I think it's SmitFraud

j_r_2 · Nov 15, 2006

Hi, I've got an evil little warning icon in the system tray that says: "Security warning: your computer may be infected with harmful or unwanted software!" It is a dark-red / brown circle with an exclamation point in it. My HJT, Spybot S&D, and SmitFraudFix v2.121 logs are here:

Logfile of HijackThis v1.99.1
Scan saved at 4:04:04 AM, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\sysk.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
G:\Program Files\Analog Devices\Core\smax4pnp.exe
G:\WINDOWS\system32\taskswitch.exe
G:\Program Files\Common Files\AOL\1136666216\ee\AOLSoftware.exe
G:\WINDOWS\BCMSMMSG.exe
G:\Program Files\Winamp\winampa.exe
G:\Program Files\Common Files\{C4BC0BAE-0A21-1033-0826-040416030001}\Update.exe
G:\Program Files\Dell Support\DSAgnt.exe
G:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
G:\Program Files\PowerMenu\PowerMenu.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
G:\PROGRA~1\FREEDO~1\fdm.exe
g:\program files\common files\aol\1136666216\ee\aexplore.exe
G:\WINDOWS\system32\cmd.exe
G:\WINDOWS\system32\cmd.exe
G:\HJT\Scanner.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 212.58.224.114 www.bbc.co.uk
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - G:\Program Files\Common Files\{34BC0BAE-0A21-1033-0826-040416030001}\MyToolBar.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - G:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - G:\Program Files\Common Files\{34BC0BAE-0A21-1033-0826-040416030001}\MyToolBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CAVRID] "G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] G:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CoolSwitch] G:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HostManager] G:\Program Files\Common Files\AOL\1136666216\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] G:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPHSend] G:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe G:\WINDOWS\system32\drvtus.dll,startup
O4 - HKCU\..\Run: [DellSupport] "G:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.0.lnk = G:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerMenu.lnk = G:\Program Files\PowerMenu\PowerMenu.exe
O8 - Extra context menu item: &AOL Toolbar Search - g:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://G:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://G:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://G:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://G:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://G:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://G:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://G:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://G:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://G:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "G:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: sysk - G:\WINDOWS\SYSTEM32\sysk.dll
O20 - Winlogon Notify: winmfu32 - G:\WINDOWS\SYSTEM32\winmfu32.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

Spybot - Search & Destroy:
Smitfraud-C.Toolbar888: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-492894223-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C004DEC2-2623-438E-9CA2-C9043AB28508}

Smitfraud-C.Toolbar888: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{C004DEC2-2623-438e-9CA2-C9043AB28508}

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

Smitfraud-C.Toolbar888: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C004DEC2-2623-438e-9CA2-C9043AB28508}

Smitfraud-C.Toolbar888: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2000478354-492894223-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C004DEC2-2623-438E-9CA2-C9043AB28508}\iexplore

Smitfraud-C.Toolbar888: IE toolbar (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{C004DEC2-2623-438e-9CA2-C9043AB28508}

Smitfraud-C.Toolbar888: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\MyToolBar.MyToolBarObj

Smitfraud-C.Toolbar888: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\MyToolBar.MyToolBarObj.1

Smitfraud-C.Toolbar888: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C004DEC2-2623-438e-9CA2-C9043AB28508}

Smitfraud-C.Toolbar888: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ToolBar888

Smitfraud-C.Toolbar888: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}

Smitfraud-C.Toolbar888: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}

YazzleSudoku: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1162Oin

YazzleSudoku: Executable (File, nothing done)
G:\Program Files\Common Files\Yazzle1162OinUninstaller.exe

Microsoft.Windows.RedirectedHosts: Redirected host (Redirected host, nothing done)
auto.search.msn.com=127.0.0.1

