Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

SmitFraud.c & W32Netsky.P Virus [RESOLVED]

Started by SmokyGirl , Jul 13 2005 06:44 PM

This topic is locked

#16
Michelle

Posted 15 July 2005 - 07:27 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Were you able to delete that file?

If not we can use a program called Killbox that will delete it.

But, AVG would still definitely need to be run, because that is one nasty worm and there are more files on your system from it.

#17
SmokyGirl

Posted 15 July 2005 - 09:56 PM

Member

Topic Starter
Member
23 posts

Bananafanafo,
Yes, I was able to remove Userconfig9x.dll, although I expected Windows to recreate a new uninfected one. Currently there is no C:\Windows\Userconfig9x.dll file.
I ran AVG and it found the same 89 files I thought I'd already deleted, this time in a folder I hadn't uncovered. They have all been quantantined.
Here is the latest Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:22 PM, on 7/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\HPZTSB06.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGWB.DAT
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TIES
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

#18
Michelle

Posted 15 July 2005 - 10:02 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Yes, I was able to remove Userconfig9x.dll, although I expected Windows to recreate a new uninfected one. Currently there is no C:\Windows\Userconfig9x.dll file.

That's a good thing! The userconfig9x.dll is never a good file - you don't want it on your computer. This file was not on your system until the worm put it there.

I ran AVG and it found the same 89 files I thought I'd already deleted, this time in a folder I hadn't uncovered. They have all been quantantined.

It found more than I expected!

I need you to do this as well - you should be able to run it OK since we've gotten rid of a lot of the infection:

ActiveScan

Copy the results of the ActiveScan and paste them.

#19
SmokyGirl

Posted 16 July 2005 - 12:10 AM

Member

Topic Starter
Member
23 posts

Bananafanafo,
I'll run the active scan, but first want to tell you I'm having MAJOR problems! This is the 1st I've been able to get back in Windows normal mode, to tell you my problems.
At power up, PC runs thru POST, the Windows splash screen appears, AVG boot scanner runs [I've tried disabling boot scan, but couldn't], then there is a quick c prompt, the Windows splash screen reappears, then Symantec's error msg displays, stating hit any key to continue. Somethings the key works and I can load up windows in Safe mode, but most times the PC freezes; there is a lot of disk accessing noise (usually read,write, read, write, then a VERY long pause (over 5 minutes). The keyboard and mouse are unresponsive and the hard disc goes silent, although it does respond when I insert a CD (reads the CD) but the screen remains with the symantec error msg. :tazz:

Other times I get a Windows Protection error, stating I need to restart the PC. Press any key (but it didn't wait while I logged the error, and restarted, running Scandisk because "I" hadn't shutdown properly. [unable to insert ranting emticon here] grrr...
I have removed some of the software I installed (Ad-Aware, XoftSpy v4.15) and had the same problems. Then I ran CleanUp! v4, with no success. finally I removed AVG and was able to get in Windows normal mode to update you.
I have StartDreck and HijackThis log files from just before and just after removing AVG, if you want to see them.
As I first stated I will run the Active Scan you suggested and let you know what happens!

#20
Michelle

Posted 16 July 2005 - 12:14 AM

Malware Removal Goddess

Retired Staff
8,928 posts

What kind of error messages from Symantec? Did you remove it through Add/Remove programs before you deleted those folders?

#21
SmokyGirl

Posted 16 July 2005 - 12:29 AM

Member

Topic Starter
Member
23 posts

I can't get Panda's Active Scan to run. The javascript won't open. I had this problem before posting to GTG also; both on this PC and 'my own Win 98 PC'.
I uninstalled Norton Anti-Virus, because it never would load without errors. I tried repairing, and removing from the setup disk. I then tried System Works, but again it won't install because "previous Symantic software is already installed". I uninstalled McAfee and then uninstalled Symantic's Live Update (via Control Panel's Add/Remove folder), then manually removed all the symantic folders that remained. However the error msg remains;

"Cannot find a device file that may be needed to run Windows or a Windows application.
the Windows registry or SYSTEM.INI files refers to this device file, but the device no longer exists.
If you deleted this file on purpose, try uninstalling the associated application using its uninstall or setup program.
If you still want to use the application associated with this device file, try reinstalling that application to replace
C:\PROGRA~1\SYMANTEC\SYMEVNT.386"

#22
Michelle

Posted 16 July 2005 - 12:33 AM

Malware Removal Goddess

Retired Staff
8,928 posts

This may work on a 98 but not 100% sure... Go to Start > Run - type:

system.ini

Click OK.

It should produce a log - if it does please copy everything in the notepad and paste it here.

