Thread: Smitfraud.c help needed

  1. #1
    Junior Member budE's Avatar
    Join Date
    May 2005
    Location
    Dallas, Texas
    Posts
    3

    Smitfraud.c help needed

    Operating System Version: Windows XP Home SP1
    Problem Application Name & Version: smitfraud.c
    Hi, I have a system hit by the smitfraud trojan and can't get things back right again. Start-Programs (shows-EMPTY) Can't open Control Panel from Start-Settings. CAN boot to safe mode, CAN use Windows Explorer, Can use Regedit. Got Display options up and viewing, but wallpaper won't change. Also the BlueScreen that smitfraud created is now gone.
    Disabled SystemRestore
    View all HiddenFolders and SystemFolders
    Quit most of the system processes i.e. SMSSU.exe, TMNTSRV32.exe, IEND.exe
    Ran AdAware and removed a lot of registry entries then rebooted.
    Ran Spybot S&D but only found DSO Exploit, fixed.
    System won't install AVG by Grisoft.
    CWS Shredder found nothing.
    Norton Anti-Virus won't run.
    Can someone please help me get my system back up and running clean again. Below is my HijackThis log attached:

    thanks in advance for any help given
    BudE

  2. #2
    Mod w/ an attitude Sterling_Aug's Avatar
    Join Date
    Jun 1999
    Location
    Schuylkill Haven, PA 1797
    Posts
    12,786
    Update to SP2, check with anti-virus programs.

    http://www.sysopt.com/forum/showthre...hreadid=161595

  3. #3
    Member Hola hoop's Avatar
    Join Date
    Jul 2004
    Location
    20000 leagues under the C
    Posts
    462
    This particular trojan you got because of a not properly patched system. You do not need to upgrade to Service pack 2 to fix this as the patch is part of Service Pack 1 cumulative security patches.

    budE it's no use just quitting the processes as they come back. U seem to have done most of the scanning stuff to remove, but there are registration entries and also in your WINDOWS and WINDOWS sys32 folders there will be several icons relating to this, prolly Ghost, Spyware remove, antivirus and couple more.

    Your HijackThis log shows many things to be removed.
    Remove all of the R1 and R0 entries
    Remove all of the O4 - HKLM\..\Run: [p] C:\WINDOWS\p (dunno why u have so many on there)
    Remove:
    O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
    O2 - BHO: (no name) - {D7AC1511-463F-7B9F-50A1-66F823A5FA17} - C:\WINDOWS\ipee32.dll


    Dunno what this is but i would remove it unless valid program:
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    I would remove :
    O4 - HKLM\..\Run: [iend.exe] C:\WINDOWS\system32\iend.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

    and maybe this :
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

    I would also remove these 2 as no idea what they do or are:
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

    That should give u a start. REMEMBER TO BACK UP REGISTRY BEFORE U DO THIS!

    Open registry editor and File/Export and save it sumwhere safe.
    For the love of GOD why wont this work?

  4. #4
    Ultimate Member Rocketmech's Avatar
    Join Date
    May 2001
    Location
    Corpus Christi, Texas
    Posts
    5,739
    Try Hijackthis Analyzer

    It helps to scan and clean in Safe Mode. Or you can slave the hdd in another pc, then scan it there. Another option is to use UBCD for Windows or Knoppix.

    In the long run you may need to Repair Install XP or bite the bullet... backup, format and reinstall.

  5. #5
    Junior Member budE's Avatar
    Join Date
    May 2005
    Location
    Dallas, Texas
    Posts
    3
    Originally posted by Hola hoop
    Hi again,
    I did everything you suggested and here is my new HJT log. Seems stuff keeps coming back. Still can't do Start-Programs and find any programs as it says EMPTY.
    Still can't do Start-Settings-Control Panel...it never pops up.
    What in the world do I do next? Please help me get things back to working again.

    thanks a lot
    BudE
    Logfile of HijackThis v1.99.1
    Scan saved at 9:31:19 PM, on 6/2/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Programs\HJT\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 8.0\waol.exe
    O4 - HKLM\..\Run: [p] C:\WINDOWS\p
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: HP Organize.lnk = ?
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7E7AB81E-19CE-4604-83C6-4C39BE4011B9}: NameServer = 151.164.1.7,151.164.1.8
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  6. #6
    Member Hola hoop's Avatar
    Join Date
    Jul 2004
    Location
    20000 leagues under the C
    Posts
    462
    Hi again, as i said u still have work to do. The reason why they are still coming back is that there are still exe and dll running which is launching them again.

    what are these 2 things?

    C:\Program Files\Softex\OmniPass\OPXPApp.exe

    C:\Program Files\Softex\OmniPass\Omniserv.exe

    don't know what they are but look a bit suspicious

    Did you look in your windows and system32 folder for those icons? Choose arrange icons by....date and take a look at the last few icons and look at properties as to when they were created. If only in last few days then this could be your problem but google each one to make sure it's spyware and not a valid system file.

    ps - there should be no more than 7 or 8 in total between both folders

    gl

    For the love of GOD why wont this work?
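
Added example (not part of any post in this thread): a small Python helper that checks which HijackThis entries flagged for removal in post #3 are still present in the later log from post #5, matching on BHO CLSID, Run value name or service name rather than on the whole line. The sample inputs are lines quoted in the thread; the function names and matching rules are this example's own assumptions.

```python
import re

LINE = re.compile(r"^\s*((?:R|O|F|N)\d+) - (.*\S)\s*$")   # "O4 - <detail>"
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")               # BHO class id
RUN = re.compile(r"^(\S+): \[([^\]]+)\]")                 # hive key + value name
SVC = re.compile(r"^Service: .*\(([^()]+)\) - ")          # service short name

def entry_key(code, detail):
    """Identity of an entry that survives a path or display-name change."""
    if code == "O2" and (m := CLSID.search(detail)):
        return (code, m.group(0).lower())
    if code == "O4" and (m := RUN.match(detail)):
        return (code, m.group(1).lower(), m.group(2).lower())
    if code == "O23" and (m := SVC.match(detail)):
        return (code, m.group(1).lower())
    return (code, " ".join(detail.lower().split()))

def parse_hjt(text):
    """Map entry key -> original line for every R/O/F/N line in a log."""
    entries = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            entries[entry_key(*m.groups())] = raw.strip()
    return entries

def persisted(flagged_text, later_log_text):
    """Flagged entries whose key still appears in the later log."""
    flagged, later = parse_hjt(flagged_text), parse_hjt(later_log_text)
    return [later[k] for k in flagged if k in later]

# Sample input: lines copied from post #3 (flagged) and post #5 (later log).
FLAGGED = r"""
O4 - HKLM\..\Run: [p] C:\WINDOWS\p
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O2 - BHO: (no name) - {D7AC1511-463F-7B9F-50A1-66F823A5FA17} - C:\WINDOWS\ipee32.dll
O4 - HKLM\..\Run: [iend.exe] C:\WINDOWS\system32\iend.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
"""
LATER_LOG = r"""
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [p] C:\WINDOWS\p
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
"""

if __name__ == "__main__":
    for line in persisted(FLAGGED, LATER_LOG):
        print("still present:", line)
```

An entry that shows up here was either never removed or was written back by something still running, so it is the place to look for the launcher before rescanning.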

  7. #7
    Junior Member budE's Avatar
    Join Date
    May 2005
    Location
    Dallas, Texas
    Posts
    3
    Originally posted by Hola hoop
    Hi again, as i said u still have work to do. The reason why they are still coming back is that there are still exe and dll running which is launching them again.

    what are these 2 things?

    C:\Program Files\Softex\OmniPass\OPXPApp.exe

    C:\Program Files\Softex\OmniPass\Omniserv.exe

    don't know what they are but look a bit suspicious

    Hi Hola...These are two programs that the owner said they installed and said it was ok. This is actually a system I am working on for a friend of a friend...unsuccessfully at the moment.

    Did you look in your windows and system32 folder for those icons? Choose arrange icons by....date and take a look at the last few icons and look at properties as to when they were created. If only in last few days then this could be your problem but google each one to make sure it's spyware and not a valid system file.

    I did get into the Windows and WindowsSystem32 folders and only found 2 entries, which I deleted. Found and deleted ipee32.dll and xmllib.dll. I cleared out RecycleBin after deleting entries and rebooted too. Do you think any of these things are causing there to be NO programs when I go to Start-Programs? I've killed many viruses and trojans before and this one is beating up on me good.

    And I really do appreciate all of your time and help too...will check back later.

    BudE

  8. #8
    Member Hola hoop's Avatar
    Join Date
    Jul 2004
    Location
    20000 leagues under the C
    Posts
    462
    Ok budE

    Firstly, are u happy that the spyware has been successfully removed?
    Is it only the control panel issue left now?

    When this same thing happened to me my control panel was fine but what it did was to change my display properties

    check my post about it here and check out my pic i uploaded.

    In your registry there will be values for things like display and control panel and have values either 1 or 0 (show or hide)

    It will be too complicated to explain each and every one, so best idea is once you're happy the spyware has gone, back up important data and do a windows repair/re-install if u have cd. this will set all control properties back to normal again.

    this particular problem u had is not easy to FULLY fix and get everything back to normal.

    ps - empty temp internet folder and delete all cookies and downloaded program files ( Internet properties/settings).
    Also, when i got this trojan there were quite a few internet html pages it downloaded too. I found these in windows folder and the c: drive too. have a look
    GL

    Last edited by Hola hoop; 06-03-2005 at 11:02 AM.
    For the love of GOD why wont this work?
