Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

smitfraud/downloader.small/the list goes on, help! [CLOSED]

Started by twistedmoose , Jun 06 2005 04:31 PM

  • This topic is locked This topic is locked

#1
twistedmoose
Posted 06 June 2005 - 04:31 PM

twistedmoose

    New Member

  • Member
  • Pip
  • 2 posts
Hi all you helpful people,

I've struggled with my family's pc for the last couple of hours, thought I was getting somewhere by following other 'smitfraud trojan' removal instructions only to find other trojans called 'downloader.small' by AVG. I'm running AVG and Ad-Aware and have updated them as much as possible, but cannot open Windows Update. I've run out of ideas and would really appreciate the help.

Cheers all!

This is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:12:54, on 06/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\WINNT\twain_32\SiPix\SCDeluxe\UsbPnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINNT\system32\atiupdpl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\AOL 8.0\waol.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\AOL 8.0\shellmon.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {11E98689-531B-49B3-B0FE-B090DEBEC948} - C:\WINNT\system32\jagd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [WinHelp] C:\WINNT\System32\WinHelp.exe
O4 - HKLM\..\Run: [Remote Procedure Call Locator] RUNDLL32.EXE reg678.dll ondll_reg
O4 - HKLM\..\Run: [Program In Windows] C:\WINNT\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [DELUXECC] C:\WINNT\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [DeluxeSgn] C:\WINNT\twain_32\SiPix\SCDeluxe\UsbPnp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdt] RUNDLL32.EXE c:\winnt\gpalmdevc.dll,_mainRD
O4 - HKLM\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WindowBlinds] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe auto
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZCxdm093XXGB
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: Domain = dur.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: NameServer = 129.234.4.13,129.234.4.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4EADB29-3014-4462-9143-641C140DC5DA}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: Domain = dur.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: NameServer = 129.234.4.13,129.234.4.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: Domain = dur.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: NameServer = 129.234.4.13,129.234.4.11
O18 - Filter: text/html - {B409E174-8699-4CAB-A4AD-528EA245939A} - C:\WINNT\system32\jagd.dll
O18 - Filter: text/plain - {B409E174-8699-4CAB-A4AD-528EA245939A} - C:\WINNT\system32\jagd.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ll_reg - Unknown owner - Rundll32.exe (file missing)
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
O23 - Service: NetMeeting Remote Desktop (RPC) Sharing - Unknown owner - Rundll32.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Windows Management Instrumentation Driver Extension - Unknown owner - C:\WINNT\System32\WinDriver.exe (file missing)
  • 0

Advertisements

#2
greyknight17
Posted 06 June 2005 - 05:46 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

OK, let's take care of these problems one by one.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoft...ucts/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Download CWShredder http://www.greyknigh.../CWShredder.exe

Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98.

Disconnect from the net and close all programs. Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now run the CWShredder and hit the Fix button.

Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.
  • 0

#3
twistedmoose
Posted 07 June 2005 - 02:29 AM

twistedmoose

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Thanks so much! I've done most of what you said - I have a slow internet connection and couldn't get the online scanners to work, but instead I ran AVGFree which found the trojan startpage.19.J. I then followed the rest of your instructions, the logs are below (although I'm still getting internet explorer pop-ups):

Logfile of HijackThis v1.99.1
Scan saved at 09:30:58, on 07/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\WINNT\twain_32\SiPix\SCDeluxe\UsbPnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINNT\system32\atiupdpl.exe
C:\WINNT\system32\gclib.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\AOL 8.0\waol.exe
C:\Program Files\AOL 8.0\shellmon.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.dur.ac.uk/Admin/proxy.config
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [WinHelp] C:\WINNT\System32\WinHelp.exe
O4 - HKLM\..\Run: [Remote Procedure Call Locator] RUNDLL32.EXE reg678.dll ondll_reg
O4 - HKLM\..\Run: [Program In Windows] C:\WINNT\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [DELUXECC] C:\WINNT\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [DeluxeSgn] C:\WINNT\twain_32\SiPix\SCDeluxe\UsbPnp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdt] RUNDLL32.EXE c:\winnt\gpalmdevc.dll,_mainRD
O4 - HKLM\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WindowBlinds] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe auto
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: Domain = dur.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: NameServer = 129.234.4.13,129.234.4.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: Domain = dur.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: NameServer = 129.234.4.13,129.234.4.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: Domain = dur.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\..\{086D3512-B652-4BF9-8FFF-A6BDF79C2621}: NameServer = 129.234.4.13,129.234.4.11
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ll_reg - Unknown owner - Rundll32.exe (file missing)
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
O23 - Service: NetMeeting Remote Desktop (RPC) Sharing - Unknown owner - Rundll32.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Windows Management Instrumentation Driver Extension - Unknown owner - C:\WINNT\System32\WinDriver.exe (file missing)




