Trojan-Spy.HTML.Smitfraud.c [CLOSED]


  • This topic is locked

#1 Thomas Cary
Hi there,

I have also been affected by the Trojan-Spy.HTML.Smitfraud.c

I have read a few of the threads from other people that have been affected and I'm really impressed with the service that you provide.

However, being a complete amateur on the computer, I'm not sure what I should be doing and I'm hesitant to start downloading things unless absolutely necessary.

Do I need to load Adware/Spyware etc. before contacting you, because everyone else that did that then said, "...but I still have the blue screen and the Warning sign"?

I will obviously run those prior checks and post the Hijack This report if you say it is necessary to do so.

Best regards,

Tom

#2 Guest_usetobe_*
Hi Thomas,

Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help, or are your problems resolved?

Please let me know and, if you still require assistance, please post a fresh HJT log.

Regards,

Usetobe

#3 Thomas Cary
Usetobe!

Sorry, I have been away. Thought I was not going to get a reply. Brilliant... yes, I am still having loads of problems. I ran as many of the suggested spyware/malware programs as I could. Some of them wouldn't complete the scan as they said there wasn't enough memory, or the computer would shut down or freeze.

Still have the blue screen with the Smitfraud.c message.

Internet very slow.

This is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:45:21, on 21/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\FRIENDLY TECHNOLOGIES\BROADBANDACCESS\FTS.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDOESRV.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\VSSERV.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDMCON.EXE
C:\WINDOWS\PROFILES\THOMAS CARY\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.neuf.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\Friendly Technologies\BroadbandAccess\fts.exe"
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\SOFTWIN\BITDEF~1\BDMCON.EXE
O4 - HKLM\..\Run: [BitDefender Virus Shield] C:\Program Files\Softwin\BitDefender8\\vsserv.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\bdnagent.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BitDefender Communicator] C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe
O4 - HKLM\..\RunServices: [BitDefender Scan Server] C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe
O4 - HKLM\..\RunServices: [BitDefender Live! Init] C:\Program Files\Softwin\BitDefender8\\bdinit.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...482/mcfscan.cab
O16 - DPF: {45231111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\GT6ZK1AV\epl172[1].cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#4 Guest_usetobe_*
Hi Thomas,

This should be fun with you having 98SE, but we will try.

Let's get this show on the road. Firstly, create a new folder on your C drive (for example C:\hjt), install HJT into that folder and run it from there. That way it can create backups if required.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Set PC to show hidden files (click the link if you do not know how): LINK

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. C:\SpSeHjfix).

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shut down explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now scan with HJT and check the following entries if they are there. Some may have been removed by earlier procedures.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O16 - DPF: {45231111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\GT6ZK1AV\epl172[1].cab


Ensure no windows are open except HJT and click FIX CHECKED.

Now, using Windows Explorer, locate the following files/folders and delete them.

C:\WINDOWS\Tempor~1\Content.IE5\GT6ZK1AV\epl172[1].cab
gclib.exe <<<------carry out a search for this


Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.


Carry out another HJT scan and post the log back here, together with a report of any problems.

#5 Thomas Cary
Hi Usetobe,

Have been faithfully following your instructions. Here is an update:

1) Have saved HJT to a new folder on C drive

2) Kaspersky Online Scan would NOT work... after starting the download a pop-up came up saying 'Do you want to install and run Kaspersky...' I clicked YES... then another pop-up appeared saying 'Do you want to install and run Microsoft Foundation Classes Runtime Library Files...' I said NO... It then Failed to load the ActiveX control. I tried it again clicking YES to the second pop-up but with no success. It pointed out that my IE security settings should be on Medium (which they are??).

3) I have BitDefender 8.0 installed anyway on my computer, so I ran a complete scan of All Files. (I went out and bought BitDefender after Smitfraud appeared.. but it didn't find it, which is why I came to Geeks to Go). Here is the Scan Log:


//-----------------------------------------------------------------
//
// Product: BitDefender 8 Professional Plus
// Version: 8.0
//
// Created on: 22/05/2005 11:46:12
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
D:\
E:\
Folders : 1140
Files : 111708
Archives : 979
Packed files : 23576
Identified viruses : 3
Infected files : 3
Warnings : 0
Suspect files : 2
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 4
Renamed files : 0
I/O errors : 4
Scan time : 00:56:49
Scan speed (files/sec) : 32

Virus definitions : 166058
Scan plugins : 13
Archive plugins : 38
Unpack plugins : 4
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\WINDOWS\SYSTEM\gclib.exe Suspect BehavesLike:Trojan.LowZones
C:\WINDOWS\SYSTEM\gclib.exe Disinfection failed
C:\WINDOWS\SYSTEM\gclib.exe Moved
C:\WINDOWS\TEMP\se.dll Infected Trojan.StartPage.BA
C:\WINDOWS\TEMP\se.dll Disinfection failed
C:\WINDOWS\TEMP\se.dll Moved
C:\WINDOWS\Temporary Internet Files\Content.IE5\KRARGPWL\eied_s7[1].chm=>/eied_s7.htm Infected Exploit.ADODB.Stream.Gen
C:\WINDOWS\Temporary Internet Files\Content.IE5\KRARGPWL\eied_s7[1].chm=>/eied_s7.htm Disinfection failed
C:\WINDOWS\Temporary Internet Files\Content.IE5\KRARGPWL\eied_s7[1].chm=>/eied_s7.htm Move failed
C:\WINDOWS\r0faxcip.ini Infected Trojan.Agent.DM
C:\WINDOWS\r0faxcip.ini Disinfection failed
C:\WINDOWS\r0faxcip.ini Moved
C:\web.exe Suspect BehavesLike:Trojan.LowZones
C:\web.exe Disinfection failed
C:\web.exe Moved

4) Downloaded Buster, SpSeHjfix, CleanUp! and CWShredder to Desktop

5) Set PC to show hidden files (the link you gave me was for Windows XP... but I followed the same instructions and set Hidden Files to 'Show All Files').

6) NOW HAVING PROBLEM WITH ZIP FILES... You said 'Unzip SpSeHjfix to its own folder'... but how do I 'unzip'? I'm not brilliant with computers... When I double-click on the icon on the Desktop it asks me what program I want to use to run it (Open with... and gives me a list). I have no idea. Don't know anything about Zip files...? Same thing with About:Buster.

What to do?

Many thanks for your help,

Tom

#6 Guest_usetobe_*
Hi Tom,

I forgot you had 98. I need to get out of my XP head (XP is what most people who come to the forum have) and step back in time to the 98 days.

Download a free trial of WinZip:

WinZip

Then when you double-click on the aforementioned programs they will unzip with that program.

#7 Thomas Cary
Hi Usetobe,

First of all, sorry I keep replying so slowly.. I only get an hour or two on my PC before going to work, so I'm trying to carry out instructions asap. Thanks for your help!!

I have gone through all your instructions now (managed to unzip with my 98SE at last... can I upgrade to XP or would it require too much memory?)
Problems are as follows:

1) Still have the blue desktop with Trojan-HTML.Smitfraud.c
2) Still have problems shutting down and re-booting: it always tries to open an Internet connection after I have told it to shut down. Sometimes it just shows the screen 'Windows is shutting down' and would stay like that all day... I have to shut down manually.
3) If my USB is connected to my Neuf Telecom box (ISP running ADSL through the phone line) then it does something different when I start up. Instead of saying the usual 'Logon to Windows... what is your password?' it says 'Logon to Microsoft Networking... what is your password?' I put in the same one, but I'm not sure if I should?
4) USB to the Neuf box also appeared to affect Safe Mode: I couldn't run it while it was connected (the F8 button just beeped at me when I pressed it continuously).
5) Safe Mode sometimes froze, the mouse wouldn't move... had to shut down manually.
6) When I hover over some things, it seems to click them for me? Opens folders, shuts folders etc.
7) When I did the HJT log in Safe Mode, it didn't give me the R1 - HKCU\Software files... so I couldn't delete them... but they appeared when I did the HJT scan in normal mode just now, as you can see below. I did manage to check and delete three of the entries.

Anyway, here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:41:20, on 23/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\FRIENDLY TECHNOLOGIES\BROADBANDACCESS\FTS.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDMCON.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\VSSERV.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDOESRV.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDNAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.neuf.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\Friendly Technologies\BroadbandAccess\fts.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\SOFTWIN\BITDEF~1\BDMCON.EXE
O4 - HKLM\..\Run: [BitDefender Virus Shield] C:\Program Files\Softwin\BitDefender8\\vsserv.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\bdnagent.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BitDefender Communicator] C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe
O4 - HKLM\..\RunServices: [BitDefender Scan Server] C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe
O4 - HKLM\..\RunServices: [BitDefender Live! Init] C:\Program Files\Softwin\BitDefender8\\bdinit.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...482/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

I have attached the SpSeHjfix log you asked for (I can't seem to open it to cut and paste here... so I have sent as an attachment).

OK. I think that is all I can do for now!!! Thank you once again for all your help.

Tom ;)

#8 Guest_usetobe_*
Hi Tom,

If you were to go down the upgrade-to-XP route, I would need to know several things before recommending it.

What speed is your processor, how much RAM do you have, and how big is your hard drive/how much is free?

#9 Thomas Cary
Compaq Presario 1400 series
Windows 98 4.10.2222 A
56MB RAM
64% system resources free
Available space on drive C: 2195MB of 4317MB (FAT32)
Available space on drive D: 646MB of 1399MB (FAT 32)
Not sure about processor but I think it is Intel Celeron 667 MHz

I only mentioned it because everyone seems to have XP these days. But I read somewhere that it is not advisable to try downloading a new Windows package while you still have viruses. Smitfraud is obviously still haunting me.

What about restoring factory settings? Would that get rid of everything? (I only have a few documents that I would need to keep - and could save them onto floppy first??)

Was there nothing else that you could glean from my HJT scan? Or the other problems I told you about in my last report? How come those items that you told me to check and delete did not appear in the HJT scan in Safe Mode for instance?

How come the Smitfraud virus is still there?!!

Thanks again for your help!

Tom

#10 Guest_usetobe_*
Hi Tom,

With regards to updating to XP, your system would need more RAM, as XP needs 256MB to run nicely; all the rest of the specs are suitable. If you do not have much to save then a clean install would be the way to do it; that way it doesn't matter what is on your drive, as it would all be wiped and the installation would be like new, and you would not have any of your other problems.

But in the mean time we will try to clean what you have now.

As I said, this will likely be a few-step process to try to clear your system. Some of your problems are quite complex and difficult to remove, even more so on 98.
We are tackling them one at a time.

Please repeat my previous instructions, as it is common to have to do this 2-3 times for this infection.

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shut down explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into Safe Mode again.

Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now reboot your PC normally

Now scan with HJT and check the following entries if they are there. Some may have been removed by earlier procedures.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank


Set up your PC to show hidden files.

Boot into SAFE MODE again and using windows explorer locate and delete the following file

C:\WINDOWS\TEMP\se.dll

Run Cleanup again to clear out temp files, junk etc.

Right click on RD.REG HERE and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer.

Log in as usual, then right-click on your Desktop and go to Properties. Next go to the Desktop tab -> Customize Desktop button -> Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Now rescan with HJT and post the log back
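The lists of entries to tick in posts #4 and #10 share a few patterns that can be checked mechanically instead of by eye: an Internet Explorer search setting redirected to a res:// URL inside a DLL sitting in C:\WINDOWS\TEMP (the se.dll entries), the Search Page / SearchAssistant / HomeOldSP values forced to about:blank, a Run entry that starts a program by bare filename (gclib.exe, which BitDefender then found in C:\WINDOWS\SYSTEM), and an O16 Downloaded Program Files entry registered from a local file:// path in the browser cache with no friendly name, which fits the Exploit.ADODB.Stream detection on a cached .chm in the BitDefender log. The script below is an added example, not part of the original thread, of HijackThis or of any of the helper's tools. It parses lines in HijackThis 1.99.1 format and flags those indicators. The sample log is constructed from the entries quoted in the thread, the list of Win9x programs that legitimately run by bare filename is an assumption, and Start Page = about:blank is deliberately left alone because it is a common legitimate user choice.

```python
"""Flag CoolWebSearch / Smitfraud-style hijack indicators in a HijackThis log.

Added example for this thread; not HijackThis code and not the helper's tool.
"""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (raw HJT line, reason it was flagged)

# Constructed sample in HijackThis 1.99.1 line format, modelled on the entries
# quoted in the thread. It is not the poster's full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.neuf.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\SOFTWIN\BITDEF~1\BDMCON.EXE
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...482/mcfscan.cab
O16 - DPF: {45231111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\GT6ZK1AV\epl172[1].cab
"""

R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")

# Directories a browser or installer can write to without privileges; an IE
# setting pointing into one of them is a hijack, not a vendor default.
SCRATCH_DIRS = ("\\windows\\temp\\", "\\tempor~1\\",
                "\\temporary internet files\\", "\\content.ie5\\")

# Assumption: Win9x system entries that legitimately appear in the Run /
# RunServices keys by bare filename. Anything else by bare filename is flagged.
WIN9X_BARE_OK = {"systray.exe", "mstask.exe", "rundll32.exe", "scanregw.exe"}


def _in_scratch_dir(path: str) -> bool:
    return any(d in path for d in SCRATCH_DIRS)


def classify(line: str) -> Optional[str]:
    """Return a reason string if the HJT line matches a hijack indicator."""
    m = R_LINE.match(line)
    if m:
        _, _, _, name, value = m.groups()
        name, value = name.strip().lower(), value.strip().lower()
        if value.startswith("res://") and _in_scratch_dir(value):
            return "IE setting points at a page inside a DLL dropped in a temp directory"
        # Start Page = about:blank is a common legitimate user choice and is
        # deliberately not flagged; the hijack forces the *search* values.
        if value == "about:blank" and ("search" in name or name == "homeoldsp"):
            return "search setting forced to about:blank (CWS about:blank hijack)"
        return None
    m = O4_LINE.match(line)
    if m:
        _location, _name, command = m.groups()
        parts = command.strip().strip('"').split()
        if not parts:
            return None
        exe = parts[0].lower()
        if "\\" not in exe and ":" not in exe and exe not in WIN9X_BARE_OK:
            return ("Run entry starts %s by bare filename (resolved via PATH, "
                    "usually C:\\WINDOWS\\SYSTEM) and it is not a known system entry" % exe)
        return None
    m = O16_LINE.match(line)
    if m:
        _clsid, friendly, url = m.groups()
        if url.lower().startswith("file://"):
            reason = "ActiveX control registered from a local file:// cache path, not a vendor URL"
            if not friendly:
                reason += "; no friendly name"
            return reason
    return None


def scan_hjt(text: str) -> List[Finding]:
    """Run every non-empty line of an HJT log through classify()."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = classify(line)
        if reason:
            findings.append((line, reason))
    return findings


def fix_checklist(text: str) -> List[str]:
    """The exact HJT lines to tick before 'Fix checked', in log order."""
    return [line for line, _ in scan_hjt(text)]


if __name__ == "__main__":
    for line, reason in scan_hjt(SAMPLE_LOG):
        print("FLAG:", line)
        print("      ", reason)
```

Run it as a script to print the flagged lines, or call fix_checklist() on a pasted log to get the exact lines to tick before Fix checked. Ticking the registry entries does not remove the files behind them (se.dll, gclib.exe, the cached .cab), which is why the helper's instructions also have those files deleted by hand.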

#11 Guest_usetobe_*
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.





