
Thread: Smitfraud-c.Toolbar888 & Chisyne

#11 pskelley (In Memoriam - Always in our heart) | Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    Follow these directions carefully:

    1) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    3) AVG Anti-Spyware: Deactivate the Resident Shield
    - Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
    - To do this, click "Change State" to the right of the Resident Shield option in the main window.
    - You will clearly see the status change to Inactive if you have done this correctly.

    4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: (no name) - {17F59AF6-2B8B-4F0E-95EF-2C63325E87FC} - (no file)
    O2 - BHO: (no name) - {36AC279D-F685-487E-98D3-687E8864E2E4} - (no file)
    O2 - BHO: (no name) - {41B0038E-894A-410A-8998-3CB5CE8EE81D} - C:\WINDOWS\system32\gebcy.dll (file missing)
    O2 - BHO: (no name) - {5C821749-EB0F-4CE1-9BAE-EFDF4BBE4AF6} - (no file)
    O2 - BHO: (no name) - {61EC73CD-8F73-4E84-9A13-7C02F22C0B41} - (no file)
    O2 - BHO: (no name) - {714CCB98-1E9C-4F8B-85D4-01660E27C410} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: (no name) - {A903C099-E909-4264-86E8-D86E4B87AC42} - (no file)
    O2 - BHO: (no name) - {CA2DD0EA-F7EE-489A-81C4-526C80309532} - (no file)
    O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\cguatyus.dll
    O2 - BHO: (no name) - {E48E8D74-5ABC-401E-B34A-390EBF5C313D} - C:\WINDOWS\system32\awtst.dll (file missing)
    O2 - BHO: (no name) - {F49ED2B3-08F5-4BA3-8536-2DAEE8C8409B} - C:\WINDOWS\system32\xxyvvuu.dll (file missing)
    O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\irwkmepa.dll",realset
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1561f3ac...p/RdxIE601.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O20 - Winlogon Notify: xxyvvuu - xxyvvuu.dll (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    5) RIGHT Click on Start then click on Explore. Locate and delete these items:

    (this is very important, this is a very bad file)

    C:\WINDOWS\system32\irwkmepa.dll <<< delete that file

    6) Use the instructions in the following link to run AVG Anti-Spyware, delete or at least quarantine anything it finds and save the scan report to post:
    http://forums.security-central.us/showthread.php?t=3165

    7) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart the computer and post that scan report and a new HJT log. Let me know how the computer is running and add any comments you think will help.

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
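The triage Phil does by eye in step 4 above follows a few repeatable rules: an O2 or O20 entry whose DLL is "(no file)" or "(file missing)" is a dead registration that can be removed outright; an unnamed BHO that loads a gibberish-named DLL from system32 is the live infection; and a Run value that uses rundll32 to call an export in a system32 DLL under a Windows-sounding name (here "[WindowsUpdate]") is the loader. The following Python encodes those rules over HijackThis 1.99.1 log lines. It is an added example, not code from the thread or from HijackThis itself; the sample lines are copied from the entries above plus two benign ones from the poster's later log, and the "gibberish name" rule (5 to 8 lowercase letters) is my own heuristic, not an HJT rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the O2/O4/O20 lines Phil marked for "Fix Checked" above, plus two
# benign entries from the follow-up log so the rules have something to leave alone.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {17F59AF6-2B8B-4F0E-95EF-2C63325E87FC} - (no file)",
    r"O2 - BHO: (no name) - {41B0038E-894A-410A-8998-3CB5CE8EE81D} - C:\WINDOWS\system32\gebcy.dll (file missing)",
    r"O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\cguatyus.dll",
    r'O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\irwkmepa.dll",realset',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"',
    r"O20 - Winlogon Notify: xxyvvuu - xxyvvuu.dll (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
]

LINE_RE = re.compile(r"^(?P<section>[OR]\d+)\s+-\s+(?P<body>.*)$")
BHO_RE = re.compile(r"^BHO:\s+(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+(?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run:\s+\[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s+(?P<name>\S+)\s+-\s+(?P<path>.*)$")
# rundll32 <dll>,<export>; the DLL path may or may not be quoted.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)

MISSING_MARKERS = ("(no file)", "(file missing)")
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\SYSTEM32\\", re.IGNORECASE)
# Heuristic (my assumption, not an HJT rule): the droppers in this thread use short
# all-lowercase gibberish names such as gebcy.dll, awtst.dll, cguatyus.dll.
GIBBERISH_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")


@dataclass
class Finding:
    line: str
    verdict: str  # "orphan": dead registration, "suspect": live loader, "ok": no rule hit
    reason: str


def triage_line(line: str) -> Finding | None:
    """Classify one HijackThis log line; None for lines that are not log entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]

    if section == "O2":
        b = BHO_RE.match(body)
        if b is None:
            return Finding(line, "unparsed", "O2 line not in the expected BHO form")
        if b["path"].endswith(MISSING_MARKERS):
            return Finding(line, "orphan", f"BHO {b['clsid']} is registered but its DLL is gone")
        dll = b["path"].rsplit("\\", 1)[-1]
        if b["name"] == "(no name)" and SYSTEM32_RE.match(b["path"]) and GIBBERISH_DLL_RE.match(dll):
            return Finding(line, "suspect", f"unnamed BHO loading gibberish-named {dll} from system32")
        return Finding(line, "ok", "no rule hit")

    if section == "O4":
        r = RUN_RE.match(body)
        if r is not None:
            d = RUNDLL_RE.search(r["cmd"])
            if d and SYSTEM32_RE.match(d["dll"]):
                return Finding(line, "suspect",
                               f"Run value [{r['label']}] uses rundll32 to call {d['export']} in {d['dll']}")
        return Finding(line, "ok", "no rule hit")

    if section == "O20":
        n = NOTIFY_RE.match(body)
        if n is not None and n["path"].endswith(MISSING_MARKERS):
            return Finding(line, "orphan", f"Winlogon Notify package {n['name']} points at a missing DLL")
        return Finding(line, "ok", "no rule hit")

    return Finding(line, "ok", "no rule for this section")


def triage(lines) -> list[Finding]:
    return [f for f in (triage_line(l) for l in lines) if f is not None]


def fix_checked_candidates(lines) -> list[str]:
    """The lines a helper would tick under 'Fix Checked': orphans and suspects."""
    return [f.line for f in triage(lines) if f.verdict in ("orphan", "suspect")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:8} {f.reason}")
```

The "suspect" verdict is the one that matters: an orphaned CLSID is harmless on its own, but a live rundll32 loader or an unnamed system32 BHO means the DLL is still on disk and, as the next posts show, probably locked by explorer.exe or rundll32 until the machine is booted into Safe Mode.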

#12 Junior Member | Join Date: May 2007 | Posts: 12

    Hi Phil

#13 Junior Member | Join Date: May 2007 | Posts: 12

Hi Phil

I'm going through your points, all OK up to point 5. I have located the irwkmepa.dll file but it won't let me delete it. I keep getting "access denied" or "file in use".

Do I proceed with items 6 and 7, or can you provide further guidance on item 6 and removing this bad file?

    Thanks

#14 pskelley (In Memoriam - Always in our heart) | Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

Now, this is your computer: if you have a file that is bad and can't be deleted, boot to Safe Mode and do it there, where it is not running. In this case, try this tool:

    How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tuto...42.html#delreb
    Start Hijackthis
    Click on the Config button
    Click on the Misc Tools button
    Click on the button labeled Delete a file on reboot...
    A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\system32\irwkmepa.dll and click on it once, and then click on the Open button.
    You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

    continue with the rest of the instructions.

    Thanks
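The "access denied / file in use" error happens because the DLL is mapped into a running process (the Run entry loads it through rundll32, and the BHO side lives in explorer.exe and Internet Explorer), and Windows will not let a mapped image be deleted. HJT's "Delete a file on reboot" button works around that with the standard Win32 mechanism for the job: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the delete in the registry value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and the Session Manager carries it out at the next boot before any user-mode process can load the DLL again. The following Python is an added example, not code from the thread or from HijackThis (whose own implementation is not shown on the page); the path is the one from the thread, and the call needs an administrator token.

```python
from __future__ import annotations

import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def pending_rename_entries(path: str) -> list[str]:
    """The pair that MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) appends to the REG_MULTI_SZ value:
    the source in NT object-manager form (\\??\\ prefix) and an empty target, meaning delete."""
    nt_path = path if path.startswith("\\??\\") else "\\??\\" + path
    return [nt_path, ""]


def encode_multi_sz(entries: list[str]) -> bytes:
    """Raw REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated, plus a final NUL.
    Useful for recognising the value in a registry hive or a raw export."""
    return "".join(s + "\0" for s in entries).encode("utf-16-le") + b"\0\0"


def schedule_delete_on_reboot(path: str) -> bool:
    """Queue `path` for deletion at the next boot. MOVEFILE_DELAY_UNTIL_REBOOT requires
    the caller to be an administrator or LocalSystem; the file may be locked right now."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is Win32-only; run this on the infected machine")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


if __name__ == "__main__":
    target = r"C:\WINDOWS\system32\irwkmepa.dll"  # the file from the thread
    print("entries that should appear under", PENDING_KEY, PENDING_VALUE)
    for entry in pending_rename_entries(target):
        print(repr(entry))
    if sys.platform == "win32":
        schedule_delete_on_reboot(target)
        print("queued; reboot to complete the delete")
```

Before rebooting, open the PendingFileRenameOperations value in regedit and confirm the \??\ path is there with an empty line after it; anything else listed there was queued by some other program and is worth a look, since the same mechanism is available to malware for replacing system files at boot.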

#15 Junior Member | Join Date: May 2007 | Posts: 12

    Hi Phil

I managed to remove that file in Safe Mode and on reboot checked to see if it was still there. No, it wasn't.

I ran the AVG spyware and the log is below. I did put the Resident Shield on before running the ATF Cleaner in item 7. Not sure if that was right to do?

Machine is running better. One observation is that I have eTrust antivirus and firewall. I get the Windows Security Centre warning saying my antivirus is out of date, but my licence runs until Oct 2007 and it's on auto update. It's been doing this for some time and still is. Is this relevant?

Anyway, logs are:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 18:25:53 12/05/2007

    + Scan result:



    C:\System Volume Information\_restore{1A3C7C7B-96FA-4FA0-AB6D-9CD86058F1D3}\RP185\A0319857.dll -> Adware.Virtumonde : Cleaned.
    C:\Documents and Settings\Ian & Dawn\Cookies\ian_&_dawn@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.


    ::Report end


    Logfile of HijackThis v1.99.1
    Scan saved at 18:40:13, on 12/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HijackThis\cozi41.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [PCPitStopEraser] C:\Program Files\PCPitstop\Erase\PCPitStopErase.exe /remindme
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk.disabled
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/Cl.../OCI/setup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1146069213453
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/gb/securityadvisor...fo/webscan.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#16 Junior Member | Join Date: May 2007 | Posts: 12

    Hi phil,

Forgot to say Outlook is running a bit slow. Seems to be struggling a bit. Any thoughts?

#17 pskelley (In Memoriam - Always in our heart) | Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

Thanks for the feedback. Let me say first that your HJT log appears clean of malware, great job.

Let's look at these other issues. First, keep in mind that your system just went through some major trauma: not only the junk that got on it and the changes it may have made to programs, but also the tools and our efforts to remove the junk. While we are on that subject, you may rename HJT.exe if you wish and remove all programs we downloaded during the fix. The one exception is ATF-Cleaner; it is a nice cleaning tool and you may keep it if you wish. The one item AVG found is in your System Restore files, so let's clean them now, like this: System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

> One observation is that I have eTrust antivirus and firewall. I get the Windows Security Centre warning saying my antivirus is out of date, but my licence runs until Oct 2007 and it's on auto update. It's been doing this for some time and still is. Is this relevant?

Start > Control Panel > Security Center. Make sure all three items are green for go. The junk does make changes in settings, so if anything is turned off, use the drop-down menu to start it running again. If you still have problems with eTrust, I suggest you contact their technical support and check with them; they may have you do a reinstall. Is everything running right for Zone Alarm?
You did say:

> One observation is that I have eTrust antivirus and firewall.

There is not another firewall running besides ZA, is there? You want only one antivirus program, one firewall and at least one good anti-spyware program running in real time. Are you getting any messages from the Security Center? If so, post it "word for word".

> Forgot to say Outlook is running a bit slow. Seems to be struggling a bit. Any thoughts?

You are talking about the Office program "Outlook" and not "Outlook Express"... correct? It may be that the malware damaged a file or files. I would try this first.
    If there are any missing or corrupt System Files causing the problem, this Windows tool will fix that:
    http://www.updatexp.com/scannow-sfc.html

    You can also look at the Google to see if anything will help:
    http://www.google.com/search?hl=en&q...=Google+Search

    And as a last resort, a reinstallation of the program should fix the problem.

    Some great information for you:
    Help! My computer is slow!
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    How to prevent Malware
    http://users.telenet.be/bluepatchy/m...revention.html

    AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

    Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

#18 Junior Member | Join Date: May 2007 | Posts: 12

    Hi phil

Many thanks for your help, it's been great having your assistance. I will look at the various websites on safe surfing you have provided.

I updated and reran Spybot. It picked up the Smitfraud-Toolbar888 again in the HKEY area. I removed it at the end of the scan, rebooted and reran Spybot again. The scan showed no further trace. So hopefully that is the last of that.

I did mean Microsoft Office Outlook Express; when I go to view an email from the inbox, it freezes and I have to shut it down. I wonder if it's worth reinstalling, any comments?

The Windows Security Centre shows both my firewall and antivirus as a warning. It says "EZ Firewall/Antivirus is installed, but its status is unknown/Reports that it might be out of date". Do you think it might be worth contacting eTrust for their comments?

    Once again, many thanks for your help.

#19 pskelley (In Memoriam - Always in our heart) | Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

You are sure welcome. For starters, since you said you have the newest databases for Spybot, you can ignore that warning; it's a false positive, see this information:
    http://forums.spybot.info/showthread.php?t=8668

> I did mean Microsoft Office Outlook Express

Outlook Express I have not used in many years, preferring Hotmail and Gmail, which are both available free. Here are troubleshooting sites for OE:
    http://www.google.com/search?hl=en&q...=Google+Search

    http://get.live.com/gbb/?vendor=google
    https://www.google.com/accounts/Serv...t&ltmplcache=2

As far as your firewall/antivirus, I would definitely get with technical support to see if that program should be reinstalled.
    http://www.google.com/search?hl=en&q...rt&btnG=Search

    Thanks

#20 Junior Member | Join Date: May 2007 | Posts: 12

    Hi Phil

You're a star. I have run the scannow and it appears to work normally.

    Many thanks for your help. I'll keep scanning with AVG, Spybot etc on a regular basis to ensure I'm not infected.

Thanks so much.

    Cozi41
