Vcodec; Smitfraud-C; SpyQuake

[Fusion Dan]

I have some items on my computer that I cannot get rid of.

I have been running Spybot S&D, and Adaware SE, in safe mode. Both locate Vcodec and Smitfraud, and say that they remove it successfully.

When I then open my computer in normal mode, I get pop-ups (some of which are embarrassing).

When I switched on my computer this morning Spybot ran before anything else had opened up. It found Vcodec, and said that it removed it. When windows fully opened up I had SpyQuake on my screen. I have seen SpyQuake before, and uninstalled it.

I shut down the computer; opened it in safe mode; uninstalled SpyQuake; ran Spybot (located and removed Vcodec; Smitfraud-C; SpyQuake); ran Adaware SE (found 13no critical objects, and removed them).

When I then restarted my computer a small red box keeps popping up in the bottom right of my screen, stating that a critical error has occurred, and that I should click in the box to install some antivirus software. I ignore this box, as am scared it may just be more evil...

I do not know what to do.

I have seen that people post HijackThis logs on here, so here is mine:

Logfile of HijackThis v1.97.7
Scan saved at 10:11:41, on 20/04/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mssearchnet.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\MI05E6~1\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dan.FUSION\Desktop\HijackThis.exe

O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINNT\system32\hpD1AE.tmp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office2000\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Please can you help me, this problem is making work a nightmare...

Cheers

Dan :(

[pskelley]

Hi Dan and welcome to the forum. Let's see if I can get you started down the right path. First, Ad-aware and Spybot are good programs for removing a lot of the nasty adware out there, but it will not remove this trojan.

Please be advised that most forums Pin the information you need at the top of the page. This link is a must before you can proceed because your version of HJT is probably two years old, so you need to upgrade to version 1.99.1, and I suggest you review all Pinned information.
http://forums.spybot.info/showthread.php?t=288

The information you need to go after the infection is also posted there:
SpywareQuake/SpywareFalcon HiJack
http://forums.spybot.info/showthread.php?t=3261

Thanks...pskelley
Safer Networking Forums

[tashi]

This topic is closed due to lack of a response.
If you need it re-opened please send me a pm and provide a link to the thread.