Before I Post My HJT Log...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Atratus, Jul 12, 2005.

  1. Atratus

    Atratus Private E-2

    Having trouble with trojans and spyware

    Yesterday I infected my computer with a seemingly nasty trojan. I found this site and saw the "Read Me First" article for steps to take before asking for assistance. I tried doing as much as I could, but because of the trojan (I believe) I can't access the internet. Instead of my normal home page, I'm sent to "res://shdocsv.dll/blank.htm". It won't allow me to view anything else on the internet, so I can't do what the article says to do. From what I can see on my computer the trojan is called "Trojan-spy.HTML.smitfraud.c". I do have older versions of spybot, adaware, and norton antivirus; but they didn't fix anything when I ran them. I have older versions of those scanners because my internet had been down for a little over a year and I had just fixed it. It's a little disappointing to get it working and have it mess up after a few days. Anyway, any help is appreciated, and sorry you have to put up with my technical ignorance. This is a great site too! Very helpful and what not.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Re: Having trouble with trojans and spyware

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixsmit.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the fixsmit.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    After you complete the above, get on a computer with internet access and follow the below:

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Atratus

    Atratus Private E-2

    I recently asked for help in removing a trojan and spyware from my computer and bjgarrick told me what to do to fix the problem and told me to post my HJT log in another post. To do so I would have to burn it to a disk and bring it to this computer because the infected computer doesn't have internet (because the trojan or spyware won't let me access other websites). So would I be putting this computer at risk if I put a disk that was previously in the infected computer into this one? Or, am I just being a complete idiot and can just type the log on this computer and post it as an attachment... Thanks and sorry again if I'm sounding like a computer moron.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It will not hurt anything if you burn it on a disk and transfer it. Did you run the registry patch yet?

    Also, I would recommend using a floppy as this will be easier and will take less time.
     
  5. Atratus

    Atratus Private E-2

    I did run the registry patch. I also put Hijack this on the computer, I guess I'll just put my log in a new post. Also, thanks for all the help so far.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do not start a new thread! Post your log in this message thread.
     
  7. Atratus

    Atratus Private E-2

    Ok, here is my HJT Log...
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your Internet Explorer version is WAY out of date and represents a major security risk. After we fix your current problems, you must get updated.


    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Kazaa


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=382
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm

    O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL

    O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL

    O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
    O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
    O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
    O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thn32.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\Kazaa ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System\intel32.exe

    C:\WINDOWS\System\wtc.dll

    C:\WINDOWS\System\thn32.dll

    C:\WINDOWS\System\hookdump.exe

    C:\WINDOWS\System32\svcnt.exe

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file smitfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the smitfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    After you complete ALL of the above REBOOT, Scan with HijackThis and attach the new log.
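
As an added example (not part of the original post and not a MajorGeeks or HijackThis tool), this Python sketch parses HijackThis entries in the format quoted above and compares the files they reference with the manual delete list. The function names `parse_entry` and `cross_check` are made up for this illustration; names that appear on only one side are worth confirming with the helper before deleting anything.

```python
import re

# A subset of the fix-list entries, copied verbatim from the post above.
FIX_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thn32.dll
""".strip().splitlines()

# The manual delete list from the same post (the first entry is a folder).
DELETE_LIST = [
    r"C:\Program Files\Kazaa",
    r"C:\WINDOWS\System\intel32.exe",
    r"C:\WINDOWS\System\wtc.dll",
    r"C:\WINDOWS\System\thn32.dll",
    r"C:\WINDOWS\System\hookdump.exe",
    r"C:\WINDOWS\System32\svcnt.exe",
]

LINE_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")            # "O4 - <detail>"
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)  # drive path up to .exe/.dll

def parse_entry(line):
    """Split one log line into section code, detail text and referenced file."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, detail = m.groups()
    p = PATH_RE.search(detail)
    # Windows paths are case-insensitive, so normalise to lower case.
    return {"code": code, "detail": detail, "file": p.group(0).lower() if p else None}

def _under(path, root):
    """True if path equals root or lies inside the folder root."""
    return path == root or path.startswith(root + "\\")

def cross_check(fix_lines, delete_list):
    """Return (files referenced but not listed, listed paths not referenced)."""
    entries = [e for e in map(parse_entry, fix_lines) if e]
    files = {e["file"] for e in entries if e["file"]}
    targets = [d.lower() for d in delete_list]
    unlisted = sorted(f for f in files if not any(_under(f, t) for t in targets))
    unreferenced = sorted(t for t in targets if not any(_under(f, t) for f in files))
    return unlisted, unreferenced
```

Run on the lines above, `cross_check(FIX_LINES, DELETE_LIST)` returns `mtc.dll` as referenced by an entry but absent from the delete list, and `wtc.dll` as listed for deletion but not referenced by any entry.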
     
  9. Atratus

    Atratus Private E-2

    I did as much of what you said as possible, but ran into a few problems. I rebooted in safe mode with network (since that was what the preliminary spyware remover article said). I couldn't access the internet to download the CCleaner and Ad-Aware SE (I had Ad-Aware 6.0). I tried putting it on a disk to get CCleaner to the infected computer. An error occurred and didn't allow me to run CCleaner. Spy-Bot couldn't find the proper dll file to run, so all I ended up doing was running Ad-Aware 6.0...What should I do?
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You should already have the updated versions. Ad-Aware 6 is WAY out of date, you must update to Ad-Aware SE 1.06.

    You also must have CCleaner 1.21.130 and Spybot S&D 1.4 with all updates.

    Get these updates and follow the post again.
     
  11. Atratus

    Atratus Private E-2

    I just tried to get the three programs on the infected computer and updated. When I tried to run Spybot and Ad-Aware SE there was an error: A required .DLL file, c:\\WINDOWS\\WININET.DLL, was not found. When I tried to start CCleaner there was another error: Run-time error "0". Sorry if I'm being difficult.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Skip this for now and complete the rest of the fix exactly as it appears.
     
  13. Atratus

    Atratus Private E-2

    Well, now I've run into several more problems. The infected computer won't start up, saying: "NTLDR is missing, press any key to restart." It won't do anything however. Then the computer I was using for internet access won't start up because of GoBack. It says: "GoBack restarted your computer because it detected your system was unstable. Allowing it to continue running would have caused corruption on disk #1. This instability is probably the result of a bug in an application running on your system, but could also be caused by hardware problems." It won't let me proceed beyond that point. It's just one thing after another... Thanks again.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Atratus,

    This is going to be a Software problem. These problems will take some time to fix; personally I think it's best to reinstall, however it's up to you. These issues CAN be fixed but will take some time.

    For now post this in the Software Forum, after they fix your software issues come back here and we will continue with the Malware removal.

    If you decide to do a clean install drop a message and let me know.

    Good Luck!:)
     
  15. Atratus

    Atratus Private E-2

    Alright, I will post my question in the software forum for now. Thanks for all your help with my other computer problems. I probably will just end up reinstalling, but for now I will try to fix the problem manually. It helps me learn more about these computers. I probably will be back here so you can help me remove the malware off my computer though. Thanks again!
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome! :)

    Good Luck!
     
  17. Atratus

    Atratus Private E-2

    Ok, the problems have been fixed with the other computer (it actually had a virus)... Should I start over in trying to eliminate the smitfraud or begin where we left off?
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since we didn't really clean your system, go ahead and run the READ ME then post a fresh HJT log.
     
