Bullguard Free Antivirus Forum

The original version of this page can be found at : http://forum.bullguard.com/forum/10/Cannot-remove-virus-from-pc_55067.html

Posted By : jezaus - 10-20-2007 3:55

i have run spyware s&d, avg anti spyware, adawares se,and canot remove virus.avast picks finds the virus but cannot get rid of it.thge message i receive is that an example of win32:trojan-gen {other} is there i have attached a copy of my hijack this log. any help in sorting this out will be appreciated thanks.Logfile of HijackThis v1.99.1
Scan saved at 15:44:44, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {480598DD-AE28-48B7-82F7-6ADDA1AA6B66} - C:\WINDOWS\ntspkfnd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: IE Custom Tools - {062F3F8B-CB94-4D76-A98A-EF800A438F01} - C:\Program Files\Video Add-on\ictmdl.dll
O3 - Toolbar: The htunistock - {B02534D7-8D91-49BE-A864-97DFB8E0BAB4} - C:\WINDOWS\optnet.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_SC0.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186785630093
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: hostctrl - {A293A67A-8F1A-4962-B3D4-6EFD908C0D78} - C:\WINDOWS\hostctrl.dll
O21 - SSODL: hstsys - {90FD22A8-3687-4D04-8653-21B6E0CCE01D} - C:\WINDOWS\hstsys.dll (file missing)
O21 - SSODL: msmhost - {5665A400-8D26-4690-8133-B17495897F8A} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {A5C1C279-EAB8-4F6C-A69D-FC7536371EFA} - C:\WINDOWS\msmdev.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Posted By : Touch - 10-20-2007 4:40

Hi jezaus

Please download http://siri.urz.free.fr/Fix/SmitfraudFix.exe (by S!Ri)

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (normally C:), and launch from there.

Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.

Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)

Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, normally C:\rapport.txt

Post a fresh hijackthis log with rapport txt, and tell how your computer are behaving

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

process.exe is detected by some antivirus programs as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

Posted By : jezaus - 10-20-2007 5:38

I used the smitfraudfix cleaner and rechecked operation of pc.it is still coming up with virus prompt. i have attached new hijack this result and rapporttxt.Logfile of HijackThis v1.99.1
Scan saved at 17:23:07, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {480598DD-AE28-48B7-82F7-6ADDA1AA6B66} - C:\WINDOWS\ntspkfnd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: IE Custom Tools - {062F3F8B-CB94-4D76-A98A-EF800A438F01} - C:\Program Files\Video Add-on\ictmdl.dll
O3 - Toolbar: (no name) - {B02534D7-8D91-49BE-A864-97DFB8E0BAB4} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_SC0.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186785630093
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: hostctrl - {A293A67A-8F1A-4962-B3D4-6EFD908C0D78} - C:\WINDOWS\hostctrl.dll
O21 - SSODL: hstsys - {90FD22A8-3687-4D04-8653-21B6E0CCE01D} - (no file)
O21 - SSODL: msmhost - {8F1A6AC3-3756-4A22-9E9B-E3BBD1D7D672} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {3C7ED1FA-BC95-478A-B11D-970BBD6C0DE0} - C:\WINDOWS\msmdev.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

SmitFraudFix v2.240

Scan done at 17:10:25.45, 20/10/2007
Run from C:\Documents and Settings\Jez\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7999c5e2-b500-4ba5-8e9a-99639eca65fc}"="celtiberi"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3871489E-B3CC-4F26-B448-A642D1859CAA}: DhcpNameServer=62.231.32.10 62.231.32.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DFBBE5E3-A938-4AD3-A03D-FAA82583AF4C}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3871489E-B3CC-4F26-B448-A642D1859CAA}: DhcpNameServer=62.231.32.10 62.231.32.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DFBBE5E3-A938-4AD3-A03D-FAA82583AF4C}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3871489E-B3CC-4F26-B448-A642D1859CAA}: DhcpNameServer=62.231.32.10 62.231.32.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DFBBE5E3-A938-4AD3-A03D-FAA82583AF4C}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7999c5e2-b500-4ba5-8e9a-99639eca65fc}"="celtiberi"

»»»»»»»»»»»»»»»»»»»»»»»» End

Posted By : jezaus - 10-20-2007 6:16

these are the warnings i am getting.and they seem to be popping up every few minutes now.C:\DOCUME~1\Jez\LOCALS~1\Temp\ac8zt2\main_uninstaller.exWin32:Trojan-gen {Other}Virus/Worm
C:\DOCUME~1\Jez\LOCALS~1\Temp\ac8zt2\msmdev.dllWin32:Agent-LTS [Trj]Trojan Horse

