Smitfraud-C/Zlobdownloader.vcd Infestation



WKAlv
2007-12-31, 14:49
I have had for several days an infestation of the above. Spybot -- S & D (running normally) shows them being removed, but they are there again when you run it a second time. In safe mode, they don't show up the second time, but reappear in normal mode. It seems to be morphing. I always have three entries for Smitfraud-C, but what they are changes. Just today, I have an ugly red desktop wallpaper hawking "privacy protection software".

I downloaded SmitFraudFix v 2.274 a few days ago and ran "Search Only".

I have followed the steps in http://forums.spybot.info/showthread.php?t=288 with the following results. Hope someone can give me some guidance with getting rid of this abomination.

(a) HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29:09, on 30-Dec-07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\PGPNT\PGPTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/William%20K.%20Alverson/My%20Documents/My%20Webs/WKAHomeP/index.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193087558250
O21 - SSODL: xcvwer - {DC22B0EA-AA42-4F3A-AA6A-878D3A467FC3} - C:\WINNT\xcvwer.dll
O21 - SSODL: hjoqor - {43E0E204-AAAA-4BE3-8924-99EE63A8F905} - C:\WINNT\hjoqor.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 5060 bytes

(b) Kaspersky log report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, 29 December, 2007 15:18:01
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/12/2007
Kaspersky Anti-Virus database records: 499999
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
B:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 69943
Number of viruses found: 7
Number of infected objects: 55
Number of suspicious objects: 370
Duration of the scan process: 01:56:52


Hmmm! It wouldn't take the full thing showing that there were a total of 216,777 characters as compared to 20,000 characters max. I guess that would take a total of 22 separate posts to do. Suggestions? Anyhow, that is the beginning of the Kaspersky log.

Simon V.
2008-01-01, 21:24
Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Can you please post the SmitfraudFix report? It can be found here: C:\rapport.txt.

Let's try this to make the Kaspersky Online Scan report shorter:

Please download FixEdit (http://downloads.malwareremoval.com/Fixedit/FixEdit.exe).

Double-click on FixEdit.exe to open the program.
Go to File > Open, select the Kaspersky Online Scan report and click on Open.
Click on the Make Global Changes tab.
In the upper part (red lines), select Does NOT Contain the Test Key anywhere.
In the Test Key Text box, enter the text in the quotebox below:


Object is locked skipped

Make sure Retain only the lines that pass the Test Parameter, Discard the Rest is checked.
Click OK.
Now, click on the Show/Edit Current Text tab. Your Kaspersky Online Scan report should be a lot shorter now. Go to File > SaveAs and save the file to your desktop.
Please post the contents of that file in your next reply, along with the SmitfraudFix report (C:\rapport.txt) and a new HijackThis log.

WKAlv
2008-01-04, 13:23
Thanks, the smitfraudfix log is posted below. This is several days old by now.

I will work on the other instructions in your last and post again with the results.

SmitFraudFix v2.274

Scan done at 20:08:15.48, Sun 30-12-2007
Run from C:\Buffer1\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\PGPNT\PGPTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

C:\WINNT\binret.exe FOUND !
C:\WINNT\ttvbon???.dll FOUND !
C:\WINNT\xcvwer.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\William K. Alverson


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\William K. Alverson\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1

C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Privacy Protector.url FOUND !
C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\WILLIA~1.ALV\Desktop\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA VT6105 Rhine III Fast Ethernet Adapter
DNS Server Search Order: 192.168.254.254
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

WKAlv
2008-01-04, 14:15
I am having trouble getting the FixEdit to work. If I follow the instructions and save the results as a .txt file (or alternatively cut and paste to Notepad and do the same) I get a file that is no longer readable, but seems to be nothing but zeros.

Also, looking at the original smitfraudfix log which I had saved as a .txt file, I see that the phrase
"Object is locked[tab]skipped" rather than
"Object is locked skipped" appears often and is not removed after specifying the latter. The difference appears to be a tab character rather than space.

On originally loading the file, I get "file contains UniCode or Database Null character. Use Fixedit to open in plain text with the nulls removed?" and the only choice is yes or cancel.

??

Simon V.
2008-01-04, 14:16
Did you save the initial Kaspersky log as a .txt file?

WKAlv
2008-01-04, 15:23
Yes, it was, in fact, saved as a .txt file. It shows up quite readable in FixEdit when I open it. And it is readable after I get through the Global changes. It is only after I save the edited version and then go back and reopen it that the problem occurs. I have tried saving it in FixEdit (I give a name with the extension .txt -- it doesn't give me any file types to select from) or copying and pasting into Notepad and saving as a text file. I got the same results both ways.

I can't remember exactly what I did to save the original, unedited, file, but the instructions show that the program gives the choice to "save as text" and thus I must have done it that way instead of cutting and pasting into Notepad and saving as a text file (in the latter case, I might have missed an opening or closing character if I didn't use select all.)

I guess I could run the Kaspersky again. It takes a bloody long time, but I guess this time I won't have to go through all the download time again.

How about the tab versus space thing?

Bill
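As an added example (not from the thread, FixEdit or Kaspersky): a small Python script that performs the FixEdit filtering step with both failure modes described above handled, the report that shows as "nothing but zeros" after re-saving (a UTF-16 file with a NUL after every character) and the "Object is locked[tab]skipped" lines that a plain space-separated match misses. The sample report, its paths and the detection name are constructed.

```python
import codecs
import re
import sys
from typing import List

# Matches the 'locked' lines whatever whitespace (space or tab) separates the
# two phrases; a literal "Object is locked skipped" match misses the tab form.
LOCKED_RE = re.compile(r"Object is locked\s+skipped")


def decode_report(raw: bytes) -> str:
    """Decode the raw report bytes into text.

    A report saved as UTF-16 carries a NUL byte after every ASCII character,
    which an 8-bit editor shows as a file full of zeros (the "Unicode or
    Database Null character" prompt). Honour a BOM first, then fall back to a
    NUL-byte heuristic, then to 8-bit Windows text.
    """
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")          # the codec reads and strips the BOM
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    if b"\x00" in raw[:256]:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("cp1252", errors="replace")


def filter_report(text: str) -> List[str]:
    """Keep every line that is NOT an 'Object is locked ... skipped' entry."""
    return [line for line in text.splitlines() if not LOCKED_RE.search(line)]


def shorten_report(raw: bytes) -> bytes:
    """Decode, filter and re-encode as plain 8-bit CRLF text that Notepad
    displays correctly (no UTF-16 NUL bytes in the output)."""
    kept = filter_report(decode_report(raw))
    return ("\r\n".join(kept) + "\r\n").encode("cp1252", errors="replace")


# Constructed sample, not a real scanner report: one space-separated and one
# tab-separated 'locked' line, plus a placeholder-named detection to keep.
SAMPLE_REPORT = (
    "KASPERSKY ONLINE SCANNER REPORT\r\n"
    "Number of infected objects: 1\r\n"
    "C:\\pagefile.sys\tObject is locked skipped\r\n"
    "C:\\WINNT\\system32\\config\\SAM\tObject is locked\tskipped\r\n"
    "C:\\WINNT\\xcvwer.dll\tInfected: EXAMPLE.Placeholder\tskipped\r\n"
    "Scan process completed.\r\n"
)


if __name__ == "__main__":
    # Usage: python shorten_kav_report.py <report.txt>  -> writes <report>_short.txt
    if len(sys.argv) < 2:
        print("\n".join(filter_report(SAMPLE_REPORT)))
    else:
        src = sys.argv[1]
        with open(src, "rb") as fh:
            out = shorten_report(fh.read())
        dst = src.rsplit(".", 1)[0] + "_short.txt"
        with open(dst, "wb") as fh:
            fh.write(out)
        print(f"wrote {dst}")
```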

Simon V.
2008-01-04, 15:26
Let's do it differently. I might have to revise my FixEdit instructions, but in order to do that I'll need the original Kaspersky report. Please upload it to Rapidshare (http://www.rapidshare.com/) and give me the link where I can download it.

Simon V.
2008-01-04, 16:51
Hi :)

Note: Kaspersky report received through PM.

Step 1

Please disable TeaTimer, as it may interfere with the fix. This is done in two steps:

First step: Right-click the Spybot icon in your system tray (looks like a blue and white calendar with a padlock symbol).

For version 1.5: Click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the system tray should now be colorless.
For version 1.4: Click on Exit Spybot S&D Resident.

Second step: Open Spybot Search & Destroy.

Click Mode, choose Advanced Mode. When prompted, answer Yes.
Go to the bottom of the vertical panel to the left, click Tools.
Click Resident (a white and red shield, located in the panel to the left).
If your firewall gives you a warning, allow it.
Uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
OK any prompts.
Go to File > Exit to close Spybot Search & Destroy.
Reboot your computer for the changes to take effect.

Note: Be sure to enable TeaTimer when you are clean!

Step 2

Please download and install AVG Anti-Spyware (http://free.grisoft.com/doc/5390/us/frt/0?prd=asf).

After the installation, open AVG Anti-Spyware and do the following:

Under Status, click on Change state, next to Resident shield (this will change from Active to Inactive)
Under the Update tab, click on Start update.
Under Scanner, click on the Settings tab:

Under How to act?, click on Recommended actions, and select Quarantine.
Under Reports, select Do not automatically generate reports.

Close AVG Anti-Spyware. Do not let it scan yet.

Note: If you have problems getting the update, you can download an installer for the full database here (http://downloads.ewido.net/avgas-signatures-full-current.exe). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed, then double-click on avgas-signatures-full-current.exe to install the database.

Step 3

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1). Double-click on ATF-Cleaner.exe to start the program.

Under the Main tab, put a check next to Select All.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

If you use the Firefox browser:
Click on Firefox at the top and put a check next to Select All.
If you would like to keep your saved passwords, click No at the prompt.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

If you use the Opera browser:
Click on Opera at the top and put a check next to Select All.
If you would like to keep your saved passwords, click No at the prompt.
Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

Step 4

Print these instructions or copy them to Notepad and save it to your desktop, as you won't be able to access internet in Safe Mode.

Please reboot into Safe Mode. To do this, go to Start > Turn off Computer, and select Restart. Rapidly tap F8 just before Windows starts to load. In the menu that appears, select Safe Mode (Without Networking).

Log in to your usual account.

Step 5

Double-click on SmitfraudFix.exe.

A screen will pop up. Select Option 2 (Clean) by typing 2 and hit Enter.
You will be prompted: Registry Cleaning - Do you want to clean the registry? Answer Yes by typing Y and press Enter in order to clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file; answer Yes by typing Y and hit Enter.
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart Windows into Safe Mode.
A text file will appear onscreen, with results from the cleaning process; please save it to a convenient location. The report can also be found at C:\rapport.txt.

Note: running Option 2 (Clean) on a computer that is not infected will remove your desktop background.

Step 6

Please open AVG Anti-Spyware.

Click on the Scan tab.
Click on Complete System Scan to start the scan process.
After the scan, do the following:

Important: Don't click on the Save Scan Report button before you hit the Apply all Actions button.

Make sure that Set all elements to: shows Quarantine (1). If not, click on the link and select Quarantine from the popup menu (2).
At the bottom of the window click on the Apply all Actions button (3).
When done, click the Save Report (4) button, and save the file to your desktop.

http://i147.photobucket.com/albums/r301/DFW_photos/scanavgjk2.jpg

Reboot into Normal Mode.

Step 7

Open HijackThis.

Click on the Config button.
Click on the Misc Tools button.
Click on the Open Uninstall Manager button.
Click on the Save list... button and save the file to a convenient location. When you press Save, Notepad will open with the contents of that file.

Step 8

In your next reply, please post:

the SmitfraudFix report (C:\rapport.txt)
the AVG Anti-Spyware report
the Uninstall List (uinstall_list.txt)
a new HijackThis log

WKAlv
2008-01-07, 22:15
There was some sort of problem with SmitfraudFix. In doing the temporary file removal it evidently called Windows Disk Cleanup, which seemed to be running simultaneously. SmitfraudFix finished and wrote the file with Disk Cleanup continuing to run but never finishing. This is a long-running program anyhow, but I left it on long enough to make sure it had actually locked up.


I left my computer on (to hibernate after the time out period) last night rather than sending it into hibernation directly. So far this morning I haven't seen anything amiss, but I guess I need to run it a few more days to make sure.

I ran Spybot S&D and found Smitfraud-C.MSVP
SBI $6FE8300C Text File C:\WINNT\data.txt

but let S S&D fix it and in two subsequent runs (separated by a couple of hours) it didn't reappear.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:23:26 06-Jan-08

+ Scan result:



HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1645522239-2146965837-839522115-1000\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Qualcomm\Eudora7.1\Attach\Attachment with no filename vul -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
C:\Program Files\Qualcomm\Eudora7.1\Attach\Untitled -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
C:\Program Files\Qualcomm\Eudora7.1\Attach\Untitled1 -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
C:\Program Files\Qualcomm\Eudora7.1\Attach\nicepicture -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
C:\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.jpg.hta -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
C:\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.jpg.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b} -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
C:\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.zlv -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Attach\Attachment with no filename vul -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Attach\Untitled -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Attach\Untitled1 -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Attach\nicepicture -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Attach\viewthis.jpg.hta -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Attach\viewthis.jpg.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b} -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Attach\viewthis.zlv -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\Attachment with no filename vul -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\Untitled -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\Untitled1 -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\nicepicture -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\viewthis.jpg.hta -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\viewthis.jpg.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b} -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Eudora5.1\Eudora5.1\Attach\viewthis.zlv -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\Attachment with no filename vul -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\Untitled -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\Untitled1 -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\nicepicture -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.jpg.hta -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.jpg.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b} -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).
E:\WKA Backup\Program Files\Qualcomm\Eudora7.1\Attach\viewthis.zlv -> Not-A-Virus.Exploit.VBS.GFI.a : Cleaned with backup (quarantined).


::Report end

uinstall_list.txt follows

Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Antioch
AutoCAD LT 97
AVG Anti-Spyware 7.5
DePopper 2.x
Easy CD & DVD Creator 6
Eudora
Family Tree Maker 8.0
F-PROT Antivirus for Windows
Google Earth
HijackThis 2.0.2
Hotfix for MDAC 2.81 (KB927779)
Image Data Converter SR
IrfanView (remove only)
Jasc Paint Shop Pro 9
Jasc Paint Shop Pro 9 GDI+ Patch
Jasc Paint Shop Pro 9.01 Patch
Kaspersky Online Scanner
Lotus NotesSQL 3.01 driver
Lotus SmartSuite - English
Memorex exPressit Label Design Studio
Microsoft AutoRoute 2006
Microsoft FrontPage 2000 SR-1
Microsoft Internet Explorer 6 SP1
Microsoft Office Converter Pack
Microsoft Streets and Trips 2004
Microsoft Word 2000 SR-1
Personal Ancestral File 5
PGPfreeware 6.5.8
ProSavage and Utilities
S3Display
S3Gamma2
S3Overlay
Savings Bond Wizard
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for DirectX 8 (KB941568)
Security Update for DirectX 9 (KB941568)
Security Update for Windows 2000 (KB923689)
Security Update for Windows 2000 (KB941569)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Sony Picture Utility
Sony USB Driver
Spybot - Search & Destroy
SpywareBlaster v3.5.1
Steel Panthers World At War v8.20
Update Rollup 1 for Windows 2000 SP4
VIA Audio Driver Setup Program
WavePad Uninstall
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917344
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB918118
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB921503
Windows 2000 Hotfix - KB922582
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923810
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB924667
Windows 2000 Hotfix - KB925902
Windows 2000 Hotfix - KB926122
Windows 2000 Hotfix - KB926436
Windows 2000 Hotfix - KB927891
Windows 2000 Hotfix - KB928843
Windows 2000 Hotfix - KB930178
Windows 2000 Hotfix - KB931784
Windows 2000 Hotfix - KB933729
Windows 2000 Hotfix - KB935839
Windows 2000 Hotfix - KB935840
Windows 2000 Hotfix - KB936021
Windows 2000 Hotfix - KB937894
Windows 2000 Hotfix - KB938127
Windows 2000 Hotfix - KB938827
Windows 2000 Hotfix - KB938829
Windows 2000 Hotfix - KB939653
Windows 2000 Hotfix - KB941202
Windows 2000 Hotfix - KB942615
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See Q828026 for more information]
WinZip 11.1
ZoneAlarm




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:38:21, on 06-Jan-08
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Network Associates\PGPNT\PGPTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BDEX System - {7F719D62-623C-4F70-9244-8CAEC58B041B} - C:\WINNT\ttvbonfwt.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193087558250
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4914 bytes

Hopefully this does it. Do you see anything remaining?

Simon V.
2008-01-07, 22:22
Hi :)

We'll make sure nothing is left by running an Online Scan.

Step 1

Open HijackThis, perform a scan and put a check next to the following items (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: BDEX System - {7F719D62-623C-4F70-9244-8CAEC58B041B} - C:\WINNT\ttvbonfwt.dll (file missing)

Close all programs except HijackThis and click on Fix checked.

Step 2

Please visit TotalScan (http://www.nanoscan.com/as/v1).

Under Scan Now click the Full Scan button.
Follow the prompts to install the Active X if necessary.
It will take a while, let it run unhindered.
When the scan is finished, a report will be generated.
Next to Scan Details click the small Save button and save the report to your desktop.

Step 3

In your next reply, please post:

the TotalScan report
a new HijackThis log
How is your computer currently running?

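As an added example that is not part of this thread, a small Python checker that encodes two of the three entries Simon asks to fix above: an O2 BHO whose DLL is "(file missing)", and an R0 Local Page pointing outside the Windows directory that the process list reveals (C:\WINNT on this machine, while the entry names C:\windows). The sample log lines are constructed from the log posted earlier in the thread; the rule names and the `windows_root` heuristic are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a few lines in the shape of the 06-Jan-08 HJT log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {7F719D62-623C-4F70-9244-8CAEC58B041B} - C:\WINNT\ttvbonfwt.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""

# "<drive>:\<windir>\system32\" prefix of a core system process path (smss/winlogon)
CORE_PROC = re.compile(r"^([A-Za-z]:\\[^\\]+)\\system32\\(smss|winlogon)\.exe$", re.IGNORECASE)
# "R0 - ..." / "O2 - ..." HJT entry lines
ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


def windows_root(lines: List[str]) -> Optional[str]:
    """Infer the Windows directory from smss.exe/winlogon.exe in the
    'Running processes' block, since HJT does not print it directly."""
    for line in lines:
        m = CORE_PROC.match(line.strip())
        if m:
            return m.group(1)  # e.g. C:\WINNT
    return None


def suspicious_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry line, reason) pairs for entries a helper would mark to fix."""
    lines = log_text.splitlines()
    root = windows_root(lines)
    findings = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O2" and body.endswith("(file missing)"):
            # A BHO whose DLL is gone is a dead registration; a random-looking
            # DLL name in the Windows directory is typical of removed malware.
            findings.append((line, "BHO registered but its DLL is missing"))
        elif code == "R0" and ",Local Page =" in body and root:
            # Local Page should live under the real Windows directory.
            target = body.split("=", 1)[1].strip()
            if not target.lower().startswith(root.lower() + "\\"):
                findings.append((line, f"Local Page points outside {root}"))
    return findings


if __name__ == "__main__":
    for entry, reason in suspicious_entries(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")
```
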
WKAlv
2008-01-08, 14:42
Well, I can't get TotalScan to load and run. I tried it on my wife's machine (running on the same LAN into the same router and DSL modem). It also has pretty much the same software as mine before some changes under this string (Win 2KPro with Zone Alarm, SpyBot S&D and F-prot). It opens on hers, that is I get the start screen, I haven't bothered to run it. On mine I get a blank screen at nanoscan.com. I shut AVG down and got another blank screen at infectedornot.com. In both cases, I think I have left it on long enough to make sure it wasn't just a crowded site trying to download.

I have made some changes in Internet Explorer Internet Options recommended in the Jason Levine site referenced herein. In particular I made the change to prevent a website from reading clipboard information and set first and third party cookies to prompt. Allowing cookies with TotalScan doesn't make any difference.

Suggestions?

Simon V.
2008-01-08, 17:45
Hi :)

Do you experience this problem with any other site?

You can try to run another online scan:

Please perform a scan with the Eset Online Scanner (http://www.eset.com/threat-center/cac.php). Note: Please use Internet Explorer as it uses ActiveX.

Check (tick) this box: YES, I accept the Terms of Use.
Click on the Start button next to it.
When prompted to run ActiveX, click Yes.
You will be asked to install an ActiveX. Click Install.
Once installed, the scanner will be initialized.
After the scanner is initialized, click Start.
Uncheck (untick) Remove found threats box.
Check (tick) Scan unwanted applications.
Click on Scan.
It will start scanning. Please be patient.
Once the scan is done, a log will be saved here: C:\Program Files\esetonlinescanner\log.txt. Please post it in your next reply.

WKAlv
2008-01-09, 15:00
Okay, the Eset log follows:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2776 (20080109)
# vers_arch_module=1.060 (20071228)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=f47979933a8ee1459625515d89abcd2f
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-01-09 12:35:57
# local_time=2008-01-09 07:35:57 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.0.2195 NT Service Pack 4
# scanned=130050
# found=3
# scan_time=5536
E:\NLA Backup\Program Files\Qualcomm\Eudora5.1\Trash.mbx HTML/Phishing.gen trojan 5F51553A165DC25F6051191F340C695B
E:\NLA Backup\Program Files\Qualcomm\Eudora5.1\Trash.mbx »MIME HTML/Phishing.gen trojan 00000000000000000000000000000000
E:\NLA Backup\Program Files\Qualcomm\Eudora5.1\Trash.mbx »MIME »part000.htm HTML/Phishing.gen trojan 00000000000000000000000000000000

This was in the trash mailbox of an old version of Eudora which I had backed up from my wife's computer. There is no point keeping a trash mailbox anyway, so I erased the whole thing with PGP's wipe, which gets the code as well as the directory entry. I guess I ought to check hers with Eset too, since I think the old Eudora is still there though she uses 7.1.0.9 now.

After this, the HJT log was

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:47:51, on 09-Jan-08
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Network Associates\PGPNT\PGPTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/William%20K.%20Alverson/My%20Documents/My%20Webs/WKAHomeP/index.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193087558250
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4979 bytes

WKAlv
2008-01-09, 16:34
Incidentally, after all this, Tea Timer no longer runs on reboot. I have to go to the program folder and start it manually from there. Is there any way I can fix this without just reinstalling Spybot S&D?

Simon V.
2008-01-09, 16:41
Hi :)

To re-enable Teatimer, do the following:

Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
On the left hand side, click on Tools.
Check (tick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
Exit Spybot Search & Destroy.
Restart your computer for the changes to take effect.

Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:

You can now delete the following program(s):

SmitfraudFix

Make your Internet Explorer More Secure

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialise and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ (http://update.microsoft.com/) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here: http://www.bleepingcomputer.com/tutorials/tutorial43.html

Install Ad-Aware - Download and install Ad-Aware (if you have Ad-Aware SE note that it is outdated, and you should update to Ad-Aware 2007). You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here: http://www.bleepingcomputer.com/tutorials/tutorial48.html

Install IE-Spyad - IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD

Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a week, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place? (http://www.castlecops.com/p35268-So_how_did_I_get_infected_in_the_first_place.html#35268)

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php) - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Smitfraud.

WKAlv
2008-01-10, 13:35
Thanks for your help. It is good to know that this place exists. I have never before had a problem with a virus, trojan or whatever, what with my AV program (F-Prot) and, later, Spybot-S&D, but neither of them was able to do anything about this one.

Simon V.
2008-01-10, 17:37
You're welcome, glad we could be of assistance.

Happy surfing and stay safe! :)