IE redirection - spyware knight/spysoldier

Hi all and many thanks for this forum...

I was recently attacked by a variety of spyware/malware. I think I've managed to clean it all up, except for one last annoying thing. I've seen other posts about this issue.

Internet explorer redirects me to a page saying I'm infected with Trojan.Dloader/LX and then tries to sell me spyware knight or spy soldier. I've followed all the instructions in the "Preliminary removal instructions" thread to no avail.

Symantec Antivirus, SS&D, AdAware, AVG, and the 4 other tools (Look2me, Vundofix, etc) all say I'm clean but the redirect is still happening.

I've attached my HJT log and AVG log. I have some older logs showing some of the malware removed in my earlier attempts if they will help.

I noticed the AVG log doesn't look like a normal text file. Is this normal or did I do something wrong?

Any help would be greatly appreciated.

Tim
 
Hello and welcome to TechSpot.

It seems like you have a smitfraud infection.

Download and run SmitfraudFix from here. Then post the log file. After running SmitfraudFix, post a fresh AVG and HJT log.

Regards :)

This thread is for the use of neowing only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
 
Hi Kitty,

Thanks for the fast response. I had run smitfraudfix earlier but I booted into safe mode and ran it and AVG again. Afterwards, I rebooted into normal mode and reran HJT. All logs are attached.

I noticed that smitfraud told me it was removing the same file (windows/system32/oiso.bin) both times I ran it. I checked and the file still exists, but it is a 0 byte file.

Tim
 
Hmm. I'm not sure about the running process regsrvc.exe, but we'll leave that alone for now.

First of all, delete C:\Windows\System32\oiso.bin.

Now, have HJT fix these entries:

O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll
O4 - HKLM\..\Run: [{C8559CA6-063E-1033-1029-030211070001}] "C:\Program Files\Common Files\{C8559CA6-063E-1033-1029-030211070001}\Update.exe" rpcss
O4 - HKLM\..\Run: [winsock32] winsock32
O4 - HKLM\..\RunServices: [winsock32] winsock32

Now set Windows Explorer to show all files and folders, including hidden and system (see how here).

Go into C:\Windows\System32 and delete asgp32.dll.

Go into C:\Program Files\Common Files and delete the folder {C8559CA6-063E-1033-1029-030211070001}.

Now rehide your protected files and post a fresh HJT log. If there's still bad stuff, somebody with more experience is gonna have to help out.

Regards :)

This thread is for the use of syrinx312 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
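As an added example (not code from this thread, from TechSpot, or from HijackThis), here is a small Python triage script that parses the O2 (BHO) and O4 (autorun) lines of an HJT log and flags the patterns seen in the entries the helper had fixed above: a bare program name with no path or extension, a RunServices autorun, and an executable living under a GUID-named folder. The sample log is constructed from the entries quoted in this thread plus one hypothetical benign entry for contrast.

```python
import re

# Constructed sample: the HJT lines quoted in this thread plus one hypothetical benign entry.
SAMPLE_LOG = r"""O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll
O4 - HKLM\..\Run: [{C8559CA6-063E-1033-1029-030211070001}] "C:\Program Files\Common Files\{C8559CA6-063E-1033-1029-030211070001}\Update.exe" rpcss
O4 - HKLM\..\Run: [winsock32] winsock32
O4 - HKLM\..\RunServices: [winsock32] winsock32
O4 - HKCU\..\Run: [winsock32] winsock32
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /background
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
GUID_DIR_RE = re.compile(GUID + r"\\")

def parse_line(line):
    """Parse one O2 (BHO) or O4 (autorun) log line into a dict, or None."""
    for kind, rx in (("O2", O2_RE), ("O4", O4_RE)):
        m = rx.match(line)
        if m:
            return {"type": kind, **m.groupdict()}
    return None

def suspicious_reasons(entry):
    """Heuristics matching the O4 entries the helper had HJT fix in this thread."""
    reasons = []
    if entry["type"] != "O4":
        return reasons  # BHOs need a CLSID/vendor lookup, not a regex check
    cmd = entry["cmd"]
    # A bare name like "winsock32" is resolved via the PATH search order, so a
    # dropped file can hide behind a system-sounding name with no visible path.
    if not re.search(r"[\\/]", cmd) and not re.search(r"\.[A-Za-z0-9]{2,4}(?:\s|$)", cmd):
        reasons.append("bare program name, no path or extension")
    if entry["key"] == "RunServices":
        reasons.append("RunServices key (Win9x-era autorun, rarely used legitimately)")
    if GUID_DIR_RE.search(cmd):
        reasons.append("executable inside a GUID-named folder")
    return reasons

def triage(log_text):
    """Return (parsed O2/O4 entries, findings) for an HJT log."""
    entries, findings = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line.strip())
        if entry:
            entry["line"] = n
            entries.append(entry)
            reasons = suspicious_reasons(entry)
            if reasons:
                findings.append({"line": n, "name": entry["name"], "reasons": reasons})
    return entries, findings
```

Run `triage(SAMPLE_LOG)` and inspect the second element; each finding carries the log line number, the autorun name and the reasons it was flagged, which is a useful starting point before asking HJT to fix anything.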
 
problem solved

Pow! I think you nailed it. IE seems to be working fine now. I'm still posting a follow-up HJT log in case there's still something else to worry about.

Many thanks for your time Kitty. You made my weekend.
 
Cool. Glad to know I helped. Have HJT fix this entry yet:
O4 - HKCU\..\Run: [winsock32] winsock32

I think I forgot to tell you to do that earlier.

I believe RegSrvc.exe is legitimate, so your system will be clean after doing that.

If you have any more problems, please post them in this thread.

Regards :)

This thread is for the use of syrinx312 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.
 