Smitraud-CToolbar 888 reappearing

Discussion in 'Malware Help (A Specialist Will Reply)' started by nilsA, Jan 26, 2007.

  1. nilsA

    nilsA Private E-2

    Smitraud-CToolbar 888 keeps reappearing, probably using the files assist.exe (Kerio) and winlogon.exe.

    I have cleaned the computer with Avast, Housecall, BitDefender, Spybot. Spybot find&Clean - but when I reboot an explorer window opens ... and we're back, infected.:cry

    So - I just attach the files, and hope someone can help me.

    Oh, yes, there were problems running the utilities, so maybe the files are not fully as they should?
     

    Attached Files:

  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    You may have issues running scans and your PC being slow as you have two antivirus applications in Avast and Bitdefender installed at once, as two AVs will conflict, so please remove one.

    Plus please attach all logs even if they do not highlight or mention any infections


    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!


    Then do follow the guide below as laid out, as your HijackThis log is installed and run in a way not specified in the guide below; there are reasons for running it exactly as listed, mainly that the location is a temp one and without the rename of the .exe some malwares will not be highlighted.
     
  3. nilsA

    nilsA Private E-2

    Thank you; I have in the meantime read the "malware" posting today, and followed the advice there.

    Presto - my firewall is back, no windows starting.

    However, Vundo didn't finish cleaning one last file. I got a message saying that one of the Vundo files was corrupted, possibly a disk problem.

    As the reports I posted first also ran with fault messages, I guess maybe there is a disk problem. So, at the present I am running the WIN2000 disk-check-tool, and hope to come back telling what happened when that is done.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    When you are complete, please attach the logs from Halo's previous post and we will get started.
     
  5. nilsA

    nilsA Private E-2

    Thank you!

    More weird things keep happening, so I just post the first three logs here ...
     

    Attached Files:

  6. nilsA

    nilsA Private E-2

    next ...
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please look in Add/Remove Programs for the following and uninstall them if found:

    Fellesfiler

    Ipwindows

    Outerinfo

    VSAdd-in


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    ipwins.exe

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {B677213B-E98D-E65F-FBEF-E7FBFF132390} - C:\WINNT\system32\pdz.dll

    O2 - BHO: (no name) - {1553AD8D-8D6F-4851-B708-A8C6057E8DA5} - C:\WINNT\system32\sstqp.dll (file missing)
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Programfiler\VSAdd-in\VSAdd-in.dll (file missing)
    O2 - BHO: (no name) - {69577F8E-6A3F-5396-F0BF-0663E235466D} - C:\WINNT\system32\xpungkf.dll (file missing)
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINNT\system32\wqwkhljj.dll (file missing)
    O2 - BHO: (no name) - {94590FD5-B445-4270-B532-D9CB163E73AD} - C:\WINNT\system32\byxywtu.dll (file missing)
    O2 - BHO: (no name) - {A203EE6B-DAA2-4F2F-BB08-0B664BDB751C} - C:\WINNT\system32\rqronmm.dll
    O2 - BHO: (no name) - {B677213B-E98D-E65F-FBEF-E7FBFF132390} - C:\WINNT\system32\pdz.dll
    O2 - BHO: (no name) - {D085F6E9-698C-40A5-896A-AA7A6702655B} - C:\WINNT\system32\gebcc.dll

    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Programfiler\VSAdd-in\VSAdd-in.dll (file missing)

    O4 - HKLM\..\Run: [{102F22C9-02DE-1044-0418-01030828002f}] "C:\Programfiler\Fellesfiler\{102F22C9-02DE-1044-0418-01030828002f}\Update.exe" mc-110-12-0000272
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINNT\system32\drvtal.dll,startup
    O4 - HKLM\..\Run: [fjrohxf.dll] C:\WINNT\system32\rundll32.exe "C:\Documents and Settings\spesial.NILS1\Lokale innstillinger\Programdata\fjrohxf.dll",sfsdsad
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINNT\system32\rnditicx.dll",setvm
    O4 - HKLM\..\Run: [IpWins] C:\Programfiler\Ipwindows\ipwins.exe
    O4 - HKCU\..\Run: [Uttp] "C:\WINNT\CROSOF~1\winword.exe" -vt yazb
    O4 - HKCU\..\Run: [Nvgjujo] "C:\WINNT\?ystem32\mshta.exe" 99001162

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} - http://akamai.downloadv3.com/binaries/one2one/one2oneSvcEN.cab

    O20 - Winlogon Notify: gebcc - C:\WINNT\system32\gebcc.dll
    O20 - Winlogon Notify: rqronmm - C:\WINNT\SYSTEM32\rqronmm.dll
    O20 - Winlogon Notify: windtl32 - C:\WINNT\SYSTEM32\windtl32.dll

    O23 - Service: COM+ Messages - Unknown owner - C:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    • Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to COM+ Messages
    • Then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste COM+ Messages into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Programfiler\Fellesfiler Delete this whole folder if it exists!

    C:\Programfiler\Ipwindows Delete this whole folder if it exists!

    C:\Programfiler\Outerinfo Delete this whole folder if it exists!

    C:\Programfiler\VSAdd-in Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.



    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
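An added example, not code from this thread or from MajorGeeks: a small parser for HijackThis log lines of the kind listed above, with defender-side triage rules matching what the helpers here act on (dangling "(file missing)" entries, unnamed BHOs and hooks, Winlogon Notify DLLs, Run keys that launch a DLL through rundll32, services with an unknown owner). The sample log is constructed from entries quoted in the thread plus one hypothetical benign Kerio entry (the path is an assumption), and the vowel-ratio check is a weak hint for random-looking filenames, not a verdict.

```python
"""Triage HijackThis (HJT) log lines: parse entries and flag the patterns
malware helpers look for.  Added example, not a MajorGeeks tool."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: entries quoted from the thread, plus one
# hypothetical benign Run entry (the Kerio path is an assumption).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = C:\\windows\\system32\\blank.htm
R3 - URLSearchHook: (no name) - {B677213B-E98D-E65F-FBEF-E7FBFF132390} - C:\\WINNT\\system32\\pdz.dll
O2 - BHO: (no name) - {D085F6E9-698C-40A5-896A-AA7A6702655B} - C:\\WINNT\\system32\\gebcc.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\\Programfiler\\VSAdd-in\\VSAdd-in.dll (file missing)
O4 - HKLM\\..\\Run: [DllRunning] rundll32.exe "C:\\WINNT\\system32\\rnditicx.dll",setvm
O4 - HKLM\\..\\Run: [KerioPF] "C:\\Programfiler\\Kerio\\kpf4gui.exe"
O20 - Winlogon Notify: gebcc - C:\\WINNT\\system32\\gebcc.dll
O23 - Service: COM+ Messages - Unknown owner - C:\\WINNT\\system32\\svchosts.exe" -e mc-110-12-0000272 (file missing)
"""

# Every HJT entry starts with a section code (R0, R3, O2, O4, O20, O23 ...).
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# First Windows path to a binary in the entry; stops at quotes, spaces, commas.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\s,]+\.(?:dll|exe|sys|ocx)", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)
    line: str = ""


def vowel_ratio(stem: str) -> float:
    """Share of vowels among the letters of a filename stem.  Names like
    'gebcc' or 'rqronmm' score low; this is only a weak hint."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return 1.0
    return sum(c in "aeiou" for c in letters) / len(letters)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding with the reasons an entry deserves review, or None
    when none of the rules fire."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else None
    f = Finding(section, path, line=line.strip())
    if "(file missing)" in body or "(no file)" in body:
        f.reasons.append("dangling reference: registered object no longer on disk")
    if "(no name)" in body:
        f.reasons.append("unnamed COM object or hook")
    if section == "O20" and "Winlogon Notify" in body:
        f.reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at logon")
    if section == "O4" and "rundll32" in body.lower():
        f.reasons.append("Run key launches a DLL via rundll32")
    if section == "O23" and "Unknown owner" in body:
        f.reasons.append("service with unknown owner")
    if path:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if vowel_ratio(stem) <= 0.2:
            f.reasons.append(f"random-looking filename '{stem}' (weak heuristic)")
    return f if f.reasons else None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits."""
    return [f for f in map(triage_line, text.splitlines()) if f]


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit.section, hit.path or "-")
        for reason in hit.reasons:
            print("   -", reason)
```

Entries that trip no rule (the blank local page, the constructed Kerio entry) are dropped, so the output is the short review list a helper would work from rather than the whole log.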
     
  8. nilsA

    nilsA Private E-2


    Thank you for your help; I'll go straight to work.

    The above, however, is worrying me a little.

    The folder "fellesfiler" is in English called something like "Common Files" under "Program Files", and contains data for several installed programs and "System".

    Should I *really* delete all this?


    So, I'll go on as far as I can without taking this decision.
     
  9. nilsA

    nilsA Private E-2

    Now I have gone though the list of "to-do".

    I found some of the programs in Add Remove Programs. The trouble is - VSAdd-in is not possible to remove that way. Nothing happens.

    I have now found the name for "fellesfiler" - it is "Shared Files." If I knew what to look for, I can go through the catalogue and look for it.

    I have also, at the request of Sunbelt Kerio, removed and reinstalled the Kerio Personal Firewall.

    The result so far is:

    I've got a much faster computer :)
    But still, sometimes a small window opens to tell that it cannot connect to the Internet. Or, if the computer is connected, there is some exchange going on. :cry

    So, here's the last HijackThis log file. (Some entries have come back.)
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Your Uninstaller! 2006 5.0.0.256, save to desktop and install.

    Locate VsAdd-in and uninstall this way. Probably would be better to do this In Safe Mode. Once you do this uninstall, run a Panda scan and then attach a fresh HJT log with the Panda log.

    You will have a few more issues but let's take them one at a time.
     
  11. nilsA

    nilsA Private E-2


    Done that; lots of trouble using Panda Scan - IE was very difficult to run.
    I also tried removing three of the lines in the HJT log, but at least one keeps reappearing.

    Anyway, here are the logs - shorter this time.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, uninstall CounterSpy and disable any other antivirus and antispyware programs you have.

    Let's start by downloading two tools we will need

    - Process Explorer 10.21

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of gebcc.dll, urexrlqj.dll and rqronmm.dll once and then click the kill button. After you have killed all of the gebcc.dll, urexrlqj.dll and rqronmm.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of gebcc.dll, urexrlqj.dll and rqronmm.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {54454562-72B3-49FE-A225-80014553C4CF} - C:\WINNT\system32\gebcc.dll
    O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINNT\system32\urexrlqj.dll
    O2 - BHO: (no name) - {A203EE6B-DAA2-4F2F-BB08-0B664BDB751C} - C:\WINNT\system32\rqronmm.dll
    O20 - Winlogon Notify: gebcc - C:\WINNT\system32\gebcc.dll
    O20 - Winlogon Notify: rqronmm - C:\WINNT\SYSTEM32\rqronmm.dll
    O20 - Winlogon Notify: windtl32 - C:\WINNT\SYSTEM32\windtl32.dll

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot, run and post a fresh Panda log and a new HJT log.
     
  13. nilsA

    nilsA Private E-2

    This is almost fun ;-)

    OK, here's the logs - am I right we are close to the end?

    ... and I really do appreciate the help!
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you familiar with SiteAdvisor? If not, look in Add/Remove Programs and uninstall it.

    Also, your HJT log seems to be from Safe Mode, can you attach a fresh one from normal mode. I noticed your Panda Log wasn't correct for some reason. Can you try to upload a fresh one so we can remove any leftovers?
     
  15. nilsA

    nilsA Private E-2

    I don't quite understand this?

    Yes, I have McAfee SiteAdvisor installed in some of my browsers. Do you mean that this is a program that creates more problems than it solves?

    Anyway, here are the logs. Hope I got it right this time.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's fine if you're OK with it.

    You didn't attach anything?
     
  17. nilsA

    nilsA Private E-2

    That's strange. Well I'll make another attempt.

    But then ... an old problem reappeared. I get two extra "windows" in the top right window of explorer, IE, Firefox ... One is a square like the middle of the three normal ones in the top; the other is like a small down arrow. It is somehow linked to the ATI graphics software/driver.

    I have tried to make a new Panda scan, but it doesn't work. It never comes to the part where I choose what to scan.

    So, here are the two from before this happened.
     

    Attached Files:

  18. nilsA

    nilsA Private E-2

    After some more or less "random" search on a computer that once again was going "haywire" - I started thinking.

    The reason for disabling msconfig: I run win2000, so there is nothing there. But I have used Startup Inspector to close things I don't want to have running; maybe that can have contributed?

    So, I removed that, and have started the procedure once again. I will also look for the problems indicated in the previous answers, hoping to avoid posting the same problems.

    I'll also run some of the other programs to see what happens.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since BJ is not around right now, I will try to keep you moving along. I saw stuff in previous ShowNew logs that was never fixed. Also Panda indicated a PurityScan infection. So let's address these. And you are correct, you do not want to delete the C:\Programfiler\Fellesfiler\ folder which is required for your OS.
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0
    Mozilla Firefox (1.5.0.9)
    Norton AntiVirus 2004 (Symantec Corporation) <-- if you cannot find this or it does not uninstall just tell me! You can also try Your Uninstaller that BJ gave you!
    OIN <-- should have been uninstalled in step 0 of the READ ME
    Outerinfo <-- should have been uninstalled in step 0 of the READ ME
    VSAdd-in for Internet Explorer <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {B677213B-E98D-E65F-FBEF-E7FBFF132390} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll (file missing)
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O20 - Winlogon Notify: windtl32 - windtl32.dll (file missing)
    After clicking Fix, exit HJT.

    Note: Some of the files I list below BJ already asked you to delete but since a followup log from ShowNew was not requested, I cannot be sure of the result. So just follow the instructions anyway.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Programfiler\Fellesfiler\Yazzle1122OinAdmin.exe
    C:\Programfiler\Fellesfiler\Yazzle1162OinUninstaller.exe
    C:\Programfiler\Fellesfiler\Yazzle1122OinUninstaller.exe
    C:\271524553
    C:\avirx.exe
    C:\dmfxyqt.exe
    C:\ewfqb.exe
    C:\gjrfcda.exe
    C:\kennwokd.exe
    C:\mmtbm.exe
    C:\ocqhb.exe
    C:\odmcsk.exe
    C:\otibkl.exe
    C:\rjyvgnd.exe
    C:\rvpljn.exe
    C:\tsasxc.exe
    C:\vema.exe
    C:\WINNT\system32\wcpsvcc.exe
    C:\WINNT\_win32_system_data.dll
    C:\WINNT\_win32_system.dll
    C:\WINNT\_win32_system_info.dll
    C:\WINNT\system32\gebcc.dll
    C:\WINNT\system32\pdz.dll
    C:\WINNT\system32\rnditicx.dll
    C:\WINNT\system32\rqronmm.dll
    C:\WINNT\system32\windtl32.dll
    C:\WINNT\system32\EF03C2827D.sys
    C:\WINNT\system32\pqtss.tmp
    C:\WINNT\system32\ccbeg.ini
    C:\WINNT\system32\pqtss.ini
    C:\WINNT\system32\pqtss.ini2
    C:\WINNT\system32\xcitidnr.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folder and delete if found:
    C:\Programfiler\Fellesfiler\{102F22C9-02DE-1044-0418-01030828002f}
    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  20. nilsA

    nilsA Private E-2

    Ok, here are the files, and how things went.

    The programs to delete -

    I had done the Firefox upgrade;
    Java was ok,
    Could not find (YourUninstaller)
    Norton
    OIN
    Outerinfo
    Vsaddin.

    (Think I did this earlier in the process.)

    After the Killbox operation, a small window in the middle of the screen appeared, saying something like "Install com component". (In Norwegian, my re-translation may be inaccurate.)

    I got error messages running both getrunkey and newfiles, but files were produced.

    The error message was something like this:

    "C:\WINNT\system32\cmd.exe"
    "C:\Program~1\Symantec\S32event1.dll"
    "A temporary unit driver could not initialize "

    I chose the "ignore", and whatever happened, files were produced.

    The extra upper right corner of most windows are gone, the computer run quite quietly, and while I am writing this, the CPUs are running at around 20% with some peaks to near 50%; memory use is stable and low.

    One question: I am (for some months until I get fiber optic broadband) sharing a WIFI LAN with a couple of neighbours, and use this (the infected) computer as gateway to a LINUX PC (Kubuntu 6.10) over my private ethernet LAN, mainly for downloads. Are there any special risks using this computer as gateway?

    Thank you so very much for the help!
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach a new HJT log! I will ask for one at the end of the below procedure.

    First uninstall the Sunbelt CounterSpy trial since we are finished with it now!


    This error message is described on the download pages for ShowNew & GetRunKey. You should perform the appropriate fix.

    If an infected computer is used as a gateway, yes it could be a problem. It all depends on the malware infections themselves and what types of things they can do. You do run the risk of infecting other PCs on the whole LAN (a reason why you want a software firewall) although a LINUX system is less likely to pick up many of the PC malware problems.


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups (don't skip this step)
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\Downloaded Program Files\roing17.ocx
    C:\WINNT\Downloaded Program Files\EGCOMLIB_1035.dll
    C:\WINNT\Downloaded Program Files\IEAccess2.dll
    C:\WINNT\Downloaded Program Files\netia32.dll
    C:\WINNT\Downloaded Program Files\ObjSafe.tlb
    C:\WINNT\Downloaded Program Files\olepro32.dll
    C:\xjkjtea.exe
    C:\WINNT\system32\juykkwnw.ini
    C:\WINNT\system32\vtdbssph.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  22. nilsA

    nilsA Private E-2

    First - thank for your patience!

    Everything went smoothly until the GetRunKey and ShowNew.

    After trying to fix the registry, I get the message (roughly translated):

    "C:\WINNT\system32\cmd.exe
    System\CurrentControlSet\Control\VirtualDevice\srivers.vdd
    temporary unit driver format in registry not valid."

    GetRunKey, however, after some time, produced a log.
    ShowNew stalled and I had to restart because all the icons on the desktop disappeared. And yes, I did go for a nice cup of tea to give things time to eventually happen.

    I did try following the Microsoft advice, but somehow things did not happen as written - or I make mistakes due to the Norwegian version of WIN2000.

    The key now is like this:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]VDD=REG_MULTI_SZ

    So, I am now still not able to produce all the log files; only GetRunKey and HJT this time.
     

    Attached Files:

  23. nilsA

    nilsA Private E-2

    I have gone on a little, trying to fix the newfiles error.

    First I looked in the registry of another WIN2000 computer, and found an error; so I corrected it.

    This gave me the file runkeys2.txt - but no change in the behaviour of NewFiles.

    Then I installed the fix for the problems message I do *not* get (the 16 bit stuff); still no change.

    Reboot, and I still get the message indicated earlier, but now I have to "Ignore" just once, and I got a newfiles.txt.

    In case this would produce another runkeys log, I ran one more, called runkeys3.txt
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  25. nilsA

    nilsA Private E-2

    Thank you so very much, both of you who have helped me here!

    I'll go straight back to the folding - the first thing I disabled when the computer started to slow down. These problems obviously have been going on for quite a long time.

    ... of course I will join from this site!
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
