05-31-2005, 12:39 AM   #5
Scorpex
Analyst, Security Team
 
Sojerguy,

Let’s try this.

Right click on this link -> http://www.bleepingcomputer.com/files/reg/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.


Make sure you can still view hidden files:
Go to My Computer->Tools/View->Folder Options->View tab
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button.



Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go to Start->Run and type Services.msc then hit Ok.
You must be very careful when dealing with services – there are other ones named very similarly to this one. If you do not see the one named below, do nothing, close the Services window and continue on to the ***.

Scroll down and find the service called: Smart Card Client (SCardClnt)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled.

Now hit Apply and then Ok and close any open windows.


***Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any).

O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\System32\SCardClnt.exe (file missing)



Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\Downloaded Program Files\WinCtlAdX.dll
C:\WINNT\system32\perfcii.ini
C:\WINNT\system32\winnook.exe
C:\WINNT\System32\SCardClnt.exe


Note: If you open the C:\WINDOWS\Downloaded Program Files folder and do not see the file WinCtlAdX.dll, double-click on each of the ActiveX Controls listed there and click on the dependency tab - look for WinCtlAdX.dll.

In your next post list the ActiveX Control that has WinCtlAdX.dll in the dependency tab.



Close HijackThis.



Restart your computer.


Run an online scan at http://www.pandasoftware.com/activescan/ and save the results from the scan!

Restart and post a new HijackThis log along with the results from ActiveScan.


4SG
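
The state the post is working towards, gathered into one read-only check, as an added example that is not part of the original post: it reports whether the SCardClnt service and the four listed files are still present, and is meant to be run after the final restart in normal mode. It assumes Windows PowerShell is installed on the machine; the helper name New-Finding is hypothetical.

```powershell
# Added example: read-only audit of the items named in the post above.
# It stops, disables and deletes nothing; it only reports what is still present.
# Assumes Windows PowerShell (Get-WmiObject is not available in PowerShell 6+).

$serviceName = 'SCardClnt'    # service name from the HijackThis O23 line
$leftovers = @(
    'C:\WINDOWS\Downloaded Program Files\WinCtlAdX.dll',
    'C:\WINNT\system32\perfcii.ini',
    'C:\WINNT\system32\winnook.exe',
    'C:\WINNT\System32\SCardClnt.exe'
)

# Hypothetical helper: one report row per checked item.
function New-Finding($Item, $Status, $Detail) {
    New-Object PSObject -Property @{ Item = $Item; Status = $Status; Detail = $Detail }
}

$findings = @()

# Match the exact service name only; the post warns that other services
# have very similar names and must be left alone.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) {
    $findings += New-Finding "Service $serviceName" 'Absent' 'nothing to do in Services.msc'
} elseif ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled') {
    $findings += New-Finding "Service $serviceName" 'Neutralized' $svc.PathName
} else {
    $findings += New-Finding "Service $serviceName" 'ACTIVE' "$($svc.State)/$($svc.StartMode) $($svc.PathName)"
}

# List every service whose display name starts with "Smart Card" so any
# look-alikes are visible next to the one being removed.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.DisplayName -like 'Smart Card*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-Table -AutoSize

# Test-Path sees hidden and system files regardless of the Explorer view settings.
foreach ($path in $leftovers) {
    if (Test-Path -LiteralPath $path) {
        $findings += New-Finding $path 'STILL PRESENT' 'delete as instructed in the post'
    } else {
        $findings += New-Finding $path 'Gone' ''
    }
}

$findings | Select-Object Item, Status, Detail | Format-Table -AutoSize
```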