Unable to Remove Smitfraud-C/PSGuard/Nsag-B [RESOLVED]



#1 nbeamer (Member, 14 posts)
I appear to be infected by Smitfraud-C, PSGuard, and/or Nsag-B (maybe they're all related?). Original symptoms were very slow computer, excessive harddrive activity, and when connected to the Internet, unauthorized apparent downloading. I updated my OS, and then used the following (updated) programs:

Ad-aware SE
Spybot Search and Destroy
Avast! (Alwil)
smitrem.exe

These seemed to help, but certain files/registries couldn't be accessed because they were in use. (I even ran the programs in Safe Mode, or upon reboot.) I did manage to replace my infected Wininet.dll file with a clean copy from my OS disk (replaced file while in DOS mode). However, some problems are resurfacing, and I have to clean things up again. Spybot S&D also shows registry entries that I can't fix.

Any help would be appreciated, thanks! Here's my HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 9:56:07 PM, on 10/26/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\3COM\MODEMMGR\PROGRAM\MDMMGR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.virtualrealityz.com/?7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.virtualrealityz.com/?6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.virtualrealityz.com/?3
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virtualrealityz.com/?1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://216.65.101.250/sbms/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.virtualrealityz.com/?4
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.virtualrealityz.com/?2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\D9B948C0.hta
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: 3Com Modem Manager.lnk = C:\Program Files\3COM\MODEMMGR\Program\mdmMgr.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O14 - IERESET.INF: START_PAGE_URL=http://business.dellnet.com/

#2 lovethepirk (Visiting Staff, 528 posts)
nbeamer,

Sorry for the wait we will be with you very shortly with some instructions.
Thanks for your patience.

Lovethepirk

#3 lovethepirk (Visiting Staff, 528 posts)
nbeamer,

Welcome to G2G and we are sorry you had to wait. Although you might have already run through some of these steps, please do so again so we are covering all our bases.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

First please try going into add/remove programs in your control panel and uninstalling this:
PSGuard

Download this file again, smitRem.exe, and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Scan with HijackThis again and place a check next to these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.virtualrealityz.com/?7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.virtualrealityz.com/?6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.virtualrealityz.com/?3
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virtualrealityz.com/?1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://216.65.101.250/sbms/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.virtualrealityz.com/?4
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.virtualrealityz.com/?2

O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe


We recommend that you fix this next entry as it is a known resource hog and does not need to be running:
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

I also see that you have restrictions on your Internet Explorer browser. If neither you nor your administrator has set these restrictions, you may also choose to have HijackThis fix these additional two lines.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Close all other windows except HijackThis, and hit Fix Checked

Navigate to this folder and remove it:
C:\Program Files\PSGuard

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

Also uncheck "View my Active desktop as a web page".
Click OK then Apply and OK.


Restart your computer in normal mode.

Run Panda's online virus scan and perform a full system scan. Make sure the Autoclean box is checked!
Save the log from Panda for us to look at..

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the smitRem tool, which will be located at C:\smitfiles.txt, and post the Panda log.
Let us know if any problems persist.
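As an added example that is not part of this thread or of HijackThis itself, the Python script below applies the same triage the reply above does by hand, run over log lines copied from the logs posted in this thread: it groups the R0/R1 browser settings by host (one unfamiliar host wired into several settings is the hijack signature), flags an O4 autostart whose target is a script such as an .hta in the system directory or whose name looks generated, flags the PSGuard entry by name, notes the O6 restrictions policy, and lists "(file missing)" entries as dead references. The KNOWN_HOSTS allow-list (the Dell OEM page named in the log's IERESET.INF line) and the ROGUE_NAMES set (only the product named in this thread) are assumptions for the demo, and the random-name test is a heuristic, not a HijackThis feature.

```python
"""Triage of HijackThis v1.99 log lines (added example, not a thread tool)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

KNOWN_HOSTS = {"business.dellnet.com", "www.dell.com"}   # OEM defaults (assumed)
ROGUE_NAMES = {"psguard"}                                 # rogue named in the thread
SCRIPT_EXT = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf")

_R_LINE = re.compile(r"^R[01] - (.+?),(.+?) = (\S+)")
_O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
_EXE_RE = re.compile(r"([^\\/\s]+\.(?:exe|com|bat|hta|vbs|vbe|js|jse|wsf|dll|scr|pif))\b", re.I)


def looks_random(token):
    """Heuristic for generated names such as cAg0u or D9B948C0: a hex blob, or a
    short mixed-case token with digits. Single-case names (point32, KB891711)
    pass as ordinary."""
    stem = token.rsplit(".", 1)[0]
    if re.fullmatch(r"[0-9A-Fa-f]{8,}", stem):
        return True
    if stem.isupper() or stem.islower():
        return False
    interior_upper = any(c.isupper() for c in stem[1:])
    has_digit = any(c.isdigit() for c in stem)
    return interior_upper and has_digit and len(stem) <= 8


def triage(lines):
    """Return (findings, hosts): findings is a list of (severity, reason, line);
    hosts maps each non-allow-listed host to the IE settings pointing at it."""
    findings = []
    hosts = defaultdict(set)
    for line in lines:
        line = line.strip()
        m = _R_LINE.match(line)
        if m:
            key, setting, url = m.groups()
            host = urlparse(url).hostname
            if not host or host in KNOWN_HOSTS:
                continue                      # e.g. Window Title carries no URL
            hosts[host].add(key.split("\\")[0] + ":" + setting)
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
                findings.append(("high", "browser setting points at a raw IP", line))
            continue
        m = _O4_LINE.match(line)
        if m:
            _where, name, command = m.groups()
            e = _EXE_RE.search(command)       # the executable inside the command line
            base = e.group(1) if e else (command.split() or [""])[0]
            if base.lower().endswith(SCRIPT_EXT):
                findings.append(("high", "autostart runs a script file", line))
            elif name.lower() in ROGUE_NAMES or base.lower().split(".")[0] in ROGUE_NAMES:
                findings.append(("high", "known rogue security product", line))
            elif looks_random(name) or looks_random(base):
                findings.append(("medium", "autostart with random-looking name", line))
            continue
        if line.startswith("O6 - ") and "Restrictions present" in line:
            findings.append(("medium", "IE restrictions policy set", line))
        elif "(file missing)" in line:
            findings.append(("low", "dead entry, target file missing", line))
        elif line.startswith("O16 - DPF:"):
            findings.append(("info", "downloaded ActiveX control", line))
    # One host wired into several IE settings at once is the hijack signature.
    for host, settings in hosts.items():
        if len(settings) >= 2:
            findings.append(("high", f"{len(settings)} IE settings redirected to {host}", host))
    return findings, dict(hosts)


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.virtualrealityz.com/?7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.virtualrealityz.com/?6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.virtualrealityz.com/?3
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virtualrealityz.com/?1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://216.65.101.250/sbms/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.virtualrealityz.com/?4
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.virtualrealityz.com/?2
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\D9B948C0.hta
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

if __name__ == "__main__":
    rank = {"high": 0, "medium": 1, "low": 2, "info": 3}
    found, _hosts = triage(SAMPLE_LOG.splitlines())
    for sev, reason, line in sorted(found, key=lambda f: rank[f[0]]):
        print(f"[{sev:6}] {reason}: {line}")
```

The uppercase-only rule is what keeps an ordinary update name like KB891711 out of the random-name bucket while still catching cAg0u and D9B948C0; a real tool would replace the one-entry ROGUE_NAMES set with a signature list and treat every unmatched O4 target as something to look up rather than trust.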

#4 nbeamer (Topic Starter, Member, 14 posts)
I followed your instructions, and the requested log files are included below. Here are some "anomalies" I encountered along the way, just in case it makes any difference:

PSGuard did not show under "Add/Remove Programs" (I may have removed it previously).

Five of the items you instructed me to check for removal with HijackThis didn't appear after the last run (maybe the newer version of Ad-Aware SE got them).

You only specified one line (not two) related to IE restrictions, and only that one line appeared in HijackThis. I checked it for removal.

The folder C:\Program Files\PSGuard did not exist for removal. (Again, I may have also removed this previously.)

I didn't see any evidence of Disk Cleanup running at the completion of smitRem.exe. Maybe it just ran real fast?

I could not find Control Panel -> Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" (remember, I'm running Win98SE). However, right-clicking my desktop did reveal Active Desktop -> View As Web Page, which I did uncheck.

I saw no Autoclean box to check within Panda ActiveScan, so I just started it and it ran.

Anyway, things seemed to go well. No problems are evident with the computer right now, but things looked "fixed" once before, and then problems re-emerged. Here are my HijackThis, smitRem and Panda logs (thanks again!):

Logfile of HijackThis v1.99.1
Scan saved at 6:33:05 AM, on 11/02/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\3COM\MODEMMGR\PROGRAM\MDMMGR.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\D9B948C0.hta
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: 3Com Modem Manager.lnk = C:\Program Files\3COM\MODEMMGR\Program\mdmMgr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab



smitRem © log file
version 2.7

by noahdfear

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~

oleext.dll

~~~ Icons in system folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~ wininet.dll ~~~~

wininet.dll Present!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~

oleext.dll

~~~ Icons in system folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~ wininet.dll ~~~~

wininet.dll Clean!!

Incident                    Status           Location
Spyware:spyware/smitfraud   No disinfected   C:\WINDOWS\SYSTEM\oleext.dll
Dialer:Dialer.Gen           No disinfected   C:\WINDOWS\SYSTEM\CyberFoxes-uninstall.exe
Dialer:Dialer.Gen           No disinfected   C:\WINDOWS\SYSTEM\Sexy Girls-uninstall.exe
Spyware:Spyware/Smitfraud   No disinfected   C:\WINDOWS\SYSTEM\oleext.dll

#5 lovethepirk (Visiting Staff, 528 posts)
nbeamer,

You did well and thanks for the good feedback.

Navigate to these files and delete them please:
C:\WINDOWS\SYSTEM\oleext.dll
C:\WINDOWS\SYSTEM\CyberFoxes-uninstall.exe
C:\WINDOWS\SYSTEM\Sexy Girls-uninstall.exe

Please go to this website and submit the following file for viruses/trojans:
http://virusscan.jotti.org/

Submit this file:

C:\WINDOWS\SYSTEM\D9B948C0.hta


Let us know what the results were for the file(s).

Reboot and please run one last online scan...

Please run Bitdefender scan here:
http://www.bitdefend...m/scan8/ie.html
Scan your entire computer and delete any bad files it finds and post any log it produces.

Also post another HJT log for us to look at with feedback on how things went.

Thanks,

LTP

#6 nbeamer (Topic Starter, Member, 14 posts)
Since our last efforts, the computer was used, and developed problems with slowness again. So, I repeated the previous instructions you gave me. Things went well (AdAware found and cleaned a couple of items, and smitRem showed clean), but Panda ActiveScan produced this log:

Incident                    Status           Location
Spyware:spyware/smitfraud   No disinfected   C:\WINDOWS\Desktop\Download Music.url
Spyware:Spyware/Smitfraud   No disinfected   C:\RECYCLED\DC5.DLL
Dialer:Dialer.Gen           No disinfected   C:\RECYCLED\DC6.EXE
Dialer:Dialer.Gen           No disinfected   C:\RECYCLED\DC7.EXE

I deleted the first item listed (and another similarly suspicious one on my desktop), then emptied my recycle bin.

Next I rebooted and followed your more recent instructions. I deleted the three files as directed, then tried the "jotti" scan, which came back saying that D9B948C0.hta had a size of 0 Kb, and that a firewall (I don't have one) or a virus was preventing the file from being scanned. I searched for the file on my computer and could not find it (yes, my folder options were set for "show all files"). Apparently this file no longer exists on my machine. Does this mean I can check the reference to it on my next HJT run (to remove this)?

I then rebooted and ran Bitdefender. I'm not sure how well this ran, because during the download of virus definitions it stopped and said the download failed, but that it might still run OK. So I ran it, although I'm not sure if it really scanned ALL my files. It did complete, and this is the only log I could extract from it:

BitDefender Online Scanner - Real Time Virus Report
Generated at: Thu, Nov 03, 2005 - 22:03:40
--------------------------------------------------------------------------------

Scan Info
Scanned Files 18579
Infected Files 2

Virus Detected
One_Half.3591 2

--------------------------------------------------------------------------------
This summary of the scan process will be used by the BitDefender Antivirus Lab to create aggregate statistics about virus activity around the world.

I ran Bitdefender again, and this time it seemed to successfully complete the definitions download. The scan still seemed to run "short" (only twenty-some-thousand scanned files or so), but, again, it did finish, and the log showed that nothing was found on this second run.

I rebooted once more (into normal Windows mode), and ran HJT, getting the following log:
(Thanks again for your help!)

Logfile of HijackThis v1.99.1
Scan saved at 10:39:18 PM, on 11/03/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\3COM\MODEMMGR\PROGRAM\MDMMGR.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\D9B948C0.hta
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: 3Com Modem Manager.lnk = C:\Program Files\3COM\MODEMMGR\Program\mdmMgr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Dell Home - {6CAF5AC0-725E-11D3-AF8D-40084BC17C2F} - http://www.dell.com/ (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab

Edited by nbeamer, 04 November 2005 - 09:26 AM.


#7 lovethepirk (Visiting Staff, 528 posts)
Sounds like the only thing we are dealing with here is slowness.

Let's try something here and see if it works. You have an item in your log that pertains to a security update from Microsoft. It has been updated to fix some issues but I am not sure when you got this update. Let's disable this update from running on your computer for a while and see how your computer responds. If things look better we should try then to uninstall the update and then redownload it.

Scan with HijackThis again and place a check next to these items:

O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\D9B948C0.hta
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Dell Home - {6CAF5AC0-725E-11D3-AF8D-40084BC17C2F} - http://www.dell.com/ (file missing) (HKCU)

Close all other windows except HijackThis, and hit Fix Checked

Reboot.

Now see if you can get a feel for how the computer is running.

Let us know and please post another HJT log.

Thanks,

LTP

Edited by lovethepirk, 04 November 2005 - 11:35 PM.


#8 nbeamer (Topic Starter, Member, 14 posts)
I ran HijackThis as instructed, checked the five items indicated, hit "Fix Checked", rebooted, ran HijackThis again and saved a logfile (see below). I'll let you know about system performance after I use it a bit more.

At this point I would also like to mention that whenever I run Spybot Search & Destroy 1.3 it still finds seven "registry changes" related to Smitfraud-C:

HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\win-eto.com\*!=W=4
HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vv7.al.57e.net\*!=W=4
HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vparivalka.com\*!=W=4
HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracktraff.cc\*!=W=4
HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trackhits.cc\*!=W=4
HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s13.tempx.cc\*!=W=4
HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com\*!=W=4

Spybot S&D is unable to clean these, saying that they are in use. It is also unable to clean them upon startup, even in Safe Mode. Also, my Spybot S&D's "latest detection update" is August 4, 2005. I think that's when I first installed S&D. When trying to update definitions, the update always fails ("Bad Checksum"), so I haven't been able to get more recent updates. Anyway, my point is that I still detect Smitfraud-C residue, and have not been able to get rid of it.

Thanks again, and here's my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:13:24 PM, on 11/05/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\3COM\MODEMMGR\PROGRAM\MDMMGR.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: 3Com Modem Manager.lnk = C:\Program Files\3COM\MODEMMGR\Program\mdmMgr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab

Edited by nbeamer, 05 November 2005 - 11:53 PM.


#9 lovethepirk (Visiting Staff, 528 posts)
Those entries that were found by Spybot are valid entries, they are restricted sites put in your registry for safety.

Now, you are running the old version of Spybot(1.3). Let's get you up and running with version 1.4, updates and all :)

Please go into add/remove programs in your control panel and uninstall Spybot - Search & Destroy

Then go to this website and download the most up-to-date Spybot:
http://www.download....spybot&subj=dl
Install it and UPDATE it. Hopefully the updates go well, if not let us know, there are ways around this.

Run a scan with the new Spybot and see if it still finds those legit entries :)

Please check to see if you have the latest adaware se version 1.06...
--if not please uninstall your current version and get the latest here:
http://lavasoft.elem...pport/download/


Let us know how things went with the updates and then tell us how the computer is running.

#10 nbeamer (Topic Starter, Member, 14 posts)
Thanks for the advice about the Spybot version (I thought I had the latest). As you directed, I uninstalled Spybot 1.3, downloaded Spybot 1.4, installed it, updated it (successfully this time!), and scanned my system. No problems were found (!), so I guess the upgrade/update took care of the false positives on the legit reg entries. The scan ran incredibly fast compared to Spybot 1.3; I hope that's to be expected.

I DO have the latest version of Ad-Aware SE (1.06) and I've been keeping it updated and using it, so I should be OK in that department.

The computer has bogged down a few times (screen windows taking a long time to open or close while I stare impatiently at the hourglass cursor, system not responding to mouse clicks, system freezing up, etc.) since my last "corrective actions". However, right now it appears OK, so maybe I should see how it continues to run for a while, before we try anything else.

Thanks again!

#11 lovethepirk (Visiting Staff, 528 posts)
nbeamer,

I was a bit concerned about those entries that the old spybot found and after a bit of investigation it seems they may have been morphed entries by an infection. Although the new spybot did not find them I would still like you to run this registry fix...

Instructions: Copy and paste the quoted text into a text editor such as Notepad.
Save this text as Fixme.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on Fixme.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[-HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\win-eto.com]
[-HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vv7.al.57e.net]
[-HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vparivalka.com]
[-HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracktraff.cc]
[-HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trackhits.cc]
[-HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s13.tempx.cc]
[-HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]

[HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\win-eto.com]
"*"=dword:00000004

[HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vv7.al.57e.net]
"*"=dword:00000004

[HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vparivalka.com]
"*"=dword:00000004

[HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracktraff.cc]
"*"=dword:00000004

[HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trackhits.cc]
"*"=dword:00000004

[HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\s13.tempx.cc]
"*"=dword:00000004

[HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
"*"=dword:00000004


After this let us know if your computer is running slower than you think it has in the past. Your computer looks clean now, but if things are slow we could do some more digging.


Regards,

Lovethepirk

#12 nbeamer (Topic Starter, Member, 14 posts)
I created the Fixme.reg file and ran it; all went well. Then I rebooted and ran my usual "suite" of malware tools: Ad-Aware SE 1.06, Spybot S&D 1.4, and Alwil Avast!

Ad-Aware, as usual, found and cleaned a few "tracking cookies". Avast found nothing. Spybot ran MUCH LONGER than last time (I suspected that something was "weird" with the last run, since it only took a few seconds!) Spybot found 23 "Zonemap.Ranges" issues of the forms:

HKEY_USERS\D.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Rangex\:Range

and:

HKEY_USERS\Software\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Rangex\:Range

where x = 0 to 11, with the exception of:

HKEY_USERS\D.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9\:Range

which was not found.

I allowed Spybot to "fix" these, which it did successfully. (I hope this was the proper thing to do.)

I'll let you know about system performance once we get some use on the computer. Aside from the slowness experienced, however, here's a typical problem: If the computer has been sitting idle for a while (hours), and has gone into screen-saver and monitor power-saver mode, it often can't be woken up; moving the mouse or touching the keys does not bring the monitor out of power-saver mode, and I don't hear any hard drive activity either. Ctrl-Alt-Del usually does nothing; sometimes a second Ctrl-Alt-Del results in a reboot, but sometimes the only solution is a hard reboot. Our ISP is Juno, and we use their software (Microsoft IE based) for dialup service. If it has any bearing on the problem, this software is usually left running all day, although we only connect when we need to.
  • 0

#13
lovethepirk

lovethepirk

    Visiting Staff

  • Member
  • PipPipPip
  • 528 posts
Sounds like you might have the option to turn off the hard drive after a set number of minutes/hours on.

Go into Start > Settings > Control Panel > Display and see if you can find anything checked about turning off hard disks.

If you do I would unselect that. You could also play with the configuration a bit to see if you can figure something out.

After a little bit of tinkering please post another HJT log :tazz:

Edited by lovethepirk, 10 November 2005 - 06:44 PM.

  • 0

#14
nbeamer

nbeamer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Well, today, every time I sneaked up on the computer and moved the mouse, it woke up right away, just as it should. I thought that maybe we actually "cured" the machine, but when I clicked to connect to the internet, the same old problems recurred: long pauses (maybe 5 to 10 seconds) where everything appeared frozen (cursor, screen activity, etc.) occurring every few seconds, and frantic audible hard drive activity during these periods. I click to close a window, and it takes forever, while all this is going on. It's as if something is going on in the background that I don't know about, and that's what scares me. Restarting the computer always seems to make this problem go away, at least for a while. Also, I noticed that the system time clock is showing the wrong time (another symptom that I've seen in the past).

By the way, I checked, and yes, the display control panel WAS set to shut down the hard drive after an hour, so I changed it to "never". Shouldn't that setting have been OK, though, and shouldn't the hard drive have woken up when I moved the mouse? This isn't a laptop, so I don't know if this setting even affects anything. Anyway, I'm still currently set to start the screen saver after 10 minutes, and turn off the monitor after 15 minutes, but now the system should never try to turn off the hard drive.

Here's the latest HJT log:
(Thanks again!)

Logfile of HijackThis v1.99.1
Scan saved at 8:19:03 PM, on 11/10/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\3COM\MODEMMGR\PROGRAM\MDMMGR.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: 3Com Modem Manager.lnk = C:\Program Files\3COM\MODEMMGR\Program\mdmMgr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
  • 0

#15
lovethepirk

lovethepirk

    Visiting Staff

  • Member
  • PipPipPip
  • 528 posts
nbeamer,

Glad to hear we fixed that hard disk shutoff :tazz: Let's clean your temporary files, then do a more detailed look at what might be running on your computer.

Download Crap Cleaner from here or here.
Install and run it. The windows tab should be opened in the upper left of the program. Click analyze and then click run cleaner.


Please download SilentRunners from here:
http://www.silentrun...ent Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

Thanks,

LTP
  • 0





