cicero
2007-04-11, 18:35
Note: After reviewing many forums, the SpyBot S&D forum appears to be the best organized. Thanks!
April 11, 2007: Anyone have ideas on how to remedy another case of smitfraud, Hijacker.Agent.jh and Trojan.BHO.g?
System:
: HP Pavilion, 2.6 GHz, 512 MB, 56% free disk space, Windows XP
: Internet Connection Firewall enabled in Network Connections
: Running Internet Explorer v6.026 w/ Panicware popup blocker enabled
: Dialup connection through external USR modem using ATT WorldNet
: Norton AV 2002 does not detect any viruses
Symptoms: (began appearing March 2007)
: Modem began behaving differently, receiving data before login acknowledgement
: Modem intermittently receiving data after web page contents downloaded
: Internet Explorer window seemed to flash briefly on occasion.
: Nuisance pop-up windows becoming more numerous over time
: Slow Internet access
: Situation degrades over time
: Spybot 1.4 detects smitfraud-c-toolbar888, but cannot cure.
>> Numerous postings describe SpyBot detecting smitfraud as a false positive.
First Fix Attempt
: Searched Google for smitfraud and was taken in by the XoftSpySE ad
: Downloaded XoftSpySE on April 8, 2007, paid $39.95
: Ran XoftSpySE, which detected and removed some items, but could not fix symptoms.
: XoftSpySE also kept noting an apparent registry issue with default IE home page, but could not fix.
Note: After running the fixes described below, the XoftSpySE update gives the error message: “XoftSpySE is unable to download the latest update, ... Does you firewall setting grant access to XoftSpySE to connect to the Internet?”
Will try to delete and reload XoftSpySE, but am not pleased with the product or their home page.
*******************************************************************
Second Fix Attempt
Printed out, reviewed and followed instructions on these documents:
http://forums.spybot.info/showthread.php?t=9190
>> did not have C:\windows\svchost.exe or p2pnetworking.exe
http://forums.techguy.org/security/515882-solved-smitfraud-c-toolbar888-spybot.html
>> did not try Brute Force Uninstaller or Panda's ActiveScan
http://forums.techguy.org/security/555188-solved-smitfraud-c-toolbar888.html
>> did not try Killbox, OTMoveIt by OldTimer, or Dr.Web CureIt.
http://forum.piriform.com/index.php?showtopic=9284
>> did not try Superantispyware
http://www.short-media.com/forum/showthread.php?t=54915
>> did not try Panda ActiveScan as it requires access to the Internet and PC is infected and I have a slow dialup connection.
An analysis of the postings above, and others, led me to take the following common steps:
Ran HijackThis and did system scan and none of the entries matched ones noted in links above.
>> did notice O2 - BHO: (no name) regarding system32\forarp.dll. Could not find any data on this dll.
>> did not select any items to remove
Ran Vundo Fix, which found and removed C:\WINDOWS\System32\tmp5.tmp.dll
>> I searched C: and also found this dll in Documents and Settings\Owner\Local Settings\Temporary Internet Files
Ran ATF Cleaner after rebooting into Safe Mode (F8).
>> found items and I clicked “Empty Selected”
>> Spybot had already been set to normal mode and TeaTimer was unchecked
Ran SmitfraudFix after rebooting into Safe Mode and selected option 2 Clean and deleted infected files
Ran AVG Anti-Spyware 7.5 after rebooting into Safe Mode following instructions in the postings.
>> Had downloaded AVG on Monday, April 9. PC degraded more and could not download the latest update.
Reset Web Settings option in Control Panel - Internet Options.
Made new Restore Point, ran disk cleanup and deleted old Restore Points
Rebooted, set up the desktop again (it had been changed). Rebooted again, connected to the Internet, and the nuisance pop-ups began appearing again within 5 minutes.
*******************************************************************
Third Fix Attempt
PC system state accessing Internet 5 minutes after cleaning steps noted above:
Ran Vundo Fix, and no problems were found this time even though receiving nuisance pop-ups.
Ran XoftSpySE and found a High Risk registry value changed and removed it:
"software\microsoft\internet explorer\main\start page\about:blank:@:about:blank
>> For reference, my PC default home page is about:blank
Ran HijackThis and did system scan (see log below), and did not select and remove any items.
>> Concerned about these two entries, but they may be normal:
O20 - Winlogon Notify: forarp - C:\WINDOWS\SYSTEM32\forarp.dll (dated 4/6/2007 – no apps loaded 4/6)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll (dated 5/15/2002)
Ran SpyBot v1.4 and received the same error “smitfraud-c-toolbar888” and removed it.
>> hkey_local_machine\software\Araf15
>> hkey_users\…..\Software\Microsoft\aldd
Ran ATF Cleaner, selected all and removed items.
Booted into Safe Mode (as admin this time):
Ran SmitfraudFix and selected option 2 Clean and deleted infected files
Ran AVG Anti-Spyware 7.5 after downloading ewido-signatures4-full-current (dated 4/10/07) from work.
>> Found Hijacker.Agent.jh with 19 traces – associated with IE start/search pages.
>> Found Trojan.BHO.g attached to tmp2.tmp.dll and tmpE.tmp.dll in the system32 directory.
>> Applied all Actions to remove these, though they had been found and removed in second fix attempt above.
Ran SpyBot v1.4 from SafeMode, and it could not find “smitfraud-c-toolbar888”.
Ran ATF Cleaner from SafeMode
Ran Cleandisk and rebooted to Normal mode and did not open IE or connect to Internet.
Ran SpyBot v1.4 and found “smitfraud-c-toolbar888” again in the same registry locations noted above.
Does anyone have ideas on what is “sticking” between fixes/reboots to continue causing this Trojan intrusion?
R
*******************************************************************
Logs from Third Fix Attempt
SmitFraudFix v2.166
Scan done at 19:58:06.38, Tue 04/10/2007
Run from C:\Temp\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Gateway\EzTune\dtsslsrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Gateway\EzTune\dtsrvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Gateway\EzTune\dthtml.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» DNS
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
*******************************************************************
VundoFix V6.3.19
Interestingly, VundoFix found C:\WINDOWS\System32\tmp5.tmp.dll but did not find tmp2.tmp.dll and tmpE.tmp.dll, which AVG Anti-Spyware 7.5 noted. Hence, VundoFix did not create a log.
*********************************************
Logfile of HijackThis v1.99.1
Scan saved at 8:10:30 PM, on 4/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Gateway\EzTune\dtsslsrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Gateway\EzTune\dtsrvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Gateway\EzTune\dthtml.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\data\hardware_763n\virus\downloads\hijackthis\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = "http://runonce.msn.com/?v
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
O2 - BHO: (no name) - {4a867545-75a5-4e20-ad00-6d247d356fe1} - C:\WINDOWS\system32\forarp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\cbxutr.dll",realset
O4 - Global Startup: EzTune.lnk = C:\Program Files\Gateway\EzTune\dthtml.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O20 - AppInit_DLLs:
O20 - Winlogon Notify: forarp - C:\WINDOWS\SYSTEM32\forarp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Gateway\EzTune\dtsslsrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Gateway\EzTune\dtsrvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
*******************************************************************
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:29:22 PM 4/10/2007
+ Scan result:
C:\Program Files\Ahead\InCD\InCD.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\HPSelect\frontend\ct.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\QuickTime\qttask.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\WinPortrait\wpctrl.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\Program Files\iTunes\iTunesHelper.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\SMINST\RECGUARD.EXE -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\NeroCheck.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hphmon04.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lsasss.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ps2.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\system\hpsysdrv.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\hp\KBD\KBD.EXE -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tmp2.tmp.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tmpE.tmp.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
::Report end
END
Edit:
"BEFORE you POST" (http://forums.spybot.info/showthread.php?t=288)
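The question of what "sticks" between reboots comes down to the autostart locations HijackThis lists: the O2 BHO entries, the O4 Run keys and the O20 Winlogon Notify packages in the log above. The Python script below is an added example, not part of cicero's post and not code from HijackThis, Spybot or any other tool named on this page. It applies a handful of triage heuristics to lines copied from the HijackThis log above: a BHO registered with no name, a Run target whose file name is one edit away from a core Windows binary, rundll32 loading a DLL placed directly in the Windows directory, a populated AppInit_DLLs value, and a Winlogon Notify package outside an assumed Windows XP default set (that baseline set is my assumption and should be rebuilt from a known-clean machine of the same model). A flag means "verify this file's publisher, timestamp and hash", not "this is malware": Spybot's own SDHelper.dll is registered without a name and trips the first rule, and igfxcui is flagged only because it is not in the stock XP list.

```python
"""Heuristic triage of HijackThis-style autostart entries (added example).

A finding is a reason to verify the file, never a malware verdict.
"""
import re
from typing import List, Tuple

# Winlogon Notify packages on a stock Windows XP SP2 install. ASSUMPTION:
# treat this as a starting point and extend it from a known-clean machine.
XP_WINLOGON_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Core Windows process names that look-alike file names tend to imitate.
CORE_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe",
}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<pkg>\S+) - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<val>.*)$")
DLL_RE = re.compile(r'([A-Za-z]:\\[^",]+\.dll)', re.IGNORECASE)
# A DLL sitting directly in the Windows directory (not System32).
WINROOT_DLL_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$")

# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4a867545-75a5-4e20-ad00-6d247d356fe1} - C:\WINDOWS\system32\forarp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\cbxutr.dll",realset
O20 - AppInit_DLLs:
O20 - Winlogon Notify: forarp - C:\WINDOWS\SYSTEM32\forarp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alikes such as lsasss.exe vs lsass.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1].strip('"').lower()


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (entry, reasons) for every line that trips at least one rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        m = BHO_RE.match(line)
        if m and m.group("name").strip().lower() == "(no name)":
            reasons.append("BHO registered without a name; identify the DLL's publisher")
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            exe = basename(first_token(cmd))
            for core in sorted(CORE_BINARIES):
                if exe != core and levenshtein(exe, core) == 1:
                    reasons.append(f"target {exe} is one edit away from core binary {core}")
            dll = DLL_RE.search(cmd)
            if exe == "rundll32.exe" and dll and WINROOT_DLL_RE.match(dll.group(1).lower()):
                reasons.append("rundll32 loads a DLL placed directly in the Windows directory")
        m = NOTIFY_RE.match(line)
        if m and m.group("pkg").lower() not in XP_WINLOGON_NOTIFY_BASELINE:
            reasons.append(f"Winlogon Notify package '{m.group('pkg')}' is outside the assumed "
                           "XP baseline; its DLL runs inside winlogon.exe at every logon")
        m = APPINIT_RE.match(line)
        if m and m.group("val").strip():
            reasons.append("AppInit_DLLs is populated; listed DLLs load into every user32 process")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG.splitlines()):
        print(entry)
        for r in why:
            print("    ->", r)
```

Run as-is it prints six flagged entries from the sample. The Winlogon Notify rule is the one most relevant to a recurring detection: a package listed there is loaded by winlogon.exe before any user session exists, so it survives Safe Mode cleanups that only touch the Run keys and temp folders, which is why the baseline must be compared against a clean install of the same model rather than taken from a generic list.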