[j-alexander]

This infection seems to be everywhere! 2 of my computers are now infected (I suppose thats what I get for letting other people use them). I have tried several times to get rid of this infection myself...but to no avail.

I know all of you are very busy, and I have another new computer so there is no rush (I've waited a few weeks till after my exams were up to post here). And as two computers are infected I don't expect a quick response - if you're busy it can definately wait.

On the home PC which I'm posting from the infection doesn't seem to be too bad - I can use most applications and can actually still use IE. However, on the laptop which is also infected it seems to have taken a firmer grip (perhaps because the laptop uses XP opposed to the older pc using win98). I did try and post the laptop log first but as soon as I try to log on to geekstogo IE cuts out.

Anyway here is the first log (from the win98 pc). I'll post the laptop's log in this thread if thats ok (if you want me to make a new thread just say so and thats fine).

Hijackthis log 1 (win98 pc):

Logfile of HijackThis v1.99.1
Scan saved at 12:05:10, on 02/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.depnyhtpc...y5ys4HDVNvc.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: StartMulti - {D741A309-75B3-929C-5D25-C7A1BCA0C982} - C:\PROGRAM FILES\ACID BLUE ERROR\INSIDE MATH.DLL (file missing)
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = home.co.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 194.168.4.100,194.168.8.100



Thanks in advance,

J-alexander

[Advertisements]

deleted - apparently its one problem (even if its the same problem) at a time....oh well....

Edited by j-alexander, 22 June 2005 - 12:56 PM.

[j-alexander]

deleted - apparently its one problem (even if its the same problem) at a time....oh well....

Edited by j-alexander, 22 June 2005 - 12:56 PM.

[Koretek]

Sorry it took this long to get to you Al, are you still having problems?

[j-alexander]

Sorry it took this long to get to you Al, are you still having problems?

yea - still have the two problems on the two pc's (see logs) - I'm just not confident enough to get rid of it by myself - not without expert instructions - the last time I attempted it I ended up having to universally undo to a previous date - not in any major rush but it was over the 10 days (5 days each problem) - so thought I'd just post on the no reply topic.

Thanks,

j-alexander

[coachwife6]

JA: We can only fix one at a time. Please rerun hijack this on the computer you want fixed first and post it in this thread.

[j-alexander]

JA: We can only fix one at a time. Please rerun hijack this on the computer you want fixed first and post it in this thread. 

Sorry, but im still going to use this thread. Because even if you cant do 2 problems....still could do one... one is now displayed. A second thread has been created for the other log.

J-alexander

[coachwife6]

I want you to use this thread. Post a log for one of the computers in this thread. If you choose to do the xp, you will have to update windows to sp1 first before it will be looked at by myself or anyone else on the board.

[coachwife6]

deleted - apparently its one problem (even if its the same problem) at a time....oh well....

It may be the same infection, but it's on two different computers - a 98 and an xp, which call for different tools. Fixing two computers in the same log and going back and forth and trying to figure out what computer I'm talking about is very confusing for myself and for you. I was going to fix one of the computers and once it was cleaned, and then start on the other one.

[j-alexander]

Thanks - got it now - have posted the new log for the xp pc in a second thread. The win98 is left on here.

Thanks,

J-alexander

[coachwife6]

I need you to run a log again for the 98 and post the results for the 98 in this thread. A lot could have happened since you first posted it and I need the most recent information. Did you post the log for the xp yet on the other thread?

