smitfraud-c.toolbar888



MotiDeli
2007-02-10, 18:59
Smitfraud-C and Smitfraud-C.Toolbar888 have been found by Spybot S&D and fixed, BUT they constantly come back. Sometimes porn sites automatically load in my browser (FF2.01), and occasionally my avast AV warns me about a site containing a virus (when I'm not even browsing the net).

I hope you can help me...

here is my hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 7:53:54 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\TEMP\winD.tmp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\win10.tmp.exe
C:\Documents and Settings\Moty\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7510289C-BAD2-8109-8724-08E4C2920395} - C:\WINDOWS\system32\lpjbmbh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win10.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvrad.dll,startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\FILES\PFILES\MSOFFICE\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Moty\Application Data\Mozilla\Firefox\Profiles\3qviavkr.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Moty\Application Data\Mozilla\Firefox\Profiles\3qviavkr.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABC40344-B178-47DE-BDFF-CAAD3038C998}: NameServer = 192.115.106.35 62.219.186.7
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

MotiDeli
2007-02-10, 19:09
While I was writing the above post I simultaneously ran a Spybot scan; when I finished writing I found not only smitfraud-c and smitfraud-c.toolbar888 but also
Win32.Agent.azk

pskelley
2007-02-12, 13:39
Welcome to the forum. If you still need help and are not receiving it elsewhere, let's start like this.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\wineil32.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

4) Start > Control Panel > Add Remove Programs and uninstall Adware.MyToolbar, MaxiFiles, MaxSearch, Toolbar888 or any other program you know does not belong there.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {7510289C-BAD2-8109-8724-08E4C2920395} - C:\WINDOWS\system32\lpjbmbh.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win10.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvrad.dll,startup
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT-click on Start, then click on Explore. Locate and delete these items:

(please delete the entire contents of the TEMP folder named below... NOT THE FOLDER itself)

C:\WINDOWS\TEMP\winD.tmp.exe

C:\WINDOWS\TEMP\win10.tmp.exe

C:\WINDOWS\system32\drvrad.dll <<< delete that file

C:\WINDOWS\SYSTEM32\wineil32.dll <<< delete that file

7) Follow the instructions in this link to run AVG Anti-Spyware; make sure you delete or at least quarantine anything located and save the scan report, I must see it.
http://forums.security-central.us/showthread.php?t=3165

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the AVG Anti-Spyware scan results, a new HJT log and any comments you think will help. Tell me how the computer is running now, use Post Reply, stay in this topic.

Thanks
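The steps above amount to pulling the non-standard autostart entries out of the HijackThis log by hand. As an added example (not part of this thread, not HijackThis code, and not pskelley's method), here is a small Python triage script that applies those same rules to the log text: anything running or autostarting from a temp directory, a BHO with no name, an unknown Winlogon Notify package, and a rundll32 Run entry whose value name has nothing to do with the DLL it loads. The sample log is a constructed subset of the first log posted above; the Winlogon Notify allowlist and the severity labels are assumptions of this example, not a vendor list, and the rundll32 name-mismatch rule is a weak heuristic that will also flag some legitimate vendor entries, so those are marked "verify" rather than "high".

```python
"""Triage a HijackThis v1.99 log for the persistence entries a manual cleanup targets.

Added example, not part of the original thread and not HijackThis code. The rules
and the Winlogon Notify allowlist below are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the first log posted in the thread, with a few
# benign Adobe/NVIDIA/Promise entries kept so the rules have something to leave alone.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\winD.tmp.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\TEMP\win10.tmp.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7510289C-BAD2-8109-8724-08E4C2920395} - C:\WINDOWS\system32\lpjbmbh.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win10.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvrad.dll,startup
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABC40344-B178-47DE-BDFF-CAAD3038C998}: NameServer = 192.115.106.35 62.219.186.7
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    severity: str           # "high": remove; "verify": look the file up first; "info": confirm out of band
    line: str
    reason: str
    path: str | None = None


ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|scr|cpl)\b", re.IGNORECASE)
RUNDLL_RE = re.compile(r"\[([^\]]+)\]\s+rundll32(?:\.exe)?\s+(.*)", re.IGNORECASE)
DLL_STEM_RE = re.compile(r"([\w~-]+)\.dll", re.IGNORECASE)

# Nothing legitimate autostarts from a temp directory.
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\temp\\")

# Assumed allowlist: Winlogon Notify packages on a stock XP SP2 box or from common
# vendors. Any other DLL here is loaded into winlogon.exe at every logon.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "igfxcui", "atiextevent", "wgalogon",
}


def first_path(text: str) -> str | None:
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def in_temp(path: str) -> bool:
    return any(d in path.lower() for d in TEMP_DIRS)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            if in_temp(line):
                findings.append(Finding("high", line, "process running from a temp directory", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group(1).upper(), m.group(2)
        path = first_path(body)
        if kind == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding("high", line, "browser helper object with no name", path))
        elif kind == "O4":
            if path and in_temp(path):
                findings.append(Finding("high", line, "Run entry launches a file from a temp directory", path))
            r = RUNDLL_RE.search(body)
            if r:
                # Heuristic: legitimate vendors name the Run value after the DLL (NvCplDaemon -> NvCpl.dll).
                stem = DLL_STEM_RE.search(r.group(2))
                value, dll = r.group(1).lower(), (stem.group(1).lower() if stem else "")
                if dll and dll not in value and value not in dll:
                    findings.append(Finding("verify", line,
                                            f"rundll32 loads {dll}.dll under unrelated value name [{r.group(1)}]", path))
        elif kind == "O20":
            w = re.match(r"Winlogon Notify:\s*(\S+)", body)
            if w and w.group(1).lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding("high", line, "unknown Winlogon Notify package (loads into winlogon.exe)", path))
        elif kind == "O17":
            n = re.search(r"NameServer\s*=\s*(.*)", body)
            if n:
                findings.append(Finding("info", line,
                                        f"DNS servers {n.group(1).strip()}: confirm they belong to your ISP", None))
    return findings


def paths_to_remove(findings: list[Finding]) -> list[str]:
    """Unique, lower-cased file paths behind the high-severity findings: the delete list."""
    return sorted({f.path.lower() for f in findings if f.severity == "high" and f.path})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:6} {f.reason}\n       {f.line}")
    print("delete:", *paths_to_remove(results), sep="\n  ")
```

Run on the sample, the high-severity paths it returns are exactly the four files the instructions above tell the user to delete (the two TEMP executables, the unnamed BHO DLL and the Winlogon Notify DLL); drvrad.dll comes back as "verify", which is the honest answer for a rundll32 payload whose only tell is an odd name. The O17 name servers are reported as information only, because nothing in the log says whether they belong to the ISP, which is why they are checked out of band rather than removed.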

MotiDeli
2007-02-12, 18:56
Hi there, thanks a lot for your help!
I must add that I've been trying to remove the threats myself; I searched the forum here and used other people's topics, but eventually it didn't work.

I followed all your instructions and these are the comments I've gathered:
Uninstall: nothing new / suspicious was there.
TEMP: I erased everything BUT one file that was in use (maybe it was used by Avast?)

AVG found and removed threats but didn't find any Smitfraud Toolbar888,
while Spybot found it (while I was writing these lines) once again, after all we've been doing...



here are the logs:

AVG log:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:41:06 PM 2/12/2007

+ Scan result:



C:\WINDOWS\Downloaded Program Files\launcher.ocx -> Adware.I2ISolutions : No action taken.
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{7E260A3E-A5FF-468A-BA85-ADD87152D787}\{B13174D1-6B8D-4F6A-ACE4-9F6824CC6B87}.exe/{B13174D1-6B8D-4F6A-ACE4-9F6824CC6B87}.exe -> Downloader.Tiny.fk : No action taken.
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{7E260A3E-A5FF-468A-BA85-ADD87152D787}\{C68C0BE0-4840-41A3-96FD-05A2D57CC0B8}.exe/{C68C0BE0-4840-41A3-96FD-05A2D57CC0B8}.exe -> Downloader.Tiny.fk : No action taken.
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{7E260A3E-A5FF-468A-BA85-ADD87152D787}\{EEE32A8C-65E3-4F96-B09B-7F76CBA313D7}.exe/{EEE32A8C-65E3-4F96-B09B-7F76CBA313D7}.exe -> Downloader.Tiny.fk : No action taken.
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{C16360F8-A8E2-4316-A94C-37873B3EB628}\{B4800D0F-6AEC-41B1-B36B-3A727B5E2992}.exe/{B4800D0F-6AEC-41B1-B36B-3A727B5E2992}.exe -> Downloader.Tiny.fk : No action taken.
C:\WINDOWS\system32\v6.exe -> Downloader.Tiny.fk : No action taken.
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{7E260A3E-A5FF-468A-BA85-ADD87152D787}\{12D4859F-AEF8-42C6-BD55-39ECDA6E3E5F}.tmp/{12D4859F-AEF8-42C6-BD55-39ECDA6E3E5F}.tmp -> Trojan.Agent.qt : No action taken.
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{C16360F8-A8E2-4316-A94C-37873B3EB628}\{49331C0D-A352-49BC-BB00-17D070418C87}.tmp/{49331C0D-A352-49BC-BB00-17D070418C87}.tmp -> Trojan.Agent.qt : No action taken.
C:\WINDOWS\system32\drvkaf.dll -> Trojan.Agent.qt : No action taken.
C:\WINDOWS\system32\drvkal.dll -> Trojan.Agent.qt : No action taken.
C:\WINDOWS\system32\drvmin.dll -> Trojan.Agent.qt : No action taken.
C:\WINDOWS\system32\drvpok.dll -> Trojan.Agent.qt : No action taken.
C:\WINDOWS\system32\drvvoh.dll -> Trojan.Agent.qt : No action taken.
C:\WINDOWS\system32\drvwos.dll -> Trojan.Agent.qt : No action taken.


::Report end



HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:47:19 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Moty\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\FILES\PFILES\MSOFFICE\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Moty\Application Data\Mozilla\Firefox\Profiles\3qviavkr.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Moty\Application Data\Mozilla\Firefox\Profiles\3qviavkr.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABC40344-B178-47DE-BDFF-CAAD3038C998}: NameServer = 192.115.106.35 62.219.186.7
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

MotiDeli
2007-02-12, 18:59
I've just seen the log I posted and the message that no action was taken by AVG... this is weird, I thought I deleted the files...
running AVG again...

pskelley
2007-02-12, 19:03
Thanks. As you can see, AVG identified a lot of nasty junk; make sure you restart the computer so the changes can take effect before you create and post the HJT log.

MotiDeli
2007-02-12, 19:42
Well, something weird is going on here indeed!
First thing: after that, SB found Smitfraud Toolbar888 and fixed it,
as it did before... only this time a second check gave no results (everything was clean).
Same for the second AVG scan: nothing was found (despite the last scan log saying that no action was taken; I did restart the computer after all the scans).

And another important thing... before we started to fix things up there was a notification on my MSN that a user was trying to add me to his list. The user was Removed. At first I thought that maybe it was someone from this forum who wanted to help me, so I allowed him to add me. Then I looked for this person on my list (the "add to list" was already grey, which means that user is already on the list).
I didn't find this guy on my list, so I thought that maybe it's a scam? hijack? etc...?

What do you think?

OK, so let's sum it up: the bad news is that after all we've done SB found the problem again;
the good news is it didn't come back after it was repaired...

pskelley
2007-02-12, 20:44
And another important thing... before we started to fix things up there was a notification on my MSN that a user was trying to add me to his list. The user was Removed. At first I thought that maybe it was someone from this forum who wanted to help me, so I allowed him to add me. Then I looked for this person on my list (the "add to list" was already grey, which means that user is already on the list). I didn't find this guy on my list, so I thought that maybe it's a scam? hijack? etc...?
I have no idea what that is about and would take it up with MSN or Hotmail support if it occurs again.
You had issues that were causing you problems, but it is very unlikely that smitfraud-c.toolbar888 had anything to do with them.
See this information: FALSE POSITIVE http://forums.spybot.info/showthread.php?t=8668
This was supposed to have been fixed; are you sure your Spybot S&D version is up to date?

You can use HJT to remove that line if you wish; it is just clutter:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.