Microsoft.WindowsSecurityCenter.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-01 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-11-10 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-11-10 Includes\DialerC.sbi (*)
2006-11-03 Includes\Hijackers.sbi (*)
2006-11-10 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-11-10 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-11-10 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-11-10 Includes\PUPSC.sbi (*)
2006-11-10 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-11-10 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-11-10 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-11-03 Includes\Trojans.sbi (*)
2006-11-10 Includes\TrojansC.sbi (*)

SmitFraudFix v2.121

Scan done at 4:29:12.03, Wed 11/15/2006
Run from G:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» G:\

»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS\system32

G:\WINDOWS\system32\drvtus.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» G:\Documents and Settings\Administrator

»»»»»»»»»»»»»»»»»»»»»»»» G:\Documents and Settings\Administrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» G:\DOCUME~1\ADMINI~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» G:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks for any help you can give; I've already tried to fry this bug once, but its back now

guess I should have asked for help first.

Shaba · Nov 15, 2006

Hi

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch Ewido is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
  Note: If the Update now option is grayed out, follow the steps below.
  - Click on Update on the toolbar.
  - Under Manual update, click on the Start Update button.
  - Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update AVG Anti-Spyware.
AVG manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

Please download ATF Cleaner by Atribune and save
it to desktop. Don't use it yet.
______________________________

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.
[/list]Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button.
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Please post:

c:\rapport.txt
combofix report
AVG Anti-Spyware log
A new HijackThis log

Your may need several replies to post the requested logs, otherwise they might get cut off.

j_r_2 · Nov 19, 2006

!Thank you! I do believe it's gone...

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:33:09 AM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
G:\Program Files\Analog Devices\Core\smax4pnp.exe
G:\WINDOWS\system32\taskswitch.exe
G:\Program Files\Common Files\AOL\1136666216\ee\AOLSoftware.exe
G:\WINDOWS\BCMSMMSG.exe
G:\Program Files\Winamp\winampa.exe
G:\WINDOWS\system32\rundll32.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Program Files\Dell Support\DSAgnt.exe
G:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
G:\Program Files\PowerMenu\PowerMenu.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\VCOM\PowerDesk\pdfind.exe
G:\HJT\Scanner.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 212.58.224.114 www.bbc.co.uk
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E67A629-9F5B-3E4E-FCC4-0B879D45A7F1} - G:\WINDOWS\system32\hknrtjd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - G:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CAVRID] "G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] G:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CoolSwitch] G:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HostManager] G:\Program Files\Common Files\AOL\1136666216\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] G:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPHSend] G:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [zbqddwj.dll] G:\WINDOWS\system32\rundll32.exe G:\WINDOWS\system32\zbqddwj.dll,edubfad
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "G:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.0.lnk = G:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerMenu.lnk = G:\Program Files\PowerMenu\PowerMenu.exe
O8 - Extra context menu item: &AOL Toolbar Search - g:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://G:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://G:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://G:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://G:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://G:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://G:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://G:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://G:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://G:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "G:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: sysk - G:\WINDOWS\SYSTEM32\sysk.dll
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

AVG Anti-Spyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:21:22 AM 11/19/2006

+ Scan result:

G:\Downloads\SetupPoker.exe -> Adware.Casino : Cleaned with backup (quarantined).
:mozilla.30:G:\Documents and Settings\Members.MEMBER-COMPUTER\Application Data\Mozilla\Firefox\Profiles\5ck3te4n.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned.
:mozilla.65:G:\Documents and Settings\Members\Application Data\Mozilla\Firefox\Profiles\ma3qtj2a.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.83:G:\Documents and Settings\Members\Application Data\Mozilla\Firefox\Profiles\ma3qtj2a.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
G:\WINDOWS\system32\winmfu32.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined).