[j-alexander]

Here's the most recent jog for the 98 pc:

Logfile of HijackThis v1.99.1
Scan saved at 14:06:11, on 24/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.depnyhtpc...y5ys4HDVNvc.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: StartMulti - {D741A309-75B3-929C-5D25-C7A1BCA0C982} - C:\PROGRAM FILES\ACID BLUE ERROR\INSIDE MATH.DLL (file missing)
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = home.co.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 194.168.4.100,194.168.8.100


I did try and create a new hijackthis log on the xp system. But I have a more urgent problem with it now - since sp2 has been installed (i couldnt find sp1 on microsofts automatic update site - that thing is really cumbersome). So now it doesnt even get as far as the desktop. As soon as the loading windows screen comes up it loads for a bit and then just as it would normally go to desktop it continues on a loop of restarting. I have tried to restart in safe mode (normal safe mode, safe mode with networking and safe mode in MS-DOS) but that doesnt work. The other option (to restart in the last working configuration) doesnt work either. Any suggestions? (I'd rather leave myself open to re-infection on the xp system till its fixed so it can be fully update it rather than trying to get sp1 and continuing this never-ending loop).

Thanks,

J-alexander

[coachwife6]

Please download adaware before you start - instructions are down below. Don't run it yet.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.depnyhtpc...y5ys4HDVNvc.htm

O3 - Toolbar: StartMulti - {D741A309-75B3-929C-5D25-C7A1BCA0C982} - C:\PROGRAM FILES\ACID BLUE ERROR\INSIDE MATH.DLL (file missing)

O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Please scan your system with Ad-aware:
Ad-aware SE - Download - Home Page

• If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
• After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
• Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
• Once the definitions have been updated:
• Reconfigure Ad-Aware for Full Scan as per the following instructions:
  • Launch the program, and click on the Gear at the top of the start screen.
  • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
    • "Automatically save logfile"
    • Automatically quarantine objects prior to removal"
    • Safe Mode (always request confirmation)
    • Prompt to update outdated confirmation) - Change to 7 days.
  • Click the "Scanning" button (On the left side).
  • Under Drives & Folders, select "Scan within Archives"
  • Click "Click here to select Drives + folders" and select your installed hard drives.
  • Under Memory & Registry, select all options.
  • Click the "Advanced" button (On the left hand side).
  • Under "Shell Integration", select "Move deleted files to Recycle Bin".
  • Under "Log-file detail", select all options.
  • Click on the "Defaults" button on the left.
  • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
  • Click the "Tweak" button (Again, on the left hand side).
  • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
    • "Unload recognized processes during scanning."
    • "Obtain command line of scanned processes"
    • "Scan registry for all users instead of current user only"
  • Under "Cleaning Engine", select the following:
    • "Automatically try to unregister objects prior to deletion."
    • "During removal, unload explorer and IE if necessary"
    • "Let Windows remove files in use at next reboot."
    • "Delete quarrantined objects after restoring"
  • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
  • Click on "Proceed" to save these Preferences.
  • Click on the "Scan Now" button on the left.
  • Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
• Close all programs except ad-aware.
• Click on "Next" in the bottom right corner to start the scan.
• Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
• After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

or you can download CleanUp!

Please download CleanUp! - Download - HomePage
Install and run. Click on the button labeled CleanUp!.

When it finishes it will prompt you to restart Windows - there will be one or two files it cannot delete when Windows is running - however, they will be deleted next time Windows starts up.

If you would please, rescan with HijackThis and post a fresh log in this same topic.

[j-alexander]

Just finished using the instructions you gave to become free of smitfraud.c (on 1 pc at least!!). Here's the log after the virus was gone.

Logfile of HijackThis v1.99.1
Scan saved at 21:13:13, on 25/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = home.co.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 194.168.4.100,194.168.8.100

Thankyou very much for all the help - it is very much appreciated,

J-alexander

[coachwife6]

Good job. How is it running?

[j-alexander]

Running great (well, as can be expected with a pc thats fast becoming ancient). Only thing thats wrong with it is microsoft word needs a good kick to get started once it's loaded - when it has just started and you would normally be able to type you cant. It's easily solved by frantically pushing F1 or some other command button but is a little bit of a pest. It's old though, well expected.

Im happy to report that all traces of smitfraud (or any other virus) are completely gone thanks to your help.

Thanks very much again - much appreciated,

J-alexander