Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

SmitFraud.c & W32Netsky.P Virus [RESOLVED]

Started by SmokyGirl , Jul 13 2005 06:44 PM

  • This topic is locked This topic is locked

#1
SmokyGirl
Posted 13 July 2005 - 06:44 PM

SmokyGirl

    Member

  • Member
  • PipPip
  • 23 posts
Please help me:help:
After working for numerous days I need help completely eliminating SmitFraud.c from a Windows 98 SE system.
I have run CleanUp!, Ad-Aware SE Personal, and CWShredder. [Note: Ad-Aware config would not allow selecting 'During removal unload Explorer & I.E. if neccessary' under Tweak, Clean Engine.] I have not been able to run any anti-virus software, to remove the W32Netsky.P virus. Running Trend Housecall resulted in an IE error "MS IE has encountered a problem & needs to close. We are sorry for the inconvenience." Restart Internet Explorer. Tried running SpywareDr 3.2 w and got "Error! This program has been damaged, possibly to a bad sector of the hard drive or a virus. Please reinstall." I've removed it. Can't install Norton AV, System Works, or McAfee. TDS-3 identified the W32Netsky.p files; I haven't manually gone in to delete them. Maybe I should have.
I have removed C:\Windows\wp.bmp and C:\Windows\System32\Intel32 (which appears to have been part of SmitFraud)....
Here is my HijackThis Log (I sure hope someone can help me get this PC running properly again!):

Logfile of HijackThis v1.99.1
Scan saved at 5:20:16 PM, on 7/13/05][/font]
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\HPZTSB06.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\SUE - TEMP\TO FIX SMITFRAUD.C\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TIES
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {DD4B4381-EA2F-11D9-80E0-444559E9F918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\UTILIT~1\SPYBOT~1.4\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
:tazz:
  • 0

Advertisements

#2
Michelle
Posted 14 July 2005 - 01:04 AM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please download StartDreck from HERE

Unzip it and run StartDreck.exe
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log :tazz:
  • 0

#3
SmokyGirl
Posted 14 July 2005 - 01:09 AM

SmokyGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Thanks bananafanafo! I'll get right on it.
  • 0

#4
SmokyGirl
Posted 14 July 2005 - 01:48 AM

SmokyGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Here is StartDreck's log:

StartDreck (build 2.1.7 public stable) - 2005-07-14 @ 02:39:19 (GMT -07:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as xxx at yyy

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*3dfx Tools=rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
*3dfx Task Manager="C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
*HPDJ Taskbar Utility=C:\WINDOWS\SYSTEM\hpztsb06.exe
*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
»RunServicesOnce
**on=rundll32 C:\WINDOWS\SUPPOIT.TXT,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{DD4B4381-EA2F-11D9-80E0-444559E9F918}
`InprocServer32=
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\UTILIT~1\SPYBOT~1.4\SDHELPER.DLL
»Files
»System/Drivers
»Running Processes
+FF0F86B7=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFD20B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFC59B=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE3C5B=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE515B=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEB2FB=C:\WINDOWS\EXPLORER.EXE
+FFFEF73B=C:\WINDOWS\RUNDLL32.EXE
+FFFD7157=C:\WINDOWS\TASKMON.EXE
+FFFD673B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFDA4DF=C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
+FFFDA95F=C:\WINDOWS\SYSTEM\HPZTSB06.EXE
+FFFDE98F=C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
+FFFC5AB3=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFC0ED7=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFC50AB=C:\SUE - TEMP\TO FIX SMITFRAUD.C\STARTDRECK.EXE
»Application specific
  • 0

#5
Michelle
Posted 14 July 2005 - 02:01 AM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Run HijackThis. Place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

Close HijackThis.

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit it.

Using Windows Explorer, delete the following file:

C:\WINDOWS\TEMP\se.dll

Here is the important part!:

* We are going to boot in DOS,
* Click the Start button
* Select Shut Down
* Select Restart the computer in MS-DOS mode
* Click the Yes button

When in DOS...

Type (make sure it's exact!):

del C:\WINDOWS\SUPPOIT.TXT

Then, hit Enter.

Exit DOS.

Reboot your system and ignore the errors you WILL get after reboot.

Post a new HiJackThis log.
  • 0

#6
SmokyGirl
Posted 14 July 2005 - 02:16 AM

SmokyGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Thanks again bananafanafo, I'll be back shortly with a new HijackThis log. :tazz:
  • 0

#7
SmokyGirl
Posted 14 July 2005 - 02:51 AM

SmokyGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Bananafanafo, I was missing one item that you wanted 'Fixed' in HijackThis:
R0 - HKLM\Software\Micosoft\Internet Explorer\Main,Start Page =
Everything else was done & here is my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:43:20 AM, on 7/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\HPZTSB06.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\SUE - TEMP\TO FIX SMITFRAUD.C\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TIES
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {DD4B4381-EA2F-11D9-80E0-444559E9F918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\UTILIT~1\SPYBOT~1.4\SDHELPER.DLL
O2 - BHO: (no name) - {C695CB26-F410-11D9-80E0-444500A5F4DD} - C:\WINDOWS\SYSTEM\EFOGH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {C695CB25-F410-11D9-80E0-4445F0776AAA} - C:\WINDOWS\SYSTEM\EFOGH.DLL
O18 - Filter: text/plain - {C695CB25-F410-11D9-80E0-4445F0776AAA} - C:\WINDOWS\SYSTEM\EFOGH.DLL
  • 0