:\DOCUME~1\Jez\LOCALS~1\Temp\ac8zt2\nsduo.dllWin32:Trojan-gen {Other}Virus/Worm
C:\DOCUME~1\Jez\LOCALS~1\Temp\ac8zt2\rmv.exeWin32:Trojan-gen {Other}Virus/Worm
hopefully this can give you some more help with wat is going on ok.thanks

Posted By : Touch - 10-20-2007 7:08

Please download Free Version of Superantispyware

http://www.superantispyware.com/superantispywarefreevspro.html

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it.

close the program

Please download ATF Cleaner:

http://www.atribune.org/ccount/click.php?id=1 by Atribune.
This program is for XP and Windows 2000 only

Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT.

Click fix checked.

O2 - BHO: MSVPS System - {480598DD-AE28-48B7-82F7-6ADDA1AA6B66} - C:\WINDOWS\ntspkfnd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll

O3 - Toolbar: IE Custom Tools - {062F3F8B-CB94-4D76-A98A-EF800A438F01} - C:\Program Files\Video Add-on\ictmdl.dll

O21 - SSODL: hostctrl - {A293A67A-8F1A-4962-B3D4-6EFD908C0D78} - C:\WINDOWS\hostctrl.dll
O21 - SSODL: hstsys - {90FD22A8-3687-4D04-8653-21B6E0CCE01D} - (no file)
O21 - SSODL: msmhost - {8F1A6AC3-3756-4A22-9E9B-E3BBD1D7D672} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {3C7ED1FA-BC95-478A-B11D-970BBD6C0DE0} - C:\WINDOWS\msmdev.dll (file missing)

Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.

Reboot to Safe mode

Delete the following files or folders (delete item in bold). Please do not be concerned if

any of the items are not found as they may have been automatically removed by actions I had

you take earlier in the cleaning process.

Open Folder Options in Controlpanel >view and check your settings:

Select

Show hidden files and folders

Display the contents of system folders

Uncheck: Hide protected operating system files

Delete:

Files:

C:\WINDOWS\ntspkfnd.dll
C:\WINDOWS\hostctrl.dll
C:\WINDOWS\msmhost.dll

Folders:

C:\Program Files\Video Add-on\isfmdl.dll

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch (Windows XP) only.
Java Cache

Recycle Bin

NB. It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Start Superantispyware.

Hit - Scan Your Computer - button

Click on the drive(s) you want to scan. Put a check in - Perform Complete Scan, then next,

it will scan now. When scan have finished, put a checkmark with all items it found. Next, after cleaning, allow it to Reboot

Start Superantispyware again –

Click Preferences and then click the statistics/logs tab.

Click the dated log and press view log and a text file will appear.

Post this log along with fresh hijackthis log, and tell how things are running ?

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

Posted By : jezaus - 10-20-2007 10:46

carried out the repairs as u requested.pc seems to be running fine at the moment.thankyou for your help in sorting this problem.just on a quick note why could i not solve this with the use of the other anti virus and spy/adware products.and here are the posts you asked for as well.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/20/2007 at 10:33 PM

Application Version : 3.9.1008

Core Rules Database Version : 3328
Trace Rules Database Version: 1329

Scan type : Complete Scan
Total Scan Time : 00:27:00

Memory items scanned : 417
Memory threats detected : 0
Registry items scanned : 4456
Registry threats detected : 145
File items scanned : 30778
File threats detected : 15