::Report end

ComboFix:

Administrator - 06-11-19 2:49:35.73 Service Pack 2
ComboFix 06.11.9 - Running from: "G:\downloads"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

G:\WINDOWS\system32\ishost.exe
G:\WINDOWS\system32\ismini.exe
G:\WINDOWS\system32\isnotify.exe
G:\WINDOWS\system32\issearch.exe
G:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
G:\WINDOWS\system32\ixt0.dll
G:\WINDOWS\system32\ixt1.dll
G:\Program Files\Safety Bar
G:\WINDOWS\system32\components
G:\Program Files\Common Files\{34BC0BAE-0A21-1033-0826-040416030001}
G:\Program Files\Common Files\{C4BC0BAE-0A21-1033-0826-040416030001}

((((((((((((((((((((((((((((((( Files Created from 2006-10-19 to 2006-11-19 ))))))))))))))))))))))))))))))))))

2006-11-16 17:11 94,208 --a------ G:\WINDOWS\system32\zbqddwj.dll
2006-11-16 17:11 71,680 --a------ G:\WINDOWS\system32\hknrtjd.dll
2006-11-15 01:04 59,392 --a------ G:\WINDOWS\system32\drvtus.dll
2006-10-27 07:00 44,644 --a------ G:\sysk.exe
2006-10-27 05:54 15,872 --a------ G:\WINDOWS\system32\winmfu32.dll
2006-10-22 00:45 26,787 --a------ G:\WINDOWS\system32\drivers\vetmonnt.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-19 02:50 -------- d-------- G:\Program Files\Common Files
2006-11-19 02:48 -------- d-------- G:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2006-11-19 00:00 -------- d-------- G:\Program Files\Greetings Workshop
2006-11-15 05:55 -------- d-------- G:\Documents and Settings\Administrator\Application Data\Free Download Manager
2006-11-15 00:56 -------- d-------- G:\Program Files\Debugging Tools for Windows
2006-11-06 09:13 -------- d-------- G:\Documents and Settings\Administrator\Application Data\Azureus
2006-11-05 06:29 -------- d-------- G:\Program Files\Yahoo!
2006-11-05 05:41 -------- d-------- G:\Program Files\Azureus
2006-11-05 05:40 -------- d-------- G:\Documents and Settings\Administrator\Application Data\Sun
2006-11-05 00:46 -------- d-------- G:\Program Files\Viewpoint
2006-11-05 00:46 -------- d-------- G:\Program Files\AOL
2006-11-05 00:46 -------- d-------- G:\Program Files\AOD
2006-11-01 03:55 -------- d-------- G:\Program Files\ffdshow
2006-11-01 02:47 -------- d-------- G:\Program Files\Malicious Software Removal Tool
2006-11-01 02:42 -------- d-------- G:\Program Files\AutoPatcher
2006-11-01 02:32 -------- d---s---- G:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-22 00:45 629264 --a------ G:\WINDOWS\system32\drivers\VetEFile.sys
2006-10-22 00:45 108592 --a------ G:\WINDOWS\system32\drivers\VetEBoot.sys
2006-10-19 07:13 -------- d-------- G:\Program Files\Google
2006-10-08 02:58 -------- d-------- G:\Program Files\Cablenut
2006-10-07 23:43 73216 --a------ G:\WINDOWS\ST6UNST.EXE
2006-10-07 23:43 249856 --------- G:\WINDOWS\Setup1.exe
2006-09-23 22:32 -------- d-------- G:\Program Files\Themes
2006-08-21 07:21 16896 --a------ G:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ G:\WINDOWS\system32\fltmc.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"G:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MsnMsgr"="\"G:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"G:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe\" -quiet"
"swg"="G:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="G:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"CAVRID"="\"G:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"Zone Labs Client"="\"G:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Firewall\\ca.exe\""
"NvCplDaemon"="RUNDLL32.EXE G:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE G:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SoundMAXPnP"="G:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"CoolSwitch"="G:\\WINDOWS\\system32\\taskswitch.exe"
"HostManager"="G:\\Program Files\\Common Files\\AOL\\1136666216\\ee\\AOLSoftware.exe"
"iTunesHelper"="\"G:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"G:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"BCMSMMSG"="BCMSMMSG.exe"
"WinampAgent"="G:\\Program Files\\Winamp\\winampa.exe"
"IPHSend"="G:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"CTDrive"="rundll32.exe G:\\WINDOWS\\system32\\drvtus.dll,startup"
"zbqddwj.dll"="G:\\WINDOWS\\system32\\rundll32.exe G:\\WINDOWS\\system32\\zbqddwj.dll,edubfad"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{ff170564-36c8-43f7-9100-559e166405cf}"="cussers"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceClassicControlPanel"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"kernel32.dll"="G:\\WINDOWS\\system32\\isnotify.exe"
"ishost.exe"="ishost.exe"
"issearch.exe"="issearch.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"cussers"="{ff170564-36c8-43f7-9100-559e166405cf}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=dword:00000002
"VETMSGNT"=dword:00000002
"NVSvc"=dword:00000002
"NMSAccess"=dword:00000002
"NetSvc"=dword:00000003
"iPodService"=dword:00000003
"IIYGW"=dword:00000003
"IDriverT"=dword:00000003
"EJ"=dword:00000003
"DUGZEARGERS"=dword:00000003
"DAHQGBN"=dword:00000003
"CAISafe"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sysk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfu32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-19 2:51:23.67
G:\ComboFix.txt ... 06-11-19 02:51

rapport_before:

SmitFraudFix v2.121

Scan done at 3:00:14.70, Sun 11/19/2006
Run from G:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ff170564-36c8-43f7-9100-559e166405cf}"="cussers"

[HKEY_CLASSES_ROOT\CLSID\{ff170564-36c8-43f7-9100-559e166405cf}\InProcServer32]
@="G:\WINDOWS\system32\cfltygd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ff170564-36c8-43f7-9100-559e166405cf}\InProcServer32]
@="G:\WINDOWS\system32\cfltygd.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

G:\WINDOWS\system32\ot.ico Deleted
G:\WINDOWS\system32\ts.ico Deleted
G:\WINDOWS\system32\drvtus.dll Deleted
G:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
G:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
G:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
G:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

j_r_2 · Nov 19, 2006

cont'd

rapport_after:

SmitFraudFix v2.121

Scan done at 4:34:47.79, Sun 11/19/2006
Run from G:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» G:\

»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» G:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» G:\Documents and Settings\Administrator

»»»»»»»»»»»»»»»»»»»»»»»» G:\Documents and Settings\Administrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» G:\DOCUME~1\ADMINI~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» G:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Shaba · Nov 19, 2006

Hi

Open HijackThis, click do a system scan only and checkmark these:

O4 - HKLM\..\Run: [zbqddwj.dll] G:\WINDOWS\system32\rundll32.exe G:\WINDOWS\system32\zbqddwj.dll,edubfad
O20 - Winlogon Notify: sysk - G:\WINDOWS\SYSTEM32\sysk.dll
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)

Close all windows including browser and press fix checked.

Please download the Killbox.
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

G:\WINDOWS\system32\zbqddwj.dll
G:\WINDOWS\system32\hknrtjd.dll
G:\WINDOWS\system32\drvtus.dll
G:\sysk.exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

If your computer does not restart automatically, please restart it manually.

Re-run combofix

Send:

- a fresh HijackThis log
- combofix report

j_r_2 · Nov 20, 2006

Hi, I did everything you said, with the exception of \windows\system32\sysk.exe and \sysk.exe . These files are from Soft-Central SC-KeyLog 2.25, see http://www.majorgeeks.com/SC-KeyLog_d4136.html . That program is used to monitor this computer, and is put in place by the admins. Unless this program is inherently dangerous / malicious, they wish to keep it.

