 1 or 2 items each time I run it, (as opposed to 1 threat every two weeks).

CWShredder finds nothing (though Ad-Aware found and eliminated 8 CoolWebSearch items).

Have just run HJT (after running all the above. Here’s the log.

Logfile of HijackThis v1.99.0
Scan saved at 7:28:46 PM, on 5/24/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\msole32.exe
C:\WINNT\popuper.exe
C:\WINNT\System32\intmonp.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINNT\System32\intmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\bsw.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\akik.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

http://www.startsearches.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet

Explorer provided by America Online
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} -

C:\WINNT\System32\hp5389.tmp
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe
O4 - HKCU\..\Run: [WindowsFY] C:\bsw.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\System32\winnook.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL

Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper -

{E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -

{E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper -

{E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -

{E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Chat -

http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -

http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2...ousecall/xscan

53.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. -

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. -

C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server - Lexmark International, Inc. -

C:\WINNT\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation -

C:\WINNT\System32\nvsvc32.exe
O23 - Service: Smart Card Client - Unknown - C:\WINNT\System32\SCardClnt.exe (file missing)

05-24-2005, 08:42 PM	#1 (permalink)
sojerguy Registered User Join Date: Sep 2004 Location: seattle-tacoma metro blob Posts: 110 OS: win XP ver 5.1.26001	HTML.Smitfraud & Trojanhorse Collected.6.BC This has all started since yesterday (5/23/05). This most recent infection has happened since; a) I let AOL know I would be dispensing with their services and b) Since I got DSL . This has convinced me to get a firewall. Any recommendations on that? The symptoms. A blue screen of death look-a-like with a message in the center (my normal desktop icons are still around the edges), with a message in the center stating; “Security Warning A fatal error has happened in IE at 0028.C0011E36 in UXD VMM(01) + 0001E036. Error was caused by Trojan-Spy.HTML.Smitfraud.c” It then tells me to check my security settings and to use an anti-virus software. That is on my desktop. Today in my “icon tray” I have gotten two new mini-icons, a red stop screen with a white X and a random timed “popup” balloon, saying “you’re infected with soyware; and next to it a pulsing upside down caution sign. Neither has any property or delete options when right clicked. Also a new “Anti-virus Gold 2.0” option appeared on my start menu (ain’t it fun), with requisite attempts to get me to buy it. I was able to remove it using Setting-Contro Panel-Add remove software. Have done(s). Running Ad-Aware since Sunday has continually found 7-11 “serious” dangers each time. AVG will continually find (and remove Trojan Horse Collected.6.BC), but is unable to prevent it getting back on. Spybot Search & Destroy is now finding 1 or 2 items each time I run it, (as opposed to 1 threat every two weeks). CWShredder finds nothing (though Ad-Aware found and eliminated 8 CoolWebSearch items). Have just run HJT (after running all the above. Here’s the log. Logfile of HijackThis v1.99.0 Scan saved at 7:28:46 PM, on 5/24/2005 Platform: Windows 2000 SP3 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINNT\System32\svchost.exe C:\WINNT\System32\nvsvc32.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\System32\shnlog.exe C:\WINNT\System32\msole32.exe C:\WINNT\popuper.exe C:\WINNT\System32\intmonp.exe C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe C:\WINNT\System32\intmon.exe C:\Program Files\Common Files\AOL\ACS\AOLDial.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\bsw.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\akik.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe C:\Program Files\Microsoft Office\Office10\WINWORD.EXE C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\System32\hp5389.tmp O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe O4 - HKCU\..\Run: [WindowsFY] C:\bsw.exe O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\System32\winnook.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll O9 - Extra button: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) O9 - Extra button: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU) O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E21A2B83-6083-444D-89BC-7435A2C26FFC} - (no file) (HKCU) O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ousecall/xscan 53.cab O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe O23 - Service: Smart Card Client - Unknown - C:\WINNT\System32\SCardClnt.exe (file missing)