
smitfraud


6 replies to this topic

#1 randle.mcmurphy

  • Members
  • 3 posts

Posted 09 June 2005 - 03:49 PM

Please can somebody help?

I'm (trying) to help a friend with the smitfraud virus - originally she had a 'fatal error...' with a blue screen & trojan-spyware smitfraud - and it seemed to be causing regular crashes.

I followed your excellent step-by-step instructions on the self-help forum, and the desktop has returned to normal, i.e. the 'fatal error' message has disappeared, but when I started to run ActiveScan, it crashed, and continued to do so, on 3 or 4 occasions - I was never able to run a full scan. It always kicks me back to the ScanDisk page. I even tried to update Windows (don't think it's ever been done), in the vain hope this would help - but it just crashed.

This is even the 2nd time I've had to type this!

Please can someone help?

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 21:56:20, on 09/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKJOBS.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKSLAPI.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKTOPASS.EXE
C:\UNZIPPED\HIJACKTHIS_199\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://fastmetasearch.com/bar.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
F1 - win.ini: run=hpfsched
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {47B28440-D6D5-11D9-8071-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {47B28440-D6D5-11D9-8071-444553540000} - (no file) (HKCU)
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://dialer.offshoreclicks.com/files/900.../sex-viewer.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#2 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts

Posted 10 June 2005 - 09:50 AM

Hi randle.mcmurphy, welcome to BC. I'll be helping you with this problem. Give me a few minutes to review and I'll be right with you.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts

Posted 10 June 2005 - 11:27 AM

OK, you have at least one trojan I can see and a dialer that will run up your phone bill and no resident security programs. Let's get rid of the dialer and whatever else we can in the first round, then I'll recommend some protection for you to install ASAP.

First I need some more information about a couple of files. Go to the Jotti's malware scan site and submit the following files in bold for a malware scan:
http://virusscan.jotti.org/

Post the results of the scans in your next reply.

C:\WINDOWS\SYSTEM\autoclk.exe<--I know this one is bad but I want to see what it is named by the various AV companies to get more info on it.

C:\WINDOWS\STARTER.EXE<--If you don't recognize this file, navigate to the C:\WINDOWS folder, right click on STARTER.EXE, select Properties and see if the company name is there and if it is something you know. Otherwise have Jotti scan it and let me know either way.

Now--

1. Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows

2. Scan again with HijackThis 1.99.1. Put a checkmark by the following entries, double-checking to be sure that only these entries are checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://fastmetasearch.com/bar.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129

O4 - HKLM\..\Run: [autoclk] autoclk.exe

O9 - Extra button: Microsoft AntiSpyware helper - {47B28440-D6D5-11D9-8071-444553540000} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {47B28440-D6D5-11D9-8071-444553540000} - (no file) (HKCU)

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://dialer.offshoreclicks.com/files/900.../sex-viewer.exe


3. Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

4. Reboot your computer into Safe Mode and delete the following files if they exist:

C:\WINDOWS\SYSTEM\autoclk.exe

5. Now reboot back into normal mode. Now try running Panda ActiveScan
again. If you can't get it to work, try any two of these:

Kaspersky OnLine
eTrust Antivirus Web Scanner
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://www.freedom.net/viruscenter/...viruscheck.html
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

6. If you are still having problems with those, try downloading the free trial of TrojanHunter from here:
http://www.misec.net/trojanhunter/

Manually update it--instructions here:
http://www.misec.net/trojanhunter/updating/

Then run a full scan and post the results.

7. Now go to Windows Updates and see if you can get Internet Explorer updated to v. 6 Service Pack 1. If any problems with it, skip it and let me know, but it's important to get the latest version available, as the older ones are wide open to attacks of various kinds.

8. Scan again with HijackThis and post another log along with the report from TrojanHunter if you ran it.

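The triage Papakid does by eye in the post above (R0/R1 lines pointing at hosts the owner never chose, an O4 Run value that is a bare filename such as autoclk.exe rather than a full path, an O9 button with "(no file)" behind it, an O16 ActiveX download from a dialer site) can be applied mechanically to a pasted log. The script below is an added example written for this page, not code from the thread or from HijackThis itself. Its two allowlists (hosts the owner expects to see, and stock Windows 98 executables that legitimately appear as bare names) are assumptions chosen to fit this log, and the sample input is an excerpt of the first log posted above.

```python
"""Flag suspicious entries in a HijackThis 1.99.1 log (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlists for this illustration: hosts the owner expects to see
# (her ISP's home page and the online scanner used in the thread) and stock
# Windows 98 executables that legitimately appear as bare names in O4 lines.
TRUSTED_HOSTS = {"www.tiscali.co.uk", "www.pandasoftware.com"}
STOCK_AUTORUNS = {"systray.exe", "taskmon.exe", "scanregw.exe", "mstask.exe", "rundll32.exe"}

# Excerpt of the first log posted in the thread, used as sample input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://fastmetasearch.com/bar.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=28129
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {47B28440-D6D5-11D9-8071-444553540000} - (no file) (HKCU)
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://dialer.offshoreclicks.com/files/900.../sex-viewer.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# "HKLM\..\Run: [name] command"  or  "Startup: name.lnk = path"
O4_RE = re.compile(r"^(?:HK\w+\\\.\.\\\w+|Startup|Global Startup): (?:\[[^\]]+\]|(.+?\.lnk) =)\s*(.*)$")
# "DPF: {CLSID} (optional class name) - URL"
O16_RE = re.compile(r"^DPF: \{[^}]+\}(?:\s*\([^)]*\))?\s*-\s*(\S+)")


@dataclass
class Finding:
    section: str  # HijackThis section code: R1, O4, O9, O16 ...
    reason: str   # why the line was flagged
    line: str     # the raw log line, ready to paste back into a reply


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def executable_of(command: str) -> str:
    """First token of an O4 command, honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank and "Running processes" lines
        code, rest = m.groups()
        if code.startswith("R") and " = " in rest:
            url = rest.split(" = ", 1)[1].strip()
            if url.lower().startswith("http") and host_of(url) not in TRUSTED_HOSTS:
                findings.append(Finding(code, f"browser setting points at untrusted host {host_of(url)}", raw))
        elif code == "O4":
            om = O4_RE.match(rest)
            if om:
                # Startup .lnk targets are full paths; registry Run values may be bare names
                # that Windows resolves along its search path, which is how autoclk.exe hides.
                exe = om.group(2) if om.group(1) else executable_of(om.group(2))
                if "\\" not in exe and exe.lower() not in STOCK_AUTORUNS:
                    findings.append(Finding(code, f"bare-filename autorun {exe!r}: locate it on the search path and scan it", raw))
        elif code == "O9" and "(no file)" in rest:
            findings.append(Finding(code, "orphaned IE button/menu item (target file missing)", raw))
        elif code == "O16":
            om = O16_RE.match(rest)
            if om and host_of(om.group(1)) not in TRUSTED_HOSTS:
                findings.append(Finding(code, f"ActiveX download from untrusted host {host_of(om.group(1))}", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample excerpt this flags the two search hijacks, starter.exe and autoclk.exe as bare-name autoruns (starter.exe turns out to be the Ensoniq mixer, which is exactly why the bare-name rule only says "go and look", not "delete"), the orphaned AntiSpyware button and the offshoreclicks dialer download; the Tiscali start page, the fully-pathed scanregw.exe entry and the Panda ActiveScan control pass.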


#4 randle.mcmurphy
  • Topic Starter

  • Members
  • 3 posts

Posted 13 June 2005 - 12:28 PM

Hi Papakid

Thanks for your help on this, sorry for the delay in getting back to you.

I'm not having much luck i'm afraid -

I tried the virusscan.jotti scan you suggested, but couldn't find the files in question under the browse option - although I did find a couple of them in the HJT file, which I fixed (the auto.clk, offshore & anti-spyware helper files)

The ActiveScan, Kaspersky & evaluation copy of TrojanHunter all crashed mid-scan, as did the Windows Service Pack.

Hope you can help - here is my HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 18:36:11, on 13/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKJOBS.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKSLAPI.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKTOPASS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS_199\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://fastmetasearch.com/bar.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
F1 - win.ini: run=hpfsched
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab

#5 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts

Posted 14 June 2005 - 09:38 AM

Well, HijackThis seems to think you were successful in updating IE.

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Don't know if that means IE was successfully updated and other needed updates weren't or just what exactly. Lots of strange business going on with these new infections. Could you tell me what you mean exactly by crashing? Do you get a message that the app needs to close (if so please reproduce the exact message here), it closes on its own, or freezes so that you have to force it to close--just what exactly would be helpful.

Could you try the jotti scan again, please? I should've had you unhide files and folders before looking for them. So please make sure your files are unhidden and try again--not sure if you deleted autoclk.exe after running HijackThis, but I would still like to check out the other if possible.
How to see hidden files in Windows

Let's try installing an antivirus and see if it will help. Please download AVG Free from here:

AVG Virus Scan

Save the setup file to your desktop.

Now boot your computer into Safe Mode

Install AVG and run a full system scan.

While in safe mode, see if you can get TrojanHunter to complete. If it still crashes, but doesn't close, see if you can get a log of what it found up til then. Click on File>Save Scan Report.

Still in Safe Mode, Scan again with HijackThis 1.99.1. Put a checkmark by the following entries, double-checking to be sure that only these entries are checked--if still there:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://fastmetasearch.com/bar.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129

Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

Reboot.

Now see if you can run TrojanHunter. If still having problems with a full scan, try Quick Scan. It should show what's running in memory at least if successful and that's why I would like to see a log if we can get one.

And to investigate further--

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the mark all button.

6. Press the OK button.

7. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

8. Post a copy of the log as a reply to this post along with a fresh HijackThis log (scanned in normal mode) and any Trojan Hunter report you are able to save.

Let me know how this machine is running also--any unusual popups, strange behaviour, etc.



#6 randle.mcmurphy
  • Topic Starter

  • Members
  • 3 posts

Posted 14 June 2005 - 03:22 PM

Hi Papakid

I've made sure that all my files are 'unhidden', but still can't find the two you speak of (although I did find auto.clk on a previous HJT log & deleted it). When the system crashes, it just automatically shuts down without warning or message, and sends me to ScanDisk.

I did manage to run AVG in Safe Mode, which found three trojans: LF00!.exe, WOLD.exe & wldr.dll, which it removed. TrojanHunter also gave a complete scan in Safe Mode - the log is attached. I also found the two files in the HJT log, which I deleted.

However, when i try to run Trojan Hunter in normal mode, it still crashes.

Here are my logs:

(not much to report from Trojan):

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
Error: Unable to perform port check: PortChecker not initialized
Memory scan
No trojans found in memory
File scan
Error: Directory not found: D:\
No trojan files found

One last thing on StartDreck, I'm sure I'm being daft & it's just basics, but I've saved the log, but cannot seem to attach it here; also, when I run a new HJT log, it gives me a StartDreck log again! Am I doing something wrong?

Thanks

#7 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts

Posted 14 June 2005 - 05:51 PM

One last thing on StartDreck, I'm sure I'm being daft & it's just basics, but I've saved the log, but cannot seem to attach it here; also, when I run a new HJT log, it gives me a StartDreck log again! Am I doing something wrong?

I don't think so but not sure. I'm assuming you mean you can't copy and paste the log like you did the previous ones. ?? With the log file open, go to the Edit menu and click Select All, then Edit again>Copy.

If that doesn't work try redownloading HijackThis and StartDreck. You can use the self-extracting installer for HJT by following the directions in this tutorial:
http://www.bleepingcomputer.com/tutorials/how-to-post-a-hijackthis-log/

If all else fails you can attach them to an email and send them to Papakid at myway.com--substitute @ for at so the spambots don't get me.

Also send a log from Dllcompare--run this one in safe mode and the others if you have to, just let me know:

Please download Dllcompare from here:

http://www.bleepingcomputer.com/files/dllcompare.php

When it has downloaded, run the program and click on the Run Locate.com button. When that has completed, click on the Compare button. When that has completed, click on the Make Log button. Then post the contents of that log as a reply to this post.

Edited by Papakid, 14 June 2005 - 05:52 PM.
