Operating System Version: Windows XP Home SP1
Problem Application Name & Version: smitfraud.c
Hi, I have a system hit by the smitfraud trojan and can't get things back right again. Start-Programs shows EMPTY. Can't open Control Panel from Start-Settings. CAN boot to safe mode, CAN use Windows Explorer, can use Regedit. Got Display options up and viewing, but wallpaper won't change. Also, the blue screen that smitfraud created is now gone.
Disabled SystemRestore
View all HiddenFolders and SystemFolders
Quit most of the system processes i.e. SMSSU.exe, TMNTSRV32.exe, IEND.exe
Ran AdAware and removed a lot of registry entries then rebooted.
Ran Spybot S&D but only found DSO Exploit, fixed.
System won't install AVG by Grisoft.
CWS Shredder found nothing.
Norton Anti-Virus won't run.
Can someone please help me get my system back up and running clean again? Below is my HijackThis log, attached:
You got this particular trojan because of a not properly patched system. You do not need to upgrade to Service Pack 2 to fix this, as the patch is part of the Service Pack 1 cumulative security patches.
BudE, it's no use just quitting the processes, as they come back. You seem to have done most of the scanning stuff to remove it, but there are registry entries, and also in your WINDOWS and WINDOWS\system32 folders there will be several icons relating to this, probably Ghost, Spyware Remove, Antivirus and a couple more.
Your HijackThis log shows many things to be removed.
Remove all of the R1 and R0 entries
Remove all of the O4 - HKLM\..\Run: [p] C:\WINDOWS\p (I don't know why you have so many on there)
Remove:
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O2 - BHO: (no name) - {D7AC1511-463F-7B9F-50A1-66F823A5FA17} - C:\WINDOWS\ipee32.dll
I don't know what this is, but I would remove it unless it is a valid program:
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
I would remove:
O4 - HKLM\..\Run: [iend.exe] C:\WINDOWS\system32\iend.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
and maybe this:
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
I would also remove these 2, as I have no idea what they do or are:
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
That should give you a start. REMEMBER TO BACK UP THE REGISTRY BEFORE YOU DO THIS!
Open the registry editor and File/Export and save it somewhere safe.
It helps to scan and clean in Safe Mode. Or you can slave the HDD in another PC, then scan it there. Another option is to use UBCD for Windows or Knoppix.
In the long run you may need to Repair Install XP or bite the bullet: back up, format and reinstall.
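The post above reasons about HijackThis entries by hand: which section they come from (O2 browser helper objects, O4 Run keys, O23 services), where the loaded module sits, and which lines look out of place. The following script, which is an added example and not code from the thread or from HijackThis, parses those three line types and applies the same kind of review heuristics the poster used (a module sitting directly in the Windows root, a BHO with no name, a service with an unknown owner, a Run entry repeated many times). The sample log is constructed from the lines quoted in this thread, with the "[p]" entry repeated to mimic the "so many on there" remark; the flag names are this example's own labels and only mark lines worth reviewing, not confirmed malware.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: the HijackThis lines quoted in the thread,
# with the "[p]" Run entry repeated on purpose.
SAMPLE_LOG = r"""
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O2 - BHO: (no name) - {D7AC1511-463F-7B9F-50A1-66F823A5FA17} - C:\WINDOWS\ipee32.dll
O4 - HKLM\..\Run: [p] C:\WINDOWS\p
O4 - HKLM\..\Run: [p] C:\WINDOWS\p
O4 - HKLM\..\Run: [p] C:\WINDOWS\p
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [iend.exe] C:\WINDOWS\system32\iend.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
"""

# Line shapes for the three HijackThis sections handled here.
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Entry:
    section: str            # "O2", "O4" or "O23"
    name: str               # BHO/Run/service display name
    path: str               # module actually loaded (best effort for O4)
    extra: dict = field(default_factory=dict)
    raw: str = ""           # the original log line


def _first_token(s):
    """Return (first token, remainder), honouring a double-quoted first token."""
    s = s.strip()
    if not s:
        return "", ""
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:]
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def module_from_command(command):
    """For an O4 command, find the module that really runs: the executable,
    or the DLL named after rundll32.exe (up to the ',EntryPoint' suffix)."""
    token, rest = _first_token(command)
    if ntpath.basename(token).lower() == "rundll32.exe":
        token, _ = _first_token(rest)
        token = token.split(",", 1)[0]
    return token


def parse_log(text):
    """Parse O2, O4 and O23 lines into Entry objects; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RE_O2.match(line):
            entries.append(Entry("O2", m["name"], m["path"], {"clsid": m["clsid"]}, line))
        elif m := RE_O4.match(line):
            entries.append(Entry("O4", m["name"], module_from_command(m["command"]),
                                 {"hive": m["hive"], "command": m["command"]}, line))
        elif m := RE_O23.match(line):
            entries.append(Entry("O23", m["name"], m["path"],
                                 {"owner": m["owner"], "short": m["short"]}, line))
    return entries


def review_flags(entry, dup_counts):
    """Heuristic review labels (this example's own names), mirroring the thread's reasoning."""
    flags = []
    # Legitimate BHOs and autostarts normally live under Program Files or system32,
    # not loose in the Windows root as xmllib.dll and ipee32.dll do here.
    if ntpath.dirname(entry.path).lower() == r"c:\windows":
        flags.append("module-in-windows-root")
    if entry.section == "O2" and entry.name.lower() == "(no name)":
        flags.append("bho-without-name")
    if entry.section == "O23" and entry.extra.get("owner", "").lower() == "unknown owner":
        flags.append("service-unknown-owner")
    if dup_counts[entry.raw] > 1:
        flags.append("duplicate-entry")
    return flags


def analyze(text):
    """Map each distinct log line to its list of review flags (possibly empty)."""
    entries = parse_log(text)
    dup_counts = Counter(e.raw for e in entries)
    return {e.raw: review_flags(e, dup_counts) for e in entries}


if __name__ == "__main__":
    for raw, flags in analyze(SAMPLE_LOG).items():
        print(("REVIEW " if flags else "ok     ") + raw, ", ".join(flags))
```

Run it on a saved HijackThis log by replacing SAMPLE_LOG with the file's contents; entries that get no flag (the NVIDIA NvCpl/nwiz lines, for instance) are exactly the ones the poster was unsure about, which is the point: a heuristic pass narrows the list, and each remaining name still has to be looked up before it is removed.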
Originally posted by Hola hoop
Hi again,
I did everything you suggested and here is my new HJT log. Seems stuff keeps coming back. Still can't do Start-Programs and find any programs, as it says EMPTY.
Still can't do Start-Settings-Control Panel...it never pops up.
What in the world do I do next? Please help me get things back to working again.
thanks a lot
BudE
Logfile of HijackThis v1.99.1
Scan saved at 9:31:19 PM, on 6/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Hi again, as I said, you still have work to do. The reason why they are still coming back is that there are still EXEs and DLLs running which are launching them again.
What are these 2 things?
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
Don't know what they are, but they look a bit suspicious.
Did you look in your Windows and system32 folders for those icons? Choose arrange icons by... date and take a look at the last few icons, and look at properties as to when they were created. If only in the last few days then this could be your problem, but google each one to make sure it's spyware and not a valid system file.
PS - there should be no more than 7 or 8 in total between both folders.
Hi again, as I said, you still have work to do. The reason why they are still coming back is that there are still EXEs and DLLs running which are launching them again.
What are these 2 things?
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
Don't know what they are, but they look a bit suspicious.
Hi Hola... These are two programs that the owner said they installed and said were OK. This is actually a system I am working on for a friend of a friend... unsuccessfully at the moment.
Did you look in your Windows and system32 folders for those icons? Choose arrange icons by... date and take a look at the last few icons, and look at properties as to when they were created. If only in the last few days then this could be your problem, but google each one to make sure it's spyware and not a valid system file.
I did get into the Windows and Windows\System32 folders and only found 2 entries, which I deleted. Found and deleted ipee32.dll and xmllib.dll. I cleared out the Recycle Bin after deleting the entries and rebooted too. Do you think any of these things are causing there to be NO programs when I go to Start-Programs? I've killed many viruses and trojans before and this one is beating up on me good.
And I really do appreciate all of your time and help too... will check back later.
Firstly, are you happy that the spyware has been successfully removed?
Is it only the Control Panel issue left now?
When this same thing happened to me my Control Panel was fine, but what it did was change my display properties.
Check my post about it here and check out the pic I uploaded.
In your registry there will be values for things like display and Control Panel, and they have values of either 1 or 0 (show or hide).
It will be too complicated to explain each and every one, so the best idea is, once you're happy the spyware has gone, back up important data and do a Windows repair/reinstall if you have the CD. This will set all control properties back to normal again.
This particular problem you had is not easy to FULLY fix and get everything back to normal.
PS - empty the Temporary Internet Files folder and delete all cookies and downloaded program files (Internet Properties/Settings).
Also, when I got this trojan there were quite a few internet HTML pages it downloaded too. I found these in the Windows folder and the C: drive too. Have a look.
GL