Tech Support Forum - View Single Post - Smitfraud-C, 888 toolbar help!

filo_romz · 11-22-2006, 05:43 AM

Hey my friend recently caught a heavy virus while browsing through some sites and he has great difficulty in getting access to the internet. Here is his recent logfile:

--------------

Logfile of HijackThis v1.99.1
Scan saved at 11:30:21 PM, on 22/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VirusRescue\vrsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\??mbols\??rss.exe
C:\PROGRA~1\COMMON~1\WNSXS~1\fast.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\SafetyBar.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RtWLan] C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe /H
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpah.dll,startup
O4 - HKLM\..\Run: [tnziiib.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\tnziiib.dll,xeokrvd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [VirusRescue] C:\Program Files\VirusRescue\VirusRescue.exe /s
O4 - HKLM\..\Run: [SpywareHeal] C:\Program Files\SpywareHeal\SpywareHeal.exe /h
O4 - HKLM\..\Run: [cqjkpwk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\cqjkpwk.dll,kghdbsf
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [vvdkkpe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vvdkkpe.dll,agkxvbc
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uuir] "C:\PROGRA~1\COMMON~1\WNSXS~1\fast.exe" -vt tzt
O4 - HKCU\..\Run: [Bwcpgrj] C:\Program Files\Common Files\??mbols\??rss.exe
O4 - Startup: .protected
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
O4 - Global Startup: .protected
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O21 - SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - C:\WINDOWS\system32\fmrmhc.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: vrsvc - Unknown owner - C:\Program Files\VirusRescue\vrsvc.exe

--------------

my friend says that the trojan or virus behind it is Smitfraud-C or some form or another... It seems that the virus makes icons which look like anti-virus program icons or protection icons and keeps returning evreytime he logs on the internet. He keeps disconnecting from the internet and makes his computer extremely slow... He also sees an 888 toolbar on his computer which could also have contributed to the slowing down of his computer.

I hope you can help my dear friend out! Thank you TSF

11-22-2006, 05:43 AM	#1 (permalink)
filo_romz Registered User Join Date: Dec 2005 Posts: 20 OS: WinXP	Smitfraud-C, 888 toolbar help! Hey my friend recently caught a heavy virus while browsing through some sites and he has great difficulty in getting access to the internet. Here is his recent logfile: -------------- Logfile of HijackThis v1.99.1 Scan saved at 11:30:21 PM, on 22/11/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\VirusRescue\vrsvc.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Common Files\??mbols\??rss.exe C:\PROGRA~1\COMMON~1\WNSXS~1\fast.exe C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\SafetyBar.dll O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [RtWLan] C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe /H O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvpah.dll,startup O4 - HKLM\..\Run: [tnziiib.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\tnziiib.dll,xeokrvd O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" O4 - HKLM\..\Run: [VirusRescue] C:\Program Files\VirusRescue\VirusRescue.exe /s O4 - HKLM\..\Run: [SpywareHeal] C:\Program Files\SpywareHeal\SpywareHeal.exe /h O4 - HKLM\..\Run: [cqjkpwk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\cqjkpwk.dll,kghdbsf O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [vvdkkpe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vvdkkpe.dll,agkxvbc O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Uuir] "C:\PROGRA~1\COMMON~1\WNSXS~1\fast.exe" -vt tzt O4 - HKCU\..\Run: [Bwcpgrj] C:\Program Files\Common Files\??mbols\??rss.exe O4 - Startup: .protected O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe O4 - Global Startup: .protected O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file) O21 - SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - C:\WINDOWS\system32\fmrmhc.dll (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: vrsvc - Unknown owner - C:\Program Files\VirusRescue\vrsvc.exe -------------- my friend says that the trojan or virus behind it is Smitfraud-C or some form or another... It seems that the virus makes icons which look like anti-virus program icons or protection icons and keeps returning evreytime he logs on the internet. He keeps disconnecting from the internet and makes his computer extremely slow... He also sees an 888 toolbar on his computer which could also have contributed to the slowing down of his computer. I hope you can help my dear friend out! Thank you TSF