
Thread: Smitfraud, Hijacker.Agent.jh, Trojan.BHO.g

  1. #1
    Junior Member (Join Date: Apr 2007, Posts: 5)

    Smitfraud, Hijacker.Agent.jh, Trojan.BHO.g

    Note: After reviewing many forums, the SpyBot S&D appears to be the better organized. Thanks!

    April 11, 2007: Anyone have ideas on how to remedy another case of smitfraud, Hijacker.Agent.jh and Trojan.BHO.g?

    System:
    : HP Pavilion, 2.6 GHz, 512 MB, 56% free disk space, Windows XP
    : Internet Connection Firewall enabled in Network Connections
    : Running Internet Explorer v6.026 w/ Panicware popup blocker enabled
    : Dialup connection through external USR modem using ATT WorldNet
    : Norton AV 2002 does not detect any viruses

    Symptoms: (began appearing March 2007)
    : Modem began behaving differently, receiving data before login acknowledgement
    : Modem intermittently receiving data after web page contents downloaded
    : Internet Explorer window seemed to flash briefly on occasion.
    : Nuisance pop-up windows becoming more numerous over time
    : Slow Internet access
    : Situation degrades over time
    : Spybot 1.4 detects smitfraud-c-toolbar888, but cannot cure.
    >> Numerous postings are describing SpyBot detecting smitfraud as a false positive

    First Fix Attempt
    : Search Google for smitfraud and was taken in by the XoftSpySE ad
    : Downloaded XoftSpySE on April 8, 2007, paid $39.95
    : Ran XoftSpySE, which detected and removed some items, but could not fix symptoms.
    : XoftSpySE also kept noting an apparent registry issue with default IE home page, but could not fix.

    Note: After running the fixes described below, the XoftSpySE update gave the error message: “XoftSpySE is unable to download the latest update, ... Does you firewall setting grant access to XoftSpySE to connect to the Internet?”

    Will try to delete and reload XoftSpySE, but am not pleased with the product nor their home page.

    *******************************************************************
    Second Fix Attempt
    Printed out, reviewed and followed instructions on these documents:
    http://forums.spybot.info/showthread.php?t=9190
    >> did not have C:\windows\svchost.exe or p2pnetworking.exe

    http://forums.techguy.org/security/5...88-spybot.html
    >> did not try Brute Force Uninstaller or Panda's ActiveScan

    http://forums.techguy.org/security/5...oolbar888.html
    >> did not try Killbox, OTMoveIt by OldTimer, or Dr.Web CureIt.

    http://forum.piriform.com/index.php?showtopic=9284
    >> did not try Superantispyware

    http://www.short-media.com/forum/showthread.php?t=54915
    >> did not try Panda ActiveScan as it requires access to the Internet and PC is infected and I have a slow dialup connection.

    An analysis of the postings above, and others, led me to take the following common steps:
    Ran HijackThis and did a system scan; none of the entries matched the ones noted in the links above.
    >> did notice O2 - BHO: (no name) regarding system/32/forarp.dll. Could not find any data on this dll.
    >> did not select any items to remove

    Ran Vundo Fix, which found and removed C:\WINDOWS\System32\tmp5.tmp.dll
    >> I searched C: and also found this dll in Doc-Settings/Owner/local setting/temp internet files

    Ran ATF Cleaner after rebooting into Safe Mode (F8).
    >> found items and I clicked “Empty Selected”
    >> Spybot had already been set to normal mode and TeaTimer was unchecked

    Ran SmitfraudFix after rebooting into Safe Mode and selected option 2 Clean and deleted infected files

    Ran AVG Anti-Spyware 7.5 after rebooting into Safe Mode following instructions in the postings.
    >> Had downloaded AVG on Monday, April 9. PC degraded more and could not download latest update.

    Reset Web Settings option in Control Panel - Internet Options.
    Made new Restore Point, ran disk cleanup and deleted old Restore Points

    Rebooted, setup desktop again which had been changed. Rebooted again, connected to Internet and the nuisance pop-ups began appearing again within 5 minutes.

    *******************************************************************
    Third Fix Attempt
    PC system state accessing Internet 5 minutes after cleaning steps noted above:

    Ran Vundo Fix, and no problems were found this time even though receiving nuisance pop-ups.

    Ran XoftSpySE and found High Risk registry value changed and removed it:
    "software\microsoft\internet explorer\main\start page\about:blank:@:about:blank
    >> For reference, my PC default home page is about:blank

    Ran HijackThis and did system scan (see log below), and did not select and remove any items.
    >> Concerned about these two entries, but they may be normal:
    O20 - Winlogon Notify: forarp - C:\WINDOWS\SYSTEM32\forarp.dll (dated 4/6/2007 – no apps loaded 4/6)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll (dated 5/15/2002)

    Ran SpyBot v1.4 and received the same error “smitfraud-c-toolbar888” and removed error.
    >> hkey_local_machine\software\Araf15
    >> hkey_users\…..\Software\Microsoft\aldd

    Ran ATF Cleaner, selected all and removed items.

    Booted into Safe Mode (as admin this time):
    Ran SmitfraudFix and selected option 2 Clean and deleted infected files
    Ran AVG Anti-Spyware 7.5 after downloading ewido-signatures4-full-current (dated 4/10/07) from work.
    >> Found Hijacker.Agent.jh with 19 traces – associated with IE start/search pages.
    >> Found Trojan.BHO.g attached to temp2.tmp.dll and tempe.tmp.dll in system 32 directory.
    >> Applied all Actions to remove these, though they had been found and removed in second fix attempt above.

    Ran SpyBot v1.4 from SafeMode, and it could not find “smitfraud-c-toolbar888”.
    Ran ATF Cleaner from SafeMode
    Ran Cleandisk and rebooted to Normal mode and did not open IE or connect to Internet.
    Ran SpyBot v1.4 and found “smitfraud-c-toolbar888” again in the same registry locations noted above.

    Does anyone have ideas on what is “sticking” between fixes/reboots to continue causing this Trojan intrusion?
    R

    *******************************************************************
    Logs from Third Fix Attempt

    SmitFraudFix v2.166

    Scan done at 19:58:06.38, Tue 04/10/2007
    Run from C:\Temp\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Gateway\EzTune\dtsslsrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Gateway\EzTune\dtsrvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Gateway\EzTune\dthtml.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts
    »»»»»»»»»»»»»»»»»»»»»»»» C:\
    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner
    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data
    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu
    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1
    »»»»»»»»»»»»»»»»»»»»»»»» Desktop
    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=" "

    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""

    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
    »»»»»»»»»»»»»»»»»»»»»»»» DNS
    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
    »»»»»»»»»»»»»»»»»»»»»»»» End


    *******************************************************************
    VundoFix V6.3.19
    Interesting that VundoFix found C:\WINDOWS\System32\tmp5.tmp.dll but did not find temp2.tmp.dll and tempe.tmp.dll noted by AVG Anti-Spyware 7.5. Hence, Vundo did not create a log.

    *********************************************
    Logfile of HijackThis v1.99.1
    Scan saved at 8:10:30 PM, on 4/10/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Gateway\EzTune\dtsslsrv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Gateway\EzTune\dtsrvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Gateway\EzTune\dthtml.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\data\hardware_763n\virus\downloads\hijackthis\hijackthis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = "http://runonce.msn.com/?v
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
    O2 - BHO: CSMHelperObj Class - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll
    O2 - BHO: (no name) - {4a867545-75a5-4e20-ad00-6d247d356fe1} - C:\WINDOWS\system32\forarp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\cbxutr.dll",realset
    O4 - Global Startup: EzTune.lnk = C:\Program Files\Gateway\EzTune\dthtml.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: forarp - C:\WINDOWS\SYSTEM32\forarp.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Gateway\EzTune\dtsslsrv.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Gateway\EzTune\dtsrvc.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

    *******************************************************************
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 10:29:22 PM 4/10/2007
    + Scan result:
    C:\Program Files\Ahead\InCD\InCD.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\HPSelect\frontend\ct.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\QuickTime\qttask.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\WinPortrait\wpctrl.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\iTunes\iTunesHelper.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\SMINST\RECGUARD.EXE -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\NeroCheck.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\hphmon04.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\lsasss.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\ps2.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\system\hpsysdrv.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\hp\KBD\KBD.EXE -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\tmp2.tmp.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\tmpE.tmp.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).


    ::Report end

    END

    Edit:
    "BEFORE you POST"
    Last edited by tashi; 2007-04-11 at 18:53. Reason: Moved from the New or undetected forum, no HJT logs. ;) Added link.
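As an added example that is not part of the thread or of HijackThis, a small Python triage pass over HJT-format log entries that flags the persistence patterns the poster eventually tracked down by hand: an unnamed BHO in the Windows directory, a Winlogon Notify DLL that is also registered as a BHO, a Run entry whose file name is one character off a system binary, and rundll32 loading a DLL from the root of C:\WINDOWS. The heuristics and the sample entries (built from the log posted above) are this example's own assumptions, not HijackThis's logic.

```python
import re
from pathlib import PureWindowsPath

# Added example (not from the thread or from HijackThis): a triage pass over
# HJT-format log entries flagging the persistence patterns the poster spotted
# by hand. SAMPLE_LOG is constructed from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {4a867545-75a5-4e20-ad00-6d247d356fe1} - C:\WINDOWS\system32\forarp.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe",
    r'O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\cbxutr.dll",realset',
    r"O20 - Winlogon Notify: forarp - C:\WINDOWS\SYSTEM32\forarp.dll",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
]

ENTRY_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
# Drive-letter path ending in a binary; a quote or comma terminates the path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|ocx)\b', re.IGNORECASE)
# Windows binaries that malware imitates with a one-character change
# (the log above has lsasss.exe, one 's' away from lsass.exe).
SYSTEM_NAMES = ("lsass.exe", "svchost.exe", "winlogon.exe", "services.exe",
                "smss.exe", "explorer.exe")


def one_edit_apart(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    i = j = edits = 0
    while i < len(a):
        if a[i] != b[j]:
            edits += 1
            if edits > 1:
                return False
            if len(a) == len(b):
                i += 1  # substitution: skip the mismatch in both strings
            j += 1      # insertion in b: skip it only in the longer string
        else:
            i, j = i + 1, j + 1
    return edits + (len(b) - j) == 1  # unread tail of b is a trailing insertion


def triage(lines):
    """Return [(entry, reason)] for HJT entries worth a second look."""
    matches = (ENTRY_RE.match(line.strip()) for line in lines)
    entries = [(m["sec"], m["body"], m.group(0)) for m in matches if m]
    # File names of every DLL registered as a Browser Helper Object (O2).
    bho_dlls = {PureWindowsPath(p).name.lower() for sec, body, _ in entries
                if sec == "O2" for p in PATH_RE.findall(body)}
    findings = []
    for sec, body, raw in entries:
        paths = [PureWindowsPath(p) for p in PATH_RE.findall(body)]
        if sec == "O2" and "(no name)" in body and any(
                "\\windows\\" in str(p).lower() for p in paths):
            findings.append((raw, "unnamed BHO loaded from the Windows directory"))
        if sec == "O20" and body.startswith("Winlogon Notify") and any(
                p.name.lower() in bho_dlls for p in paths):
            findings.append((raw, "Winlogon Notify DLL is also a BHO: runs at "
                                  "every logon and inside Internet Explorer"))
        if sec == "O4":
            for p in paths:
                if any(one_edit_apart(p.name.lower(), s) for s in SYSTEM_NAMES):
                    findings.append((raw, f"look-alike of a system binary: {p.name}"))
                if (p.suffix.lower() == ".dll" and "rundll32" in body.lower()
                        and p.parent.name.lower() == "windows"):
                    findings.append((raw, "rundll32 loading a DLL from the root of C:\\WINDOWS"))
    return findings
```

Running `triage(SAMPLE_LOG)` reports the forarp.dll BHO, the lsasss.exe Run entry, the cbxutr.dll rundll32 entry and the forarp Winlogon Notify entry, and leaves SDHelper.dll, NvCpl.dll and igfxsrvc.dll alone.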

  2. #2
    Junior Member (Join Date: Apr 2007, Posts: 5)

    Thanks tashi, and question

    I read through the link you added in the reply and am confused, as I was trying to help troubleshoot. Should I just post this section to the forum to get advice?

    ************************
    April 11, 2007: Anyone have ideas on how to remedy another case of smitfraud, Hijacker.Agent.jh and Trojan.BHO.g?

    System:
    : HP Pavilion, 2.6 GHz, 512 MB, 56% free disk space, Windows XP
    : Internet Connection Firewall enabled in Network Connections
    : Running Internet Explorer v6.026 w/ Panicware popup blocker enabled
    : Dialup connection through external USR modem using ATT WorldNet
    : Norton AV 2002 does not detect any viruses

    Symptoms: (began appearing March 2007)
    : Modem began behaving differently, receiving data before login acknowledgement
    : Modem intermittently receiving data after web page contents downloaded
    : Internet Explorer window seemed to flash briefly on occasion.
    : Nuisance pop-up windows becoming more numerous over time
    : Slow Internet access
    : Situation degrades over time
    : Spybot 1.4 detects smitfraud-c-toolbar888, but cannot cure.
    >> Numerous postings are describing SpyBot detecting smitfraud as a false positive
    ************************

  3. #3
    Junior Member (Join Date: Apr 2007, Posts: 5)

    Starting a new Post, so please close this one.

    After reading again through multiple stickies, I will repost so this posting can be deleted.

    Thanks. I am trying to follow the rules, but new to SpyBot.

  4. #4
    Junior Member (Join Date: Apr 2007, Posts: 5)

    Request assistance on smitfraud, Hijacker.Agent.jh and Trojan.BHO.g

    Special note: I am not recommending or inferring to any user to implement steps without SpyBot moderator directions.

    Purpose: Ask SpyBot for assistance on two inquiries.

    #1 - Possible new malware for SpyBot to review.
    After completing multiple scenarios using the utilities noted below, I may have found the problem.
    : ..\system32\forarp.dll (was dated 4/6/2007 on my PC)
    : HijackThis showed this DLL as a Browser Helper Object (BHO), and it was also listed as an O20 Winlogon Notify entry.
    >> O2 - BHO: (no name) regarding system/32/forarp.dll.
    >> O20 - Winlogon Notify: forarp - C:\WINDOWS\SYSTEM32\forarp.dll
    : Used HijackThis to kill forarp from memory, and then rebooted to safe mode to select and remove entries.
    : Though I am not sure, I believe this measure removed a second instance of explorer from running processes.
    : Many other malware (smitfraud, Hijacker.Agent.jh, Trojan.BHO.g, redialer -- to name a few) had been removed, but forarp.dll 'stuck'.

    I have not tried to log into the Internet from my home PC yet. Can the SpyBot forum moderator review my latest SpyBot, HJT, or AVGAS logs?


    *******************************************************
    #2 - SpyBot v1.4 with April updates detecting “smitfraud-c-toolbar888” after all other malware utilities mentioned below show 'all clear'.
    I searched the false positives forum, and other SpyBot forums, and could not find these registry entries.
    >> hkey_local_machine\software\Araf15
    >> hkey_users\…..\Software\Microsoft\aldd

    SpyBot removes them, but they appear again when running SpyBot after rebooting (safe or normal mode). For reference, all other malware utilities used could not detect any issues on my latest malware removal attempt except for XoftSpySE which also reflects a registry 'sticky' between reboots:
    : "software\microsoft\internet explorer\main\start page\about:blank:@:about:blank
    >> For reference, my PC default home page is about:blank

    As folks learn, Trojan malware/viruses are persistent changing file names and taking over OS files. This #2 inquiry may be related to #1, but wanted to separate in case they are separate.


    *******************************************************
    System:
    : HP Pavilion, 2.6 GHz, 512 MB, 56% free disk space
    : Windows XP without SP1a or SP2 (will install as soon as malware is removed)
    : Internet Connection Firewall enabled in Network Connections
    : Running Internet Explorer v6.026 w/ Panicware popup blocker enabled
    : Dialup connection through external USR modem using ATT WorldNet
    : Norton AV 2002 does not detect any viruses

    Symptoms: (began appearing late March 2007)
    : Modem began behaving differently, receiving data before login acknowledgement (coincidence?)
    : Modem intermittently receiving data after web page contents downloaded
    : Internet Explorer window seemed to flash briefly on occasion.
    : Nuisance pop-up windows becoming more numerous over time
    : Slow Internet access
    : Situation degrades over time

    Fix Attempt
    : Reading other postings, followed steps to run multiple utilities (from safe mode, and not in this order)
    >> Spybot v1.4, XoftSpySE, Vundo Fix, ATF Cleaner, SmitfraudFix, HijackThis, AFW Find, AVG Anti-Spyware (April 10 definitions)
    >> Ran XP's Disk Cleanup, made new Restore Point and deleted old ones

    Thanks for any assistance.
    ...cicero

  5. #5
    Junior Member (Join Date: Apr 2007, Posts: 5)

    Problem Solved

    After some research and persistence on my own, running the utilities mentioned in my posting, figuring out how to delete forarp.dll, and manually removing the registry entries producing the smitfraud entry on the Spybot v1.4 scan all combined to remove the malware.

    In addition, I loaded XP Service Pack 1a and then SP2. The PC is running faster and Internet access is no longer a problem.

    Thread closed.
    ...cicero

  6. #6
    tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,961)

    Topics merged and closed.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
