Trojan-Spy.HTML.Smitfraud.c

05.05.05, 17:18
This morning the following message appeared on my Windows desktop:

Security Warning

A fatal error in ID has occured at [and here a string of numbers that I can't
read, because since I last turned the computer on the message has shrunk so much
that it's hard to read it right now]. Error was caused by Trojan-Spy.HTML.Smitfraud.c.

* [can't read this] can not funktion in normal mode.
Pleace check your security settings.
* Scan you PC with any avible antivirus/ spyware remover program to fix the
problem.



I scanned with Ad-Aware. It found that a program called Security iGuard was
infiltrated, so I removed that program. As a firewall I have ZoneAlarm Pro.
For now, apart from not being able to get into my Gmail, everything works.
Does anyone have any experience with this trojan? I tried to find something on
the subject through Google, but all I found was a note on some Dutch forum,
where someone reported having the same problem.

Regards,

CJ
    • Guest: Kolobos Re: Trojan-Spy.HTML.Smitfraud.c IP: *.icm.edu.pl / *.icm.edu.pl 05.05.05, 17:54
      Scan with this:
      www.spychecker.com/program/hijackthis.html
      And paste the scan results on the forum.
      • clairejoanna Re: Trojan-Spy.HTML.Smitfraud.c 05.05.05, 18:40
        Logfile of HijackThis v1.99.1
        Scan saved at 18:37:32, on 05.05.2005
        Platform: Windows XP SP1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
        C:\WINDOWS\System32\Ati2evxx.exe
        C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
        C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
        C:\WINDOWS\Explorer.EXE
        C:\Programme\WinPoET Broadband Connection\WrOS.EXE
        C:\WINDOWS\soundman.exe
        C:\Programme\Synaptics\SynTP\SynTPLpr.exe
        C:\Programme\Synaptics\SynTP\SynTPEnh.exe
        C:\WINDOWS\System32\atiptaxx.exe
        C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
        C:\Programme\Ahead\InCD\InCD.exe
        C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
        C:\Programme\Saitek\Saitek Gaming Extensions\saicnfig.exe
        C:\Programme\Messenger\msmsgs.exe
        C:\WINDOWS\System32\rundll32.exe
        C:\WINDOWS\System32\ctfmon.exe
        C:\PROGRA~1\The Weather Channel\DWHeartbeatMonitor.exe
        C:\wp.exe
        C:\Programme\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
        C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
        C:\Programme\StarOffice6.0\program\soffice.exe
        C:\WINDOWS\system32\ntvdm.exe
        C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
        C:\Programme\mozilla.org\Mozilla\mozilla.exe
        C:\Instalki\Hijack\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
        res://C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll/spage.html
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
        de.rd.yahoo.com/customize/ie/defaults/su/ymsgr6/us/*http://www.yahoo.de
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
        res://C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll/spage.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
        de.rd.yahoo.com/customize/ie/defaults/su/ymsgr6/us/*http://www.yahoo.de
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
        R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
        http://pralerts.zonelabs.com/pralerts/pranalyze.jsp?PN=tonchkml&VER=1,+4,+0,+0&FN=TONCHKML.EXE&Created=2af1608d&Size=45056&MD5=72fa2d9e96fdb0aef459cc4525f6dd6b&&RIPA=194.25.134.33&RP=811&Connect=1&Pgmstatus=1&Zone=2&Keycode=cra6k29w8euri5r5tr37kqef9g0&Product=ZoneAlarm+Pro&ProductVersion=3.5.169.002&HU100=&DTST=9484&QSRC=1&OS=Windows+XP-5.1.2600--SP&LANG=1031&CL=en
        (obfuscated)
        O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
        C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
        C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
        O2 - BHO: (no name) - {B2CFC1F1-2D65-4097-AD42-2DFB32418EEE} -
        C:\WINDOWS\System32\hipf.dll
        O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
        C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
        C:\WINDOWS\System32\msdxm.ocx
        O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
        C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
        O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
        C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
        O4 - HKLM\..\Run: [SoundMan] soundman.exe
        O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
        O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
        O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
        O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec
        Shared\ccApp.exe"
        O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec
        Shared\ccRegVfy.exe"
        O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
        O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
        O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate
        Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
        O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate
        Bytes\CloneCD\CloneCDTray.exe"
        O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Programme\Saitek\Saitek Gaming
        Extensions\saicnfig.exe /autorun
        O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe
        /Consumer
        O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec
        Shared\Security Center\UsrPrmpt.exe
        O4 - HKLM\..\Run: [Security iGuard] C:\Programme\Security iGuard\Security iGuard.exe
        O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll,DllInstall
        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
        O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\The Weather Channel\The
        Weather Channel.exe
        O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\The Weather
        Channel\DWHeartbeatMonitor.exe
        O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
        O4 - Startup: StarOffice 6.0.lnk = C:\Programme\StarOffice6.0\program\quickstart.exe
        O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK =
        C:\Programme\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
        O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
        C:\Programme\Java\j2re1.4.1_01\bin\npjpi141_01.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console -
        {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
        C:\Programme\Java\j2re1.4.1_01\bin\npjpi141_01.dll
        O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
        C:\Programme\Yahoo!\Messenger\yhexbmes.dll
        O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
        {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
        C:\Programme\Messenger\MSMSGS.EXE
        O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
        - C:\Programme\Messenger\MSMSGS.EXE
        O9 - Extra button: Microsoft AntiSpyware helper -
        {7F8F6C57-E9A3-4A5F-A553-D8BBDA0CC763} - (no file) (HKCU)
        O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
        {7F8F6C57-E9A3-4A5F-A553-D8BBDA0CC763} - (no file) (HKCU)
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
        v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115132697407
        O18 - Filter: text/html - {A26C1B30-9C78-4B83-9D3B-858F19AF4632} -
        C:\WINDOWS\System32\hipf.dll
        O18 - Filter: text/plain - {A26C1B30-9C78-4B83-9D3B-858F19AF4632} -
        C:\WINDOWS\System32\hipf.dll
        O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
        O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
        C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
        O23 - Service:
        • Guest: Kolobos Re: Trojan-Spy.HTML.Smitfraud.c IP: *.icm.edu.pl / *.icm.edu.pl 05.05.05, 18:46
          Use this:
          www.trojaner-info.de/files/SpSeHjfix112.exe

          In HijackThis choose Scan only and tick these entries:

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
          res://C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll/spage.html
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
          de.rd.yahoo.com/customize/ie/defaults/su/ymsgr6/us/*www.yahoo.de
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
          res://C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll/spage.html
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
          R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          about:blank
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          about:blank
          R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
          de.rd.yahoo.com/customize/ie/defaults/su/ymsgr6/us/*www.yahoo.de
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
          R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
          pralerts.zonelabs.com/pralerts/pranalyze.jsp?PN=tonchkml&VER=1,+4,+0,+0&FN=TONCHKML.EXE&Created=2af1608d&Size=45056&MD5=72fa2
          d9e96fdb0aef459cc4525f6dd6b&&RIPA=194.25.134.33&RP=811&Connect=1&Pgmstatus=1&Zon
          e=2&Keycode=cra6k29w8euri5r5tr37kqef9g0&Product=ZoneAlarm+Pro&ProductVersion=3.5
          .169.002&HU100=&DTST=9484&QSRC=1&OS=Windows+XP-5.1.2600--SP&LANG=1031&CL=en
          (obfuscated)
          O2 - BHO: (no name) - {B2CFC1F1-2D65-4097-AD42-2DFB32418EEE} -
          C:\WINDOWS\System32\hipf.dll
          O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Claire\LOKALE~1
          \Temp\se.dll,DllInstall
          O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
          O18 - Filter: text/html - {A26C1B30-9C78-4B83-9D3B-858F19AF4632} -
          C:\WINDOWS\System32\hipf.dll
          O18 - Filter: text/plain - {A26C1B30-9C78-4B83-9D3B-858F19AF4632} -
          C:\WINDOWS\System32\hipf.dll

          And Fix Checked, then after the reboot paste a new HijackThis log.
          • clairejoanna Re: Trojan-Spy.HTML.Smitfraud.c 05.05.05, 20:33
            I trusted you and deleted them. I have a backup, so I can afford to.

            My Ad-Aware did another scan and once again showed me some 26 "critical
            objects", almost all of them, apart from two or three, from something called
            CoolWebSearch. I can't find this CoolWebSearch. It has already shown me this
            CoolWebSearch several times today and I've deleted it several times today,
            and it's still there all the time.

            Here are the HijackThis results:

            Logfile of HijackThis v1.99.1
            Scan saved at 20:23:39, on 05.05.2005
            Platform: Windows XP SP1 (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
            C:\WINDOWS\System32\Ati2evxx.exe
            C:\WINDOWS\Explorer.EXE
            C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
            C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
            C:\WINDOWS\soundman.exe
            C:\Programme\Synaptics\SynTP\SynTPLpr.exe
            C:\Programme\Synaptics\SynTP\SynTPEnh.exe
            C:\WINDOWS\System32\atiptaxx.exe
            C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
            C:\Programme\Ahead\InCD\InCD.exe
            C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
            C:\Programme\Saitek\Saitek Gaming Extensions\saicnfig.exe
            C:\WINDOWS\System32\ctfmon.exe
            C:\Programme\Messenger\msmsgs.exe
            C:\PROGRA~1\The Weather Channel\DWHeartbeatMonitor.exe
            C:\WINDOWS\system32\ZoneLabs\vsmon.exe
            C:\Programme\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
            C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
            C:\Programme\StarOffice6.0\program\soffice.exe
            C:\Programme\WinPoET Broadband Connection\WrOS.EXE
            C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
            C:\WINDOWS\system32\ntvdm.exe
            C:\WINDOWS\System32\rundll32.exe
            C:\Instalki\HijackThis.exe

            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
            res://C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll/spage.html
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
            res://C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll/spage.html
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
            R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
            O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
            C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
            O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
            C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
            O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
            C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
            O2 - BHO: (no name) - {C4574351-24E9-484D-AEB2-E62E185E2F83} -
            C:\WINDOWS\System32\hipf.dll
            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
            C:\WINDOWS\System32\msdxm.ocx
            O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
            C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
            O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
            C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
            O4 - HKLM\..\Run: [SoundMan] soundman.exe
            O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
            O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
            O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
            O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
            O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec
            Shared\ccApp.exe"
            O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec
            Shared\ccRegVfy.exe"
            O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
            O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
            O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate
            Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
            O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate
            Bytes\CloneCD\CloneCDTray.exe"
            O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Programme\Saitek\Saitek Gaming
            Extensions\saicnfig.exe /autorun
            O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe
            /Consumer
            O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec
            Shared\Security Center\UsrPrmpt.exe
            O4 - HKLM\..\Run: [Security iGuard] C:\Programme\Security iGuard\Security iGuard.exe
            O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll,DllInstall
            O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
            O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
            O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
            O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\The Weather Channel\The
            Weather Channel.exe
            O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\The Weather
            Channel\DWHeartbeatMonitor.exe
            O4 - Startup: StarOffice 6.0.lnk = C:\Programme\StarOffice6.0\program\quickstart.exe
            O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK =
            C:\Programme\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
            O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
            C:\Programme\Java\j2re1.4.1_01\bin\npjpi141_01.dll
            O9 - Extra 'Tools' menuitem: Sun Java Console -
            {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
            C:\Programme\Java\j2re1.4.1_01\bin\npjpi141_01.dll
            O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
            C:\Programme\Yahoo!\Messenger\yhexbmes.dll
            O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
            {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes.dll
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
            C:\Programme\Messenger\MSMSGS.EXE
            O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
            - C:\Programme\Messenger\MSMSGS.EXE
            O9 - Extra button: Microsoft AntiSpyware helper -
            {7F8F6C57-E9A3-4A5F-A553-D8BBDA0CC763} - (no file) (HKCU)
            O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
            {7F8F6C57-E9A3-4A5F-A553-D8BBDA0CC763} - (no file) (HKCU)
            O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
            v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115132697407
            O18 - Filter: text/html - {FEE20CA2-872F-447E-B1E8-CEC550E30CA8} -
            C:\WINDOWS\System32\hipf.dll
            O18 - Filter: text/plain - {FEE20CA2-872F-447E-B1E8-CEC550E30CA8} -
            C:\WINDOWS\System32\hipf.dll
            O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
            O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
            C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
            O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec
            Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
            O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
            Corporation - C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
            O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
            Corporation - C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
            O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
            C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
            O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation
            - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
            O23 - Service: SymWMI
            • Guest: Kolobos Re: Trojan-Spy.HTML.Smitfraud.c IP: *.warszawa.sdi.tpnet.pl 05.05.05, 20:50
              Ad-Aware detects it and you remove it with Ad-Aware, or what?
              Scan the system with these:
              housecall.trendmicro.com/housecall/start_corp.asp
              www.windowsecurity.com/trojanscan/
              www.pandasoftware.com/activescan/pol/activescan_principal.htm
              Plus the SpyBot S&D given below, and remove everything it finds.

              Did you use the program I gave you? Because you still have aboutblank, or
              coolwebsearch if you prefer to call it that.
              www.trojaner-info.de/files/SpSeHjfix112.exe <- run it and click Start Disinfect;
              then a Log button will appear, press it and a file will appear:
              SPSeHjFix.log, paste its contents on the forum.

              Here is a description of removing the fake wallpaper:
              www.searchengines.pl/phpbb203/index.php?showtopic=31936&st=0&p=149274&#entry149274
              (Trojan-Spy.HTML.Smitfraud.c)

              In HijackThis tick this:
              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
              res://C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll/spage.html
              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
              res://C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll/spage.html
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
              R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
              about:blank
              R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
              about:blank
              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
              O2 - BHO: (no name) - {C4574351-24E9-484D-AEB2-E62E185E2F83} -
              C:\WINDOWS\System32\hipf.dll
              O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Claire\LOKALE~1
              \Temp\se.dll,DllInstall
              O18 - Filter: text/html - {FEE20CA2-872F-447E-B1E8-CEC550E30CA8} -
              C:\WINDOWS\System32\hipf.dll
              O18 - Filter: text/plain - {FEE20CA2-872F-447E-B1E8-CEC550E30CA8} -
              C:\WINDOWS\System32\hipf.dll

              And Fix Checked, then download:
              www.downloads.subratam.org/KillBox.zip
              Unpack it, tick Delete file on reboot, paste the path to the file (don't
              browse for it yourself, just paste the ready-made path) and press the red
              button, but answer No to the question about a reboot; do that with these files:
              C:\WINDOWS\System32\hipf.dll
              C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll

              If you want to read more about this CWS, it's here:
              www.searchengines.pl/phpbb203/index.php?showtopic=34586
              Also install:
              www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D ->
              scan and enable browser protection
              www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster -> enable
              browser protection
              www.wilderssecurity.net/spywareguard.html <- SpywareGuard

              When you're done, paste a new log.

              "I trusted you and deleted them. I have a backup, so I can afford to."

              heh, if you don't want to, you don't have to delete anything...
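The entries Kolobos ticks in the two lists above (the IE search keys pointing at a res:// resource inside se.dll in the Temp folder or forced to about:blank, the unnamed BHO and the text/html and text/plain filters in hipf.dll, the rundll32 Run entry and c:\wp.exe) fall into a few patterns, and the CLSIDs on the hipf.dll BHO and filters differ between the two posted logs while the file names stay the same. The script below is an added example, not code from the thread or from HijackThis: it parses HijackThis log lines and flags those patterns by section and file path rather than by CLSID. The sample lines are constructed from the posted logs, rejoined onto single lines where the forum wrapped them; `Finding`, `triage`, `reason_for` and `flagged_files` are names chosen here.

```python
"""Heuristic triage of HijackThis log entries (added example, not HijackThis code).

Flags the classes of entry a helper would tick: IE page settings served from a
res:// DLL resource in a Temp directory or forced to about:blank, a Browser
Helper Object with no name, a Run entry that has rundll32 load a DLL from Temp,
an autorun executable sitting in the drive root, and O18 MIME filters for
text/html or text/plain. Keys on paths and sections, not on CLSIDs.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in the thread, with the
# forum's line wrapping undone so each entry is on one line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B2CFC1F1-2D65-4097-AD42-2DFB32418EEE} - C:\WINDOWS\System32\hipf.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\Claire\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O18 - Filter: text/html - {A26C1B30-9C78-4B83-9D3B-858F19AF4632} - C:\WINDOWS\System32\hipf.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "R1" or "O4"
    line: str      # the full log line
    reason: str    # why the heuristics flagged it


ENTRY = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
ROOT_EXE = re.compile(r'^"?[a-z]:\\[^\\"]+\.exe"?$', re.IGNORECASE)
# A Windows path ending in a binary, stopped by whitespace, comma, quote or '/'.
WIN_PATH = re.compile(r'[a-z]:\\.+?\.(?:dll|exe|ocx)(?=[\s,"/]|$)', re.IGNORECASE)


def parse_entry(line):
    """Split 'R1 - body' into ('R1', 'body'); None for header or process lines."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def reason_for(section, body):
    """Return a flag reason for one entry, or None if it looks ordinary."""
    if section.startswith("R"):
        key, _, value = body.partition(" = ")
        value = value.strip()
        if value.lower().startswith("res://") and TEMP_DIR.search(value):
            return "IE page setting served from a DLL resource in a Temp directory"
        if value.lower() == "about:blank" and re.search(r"Search|HomeOldSP", key):
            return "search setting forced to about:blank (CoolWebSearch-style hijack)"
    elif section == "O2":
        if body.startswith("BHO: (no name)"):
            return "Browser Helper Object registered without a name"
    elif section == "O4":
        m = re.match(r".*?\[[^\]]*\]\s*(.*)$", body)
        cmd = m.group(1).strip() if m else ""
        if cmd.lower().startswith("rundll32") and TEMP_DIR.search(cmd):
            return "rundll32 loads a DLL from a Temp directory at every logon"
        if ROOT_EXE.match(cmd):
            return "autorun executable placed directly in the drive root"
    elif section == "O18":
        m = re.match(r"Filter:\s*(\S+)", body)
        if m and m.group(1).lower() in ("text/html", "text/plain"):
            return f"MIME filter for {m.group(1)} can rewrite every page IE renders"
    return None


def triage(log_text):
    """Run every entry of a HijackThis log through the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if not parsed:
            continue
        section, body = parsed
        reason = reason_for(section, body)
        if reason:
            findings.append(Finding(section, raw.strip(), reason))
    return findings


def flagged_files(findings):
    """Base names of the DLLs/executables the flagged entries point at."""
    names = set()
    for f in findings:
        for path in WIN_PATH.findall(f.line):
            names.add(path.rsplit("\\", 1)[-1].lower())
    return sorted(names)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("files to investigate:", ", ".join(flagged_files(results)))
```

Run as a script it prints the six flagged lines and the three file names (hipf.dll, se.dll, wp.exe) that the thread ends up deleting; `reason_for` returns None for ordinary entries such as the Adobe BHO or the Local Page key, so the output is the short list a helper would actually review. Because the rules key on the path rather than the CLSID, they fire just as well on the second posted log, where the BHO and filter GUIDs have changed.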
              • clairejoanna Re: Trojan-Spy.HTML.Smitfraud.c 06.05.05, 00:13
                With the help of searchengines.pl I finally got rid of this trojan. Now the desktop
                is fine, but my Gmail still doesn't work... and maybe that's for the better? It
                started with Gmail: I downloaded my address book from Yahoo as a csv... The things
                a person learns in life...

                I can delete whatever you want, but how am I to know that you're not the hacker
                who has been following me across half the internet to steal my fantastic
                Norwegian paper? :-b Because that's probably the most valuable thing I have on the computer ;-)

                Regards,

                CJ
                • Guest: Kolobos Re: Trojan-Spy.HTML.Smitfraud.c IP: *.warszawa.sdi.tpnet.pl 06.05.05, 00:25
                  Paste a new HijackThis log, I'll check whether anything is left.
                  You can always check on the internet whether what I wrote really is to be
                  deleted, or whether I'm trying to break your system even more ;-)
                  • clairejoanna Re: Trojan-Spy.HTML.Smitfraud.c 06.05.05, 00:57
                    Logfile of HijackThis v1.99.1
                    Scan saved at 00:55:04, on 06.05.2005
                    Platform: Windows XP SP1 (WinNT 5.01.2600)
                    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                    Running processes:
                    C:\WINDOWS\System32\smss.exe
                    C:\WINDOWS\system32\winlogon.exe
                    C:\WINDOWS\system32\services.exe
                    C:\WINDOWS\system32\lsass.exe
                    C:\WINDOWS\system32\svchost.exe
                    C:\WINDOWS\System32\svchost.exe
                    C:\WINDOWS\system32\spoolsv.exe
                    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
                    C:\WINDOWS\System32\Ati2evxx.exe
                    C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
                    C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
                    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                    C:\Programme\WinPoET Broadband Connection\WrOS.EXE
                    C:\WINDOWS\Explorer.EXE
                    C:\WINDOWS\soundman.exe
                    C:\Programme\Synaptics\SynTP\SynTPLpr.exe
                    C:\Programme\Synaptics\SynTP\SynTPEnh.exe
                    C:\WINDOWS\System32\atiptaxx.exe
                    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
                    C:\Programme\Ahead\InCD\InCD.exe
                    C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
                    C:\Programme\Saitek\Saitek Gaming Extensions\saicnfig.exe
                    C:\Programme\Messenger\msmsgs.exe
                    C:\WINDOWS\System32\ctfmon.exe
                    C:\Programme\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
                    C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
                    C:\Programme\StarOffice6.0\program\soffice.exe
                    C:\WINDOWS\system32\ntvdm.exe
                    C:\Programme\Yahoo!\Messenger\ypager.exe
                    C:\Programme\mozilla.org\Mozilla\mozilla.exe
                    C:\Instalki\HijackThis.exe

                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
                    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
                    C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
                    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
                    C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
                    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
                    C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
                    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
                    C:\WINDOWS\System32\msdxm.ocx
                    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
                    C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
                    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
                    C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
                    O4 - HKLM\..\Run: [SoundMan] soundman.exe
                    O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
                    O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
                    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
                    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
                    O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
                    O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
                    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
                    O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
                    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
                    O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
                    O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Programme\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
                    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SymNetDrv\SNDMon.exe /Consumer
                    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
                    O4 - HKLM\..\Run: [Security iGuard] C:\Programme\Security iGuard\Security iGuard.exe
                    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
                    O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
                    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
                    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\The Weather Channel\The Weather Channel.exe
                    O4 - Startup: StarOffice 6.0.lnk = C:\Programme\StarOffice6.0\program\quickstart.exe
                    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Programme\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
                    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
                    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_01\bin\npjpi141_01.dll
                    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_01\bin\npjpi141_01.dll
                    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes.dll
                    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes.dll
                    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
                    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
                    O9 - Extra button: Microsoft AntiSpyware helper - {7F8F6C57-E9A3-4A5F-A553-D8BBDA0CC763} - (no file) (HKCU)
                    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7F8F6C57-E9A3-4A5F-A553-D8BBDA0CC763} - (no file) (HKCU)
                    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115132697407
                    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
                    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
                    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
                    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
                    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
                    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
                    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
                    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
                    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                    O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Programme\WinPoET Broadband Connection\WrOS.EXE


                    Maybe there is something to check, but maybe it is also the case that all of this is a Great Conspiracy
                    to Infiltrate my laptop :-)

                    Regards and thanks,

                    Claire Joanna
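The log above is a plain HijackThis text dump, one autostart entry per line, which the forum has wrapped onto two lines in places. The following is an added example (not code from this thread or from HijackThis) of a small triage script for such a log: it rejoins the wrapped lines, parses the O4 (Run keys and Startup folders), O9 (browser buttons) and O23 (services) sections, and flags three things a reviewer looks for first, an entry matching a watchlist, an entry whose file is reported as "(no file)", and a service with "Unknown owner". The sample input is constructed from lines of the posted log; the watchlist contains only "Security iGuard", which the thread itself says Ad-aware flagged, and is an assumption for the example rather than a real signature feed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the posted HijackThis log. Two entries are
# deliberately wrapped across lines, as the forum rendered them.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [Security iGuard] C:\Programme\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Microsoft AntiSpyware helper -
{7F8F6C57-E9A3-4A5F-A553-D8BBDA0CC763} - (no file) (HKCU)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed watchlist for this example only (lower-case substrings).
WATCHLIST = {"security iguard"}

ENTRY_RE = re.compile(r"^O\d+ - ")
O4_RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<name>.+?) = (?P<path>.+)$")
O9_RE = re.compile(r"^O9 - (?P<kind>[^:]+): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    section: str   # HijackThis section code: O4, O9, O23
    name: str      # Run value name, button title or service display name
    path: str      # what is executed, or "(no file)"
    owner: str     # O23 only: service vendor string as HijackThis prints it
    raw: str       # the rejoined log line


def rejoin_wrapped(text: str) -> list[str]:
    """Glue forum-wrapped continuation lines back onto the entry they belong to.

    A continuation line is any non-empty line that does not start with 'Onn - '.
    """
    entries: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one rejoined line; sections this example does not model return None."""
    m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
    if m:
        return Entry("O4", m["name"], m["path"].strip(), "", line)
    m = O9_RE.match(line)
    if m:
        # HijackThis appends the hive in parentheses for per-user O9 entries.
        path = re.sub(r"\s*\((HKCU|HKLM)\)$", "", m["path"])
        return Entry("O9", m["name"], path, "", line)
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m["name"], m["path"], m["owner"], line)
    return None


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Return (entry, reason) pairs for entries that deserve a closer look."""
    findings: list[tuple[Entry, str]] = []
    for e in entries:
        haystack = (e.name + " " + e.path).lower()
        if any(w in haystack for w in WATCHLIST):
            findings.append((e, "matches watchlist"))
        elif e.path == "(no file)":
            findings.append((e, "dangling entry: referenced file is missing"))
        elif e.section == "O23" and e.owner == "Unknown owner":
            findings.append((e, "service without a recognised owner"))
    return findings


def triage_log(text: str) -> list[tuple[Entry, str]]:
    parsed = [e for e in map(parse_entry, rejoin_wrapped(text)) if e is not None]
    return triage(parsed)


if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LOG):
        print(f"[{entry.section}] {entry.name}: {reason}\n    {entry.raw}")
```

On the sample this reports the Security iGuard Run key, the dangling Microsoft AntiSpyware button, and the Ati HotKey Poller service; the last is benign in this log (the ATI driver simply lacks a vendor string), which is why "Unknown owner" is a prompt to verify the binary, not a verdict.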
                    • Guest: Kolobos Re: Trojan-Spy.HTML.Smitfraud.c IP: *.warszawa.sdi.tpnet.pl 06.05.05, 11:48
                      The log is OK now :-)