[RESOLVED] SpyAxe (Smitfraud-C.) problem

Howdy, Aremah, and welcome back to A2K. You know, there's a lot more here than yuckware help - you might wanna check out some of the other forums - never know what you'll find.

Anyhow, this is my take on what you should do -

These recommendations are tested and proven safe and effective when used as directed; if you go this way, please follow the steps as laid out, and understand you proceed at your own risk. I suggest you print out these instructions and gather the recommended downloads and/or updates before continuing; some of the following will be conducted while in safe mode and/or not connected to the internet. You may find it convenient to click "Turn on email updates" down at the bottom right of this page; that will cause a notification to be sent to the email address you used at the time you registered with A2K whenever a reply is posted to this thread.

If you have not already done so, download DelDomains.inf. When it has downloaded (should take just a few seconds), click on the file to run it. If the link above displays text instead of downloading the file, then copy & paste the text into notepad and save the file as DelDomains.inf. To use it, right-click and select "Install". Note: This will remove all entries in your "Trusted Zone" and "Ranges".

Update Microsoft Antispyware Beta. Don't do anything with it, just update it and close it.

Update EWIDO; don't do anything else with it at this point, just update it and close it.

Go to Trend Micro Housecall and, following the instructions there, perform a full scan-and-clean with the application. When it has completed, save the report to post in your next reply.

Download Noahdfear's SmitRem.exe, saving the self-extracting file to your desktop. When it has downloaded, double click the file's icon to extract it to it's own folder on the desktop. Don't do anything with it yet, just download and extract it.

Next, download Option Explicit's Pocket Killbox - to a folder on your desktop is fine. When it has downloaded, extract it, then launch it. In the dialog box labled "Full Path of File to Delete", enter the following (be exact):

C:\WINDOWS\system32\mssearchnet.exe

Select "Delete on Reboot" from the options on the left below the dialog box, then click the "Delete File" button at the far right from the dialog box - the red circle with a white "X" - and reboot normally when prompted.

Now, go to Panda Activescan and perform a runthrough of the free online scan there.

Once you are on the Panda site click the "Scan your PC" button

• A new window will open. Click the "Check Now" button
  
• Enter your Country
  
• Enter your State/Province
  
• Enter your e-mail address and click "Send"
  
• Select either "Home User" or "Company" as applicable
  
• Click the "Scan Now" button
  
• If you are prompted to allow the installation an ActiveX control, allow the component to install
  
• It will start downloading the files it requires for the scan (Note: This may take a few minutes - be patient)
  
• When the file download is complete, click on "Local Disks" to start the scan
  
• When the scan completes, click the "See Report" button, then "Save Report" and save it to a convenient location

You might find it useful to create a desktop shortcut to ActiveScan; to do so, click-and-drag the link to ActiveScan from this post to your desktop. An icon named "Panda Free Online Scan" will appear on your desktop; in the future when you click on that icon while connected to the internet, you will be taken directly to the ActiveScan web page.


Next, boot into safe mode, locate and launch HijackThis. When it has completed its scan, place a checkmark next to ONLY the following entries (if found):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: (no name) - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - (no file)

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

Click "Fix Checked" and allow the process to complete. Do not reboot.

Now, locate and open the SmitRem folder, then double-click the file named "RunThis.bat" (DO NOT CLICK ANY OF THE OTHER FILES IN THAT FOLDER) to launch the tool, which will open in a Command box. Place your mouse cursor in that box, click, and follow the prompts as they appear. Wait for the process to complete; following the scan-and-clean, the tool will initiate a Windows Disk Cleanup routine; allow all of this to finish. SmitRem will create a log named "smitfiles.txt" in the root of your main drive or partition, eg; "Local Disk C:" or in the root of the drive or partition on which your Windows is resident. We will want that log in your next reply. When SmitRem has completed, open Control Panel (Start>Settings>Control Panel) and click Display>Desktop>Customize Desktop>Web. Uncheck any of the following, if present:

• Security Info
  
• Warning Message
  
• Security Desktop
  
• Warning Homepage

(Note: SmitRem will revert your desktop to Windows Default; you can reset your desktop to your preference by right-clicking anywhere in a blank area of the desktop, selecting "Properties", and adjusting the settings as you see fit when the cleanup procedure has been completed)

Next, run a full cleanup with CCleaner, then reboot back into safe mode, locate and launch EWIDO, having it run a full system scan-and-clean. Save the log to post with your next reply.

