
security toolbar 7.1

Discussion in 'Malware and Virus Removal Archive' started by eastratton, 2007/09/30.

  1. 2007/09/30
    eastratton

    Computer seems to be infected with Security Toolbar 7.1 and AntiVirGear 3.8. I have run a HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:39:57 PM, on 9/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Online Video Add-on\isfmntr.exe
    C:\Program Files\Online Video Add-on\icthis.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Online Video Add-on\icmntr.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Online Video Add-on\isfmm.exe
    C:\Program Files\AntiVirGear 3.8\AntiVirGear 3.8.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Documents and Settings\ed\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ed.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: ieffse32.msdn_hlp - {C1C6426B-FB16-4123-ACBE-74D94FB0E663} - C:\WINDOWS\system32\ieffse32.dll
    O2 - BHO: (no name) - {D579A683-0CC7-4023-BAE7-0544D0D1DA3A} - C:\Program Files\Online Video Add-on\isfmdl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: IE Custom Tools - {41F6170D-6AF8-4188-8D92-9DDAB3C71A78} - C:\Program Files\Online Video Add-on\ictmdl.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AntiVirGear 3.8] "C:\Program Files\AntiVirGear 3.8\AntiVirGear 3.8.exe" /h
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Online Video Add-on\isfmntr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Video Add-on\icthis.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    O22 - SharedTaskScheduler: homeridae - {95dde900-8bf3-428c-b9be-8345c9d194f7} - C:\WINDOWS\system32\vzfhprk.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    --
    End of file - 6615 bytes

    I also ran a DSS log:

    Deckard's System Scanner v20070905.67
    Run by ed on 2007-09-30 14:38:50
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    106: 2007-09-30 18:38:56 UTC - RP283 - Deckard's System Scanner Restore Point
    105: 2007-09-30 07:00:15 UTC - RP282 - Software Distribution Service 3.0
    104: 2007-09-30 02:09:51 UTC - RP281 - System Checkpoint
    103: 2007-09-29 02:08:47 UTC - RP280 - System Checkpoint
    102: 2007-09-28 01:30:04 UTC - RP279 - System Checkpoint


    -- First Restore Point --
    1: 2007-07-02 22:07:25 UTC - RP178 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as ed.exe) --------------------------------------------------

    (HijackThis log identical to the one posted above; omitted here.)

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R2 LBeepKE - c:\windows\system32\drivers\lbeepke.sys <Not Verified; Logitech Inc.; Logitech SetPoint>

    S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
    S3 PciCon - d:\pcicon.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID:
    Description: PSC 2100 Series
    Device ID: USB\VID_03F0&PID_2811&MI_02\6&28EE9246&0&0002
    Manufacturer:
    Name: PSC 2100 Series
    PNP Device ID: USB\VID_03F0&PID_2811&MI_02\6&28EE9246&0&0002
    Service:


    -- Scheduled Tasks -------------------------------------------------------------

    2007-09-30 03:00:00 490 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job


    -- Files created between 2007-08-30 and 2007-09-30 -----------------------------

    2007-09-30 14:36:07 0 d-------- C:\Program Files\Trend Micro
    2007-09-29 23:16:45 4 --a------ C:\WINDOWS\system32\bsnzafqa.bin
    2007-09-29 23:15:27 31232 --a------ C:\WINDOWS\system32\regmod.exe <Not Verified; Microsoft; RegMode>
    2007-09-29 23:15:27 19456 --a------ C:\WINDOWS\system32\ieffse32.dll <Not Verified; Microsoft; Windows Explorer cdrom optimizer>
    2007-09-29 23:15:27 569 --a------ C:\WINDOWS\system32\cfg.dat
    2007-09-29 23:15:26 0 d-------- C:\Program Files\AntiVirGear 3.8
    2007-09-29 23:15:22 0 d-------- C:\Program Files\Online Video Add-on
    2007-09-21 21:21:44 0 d-------- C:\Documents and Settings\ed\Application Data\MSN6
    2007-09-21 21:21:44 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2007-09-20 04:57:04 0 d-------- C:\Program Files\Common Files\EasyInfo
    2007-09-19 13:01:36 0 d-------- C:\WINDOWS\system32\LogFiles
    2007-09-19 10:52:51 0 d-------- C:\Program Files\Download Manager
    2007-09-19 10:52:40 0 d-------- C:\Documents and Settings\ed\Application Data\IGN_DLM
    2007-09-19 10:21:43 0 d-------- C:\Program Files\GameSpy Arcade
    2007-09-12 11:37:21 88 -r-hs---- C:\WINDOWS\system32\CB78CF27A8.sys
    2007-09-12 11:35:12 0 d-------- C:\Documents and Settings\ed\Application Data\Corel
    2007-09-12 11:35:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
    2007-09-12 11:34:14 0 d-------- C:\Program Files\Common Files\Corel
    2007-09-12 11:31:03 2828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-09-12 11:28:29 0 d-------- C:\Program Files\Corel
    2007-09-12 11:22:11 0 d-------- C:\Program Files\Wondershare
    2007-09-06 18:25:13 0 d-------- C:\Progam Files


    -- Find3M Report ---------------------------------------------------------------

    2007-09-30 14:18:15 3392 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-30 13:54:23 0 d-------- C:\Documents and Settings\ed\Application Data\LimeWire
    2007-09-29 20:28:38 128542 --a------ C:\logfile
    2007-09-27 20:38:20 0 d-------- C:\Program Files\Trillian
    2007-09-27 04:55:33 12800 --a-s---- C:\WINDOWS\system32\vzfhprk.dll
    2007-09-21 04:30:36 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-09-20 04:57:04 0 d-------- C:\Program Files\Common Files
    2007-09-19 10:00:26 0 d-------- C:\Program Files\EA Games
    2007-09-13 04:18:54 0 d-------- C:\Program Files\thorui
    2007-09-06 18:29:04 0 d-------- C:\Documents and Settings\ed\Application Data\U3
    2007-09-05 08:04:45 0 d-------- C:\Program Files\StarWarsGalaxies
    2007-08-25 17:05:38 0 d-------- C:\Program Files\Steam
    2007-08-24 22:07:07 33626 --a------ C:\Documents and Settings\ed\Application Data\NMM-MetaData.db
    2007-08-23 16:59:05 0 d-------- C:\Documents and Settings\ed\Application Data\Sony Corporation
    2007-08-19 10:12:33 0 d-------- C:\Program Files\Sony
    2007-08-19 10:12:16 0 d-------- C:\Program Files\Sony Corporation
    2007-08-19 10:09:27 0 d-------- C:\Program Files\Common Files\Sony Shared
    2007-08-13 13:10:03 0 d---s---- C:\Program Files\Xfire
    2007-08-13 13:09:44 0 d-------- C:\Documents and Settings\ed\Application Data\Xfire
    2007-08-12 14:35:29 0 d-------- C:\Program Files\Common Files\PCSuite
    2007-08-12 14:35:29 0 d-------- C:\Program Files\Common Files\Nokia
    2007-08-12 14:35:28 0 d-------- C:\Program Files\Nokia
    2007-08-12 14:34:59 0 d-------- C:\Program Files\PC Connectivity Solution
    2007-08-12 11:49:05 0 d-------- C:\Documents and Settings\ed\Application Data\Nokia Multimedia Player
    2007-08-03 05:17:58 0 d-------- C:\Program Files\Common Files\Adobe
    2007-08-01 16:58:19 0 d-------- C:\Program Files\Motorola Phone Tools
    2007-08-01 16:57:54 0 d-------- C:\Program Files\Common Files\Motorola Shared
    2007-08-01 16:54:40 0 d-------- C:\Program Files\Avanquest update


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1C6426B-FB16-4123-ACBE-74D94FB0E663}]
    09/29/2007 11:15 PM 19456 --a------ C:\WINDOWS\system32\ieffse32.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D579A683-0CC7-4023-BAE7-0544D0D1DA3A}]
    09/30/2007 02:21 PM 11776 --a------ C:\Program Files\Online Video Add-on\isfmdl.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}"= C:\Program Files\Online Video Add-on\ictmdl.dll [09/29/2007 11:15 PM 64000]

    [-HKEY_CLASSES_ROOT\CLSID\{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [06/28/2006 02:54 AM C:\WINDOWS\RTHDCPL.exe]
    "Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 AM C:\WINDOWS\Alcmtr.exe]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/06/2007 05:09 PM]
    "Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [07/19/2006 01:03 PM]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/2006 01:03 PM C:\WINDOWS\KHALMNPR.Exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 01:56 AM C:\WINDOWS\system32\bthprops.cpl]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/11/2006 10:43 PM]
    "SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [06/18/2007 03:10 PM]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
    "AntiVirGear 3.8"="C:\Program Files\AntiVirGear 3.8\AntiVirGear 3.8.exe" [09/28/2007 07:17 AM]
    "Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [08/28/2007 12:00 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/21/2007 11:54 PM]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [03/27/2007 03:22 PM]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [08/13/2007 08:04 PM]
    "igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [03/05/2007 05:57 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
    "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    C:\Documents and Settings\ed\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [7/2/2007 1:07:31 PM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "start"=C:\Program Files\Online Video Add-on\isfmntr.exe
    "some"=C:\Program Files\Online Video Add-on\icthis.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{95dde900-8bf3-428c-b9be-8345c9d194f7}"= C:\WINDOWS\system32\vzfhprk.dll [09/27/2007 04:55 AM 12800]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Loadout Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk
    backup=C:\WINDOWS\pss\Loadout Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0302891178765690mcinstcleanup]
    C:\DOCUME~1\ed\LOCALS~1\Temp\030289~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
    C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    SkyTel.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "C:\Program Files\Steam\Steam.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
    C:\Program Files\Logitech\iTouch\iTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ




    -- End of Deckard's System Scanner: finished at 2007-09-30 14:40:29 ------------

    If you need any more information, please feel free to ask.
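
As an added example (not part of the original post, and not code from HijackThis or DSS): a small Python script that applies to O2/O3/O4/O22 lines the same checks a removal helper applies by eye when reading a log like the one above. The sample lines are copied from the HijackThis log in this post. The rules themselves (orphaned "(no file)" entries, autostarts under Policies\Explorer\Run, SharedTaskScheduler DLLs, browser add-ons loaded from the Windows directory, and a vowel-less filename test) are my own heuristics and are not anything the thread states, so a hit means "verify this file", not "this is malware".

```python
"""Triage helper for HijackThis 2.x log lines.

Added example for this thread; it is not part of the original post and not
code from HijackThis or DSS.  The rules below are heuristics of my own that
mirror what a removal helper checks by eye: a hit is a prompt to verify the
file (publisher, signature, creation date), not proof of infection.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the HijackThis log in
# the post above, in the exact format HijackThis writes them.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ieffse32.msdn_hlp - {C1C6426B-FB16-4123-ACBE-74D94FB0E663} - C:\WINDOWS\system32\ieffse32.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Online Video Add-on\isfmntr.exe
O22 - SharedTaskScheduler: homeridae - {95dde900-8bf3-428c-b9be-8345c9d194f7} - C:\WINDOWS\system32\vzfhprk.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - ..." / "R0 - ..." entry lines; headers and the process list are skipped.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# First absolute path on the line, ending at a loadable-file extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|sys|ocx))', re.IGNORECASE)
VOWELS = set("aeiouy")


@dataclass
class Entry:
    section: str            # HijackThis section tag: O2, O4, O22, ...
    raw: str                # the line exactly as logged
    path: Optional[str]     # first file path on the line, if any
    flags: List[str] = field(default_factory=list)


def parse(log_text: str) -> List[Entry]:
    """Turn the entry lines of a HijackThis log into Entry objects."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        p = PATH_RE.search(m["body"])
        entries.append(Entry(m["section"], line.strip(), p.group(1) if p else None))
    return entries


def looks_random(filename: str) -> bool:
    """A purely alphabetic stem of 6+ letters with no vowel at all (vzfhprk)
    is unlike any name a vendor would choose.  Crude on purpose."""
    stem = filename.rsplit(".", 1)[0].lower()
    return stem.isalpha() and len(stem) >= 6 and not (set(stem) & VOWELS)


def triage(entry: Entry) -> List[str]:
    """Apply the heuristics to one entry; return the reasons it was flagged."""
    body = entry.raw.lower()
    path = (entry.path or "").lower()
    in_windows_dir = "\\windows\\" in path
    flags = []
    if "(no file)" in body:
        flags.append("orphaned: the registry entry points at a file that is gone")
    if entry.section == "O4" and "policies\\explorer\\run" in body:
        flags.append("autostart under Policies\\Explorer\\Run, a location legitimate installers rarely use")
    if entry.section == "O22":
        flags.append("SharedTaskScheduler DLL: loaded into Explorer at every logon, verify the file")
    if entry.section in ("O2", "O3") and "(no name)" in body and entry.path:
        flags.append("unnamed browser add-on that still has a file on disk")
    if entry.section == "O2" and in_windows_dir:
        flags.append("BHO loaded from the Windows directory; third-party add-ons normally live under Program Files")
    if entry.path and in_windows_dir and looks_random(entry.path.rsplit("\\", 1)[-1]):
        flags.append("vowel-less, pseudo-random filename inside the Windows directory")
    return flags


def review(log_text: str) -> Dict[str, List[str]]:
    """Return {logged line: reasons} for every entry that tripped a check."""
    flagged = {}
    for entry in parse(log_text):
        entry.flags = triage(entry)
        if entry.flags:
            flagged[entry.raw] = entry.flags
    return flagged


if __name__ == "__main__":
    for line, reasons in review(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

On the sample it flags the two "(no file)" orphans, the BHO in system32, the Policies\Explorer\Run autostart and the SharedTaskScheduler DLL, and leaves the Adobe BHO, the QuickTime Run entry and the NVIDIA service alone. The name test is deliberately restricted to files under \WINDOWS: a legitimate vendor name such as KHALMNPR.EXE from the same log has no vowels either, which is why every flag should be followed by a check of the file's publisher and creation date before anything is removed.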
     
  2. 2007/09/30
    noahdfear

    Hi eastratton :)

    Download SmitfraudFix by S!Ri, saving it to the desktop.

    • Restart the computer in Safe Mode by tapping the F8 key upon startup and selecting Safe Mode from the Advanced Startup Menu. Logon to your account.
    • Double-click SmitfraudFix.exe to start the tool and press 2, then hit Enter.
    • You will be prompted 'Do you want to clean the registry?' answer Y (yes) and hit Enter.
    • If prompted to replace the infected wininet.dll file (if found), answer Y (yes) and hit Enter to restore a clean file.
    • Reboot to normal mode when the tool completes.

    Post the contents of C:\rapport.txt and a fresh DSS log.
     

  3. 2007/09/30
    eastratton

    SmitFraudFix v2.181

    Scan done at 15:57:53.60, Sun 09/30/2007
    Run from C:\smitfraud\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{95dde900-8bf3-428c-b9be-8345c9d194f7}"="homeridae"

    [HKEY_CLASSES_ROOT\CLSID\{95dde900-8bf3-428c-b9be-8345c9d194f7}\InProcServer32]
    @="C:\WINDOWS\system32\vzfhprk.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{95dde900-8bf3-428c-b9be-8345c9d194f7}\InProcServer32]
    @="C:\WINDOWS\system32\vzfhprk.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{7A08BCCA-FC63-4F39-A873-6DF9EEEADEF1}: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{7A08BCCA-FC63-4F39-A873-6DF9EEEADEF1}: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{7A08BCCA-FC63-4F39-A873-6DF9EEEADEF1}: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{95dde900-8bf3-428c-b9be-8345c9d194f7}"="homeridae"

    [HKEY_CLASSES_ROOT\CLSID\{95dde900-8bf3-428c-b9be-8345c9d194f7}\InProcServer32]
    @="C:\WINDOWS\system32\vzfhprk.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{95dde900-8bf3-428c-b9be-8345c9d194f7}\InProcServer32]
    @="C:\WINDOWS\system32\vzfhprk.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» End

    And the DSS log:

    Deckard's System Scanner v20070905.67
    Run by ed on 2007-09-30 16:02:08
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as ed.exe) --------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:02:11 PM, on 9/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Online Video Add-on\isfmntr.exe
    C:\Program Files\Online Video Add-on\icthis.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Online Video Add-on\icmntr.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Online Video Add-on\isfmm.exe
    C:\Program Files\AntiVirGear 3.8\AntiVirGear 3.8.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ed\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ed.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: ieffse32.msdn_hlp - {C1C6426B-FB16-4123-ACBE-74D94FB0E663} - C:\WINDOWS\system32\ieffse32.dll
    O2 - BHO: (no name) - {D579A683-0CC7-4023-BAE7-0544D0D1DA3A} - C:\Program Files\Online Video Add-on\isfmdl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: IE Custom Tools - {41F6170D-6AF8-4188-8D92-9DDAB3C71A78} - C:\Program Files\Online Video Add-on\ictmdl.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE "
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [AntiVirGear 3.8] "C:\Program Files\AntiVirGear 3.8\AntiVirGear 3.8.exe" /h
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Online Video Add-on\isfmntr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Video Add-on\icthis.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    O22 - SharedTaskScheduler: homeridae - {95dde900-8bf3-428c-b9be-8345c9d194f7} - C:\WINDOWS\system32\vzfhprk.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    --
    End of file - 6856 bytes

    -- Files created between 2007-08-30 and 2007-09-30 -----------------------------

    2007-09-30 15:52:31 25088 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-09-30 15:52:31 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2007-09-30 14:36:07 0 d-------- C:\Program Files\Trend Micro
    2007-09-29 23:16:45 4 --a------ C:\WINDOWS\system32\bsnzafqa.bin
    2007-09-29 23:15:27 31232 --a------ C:\WINDOWS\system32\regmod.exe <Not Verified; Microsoft; RegMode>
    2007-09-29 23:15:27 19456 --a------ C:\WINDOWS\system32\ieffse32.dll <Not Verified; Microsoft; Windows Explorer cdrom optimizer>
    2007-09-29 23:15:27 569 --a------ C:\WINDOWS\system32\cfg.dat
    2007-09-29 23:15:26 0 d-------- C:\Program Files\AntiVirGear 3.8
    2007-09-29 23:15:22 0 d-------- C:\Program Files\Online Video Add-on
    2007-09-21 21:21:44 0 d-------- C:\Documents and Settings\ed\Application Data\MSN6
    2007-09-21 21:21:44 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2007-09-20 04:57:04 0 d-------- C:\Program Files\Common Files\EasyInfo
    2007-09-19 13:01:36 0 d-------- C:\WINDOWS\system32\LogFiles
    2007-09-19 10:52:51 0 d-------- C:\Program Files\Download Manager
    2007-09-19 10:52:40 0 d-------- C:\Documents and Settings\ed\Application Data\IGN_DLM
    2007-09-19 10:21:43 0 d-------- C:\Program Files\GameSpy Arcade
    2007-09-12 11:37:21 88 -r-hs---- C:\WINDOWS\system32\CB78CF27A8.sys
    2007-09-12 11:35:12 0 d-------- C:\Documents and Settings\ed\Application Data\Corel
    2007-09-12 11:35:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
    2007-09-12 11:34:14 0 d-------- C:\Program Files\Common Files\Corel
    2007-09-12 11:31:03 2828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-09-12 11:28:29 0 d-------- C:\Program Files\Corel
    2007-09-12 11:22:11 0 d-------- C:\Program Files\Wondershare


    -- Find3M Report ---------------------------------------------------------------

    2007-09-30 15:57:56 3392 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-30 13:54:23 0 d-------- C:\Documents and Settings\ed\Application Data\LimeWire
    2007-09-29 20:28:38 128542 --a------ C:\logfile
    2007-09-27 20:38:20 0 d-------- C:\Program Files\Trillian
    2007-09-27 04:55:33 12800 --a-s---- C:\WINDOWS\system32\vzfhprk.dll
    2007-09-21 04:30:36 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-09-20 04:57:04 0 d-------- C:\Program Files\Common Files
    2007-09-19 10:00:26 0 d-------- C:\Program Files\EA Games
    2007-09-13 04:18:54 0 d-------- C:\Program Files\thorui
    2007-09-06 18:29:04 0 d-------- C:\Documents and Settings\ed\Application Data\U3
    2007-09-05 08:04:45 0 d-------- C:\Program Files\StarWarsGalaxies
    2007-08-25 17:05:38 0 d-------- C:\Program Files\Steam
    2007-08-24 22:07:07 33626 --a------ C:\Documents and Settings\ed\Application Data\NMM-MetaData.db
    2007-08-23 16:59:05 0 d-------- C:\Documents and Settings\ed\Application Data\Sony Corporation
    2007-08-19 10:12:33 0 d-------- C:\Program Files\Sony
    2007-08-19 10:12:16 0 d-------- C:\Program Files\Sony Corporation
    2007-08-19 10:09:27 0 d-------- C:\Program Files\Common Files\Sony Shared
    2007-08-13 13:10:03 0 d---s---- C:\Program Files\Xfire
    2007-08-13 13:09:44 0 d-------- C:\Documents and Settings\ed\Application Data\Xfire
    2007-08-12 14:35:29 0 d-------- C:\Program Files\Common Files\PCSuite
    2007-08-12 14:35:29 0 d-------- C:\Program Files\Common Files\Nokia
    2007-08-12 14:35:28 0 d-------- C:\Program Files\Nokia
    2007-08-12 14:34:59 0 d-------- C:\Program Files\PC Connectivity Solution
    2007-08-12 11:49:05 0 d-------- C:\Documents and Settings\ed\Application Data\Nokia Multimedia Player
    2007-08-03 05:17:58 0 d-------- C:\Program Files\Common Files\Adobe
    2007-08-01 16:58:19 0 d-------- C:\Program Files\Motorola Phone Tools
    2007-08-01 16:57:54 0 d-------- C:\Program Files\Common Files\Motorola Shared
    2007-08-01 16:54:40 0 d-------- C:\Program Files\Avanquest update


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1C6426B-FB16-4123-ACBE-74D94FB0E663}]
    09/29/2007 11:15 PM 19456 --a------ C:\WINDOWS\system32\ieffse32.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D579A683-0CC7-4023-BAE7-0544D0D1DA3A}]
    09/30/2007 04:01 PM 11776 --a------ C:\Program Files\Online Video Add-on\isfmdl.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{41F6170D-6AF8-4188-8D92-9DDAB3C71A78} "= C:\Program Files\Online Video Add-on\ictmdl.dll [09/29/2007 11:15 PM 64000]

    [-HKEY_CLASSES_ROOT\CLSID\{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL "= "RTHDCPL.EXE" [06/28/2006 02:54 AM C:\WINDOWS\RTHDCPL.exe]
    "Alcmtr "= "ALCMTR.EXE" [05/03/2005 06:43 AM C:\WINDOWS\Alcmtr.exe]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [02/06/2007 05:09 PM]
    "Logitech Hardware Abstraction Layer "= "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [07/19/2006 01:03 PM]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [07/19/2006 01:03 PM C:\WINDOWS\KHALMNPR.Exe]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [08/04/2004 01:56 AM C:\WINDOWS\system32\bthprops.cpl]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [08/11/2006 10:43 PM]
    "SNM "= "C:\Program Files\SpyNoMore\SNM.exe" []
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
    "PCSuiteTrayApplication "= "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [06/18/2007 03:10 PM]
    "Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
    "AntiVirGear 3.8 "= "C:\Program Files\AntiVirGear 3.8\AntiVirGear 3.8.exe" [09/28/2007 07:17 AM]
    "Corel Photo Downloader "= "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [08/28/2007 12:00 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/21/2007 11:54 PM]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [03/27/2007 03:22 PM]
    "MySpaceIM "= "C:\Program Files\MySpace\IM\MySpaceIM.exe" [08/13/2007 08:04 PM]
    "igndlm.exe "= "C:\Program Files\Download Manager\DLM.exe" [03/05/2007 05:57 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM "=C:\Program Files\MySpace\IM\MySpaceIM.exe
    "Nokia.PCSync "=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    C:\Documents and Settings\ed\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [7/2/2007 1:07:31 PM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "start "=C:\Program Files\Online Video Add-on\isfmntr.exe
    "some "=C:\Program Files\Online Video Add-on\icthis.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{95dde900-8bf3-428c-b9be-8345c9d194f7} "= C:\WINDOWS\system32\vzfhprk.dll [09/27/2007 04:55 AM 12800]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Loadout Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk
    backup=C:\WINDOWS\pss\Loadout Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0302891178765690mcinstcleanup]
    C:\DOCUME~1\ed\LOCALS~1\Temp\030289~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
    C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    SkyTel.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "C:\Program Files\Steam\Steam.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
    C:\Program Files\Logitech\iTouch\iTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ




    -- End of Deckard's System Scanner: finished at 2007-09-30 16:02:45 ------------
     
  5. 2007/09/30
    noahdfear
    You used an old version of SmitFraudFix. Please delete the copy you have, then download it from the link I supplied above and run the tool again in safe mode. Post the new logs.
     
  6. 2007/09/30
    eastratton
    Sorry, I forgot I had both on there. Thank you.
    SmitFraudFix v2.234

    Scan done at 21:03:33.09, Sun 09/30/2007
    Run from C:\Documents and Settings\ed\My Documents\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{95dde900-8bf3-428c-b9be-8345c9d194f7} "= "homeridae "

    [HKEY_CLASSES_ROOT\CLSID\{95dde900-8bf3-428c-b9be-8345c9d194f7}\InProcServer32]
    @= "C:\WINDOWS\system32\vzfhprk.dll "

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{95dde900-8bf3-428c-b9be-8345c9d194f7}\InProcServer32]
    @= "C:\WINDOWS\system32\vzfhprk.dll "


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\vzfhprk.dll -> Hoax.Win32.Renos.gen.o
    C:\WINDOWS\system32\vzfhprk.dll -> Deleted


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\ieffse32.dll Deleted
    C:\WINDOWS\system32\regmod.exe Deleted
    C:\Program Files\AntiVirGear 3.8\ Deleted
    C:\Program Files\Online Video Add-on\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{7A08BCCA-FC63-4F39-A873-6DF9EEEADEF1}: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{7A08BCCA-FC63-4F39-A873-6DF9EEEADEF1}: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{7A08BCCA-FC63-4F39-A873-6DF9EEEADEF1}: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.9.16.30 68.9.16.25 68.100.16.30


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Deckard's System Scanner v20070905.67
    Run by ed on 2007-09-30 21:07:34
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as ed.exe) --------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:07:37 PM, on 9/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ed\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ed.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE "
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    --
    End of file - 5770 bytes

    -- Files created between 2007-08-30 and 2007-09-30 -----------------------------

    2007-09-30 15:52:31 25088 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-09-30 15:52:31 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2007-09-30 14:36:07 0 d-------- C:\Program Files\Trend Micro
    2007-09-29 23:16:45 4 --a------ C:\WINDOWS\system32\bsnzafqa.bin
    2007-09-29 23:15:27 569 --a------ C:\WINDOWS\system32\cfg.dat
    2007-09-21 21:21:44 0 d-------- C:\Documents and Settings\ed\Application Data\MSN6
    2007-09-21 21:21:44 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
    2007-09-20 04:57:04 0 d-------- C:\Program Files\Common Files\EasyInfo
    2007-09-19 13:01:36 0 d-------- C:\WINDOWS\system32\LogFiles
    2007-09-19 10:52:51 0 d-------- C:\Program Files\Download Manager
    2007-09-19 10:52:40 0 d-------- C:\Documents and Settings\ed\Application Data\IGN_DLM
    2007-09-19 10:21:43 0 d-------- C:\Program Files\GameSpy Arcade
    2007-09-12 11:37:21 88 -r-hs---- C:\WINDOWS\system32\CB78CF27A8.sys
    2007-09-12 11:35:12 0 d-------- C:\Documents and Settings\ed\Application Data\Corel
    2007-09-12 11:35:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
    2007-09-12 11:34:14 0 d-------- C:\Program Files\Common Files\Corel
    2007-09-12 11:31:03 2672 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-09-12 11:28:29 0 d-------- C:\Program Files\Corel
    2007-09-12 11:22:11 0 d-------- C:\Program Files\Wondershare


    -- Find3M Report ---------------------------------------------------------------

    2007-09-30 21:03:36 3392 --a------ C:\WINDOWS\system32\tmp.reg
    2007-09-30 13:54:23 0 d-------- C:\Documents and Settings\ed\Application Data\LimeWire
    2007-09-29 20:28:38 128542 --a------ C:\logfile
    2007-09-27 20:38:20 0 d-------- C:\Program Files\Trillian
    2007-09-21 04:30:36 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-09-20 04:57:04 0 d-------- C:\Program Files\Common Files
    2007-09-19 10:00:26 0 d-------- C:\Program Files\EA Games
    2007-09-13 04:18:54 0 d-------- C:\Program Files\thorui
    2007-09-06 18:29:04 0 d-------- C:\Documents and Settings\ed\Application Data\U3
    2007-09-05 08:04:45 0 d-------- C:\Program Files\StarWarsGalaxies
    2007-08-25 17:05:38 0 d-------- C:\Program Files\Steam
    2007-08-24 22:07:07 33626 --a------ C:\Documents and Settings\ed\Application Data\NMM-MetaData.db
    2007-08-23 16:59:05 0 d-------- C:\Documents and Settings\ed\Application Data\Sony Corporation
    2007-08-19 10:12:33 0 d-------- C:\Program Files\Sony
    2007-08-19 10:12:16 0 d-------- C:\Program Files\Sony Corporation
    2007-08-19 10:09:27 0 d-------- C:\Program Files\Common Files\Sony Shared
    2007-08-13 13:10:03 0 d---s---- C:\Program Files\Xfire
    2007-08-13 13:09:44 0 d-------- C:\Documents and Settings\ed\Application Data\Xfire
    2007-08-12 14:35:29 0 d-------- C:\Program Files\Common Files\PCSuite
    2007-08-12 14:35:29 0 d-------- C:\Program Files\Common Files\Nokia
    2007-08-12 14:35:28 0 d-------- C:\Program Files\Nokia
    2007-08-12 14:34:59 0 d-------- C:\Program Files\PC Connectivity Solution
    2007-08-12 11:49:05 0 d-------- C:\Documents and Settings\ed\Application Data\Nokia Multimedia Player
    2007-08-03 05:17:58 0 d-------- C:\Program Files\Common Files\Adobe
    2007-08-01 16:58:19 0 d-------- C:\Program Files\Motorola Phone Tools
    2007-08-01 16:57:54 0 d-------- C:\Program Files\Common Files\Motorola Shared
    2007-08-01 16:54:40 0 d-------- C:\Program Files\Avanquest update


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [06/28/2006 02:54 AM C:\WINDOWS\RTHDCPL.exe]
    "Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 AM C:\WINDOWS\Alcmtr.exe]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/06/2007 05:09 PM]
    "Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [07/19/2006 01:03 PM]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [07/19/2006 01:03 PM C:\WINDOWS\KHALMNPR.Exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 01:56 AM C:\WINDOWS\system32\bthprops.cpl]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/11/2006 10:43 PM]
    "SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [06/18/2007 03:10 PM]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
    "Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [08/28/2007 12:00 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/21/2007 11:54 PM]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [03/27/2007 03:22 PM]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [08/13/2007 08:04 PM]
    "igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [03/05/2007 05:57 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
    "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    C:\Documents and Settings\ed\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [7/2/2007 1:07:31 PM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Loadout Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk
    backup=C:\WINDOWS\pss\Loadout Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0302891178765690mcinstcleanup]
    C:\DOCUME~1\ed\LOCALS~1\Temp\030289~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
    C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    SkyTel.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "C:\Program Files\Steam\Steam.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
    C:\Program Files\Logitech\iTouch\iTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ




    -- End of Deckard's System Scanner: finished at 2007-09-30 21:08:10 ------------
     
  7. 2007/09/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks like we got it. ;)

    Scan again with HijackThis and place a check next to the following entries, then click Fix Checked.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


    Close HijackThis.

    Now delete the following files and folders.

    SmitfraudFix.exe
    My Documents\SmitfraudFix
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\tmp.reg


    Gonna kill another file with the command prompt. Click Start>Run and type cmd then hit Enter to open a command window. Highlight and copy the bolded command below, then right click>Paste the command into the command window and hit Enter.

    attrib -r -h -s C:\WINDOWS\system32\CB78CF27A8.sys


    Now copy the next command and paste it in as well, then hit Enter.

    del /q C:\WINDOWS\system32\CB78CF27A8.sys


    Now, please go to jotti, click browse and navigate to and select the following file. Submit it for analysis and wait for the results, then copy and save them for posting back here.

    C:\WINDOWS\system32\bsnzafqa.bin

    When done, please analyze this file too.

    C:\WINDOWS\system32\cfg.dat


    Next, download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    Now please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log. I'd like to see those results from jotti too.
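    The "(no file)" check from the post above, written out as code. This is an added example for this thread, not part of HijackThis and not code posted by anyone in the discussion: a small Python triage pass over lines in the HijackThis 2.0 log format. It flags O2/O3 entries whose CLSID no longer resolves to a file (the two items ticked for Fix Checked above), O4 Run entries that launch from a Temp folder, and Run entries loaded under the SYSTEM hive. The sample lines are a constructed input in that format: all but the last are copied from the logs in this thread, and the last (value name "example") is invented to exercise the Temp-folder check. A flag is a prompt to review the entry, not a verdict on it.

```python
"""Triage pass over a HijackThis 2.0 log.

Added example for this thread; not part of HijackThis and not code posted by
anyone in the discussion. Flags are prompts for review, not verdicts.
"""
import re

# Constructed sample in HijackThis format. All but the last line are copied from
# the logs posted in this thread; the last is an invented Temp-folder Run entry.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')",
    r"O4 - HKLM\..\Run: [example] C:\DOCUME~1\ed\LOCALS~1\Temp\example.exe",
]

# O2 (BHO) and O3 (toolbar): "<section> - <label>: <name> - {CLSID} - <path or (no file)>"
O2O3_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")
# O4 (autostart): "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(.+?)\] (.*)$")
# Any path component named "Temp": a normal place for droppers, not for autostarts.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(lines):
    """Return (section, identifier, reason) for every entry worth a second look."""
    findings = []
    for line in lines:
        m = O2O3_RE.match(line)
        if m:
            section, _name, clsid, target = m.groups()
            if target.strip() == "(no file)":
                findings.append((section, clsid, "orphaned CLSID registration, no backing file"))
            elif TEMP_RE.search(target):
                findings.append((section, clsid, "browser extension loads from a Temp folder"))
            continue
        m = O4_RE.match(line)
        if m:
            hive, value_name, command = m.groups()
            if hive.upper().startswith("HKUS\\S-1-5-18"):
                findings.append(("O4", value_name, "Run entry under the SYSTEM hive"))
            if TEMP_RE.search(command):
                findings.append(("O4", value_name, "Run entry launches from a Temp folder"))
    return findings


def lines_to_fix(lines):
    """The exact log lines to tick before 'Fix Checked': O2/O3 entries with no file."""
    return [l for l in lines if O2O3_RE.match(l) and l.rstrip().endswith("(no file)")]


if __name__ == "__main__":
    for section, ident, reason in triage(SAMPLE_LOG):
        print(f"{section:3} {ident:40} {reason}")
    print("\nFix Checked:")
    for l in lines_to_fix(SAMPLE_LOG):
        print(" ", l)
```

    Run it on a saved HijackThis log by passing the file's lines to triage(); the orphaned O2/O3 items are the ones HijackThis can remove safely because there is no file behind the registration, while the Temp-folder and SYSTEM-hive hits need the file itself looked at before anything is deleted.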
     
  8. 2007/10/01
    eastratton

    eastratton Inactive Thread Starter

    Joined:
    2007/05/10
    Messages:
    8
    Likes Received:
    0
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, October 01, 2007 11:43:46 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 1/10/2007
    Kaspersky Anti-Virus database records: 425930
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 103101
    Number of viruses found: 15
    Number of infected objects: 52
    Number of suspicious objects: 0
    Duration of the scan process: 00:59:53

    Infected Object Name / Virus Name / Last Action
    C:\Deckard\System Scanner\20070930160208\backup\DOCUME~1\ed\LOCALS~1\Temp\br2C.exe/data0006 Infected: not-a-virus:FraudTool.Win32.AntiVirGear.d skipped
    C:\Deckard\System Scanner\20070930160208\backup\DOCUME~1\ed\LOCALS~1\Temp\br2C.exe NSIS: infected - 1 skipped
    C:\Deckard\System Scanner\20070930160208\backup\DOCUME~1\ed\LOCALS~1\Temp\laf1.exe Infected: Trojan-Downloader.Win32.Small.fwj skipped
    C:\Deckard\System Scanner\20070930160208\backup\DOCUME~1\ed\LOCALS~1\Temp\laf2.exe/EXE-file Infected: Trojan-Downloader.Win32.VB.bla skipped
    C:\Deckard\System Scanner\20070930160208\backup\DOCUME~1\ed\LOCALS~1\Temp\laf2.exe Embedded EXE: infected - 1 skipped
    C:\Deckard\System Scanner\20070930160208\backup\DOCUME~1\ed\LOCALS~1\Temp\laf2.exe UPX: infected - 1 skipped
    C:\Deckard\System Scanner\20070930160208\backup\DOCUME~1\ed\LOCALS~1\Temp\laf2.exe PE_Patch.UPX: infected - 1 skipped
    C:\Deckard\System Scanner\20070930160208\backup\DOCUME~1\ed\LOCALS~1\Temp\nst2B.tmp\cup.dll Infected: Trojan-Downloader.Win32.Zlob.czj skipped
    C:\Documents and Settings\ed\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\ed\Desktop\saviour\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\ed\Desktop\saviour\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\ed\Desktop\saviour\SmitfraudFix.exe RarSFX: infected - 2 skipped
    C:\Documents and Settings\ed\Desktop\tools\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\ed\Desktop\tools\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\ed\Desktop\tools\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\ed\Desktop\tools\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\ed\Desktop\tools\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\ed\Desktop\tools\SmitfraudFix.exe RarSFX: infected - 2 skipped
    C:\Documents and Settings\ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\ed\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\ed\Local Settings\History\History.IE5\MSHist012007100120071002\index.dat Object is locked skipped
    C:\Documents and Settings\ed\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\ed\My Documents\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\ed\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\ed\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\smitfraud\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\smitfraud\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\smitfraud\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP282\A0030394.exe Infected: Trojan-Downloader.Win32.Zlob.cyy skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP282\A0030447.dll Infected: Trojan-Downloader.Win32.Zlob.czc skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP282\A0030448.exe Infected: Trojan-Downloader.Win32.Zlob.cyz skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP282\A0030449.exe Infected: Trojan-Downloader.Win32.Zlob.czd skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP282\A0030460.dll Infected: Trojan-Downloader.Win32.Zlob.czc skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP282\A0030461.exe Infected: Trojan-Downloader.Win32.Zlob.cyz skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP282\A0030462.exe Infected: Trojan-Downloader.Win32.Zlob.czd skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030487.dll Infected: Trojan-Downloader.Win32.Zlob.czc skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030488.exe Infected: Trojan-Downloader.Win32.Zlob.cyz skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030489.exe Infected: Trojan-Downloader.Win32.Zlob.czd skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030495.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030495.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030495.exe RarSFX: infected - 2 skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030503.dll Infected: Trojan-Downloader.Win32.Zlob.czc skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030504.exe Infected: Trojan-Downloader.Win32.Zlob.cyz skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030505.exe Infected: Trojan-Downloader.Win32.Zlob.czd skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030511.dll Infected: Trojan-Downloader.Win32.Small.fwk skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030512.dll Infected: Trojan-Downloader.Win32.VB.bla skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030515.exe Infected: not-a-virus:FraudTool.Win32.AntiVirGear.d skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030521.exe Infected: Trojan-Downloader.Win32.Zlob.cyz skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030522.exe Infected: Trojan-Downloader.Win32.Zlob.cyv skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030523.dll Infected: not-a-virus:AdWare.Win32.Agent.le skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030524.exe Infected: Trojan-Downloader.Win32.Zlob.cze skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030525.exe Infected: Trojan-Downloader.Win32.Zlob.cyw skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030526.dll Infected: Trojan-Downloader.Win32.Zlob.czc skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030527.exe Infected: Trojan-Downloader.Win32.Zlob.czd skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP283\A0030528.exe Infected: Trojan-Downloader.Win32.Zlob.cyx skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP284\A0030544.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP284\A0030544.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP284\A0030544.exe RarSFX: infected - 2 skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP284\A0030553.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{1262098D-C807-4D87-ADAC-F5EAC46D9E03}\RP284\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:38:25 AM, on 10/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    --
    End of file - 5648 bytes

    Service load: 0% 100%

    File: bsnzafqa.bin
    Status: OK
    MD5: 03c623a3bd5af879d846b2b258f37293
    Packers detected: -
    Bit9 reports: File not found

    Scanner results
    Scan taken on 01 Oct 2007 02:10:00 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    Service load: 0% 100%

    File: cfg.dat
    Status: OK
    MD5: 79c5e773af0b936a87a480fbf9b5b0f3
    Packers detected: -
    Bit9 reports: File not found

    Scanner results
    Scan taken on 01 Oct 2007 02:13:25 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
     
  9. 2007/10/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm recommending you delete those two files I had you submit to jotti. If you look at your first dss log excerpt below, you'll see that they were created in the same timeframe you were infected. The red items are what SmitfraudFix removed.

    2007-09-29 23:16:45 4 --a------ C:\WINDOWS\system32\bsnzafqa.bin
    2007-09-29 23:15:27 31232 --a------ C:\WINDOWS\system32\regmod.exe <Not Verified; Microsoft; RegMode>
    2007-09-29 23:15:27 19456 --a------ C:\WINDOWS\system32\ieffse32.dll <Not Verified; Microsoft; Windows Explorer cdrom optimizer>
    2007-09-29 23:15:27 569 --a------ C:\WINDOWS\system32\cfg.dat
    2007-09-29 23:15:26 0 d-------- C:\Program Files\AntiVirGear 3.8
    2007-09-29 23:15:22 0 d-------- C:\Program Files\Online Video Add-on


    Delete the following files and folders as well. There will be updated versions available if ever required again.

    dss.exe
    C:\Deckard
    C:\smitfraud\SmitfraudFix
    C:\Documents and Settings\ed\Desktop\saviour\SmitfraudFix.exe
    C:\Documents and Settings\ed\Desktop\tools\SmitfraudFix
    C:\Documents and Settings\ed\Desktop\tools\SmitfraudFix.exe
    C:\Documents and Settings\ed\My Documents\SmitfraudFix

    Now empty the recycle bin.

    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


    Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showpost.php?p=356653&postcount=49

    Surf safe!


    Is there a reason you do not have any Antivirus or Firewall protection on your computer?
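    The two pieces of reasoning used in this thread, a hidden+system file sitting in system32 (the attrib/del treatment of CB78CF27A8.sys in post 7) and files created within minutes of a path already known to be bad (bsnzafqa.bin and cfg.dat in the post above), as an added example: a Python triage pass over lines in the format of the Deckard's System Scanner new-files report. It is not part of dss and not code from the thread. The input is constructed from the report lines quoted in this discussion; the 15-minute window is an assumption. A hit means look closer, not that the file is malicious: the attribute check also surfaces KGyGaAvL.sys, which the helper did not ask to remove.

```python
"""Triage pass over a Deckard's System Scanner (dss) new-files report.

Added example for this thread; not part of dss and not code posted in the
discussion. Two checks: non-directory entries carrying both the hidden and
system attributes under system32, and entries created within a short window of
a path already known to be bad. A hit is a prompt to look closer, not a verdict.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Constructed input in dss format; the lines are the ones quoted in this thread.
SAMPLE_REPORT = [
    r"2007-09-29 23:16:45 4 --a------ C:\WINDOWS\system32\bsnzafqa.bin",
    r"2007-09-29 23:15:27 31232 --a------ C:\WINDOWS\system32\regmod.exe <Not Verified; Microsoft; RegMode>",
    r"2007-09-29 23:15:27 19456 --a------ C:\WINDOWS\system32\ieffse32.dll <Not Verified; Microsoft; Windows Explorer cdrom optimizer>",
    r"2007-09-29 23:15:27 569 --a------ C:\WINDOWS\system32\cfg.dat",
    r"2007-09-29 23:15:26 0 d-------- C:\Program Files\AntiVirGear 3.8",
    r"2007-09-29 23:15:22 0 d-------- C:\Program Files\Online Video Add-on",
    r"2007-09-12 11:37:21 88 -r-hs---- C:\WINDOWS\system32\CB78CF27A8.sys",
    r"2007-09-12 11:31:03 2672 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys",
    r"2007-09-12 11:28:29 0 d-------- C:\Program Files\Corel",
]

# "<YYYY-MM-DD HH:MM:SS> <size> <attrs> <path>[ <version note>]"
# attrs is a 9-character column: d=directory, r=read-only, a=archive, h=hidden, s=system.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) ([d-][r-][a-][h-][s-]-{4}) (.+?)(?: <(.*)>)?$"
)


class Entry(NamedTuple):
    created: datetime
    size: int
    attrs: str             # dss attribute column, e.g. "-r-hs----"
    path: str
    note: Optional[str]    # text of a trailing "<Not Verified; ...>" field, if any

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def system(self) -> bool:
        return self.attrs[4] == "s"


def parse_dss(lines: List[str]) -> List[Entry]:
    """Parse report lines; section headers, blanks and anything else are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path, note = m.groups()
        entries.append(Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                             int(size), attrs, path, note))
    return entries


def hidden_system_files(entries: List[Entry], under: str = r"C:\WINDOWS\system32") -> List[str]:
    """Files (not folders) under `under` with both the hidden and system attributes set."""
    prefix = under.lower().rstrip("\\") + "\\"
    return [e.path for e in entries
            if not e.is_dir and e.hidden and e.system and e.path.lower().startswith(prefix)]


def created_near(entries: List[Entry], anchor_path: str,
                 window: timedelta = timedelta(minutes=15)) -> List[str]:
    """Paths created within `window` of the entry for `anchor_path` (anchor itself excluded)."""
    anchors = [e for e in entries if e.path.lower() == anchor_path.lower()]
    if not anchors:
        raise ValueError(f"anchor not in report: {anchor_path}")
    t0 = anchors[0].created
    return [e.path for e in entries
            if e.path.lower() != anchor_path.lower() and abs(e.created - t0) <= window]


if __name__ == "__main__":
    entries = parse_dss(SAMPLE_REPORT)
    print("hidden+system files under system32:")
    for p in hidden_system_files(entries):
        print("  ", p)
    anchor = r"C:\Program Files\AntiVirGear 3.8"
    print(f"\ncreated within 15 minutes of {anchor}:")
    for p in created_near(entries, anchor):
        print("  ", p)
```

    The time-window check is the one that does the real work here: the rogue installer drops its files in a burst, so anchoring on a folder you already know is bad (the AntiVirGear 3.8 directory) pulls out the companions that no scanner engine flagged, which is exactly the situation the jotti results above left you in.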
     
