Hello, I'm new to the board, so please forgive me if I'm posting erroneous information while leaving out the important stuff.
Yesterday I was hijacked by Smitfraud and 40 other spywares. I ran Antivir; it had 5 detections, I removed them, and then Antivir stopped functioning. Then the computer began restarting all the time. I entered Safe Mode, found that Antivir still doesn't work, and ran Spybot and Ad-Aware. They found and removed many things, though they could not remove one entry of Smitfraud.C, specifically winsys2f.dll. I rebooted into Safe Mode several times, ran Spybot and Ad-Aware each time, and now each has no detections. I cannot find winsys2f.dll anywhere. I have folder options set to 'show hidden files' and unchecked 'hide protected operating system files.' I edited the registry so I was able to turn off System Restore. I tried reinstalling Antivir in Safe Mode with Networking, but it will not activate or function. When I start Windows normally, there are multiple errors and it is unusable, or I get a BSOD. It is also telling me I do not have a genuine copy of Windows (I don't know if I do or not, but I wasn't getting that message before).
Any help resolving this would be appreciated, just let me know what to do or what else to post.
Here is my system, which was built from scratch (not by me) and includes no recovery disc:
Windows XP Professional Version 2002, SP2; Intel Pentium III, 938 MHz; 512 MB of RAM
I don't know what other hardware to post, or where to find that information.
Here is my HijackThis log taken during Safe Mode (I can't run it in normal mode):
Logfile of HijackThis v1.99.1
Scan saved at 4:36:19 PM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Kenneth E. McConnell\Desktop\Programs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\VideosCodec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [wdokbye.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Kenneth E. McConnell\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [sdfghjgewaertyutrew.exe] C:\WINDOWS\system32\sdfghjgewaertyutrew.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Cliprex_WhenUSave_Installer] C:\Program Files\Cliprex_WhenUSave_Installer\Cliprex_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\KENNET~1.MCC\LOCALS~1\Temp\spchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTER

Here ya go:
http://www.bleepingcomputer.com/forums/topic17258.html
http://wiki.castlecops.com/Malware_Removal:_SpyAxe_Removal
http://www.spywareremove.com/removeSmitfraud.html
http://www.anti-spyware-101.com/remove-smitfraud/

Spybot Search and Destroy will handle that. If you use IE, you can use Spybot's immunize function to prevent a recurrence. It will also prevent a lot of other spyware.

Spybot couldn't remove all instances of Smitfraud.C, only some of them. Now I'm also having trouble with adirss.exe.
Logfile of HijackThis v1.99.1
Scan saved at 10:46:27 PM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\adirss.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Documents and Settings\Kenneth E. McConnell\Desktop\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O4 - HKLM\..\Run: [wdokbye.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Kenneth E. McConnell\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Cliprex_WhenUSave_Installer] C:\Program Files\Cliprex_WhenUSave_Installer\Cliprex_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\KENNET~1.MCC\LOCALS~1\Temp\spchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Yeah, doing some Google research on removing Smitfraud would be a start... otherwise
www.pc-tools.com
Spyware Doctor is a beast and will tell you if there is more to pick up. For me, it got rid of the worst spyware you can imagine. As long as it is not a virus (it doesn't look like it), Spyware Doctor will cover ya.
When you run into an "issue" (I'm sure you will) and need assistance regarding Spyware Doctor, PM me, and I will relieve you of your pain.
Be nice, forum mods, please.

I don't think more spyware removers are going to help. Spybot and Windows Defender already failed, in both safe and normal modes. Since I didn't get a recovery disc with this computer, I don't have any option now but to format the C drive and buy a new copy of XP. I just hope that the malware hasn't infected the BIOS or will otherwise survive the reformat, or I'll be wasting more money. My machine's pretty much an expensive boat anchor as is, and that's pretty depressing.

Hi there. OK, well, so you can have the most efficient help, I recommend posting the full HJT log file. By default the forum only allows so many characters. Take as many posts as it takes to post the full log.
Chris

Quote: I don't think more spyware removers are going to help. Spybot and Windows Defender already failed, in both safe and normal modes. Since I didn't get a recovery disc with this computer, I don't have any option now but to format the C drive and buy a new copy of XP. I just hope that the malware hasn't infected the BIOS or will otherwise survive the reformat, or I'll be wasting more money. My machine's pretty much an expensive boat anchor as is, and that's pretty depressing.

Smitfraud is not your average infection; it requires specially made tools to remove. http://www.spywareremove.com/removeSmitfraud.html Download that program and follow its instructions. Do not ignore this post like you did my last one or your problem will never be solved. No regular spyware remover program can completely remove Smitfraud.

Smitfraud will get it, just Google it. Make sure you download it from a good site:
http://www.google.com/search?hl=en&q=smitfraud&btnG=Google+Search

Thanks for the help, everyone!
I tried Smitfraudfix, and that seemed to work on that one.
However, I had several other infections I couldn't get rid of. I couldn't run Panda AV, install any programs, or burn any discs. Yikes!
My computer was custom built, with no recovery/installation disc. So, tonight I made a bootable disk on an uninfected computer and ran FDISK on my infected one. I bought a new copy of XP at BestBuy and am installing that now.
So far, so good.
I lost some data and programs, but no biggie.
That's a good tip about posting the complete HijackThis logs. I hadn't noticed that mine were getting the ends clipped off!
D'Oh!
Cheers.