01-15-2006, 12:50 PM   #5
rikkker
Registered User
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Hi Tom, you got Kaspersky right. All it does is ID the bad guys for us.

Also, it is important that you run BFU and Ewido again in the order that I have listed, as your computer was badly infected and we want to make sure they get what they missed on the first pass.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

====================Additional Downloads=================


Please download Cleanup! and install it. <<<=Skip this step if you still have it installed. Do NOT run it yet.


* CleanUp! will not create any backups!!

If you have a 64-bit Operating System, do NOT run Cleanup! and let me know, as we will use another utility.

----------------------

Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
When you have finished updating, EXIT Ewido.

If you are having problems with the updater, you can use this link to manually update Ewido

--------------------

Download WinPFInd http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

--------------------

Download Track qoo (TQ.zip) http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

----------------------

Download and unzip BFU.zip from http://www.merijn.org/files/bfu.zip <<<=if you still have it installed skip this step.
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Checkmark the following boxes:
  • Use settings specified in script for the above option
  • Show log after script ends


Execute the script by clicking the Execute button.

When it finishes running, click the Save button for a copy of the log.
Post the log created by the script when you have completed the fix.


If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


----------------------

Download KillBox (it's important that you get version v2.0.0.175) <<<=skip this step if you still have it installed.

Launch KillBox.exe & select the following option:
Delete on Reboot
Select all the filenames listed below, then right-click & select Copy


C:\WINDOWS\system32\cmd.ftp
C:\WINDOWS\system32\crtpes15.dll
C:\WINDOWS\system32\epanuii.dll
C:\WINDOWS\system32\fdcdbjj.exe
C:\WINDOWS\system32\frlwk.dll
C:\WINDOWS\system32\GS_SilentSudokuInstaller.exe
C:\WINDOWS\system32\pbvky.dat
C:\WINDOWS\system32\queecsvc.dll
C:\WINDOWS\system32\skgsdff.dll
C:\WINDOWS\system32\wrkcop.exe
C:\WINDOWS\ghbosuyv.dll
C:\WINDOWS\system32\l4dsds.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr52C8
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xgij.exe
C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\!update-3195[1].0000


* Go to the File menu, and choose Paste from Clipboard
* Click the unregister .dll Before Deleting (if not greyed out)
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.


Quote:
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run KillBox, download and run missingfilesetup.exe. Then try KillBox again.

====================Reboot to Safe Mode=================

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

========================Hjt Fixes======================

Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any)

R3 - URLSearchHook: (no name) - {DB4D32DD-ED6D-22D6-25D2-D3C84203C374} - C:\WINDOWS\ghbosuyv.dll (file missing)
R3 - URLSearchHook: (no name) - {DA55BCA6-7763-089E-1647-2850A65762C2} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {DA55BCDD-7760-72EE-1646-2B50D65062C6} - (no file)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\l4dsds.exe reg_run
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O15 - Trusted Zone: *.elitemediagroup.net


Please remember to close all other windows, including browsers, then click Fix checked.


===================File and Folder Deletions================

Delete the following file and folder if they still exist.

C:\Program Files\apsi (folder)
C:\WINDOWS\System32\l?gonui.exe (file) <<<=if you find 2 logonui.exe in the system32 folder, the legit one is less than 100 KB and the bad one is usually 400+ KB.

=======================Tools==========================

Run Cleanup! using the following configuration:
  1. Click Options...
  2. Set the slider to Standard CleanUp!
  3. Uncheck the following:
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
    • Scan local drives for temporary files
  4. Click OK
  5. Press the CleanUp! button to start the program.
  6. Do NOT Reboot/logoff when prompted.

* CleanUp! will not create any backups!!

==========================================================

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

==========================================================

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan a large number of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

-----------------

==========================================================

Reboot your system in Normal Mode.

==========================================================

Double Click on "Track qoo.vbs"

Note: if your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a Notepad page will pop up. Copy & paste those results and place them in the next post along with the results of WinPFind!

==========================================================

Empty your Norton quarantine folder.

*If you do not know how to do this, please go here.

==========================================================

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of Panda's 8 MB ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Paste the Panda Scan report here together with a new HijackThis log.


==========================================================

In your next post i will need logs from:

1)HijackThis log
2)Bfu log
3)Ewido log
4)WinPFind.txt log
5)Track qoo.vbs log
6)Panda ActiveScan log


==========================================================

I resubscribed to the thread again.

Last edited by rikkker; 01-15-2006 at 12:52 PM.
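The post above has the user tick specific HijackThis entries by hand: R3 URLSearchHooks whose DLL is gone, O4 Run-key autostarts that launch the dropped executables, and an O15 Trusted Zone entry for a known adware domain, plus a size rule for telling the real logonui.exe from the dropped one. The following script is an added example, not code from the post or from HijackThis, that applies those same rules to a HijackThis log automatically. The indicator paths, domain and the 100 KB / 400 KB thresholds are taken from the post; the sample log is constructed here (the post's entries plus a few benign lines as noise), and the file-listing passed to `logonui_suspects` is assumed to come from a directory listing of system32.

```python
"""Triage a HijackThis log against the indicators named in the post above."""
import re

# Indicators copied from the post (lower-cased for case-insensitive matching).
BAD_FILES = {
    r"c:\windows\system32\l4dsds.exe",
    r"c:\program files\common files\windows\mc-110-12-0000122.exe",
    r"c:\windows\ghbosuyv.dll",
}
BAD_ZONES = {"elitemediagroup.net"}

# Constructed sample log: the post's entries plus benign lines as noise.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R3 - URLSearchHook: (no name) - {DB4D32DD-ED6D-22D6-25D2-D3C84203C374} - C:\WINDOWS\ghbosuyv.dll (file missing)
R3 - URLSearchHook: (no name) - {DA55BCA6-7763-089E-1647-2850A65762C2} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\l4dsds.exe reg_run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.windowsupdate.com
"""

# First drive-letter path ending in an executable extension; tolerates quoting,
# unquoted paths with spaces, and trailing arguments such as "reg_run".
_EXE_RE = re.compile(r'"?([a-z]:\\.*?\.(?:exe|dll|com|scr|bat|cmd))"?', re.IGNORECASE)


def _image_path(command: str) -> str:
    """Pull the launched image out of an O4 command string, lower-cased."""
    m = _EXE_RE.search(command)
    return m.group(1).lower() if m else ""


def triage(log: str) -> list[str]:
    """Return the log lines that should be ticked in HijackThis."""
    hits = []
    for line in log.splitlines():
        line = line.strip()
        if not line or " - " not in line:
            continue
        code, rest = line.split(" - ", 1)
        if code == "R3":
            # URLSearchHook whose DLL is gone, or which points at a known-bad DLL.
            dead = "(no file)" in rest or "(file missing)" in rest
            if dead or any(p in rest.lower() for p in BAD_FILES):
                hits.append(line)
        elif code == "O4":
            # Run-key autostart: match on the launched image, not the label,
            # since the label ("winsync", "services32") is attacker-chosen.
            _, _, command = rest.partition("] ")
            if _image_path(command) in BAD_FILES:
                hits.append(line)
        elif code == "O15":
            # Trusted Zone entries exempt a domain from IE's security checks.
            domain = rest.removeprefix("Trusted Zone: ").lstrip("*.").lower()
            if domain in BAD_ZONES:
                hits.append(line)
    return hits


# The post's l?gonui.exe glob as a regex: any single character after the "l".
_LOGONUI_RE = re.compile(r"^l.gonui\.exe$", re.IGNORECASE)


def logonui_suspects(system32_listing: list[tuple[str, int]]) -> list[tuple[str, int]]:
    """Apply the post's rule to (name, size_in_bytes) entries from system32:
    the genuine logonui.exe is under 100 KB; a look-alike name or a 400 KB+
    file is the dropped one."""
    suspects = []
    for name, size in system32_listing:
        if not _LOGONUI_RE.match(name):
            continue
        lookalike = name.lower() != "logonui.exe"
        if lookalike or size >= 400 * 1024:
            suspects.append((name, size))
    return suspects


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("FIX:", hit)
    for name, size in logonui_suspects([("logonui.exe", 61440), ("l0gonui.exe", 460800)]):
        print("SUSPECT:", name, size)
```

The benign O4 (ccApp), O2 and R1 lines are left alone because the match is on the resolved image path or the dead-file marker, not on keywords; the same script can be reused on the fresh HijackThis log the post asks for to confirm the entries are gone.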