> Smitfraud_c, Outerinfo, Winpop, on my XP, didn't know which to do first, so waiting...
PB & J
post Jul 12 2007, 08:26 PM
Post #1


Member
**

Group: Members
Posts: 28
Joined: 11-July 07
Member No.: 143,050



got this last weekend. Checked a lot online, and have downloaded SmitRem.exe, combofix.exe, OiUninstaller.exe, 2 different Hosters, Hijack This. I kept computer off internet connection completely, (unplugged the cable from router) since I was getting a batch of adware showing up every time I scanned, and I was scanning about every 15-20 min. It still "warns" me that it can't get on the internet...
SpyBot S&D always finds it, but cannot delete it. Someone suggested using SpyBot S&D in safe mode to get it. Try that first???
Sorry, I did not do all the things listed in your "before posting HJT", but I don't want to go online from that computer without being fairly certain it will be somewhat safe. My son built this computer, and took his hard drive with him when he moved, so I got new hard drive and OS and have just had it up for about a month before this happened (lazy me didn't have "time" to set up a firewall and get virus software, dumb, huh?) thanks, PB & J
whoops! just ran Spybot again and it got Win32.Agent.qt and Win32.VB.ahq, which also cannot be removed. PB&J
Logfile of HijackThis v1.99.1
Scan saved at 7:45:56 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Outerinfo\OuterinfoUpdate.exe
C:\WINDOWS\system32\??crosoft\d?dplay.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\PJ\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [zzGBK] D:\setup.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [Omla] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe" -vt yazb
O4 - HKCU\..\Run: [Ovi] C:\WINDOWS\system32\??crosoft\d?dplay.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...067/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

This post has been edited by PB & J: Jul 12 2007, 09:37 PM
 
Shaba
post Jul 13 2007, 05:12 AM
Post #2


Koutsi
******

Group: HJT Team Coach
Posts: 5,768
Joined: 8-July 06
From: Finland
Member No.: 75,186



Hi PB & J

"and have downloaded SmitRem.exe, combofix.exe, OiUninstaller.exe, 2 different Hosters, Hijack This"

Have you also run them?

Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :)


--------------------
Microsoft MVP Consumer Security


PB & J
post Jul 13 2007, 06:25 AM
Post #3

No not run yet because I wanted to know what to do first, someone replied to my initial question that I should "get rid of Smitfraud_c first" (leaving Outerinfo active while I'm online?). Does Outerinfo just download junk, i.e. ads? Or does it send back info I don't want it to have (bank codes)? I am not a techie, and don't know enough to know what usual effects of any of this stuff will be.
My smitfraud remove instructions include downloading and updating AVG 7.5 to desktop before doing all in safe mode. I am working on vintage W97 now, and only common media is floppy, so I assume AVG is larger than I could download to floppy and transfer, so would have to go online from the affected computer to get AVG, exactly what I've been avoiding.
Sorry but I'm a nervous nellie, here, everyone makes it sound so sequence-dependent.
Should I try running SpyBot in safe mode first? Spybot finds it, just can't get rid because it's running.

PB & J
post Jul 13 2007, 10:47 AM
Post #4

I've been working from home this morning so I could also work on this. I finally got my XP to open in safe mode, ran SpyBot S&D in safe, also OIuninstaller. restarted, and ran spybot again. found no infections. Still getting screens popping up saying "unable to connect to internet. continue offline?", then immediately after, get screen that is named "f4efd" that says "Run-time error '5': invalid procedure call or argument". And I still have the tiny corner of a window showing in the upper left corner of desktop, that is not large enough for me to click with mouse and bring down. It shows every time I boot, always running in background, but I don't know what it is. Next, my hijack this is on my desktop, how do I rename it? (right-click, properties brings a screen. Can I just go to Version and highlight the original file name and change Hijack This.exe to scanner.exe? pls advise. New logfile attached, but still called HJT. Thanks, I'm going to office now, and have meeting after work, so leave any msg, and have a good day tomorrow. PB&J
Logfile of HijackThis v1.99.1
Scan saved at 11:18:56 AM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\PJ\Desktop\Hijack This.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {136869FC-A24E-80BF-1C15-8F8DBF52D39D} - C:\WINDOWS\system32\msyivvyj.dll (file missing)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D9108109-E9A6-4541-9734-726247C10597} - C:\WINDOWS\system32\mljgg.dll
O2 - BHO: (no name) - {DA2065A9-EF28-4740-99E7-8A70CE4498F1} - C:\Program Files\MSN Gaming Zone\qubo83122.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\mljjife.dll
O4 - HKLM\..\Run: [zzGBK] D:\setup.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...067/mcfscan.cab
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: mljjife - C:\WINDOWS\SYSTEM32\mljjife.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
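
As an added example (not part of the original thread, and not a HijackThis or BleepingComputer tool), the Python below compares the entries of the two HijackThis logs posted above and attaches review hints to each change. The function names and the hint rules are assumptions of this example; the embedded lines are excerpts copied from the two logs.

```python
import re

# One HijackThis finding per line: section code, " - ", then the detail text.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Excerpts copied from the two logs posted in this thread (7/11 and 7/13 scans).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [Ovi] C:\WINDOWS\system32\??crosoft\d?dplay.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""


def parse_entries(log_text):
    """Return the set of (section, detail) pairs; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries


def review_flags(section, detail):
    """Hints for a human reviewer (rules assumed by this example, not verdicts)."""
    flags = []
    if detail.endswith("(file missing)"):
        flags.append("target file missing")
    if "?" in detail:  # assumed: '?' stands for a character the log could not render
        flags.append("'?' placeholder in path")
    if section == "O20":
        flags.append("DLL loaded by Winlogon (Notify key)")
    if section == "O4" and "\\" not in detail.split("] ", 1)[-1]:
        flags.append("autostart entry without a full path")
    return flags


def compare_logs(before, after):
    """Return (removed, added); each item is (section, detail, flags)."""
    old, new = parse_entries(before), parse_entries(after)

    def annotate(items):
        return [(s, d, review_flags(s, d)) for s, d in sorted(items)]

    return annotate(old - new), annotate(new - old)


if __name__ == "__main__":
    removed, added = compare_logs(LOG_BEFORE, LOG_AFTER)
    for label, items in (("gone", removed), ("new", added)):
        for section, detail, flags in items:
            print(f"{label:4} {section:3} {detail}  <- {', '.join(flags) or 'no hint'}")
```

A hint only marks an entry for a helper's review, and an entry reported as new may simply have been left out of the earlier paste.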

Shaba
post Jul 13 2007, 10:48 AM
Post #5

Hi

"Does Outerinfo just download junk, i.e. ads"

Yes.

"My smitfraud remove instructions include downloading and updating AVG 7.5 to desktop before doing all in safe mode"

AVG a-s (not AVG 7.5) is not necessary for removing smitfraud.

"Should I try running SpyBot in safe mode first? Spybot finds it, just can't get rid because it's running."

I am afraid it won't help at all. There are many infections that Spybot can't remove.

"Next, my hijack this is on my desktop, how do I rename it? (right-click, properties brings a screen. Can I just go to Version and highlight the original file name and change Hijack This.exe to scanner.exe?"

Go to Windows Explorer, go here -> C:\Documents and Settings\PJ\Desktop\, find HijackThis.exe, highlight it, press F2 and give it a new name.

Please run next combofix and post its log along with a fresh HijackThis log, please :)

This post has been edited by Shaba: Jul 13 2007, 10:50 AM

PB & J
post Jul 13 2007, 11:11 AM
Post #6

ref renaming hijack this, I tried several times, but all it does is change the label name on desktop, not on the program files itself. Is that what you want?
I MUST go to work now, so will run combofix tonight and re-post. thanks thanks thanks!
PB&J

Shaba
post Jul 13 2007, 11:13 AM
Post #7

Hi

"ref renaming hijack this, I tried several times, but all it does is change the label name on desktop, not on the program files itself. Is that what you want?"

According to your HjT log, HijackThis is on desktop and not on the program files.

If it is on the program files, browse there and repeat that process there.

PB & J
post Jul 13 2007, 12:49 PM
Post #8

(At work now, so away from the computer) Yes, HJT is on the desktop, and when I follow your directions, I can change the display name under icon, but the program itself still comes up and marks reports as "Hijack This". That's my question: is that what you want to happen?
SpyBot just before my last HJT posted showed no infections, but, as I said, I still have that little corner of white in the upper left corner of desktop and still get the message pop up every 15 minutes or so that "cannot connect to the internet". So something is still trying to connect.
I'll run Combofix when I get home tonight, but if you can let me know if the HJT rename situation is what you mean to happen, I will appreciate it.
PB&J

Shaba
post Jul 13 2007, 12:53 PM
Post #9

Hi

"Yes, HJT is on the desktop, and when I follow your directions, I can change the display name under icon, but the program itself still comes up and marks reports as "Hijack This". That's my question: is that what you want to happen?"

No.

If you have troubles renaming it:

1) Go to start -> run.
2) Type cmd and hit ok
3) Type cd\ and hit enter
4) Type cd C:\Documents and Settings\PJ\Desktop and hit enter
5) Type ren "Hijack This.exe" scanner.exe
6) Type exit

It should be now renamed :)

"SpyBot just before my last HJT posted showed no infections"

Yes but you are far from clean according to your HjT log.

Yes, run combofix and post its log along with HijackThis log; it'll remove most of infections.

PB & J
post Jul 13 2007, 04:08 PM
Post #10

I thought as much! Will change hjt name and run combo as soon as I get home tonight then re-post log
Thx much PB&J

PB & J
post Jul 13 2007, 09:18 PM
Post #11

Ha! next problem: I tried to follow your instructions to change name of Hijack This, and found that notepad seems to be running in the background, and I cannot use the keyboard for anything. now what? Mouse works. I tried logging off and on again, no good; so then I closed down for hard boot. no good. still no keyboard, but each time I try to close, it starts going through countdown because notepad is running (?) What now?
PB&J

This post has been edited by PB & J: Jul 13 2007, 09:19 PM

Shaba
post Jul 14 2007, 01:03 AM
Post #12

Hi

Do you mean that keyboard doesn't work in cmd window or at all in windows?

PB & J
post Jul 14 2007, 06:07 AM
Post #13

ALL windows.
do you think it will work at load up to hit F8 for safe mode?
I think if I can get to safe mode, I could run combofix.
but why is notepad being used? (what's using it, or keeping it busy so I can't use it?)
Thx

Shaba
post Jul 14 2007, 06:17 AM
Post #14

Hi

"do you think it will work at load up to hit F8 for safe mode?"

No idea.

If you can get it to work in Boot menu, try "Last Good Known Configuration".

"but why is notepad being used? (what's using it, or keeping it busy so I can't use it?)"

Well combofix can use it but it won't keep it reserved all the time.

PB & J
post Jul 14 2007, 06:21 AM
Post #15

but combofix is not up and running, just sitting on desktop
I'll go try again.
If worse comes to worst, can I re-format the hard drive still? that would be a pain, but I would only lose a month or so...

This post has been edited by PB & J: Jul 14 2007, 06:25 AM