PDA

View Full Version : Smitfraud-C.Toolbar888 please help!



Jay74
2007-04-17, 18:47
Spybot S&D keeps picking up Smitfraud-C.Toolbar888 and it recreates itself when rebooting. Any help would be very appreciated. Here is my Panda online scan log and my HJT log. Thanks so much in advance.

Incident Status Location

Adware:Adware/LoopAd Not disinfected C:\WINDOWS\SYSTEM\alg32.exe
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\anyuser@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\anyuser@belnk[1].txt
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Profiles\JoeC\Cookies\joec@yadro[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Profiles\JoeC\Cookies\joec@burstnet[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Profiles\JoeC\Cookies\joec@www.burstbeacon[2].txt

Logfile of HijackThis v1.99.1
Scan saved at 10:38:18 AM, on 4/17/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\WMPCI54G WLAN MONITOR\WMP54G.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ALG32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\MY PICTURES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charterfunerals.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [WMLAN54G.exe] C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WINRRT32] rundll32 WINRRT32.DLL,run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [rw service] C:\WINDOWS\SYSTEM\alg32.exe
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0032.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: Yahoo! Pyramids - http://download2.games.yahoo.com/games/clients/y/pyt1_x.cab

pskelley
2007-04-19, 17:00
Welcome to the forum, you have some nasty problems and most tools will not run on Windows 98. Smitfraud-C.Toolbar888 is not one of them, see this information: http://forums.spybot.info/showthread.php?t=8668

http://www.microsoft.com/windows/support/endofsupport.mspx <<< you understand there is no way you can protect this system anymore? You will just continue to bring it to someone to clean?

Here are your problems,
http://www.sarc.com/avcenter/venc/data/trojan.startpage.k.html
http://www.google.com/search?hl=en&q=ALG32.EXE&btnG=Google+Search
http://spywaredlls.prevx.com/RRHDIC11548908/WINRRT32.DLL.html

hXXp://www.alwaysupdatednews.com/install/aun_0032.exe <<< nasty see this:
http://www.castlecops.com/ActiveX.html
Trojan.Downloader.Small X B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4 identified by SpywareBlaster

hXXp://www.pacimedia.com/install/pcs_0006.exe
http://www.castlecops.com/ActiveX.html
PaciMedia Installer X C0B285F6-DB2B-4908-9C58-F6D95397D747 pcs_####.exe Trojan - see here

1) Windows 98
Open My Computer.

Select the View menu and click Folder Options.

Select the View Tab.

In the Hidden files section select Show all files.

Click OK.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [WINRRT32] rundll32 WINRRT32.DLL,run
O4 - HKCU\..\Run: [rw service] C:\WINDOWS\SYSTEM\alg32.exe
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0032.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0006.exe
O16 - DPF: Yahoo! Pyramids - http://download2.games.yahoo.com/gam...s/y/pyt1_x.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\SYSTEM\ALG32.EXE <<< delete that file

WINRRT32.DLL <<< search and delete that file, it should also be in C:\Windows\

3) run cleanmgr
http://spyware-free.us/tutorials/cleanmgr/

Restart the computer and post a new HJT log, let me know about any malware problems.

Thanks

tashi
2007-04-26, 22:57
Due to lack of a response to helper this topic has been archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.

Thanks pskelley.