SmitFraud.c & W32Netsky.P Virus [RESOLVED]


  • This topic is locked

#1
SmokyGirl (Member, 23 posts)
Please help me
After working for numerous days I need help completely eliminating SmitFraud.c from a Windows 98 SE system.
I have run CleanUp!, Ad-Aware SE Personal, and CWShredder. [Note: Ad-Aware config would not allow selecting 'During removal unload Explorer & I.E. if necessary' under Tweak, Clean Engine.] I have not been able to run any anti-virus software to remove the W32Netsky.P virus. Running Trend Housecall resulted in an IE error "MS IE has encountered a problem & needs to close. We are sorry for the inconvenience." Restart Internet Explorer. Tried running SpywareDr 3.2 w and got "Error! This program has been damaged, possibly to a bad sector of the hard drive or a virus. Please reinstall." I've removed it. Can't install Norton AV, System Works, or McAfee. TDS-3 identified the W32Netsky.p files; I haven't manually gone in to delete them. Maybe I should have.
I have removed C:\Windows\wp.bmp and C:\Windows\System32\Intel32 (which appears to have been part of SmitFraud)....
Here is my HijackThis Log (I sure hope someone can help me get this PC running properly again!):

Logfile of HijackThis v1.99.1
Scan saved at 5:20:16 PM, on 7/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\HPZTSB06.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\SUE - TEMP\TO FIX SMITFRAUD.C\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.homedepot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TIES
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {DD4B4381-EA2F-11D9-80E0-444559E9F918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\UTILIT~1\SPYBOT~1.4\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#2
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Please download StartDreck from HERE

Unzip it and run StartDreck.exe
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log

#3
SmokyGirl (Topic Starter, Member, 23 posts)
Thanks bananafanafo! I'll get right on it.

#4
SmokyGirl (Topic Starter, Member, 23 posts)
Here is StartDreck's log:

StartDreck (build 2.1.7 public stable) - 2005-07-14 @ 02:39:19 (GMT -07:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as xxx at yyy

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*3dfx Tools=rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
*3dfx Task Manager="C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
*HPDJ Taskbar Utility=C:\WINDOWS\SYSTEM\hpztsb06.exe
*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
»RunServicesOnce
**on=rundll32 C:\WINDOWS\SUPPOIT.TXT,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{DD4B4381-EA2F-11D9-80E0-444559E9F918}
`InprocServer32=
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\UTILIT~1\SPYBOT~1.4\SDHELPER.DLL
»Files
»System/Drivers
»Running Processes
+FF0F86B7=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFD20B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFC59B=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE3C5B=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE515B=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEB2FB=C:\WINDOWS\EXPLORER.EXE
+FFFEF73B=C:\WINDOWS\RUNDLL32.EXE
+FFFD7157=C:\WINDOWS\TASKMON.EXE
+FFFD673B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFDA4DF=C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
+FFFDA95F=C:\WINDOWS\SYSTEM\HPZTSB06.EXE
+FFFDE98F=C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
+FFFC5AB3=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFC0ED7=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFC50AB=C:\SUE - TEMP\TO FIX SMITFRAUD.C\STARTDRECK.EXE
»Application specific

#5
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Run HijackThis. Place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank


Close HijackThis.

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit it.

Using Windows Explorer, delete the following file:

C:\WINDOWS\TEMP\se.dll

Here is the important part!:

* We are going to boot in DOS,
* Click the Start button
* Select Shut Down
* Select Restart the computer in MS-DOS mode
* Click the Yes button

When in DOS...

Type (make sure it's exact!):

del C:\WINDOWS\SUPPOIT.TXT

Then, hit Enter.

Exit DOS.

Reboot your system and ignore the errors you WILL get after reboot.

Post a new HiJackThis log.

#6
SmokyGirl (Topic Starter, Member, 23 posts)
Thanks again bananafanafo, I'll be back shortly with a new HijackThis log.

#7
SmokyGirl (Topic Starter, Member, 23 posts)
Bananafanafo, I was missing one item that you wanted 'Fixed' in HijackThis:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
Everything else was done & here is my latest HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 3:43:20 AM, on 7/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\HPZTSB06.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\SUE - TEMP\TO FIX SMITFRAUD.C\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TIES
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {DD4B4381-EA2F-11D9-80E0-444559E9F918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\UTILIT~1\SPYBOT~1.4\SDHELPER.DLL
O2 - BHO: (no name) - {C695CB26-F410-11D9-80E0-444500A5F4DD} - C:\WINDOWS\SYSTEM\EFOGH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {C695CB25-F410-11D9-80E0-4445F0776AAA} - C:\WINDOWS\SYSTEM\EFOGH.DLL
O18 - Filter: text/plain - {C695CB25-F410-11D9-80E0-4445F0776AAA} - C:\WINDOWS\SYSTEM\EFOGH.DLL

#8
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I need another Startdreck log please.

#9
SmokyGirl (Topic Starter, Member, 23 posts)
Here you are:

StartDreck (build 2.1.7 public stable) - 2005-07-14 @ 04:00:45 (GMT -07:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as xxx at yyyy

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*3dfx Tools=rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
*3dfx Task Manager="C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
*HPDJ Taskbar Utility=C:\WINDOWS\SYSTEM\hpztsb06.exe
*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{DD4B4381-EA2F-11D9-80E0-444559E9F918}
`InprocServer32=
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\UTILIT~1\SPYBOT~1.4\SDHELPER.DLL
*{C695CB26-F410-11D9-80E0-444500A5F4DD}
`InprocServer32=C:\WINDOWS\SYSTEM\EFOGH.DLL
»Files
»System/Drivers
»Running Processes
+FF0F8A5F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFDEE3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFC973=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE30B3=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE64E7=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE4957=C:\WINDOWS\EXPLORER.EXE
+FFFEDF0B=C:\WINDOWS\TASKMON.EXE
+FFFED587=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD78D7=C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
+FFFD063F=C:\WINDOWS\SYSTEM\HPZTSB06.EXE
+FFFD47A7=C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
+FFFDEEC7=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFD01D3=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFDFE9F=C:\WINDOWS\RUNDLL32.EXE
+FFFE2367=C:\SUE - TEMP\TO FIX SMITFRAUD.C\HIJACKTHIS.EXE
+FFFCD45F=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFFB2DD3=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFB6493=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFA1BD3=C:\SUE - TEMP\TO FIX SMITFRAUD.C\STARTDRECK.EXE
»Application specific

#10
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {DD4B4381-EA2F-11D9-80E0-444559E9F918} - (no file)
O2 - BHO: (no name) - {C695CB26-F410-11D9-80E0-444500A5F4DD} - C:\WINDOWS\SYSTEM\EFOGH.DLL

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O18 - Filter: text/html - {C695CB25-F410-11D9-80E0-4445F0776AAA} - C:\WINDOWS\SYSTEM\EFOGH.DLL
O18 - Filter: text/plain - {C695CB25-F410-11D9-80E0-4445F0776AAA} - C:\WINDOWS\SYSTEM\EFOGH.DLL


Close HiJackThis.

Using Windows Explorer, delete the following files:

C:\WINDOWS\SYSTEM\EFOGH.DLL
C:\WINDOWS\TEMP\se.dll

Reboot, then rescan with HiJackthis and post a new log.
  • 0
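
The thread's working method is to compare successive logs and pick out autostart entries that do not belong, such as the `rundll32` lines that load `SUPPOIT.TXT` and `TEMP\SE.DLL`. The following is an added example, not part of the original thread and not code from HijackThis or StartDreck, that automates that comparison in Python. The function names and flagging rules are illustrative assumptions, and the sample logs are abridged from posts #1, #4 and #7.

```python
import re

# A HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [sp] ...".
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# Captures the file rundll32 is told to load (paths with spaces are not handled).
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(\S+?),", re.I)

# Sample input, abridged from the HijackThis logs in posts #1 and #7 of this thread.
BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
O2 - BHO: (no name) - {DD4B4381-EA2F-11D9-80E0-444559E9F918} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""
AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
O2 - BHO: (no name) - {DD4B4381-EA2F-11D9-80E0-444559E9F918} - (no file)
O2 - BHO: (no name) - {C695CB26-F410-11D9-80E0-444500A5F4DD} - C:\WINDOWS\SYSTEM\EFOGH.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {C695CB25-F410-11D9-80E0-4445F0776AAA} - C:\WINDOWS\SYSTEM\EFOGH.DLL
"""
# Constructed: the RunServicesOnce value from the StartDreck log in post #4,
# rewritten in HijackThis O4 layout so the same rules can be applied to it.
STARTDRECK_ITEM = r"HKLM\..\RunServicesOnce: [*on] rundll32 C:\WINDOWS\SUPPOIT.TXT,DllGetClassObject"


def parse_hjt(text):
    """Return the set of (section, body) entries found in a HijackThis log."""
    found = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            found.add((m.group(1), m.group(2).strip()))
    return found


def reasons(section, body):
    """Heuristic reasons to look closer at an entry (a prompt, not a verdict)."""
    low, why = body.lower(), []
    m = RUNDLL.search(body) if section == "O4" else None
    if m:
        target = m.group(1).lower()
        if "\\" in target and not target.endswith(".dll"):
            why.append("rundll32 loads a file without a .dll extension")
        if "\\temp\\" in target:
            why.append("rundll32 loads a module from a TEMP directory")
    if section in ("R0", "R1") and "res://" in low and "\\temp\\" in low:
        why.append("IE setting points at a resource inside a TEMP file")
    if section == "O2" and ("(no file)" in low or "(file missing)" in low):
        why.append("BHO key is registered but its DLL is absent")
    if section == "O18" and "filter: text/" in low:
        why.append("MIME filter can rewrite text content before IE displays it")
    return why


def new_entries(before_log, after_log):
    """Entries present only in the later log, each with its reasons."""
    added = parse_hjt(after_log) - parse_hjt(before_log)
    return [(s, b, reasons(s, b)) for s, b in sorted(added)]


if __name__ == "__main__":
    for section, body, why in new_entries(BEFORE, AFTER):
        print(f"NEW {section} - {body}")
        for w in why:
            print(f"      ! {w}")
    print(reasons("O4", STARTDRECK_ITEM))
```

The new `EFOGH.DLL` BHO matches none of the rules, yet the diff still surfaces it, which is why comparing against the earlier log matters more than any single pattern.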

#11
SmokyGirl (Topic Starter, Member, 23 posts)
Bananafanafo, sorry about the delay, but I couldn't stay awake any longer. Here is my latest HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 4:58:34 PM, on 7/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\HPZTSB06.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\SUE - TEMP\TO FIX SMITFRAUD.C\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TIES
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\UTILIT~1\SPYBOT~1.4\SDHELPER.DLL
O2 - BHO: (no name) - {4988C485-F419-11D9-80E0-F89D9152EFF5} - C:\WINDOWS\SYSTEM\EFOGH.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#12
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I went to bed shortly after posting as well

Run HiJackThis. Place a check next to this item and click FIX CHECKED:

O2 - BHO: (no name) - {4988C485-F419-11D9-80E0-F89D9152EFF5} - C:\WINDOWS\SYSTEM\EFOGH.DLL (file missing)

Close HiJackThis.

Please go here: Jotti Virus Scan

Click the "browse" button and locate this file:

C:\WINDOWS\SYSTEM\wininet.dll

Click "Open", then click the "Submit" button. Copy the results and paste them here along with a new HiJackThis log.

#13
SmokyGirl (Topic Starter, Member, 23 posts)
Hi Bananafanafo!
I'm back. I'd already removed the 'O2-BHO ...EFOGH.DLL (file missing)', along with Symantec lines (since I'm still getting their error on startup of a missing file 'C:\Program`1\Symantec\symevnt.386' - never mind I've tried uninstalling all their software numerous times.)

The jotti scan came back clean, but here is the log and a new HijackThis one:


Wininet.dll
Status: OK
MD5 3d3f0083f8c210541884b4625083257d
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


Logfile of HijackThis v1.99.1
Scan saved at 6:54:44 PM, on 7/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\HPZTSB06.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TIES
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

#14
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
We got rid of that nasty se.dll, so let's see if we can get you an anti-virus program without it giving an error.

Please download AVG - it's free and I highly recommend it.

Once it's downloaded, run a full system scan and post a new HiJackThis log.

BTW, Have you deleted the Symantec folders here:

C:\Programs Files\Symantec
C:\Program Files\Common Files\Symantec Shared

#15
SmokyGirl (Topic Starter, Member, 23 posts)
Yes I've deleted both of those Symantec folders. I also discovered that the C:Windows\Userconfig9x.dll file was infected with Netsky.

I'll give AVG a try and get back to you.