Trojan.Net-MSM/NMC
HKLM\Software\Classes\CLSID\{053D07EA-B09F-45BF-B97F-C521CAF6A73F}
HKCR\CLSID\{053D07EA-B09F-45BF-B97F-C521CAF6A73F}
HKCR\CLSID\{053D07EA-B09F-45BF-B97F-C521CAF6A73F}\InProcServer32
C:\WINDOWS\MSMHOST.DLL
HKLM\Software\Classes\CLSID\{08BC2B15-11F8-4FA6-916F-7C23249BDB13}
HKCR\CLSID\{08BC2B15-11F8-4FA6-916F-7C23249BDB13}
HKCR\CLSID\{08BC2B15-11F8-4FA6-916F-7C23249BDB13}\InProcServer32
HKLM\Software\Classes\CLSID\{09EBB1A3-9442-4CA3-BECA-D520380C462A}
HKCR\CLSID\{09EBB1A3-9442-4CA3-BECA-D520380C462A}
HKCR\CLSID\{09EBB1A3-9442-4CA3-BECA-D520380C462A}\InProcServer32
HKLM\Software\Classes\CLSID\{0A086BE0-3A8D-4FFA-803B-FB161873C198}
HKCR\CLSID\{0A086BE0-3A8D-4FFA-803B-FB161873C198}
HKCR\CLSID\{0A086BE0-3A8D-4FFA-803B-FB161873C198}\InProcServer32
HKLM\Software\Classes\CLSID\{0D035101-7576-49A5-A7E0-57C411221F54}
HKCR\CLSID\{0D035101-7576-49A5-A7E0-57C411221F54}
HKCR\CLSID\{0D035101-7576-49A5-A7E0-57C411221F54}\InProcServer32
HKLM\Software\Classes\CLSID\{113F28B9-CD12-4B32-8CFB-B4978B114352}
HKCR\CLSID\{113F28B9-CD12-4B32-8CFB-B4978B114352}
HKCR\CLSID\{113F28B9-CD12-4B32-8CFB-B4978B114352}\InProcServer32
HKLM\Software\Classes\CLSID\{1626938E-B3D8-45EA-8210-6150584F37B5}
HKCR\CLSID\{1626938E-B3D8-45EA-8210-6150584F37B5}
HKCR\CLSID\{1626938E-B3D8-45EA-8210-6150584F37B5}\InProcServer32
HKLM\Software\Classes\CLSID\{1D231D08-062A-46C7-A6DC-5F87AEC1BE14}
HKCR\CLSID\{1D231D08-062A-46C7-A6DC-5F87AEC1BE14}
HKCR\CLSID\{1D231D08-062A-46C7-A6DC-5F87AEC1BE14}\InProcServer32
HKLM\Software\Classes\CLSID\{1F37E0E3-5303-4D44-8353-C96182E43E33}
HKCR\CLSID\{1F37E0E3-5303-4D44-8353-C96182E43E33}
HKCR\CLSID\{1F37E0E3-5303-4D44-8353-C96182E43E33}\InProcServer32
HKLM\Software\Classes\CLSID\{270CB46F-6E82-4E5E-96C9-E33B7B4C5FD3}
HKCR\CLSID\{270CB46F-6E82-4E5E-96C9-E33B7B4C5FD3}
HKCR\CLSID\{270CB46F-6E82-4E5E-96C9-E33B7B4C5FD3}\InProcServer32
HKLM\Software\Classes\CLSID\{2A6E254F-6CD4-4F8B-8E51-D12A2F591E13}
HKCR\CLSID\{2A6E254F-6CD4-4F8B-8E51-D12A2F591E13}
HKCR\CLSID\{2A6E254F-6CD4-4F8B-8E51-D12A2F591E13}\InProcServer32
HKLM\Software\Classes\CLSID\{2A7965AB-C727-4902-9B1E-0778BFC3C290}
HKCR\CLSID\{2A7965AB-C727-4902-9B1E-0778BFC3C290}
HKCR\CLSID\{2A7965AB-C727-4902-9B1E-0778BFC3C290}\InProcServer32
HKLM\Software\Classes\CLSID\{2B5B86BC-CD46-48E4-95D1-009C774EA91D}
HKCR\CLSID\{2B5B86BC-CD46-48E4-95D1-009C774EA91D}
HKCR\CLSID\{2B5B86BC-CD46-48E4-95D1-009C774EA91D}\InProcServer32
HKLM\Software\Classes\CLSID\{2B981B95-5950-4522-AA5D-9A7E4D16EF58}
HKCR\CLSID\{2B981B95-5950-4522-AA5D-9A7E4D16EF58}
HKCR\CLSID\{2B981B95-5950-4522-AA5D-9A7E4D16EF58}\InProcServer32
HKLM\Software\Classes\CLSID\{2CF1F371-D43B-417C-BA6F-D3DAEA68FA5D}
HKCR\CLSID\{2CF1F371-D43B-417C-BA6F-D3DAEA68FA5D}
HKCR\CLSID\{2CF1F371-D43B-417C-BA6F-D3DAEA68FA5D}\InProcServer32
HKLM\Software\Classes\CLSID\{2F5C7327-3A45-4601-BB5C-96C268593224}
