Malware removed?



jrtking73
2007-04-04, 05:16
Hi everybody. First off, thanks, you guys are great.
I completed the self-removal instructions that Tashi posted, and at the end it asks me to post my rapport file and the HJT log, so here goes. If I misunderstood and am being bad, sorry!
Jeremy
Logfile of HijackThis v1.99.1
Scan saved at 8:03:43 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\LEXBCES.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\LEXPPS.EXE
G:\WINDOWS\Explorer.EXE
G:\Program Files\Ahead\InCD\InCD.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Support.com\bin\tgcmd.exe
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
G:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
G:\Program Files\ewido anti-malware\ewidoctrl.exe
G:\WINDOWS\System32\nvsvc32.exe
G:\WINDOWS\system32\wscntfy.exe
G:\Program Files\Alwil Software\Avast4\setup\avast.setup
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
G:\WINDOWS\system32\wuauclt.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] G:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] G:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BJCFD] G:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "H:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [SAUpdate] "H:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ccleaner] "G:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Help - {13E62863-6C4D-46B2-A962-64E08CFFCDE6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {3970E5E0-6713-47F1-9C0B-9258387EE297} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {CEC115B3-891B-4654-BEF7-B691B5A3B0C1} - http://www.comcastsupport.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - G:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - G:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

and

SmitFraudFix v2.162

Scan done at 19:48:57.86, Tue 04/03/2007
Run from G:\Documents and Settings\Jeremy King\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}"="Windows Update"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{1cb82d6d-f9a3-40c4-8ad5-6d7ea00ed6ad}"="haefner"

[HKEY_CLASSES_ROOT\CLSID\{1cb82d6d-f9a3-40c4-8ad5-6d7ea00ed6ad}\InProcServer32]
@="G:\WINDOWS\system32\yronl.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1cb82d6d-f9a3-40c4-8ad5-6d7ea00ed6ad}\InProcServer32]
@="G:\WINDOWS\system32\yronl.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

G:\WINDOWS\system32\yronl.dll -> Hoax.Win32.Renos.gen.k
G:\WINDOWS\system32\yronl.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

G:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
G:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
G:\Program Files\SpywareLocked\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5C081414-7871-4237-B64E-0A648BB603DD}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5C081414-7871-4237-B64E-0A648BB603DD}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5C081414-7871-4237-B64E-0A648BB603DD}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2007-04-04, 22:58
Welcome to the forum and yes you did have a Smitfraud infection and it does look like Smitfraudfix was successful in removing it. There has been an update to SmitFraudFix v2.163. If you wish to be sure nothing was missed with the old version, delete it and download from here:
http://siri.geekstogo.com/SmitfraudFix.php
and "Search" ONLY with the new version. If it finds nothing, DO NOT run more than that; the tool can damage the Desktop if the infection is not present. This scan is your option.

Now to your HJT log and what I see. First:
You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly. Uninstall one, update the one you keep and run a complete system scan, post for me any item that can't be removed, the complete name and pathway.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html

G:\Program Files\Alwil Software\Avast4\
G:\Program Files\Common Files\Symantec Shared\Security Center\
I suggest you decide which program you wish to run and remove the other from your computer.

G:\Program Files\ewido anti-malware\ <<< this program is obsolete; it was purchased by Grisoft, who released AVG Anti-Spyware 7.5 to replace it. It is no longer supported, so I suggest you uninstall it; it is wasting resources and doing nothing for you.

O4 - HKLM\..\Run: [ComcastSUPPORT] G:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start see this information:
http://www.castlecops.com/startuplist-637.html This one is for your information; I would take it up with ComCast to see what they say if I were you.

Post a new log for me to check if you wish. If I can do more, let me know.

Thanks

jrtking73
2007-04-05, 19:38
Again, I really appreciate what you guys do with this site and program. It's like a small piece of justice in an unjust world. I am curious what you saw with the last item, the Castle Cops thing. What does this tgkill thing do? Also, how can I research what the items (and here I don't even have the right vocabulary) that show up in HJT do, where they are, etc.? I hope that makes sense; basically I am trying to make sense of what I see in those long lists. Thanks again!
Jeremy

jrtking73
2007-04-05, 19:42
PS: I am getting rid of the programs you suggested getting rid of and cleaning up the system. Thanks for the info!
Jeremy

pskelley
2007-04-05, 21:02
Here is a HJT tutorial if it helps: http://www.bleepingcomputer.com/tutorials/tutorial42.html

As far as this item: O4 - HKLM\..\Run: [ComcastSUPPORT] G:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
Since I do not use ComCast, and it is not "malware" but something that is probably useless according to the main database I use, did you click on it to see what CastleCops said:
http://www.castlecops.com/startuplist-637.html If CC's is correct, at the very least this is a resource waster, running every time you start your computer and using your resources. It is also probably doing nothing for you for those resources. I search Google for the executable:
tgkill.exe. Have a look at what other websites say about it.
http://www.google.com/search?hl=en&q=tgkill.exe&btnG=Google+Search like http://www.winpatrol.com/db/freesample/tgcmd.html


Mysteryware - TGCMD.EXE
TGCMD.EXE, sometimes considered spyware, was originally created by Tioga/Support.com. If you're an @Home subscriber, this was probably installed with your Comcast @home software or other broadband provider.
If you own a Sony Vaio system, it was probably factory installed along with the Sony Support software.

This program collects data on the programs that you use and websites you browse. It is unclear if anything is being done with the data.
If you have a need to support in this manner you can safely leave it alone but we don't recommend having it running at all times from your startup list.

Hope that information helps
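Jeremy asked how to work through the items in an HJT log, and the advice above comes down to "pull out each executable and research it, and look hard at entries whose file is gone". The following is an added example, not code from this thread or from HijackThis: a small Python parser that turns HJT lines (a few copied from the log above as constructed input) into the executable names to look up, with the "(file missing)" and "(no file)" leftovers flagged separately.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis log posted above, covering a
# Run entry with arguments, a quoted path, a missing file and an O18 filter with no file.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ComcastSUPPORT] G:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# An HJT line is "<section> - <body>"; the body carries at most one file path.
SECTION_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|cab)|%windir%\\[^"]*?\.exe)', re.I)

def parse_hjt(log_text):
    """Turn HJT lines into dicts: section, path, exe name, args and missing-file flags."""
    records = []
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else None
        args = ""
        if pm:  # whatever follows the path is its command line
            args = body[pm.end():].lstrip('"').replace("(file missing)", "").strip()
        records.append({"section": section, "path": path,
                        "exe": ntpath.basename(path) if path else None, "args": args,
                        "file_missing": "(file missing)" in body,
                        "no_file": "(no file)" in body})
    return records

def flagged(records):
    """Entries that point at a file HJT could not find: leftovers worth a closer look."""
    return [r for r in records if r["file_missing"] or r["no_file"]]

def lookup_names(records):
    """Unique executable names, i.e. the terms to research one at a time."""
    return sorted({r["exe"].lower() for r in records if r["exe"]})

if __name__ == "__main__":
    recs = parse_hjt(SAMPLE_LOG)
    for r in flagged(recs):
        print("check:", r["section"], r["path"])
    print("research:", ", ".join(lookup_names(recs)))
```

Feed it a whole saved HJT log instead of SAMPLE_LOG and the research list is the set of names to look up, while the flagged list is the set of dead entries a helper would usually ask about.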

tashi
2007-04-16, 22:34
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.