PC has been hijacked. need to clean it

[AndreasBIT]

problem: the pc is running slow, and windows are popping up from time to time.the homepage is set to default.home. i try to change it but it changes back. Clearly i am infected with some bugs. I have run pestpatrol with no result. Hijackthis comes highly recommended i understand. here is the logfile. (under) can somebody help me? how can i clean the pc?

best regards
andreasBIT

the logfile:
Logfile of HijackThis v1.99.1
Scan saved at 11:39:55, on 18.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Programfiler\PestPatrol\PPMemCheck.exe
C:\Programfiler\PestPatrol\PPControl.exe
C:\Programfiler\PestPatrol\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programfiler\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-siemens.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Programfiler\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programfiler\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Programfiler\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Programfiler\3M\PSNLite\PsnLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-siemens.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0803A9A1-E881-4207-8A89-690532D9480C}: NameServer = 217.13.4.24,217.13.7.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{0803A9A1-E881-4207-8A89-690532D9480C}: NameServer = 217.13.4.24,217.13.7.140
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod-tjeneste (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe

 

[howard_hopkinso]

Hello and welcome to Techspot.

First go HERE and follow the instructions carefully. Print them out if you can.

Once you have done that, go HERE for instructions on how to post your Hijackthis log.

Regards Howard :wave: :wave:

 

[RealBlackStuff]

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
SMSSU.EXE
Tmntsrv32.EXE

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-siemens.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-siemens.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
Unless these O17 IP-numbers are from your ISP, also 'FIX':
O17 - HKLM\System\CCS\Services\Tcpip\..\{0803A9A1-E881-4207-8A89-690532D9480C}: NameServer = 217.13.4.24,217.13.7.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{0803A9A1-E881-4207-8A89-690532D9480C}: NameServer = 217.13.4.24,217.13.7.140

Now click on the Fix Checked button in HJT.
When done, delete the highlighted bold files.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Boot normal. When all OK, switch System Restore back on.

 

[AndreasBIT]

thanks for the reply!
i ran taskmanager after booting in safe mode and switching system restore off. i tried to end the smssu.exe and tmntsrv32.exe processes. but they popped up in taskmanager as soon as i clicked "end process"

i proceeded and ran hijackthis, did as the instructions said. with all the users.
I deleted the files and directories in Temp

i have booted back up in normal mode
now i have a security warning on my desktop:

Security warning:
a fatal error in IE has occured at 0028:C0011e36 in VXD VMM<01> + 00010E36. Error was caused by Trojan-Spy.html.smitfraud.c
*system can not function in normal mode. Please check your security settings
*Scan your PC with any available antivirus / spyware remover program to fix the program


any ideas?

 

[RealBlackStuff]

Go to this post and follow the advice from (my) post #4
https://www.techspot.com/vb/topic25021.html