
Thread: Smitfraud-C/Zlobdownloader.vcd Infestation

  1. #1
    Junior Member
    Join Date
    Dec 2007
    Posts
    9

    Smitfraud-C/Zlobdownloader.vcd Infestation

    I have had for several days an infestation of the above. Spybot -- S & D (running normally) shows them being removed but they are there again when you run it a second time. In the safe mode, they don't show up the second time, but reappear when in the normal mode. It seems to be morphing. I always have three entries for Smitfraud-C, but what they are changes. Just today, I have an ugly red desktop wallpaper hawking "privacy protection software".

    I downloaded SmitFraudFix v2.274 a few days ago and ran "Search Only".

    I have followed the steps in http://forums.spybot.info/showthread.php?t=288 with the following results. Hope someone can give me some guidance with getting rid of this abomination.

    (a) HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:29:09, on 30-Dec-07
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Network Associates\PGPNT\PGPTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/William%20K.%20Alverson/My%20Documents/My%20Webs/WKAHomeP/index.html
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193087558250
    O21 - SSODL: xcvwer - {DC22B0EA-AA42-4F3A-AA6A-878D3A467FC3} - C:\WINNT\xcvwer.dll
    O21 - SSODL: hjoqor - {43E0E204-AAAA-4BE3-8924-99EE63A8F905} - C:\WINNT\hjoqor.dll (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5060 bytes

    (b) Kaspersky log report

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, 29 December, 2007 15:18:01
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 29/12/2007
    Kaspersky Anti-Virus database records: 499999
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    B:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 69943
    Number of viruses found: 7
    Number of infected objects: 55
    Number of suspicious objects: 370
    Duration of the scan process: 01:56:52


    Hmmm! It wouldn't take the full thing showing that there were a total of 216,777 characters as compared to 20,000 characters max. I guess that would take a total of 22 separate posts to do. Suggestions? Anyhow, that is the beginning of the Kaspersky log.

  2. #2
    Retired Security Volunteer
    Join Date
    Nov 2007
    Posts
    69


    Hello, and welcome to the forum.

    My name is Simon V., and I'll be glad to help you with your computer problems.

    Can you please post the SmitfraudFix report? It can be found here: C:\rapport.txt.

    Let's try this to make the Kaspersky Online Scan report shorter:

    Please download FixEdit.

    • Double-click on FixEdit.exe to open the program.
    • Go to File > Open, select the Kaspersky Online Scan report and click on Open.
    • Click on the Make Global Changes tab.
    • In the upper part (red lines), select Does NOT Contain the Test Key anywhere.
    • In the Test Key Text box, enter the text in the quotebox below:

      Code:
      Object is locked skipped
    • Make sure Retain only the lines that pass the Test Parameter, Discard the Rest is checked.
    • Click OK.
    • Now, click on the Show/Edit Current Text tab. Your Kaspersky Online Scan report should be a lot shorter now. Go to File > SaveAs and save the file to your desktop.
    • Please post the contents of that file in your next reply, along with the SmitfraudFix report (C:\rapport.txt) and a new HijackThis log.

  3. #3
    Junior Member
    Join Date
    Dec 2007
    Posts
    9

    SmitFraudFix log

    Thanks, the SmitFraudFix log is posted below. This is several days old by now.

    I will work on the other instructions in your last and post again with the results.

    SmitFraudFix v2.274

    Scan done at 20:08:15.48, Sun 30-12-2007
    Run from C:\Buffer1\SmitfraudFix
    OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Network Associates\PGPNT\PGPTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINNT\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    127.0.0.1 legal-at-spybot.info
    127.0.0.1 www.legal-at-spybot.info

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

    C:\WINNT\binret.exe FOUND !
    C:\WINNT\ttvbon???.dll FOUND !
    C:\WINNT\xcvwer.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\William K. Alverson


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\William K. Alverson\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1

    C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Error Cleaner.url FOUND !
    C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Privacy Protector.url FOUND !
    C:\DOCUME~1\WILLIA~1.ALV\FAVORI~1\Spyware?Malware Protection.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    C:\DOCUME~1\WILLIA~1.ALV\Desktop\Spyware?Malware Protection.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix.exe by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: VIA VT6105 Rhine III Fast Ethernet Adapter
    DNS Server Search Order: 192.168.254.254
    DNS Server Search Order: 192.168.1.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{8FE8B8AE-B201-4129-B829-F5668C288B0C}: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254 192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

  4. #4
    Junior Member
    Join Date
    Dec 2007
    Posts
    9

    Edited Kaspersky

    I am having trouble getting the FixEdit to work. If I follow the instructions and save the results as a .txt file (or alternatively cut and paste to Notepad and do the same) I get a file that is no longer readable, but seems to be nothing but zeros.

    Also, looking at the original smitfraudfix log which I had saved as a .txt file, I see that the phrase "Object is locked[tab]skipped" rather than "Object is locked skipped" appears often and is not removed after specifying the latter. The difference appears to be a tab character rather than a space.

    On originally loading the file, I get "file contains UniCode or Database Null character. Use Fixedit to open in plain text with the nulls removed?" and the only choice is yes or cancel.

    ??

  5. #5
    Retired Security Volunteer
    Join Date
    Nov 2007
    Posts
    69

    Did you save the initial Kaspersky log as a .txt file?

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    9


    Yes, it was, in fact, saved as a .txt file. It shows up quite readable in FixEdit when I open it. And it is readable after I get through the Global changes. It is only after I save the edited version and then go back and reopen it that the problem occurs. I have tried saving it in FixEdit (I give a name with the extension .txt -- it doesn't give me any file types to select from) or copying and pasting into Notepad and saving as a text file. I got the same results both ways.

    I can't remember exactly what I did to save the original, unedited, file, but the instructions show that the program gives the choice to "save as text" and thus I must have done it that way instead of cutting and pasting into Notepad and saving as a text file (in the latter case, I might have missed an opening or closing character if I didn't use select all.)

    I guess I could run the Kaspersky again. It takes a bloody long time, but I guess this time I won't have to go through all the download time again.

    How about the tab versus space thing?

    Bill
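A script, added here as an example and not part of the thread or of the FixEdit tool, that does what the FixEdit steps in post #2 are meant to do: drop every "Object is locked ... skipped" line from a Kaspersky Online Scanner report. It also covers the two snags raised in posts #4 and #6: the separator between "locked" and "skipped" is matched whether it is a tab or spaces, and a report saved as Unicode (UTF-16, which shows up as nulls when read as plain text) is decoded before filtering and written back as UTF-8. The sample report lines and the file paths are constructed for the example.

```python
import re
from pathlib import Path

# The lines FixEdit was meant to discard: "Object is locked", then any run of
# spaces or tabs (the report actually uses a tab), then "skipped".
LOCKED_SKIPPED = re.compile(r"Object is locked[ \t]+skipped")


def decode_report(data: bytes) -> str:
    """Decode a report saved as UTF-16 (with or without BOM) or as 8-bit text.

    A UTF-16 file opened as plain text appears as every other byte being a
    null, which is the 'UniCode or Database Null character' symptom from the
    thread. Checking the BOM / embedded nulls first avoids that.
    """
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")          # BOM selects the byte order
    if data.startswith(b"\xef\xbb\xbf"):
        return data.decode("utf-8-sig")
    if b"\x00" in data:
        return data.decode("utf-16-le", errors="replace")  # BOM-less Windows text
    return data.decode("cp1252", errors="replace")


def filter_report(text: str) -> list:
    """Keep only the lines that do NOT contain the locked/skipped marker."""
    return [line for line in text.splitlines() if not LOCKED_SKIPPED.search(line)]


def shorten_report(src: Path, dst: Path) -> int:
    """Read src, drop the locked/skipped lines, write dst as UTF-8.

    Returns the number of lines kept so the caller can sanity-check the result.
    """
    kept = filter_report(decode_report(src.read_bytes()))
    dst.write_text("\n".join(kept) + "\n", encoding="utf-8")
    return len(kept)


# Constructed sample in the report's shape (not lines from the thread's log).
SAMPLE = (
    "KASPERSKY ONLINE SCANNER REPORT\n"
    "C:\\pagefile.sys\tObject is locked\tskipped\n"          # tab separator
    "C:\\WINNT\\sample-a.dll\tObject is locked skipped\n"    # space separator
    "C:\\WINNT\\sample-b.dll\tInfected: placeholder-detection-name\n"
)

if __name__ == "__main__":
    # Hypothetical paths; adjust to where the saved report actually lives.
    print(shorten_report(Path("kaspersky-report.txt"), Path("kaspersky-short.txt")))
```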
