TechSpot

IE redirection - spyware knight/spysoldier

By syrinx312
Feb 3, 2007
  1. Hi all and many thanks for this forum...

    I was recently attacked by a variety of spyware/malware. I think I've managed to clean it all up, except for one last annoying thing. I've seen other posts about this issue.

    Internet explorer redirects me to a page saying I'm infected with Trojan.Dloader/LX and then tries to sell me spyware knight or spy soldier. I've followed all the instructions in the "Preliminary removal instructions" thread to no avail.

    Symantec Antivirus, SS&D, AdAware, AVG, and the 4 other tools (Look2me, Vundofix, etc) all say I'm clean but the redirect is still happening.

    I've attached my HJT log and AVG log. I have some older logs showing some of the malware removed in my earlier attempts if they will help.

    I noticed the AVG log doesn't look like a normal text file. Is this normal or did I do something wrong?

    Any help would be greatly appreciated.

    Tim
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hello and welcome to TechSpot.

    It seems like you have a smitfraud infection.

    Download and run SmitfraudFix from here. Then post the log file. After running SmitfraudFix, post a fresh AVG and HJT log.

    Regards :)

    This thread is for the use of neowing only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
     
  3. syrinx312

    syrinx312 TS Rookie Topic Starter

    Hi Kitty,

    Thanks for the fast response. I had run smitfraudfix earlier but I booted into safe mode and ran it and AVG again. Afterwards, I rebooted into normal mode and reran HJT. All logs are attached.

    I noticed that smitfraud told me it was removing the same file (windows/system32/oiso.bin) both times I ran it. I checked and the file still exists, but it is a 0 byte file.

    Tim
     
  4. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hmm. I'm not sure about the running process regsrvc.exe, but we'll leave that alone for now.

    First of all, delete C:\Windows\System32\oiso.bin.

    Now, have HJT fix these entries:

    O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll
    O4 - HKLM\..\Run: [{C8559CA6-063E-1033-1029-030211070001}] "C:\Program Files\Common Files\{C8559CA6-063E-1033-1029-030211070001}\Update.exe" rpcss
    O4 - HKLM\..\Run: [winsock32] winsock32
    O4 - HKLM\..\RunServices: [winsock32] winsock32

    Now set Windows Explorer to show all files and folders, including hidden and system (see how here).

    Go into C:\Windows\System32 and delete asgp32.dll.

    Go into C:\Program Files\Common Files and delete the folder {C8559CA6-063E-1033-1029-030211070001}.

    Now rehide your protected files and post a fresh HJT log. If there's still bad stuff, somebody with more experience is gonna have to help out.

    Regards :)

    This thread is for the use of syrinx312 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
     
  5. syrinx312

    syrinx312 TS Rookie Topic Starter

    problem solved

    Pow! I think you nailed it. IE seems to be working fine now. I'm still posting a follow-up hjt log in case there's still something else to worry about.

    Many thanks for your time Kitty. You made my weekend.
     
  6. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Cool. Glad to know I helped. Have HJT fix this entry yet:
    O4 - HKCU\..\Run: [winsock32] winsock32

    I think I forgot to tell you to do that earlier.

    I believe RegSrvc.exe is legitimate, so your system will be clean after doing that.

    If you got any more problems, please post them in this thread.

    Regards :)

    This thread is for the use of syrinx312 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
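As an added illustration (not part of the thread, and not HijackThis's own logic), the Python script below parses the O2/O4 lines kitty500cat asked to be fixed in posts 4 and 6, plus one constructed benign entry, and flags the two traits those entries share: a Run value whose command is a bare name with no path or extension, and a launch folder or value name that is a GUID. BHO (O2) lines are listed for manual verification only, since a DLL's legitimacy cannot be judged from the log line alone. The flagging rules, the benign sample line and the function names are assumptions made for this example.

```python
"""Parse HijackThis-style O2/O4 log lines and flag startup entries that show
the traits seen in this thread. The heuristics are constructed for
illustration and are not HijackThis's own scoring."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the lines quoted in posts 4 and 6, plus one made-up
# benign updater entry so the filter has something it should NOT flag.
SAMPLE_LOG = r"""
O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll
O4 - HKLM\..\Run: [{C8559CA6-063E-1033-1029-030211070001}] "C:\Program Files\Common Files\{C8559CA6-063E-1033-1029-030211070001}\Update.exe" rpcss
O4 - HKLM\..\Run: [winsock32] winsock32
O4 - HKLM\..\RunServices: [winsock32] winsock32
O4 - HKCU\..\Run: [winsock32] winsock32
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example Vendor\updater.exe" /background
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<command>.+)$"
)


@dataclass
class Entry:
    kind: str                      # "O2" (browser helper object) or "O4" (autostart)
    raw: str                       # the original log line
    hive: Optional[str] = None     # O4 only: HKLM or HKCU
    key: Optional[str] = None      # O4 only: Run, RunServices, ...
    value: Optional[str] = None    # O4: registry value name; O2: BHO display name
    command: Optional[str] = None  # O4: command line; O2: DLL path
    clsid: Optional[str] = None    # O2 only


def parse_hjt_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised O2/O4 line, or None for anything else."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return Entry("O2", line, value=m["name"], command=m["path"], clsid=m["clsid"])
    m = O4_RE.match(line)
    if m:
        return Entry("O4", line, hive=m["hive"], key=m["key"],
                     value=m["value"], command=m["command"])
    return None


def parse_hjt_log(text: str) -> List[Entry]:
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]


def executable_of(command: str) -> str:
    """First token of a command line: a quoted path, or the first bare word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def review(entry: Entry) -> List[str]:
    """Constructed heuristics mirroring what stood out in this thread's entries."""
    reasons: List[str] = []
    exe = executable_of(entry.command or "")
    folder = exe.rsplit("\\", 1)[0] if "\\" in exe else ""
    # Trait 1: an autostart command that is a bare name, no path and no extension
    # (e.g. "winsock32"), so nothing tells you which file actually runs.
    if entry.kind == "O4" and "\\" not in exe and "." not in exe:
        reasons.append("bare command name with no path")
    # Trait 2: a GUID used as the value name or as the launch folder name.
    if GUID_RE.search(entry.value or "") or GUID_RE.search(folder):
        reasons.append("GUID-named value or launch folder")
    # BHOs always get a human look: the DLL's publisher must be checked by hand.
    if entry.kind == "O2":
        reasons.append("BHO DLL requires manual verification")
    return reasons


def report(text: str) -> List[Tuple[Entry, List[str]]]:
    """Entries with at least one reason to look closer, in log order."""
    return [(e, r) for e in parse_hjt_log(text) if (r := review(e))]


if __name__ == "__main__":
    for entry, reasons in report(SAMPLE_LOG):
        print(f"{entry.raw}\n    -> {', '.join(reasons)}")
```

Running the script lists the BHO, the GUID-folder Update.exe entry and the three winsock32 values, and leaves the constructed updater line alone; the bare-name check is the one that catches the HKCU entry post 6 adds, which the HKLM-only fix in post 4 missed.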
     
Topic Status:
Not open for further replies.
