
Smitfraud_c, Outerinfo, Winpop


This topic is locked.
45 replies to this topic

#1 PB & J
  • Members
  • 28 posts

Posted 12 July 2007 - 08:26 PM

Got this last weekend. Checked a lot online, and have downloaded SmitRem.exe, combofix.exe, OiUninstaller.exe, 2 different Hosters, and HijackThis. I kept the computer off the internet connection completely (unplugged the cable from the router), since I was getting a batch of adware showing up every time I scanned, and I was scanning about every 15-20 min. It still "warns" me that it can't get on the internet...
SpyBot S&D always finds it, but cannot delete it. Someone suggested using SpyBot S&D in safe mode to get it. Try that first???
Sorry, I did not do all the things listed in your "before posting HJT", but I don't want to go online from that computer without being fairly certain it will be somewhat safe. My son built this computer, and took his hard drive with him when he moved, so I got a new hard drive and OS and have just had it up for about a month before this happened (lazy me didn't have "time" to set up a firewall and get virus software, dumb, huh?). Thanks, PB & J
Whoops! Just ran Spybot again and it got Win32.Agent.qt and Win32.VB.ahq, which also cannot be removed. PB&J
Logfile of HijackThis v1.99.1
Scan saved at 7:45:56 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Outerinfo\OuterinfoUpdate.exe
C:\WINDOWS\system32\??crosoft\d?dplay.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\PJ\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [zzGBK] D:\setup.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [Omla] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe" -vt yazb
O4 - HKCU\..\Run: [Ovi] C:\WINDOWS\system32\??crosoft\d?dplay.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...067/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Edited by PB & J, 12 July 2007 - 09:37 PM.



#2 Shaba (Koutsi)
  • Members
  • 7,872 posts
  • Location: Finland

Posted 13 July 2007 - 05:12 AM

Hi PB & J

"and have downloaded SmitRem.exe, combofix.exe, OiUninstaller.exe, 2 different Hosters, Hijack This"

Have you also run them?

Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please :thumbsup:
Microsoft MVP Consumer Security

#3 PB & J (Topic Starter)
  • Members
  • 28 posts

Posted 13 July 2007 - 06:25 AM

No, not run yet, because I wanted to know what to do first; someone replied to my initial question that I should "get rid of Smitfraud_c first" (leaving Outerinfo active while I'm online?). Does Outerinfo just download junk, i.e. ads? Or does it send back info I don't want it to have (bank codes)? I am not a techie, and don't know enough to know what the usual effects of any of this stuff will be.
My smitfraud removal instructions include downloading and updating AVG 7.5 to the desktop before doing it all in safe mode. I am working on a vintage W97 machine now, and the only common media is floppy, so I assume AVG is larger than I could download to floppy and transfer, so I would have to go online from the affected computer to get AVG, exactly what I've been avoiding.
Sorry, but I'm a nervous nellie here; everyone makes it sound so sequence-dependent.
Should I try running SpyBot in safe mode first? Spybot finds it, it just can't get rid of it because it's running.

#4 PB & J (Topic Starter)
  • Members
  • 28 posts

Posted 13 July 2007 - 10:47 AM

I've been working from home this morning so I could also work on this. I finally got my XP to open in safe mode, ran SpyBot S&D in safe mode, also OIuninstaller. Restarted, and ran Spybot again; found no infections. Still getting screens popping up saying "unable to connect to internet. continue offline?", then immediately after, I get a screen named "f4efd" that says "Run-time error '5': invalid procedure call or argument". And I still have the tiny corner of a window showing in the upper left corner of the desktop, which is not large enough for me to click with the mouse and bring down. It shows every time I boot, always running in the background, but I don't know what it is.

Next, my HijackThis is on my desktop; how do I rename it? (Right-click, Properties brings up a screen. Can I just go to Version and highlight the original file name and change Hijack This.exe to scanner.exe?) Pls advise. New logfile attached, but still called HJT. Thanks, I'm going to the office now, and have a meeting after work, so leave any msg, and have a good day tomorrow. PB&J
Logfile of HijackThis v1.99.1
Scan saved at 11:18:56 AM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\PJ\Desktop\Hijack This.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {136869FC-A24E-80BF-1C15-8F8DBF52D39D} - C:\WINDOWS\system32\msyivvyj.dll (file missing)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {D9108109-E9A6-4541-9734-726247C10597} - C:\WINDOWS\system32\mljgg.dll
O2 - BHO: (no name) - {DA2065A9-EF28-4740-99E7-8A70CE4498F1} - C:\Program Files\MSN Gaming Zone\qubo83122.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\mljjife.dll
O4 - HKLM\..\Run: [zzGBK] D:\setup.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...067/mcfscan.cab
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O20 - Winlogon Notify: mljjife - C:\WINDOWS\SYSTEM32\mljjife.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

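The second log above carries several indicators that a removal helper weighs by eye: a BHO and a Winlogon Notify entry that share a DLL, BHOs with no display name or whose file is already gone, a Run entry with "?" in its path (an illegal character in a Windows file name, so it can only be HijackThis substituting for characters it could not render), a Run/RunServices command that is not an executable, and an autostart pointing at a non-system drive. As an added triage example, not part of the original thread and not something HijackThis does itself, the script below applies those checks to lines copied from that log (the sample is constructed from the thread's own entries plus three benign lines for contrast; the function names and the rules are this example's own heuristics, not a verdict on any single entry):

```python
"""Heuristic triage of HijackThis 1.99 log entries (added example, not HijackThis code)."""
import re

# Sample constructed from entries in the second log posted in this thread.
# Benign lines (ssv.dll, jusched.exe, HPZipm12.exe) are included for contrast.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {136869FC-A24E-80BF-1C15-8F8DBF52D39D} - C:\WINDOWS\system32\msyivvyj.dll (file missing)
O2 - BHO: (no name) - {D9108109-E9A6-4541-9734-726247C10597} - C:\WINDOWS\system32\mljgg.dll
O4 - HKLM\..\Run: [zzGBK] D:\setup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Ovi] C:\WINDOWS\system32\??crosoft\d?dplay.exe
O20 - Winlogon Notify: mljgg - C:\WINDOWS\system32\mljgg.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First token of an unquoted O4 command that ends in a program-like extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))(?=\s|$)", re.IGNORECASE)
RUNNABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def _target(body: str) -> str:
    """Pull the file/command part out of an entry body."""
    if body.startswith(("HKLM", "HKCU")) and "] " in body:   # O4 - HKxx\..\Run: [name] command
        return body.split("] ", 1)[1].strip()
    if " = " in body:                                       # O4 - Global Startup: x.lnk = path
        return body.split(" = ", 1)[1].strip()
    return body.rsplit(" - ", 1)[-1].strip()                # O2/O20/O23: last ' - ' field is the path


def _exe_path(target: str, code: str) -> str:
    """Strip HijackThis annotations, quotes and command-line arguments."""
    t = target.replace("(file missing)", "").strip()
    if t.startswith('"'):
        return t[1:].split('"', 1)[0]
    if code == "O4":
        m = EXE_RE.match(t)
        return m.group(1) if m else t
    return t


def triage(log_text: str) -> dict:
    """Return {log line: [reasons]} for every entry that trips a heuristic."""
    findings, bho_dlls, notify_dlls = {}, {}, {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        path = _exe_path(_target(body), code)
        basename = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "(file missing)" in body:
            reasons.append("registered component is no longer on disk (orphaned entry)")
        if "?" in path:
            # '?' is illegal in Windows file names, so it can only be HijackThis
            # substituting for characters it could not render: a lookalike folder name.
            reasons.append("unprintable characters in path (lookalike of a system folder)")
        if re.match(r"^[A-Za-z]:\\", path) and not path.upper().startswith("C:\\"):
            reasons.append("autostart points at a non-system drive")
        if code == "O4":
            if "RunServices" in body:
                reasons.append("RunServices key populated (Windows 9x-era key, unusual on XP)")
            if not path.lower().endswith(RUNNABLE_EXTS):
                reasons.append("autostart command is not an executable file")
        if code == "O2":
            if "(no name)" in body:
                reasons.append("BHO registered without a display name")
            bho_dlls.setdefault(basename, []).append(line)
        if code == "O20":
            notify_dlls[basename] = line
        if reasons:
            findings[line] = reasons
    # Cross-reference: one DLL hooked both as a BHO and as a Winlogon Notify
    # handler is loaded by winlogon.exe at logon whether or not IE ever starts.
    for name in bho_dlls.keys() & notify_dlls.keys():
        note = "same DLL registered both as a BHO and as a Winlogon Notify handler"
        for entry in bho_dlls[name] + [notify_dlls[name]]:
            findings.setdefault(entry, []).append(note)
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print("    ->", r)
```

Run against the sample, seven of the ten lines are flagged and the three vendor entries pass; the cross-reference rule is the one that ties the unnamed BHO to the Winlogon Notify hook, which is why removing only the BHO would leave the DLL reloading at the next logon.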
#5 Shaba (Koutsi)
  • Members
  • 7,872 posts
  • Location: Finland

Posted 13 July 2007 - 10:48 AM

Hi

"Does Outerinfo just download junk, i.e. ads"

Yes.

"My smitfraud remove instructions include downloading and updating AVG 7.5 to desktop before doing all in safe mode"

AVG a-s (not AVG 7.5) is not necessary for removing smitfraud.

"Should I try running SpyBot in safe mode first? Spybot finds it, just can't get rid because it's running."

I am afraid it won't help at all. There are many infections that Spybot can't remove.

"Next, my hijack this is on my desktop, how do I rename it? (right-click, properties brings a screen. Can I just go to Version and highlight the original file name and change Hijack This.exe to scanner.exe?"

Go to Windows Explorer, go here -> C:\Documents and Settings\PJ\Desktop\, find HijackThis.exe, highlight it, press F2 and give it a new name.

Next, please run combofix and post its log along with a fresh HijackThis log :thumbsup:

Edited by Shaba, 13 July 2007 - 10:50 AM.


#6 PB & J (Topic Starter)
  • Members
  • 28 posts

Posted 13 July 2007 - 11:11 AM

Ref renaming HijackThis: I tried several times, but all it does is change the label name on the desktop, not on the program file itself. Is that what you want?
I MUST go to work now, so will run combofix tonight and re-post. Thanks thanks thanks!
PB&J

#7 Shaba (Koutsi)
  • Members
  • 7,872 posts
  • Location: Finland

Posted 13 July 2007 - 11:13 AM

Hi

"Ref renaming HijackThis: I tried several times, but all it does is change the label name on the desktop, not on the program file itself. Is that what you want?"

According to your HjT log, HijackThis is on the desktop and not in the program files.

If it is in the program files, browse there and repeat that process there.

#8 PB & J (Topic Starter)
  • Members
  • 28 posts

Posted 13 July 2007 - 12:49 PM

(At work now, so away from the computer.) Yes, HJT is on the desktop, and when I follow your directions, I can change the display name under the icon, but the program itself still comes up and marks reports as "Hijack This". That's my question: is that what you want to happen?
SpyBot, just before my last HJT was posted, showed no infections, but, as I said, I still have that little corner of white in the upper left corner of the desktop and still get the message popping up every 15 minutes or so that it "cannot connect to the internet". So something is still trying to connect.
I'll run Combofix when I get home tonight, but if you can let me know if the HJT rename situation is what you mean to happen, I will appreciate it.
PB&J

#9 Shaba (Koutsi)
  • Members
  • 7,872 posts
  • Location: Finland

Posted 13 July 2007 - 12:53 PM

Hi

"Yes, HJT is on the desktop, and when I follow your directions, I can change the display name under icon, but the program itself still comes up and marks reports as "Hijack This". That's my question: is that what you want to happen?"

No.

If you have troubles renaming it:

1) Go to start -> run.
2) Type cmd and hit ok
3) Type cd\ and hit enter
4) Type cd C:\Documents and Settings\PJ\Desktop and hit enter
5) Type ren "Hijack This.exe" scanner.exe and hit enter
6) Type exit

It should be now renamed :thumbsup:

"SpyBot just before my last HJT posted showed no infections"

Yes but you are far from clean according to your HjT log.

Yes, run combofix and post its log along with a HijackThis log; it'll remove most of the infections.

#10 PB & J (Topic Starter)
  • Members
  • 28 posts

Posted 13 July 2007 - 04:08 PM

I thought as much! Will change the HJT name and run combo as soon as I get home tonight, then re-post the log.
Thx much, PB&J

#11 PB & J (Topic Starter)
  • Members
  • 28 posts

Posted 13 July 2007 - 09:18 PM

Ha! Next problem: I tried to follow your instructions to change the name of Hijack This, and found that Notepad seems to be running in the background, and I cannot use the keyboard for anything. Now what? The mouse works. I tried logging off and on again, no good; so then I closed down for a hard boot. No good. Still no keyboard, but each time I try to close, it starts going through a countdown because Notepad is running (?). What now?
PB&J

Edited by PB & J, 13 July 2007 - 09:19 PM.


#12 Shaba (Koutsi)
  • Members
  • 7,872 posts
  • Location: Finland

Posted 14 July 2007 - 01:03 AM

Hi

Do you mean that keyboard doesn't work in cmd window or at all in windows?

#13 PB & J (Topic Starter)
  • Members
  • 28 posts

Posted 14 July 2007 - 06:07 AM

ALL windows.
Do you think it will work at load-up to hit F8 for safe mode?
I think if I can get to safe mode, I could run combofix.
But why is Notepad being used? (What's using it, or keeping it busy so I can't use it?)
Thx

#14 Shaba (Koutsi)
  • Members
  • 7,872 posts
  • Location: Finland

Posted 14 July 2007 - 06:17 AM

Hi

"do you think it will work at load up to hit F8 for safe mode?"

No idea.

If you can get it to work in the Boot menu, try "Last Known Good Configuration".

"but why is notepad being used? (what's using it, or keeping it busy so I can't use it?)"

Well, combofix can use it, but it won't keep it reserved all the time.

#15 PB & J (Topic Starter)
  • Members
  • 28 posts

Posted 14 July 2007 - 06:21 AM

But combofix is not up and running, just sitting on the desktop.
I'll go try again.
If worse comes to worst, can I still re-format the hard drive? That would be a pain, but I would only lose a month or so...

Edited by PB & J, 14 July 2007 - 06:25 AM.




