IE redirection - spyware knight/spysoldier

By syrinx312
Feb 3, 2007
Topic Status:
Not open for further replies.
  1. Hi all and many thanks for this forum...

    I was recently attacked by a variety of spyware/malware. I think I've managed to clean it all up, except for one last annoying thing. I've seen other posts about this issue.

    Internet Explorer redirects me to a page saying I'm infected with Trojan.Dloader/LX and then tries to sell me Spyware Knight or Spy Soldier. I've followed all the instructions in the "Preliminary removal instructions" thread to no avail.

    Symantec Antivirus, SS&D, AdAware, AVG, and the 4 other tools (Look2me, Vundofix, etc) all say I'm clean but the redirect is still happening.

    I've attached my HJT log and AVG log. I have some older logs showing some of the malware removed in my earlier attempts if they will help.

    I noticed the AVG log doesn't look like a normal text file. Is this normal or did I do something wrong?

    Any help would be greatly appreciated.

    Tim
  2. kitty500cat

    kitty500cat Newcomer, in training Posts: 2,407   +6

    Hello and welcome to TechSpot.

    It seems like you have a smitfraud infection.

    Download and run SmitfraudFix from here. Then post the log file. After running SmitfraudFix, post a fresh AVG and HJT log.

    Regards :)

    This thread is for the use of neowing only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
  3. syrinx312

    syrinx312 Newcomer, in training Topic Starter

    Hi Kitty,

    Thanks for the fast response. I had run smitfraudfix earlier but I booted into safe mode and ran it and AVG again. Afterwards, I rebooted into normal mode and reran HJT. All logs are attached.

    I noticed that smitfraud told me it was removing the same file (windows/system32/oiso.bin) both times I ran it. I checked and the file still exists, but it is a 0 byte file.

    Tim
  4. kitty500cat

    kitty500cat Newcomer, in training Posts: 2,407   +6

    Hmm. I'm not sure about the running process regsrvc.exe, but we'll leave that alone for now.

    First of all, delete C:\Windows\System32\oiso.bin.

    Now, have HJT fix these entries:

    O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll
    O4 - HKLM\..\Run: [{C8559CA6-063E-1033-1029-030211070001}] "C:\Program Files\Common Files\{C8559CA6-063E-1033-1029-030211070001}\Update.exe" rpcss
    O4 - HKLM\..\Run: [winsock32] winsock32
    O4 - HKLM\..\RunServices: [winsock32] winsock32

    Now set Windows Explorer to show all files and folders, including hidden and system (see how here).

    Go into C:\Windows\System32 and delete asgp32.dll.

    Go into C:\Program Files\Common Files and delete the folder {C8559CA6-063E-1033-1029-030211070001}.

    Now rehide your protected files and post a fresh HJT log. If there's still bad stuff, somebody with more experience is gonna have to help out.

    Regards :)

    This thread is for the use of syrinx312 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
  5. syrinx312

    syrinx312 Newcomer, in training Topic Starter

    problem solved

    Pow! I think you nailed it. IE seems to be working fine now. I'm still posting a follow-up hjt log in case there's still something else to worry about.

    Many thanks for your time Kitty. You made my weekend.
  6. kitty500cat

    kitty500cat Newcomer, in training Posts: 2,407   +6

    Cool. Glad to know I helped. Have HJT fix this entry yet:
    O4 - HKCU\..\Run: [winsock32] winsock32

    I think I forgot to tell you to do that earlier.

    I believe RegSrvc.exe is legitimate, so your system will be clean after doing that.

    If you have any more problems, please post them in this thread.

    Regards :)

    This thread is for the use of syrinx312 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
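To turn the HijackThis O2/O4 entries quoted in this thread into a checklist of registry values and files to verify, here is an added Python example; it is not code from the thread or from HijackThis. The registry paths it emits are the standard locations the O2 (Browser Helper Objects) and O4 (Run/RunServices) sections denote, and the sample lines are the ones posted above, embedded as constructed input.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the HJT entries kitty500cat asked to have fixed.
HJT_LINES = [
    r"O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll",
    r'O4 - HKLM\..\Run: [{C8559CA6-063E-1033-1029-030211070001}] "C:\Program Files\Common Files\{C8559CA6-063E-1033-1029-030211070001}\Update.exe" rpcss',
    r"O4 - HKLM\..\Run: [winsock32] winsock32",
    r"O4 - HKLM\..\RunServices: [winsock32] winsock32",
    r"O4 - HKCU\..\Run: [winsock32] winsock32",
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<value>[^\]]*)\] (?P<command>.+)$")

@dataclass
class Entry:
    section: str       # "O2" or "O4"
    registry_key: str  # full key holding the BHO registration or autostart value
    value_name: str    # BHO name or Run value name
    target: str        # DLL/EXE path, or a bare command token if no path is given
    resolved: bool     # True only when target is an absolute drive path

def _first_token(command):
    # A quoted command keeps its full path; otherwise take the first token.
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command
    return command.split()[0]

def parse_hjt(line):
    m = O2_RE.match(line)
    if m:
        key = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s" % m["clsid"]
        return Entry("O2", key, m["name"], m["path"], True)
    m = O4_RE.match(line)
    if m:
        key = r"%s\Software\Microsoft\Windows\CurrentVersion\%s" % (m["hive"], m["key"])
        target = _first_token(m["command"])
        return Entry("O4", key, m["value"], target, re.match(r"^[A-Za-z]:\\", target) is not None)
    return None  # other HJT sections are out of scope here

def cleanup_checklist(lines):
    # Bare names like "winsock32" are not paths: the file must be located
    # (usually under System32 or on the PATH) before it can be removed.
    entries = [e for e in (parse_hjt(l) for l in lines) if e]
    return {
        "registry": sorted({"%s -> %s" % (e.registry_key, e.value_name) for e in entries}),
        "files": sorted({e.target for e in entries if e.resolved}),
        "unresolved": sorted({e.target for e in entries if not e.resolved}),
    }
```

Running cleanup_checklist(HJT_LINES) lists five registry values, the two absolute file paths (asgp32.dll and Update.exe), and flags winsock32 as a bare command whose file still has to be found.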