Results 1 to 8 of 8

Thread: smitfraud-c.toolbar888

  1. #1
    Junior Member
    Join Date
    Mar 2007
    Location
    Nashville, TN
    Posts
    10

    Default smitfraud-c.toolbar888

    This PC had lots of bad stuff on it. I think I have cleaned up everything except smitfraud-c.toolbar888 which keeps coming back. This is the first time I have posted and the first time I have had to ask for help but I am stumped. Attached is hijackthis log. I ran smitfraudfix using instructions from your website but it did not fix the problem and the log for it is huge because I use the mvps.org custom hosts file and it listed every line of it.

    Thanks,
    madmike


    Hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:29:32 AM, on 3/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0CAD80BE-41C6-42EF-8DC9-DB4B8C602913} - C:\WINDOWS\Registration\vddca.dll (file missing)
    O2 - BHO: (no name) - {26E8DA9B-2170-4B60-99AF-8B86F14AEE6d} - C:\WINDOWS\system32\watriktn.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - {7970FC93-4007-4FE6-A541-BB475838A7C0} - C:\WINDOWS\system32\ijmhlbfw.dll (file missing)
    O2 - BHO: (no name) - {B11991F4-5D6E-47B2-B19B-F0BEDF2C42Fa} - C:\WINDOWS\system32\ijmhlbfw.dll (file missing)
    O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\kdenihlm.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\ldgkkrub.dll",setvm
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://www.charter.msn.com/diskless/bin/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120234461468
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37240.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: vddca - C:\WINDOWS\Registration\vddca.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to the forum, is your version of Spybot completely up to date? The reason I am asking is this:
    http://forums.spybot.info/showthread.php?t=8668 This false positive is supposed to be fix, if you are up to date you can ignore it. You do have junk that need to go and it looks like it is mostly dead stuff, let's remove it and see how it goes.

    Looks to me like you had a Vundo infection, if I need to see the Smitfraudfix log later, you can edit out the host lines before posting it, we will see.


    1) First do this: Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.

    2) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    3) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    4) We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    Open Windows Defender, Click on Tools, General Settings.
    Scroll down and uncheck Turn on real-time protection (recommended).
    After you uncheck this, click on the Save button and close Windows Defender.
    After all of the fixes are complete it is very important that you enable Real-time Protection again.

    5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: (no name) - {0CAD80BE-41C6-42EF-8DC9-DB4B8C602913} - C:\WINDOWS\Registration\vddca.dll (file missing)
    O2 - BHO: (no name) - {26E8DA9B-2170-4B60-99AF-8B86F14AEE6d} - C:\WINDOWS\system32\watriktn.dll (file missing)
    O2 - BHO: (no name) - {7970FC93-4007-4FE6-A541-BB475838A7C0} - C:\WINDOWS\system32\ijmhlbfw.dll (file missing)
    O2 - BHO: (no name) - {B11991F4-5D6E-47B2-B19B-F0BEDF2C42Fa} - C:\WINDOWS\system32\ijmhlbfw.dll (file missing)
    O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\kdenihlm.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\ldgkkrub.dll",setvm
    O20 - Winlogon Notify: vddca - C:\WINDOWS\Registration\vddca.dll (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    6) RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\WINDOWS\system32\ldgkkrub.dll <<< delete that file if there

    7) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart the computer and post the uninstall list, a new HJT log and any comments you think will help.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Mar 2007
    Location
    Nashville, TN
    Posts
    10

    Default steps taken

    pskelley,

    First off thanks for helping me, I am not a novice but I am no expert either and I am stumped.

    Notes from your instructions:

    I am running Spybot 1.4 with latest detection updates of 2007-03-07, it shows it is current. It is giving the smitfraud-c.toolbar889 finding on HKEY_LOCAL_MACHINE\SOFTWARE\Araf15.

    The only symptoms I am currently seeing is long monitor blinks but I told a friend of mine it was like this machine had a beacon that was attracting spypware and adware, I've been cleaning it up for days. This was my son's machine and it was protected by F-secure which his ISP provided. F-secure said it was clean but it wasn't running right and when I put on Avast it had lots of problems. I read good reviews on F-secure but I would not recommend it.

    In step 4 I couldn't shut down Windows Defender from my id even though it has administator privilidge, I had to reboot to safe mode as administrator to turn it off.

    In step 6 I did have ldgkkrub.dll but it was in use or protected and I couldn't delete it, I went back to safe mode administrator id and deleted it.

    Here are the logs you requested:

    Uninstall List:

    Ad-Aware SE Personal
    Adobe Reader 7.0
    avast! Antivirus
    Belarc Advisor 7.2
    Broadcom Management Programs
    Conexant D850 56K V.9x DFVc Modem
    Conexant SmartHSFi V.9x 56K DF PCI Modem
    Dell Digital Jukebox Driver
    Dell Media Experience
    Dell Solution Center
    Digital Line Detect
    Event Planner
    Hallmark Card Studio 2004
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    Hijackthis 1.99.1
    HijackThis 1.99.1
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    HP Memories Disc
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp psc 1200 series
    hp psc 1200 series
    Intel(R) Extreme Graphics Driver
    Internet Explorer Default Page
    J2SE Runtime Environment 5.0 Update 11
    Jasc Paint Shop Photo Album
    Jasc Paint Shop Pro 8 Dell Edition
    Learn2 Player (Uninstall Only)
    MailFrontier Desktop
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 3.0
    Microsoft .NET Framework 3.0
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Baseline Security Analyzer 2.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Encarta Encyclopedia Standard 2004
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2004
    Microsoft Money 2004 System Pack
    Microsoft National Language Support Downlevel APIs
    Microsoft Picture It! Photo Premium 9
    Microsoft Streets and Trips 2004
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Windows Journal Viewer
    Microsoft Word 2002
    Microsoft Works
    Microsoft Works 2004 Setup Launcher
    Microsoft Works Suite Add-in for Microsoft Word
    Modem Helper
    MSXML 4.0 SP2 (KB927978)
    MSXML 6.0 Parser (KB927977)
    MUSICMATCH® Jukebox
    NetWaiting
    QuickTime
    Railroad Tycoon II
    RealOne Player
    Security Update for Microsoft .NET Framework 2.0 (KB917283)
    Security Update for Microsoft .NET Framework 2.0 (KB922770)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Shockwave
    Sonic DLA
    Sonic RecordNow!
    Sonic Update Manager
    Sound Blaster Live!
    Spybot - Search & Destroy 1.4
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB900930)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920342)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB925876)
    Update for Windows XP (KB931836)
    URGE
    Windows Backup Utility
    Windows Communication Foundation
    Windows Defender
    Windows Genuine Advantage v1.3.0254.0
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Workflow Foundation
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB887797
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Service Pack 2
    ZoneAlarm

    HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:43:33 AM, on 3/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://www.charter.msn.com/diskless/bin/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120234461468
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37240.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning the information and the feedback, I am sure you saw what the folks at the Spybot forum had to say about that toolbar, we will do what we can then it might require a registry edit to remove it?

    First, let me say the HJT log appears clean of malware, that item you removed was no doubt a trojan:
    http://www.google.com/search?hl=en&q...=Google+Search The hackers change the names so often even google can't keep up.

    Uninstall List: I am looking for security issues and malware products, it's a great chance for you to look for programs no longer needed.

    Hijackthis 1.99.1
    HijackThis 1.99.1 <<< may be a glitch but if it is installed twice, delete one copy.

    J2SE Runtime Environment 5.0 Update 11
    I may be wrong, but would you open the Java Console in the Control Panel, click the update tab and check for an update.

    All in all this looks very good. I was hoping to spot something. I will say this. I also use Windows Media Player and I see you are running several other media players, if you do not use them you may want to consider uninstalling them, save some resources and free up some space.

    Now that we have removed that trojan, and a bunch of other junk, I am wondering if the computer has improved in it's performance? If we still have the same issues, then I need to start with a look at a report from Smitfraudfix. It is important that you use the newest version, delete all verions onboard and download it fresh from here:
    http://siri.geekstogo.com/SmitfraudFix.php follow only these instructions:
    Search:
    Double-click SmitfraudFix.exe
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

    If I am correct, running Search will change nothing, but if we need to run Clean, it will clean the hosts file. In the event we do need to move to that, you will want to make a record of the hosts file you have set so you can return to it when we are finished. For the C:\report.txt you may edit out all hosts files items, please place a line telling me you have done this.

    Let's see what this tells us, if it does not help and problems persist we will have to start looking for other hidden malware, perhaps even a hidden rootkit infection?

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member
    Join Date
    Mar 2007
    Location
    Nashville, TN
    Posts
    10

    Default

    pskelley,

    I think I am clean. I ran spybot, deleted the problem, rebooted and ran spybot again and it did not show up. PC seem to be running good.

    You were right, I had Hijackthis installed twice and I fixed it.

    J2SE Runtime Environment 5.0 Update 11 is current, I check it. It was one of the items I had found and updated earlier.

    I'll review the media players and clean them up.

    I have a question. On my old Windows ME system I run Avast, Spybot, Adaware, Zonealarm and a custom hosts file and have no problems.

    On this XP system I have Avast, Spybot, Adaware, Zonealarm, a custom hosts file and Windows Defenfer (which is currently deactivated) and I saw a recommendation that I should add Spyware Blaster. Have I got the right things ? Too much or too little ? Do I need to add Spyware Blaster ? Should I ture Windows Defender back on ? Appreciate some guidance.

    I think I am fixed. Could not have gotten here without you. Thank you very much.

    madmike

    rapport.txt log:

    SmitFraudFix v2.148

    Scan done at 15:41:35.32, Tue 03/13/2007
    Run from C:\Documents and Settings\Dee Ayers\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dee Ayers


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dee Ayers\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DEEAYE~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    OK Madmike, that sounds good. First, Smitfraudfix scan is clean. I am going to post links from experts, once you have reviewed them, if you still have questions post them and I will try to answer them. Just a little feedback, I have run SpywareBlaster/SpywareGuard and IE-Spyad on all of my computers for years. I also run Spybot S&D and Ad-aware (probably one to many there, since they do about the same thing but since they do not run, they only use disk space of which I have plenty) We know to run one good antivirus program and one firewall, but the jury is still out on how many realtime spyware programs are too many. Windows Defender is new and free and if I was having malware issues, I might add it, but the programs I run block the junk from getting on and Spybot/Adware remove adware if it sneaks in and I have few other problems. See what the experts say, you are going to hears "layered" and that is a key.
    I don't believe you will want to make a change as long as Windows Defender does the job. Let's clean those System Restore files,
    System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    Here is a good one: http://users.telenet.be/bluepatchy/m...wcomputer.html
    Review that information and let me hear how things are going in 48 hours, post any questions you have then, and I'll close the topic at that point.

    Thanks...Phil
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    Junior Member
    Join Date
    Mar 2007
    Location
    Nashville, TN
    Posts
    10

    Default looking good

    pskelley,

    everything on this machine is looking good. I think you should carve another notch on your monitor (or do whatever it is you do when you score another success) and go ahead and close this incident.

    I sincerely thank you for your help Phil.

    Mike Ayers

  8. #8
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    As the problem appears to be resolved this topic has been closed.

    If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

    Anyone else with similar problems please start a new topic.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •