Help remove trojan & viruses causing random IE popups

Hi guys, i've been having this problem for the past 2 weeks or so. My anti virus/spyware software keeps detecting Trojan Horse Collected 11.B and Trojan Horse Generic 4.OUN all the time. All the infected files are .dll files and all of the infected files are from my Temp/ Temporary Internet Files folder. I've tried to remove this using AVG AntiSpyware and Spybot but it keeps coming back.. Spybot also detected SMITFRAUD Toolbar in my system. It keeps coming back as well even though i've removed it several times.

IE also keeps popping up randomly and keeps trying to access this page

http://89.188.16.10/trafc-2/rfe.php?cmp=nm_ff_ron&uid=56E9C3D4055311DC87DE003048895BFC&nid=ik&guid=d4f78d6a+6174F7FBE5C349CA80ED2DECA1DF6985&url=http:%2F%2Fwww.tribalfootball.com%2Farticle.php%3Fid=41875&affid=67508&lid=http>

and also displays this error message from time to time:

Warning: Invalid argument supplied for foreach() in /usr/local/www/data-dist/trafc-2/advdb/lmts.php on line 142

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/data-dist/trafc-2/advdb/lmts.php:142) in /usr/local/www/data-dist/trafc-2/utl.php on line 129

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/data-dist/trafc-2/advdb/lmts.php:142) in /usr/local/www/data-dist/trafc-2/utl.php on line 147

Here is my Hijack This log file:

Logfile of HijackThis v1.99.1
Scan saved at 2:01:00 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
E:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
E:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\nybqecjt.dll ",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [j6261234] rundll32 C:\WINDOWS\system32\j6261234.dll sook
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WordWeb.lnk = E:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC52722E-765C-4101-A188-52FE2FC3FB97}: NameServer = 202.88.130.15,202.88.130.67
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

Do i need to post any other log files? Please help!!!
Thanks

homerj

 

Hello and welcome to WindowsBBS Forums sorry for the delay

Before we proceed we need to disable Spybot's TeaTimer. It will interfere with any fixes we make. Disable TeaTimer by doing the following:

• Run Spybot-S&D
• Go to the Mode menu, and make sure Advanced Mode is selected
• On the left hand side, choose Tools -> Resident
• Uncheck Resident TeaTimer and OK any prompts

You can reenable TeaTimer once your system is clean.

First thing I'd like you to do is to rename the HijackThis executable, hijackthis.exe to <anything of your choice> .exe, as long you change it's name.

What you may have here is a Vundo infection, please do as instructed below. Updated May 21, 2007 v6.4.1
Please download VundoFix.exe to your desktop.

• Double-click *VundoFix.exe* to run it.
• Click the *Scan for Vundo* button.
• Once it's done scanning, click the *Remove Vundo* button.
• You will receive a prompt asking if you want to remove the files, click *YES*
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click *OK*.
• Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot.

 

Thanx for your reply man, but i've fixed the problem. The popups and trojans were destroyed as was SmitFraud. Found a post for a similar problem on another forum. Do you have any suggestions as to what anti spyware I should use? Should I use a separate firewall as well??

thanks,
homerj

 

Glad you got things handled.

Please follow the links below to ensure the highest possible level of protection against any further invasions. The links and the apps are some of the most highly regarded apps in the field of security/protection & detection. Run AdAware & Spybot at least once a week, depending on your surfing habits.
Spybot Search & Destroy v1.4
Ad-Aware SE Free v1.06r

With AdAware and Spybot: DL, install then check for updates, then scan, repair/remove/quarantine anything found. Reboot before next scan with whichever app is next.

SpywareBlaster will prevent known ActiveX installs, by setting killbits into the registry.
With Spyware Blaster, just DL, check for updates, enable Internet Explorer protection, and your done! I don't recommend using 'Restricted Sites' protection in SpywareBlaster nor the 'Immunize' feature in Spybot, you can get far greater coverage with IE-SPYADs, listed below.

To avoid known malware infested sites from loading in IE install IE-SPY ADS.
And MVPS Hosts File will provide another layer of protection.

And to prevent unknown applications from being installed on your machine install WinPatrol 2007 v11.2.2007.

Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

Tutorials for all can be found on my site as well.

Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
Calendar of Updates

Subscribe to update alerts for all the above security apps here.

You can also see my own ongoing security testing with all the above apps proving how securely you can safe with them installed.
TeMerc Test Box Forum

Happy surfing!
Tom

Due to resolution or the lack of feedback this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.