#23
SmokyGirl

Posted 16 July 2005 - 12:36 AM

Member

Topic Starter
Member
23 posts

System.ini File:

[boot]
oemfonts.fon=vgaoem.fon
shell=Explorer.exe
system.drv=system.drv
drivers=mmsystem.dll power.drv
user.exe=user.exe
gdi.exe=gdi.exe
sound.drv=mmsound.drv
dibeng.drv=dibeng.dll
comm.drv=comm.drv
mouse.drv=mouse.drv
keyboard.drv=keyboard.drv
*DisplayFallback=0
fonts.fon=vgasys.fon
fixedfon.fon=vgafix.fon
386Grabber=vgafull.3gr
display.drv=pnpdrvr.drv

[keyboard]
keyboard.dll=
oemansi.bin=
subtype=
type=4

[boot.description]
system.drv=Standard PC
keyboard.typ=Standard 101/102-Key or Microsoft Natural Keyboard
mouse.drv=Standard mouse
aspect=100,96,96
display.drv=Standard PCI Graphics Adapter (VGA)

[386Enh]
ebios=*ebios
woafont=dosapp.fon
mouse=*vmouse, msmouse.vxd
device=*dynapage
device=*vcd
device=*vpd
device=*int13
keyboard=*vkd
display=*vdd,*vflatd

device=dva.386

[NonWindowsApp]
TTInitialSizes=4 5 6 7 8 9 10 11 12 13 14 15 16 18 20 22

[power.drv]

[drivers]
wavemapper=*.drv
MSACM.imaadpcm=*.acm
MSACM.msadpcm=*.acm
wave=mmsystem.dll
midi=mmsystem.dll

[iccvid.drv]

[mciseq.drv]

[mci]
cdaudio=mcicda.drv
sequencer=mciseq.drv
waveaudio=mciwave.drv 9
avivideo=mciavi.drv
videodisc=mcipionr.drv
vcr=mcivisca.drv
MPEGVideo=mciqtz.drv
QTWVideo=C:\WINDOWS\SYSTEM\MCIQTW.DRV
MPEGVideo2=mciqtz.drv

[vcache]

[Macx]

[drivers32]
msacm.lhacm=lhacm.acm
VIDC.VDOM=vdowave.drv
MSACM.imaadpcm=imaadp32.acm
MSACM.msadpcm=msadp32.acm
MSACM.msgsm610=msgsm32.acm
msacm.msg711=msg711.acm
MSACM.trspch=tssoft32.acm
vidc.CVID=iccvid.dll
VIDC.IV31=ir32_32.dll
VIDC.IV32=ir32_32.dll
vidc.MSVC=msvidc32.dll
VIDC.MRLE=msrle32.dll
VIDC.IV50=ir50_32.dll
msacm.iac2=C:\WINDOWS\SYSTEM\IAC25_32.AX
msacm.msg723=msg723.acm
vidc.M263=msh263.drv
vidc.M261=msh261.drv
VIDC.YUY2=msyuv.dll
VIDC.UYVY=msyuv.dll
VIDC.YVYU=msyuv.dll

#24
SmokyGirl

Posted 16 July 2005 - 12:39 AM

Member

Topic Starter
Member
23 posts

Bananafanafo is there anyway to delete the last reply? I let it slip by with a name intact.
Ooops!

#25
Michelle

Posted 16 July 2005 - 12:41 AM

Malware Removal Goddess

Retired Staff
8,928 posts

I will edit it out.

Please do this for me while I work on your solution for that problem.

This may fix the javascript problem:

http://www.microsoft...&DisplayLang=en

Please download and install it.

#26
Michelle

Posted 16 July 2005 - 12:52 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Do you know how to navigate in the registry?

BTW, I had a very similar problem with my ME system except it was a firewall causing the problem. I couldn't get into anything but Safe Mode, so I do know how to fix it :tazz:

#27
SmokyGirl

Posted 16 July 2005 - 01:07 AM

Member

Topic Starter
Member
23 posts

Yes I can navigate in the registry. I downloaded Windows 5.6 script file and will try Active Scan again.

#28
Michelle

Posted 16 July 2005 - 01:14 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Ok, I need you to do this:

Copy everything in the code box below (starting with REGEDIT4) and paste it into notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixse.reg on your desktop.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\New Windows]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

Double-click fixse.reg on your desktop and when asked if you want to merge with the registry click YES.

Then do this for me:

Go to Start > Run - copy the below line and paste it into the box:

regedit /e c:\symevent.txt "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\SymEvnt"

Click OK. Then navigate to C:\symevent.txt open it and copy everything inside and paste it here. Let me know if you don't find that .txt file because it means that registry key doesn't exist and we will have to look elsewhere.