Before rebooting, locate and launch Microsoft Antispyware, select "Advanced Tools", then "Browser Restore". Place a checkmark in the "Select All" box at the bottom of the left-hand panel, then click "Restore" and confirm. This should reset your Start Page and Search Assistants to Microsoft defaults; you can always reset them to your own preferences if you wish, but its good to start from a known-safe point.

Now, reboot normally, connect to the internet, revist Panda ActiveScan, and repeat the scan-and-clean process as before, again saving the report. Following that, again reboot normally, and when the machine has fully booted, immediately run a scan-and-save-log-only with HijackThis.

Navigate back to this thread and post all the saved logs/reports requested (Housecall, 2 Panda ActiveScan, smitfiles.txt, EWIDO, and HJT).

Hey. I only found out yesterday (and by accident) that there is more to these forums than just this one. I'll check them out when I have the time. Onto your instructions.

Trend Micro Housecall
I failed to find the option to generate a report, even though I scanned twice. The first time, it removed a few files; the second time, it only found one: mscornet.exe in /system32 - but it had been there the first time as well, so apparently Housecall couldn't deal with it (it looks like it has subsequently been removed by smitRem, as you can see below).

First Activescan

Adware:Adware/DoZa Not desinfected C:\Program Files\Tlen.pl\plugins\DozaKultury.tpl
Adware:Adware/SpyAxe Not desinfected C:\WINDOWS\system32\1024\ld82A1.tmp
Adware:adware/securityerror Not desinfected C:\WINDOWS\system32\mscornet.exe

smitfiles.txt

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Wersja 5.1.2600]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
ncompat.tlb
nvctrl.exe
mscornet.exe


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN!

Second Activescan

Adware:Adware/DoZa Not desinfected C:\Program Files\Tlen.pl\plugins\DozaKultury.tpl

(This file is an ad plugin for a communicator I rarely use; I don't think it's hostile, but I could, of course, be wrong)

EWIDO

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:35:22, 2005-12-17
+ Report-Checksum: 2620338

+ Scan result:

C:\!KillBox\mssearchnet.exe -> Downloader.Zlob.by : Cleaned with backup


::Report End

HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:00:02, on 2005-12-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: skaner.mks.com.pl
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa Auto-Protect w programie Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

What next, if anything?

Looks fairly decent - some missing files that could be cleaned up with HJT, but nothing critical at the moment. How's the machine behaving?

Nothing to report, everything looks fine (but then the only thing that was wrong before was that Spybot couldn't remove the smitfraud file; there was no visible indication of anything after I removed what I could prior to posting this).

Well, besides a problem I'm having with the computer wailing like a siren from time to time. I've been unable to locate info on what that kind of beep code means.

Dunno what your machine is singing there - but as far as yuckware goes, I'd say you're rid of what we went after; your logs are clean.

You could have HJT get rid of these:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE - this is just a nag to register your soundcard

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) - this is related but not critical to RealPlayer; I don't see that you use RealPlayer, but in any case, this refers to a registry entry that pertains to a file not in existence on your machine. If you remove it then find RealPlayer functionality impaired (which I doubt would be the case), uninstall RealPlayer (via Add/Remove Programs), then download and install RealPlayer's latest version.

One other entry there that some folks might have you remove is this one:

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) - I don't suggest removing it, as it is not uncommon for HJT to wrongly flag this as a no name/missing file; it in fact is a legitimate component of MSN software's Instant Messenger client, and if you have MSN software (MSN Messenger in particular) and it works, that file is there. If you don't have MSN software, then removing it prolly would do no harm. Still, my call is leave it alone.

Thanks for all the help. I do use MSN Messenger.

The thing is, I didn't get to all this until today, and today, I have another issue. Redirect, JavaScript monit, download, all that jazz. New thread coming up in a bit. *sigh*