Hi,
I too am having trouble with smitfraud.
I tried to run the eTrust Antivirus Web Scanner on that computer but it resulted in a blue screen (of death).
I should note that that I previously tried some removal tools and tutorials, if that information is helpful.
Looking through other similar problems on this forum I have already run VundoFix.
Below are my HJT and VundoFix logs.
If there is any information I left out or it is not formatted correctly please tell me so I can fix it as soon as possible.
Thanks.
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 2:48:20 AM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\micro1\b9.exe
C:\WINDOWS\system32\owintodv.exe
C:\WINDOWS\system32\dllhost.exe
C:\DOCUME~1\CATHYW~1\APPLIC~1\SSEMBL~1\winlogon.exe
C:\Documents and Settings\Cathy Wolf\My Documents\?ymantec\tracert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\kill button\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11B1AD47-6EA5-1E03-F63A-68E34FE3FB9F} - C:\WINDOWS\system32\ply.dll
O2 - BHO: (no name) - {2E9AC12A-5A75-4F73-899D-46989096C12c} - C:\WINDOWS\system32\kabnxaan.dll
O2 - BHO: (no name) - {4794E1F0-33F7-463D-B8E4-55F0D47F84D4} - C:\Program Files\Windows NT\vigyqeb.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb103\Dealio.dll
O2 - BHO: (no name) - {6FA6A171-A683-442D-AE71-2B4B9C4EFE70} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O2 - BHO: 0 - {7497BE1C-CB9B-4677-16B0-CE5B30384AF5} - C:\Program Files\Online Services\zyrikucat773.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {A9CDE63E-E103-4B9F-B219-DC8DEC1E8FA6} - C:\Program Files\Windows NT\vigyqeb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\iiffgdb.dll
O2 - BHO: (no name) - {f86cbf13-8a30-4b42-821f-5de9b14f0ea8} - C:\WINDOWS\system32\DELhcp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb103\Dealio.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owintodv.exe SKY003
O4 - HKLM\..\Run: [qwertybot.exe] C:\WINDOWS\system32\qwertybot.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [{1C-C8-82-2F-ZN}] C:\windows\system32\nsdsregr.exe SKY003
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\rqsfgrdw.dll",realset
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\temp\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\CATHYW~1\APPLIC~1\SSEMBL~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Bajaq] "C:\Documents and Settings\Cathy Wolf\My Documents\?ymantec\tracert.exe"
O4 - Startup: Shortcut to pccguide.lnk = C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owintodv.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb103\res\DealioSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb103\Dealio.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\rlls.dll' missing
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
O20 - Winlogon Notify: DELhcp - C:\WINDOWS\SYSTEM32\DELhcp.dll
O20 - Winlogon Notify: iiffgdb - C:\WINDOWS\SYSTEM32\iiffgdb.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
VundoFix:
VundoFix V6.3.21
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 8:54:28 PM 5/6/2007
Listing files found while scanning....
C:\WINDOWS\system32\c_8res.dll
C:\WINDOWS\system32\tmp1D2.tmp.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\c_8res.dll
C:\WINDOWS\system32\c_8res.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\tmp1D2.tmp.dll
C:\WINDOWS\system32\tmp1D2.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\c_8res.dll
C:\WINDOWS\system32\c_8res.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.21
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 9:19:02 PM 5/6/2007
Listing files found while scanning....
C:\WINDOWS\system32\tmp80.tmp.dll
Beginning removal...
Performing Repairs to the registry.
Done!
VundoFix V6.3.21
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 10:17:44 PM 5/6/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.3.21
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 2:04:30 AM 5/7/2007
Listing files found while scanning....
C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\igonjmae.dll
C:\WINDOWS\system32\pmkhf.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\fhkmp.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\igonjmae.dll
C:\WINDOWS\system32\igonjmae.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\pmkhf.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\pmkhf.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.21
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 2:35:32 AM 5/7/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...