Another smitfraud annoyance

Discussion in 'malware problems & news' started by sw2001, Aug 7, 2005.

Thread Status:
Not open for further replies.
  1. sw2001

    sw2001 Registered Member

    Joined:
    Dec 18, 2004
    Posts:
    13
    Location:
    Canada
    It is a bit different from the other smitfraud posts, that's why I opened a new thread.
    I removed every possible pest following all the instructions here. Everything seems to be clean. But as soon as I open IE and go online, that crap (intell32.exe) comes back and starts a hard drive scan.
    I already tried Xoftspy, AdAware, Spybot, AVG.
    Would like to do an online scan (Panda), but can't use IE online.
    How can I get rid of that without reinstalling?
    It's a 98 (no SE) computer.
     
  2. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    did you try to scan with spybot? or try a2 free and do a scan...
    Good Luck.
     
  3. sw2001

    sw2001 Registered Member

    Joined:
    Dec 18, 2004
    Posts:
    13
    Location:
    Canada
    thanks for your reply
    but unfortunately no success
    spybot I had already
    a2 found it and removed it, but it keeps coming back.
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  5. sw2001

    sw2001 Registered Member

    Joined:
    Dec 18, 2004
    Posts:
    13
    Location:
    Canada
    the strange thing is, HijackThis doesn't show anything suspect.
    It is so short, that I'll post it here to demonstrate only.
    There is no use to analyse that log.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:35:32 PM, on 07/08/05
    Platform: Windows 98 Gold (Win9x 4.10.1998 )
    MSIE: Internet Explorer v5.00 (5.00.2314.1000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\_CC\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LVCOMSX] c:\windows\SYSTEM\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] c:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - htlp://www.pandasoftware.com/activescan/as5free/asinst.cab
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    You're right, that is strange.

    Are u sure u are copying and pasting the whole log?

    There should be a lot more entries than that. I'm not sure what's going on there....

    Maybe u could post the log as is over there, explaining your issues and see if they can figure out what's happening.

    Just a thought...

    When Wilders used to analyse HJT i remember seeing very short logs but i can't recall what the problems were.



    snowbound
     
  7. sw2001

    sw2001 Registered Member

    Joined:
    Dec 18, 2004
    Posts:
    13
    Location:
    Canada
    Gone :D

    yes snowbound that's the whole log.
    I took out everything bad and unnecessary plugins (yahoo, msn, ...)
    No scan got rid of the infected part of wininet.dll and that was the reason why it came back every time. So I copied it on a floppy disk and did some online scans on another system. Panda didn't find anything, neither did AVG. Next try was Kaspersky, which found the trojan, but didn't disinfect it. The online scanner from F-Secure found and disinfected the file :-*

    Hope that might help others too.
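
Added example, not part of the original thread: a small parser for the HijackThis log format posted earlier, showing why the log looked clean. HijackThis lists running processes and autostart/registry entries, so neither intell32.exe nor the infected wininet.dll appears in it. The log text is an excerpt copied from sw2001's post (some O4 lines omitted); the function names are this example's own.

```python
import re

# Excerpt of the HijackThis log from the thread (some O4 lines omitted for length).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\_CC\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - htlp://www.pandasoftware.com/activescan/as5free/asinst.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # section code, e.g. "O4 - ..."
AUTORUN = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")

def parse_hjt(text):
    """Split a HijackThis log into running processes and coded entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return {"processes": processes, "entries": entries}

def autoruns(parsed):
    """Return (registry key, value name, command) for each O4 startup entry."""
    hits = (AUTORUN.match(d) for c, d in parsed["entries"] if c == "O4")
    return [m.groups() for m in hits if m]

def mentioned(parsed, filename):
    """True if filename appears in any running-process path or entry."""
    haystack = parsed["processes"] + [d for _, d in parsed["entries"]]
    return any(filename.lower() in h.lower() for h in haystack)

if __name__ == "__main__":
    log = parse_hjt(SAMPLE_LOG)
    for name in ("intell32.exe", "wininet.dll"):
        print(name, "listed:", mentioned(log, name))
```

A clean autostart listing only rules out the persistence points the tool enumerates; a modified system file has to be caught by scanning or comparing the file itself, which is what sw2001 ended up doing.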
     
  8. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Good show! :D

    Nice to see u got rid of it. ;) :D


    snowbound
     
  9. daviidneylon

    daviidneylon Registered Member

    Joined:
    Aug 12, 2005
    Posts:
    21
    I tried to find the online scan you mentioned by googling f-secure; found a company by that name but couldn't find anything about on-line scanning. Can you give me the link?

    Thanks.
     
  10. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    I assume this might be it?

    http://support.f-secure.com/enu/home/ols.shtml


    snowbound
     