(6/7/05 09:23:07) SPSeHjFix started v1.1.2
(6/7/05 09:23:07) OS: Win2000 Service Pack 4 (5.0.2195)
(6/7/05 09:23:07) Language: english
(6/7/05 09:23:07) Win-Path: C:\WINNT
(6/7/05 09:23:07) System-Path: C:\WINNT\system32
(6/7/05 09:23:07) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(6/7/05 09:23:11) Disinfection started
(6/7/05 09:23:11) Bad-Dll(IEP): c:\docume~1\admini~1\locals~1\temp\se.dll
(6/7/05 09:23:11) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINNT\system32\jagd.dll
(6/7/05 09:23:12) Searchassistant Uninstaller - Keys Deleted
(6/7/05 09:23:12) UBF: 6 - UBB: 1 - UBR: 19
(6/7/05 09:23:12) FilterKey: HKCR\text/html (deleted)
(6/7/05 09:23:12) FilterKey: HKCR\CLSID\{2671D72D-4B24-43D4-AC01-F76FE508D573} (deleted)
(6/7/05 09:23:12) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(6/7/05 09:23:12) FilterKey: HKCR\text/plain (deleted)
(6/7/05 09:23:12) FilterKey: HKCR\CLSID\{2671D72D-4B24-43D4-AC01-F76FE508D573} (error while deleting)
(6/7/05 09:23:12) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(6/7/05 09:23:12) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11E98689-531B-49B3-B0FE-B090DEBEC948} (deleted)
(6/7/05 09:23:12) BHO-Key: HKCR\CLSID\{11E98689-531B-49B3-B0FE-B090DEBEC948} (deleted)
(6/7/05 09:23:12) UBF: 4 - UBB: 0 - UBR: 19
(6/7/05 09:23:12) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(6/7/05 09:23:12) Stealth-String not found
(6/7/05 09:23:12) File added to delete: c:\winnt\system32\jagd.dll
(6/7/05 09:23:12) Reboot


(6/7/05 09:24:53) SPSeHjFix started v1.1.2
(6/7/05 09:24:53) OS: Win2000 Service Pack 4 (5.0.2195)
(6/7/05 09:24:53) Language: english
(6/7/05 09:24:53) Win-Path: C:\WINNT
(6/7/05 09:24:53) System-Path: C:\WINNT\system32
(6/7/05 09:24:53) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(6/7/05 09:25:07) Disinfection started
(6/7/05 09:25:07) Bad-Dll(IEP): (not found)
(6/7/05 09:25:07) Bad-Dll(IEP) in BHO: (not found)
(6/7/05 09:25:07) UBF: 4 - UBB: 0 - UBR: 19
(6/7/05 09:25:07) UBF: 4 - UBB: 0 - UBR: 19
(6/7/05 09:25:07) Bad IE-pages: (none)
(6/7/05 09:25:07) Stealth-String not found
(6/7/05 09:25:07) Not infected->END
  • 0

#4
greyknight17
Posted 07 June 2005 - 09:53 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, we're not clean yet, so you might still have popups. I just wanted to get rid of this one first.

OK, smitfraud seems to be removed by now. So let's do the other fixes:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [WinHelp] C:\WINNT\System32\WinHelp.exe
O4 - HKLM\..\Run: [Remote Procedure Call Locator] RUNDLL32.EXE reg678.dll ondll_reg
O4 - HKLM\..\Run: [Program In Windows] C:\WINNT\System32\IEXPLORE.EXE
O4 - HKLM\..\Run: [winupdt] RUNDLL32.EXE c:\winnt\gpalmdevc.dll,_mainRD
O4 - HKLM\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - HKCU\..\Run: [atiupdpl] C:\WINNT\system32\atiupdpl.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O23 - Service: ll_reg - Unknown owner - Rundll32.exe (file missing)
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
O23 - Service: NetMeeting Remote Desktop (RPC) Sharing - Unknown owner - Rundll32.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extension - Unknown owner - C:\WINNT\System32\WinDriver.exe (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\system32\atiupdpl.exe
C:\WINNT\system32\gclib.exe
C:\WINNT\System32\WinHelp.exe
reg678.dll
C:\WINNT\System32\IEXPLORE.EXE - make sure you delete it in the system32 folder ONLY
c:\winnt\gpalmdevc.dll
C:\WINNT\system32\atiupdpl.exe

Run CleanUp! and click on CleanUp! button. Once it's done, you may click the Close button. When asked if you want to logoff, choose Yes.

I want you to run AVG again and see if it picks up anything.

Restart and run a new HijackThis scan. Save the log file and post it here.

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs...p?page=download. Learn how to use it at http://tds.diamondcs...?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at http://tds.diamondcs...php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.
  • 0

#5
greyknight17
Posted 24 June 2005 - 07:22 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP