PC has been hijacked. Need to clean it

By AndreasBIT
May 18, 2005
Topic Status:
Not open for further replies.
  1. Problem: the PC is running slow, and windows are popping up from time to time. The homepage is set to default.home. I try to change it but it changes back. Clearly I am infected with some bugs. I have run PestPatrol with no result. HijackThis comes highly recommended, I understand. Here is the logfile (below). Can somebody help me? How can I clean the PC?

    Best regards,
    AndreasBIT

    The logfile:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:39:55, on 18.05.2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programfiler\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Programfiler\PestPatrol\PPMemCheck.exe
    C:\Programfiler\PestPatrol\PPControl.exe
    C:\Programfiler\PestPatrol\CookiePatrol.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programfiler\Messenger\msmsgs.exe
    C:\WINDOWS\System32\Tmntsrv32.EXE
    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Programfiler\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-siemens.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\Programfiler\PestPatrol\PPMemCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programfiler\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\Programfiler\PestPatrol\CookiePatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
    O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Programfiler\3M\PSNLite\PsnLite.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-siemens.com
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0803A9A1-E881-4207-8A89-690532D9480C}: NameServer = 217.13.4.24,217.13.7.140
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0803A9A1-E881-4207-8A89-690532D9480C}: NameServer = 217.13.4.24,217.13.7.140
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    First go HERE and follow the instructions carefully. Print them out if you can.

    Once you have done that, go HERE for instructions on how to post your Hijackthis log.

    Regards Howard :wave: :wave:
  3. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    SMSSU.EXE
    Tmntsrv32.EXE

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE
    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-siemens.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
    O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
    O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-siemens.com
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    Unless these O17 IP-numbers are from your ISP, also 'FIX':
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0803A9A1-E881-4207-8A89-690532D9480C}: NameServer = 217.13.4.24,217.13.7.140
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0803A9A1-E881-4207-8A89-690532D9480C}: NameServer = 217.13.4.24,217.13.7.140

    Now click on the Fix Checked button in HJT.
    When done, delete the highlighted bold files.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Boot normal. When all OK, switch System Restore back on.
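The triage that the instructions above apply to the log in the first post (the SMSSU.EXE and Tmntsrv32.EXE processes that appear twice, the R0 start page set to default.home, the O2 BHO loaded from C:\WINDOWS, the HKCU Run entries that launch System32 binaries, and the O17 NameServer lines that must be checked against the ISP's DNS), written out as an added example that is not part of the original thread and is not HijackThis code: a small Python parser for the HJT text format that flags exactly those entry types. The allow-lists at the top (expected home page host, ISP DNS servers, binaries that may run more than once, System32 binaries that normally autostart from HKCU) are assumptions to be filled in for the machine in question; the embedded sample log is a trimmed, constructed copy of the one posted above.

```python
"""Flag the HijackThis log entries the thread acts on (added example, not HJT code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the HJT v1.99.1 log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-siemens.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{0803A9A1-E881-4207-8A89-690532D9480C}: NameServer = 217.13.4.24,217.13.7.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{0803A9A1-E881-4207-8A89-690532D9480C}: NameServer = 217.13.4.24,217.13.7.140
"""

# ASSUMPTIONS to adjust per machine: the OEM home page seen in the R1/O14 lines;
# the ISP's DNS servers (copy them from a known-good machine's `ipconfig /all`;
# an empty set means "unknown", so every NameServer entry gets flagged); binaries
# that legitimately run more than once; and System32 binaries that normally
# autostart from the per-user HKCU Run key.
EXPECTED_HOME_HOSTS = {"www.fujitsu-siemens.com"}
ISP_DNS = set()
MULTI_INSTANCE_OK = {"svchost.exe"}
HKCU_SYSTEM32_OK = {"ctfmon.exe"}

ITEM_RE = re.compile(r"^([RO]\d+) - (.*)$")                      # "O4 - <body>"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.*)$")  # O4 Run-key body


def parse_log(text):
    """Split an HJT log into its running-process list and its (section, body) items."""
    processes, items, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # process list runs until the first blank line
            if not line:
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2)))
    return processes, items


def first_token(cmd):
    """Executable path from a Run value, honouring a quoted path followed by arguments."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(text, isp_dns=ISP_DNS):
    """Return (section, reason) findings for the entry types discussed in the thread."""
    processes, items = parse_log(text)
    findings = []
    # 1. A binary running more than once that is not a known multi-instance host.
    for name, n in Counter(basename(p) for p in processes).items():
        if n > 1 and name not in MULTI_INSTANCE_OK:
            findings.append(("process", f"{name} running {n} times"))
    seen_dns = set()
    for section, body in items:
        if section in ("R0", "R1") and ("Start Page" in body or "Default_Page_URL" in body):
            host = urlsplit(body.split(" = ", 1)[1]).hostname   # 2. unexpected home page host
            if host not in EXPECTED_HOME_HOSTS:
                findings.append((section, f"IE start/default page points at {host}"))
        elif section == "O2":
            dll = body.rsplit(" - ", 1)[1]                       # 3. BHO DLL dropped in the Windows root
            if dll.lower().rsplit("\\", 1)[0] == r"c:\windows":
                findings.append(("O2", f"BHO loaded from Windows root: {dll}"))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m:                                                # 4. per-user autostart of a System32 binary
                hive, exe = m.group(1), first_token(m.group(2))
                if hive == "HKCU" and "\\system32\\" in exe.lower() and basename(exe) not in HKCU_SYSTEM32_OK:
                    findings.append(("O4", f"per-user Run key launches System32 binary {basename(exe)}"))
        elif section == "O17":
            servers = body.split("NameServer = ", 1)[1]          # 5. DNS servers not on the ISP list
            if servers not in seen_dns:                          # CCS and CS1 repeat the same value
                seen_dns.add(servers)
                unknown = [s for s in servers.split(",") if s not in isp_dns]
                if unknown:
                    findings.append(("O17", f"DNS servers not on ISP list: {','.join(unknown)}"))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section:8} {reason}")
```

Against the sample it reports the two doubled processes, both default.home start pages, the xmllib.dll BHO, the SMSSU and Tmntsrv32 Run keys and the two unknown name servers; passing the ISP's real resolvers as `isp_dns` silences the O17 finding. The process and O4 checks only say "look here", which is what the thread does too: a doubled System32 binary with a name close to smss.exe is a reason to pull the file and inspect it, not proof on its own.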
  4. AndreasBIT

    AndreasBIT Newcomer, in training Topic Starter

    Thanks for the reply!
    I ran Task Manager after booting in Safe Mode and switching System Restore off. I tried to end the smssu.exe and tmntsrv32.exe processes, but they popped up in Task Manager as soon as I clicked "End Process".

    I proceeded and ran HijackThis and did as the instructions said, for all the users.
    I deleted the files and directories in Temp.

    I have booted back up in normal mode.
    Now I have a security warning on my desktop:

    Security warning:
    a fatal error in IE has occured at 0028:C0011e36 in VXD VMM<01> + 00010E36. Error was caused by Trojan-Spy.html.smitfraud.c
    *system can not function in normal mode. Please check your security settings
    *Scan your PC with any available antivirus / spyware remover program to fix the program


    Any ideas?
  5. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165
