smitfraud, aurora, and various other issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by joewhite02, Aug 6, 2005.

  1. joewhite02

    joewhite02 Private E-2

    I'm having a lot of trouble with the trojan-spy.html.smitfraud trojan and others, as well as having Aurora. I downloaded and tried to run all the programs that were listed in the thread saying to run them before asking for help, but it won't let me finish running the programs. None of them have been able to finish before the system would freeze up and then I would have to try to start again... What should I do next? I am attempting to download and run HijackThis so I can post a log because I don't know what else to do... Please let me know what I should do and if you can help...

    thanks a lot

    joe
     
  2. joewhite02

    joewhite02 Private E-2

    I managed to get Spybot, CCleaner, and Ad-Aware to run, but I still have the blue desktop screen and I'm still getting popups. I also ran the ABI remover... Any help would be greatly appreciated...

    thanks,

    joe
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow standard cleanup procedures as given below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps below:



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  4. joewhite02

    joewhite02 Private E-2

    Thank you for responding, I have attached a fresh HJT log...

    thanks,

    joe
     

    Attached Files:

  5. joewhite02

    joewhite02 Private E-2

    I ran some of the other programs that I saw in other posts about smitfraud and Aurora, such as ABI remover and Hoster... Still getting lots of popups and can't get rid of the PS spyware program that keeps coming back... Here is the latest HJT log...

    thanks,

    joe
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your Operating System and Internet Explorer versions are WAY out of date and represent a major security risk. After we fix your current problems, you must get updated. You need to install Service Pack 2 for security purposes.

    First, please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post all three logs as attachments.
     
  7. joewhite02

    joewhite02 Private E-2

    I have a new issue apparently... I started the Panda online scan but my computer froze halfway through and so I restarted... After I restarted it wouldn't allow me to get back on the internet... A box keeps popping up saying "the application has failed to start because WININET.DLL was not found. Re-installing the application may fix the problem." So since I can't get online to run the other programs, what should I do now, how can I get around this?? I am posting this from another computer... Thanks for helping..


    joe
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you download the tools and some other things to a CD or something to transfer them to the infected machine?
     
  9. joewhite02

    joewhite02 Private E-2

    Yeah, I can download the tools to this computer and burn them to a CD and use that on the other machine... So I should get the Qoologic and RKFiles tools, and are there any other ones that I should go ahead and put on there now as well?

    thanks
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  11. joewhite02

    joewhite02 Private E-2

    OK, once I get all of these loaded onto the infected machine, do you want me to run them in any certain order? I guess I'm just asking what the next step is and if you want me to post a log after I run them... Thanks
     
  12. joewhite02

    joewhite02 Private E-2

    I was able to get back online by downloading the wininet.dll file and unzipping it into the windows\system32 area and now that is working again... So I am running the Qoologic and RKFiles and the Panda scan and will have those 3 logs posted soon... Thanks again
     
  13. joewhite02

    joewhite02 Private E-2

    I ran the Panda scan and RKFiles; however, Qoologic did not go all the way, it said there was an error and then it said to retry, abort, or fail... I just aborted and tried again but no success... Here are the logs from RKFiles and the Panda scan...

    thanks

    joe
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\etb ←–– Delete this whole folder if it exists!

    C:\Program Files\CMAPP ←–– Delete this whole folder if it exists!

    C:\Program Files\Cas ←–– Delete this whole folder if it exists!

    C:\Program Files\Aprps ←–– Delete this whole folder if it exists!

    C:\Program Files\CasStub ←–– Delete this whole folder if it exists!

    C:\Program Files\Common Files\rmkk ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system32\r?gedit.exe
    (The ? represents an unprintable character. Manually locate this file and delete it when found!)


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    C:\WINDOWS\ru.exe
    C:\WINDOWS\tgnssvc.exe
    C:\WINDOWS\visfxun.exe
    C:\WINDOWS\zbjkdll.exe
    C:\WINDOWS\zbjkenc.exe
    C:\WINDOWS\Adult_Chat.exe
    C:\WINDOWS\cfgmgr52.ini
    C:\WINDOWS\1e10x.sys
    C:\WINDOWS\ttext.dll

    C:\WINDOWS\system32\intel32.exe
    C:\WINDOWS\system32\rttxugdt.dll
    C:\WINDOWS\system32\1e10x.sys
    C:\WINDOWS\system32\03y56w.dll
    C:\WINDOWS\system32\ntfsnlpa.exe
    C:\WINDOWS\system32\oleadm.dll
    C:\WINDOWS\system32\certcclie.exe
    C:\WINDOWS\system32\Shex.exe

    C:\Program Files\Windows Media Player\wmplayer.exe.tmp

    C:\Documents and Settings\Owner\Application Data\wo.tmp
    C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll


    After you have completed the steps above, reboot and attach a fresh HJT log.
     
  15. joewhite02

    joewhite02 Private E-2

    OK, I went through those steps, although I could not find C:\WINDOWS\system32\r?gedit.exe. I did find something similar in that folder, regedt32.exe, but I didn't delete it because I wasn't sure... Also when I restart my computer I get two boxes that pop up: one says "error loading AUNPS2.DLL the specified module could not be found" and the other is the same except it is for cfgmgr52.dll. Don't know if this is just something that will get fixed in the next few steps or not, I just thought I'd point it out... And I have attached a fresh HJT log... Thanks very much for working with me....
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please uninstall Ewido so it will not block anything we try to fix!


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)

    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
    O4 - HKLM\..\Run: [p72k3se] lig0_32.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\oqnaba.exe reg_run
    O4 - HKLM\..\Run: [Shaitan1678] gabber.exe
    O4 - HKLM\..\Run: [Trayz] pizda.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
    O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
    O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
    O4 - HKCU\..\Run: [YwtqRiK5V] lfgupdll.exe
    O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
    O4 - HKCU\..\Run: [rmkk] C:\PROGRA~1\COMMON~1\rmkk\rmkkm.exe
    O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
    O4 - HKCU\..\Run: [FLKPT] StatusCheck.exe
    O4 - HKCU\..\Run: [NsCplTray] 34763.exe
    O4 - HKCU\..\Run: [MON76234] iehelper.exe
    O4 - HKCU\..\Run: [Hwt] C:\WINDOWS\System32\r?gedit.exe
    O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.aavalue.com/rr/toolbar/rr-toolbar.cab
    O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/smdesktop.CAB

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe
    O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\tgnssvc.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Command Service (cmdService) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate Windows VisFx Components and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\T3duZXIA ←–– Delete this whole folder if it exists!

    C:\Program Files\apsi ←–– Delete this whole folder if it exists!

    C:\Program Files\SurfSideKick 3 ←–– Delete this whole folder if it exists!

    C:\Program Files\CMAPP ←–– Delete this whole folder if it exists!

    C:\Program Files\Cas ←–– Delete this whole folder if it exists!

    C:\Program Files\PSGuard ←–– Delete this whole folder if it exists!

    C:\Program Files\WildTangent ←–– Delete this whole folder if it exists!

    C:\Program Files\WareOut ←–– Delete this whole folder if it exists!

    C:\Program Files\Common Files\rmkk ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\r?gedit.exe
    (Again, this file is there, it will not look normal as the ? represents an unprintable character. Manually locate it and delete it. The file regedt32.exe is a legit file so do not delete this one.)

    NOW:
    You will have to search for each of these files. They should be in the C:\WINDOWS or C:\WINDOWS\System32 folder.

    lig0_32.exe

    gabber.exe

    pizda.exe

    AUNPS2.dll

    StatusCheck.exe

    lfgupdll.exe

    34763.exe

    iehelper.exe



    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    C:\WINDOWS\cfgmgr52.dll
    C:\WINDOWS\ttupt.exe

    C:\WINDOWS\System32\PSof1.exe
    C:\WINDOWS\System32\oqnaba.exe

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot and get me 3 new logs from post 6 along with a fresh HJT log.
     
  17. joewhite02

    joewhite02 Private E-2

    Hey, I had a few problems with some of the steps that you told me to carry out... When I tried to run services.msc a box would pop up saying "Microsoft Management Console has encountered a problem and needs to close" and would not let me use that function... So I was unable to complete those steps. Also when I searched for those 8 files you told me to delete I was unable to find any of them; I searched manually and also did a search from the Start menu but found nothing... I did use KillBox and was able to carry out the other steps... What should I do now? Should I post the new logs or find a way to finish the other steps?? Thanks again for your help.....

    joe
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Windows VisFx Components

    (cmdService)


    You may be told to reboot at this point. Do not reboot just exit HijackThis as we will be restarting in a moment.

    After you complete the above, proceed with attaching the new logs. If you can't proceed with the above, just continue; we will get them after I check the logs.
     
  19. joewhite02

    joewhite02 Private E-2

    I have attached the logs for the RKFiles scan, the Panda scan and a fresh HJT log, but I was still unable to run the FindQoologic program... It would start and then it would say "Data error reading device" and then give me the option to retry, abort, or fail....

    thanks,

    joe
     

    Attached Files:

  20. joewhite02

    joewhite02 Private E-2

    Here is the RKFiles log..
     

    Attached Files:

    • log.txt (27 bytes)
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\NDNuninstall4_88.exe
    C:\WINDOWS\NDNuninstall4_94.exe
    C:\WINDOWS\NDNuninstall5_40.exe
    C:\WINDOWS\NDNuninstall5_48.exe

    C:\WINDOWS\SYSTEM\QBUninstaller.exe

    C:\WINDOWS\SYSTEM32\loadctr32.exe

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Reboot to Normal Windows , Scan with HijackThis and attach the new log and let me know if any problems remain.
     
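The fix lists in posts 16 and 21 are compiled by someone who recognises the malicious entries by name. As an added example (not code from this thread, from HijackThis, or from MajorGeeks), the Python below parses lines in the HijackThis O4/O23/R3 format and flags the structural warning signs those posts lean on: an entry whose file is already missing, an executable launched from a temporary folder, an autorun that names a bare filename with no directory, a path containing an unprintable character (the r?gedit.exe case), and a service with no vendor information outside System32. The sample lines are constructed from entries quoted in the posts plus one hypothetical benign entry ("ExampleUpdater"), and `\x07` stands in for the unprintable character.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in HijackThis log format, modelled on the O4/O23/R3
# entries quoted in posts 16 and 21. This is not a log from the thread; the
# "ExampleUpdater" line is a hypothetical benign entry used as a control, and
# \x07 stands in for the unprintable character in the r?gedit.exe name.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun",
    r"O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe",
    r"O4 - HKLM\..\Run: [p72k3se] lig0_32.exe",
    r"O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16",
    "O4 - HKCU\\..\\Run: [Hwt] C:\\WINDOWS\\System32\\r\x07gedit.exe",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXIA\command.exe",
    r"O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\tgnssvc.exe (file missing)",
    r"R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)",
    r'O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example Corp\updater.exe" /quiet',
]

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (.+?) - (\{[^}]+\}) - (.+)$")
MISSING = "(file missing)"
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\temp\\")


@dataclass
class Entry:
    raw: str
    kind: str            # "O4", "O23", "R3" or "other"
    name: str = ""
    owner: str = ""
    target: str = ""     # the file the entry actually loads
    missing: bool = False
    reasons: list = field(default_factory=list)


def extract_target(command: str) -> str:
    """Return the file a Run-key command loads: unwrap a quoted path, and for a
    rundll32 host report the module it is told to load rather than rundll32 itself."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0]


def parse_line(line: str) -> Entry:
    """Parse one HijackThis line into an Entry; unknown line types become kind 'other'."""
    line = line.rstrip()
    missing = line.endswith(MISSING)
    body = line[: -len(MISSING)].rstrip() if missing else line
    if m := O4_RE.match(body):
        return Entry(line, "O4", name=m.group(2), target=extract_target(m.group(3)), missing=missing)
    if m := O23_RE.match(body):
        return Entry(line, "O23", name=m.group(1), owner=m.group(2), target=m.group(3).strip(), missing=missing)
    if m := R3_RE.match(body):
        return Entry(line, "R3", name=m.group(2), target=m.group(3).strip(), missing=missing)
    return Entry(line, "other", missing=missing)


def assess(e: Entry) -> Entry:
    """Attach the structural warning signs an analyst looks for when reading a log."""
    t = e.target
    low = t.lower()
    if e.missing:
        e.reasons.append("orphaned: points at a file that no longer exists")
    if any(marker in low for marker in TEMP_MARKERS):
        e.reasons.append("runs from a temporary folder")
    if t and "\\" not in t:
        e.reasons.append("bare filename with no directory, resolved via the search path")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in t):
        e.reasons.append("non-printable character in path (mimics a system tool name)")
    if e.kind == "O23" and e.owner.lower() == "unknown owner" and "\\system32\\" not in low:
        e.reasons.append("service with no vendor information outside System32")
    return e


def triage(lines):
    return [assess(parse_line(ln)) for ln in lines if ln.strip()]


def suspicious(lines):
    return [e for e in triage(lines) if e.reasons]


def reasons_for(line: str):
    return assess(parse_line(line)).reasons


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LINES):
        print(f"{e.kind:4} {e.name}: {e.target!r}")
        for r in e.reasons:
            print("     -", r)
```

Note that cfgmgr52, which post 16 also removes, produces no flag: it is a normally formed rundll32 entry with an existing DLL and is identified only by knowing the name. Heuristics like these shortlist entries for research; they do not replace looking each item up.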
  22. joewhite02

    joewhite02 Private E-2

    Hey, thanks a lot for helping and I apologize for the delay between posts, I had to go out of town this past week... But here is the most recent HijackThis log... Everything seems to be much better... I do have a question though... Is there any software that you would recommend downloading or purchasing to help keep track of and delete spyware and viruses? Also earlier in one of your posts you said I needed to get Service Pack 2 for XP... Can I just download this from the internet? Thanks a lot for your time and help....

    joe
     

    Attached Files:

  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following package; please note it's 266 MB and may take about 15 minutes on Cable/DSL.

    Windows XP Service Pack 2

    After download is complete, double click to install.

    After you have completed the install, reboot and let me know if you have any problems.
     