#8
Michelle
Posted 14 July 2005 - 02:53 AM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I need another Startdreck log please.
  • 0

#9
SmokyGirl
Posted 14 July 2005 - 03:00 AM

SmokyGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Here you are:

StartDreck (build 2.1.7 public stable) - 2005-07-14 @ 04:00:45 (GMT -07:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as xxx at yyyy

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*3dfx Tools=rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
*3dfx Task Manager="C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
*HPDJ Taskbar Utility=C:\WINDOWS\SYSTEM\hpztsb06.exe
*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{DD4B4381-EA2F-11D9-80E0-444559E9F918}
`InprocServer32=
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\UTILIT~1\SPYBOT~1.4\SDHELPER.DLL
*{C695CB26-F410-11D9-80E0-444500A5F4DD}
`InprocServer32=C:\WINDOWS\SYSTEM\EFOGH.DLL
»Files
»System/Drivers
»Running Processes
+FF0F8A5F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFDEE3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFC973=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE30B3=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE64E7=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE4957=C:\WINDOWS\EXPLORER.EXE
+FFFEDF0B=C:\WINDOWS\TASKMON.EXE
+FFFED587=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD78D7=C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
+FFFD063F=C:\WINDOWS\SYSTEM\HPZTSB06.EXE
+FFFD47A7=C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
+FFFDEEC7=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFD01D3=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFDFE9F=C:\WINDOWS\RUNDLL32.EXE
+FFFE2367=C:\SUE - TEMP\TO FIX SMITFRAUD.C\HIJACKTHIS.EXE
+FFFCD45F=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFFB2DD3=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFB6493=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFA1BD3=C:\SUE - TEMP\TO FIX SMITFRAUD.C\STARTDRECK.EXE
»Application specific
  • 0

#10
Michelle
Posted 14 July 2005 - 03:04 AM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {DD4B4381-EA2F-11D9-80E0-444559E9F918} - (no file)
O2 - BHO: (no name) - {C695CB26-F410-11D9-80E0-444500A5F4DD} - C:\WINDOWS\SYSTEM\EFOGH.DLL

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O18 - Filter: text/html - {C695CB25-F410-11D9-80E0-4445F0776AAA} - C:\WINDOWS\SYSTEM\EFOGH.DLL
O18 - Filter: text/plain - {C695CB25-F410-11D9-80E0-4445F0776AAA} - C:\WINDOWS\SYSTEM\EFOGH.DLL

Close HiJackThis.

Using Windows Explorer, delete the following files:

C:\WINDOWS\SYSTEM\EFOGH.DLL
C:\WINDOWS\TEMP\se.dll

Reboot, then rescan with HiJackthis and post a new log.
  • 0

Advertisements

#11
SmokyGirl
Posted 14 July 2005 - 04:04 PM

SmokyGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Bananafanafo, sorry about the delay, but I couldn't stay awake any longer. Here is my latest HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 4:58:34 PM, on 7/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\HPZTSB06.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\SUE - TEMP\TO FIX SMITFRAUD.C\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TIES
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\UTILIT~1\SPYBOT~1.4\SDHELPER.DLL
O2 - BHO: (no name) - {4988C485-F419-11D9-80E0-F89D9152EFF5} - C:\WINDOWS\SYSTEM\EFOGH.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
  • 0

#12
Michelle
Posted 14 July 2005 - 06:12 PM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I went to bed shortly after posting as well :tazz:

Run HiJackThis. Place a check next to this item and click FIX CHECKED:

O2 - BHO: (no name) - {4988C485-F419-11D9-80E0-F89D9152EFF5} - C:\WINDOWS\SYSTEM\EFOGH.DLL (file missing)

Close HiJackThis.

Please go here: Jotti Virus Scan

Click the "browse" button and locate this file:

C:\WINDOWS\SYSTEM\wininet.dll

Click "Open", then click the "Submit" button. Copy the results and paste them here along with a new HiJackThis log.
  • 0

#13
SmokyGirl
Posted 15 July 2005 - 06:19 PM

SmokyGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Bananafanafo!
I'm back. I'd already removed the 'O2-BHO ...EFOGH.DLL (file missing), along with Samantic lines (since I'm still getting their error on startup of a missing file 'C:\Program`1\Symantec\symevnt.386'- never mind I've tried uninstalling all their software numerous times.)

The jotti scan came back clean, but here is the log and a new HijackThis one:


Wininet.dll
Status: OK
MD5 3d3f0083f8c210541884b4625083257d
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


Logfile of HijackThis v1.99.1
Scan saved at 6:54:44 PM, on 7/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\HPZTSB06.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TIES
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
  • 0

#14
Michelle
Posted 15 July 2005 - 06:36 PM

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
We got rid of that nasty se.dll, so let's see if we can get you an anti-virus program without it giving an error.

Please download AVG - it's free and I highly recommend it.

Once it's downloaded, run a full system scan and post a new HiJackThis log.

BTW, Have you deleted the Symantec folders here:

C:\Programs Files\Symantec
C:\Program Files\Common Files\Symantec Shared
  • 0

#15
SmokyGirl
Posted 15 July 2005 - 07:23 PM

SmokyGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Yes I've deleted both of those Samantic folders. I also discovered that the C:Windows\Userconfig9x.dll file was infected with Netsky.

I'll give AVG a try and get back to you. :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP