
Solved: Smitfraud - Virus alert

Discussion in 'Malware and Virus Removal Archive' started by dionysus13, 2008/10/03.

Thread Status:
Not open for further replies.
  1. 2008/10/03
    dionysus13 (Thread Starter)

    Hi, my computer is infected with Smitfraud; the Task Manager is disabled. I removed Smitfraud through Spybot but it came back again. Most of the options from the Start menu have disappeared.
    I have posted the HijackThis log. Please help.
    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-10-03 11:12:22
    Computer is in Safe Mode with Networking.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Administrator.exe) ---------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:13: VIRUS ALERT!, on 03/10/2008
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    D:\PROGRAM FILES 2\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    I:\code clean\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {0067C4B0-20B9-4D5C-A665-1FC6135FC7FA} - C:\WINDOWS\system32\wvUmNEUO.dll (file missing)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6FB13DD6-4650-4556-AE18-27142F0B5C9F} - C:\WINDOWS\system32\fccaYsrr.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: dkwqgnbe - {106198B5-9A3D-4D97-8DEF-845A1FDCD787} - C:\WINDOWS\dkwqgnbe.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [TuneClone] D:\Program Files\TuneClone\TuneClone.exe /silence
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
    O4 - HKLM\..\Run: [787d3d28] rundll32.exe "C:\WINDOWS\system32\wvxtfljr.dll",b
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [] C:\Documents and Settings\Administrator\Application Data\Adobe\Player.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {DC11F230-5717-4C25-BAD7-37B879C19655} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://dionysus13.myphotoalbum.com/ImageUploader4.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: neksolda - {6F1FF7A7-D2D9-4E43-9B85-99C97380729C} - C:\WINDOWS\neksolda.dll
    O21 - SSODL: xgpsarbm - {C5246F63-9069-4913-9C6C-462C64CC3C76} - C:\WINDOWS\xgpsarbm.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\PROGRAM FILES 2\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - D:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
    O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - D:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O24 - Desktop Component 0: (no name) - http://tbn0.google.com/images?q=tbn:WHBaruNRJarHJM:http://www.ntferro.com/shop/images/N.webcopy.jpg
    O24 - Desktop Component 1: (no name) - http://bp3.blogger.com/_R5KTOlGTgaE...6QSXo/S240/1251650855052741287S425x425Q85.jpg
    O24 - Desktop Component 2: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

    --
    End of file - 9176 bytes

    -- Files created between 2008-09-03 and 2008-10-03 -----------------------------

    2008-10-03 11:12:49 0 d-------- C:\Program Files\Trend Micro
    2008-10-03 10:44:43 0 d-------- C:\Program Files\SpywareBlaster
    2008-10-03 10:35:10 0 d--hs---- C:\FOUND.056
    2008-10-02 22:06:17 80512 --a------ C:\WINDOWS\system32\wvxtfljr.dll
    2008-10-02 22:05:21 401542 --ahs---- C:\WINDOWS\system32\OUENmUvw.ini2
    2008-10-02 18:16:40 0 d--hs---- C:\FOUND.055
    2008-10-02 18:06:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
    2008-10-02 18:06:35 364544 --a------ C:\WINDOWS\nkefbltdxvk.dll
    2008-10-02 18:06:35 266240 --a------ C:\WINDOWS\neksolda.dll
    2008-10-02 18:06:35 86016 --a------ C:\WINDOWS\fkebanrw.exe
    2008-10-02 18:06:35 94208 --a------ C:\WINDOWS\evmd.exe
    2008-10-02 18:06:35 212992 --a------ C:\WINDOWS\dkwqgnbe.dll
    2008-10-02 12:35:26 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
    2008-10-02 12:18:26 0 d-------- C:\Program Files\Common Files\PC Tools
    2008-10-02 12:13:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
    2008-10-01 20:54:24 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
    2008-10-01 20:54:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\skypePM
    2008-10-01 20:52:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Skype
    2008-10-01 20:52:38 0 d-------- C:\Program Files\Common Files\Skype
    2008-10-01 20:51:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
    2008-09-21 10:20:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
    2008-09-21 09:45:32 0 d--hs---- C:\FOUND.054
    2008-09-20 20:28:15 0 d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-09-20 20:27:42 0 d-------- C:\Program Files\Bonjour
    2008-09-20 20:24:04 0 d-------- C:\Program Files\Apple Software Update
    2008-09-09 22:03:15 0 d-------- C:\Program Files\Panda Security
    2008-09-09 14:00:38 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    2008-09-09 14:00:37 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
    2008-09-09 14:00:15 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Google
    2008-09-09 14:00:14 0 dr------- C:\Documents and Settings\NetworkService\Favorites
    2008-09-08 09:39:56 0 d--hs---- C:\FOUND.053


    -- Find3M Report ---------------------------------------------------------------

    2008-08-30 11:22:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\BitTorrent
    2008-08-29 09:53:50 61440 --a------ C:\WINDOWS\system32\dnssd.dll <Not Verified; Apple Inc.; Bonjour>
    2008-08-23 10:26:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
    2008-08-23 10:26:02 0 d-------- C:\Program Files\AskSBar
    2008-08-19 12:51:18 93632 --ah----- C:\WINDOWS\system32\mlfcache.dat
    2008-08-18 12:44:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\CameraWindowDC
    2008-08-18 12:44:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\CANON INC


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0067C4B0-20B9-4D5C-A665-1FC6135FC7FA}]
    C:\WINDOWS\system32\wvUmNEUO.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FB13DD6-4650-4556-AE18-27142F0B5C9F}]
    C:\WINDOWS\system32\fccaYsrr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
    23/08/2008 10:26: VIRUS ALERT! 262144 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [23/08/2008 10:26: VIRUS ALERT! 262144]

    [-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcxMonitor"="ALCXMNTR.EXE" [03/04/2003 20:35: VIRUS ALERT! C:\WINDOWS\ALCXMNTR.EXE]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/02/2004 17:55: VIRUS ALERT!]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/02/2004 17:51: VIRUS ALERT!]
    "AGRSMMSG"="AGRSMMSG.exe" [16/01/2004 12:34: VIRUS ALERT! C:\WINDOWS\AGRSMMSG.exe]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [31/10/2003 19:42: VIRUS ALERT!]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 15:20: VIRUS ALERT!]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [04/03/2004 21:16: VIRUS ALERT!]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 08:38: VIRUS ALERT!]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [18/02/2004 23:25: VIRUS ALERT!]
    "Nokia Tray Application"="C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" [10/02/2003 14:30: VIRUS ALERT!]
    "PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [26/04/2006 08:29: VIRUS ALERT!]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [20/12/2007 20:46: VIRUS ALERT!]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27: VIRUS ALERT!]
    "TuneClone"="D:\Program Files\TuneClone\TuneClone.exe" []
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [03/09/2008 20:12: VIRUS ALERT!]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/09/2008 15:09: VIRUS ALERT!]
    "iTunesHelper"="D:\Program Files\iTunesHelper.exe" [10/09/2008 17:40: VIRUS ALERT!]
    "787d3d28"="C:\WINDOWS\system32\wvxtfljr.dll" [02/10/2008 22:06: VIRUS ALERT!]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [11/04/2006 17:52: VIRUS ALERT!]
    "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [17/01/2008 22:21: VIRUS ALERT!]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [27/06/2008 13:03: VIRUS ALERT!]
    "Google Update"="C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [27/09/2008 16:00: VIRUS ALERT!]
    "@"="C:\Documents and Settings\Administrator\Application Data\Adobe\Player.exe" [01/10/2008 11:10: VIRUS ALERT!]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [16/09/2008 12:16: VIRUS ALERT!]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/12/2004 4:53:18 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)
    "DisableRegistryTools"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)
    "DisableRegistryTools"=1 (0x1)
    "DisableTaskMgr"=1 (0x1)
    "NoDispCPL"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoToolbarCustomize"=1 (0x1)
    "StartMenuLogoff"=1 (0x1)
    "NoStartMenuMorePrograms"=1 (0x1)
    "NoSetFolders"=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
    Source= file:///C:\WINDOWS\privacy_danger\index.htm
    FriendlyName= Privacy Protection

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{6FB13DD6-4650-4556-AE18-27142F0B5C9F}"= C:\WINDOWS\system32\fccaYsrr.dll [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "neksolda"= {6F1FF7A7-D2D9-4E43-9B85-99C97380729C} - C:\WINDOWS\neksolda.dll [02/10/2008 14:48: VIRUS ALERT! 266240]
    "xgpsarbm"= {C5246F63-9069-4913-9C6C-462C64CC3C76} - C:\WINDOWS\xgpsarbm.dll [ ]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvUmNEUO

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]




    -- End of Deckard's System Scanner: finished at 2008-10-03 11:14:43 ------------
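    An added example, not part of the original post or of HijackThis/DSS: a Python triage pass over lines in the HijackThis format that encodes the reasoning a helper applies to a log like the one above (dangling "(file missing)" registrations, eight-letter random-named modules loaded from the Windows directory by BHO, toolbar or SSODL entries or via rundll32, Run values with hex-blob or empty names, O7 policy lockouts, and Active Desktop components that point at a local HTML file). The sample lines are copied from the log in this post, with the Intel igfxtray entry included as a benign control; the function and rule names are my own, and the rules are heuristics, not a verdict.

```python
"""Triage a HijackThis log for the persistence patterns seen in this thread's log."""
import re

# Constructed sample: lines copied from the log in this post, plus the Intel igfxtray
# entry as a benign control that must not be flagged.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {0067C4B0-20B9-4D5C-A665-1FC6135FC7FA} - C:\\WINDOWS\\system32\\wvUmNEUO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll
O3 - Toolbar: dkwqgnbe - {106198B5-9A3D-4D97-8DEF-845A1FDCD787} - C:\\WINDOWS\\dkwqgnbe.dll
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [787d3d28] rundll32.exe "C:\\WINDOWS\\system32\\wvxtfljr.dll",b
O4 - HKCU\\..\\Run: [] C:\\Documents and Settings\\Administrator\\Application Data\\Adobe\\Player.exe
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O21 - SSODL: neksolda - {6F1FF7A7-D2D9-4E43-9B85-99C97380729C} - C:\\WINDOWS\\neksolda.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
O24 - Desktop Component 2: Privacy Protection - file:///C:\\WINDOWS\\privacy_danger\\index.htm
"""

HJT_LINE = re.compile(r"^([ORFN]\d+) - (.*)$")
# An eight-letter module sitting directly in %WINDIR% or system32: the naming style of
# the droppers in this log (wvUmNEUO, dkwqgnbe, neksolda, wvxtfljr). Heuristic, hypothetical rule.
RANDOM_MODULE = re.compile(r"\\WINDOWS\\(?:system32\\)?[A-Za-z]{8}\.(?:dll|exe)\b", re.IGNORECASE)
HEX_VALUE_NAME = re.compile(r"Run: \[[0-9a-f]{8}\] ")
EMPTY_VALUE_NAME = re.compile(r"Run: \[\] ")


def triage(log_text):
    """Return one finding per suspicious line: {'kind', 'line', 'reasons'}.
    Heuristics only; a hit is a reason to look, not a verdict."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("dangling registration: the file is gone but the key still loads it")
        if kind in ("O2", "O3", "O21") and RANDOM_MODULE.search(body):
            reasons.append("random eight-letter module injected into Explorer/IE")
        if kind == "O4":
            if "rundll32.exe" in body.lower() and RANDOM_MODULE.search(body):
                reasons.append("rundll32 loading a random-named DLL from the Windows directory")
            if HEX_VALUE_NAME.search(body):
                reasons.append("Run value named with a hex blob instead of a product name")
            if EMPTY_VALUE_NAME.search(body):
                reasons.append("Run entry stored in the (Default) value to hide from casual review")
        if kind == "O7":
            reasons.append("policy lockout: Regedit/Task Manager disabled by a policy key")
        if kind == "O24" and "file:///" in body:
            reasons.append("Active Desktop component pointing at a local HTML file (fake warning page)")
        if reasons:
            findings.append({"kind": kind, "line": raw.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], "|", "; ".join(f["reasons"]))
        print("   ", f["line"])
```

    Run on the sample, seven of the ten lines are flagged; the Java BHO, the Intel tray entry and the Bonjour service pass. The eight-letter rule is deliberately restricted to code that Explorer or IE loads in-process (O2/O3/O21) or that rundll32 loads, because plenty of legitimate executables in system32 also have eight-letter names.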
     
  2. 2008/10/03
    Juliet
    Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HJT log and start a new topic.


    Welcome

    Print this topic or save it to Notepad; it will make it easier for you to follow the instructions and complete all of the necessary steps, as we will need to close every window that is open later in the fix.

    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

    # Open Spybot Search & Destroy.
    # In the Mode menu click "Advanced mode" if not already selected.
    # Choose "Yes" at the Warning prompt.
    # Expand the "Tools" menu.
    # Click "Resident".
    # Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    # In the File menu click "Exit" to exit Spybot Search & Destroy.

    * See this link for a tutorial http://russelltexas.com/malware/teatimer.htm



    Please delete Deckard's System Scanner
    I:\code clean\dss.exe <--delete this file also


    Go to your Add/Remove programs in the control panel remove/delete Ask Toolbar



    Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

    O2 - BHO: (no name) - {0067C4B0-20B9-4D5C-A665-1FC6135FC7FA} - C:\WINDOWS\system32\wvUmNEUO.dll (file missing)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {6FB13DD6-4650-4556-AE18-27142F0B5C9F} - C:\WINDOWS\system32\fccaYsrr.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: dkwqgnbe - {106198B5-9A3D-4D97-8DEF-845A1FDCD787} - C:\WINDOWS\dkwqgnbe.dll
    O4 - HKLM\..\Run: [787d3d28] rundll32.exe "C:\WINDOWS\system32\wvxtfljr.dll",b
    O4 - HKCU\..\Run: [] C:\Documents and Settings\Administrator\Application Data\Adobe\Player.exe

    If you or one of your security programs did not set the restriction, have HJT fix this entry:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O21 - SSODL: neksolda - {6F1FF7A7-D2D9-4E43-9B85-99C97380729C} - C:\WINDOWS\neksolda.dll
    O21 - SSODL: xgpsarbm - {C5246F63-9069-4913-9C6C-462C64CC3C76} - C:\WINDOWS\xgpsarbm.dll (file missing)
    O24 - Desktop Component 2: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

    Now reboot the computer and please boot back into safe mode to continue with the fix


    Go to My Computer -> Tools -> Folder Options -> View tab. Under the Hidden files and folders heading:

    • Select "Show hidden files and folders".

    • Uncheck the "Hide protected operating system files (recommended)" option.

    • Also, make sure there is no checkmark beside "Hide file extensions for known file types".

    • Click OK. (Remember to hide files and folders again once done.)

    Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders shown below

    NOTE:
    Several files need to be deleted, take your time and do not be intimidated. If one or more resist deletion go to the next.

    C:\WINDOWS\dkwqgnbe.dll
    C:\WINDOWS\system32\wvxtfljr.dll
    C:\Documents and Settings\Administrator\Application Data\Adobe\Player.exe
    C:\WINDOWS\system32\wvxtfljr.dll
    C:\WINDOWS\system32\OUENmUvw.ini2
    C:\WINDOWS\nkefbltdxvk.dll
    C:\WINDOWS\neksolda.dll
    C:\WINDOWS\fkebanrw.exe
    C:\WINDOWS\evmd.exe
    C:\WINDOWS\dkwqgnbe.dll
    C:\WINDOWS\system32\wvUmNEUO.dll
    C:\WINDOWS\system32\fccaYsrr.dll




    Next, launch Notepad (Start > Run, type in: notepad), then copy and paste the text in the Code box below into it
    (don't forget to copy and paste REGEDIT4):
    Code:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0067C4B0-20B9-4D5C-A665-1FC6135FC7FA}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{0067C4B0-20B9-4D5C-A665-1FC6135FC7FA}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6FB13DD6-4650-4556-AE18-27142F0B5C9F}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{6FB13DD6-4650-4556-AE18-27142F0B5C9F}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}"=-
    "{106198B5-9A3D-4D97-8DEF-845A1FDCD787}"=-
    
    [-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{106198B5-9A3D-4D97-8DEF-845A1FDCD787}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "787d3d28"=-
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    ; the Player.exe entry lives in the (Default) value, which HijackThis shows as [] and the DSS dump as "@"
    @=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    ; HijackThis labels the O7 entry "DisableRegedit"; the value actually stored (see the DSS dump) is DisableRegistryTools
    "DisableRegistryTools"=-
    ; the DSS dump also shows DisableTaskMgr=1 in this key, which is what disabled Task Manager
    "DisableTaskMgr"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "neksolda"=-
    "xgpsarbm"=-
    
    [-HKEY_CLASSES_ROOT\CLSID\{6F1FF7A7-D2D9-4E43-9B85-99C97380729C}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{C5246F63-9069-4913-9C6C-462C64CC3C76}]
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    ; REG_MULTI_SZ "msv1_0" in REGEDIT4 (ANSI) form: the stock list, dropping the wvUmNEUO package the dump shows
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    
    Save this as fix.reg, change the "Save as type" to "All Files", and place it on your desktop.
    Double-click on it and when it asks you if you want to merge the contents into the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

    Now reboot the computer.


    If possible continue now in normal mode.


    Please download SmitfraudFix (by S!Ri) and extract the content (a folder named SmitfraudFix) to your Desktop.

    Please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Double-click on SmitfraudFix.exe to start the tool.
    Select option #2 - Clean by typing 2 and press Enter. You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter

    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.
    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot into Normal Mode.

    The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or the partition where your operating system is installed.
    Please post that log along with all others requested in your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
    Warning : running option #2 on a non infected computer will remove your Desktop background.




    NEXT**

    Double-click on SmitfraudFix.exe to start the tool.
    Select option #3 - Delete Trusted zone by typing 3 and press Enter
    Answer Yes to the question "Restore Trusted Zone ?" by typing Yes and press Enter.

    Notes

    1. If you use SpywareBlaster and/or IE-SPYAD it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
    2. As many of the variants of Smitfraud have begun invading the Hosts file, this tool will reset your Hosts file as a necessary precaution. You will also have to reset any specific modifications you may require such as Hosts MVPS.




    NEXT**
    Download SDFix and save it to your Desktop.



    Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following
    :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.cmd to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the SDFix Report.txt back on the forum with a new HijackThis log




    In your next reply post:
    Smitfraud C:\rapport.txt
    SDFix report.txt
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.
     
    Last edited: 2009/03/26
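    The entry in the first log that matters most to a practitioner is the LSA "Authentication Packages" list: LSA loads every module named there into lsass.exe as SYSTEM at boot, before any logon, so a foreign entry such as wvUmNEUO both survives user-level cleanup and sits where plaintext credentials pass through. The fix file above resets the list with a hex(7) value. As an added example (my own code, not from this thread, HijackThis, SmitfraudFix or SDFix), the Python below parses the DSS line, reports the foreign entry, and encodes/decodes the REG_MULTI_SZ for both REGEDIT4 and "Windows Registry Editor Version 5.00" files, showing that the byte string in the fix is the REGEDIT4 (ANSI) form. The function names, and the assumption that msv1_0 is the only stock package on this Windows XP system, are mine.

```python
"""Check the LSA 'Authentication Packages' list and build the REG_MULTI_SZ that resets it."""

# The line as Deckard's System Scanner printed it in the first post (value name, '=', entries).
DSS_LINE = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\wvUmNEUO'

# Assumption for this example: on the Windows XP box in the thread the stock list is msv1_0 alone.
# Anything else in the list is loaded into lsass.exe as SYSTEM at every boot, before any logon.
DEFAULT_AUTH_PACKAGES = ("msv1_0",)


def parse_auth_packages(dump_line):
    """Return the entries from a DSS 'Authentication Packages' line (hypothetical helper).
    DSS separates entries with spaces, so a path that itself contains a space would be
    split here; the sample has none."""
    _, _, rest = dump_line.partition("=")
    return rest.split()


def foreign_auth_packages(entries):
    """Entries that are not a stock Windows authentication package."""
    return [e for e in entries if e.lower() not in DEFAULT_AUTH_PACKAGES]


def _codec(version):
    # REGEDIT4 files carry ANSI bytes; 'Windows Registry Editor Version 5.00' files carry UTF-16LE.
    if version == 4:
        return "latin-1"
    if version == 5:
        return "utf-16-le"
    raise ValueError("version must be 4 (REGEDIT4) or 5 (Version 5.00)")


def encode_multi_sz(values, version=4):
    """REG_MULTI_SZ as a .reg hex(7) field: each string NUL-terminated, then one extra NUL."""
    codec = _codec(version)
    nul = "\0".encode(codec)
    raw = b"".join(v.encode(codec) + nul for v in values) + nul
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def decode_multi_sz(field, version=4):
    """Inverse of encode_multi_sz. A REG_MULTI_SZ cannot hold an empty string (it would
    terminate the list), so the empty pieces produced by the terminators are dropped."""
    if not field.startswith("hex(7):"):
        raise ValueError("not a hex(7) field")
    raw = bytes(int(h, 16) for h in field[len("hex(7):"):].split(","))
    return [s for s in raw.decode(_codec(version)).split("\0") if s]


def lsa_reset_reg(version=4):
    """The .reg fragment that puts the list back to the stock packages, with the header
    that matches the encoding used for the bytes."""
    header = "REGEDIT4" if version == 4 else "Windows Registry Editor Version 5.00"
    return "\n".join([
        header,
        "",
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]",
        '"Authentication Packages"=' + encode_multi_sz(DEFAULT_AUTH_PACKAGES, version),
        "",
    ])


if __name__ == "__main__":
    entries = parse_auth_packages(DSS_LINE)
    print("foreign packages:", foreign_auth_packages(entries))
    print(lsa_reset_reg())
```

    The header dependency is the caveat worth remembering: the same 6d,73,76,31,5f,30,00,00 bytes under a Version 5.00 header would be read as UTF-16 and produce a garbage list, which is why the fix file starts with REGEDIT4 and why a helper should never paste a hex(7) line from one format into a file with the other header.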

  4. 2008/10/04
    dionysus13 (Thread Starter)
    Thanks...guess my computer is clean now...no virus found. Thanks
     
  5. 2008/10/04
    Juliet
    I can't give you the all clear till I can see the results logs from the scans I suggested you run.
     
  6. 2008/11/04
    Juliet
    Glad we could help.
    Since this issue appears resolved ... this Topic is closed.
     