I was infected recently from a bad .exe I downloaded. I scanned my PC using AVG free edition and I managed to heal the trojans smit or virt downloaded. I scanned with spybot and it said it fixed virt but not smit. I searched these forums and saw others had similar problems and the path to removing this smit is gonna be a long and painful road.

Here's my hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:20 AM, on 8/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\AmerikanMade\sccs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\VideoLAN\VLC\vlc.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sccs] C:\Documents and Settings\AmerikanMade\sccs.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218142267093
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll mdxlnm.dll
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O22 - SharedTaskScheduler: Windows Installer Class - {020487CC-FC04-4B1E-863F-D9801796230B} - C:\DOCUME~1\AMERIK~1\LOCALS~1\Temp\wndutl32.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6064 bytes

Here's my SDFIX report, I read others did this step also so I thought you may ask for it in case.


SDFix: Version 1.220
Run by AmerikanMade on Fri 08/29/2008 at 07:35 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\ELGE.EXE - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\WINDOWS\rodqgpvlwmk.dll - Deleted
C:\WINDOWS\rvoelbxt.exe - Deleted



Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 07:42:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:35,7b,fb,ac,ce,ba,7f,5d,4d,80,3e,7f,62,df,e8,ee,7d,cf,60,fa,13,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,31,f9,e0,90,bf,f7,7b,13,59,90,2f,43,6f,ef,42,bb,97,..
"khjeh"=hex:7f,ab,9e,d9,bd,4e,02,36,0e,a7,17,3d,06,9c,cc,ec,be,56,39,68,2e,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:fb,21,3c,eb,48,bb,5a,0b,e4,fe,01,a1,1b,10,15,f2,6e,19,14,76,06,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:35,7b,fb,ac,ce,ba,7f,5d,4d,80,3e,7f,62,df,e8,ee,7d,cf,60,fa,13,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,31,f9,e0,90,bf,f7,7b,13,59,90,2f,43,6f,ef,42,bb,97,..
"khjeh"=hex:7f,ab,9e,d9,bd,4e,02,36,0e,a7,17,3d,06,9c,cc,ec,be,56,39,68,2e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:fb,21,3c,eb,48,bb,5a,0b,e4,fe,01,a1,1b,10,15,f2,6e,19,14,76,06,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000012b

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Bohemia Interactive\\ArmA\\arma.exe"="C:\\Program Files\\Bohemia Interactive\\ArmA\\arma.exe:*:Enabled:ArmA"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 29 Aug 2008 73,728 ..SH. --- "C:\Documents and Settings\AmerikanMade\MediaTubeCodec_ver1.1463.0.exe"
Fri 29 Aug 2008 103,936 ..SH. --- "C:\Documents and Settings\AmerikanMade\sccs.exe"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 7 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

The

"C:\Documents and Settings\AmerikanMade\MediaTubeCodec_ver1.1463.0.exe"

and

"C:\Documents and Settings\AmerikanMade\sccs.exe"

look awkward to me and they're also in awkward places, I never put any files in that folder.

Oh yeah, I forgot to mention after that sdfix process, I started up my computer and teatimer is asking me this

Catagory: System Start Up Global Entry
Change: Value Deleted
Entry: SpyBotSnD
Old Data: "C:\programs\spybot directory\spybotSD.exe" / autocheck

I don't know if I should click allow change or deny, lol.
----------------------------------------------------

Do NOT run 'FIXES' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806 )

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'FIXES' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806 )

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Oops, sorry about that, I was reading a thread about the smit removal, and I got up to Malwarebytes' Anti-Maleware. It managed to remove the maleware that was causing the problems but now I still have a dirty PC, or whatever that trojan did to my PC. Like my desktop is white, I can't change it back to my default wallpaper, my start up wallpaper is still the wallpaper the trojan put for me.

I have been infected with Smitfraud-C and Virtumonde, I think I managed to clean it out the trojans and malware because spybot, AVG and Malwarebytes' Anti-Maleware all detect no maleware or trojans but I think my pc is still dirty from the mess they caused.

When I go to desktop properties, in the desktop tab, I have 2 files, swsys1 and swsys2. These files display no picture for wallpaper so I think they're causing my desktop to display no wallpapers I set it too. I'm not sure what else Smitfraud-C and Virtumonde did to my PC either.

New topic: http://forums.spybot.info/showthread.php?t=33406

:)