:

Killbox:

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Monday, November 20, 2006, 2:50 AM

# 1 [Files to Delete]
Path = G:\WINDOWS\system32\zbqddwj.dll
*File Was Deleted

# 2 [Files to Delete]
Path = G:\WINDOWS\system32\hknrtjd.dll
*File Was Deleted

# 3 [Files to Delete]
Path = G:\WINDOWS\system32\drvtus.dll
*This file does not seem to exist

Killbox Closed(Exit) @ 2:55:50 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Monday, November 20, 2006, 2:58 AM

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:05:16 AM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
G:\Program Files\Analog Devices\Core\smax4pnp.exe
G:\WINDOWS\system32\taskswitch.exe
G:\Program Files\Common Files\AOL\1136666216\ee\AOLSoftware.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\WINDOWS\BCMSMMSG.exe
G:\Program Files\Winamp\winampa.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Program Files\Dell Support\DSAgnt.exe
G:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
G:\Program Files\PowerMenu\PowerMenu.exe
G:\WINDOWS\notepad.exe
G:\WINDOWS\system32\NOTEPAD.EXE
G:\WINDOWS\system32\NOTEPAD.EXE
G:\WINDOWS\system32\NOTEPAD.EXE
G:\hjt\Scanner.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 212.58.224.114 www.bbc.co.uk
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E67A629-9F5B-3E4E-FCC4-0B879D45A7F1} - G:\WINDOWS\system32\hknrtjd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - G:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CAVRID] "G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] G:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CoolSwitch] G:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HostManager] G:\Program Files\Common Files\AOL\1136666216\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] G:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPHSend] G:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "G:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.0.lnk = G:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerMenu.lnk = G:\Program Files\PowerMenu\PowerMenu.exe
O8 - Extra context menu item: &AOL Toolbar Search - g:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://G:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://G:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://G:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://G:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://G:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://G:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://G:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://G:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://G:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "G:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: sysk - G:\WINDOWS\SYSTEM32\sysk.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

ComboFix:

Administrator - 06-11-20 3:01:17.29 Service Pack 2
ComboFix 06.11.9 - Running from: "G:\downloads"

((((((((((((((((((((((((((((((( Files Created from 2006-10-20 to 2006-11-20 ))))))))))))))))))))))))))))))))))

2006-11-19 04:34 3,386 --a------ G:\WINDOWS\system32\tmp.reg
2006-11-19 02:53 3,968 --a------ G:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-27 07:00 44,644 --a------ G:\sysk.exe
2006-10-22 00:45 26,787 --a------ G:\WINDOWS\system32\drivers\vetmonnt.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-20 02:58 -------- d-------- G:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2006-11-20 02:55 -------- d-------- G:\Documents and Settings\Administrator\Application Data\Free Download Manager
2006-11-19 06:20 -------- d-------- G:\Program Files\Mozilla Firefox
2006-11-19 02:52 -------- d-------- G:\Program Files\Grisoft
2006-11-19 02:50 -------- d-------- G:\Program Files\Common Files
2006-11-19 00:00 -------- d-------- G:\Program Files\Greetings Workshop
2006-11-15 00:56 -------- d-------- G:\Program Files\Debugging Tools for Windows
2006-11-06 09:13 -------- d-------- G:\Documents and Settings\Administrator\Application Data\Azureus
2006-11-05 06:29 -------- d-------- G:\Program Files\Yahoo!
2006-11-05 05:41 -------- d-------- G:\Program Files\Azureus
2006-11-05 05:40 -------- d-------- G:\Documents and Settings\Administrator\Application Data\Sun
2006-11-05 00:46 -------- d-------- G:\Program Files\Viewpoint
2006-11-05 00:46 -------- d-------- G:\Program Files\AOL
2006-11-05 00:46 -------- d-------- G:\Program Files\AOD
2006-11-01 03:55 -------- d-------- G:\Program Files\ffdshow
2006-11-01 02:47 -------- d-------- G:\Program Files\Malicious Software Removal Tool
2006-11-01 02:42 -------- d-------- G:\Program Files\AutoPatcher
2006-11-01 02:32 -------- d---s---- G:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-22 00:45 629264 --a------ G:\WINDOWS\system32\drivers\VetEFile.sys
2006-10-22 00:45 108592 --a------ G:\WINDOWS\system32\drivers\VetEBoot.sys
2006-10-19 07:13 -------- d-------- G:\Program Files\Google
2006-10-08 02:58 -------- d-------- G:\Program Files\Cablenut
2006-10-07 23:43 73216 --a------ G:\WINDOWS\ST6UNST.EXE
2006-10-07 23:43 249856 --------- G:\WINDOWS\Setup1.exe
2006-09-23 22:32 -------- d-------- G:\Program Files\Themes
2006-08-21 07:21 16896 --a------ G:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ G:\WINDOWS\system32\fltmc.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"G:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MsnMsgr"="\"G:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"G:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ypager.exe\" -quiet"
"swg"="G:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="G:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"CAVRID"="\"G:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"Zone Labs Client"="\"G:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Firewall\\ca.exe\""
"NvCplDaemon"="RUNDLL32.EXE G:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE G:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SoundMAXPnP"="G:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"CoolSwitch"="G:\\WINDOWS\\system32\\taskswitch.exe"
"HostManager"="G:\\Program Files\\Common Files\\AOL\\1136666216\\ee\\AOLSoftware.exe"
"iTunesHelper"="\"G:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"G:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"BCMSMMSG"="BCMSMMSG.exe"
"WinampAgent"="G:\\Program Files\\Winamp\\winampa.exe"
"IPHSend"="G:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"!AVG Anti-Spyware"="\"G:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceClassicControlPanel"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=dword:00000002
"VETMSGNT"=dword:00000002
"NVSvc"=dword:00000002
"NMSAccess"=dword:00000002
"NetSvc"=dword:00000003
"iPodService"=dword:00000003
"IIYGW"=dword:00000003
"IDriverT"=dword:00000003
"EJ"=dword:00000003
"DUGZEARGERS"=dword:00000003
"DAHQGBN"=dword:00000003
"CAISafe"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sysk

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061120-024947-432
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
backup-20061120-024947-514
O4 - HKLM\..\Run: [zbqddwj.dll] G:\WINDOWS\system32\rundll32.exe G:\WINDOWS\system32\zbqddwj.dll,edubfad
Completion time: 06-11-20 3:03:10.40
G:\ComboFix.txt ... 06-11-20 03:03

Shaba · Nov 20, 2006

Hi

Ok, you can then keep it

Open HijackThis, click do a system scan only and checkmark this:

O2 - BHO: (no name) - {4E67A629-9F5B-3E4E-FCC4-0B879D45A7F1} - G:\WINDOWS\system32\hknrtjd.dll (file missing)

Close all windows including browser and press fix checked.

Reboot

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Send:

- a fresh HijackThis log
- kaspersky report

j_r_2 · Nov 21, 2006

I deleted \Downloads\BSINSTALL.exe, mentioned in the Kaspersky report.

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:16:32 AM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
G:\Program Files\Analog Devices\Core\smax4pnp.exe
G:\WINDOWS\system32\taskswitch.exe
G:\Program Files\Common Files\AOL\1136666216\ee\AOLSoftware.exe
G:\WINDOWS\BCMSMMSG.exe
G:\Program Files\Winamp\winampa.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Program Files\Dell Support\DSAgnt.exe
G:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\PowerMenu\PowerMenu.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
g:\program files\common files\aol\1136666216\ee\aexplore.exe
G:\PROGRA~1\FREEDO~1\fdm.exe
G:\WINDOWS\system32\NOTEPAD.EXE
G:\hjt\Scanner.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 212.58.224.114 www.bbc.co.uk
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - G:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CAVRID] "G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] G:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CoolSwitch] G:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [HostManager] G:\Program Files\Common Files\AOL\1136666216\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] G:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IPHSend] G:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "G:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.0.lnk = G:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerMenu.lnk = G:\Program Files\PowerMenu\PowerMenu.exe
O8 - Extra context menu item: &AOL Toolbar Search - g:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://G:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://G:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://G:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://G:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all with Free Download Manager - file://G:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://G:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://G:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://G:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://G:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - G:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "G:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: sysk - G:\WINDOWS\SYSTEM32\sysk.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - G:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 21, 2006 1:15:00 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/11/2006
Kaspersky Anti-Virus database records: 243368
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 57858
Number of viruses found: 4
Number of infected objects: 7 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:41:06

