Smitfraud C. Koowo and much more

I don't get anything at all when I hit Ctrl+Alt+Del, and Ctrl+Shift+Esc changes my input method.

I tried uninstalling ComboFix. I got the little ComboFix loading bar, but after that my mouse became an hourglass for a second, nothing started, and there were no error messages.

I installed the MVPS Hosts file as it said on the website.
 
The C:\Qoobox folder is still there, and all its contents, except the contents of the Quarantine folder which I emptied, seem to be intact.

The pop-ups have stopped.
 
OK, so partial success :)

Delete C:\Qoobox folder as well as ComboFix.exe.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

And tell me if Spyware Doctor still finds something.
 
I deleted Combofix and QooBox, and turned System Restore on and off.

The pop-ups have returned; again they are the little in-window ones, only in Netscape. It's probably a problem I can solve by upgrading to Firefox.

Here is what I got from Spyware Doctor. I had to copy it by hand because Spyware Doctor won't let me copy from the report screen directly, so there may be typos:



Trojan-PWS.OnlineGames
C:\WINDOW\SYSTEM32\smdsbsrv.sys
C:\WINDOW\SYSTEM32\xscqbhlp.sys

Application.NirCmd
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, combofix_wow
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, Runs
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, sanpshot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000,ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000,Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Group
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, NextInstance

HKEY_LOCAL_MACHINE\SOFTWARE\swearwar
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme

Trojan-PWS.OnlineGames.AHRG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, DisplaName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF\Security, Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF

Trojan-PWS.OnlineGames.ASGB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, ImagaPath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Object Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Description
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, List
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL\Security, Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL

Trojan.Generic
HKEY_USERS\S-1-5-21-3231341158-1705325488-3968787312-500\Software\Wget
 
Some of them are real threats, but these are not:

Application.NirCmd
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, combofix_wow
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, Runs
HKEY_LOCAL_MACHINE\SOFTWARE\swarewar, sanpshot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Legacy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000,ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, ClassGUID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000, DeviceDesc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000,Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme, Group
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum, NextInstance

HKEY_LOCAL_MACHINE\SOFTWARE\swearwar
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme

They are part of catchme and legit. So they can be ignored.

As for the rest:

Delete these:

C:\WINDOW\SYSTEM32\smdsbsrv.sys
C:\WINDOW\SYSTEM32\xscqbhlp.sys

Go to Start > Run
Type regedit and click OK.

  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export".
    • Make sure in that window there is a tick next to "All" under Export Branch.
    • Leave the "Save As Type" as "Registration Files".
    • Under "Filename" put backup.
  • Choose to save it to C:\ or some other safe location that you will remember (don't put it on the Desktop!).
  • Click Save and then go to File > Exit.

Open Notepad and copy the contents of the following box to a new file.

Code:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL]

[-HKEY_USERS\S-1-5-21-3231341158-1705325488-3968787312-500\Software\Wget]

Save it as fix.reg (save type: "All files" (*.*)) to your desktop.

It should look like this ->
reg.gif


Reboot.

Re-run spyware doctor and tell me what it finds now.

Go to Desktop, double-click fix.reg and merge the information with the registry.
 
Before merging fix.reg with the directory, Spyware Doctor reported this:

Trojan-PWS.OnlineGames.AHRG
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF, DisplaName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF\Security, Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF

Trojan-PWS.OnlineGames.ASGB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, ImagaPath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Object Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, Description
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL, List
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL\Security, Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL

Trojan.Generic
HKEY_USERS\S-1-5-21-3231341158-1705325488-3968787312-500\Software\Wget



After merging fix.reg, Spyware Doctor reported nothing.
 
Let's check this then:

Copy the text below to Notepad and save it as check.bat (save as type: All files, *.*).

@ECHO OFF
REM Export the Image File Execution Options key for taskmgr.exe to a text file.
REM The key path contains spaces, so it must be quoted or REG EXPORT fails.
REG EXPORT "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" C:\taskmgr.txt
REM Open the exported text so it can be pasted into the thread.
notepad C:\taskmgr.txt

It should look like this ->
bat.JPG


Double-click check.bat; a black DOS window will flash, that's normal.

The text file will open in Notepad.

Please post contents of that file here.
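Two things in this thread are worth being able to check offline: what a fix.reg like the one in the earlier post will do before it is merged, and whether an exported Image File Execution Options key carries a Debugger value, which is the setting that makes Windows start another program in place of taskmgr.exe. The Python below is an added example, not code from the thread or from Spyware Doctor, ComboFix or any other tool it mentions; it parses .reg text in the form regedit and REG EXPORT write it. The fix.reg sample repeats the three keys from the post above; the IFEO export sample and its Debugger path are constructed placeholders, not something the thread reported.

```python
"""Review a .reg file before merging it, and check an exported
Image File Execution Options (IFEO) key for a Debugger redirect.
Added example; every sample .reg text below is constructed."""
import re

REG_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

_SECTION = re.compile(r"^\[(-?)([^\]]+)\]$")          # [KEY] or [-KEY]
_VALUE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')   # "name"=data or @=data


def decode_reg(data):
    """REG EXPORT writes UTF-16LE with a BOM; a file typed in Notepad is ANSI/UTF-8."""
    if isinstance(data, bytes):
        if data.startswith(b"\xff\xfe"):
            return data.decode("utf-16")
        return data.decode("utf-8", errors="replace")
    return data


def _unescape(s):
    # .reg string data doubles backslashes and escapes embedded quotes
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(data):
    """Return a list of {'key', 'action', 'values'} dicts. action is 'delete'
    for a [-KEY] section or 'set' for [KEY]; values maps a value name ('@' is
    the default value) to a decoded REG_SZ string, None for "name"=- (value
    removal), or the raw text for other types (dword:, hex:, hex(7): ...)."""
    lines = [ln.strip() for ln in decode_reg(data).splitlines()]
    joined, buf = [], ""           # hex data continues over lines ending in '\'
    for ln in lines:
        if ln.endswith("\\"):
            buf += ln[:-1]
            continue
        joined.append(buf + ln)
        buf = ""
    entries, current = [], None
    for ln in joined:
        if not ln or ln.startswith(";") or ln in REG_HEADERS:
            continue
        m = _SECTION.match(ln)
        if m:
            current = {"key": m.group(2), "action": "delete" if m.group(1) else "set", "values": {}}
            entries.append(current)
            continue
        m = _VALUE.match(ln)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            raw = m.group(2).strip()
            if raw == "-":
                current["values"][name] = None
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                current["values"][name] = _unescape(raw[1:-1])
            else:
                current["values"][name] = raw
    return entries


def summarize_fix(data):
    """Keys a fix.reg deletes and keys it creates or modifies, for review before merging."""
    entries = parse_reg(data)
    deleted = [e["key"] for e in entries if e["action"] == "delete"]
    modified = [e["key"] for e in entries if e["action"] == "set"]
    return deleted, modified


def ifeo_debugger(data, image="taskmgr.exe"):
    """Return the Debugger command registered for IFEO\\<image>, or None.
    A Debugger value there makes Windows start that program instead of <image>."""
    target = (IFEO + "\\" + image).lower()
    for e in parse_reg(data):
        if e["action"] == "set" and e["key"].lower() == target:
            return e["values"].get("Debugger") or None
    return None


# Constructed sample: the three deletions from the fix.reg in the thread
FIX_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\MNSF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\SERVICES\SEICTRL]

[-HKEY_USERS\S-1-5-21-3231341158-1705325488-3968787312-500\Software\Wget]
"""

# Constructed sample of REG EXPORT output for a hijacked IFEO\taskmgr.exe key.
# The Debugger path is a placeholder, not something the thread reported.
# Encoded as UTF-16LE with a BOM, as REG EXPORT writes it.
IFEO_EXPORT = ("\ufeff" + r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\placeholder-hijack.exe"
""").encode("utf-16-le")

if __name__ == "__main__":
    deleted, modified = summarize_fix(FIX_REG)
    print("fix.reg deletes:", *deleted, sep="\n  ")
    print("fix.reg sets/modifies:", modified or "nothing")
    print("IFEO taskmgr.exe Debugger:", ifeo_debugger(IFEO_EXPORT))
```

Run it with plain `python`; it lists the three deletions and the placeholder Debugger path from the constructed export. The parser accepts bytes because REG EXPORT writes UTF-16 with a byte-order mark, while a fix.reg typed in Notepad is plain text; both paths end up in `parse_reg`. On a machine where the taskmgr.exe subkey does not exist at all, REG EXPORT reports an error and writes no file, which is itself a clean result: no subkey means no Debugger redirect.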
 
So that is the reason.

Task manager can't work because it doesn't exist.

Follow these instructions and let me know if it works after that.
 
I don't have a Windows CD, and when I followed the instructions on the page for people without Windows CDs, the computer still asked me for one.
 
This is my girlfriend's computer and she has a way of misplacing things; I really don't know if she ever had one or not. I've been told they stopped giving you one when you buy a new computer. I did find her restore CD though, and that was enough to get SFC.EXE /SCANNOW to work, but there is still no taskmgr.exe. I found the file on the restore CD; can I just copy it into system32?
 