Infected Object Name / Virus Name / Last Action
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\Documents and Settings\Administrator\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
G:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
G:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
G:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
G:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
G:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
G:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
G:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012006112120061122\index.dat Object is locked skipped
G:\Documents and Settings\Administrator\Local Settings\Temp\ZLT00660.TMP Object is locked skipped
G:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
G:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
G:\Documents and Settings\Administrator\NTUser.dat.LOG Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\89b3ed3c9ce6b3724e2bb2e41828ef29_efeed72a-93a8-43ea-8ad3-deac0fb28535 Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8f7b5c995c0e640c9ecb888176684712_efeed72a-93a8-43ea-8ad3-deac0fb28535 Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f7788a65d95949462cf1695e32f89221_efeed72a-93a8-43ea-8ad3-deac0fb28535 Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
G:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
G:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
G:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
G:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
G:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
G:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
G:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
G:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
G:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
G:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
G:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
G:\Downloads\BSINSTALL.exe/WISE0023.BIN/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
G:\Downloads\BSINSTALL.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
G:\Downloads\BSINSTALL.exe WiseSFX: infected - 2 skipped
G:\Downloads\BSINSTALL.exe WiseSFX Dropper: infected - 2 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{BE9E143A-1140-4D97-A334-5E1A07FFBA9D}\RP459\change.log Object is locked skipped
G:\Tools\Sysinternals\PsTools\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
G:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
G:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
G:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
G:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
G:\WINDOWS\Internet Logs\MEMBER-COMPUTER.ldb Object is locked skipped
G:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
G:\WINDOWS\SchedLgU.Txt Object is locked skipped
G:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
G:\WINDOWS\Sti_Trace.log Object is locked skipped
G:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
G:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
G:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
G:\WINDOWS\system32\config\default Object is locked skipped
G:\WINDOWS\system32\config\default.LOG Object is locked skipped
G:\WINDOWS\system32\config\SAM Object is locked skipped
G:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
G:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
G:\WINDOWS\system32\config\SECURITY Object is locked skipped
G:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
G:\WINDOWS\system32\config\software Object is locked skipped
G:\WINDOWS\system32\config\software.LOG Object is locked skipped
G:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
G:\WINDOWS\system32\config\system Object is locked skipped
G:\WINDOWS\system32\config\system.LOG Object is locked skipped
G:\WINDOWS\system32\h323log.txt Object is locked skipped
G:\WINDOWS\system32\sysk.dll Infected: Trojan-Spy.Win32.SCKeyLog.at skipped
G:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
G:\WINDOWS\wiadebug.log Object is locked skipped
G:\WINDOWS\wiaservc.log Object is locked skipped
G:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Shaba · Nov 21, 2006

Hi

Because this is legit on your system -> G:\WINDOWS\system32\sysk.dll Infected: Trojan-Spy.Win32.SCKeyLog.at skipped and you deleted bsinstall.exe, logs are ok.

Do you still have problems?

j_r_2 · Nov 21, 2006

ty

No, no more probs, thanks very much!!!

:bigthumb:

Shaba · Nov 21, 2006

Great!

You're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide

Reenable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

I think it's SmitFraud

j_r_2

New member

Shaba

Security Expert: Emeritus

j_r_2

New member

j_r_2

New member

Shaba

Security Expert: Emeritus

j_r_2

New member

Shaba

Security Expert: Emeritus

j_r_2

New member

Shaba

Security Expert: Emeritus

j_r_2

New member

Shaba

Security Expert: Emeritus