HKCR\CLSID\{2F5C7327-3A45-4601-BB5C-96C268593224}
HKCR\CLSID\{2F5C7327-3A45-4601-BB5C-96C268593224}\InProcServer32
HKLM\Software\Classes\CLSID\{3D5FA6A2-E834-446D-9CEE-7D55B9032341}
HKCR\CLSID\{3D5FA6A2-E834-446D-9CEE-7D55B9032341}
HKCR\CLSID\{3D5FA6A2-E834-446D-9CEE-7D55B9032341}\InProcServer32
HKLM\Software\Classes\CLSID\{3F22FA87-5642-4020-B5BF-AD6F982CCCC3}
HKCR\CLSID\{3F22FA87-5642-4020-B5BF-AD6F982CCCC3}
HKCR\CLSID\{3F22FA87-5642-4020-B5BF-AD6F982CCCC3}\InProcServer32
HKLM\Software\Classes\CLSID\{48C338C7-4AFF-4CF6-B9CB-3CCE66A68E2F}
HKCR\CLSID\{48C338C7-4AFF-4CF6-B9CB-3CCE66A68E2F}
HKCR\CLSID\{48C338C7-4AFF-4CF6-B9CB-3CCE66A68E2F}\InProcServer32
HKLM\Software\Classes\CLSID\{552D39FA-C70B-4EC4-8817-7566730A9E85}
HKCR\CLSID\{552D39FA-C70B-4EC4-8817-7566730A9E85}
HKCR\CLSID\{552D39FA-C70B-4EC4-8817-7566730A9E85}\InProcServer32
HKLM\Software\Classes\CLSID\{5665A400-8D26-4690-8133-B17495897F8A}
HKCR\CLSID\{5665A400-8D26-4690-8133-B17495897F8A}
HKCR\CLSID\{5665A400-8D26-4690-8133-B17495897F8A}\InProcServer32
HKLM\Software\Classes\CLSID\{74DF9BE2-470F-4BFD-ADA5-64CF5503AED8}
HKCR\CLSID\{74DF9BE2-470F-4BFD-ADA5-64CF5503AED8}
HKCR\CLSID\{74DF9BE2-470F-4BFD-ADA5-64CF5503AED8}\InProcServer32
HKLM\Software\Classes\CLSID\{756A35C7-059F-4549-9ED1-AEF1E990A189}
HKCR\CLSID\{756A35C7-059F-4549-9ED1-AEF1E990A189}
HKCR\CLSID\{756A35C7-059F-4549-9ED1-AEF1E990A189}\InProcServer32
HKLM\Software\Classes\CLSID\{75C8EA61-338A-4439-8266-3B116412B5E5}
HKCR\CLSID\{75C8EA61-338A-4439-8266-3B116412B5E5}
HKCR\CLSID\{75C8EA61-338A-4439-8266-3B116412B5E5}\InProcServer32
HKLM\Software\Classes\CLSID\{7E57AC29-079C-4286-943A-DC9EF56ADAB4}
HKCR\CLSID\{7E57AC29-079C-4286-943A-DC9EF56ADAB4}
HKCR\CLSID\{7E57AC29-079C-4286-943A-DC9EF56ADAB4}\InProcServer32
HKLM\Software\Classes\CLSID\{81D72A53-389A-45FE-9384-1CA48127F7C2}
HKCR\CLSID\{81D72A53-389A-45FE-9384-1CA48127F7C2}
HKCR\CLSID\{81D72A53-389A-45FE-9384-1CA48127F7C2}\InProcServer32
HKLM\Software\Classes\CLSID\{830D6AF0-837A-407B-84C9-92D3DC694B16}
HKCR\CLSID\{830D6AF0-837A-407B-84C9-92D3DC694B16}
HKCR\CLSID\{830D6AF0-837A-407B-84C9-92D3DC694B16}\InProcServer32
HKLM\Software\Classes\CLSID\{830EFD1A-7250-4AA0-A100-C49B381BC228}
HKCR\CLSID\{830EFD1A-7250-4AA0-A100-C49B381BC228}
HKCR\CLSID\{830EFD1A-7250-4AA0-A100-C49B381BC228}\InProcServer32
HKLM\Software\Classes\CLSID\{869386CC-0BDD-44D8-A111-A7BA51A19783}
HKCR\CLSID\{869386CC-0BDD-44D8-A111-A7BA51A19783}
HKCR\CLSID\{869386CC-0BDD-44D8-A111-A7BA51A19783}\InProcServer32
HKLM\Software\Classes\CLSID\{8B7CEF98-BECF-4232-B170-D2ADD33E4642}
HKCR\CLSID\{8B7CEF98-BECF-4232-B170-D2ADD33E4642}
HKCR\CLSID\{8B7CEF98-BECF-4232-B170-D2ADD33E4642}\InProcServer32
HKLM\Software\Classes\CLSID\{8F1A6AC3-3756-4A22-9E9B-E3BBD1D7D672}
HKCR\CLSID\{8F1A6AC3-3756-4A22-9E9B-E3BBD1D7D672}
HKCR\CLSID\{8F1A6AC3-3756-4A22-9E9B-E3BBD1D7D672}\InProcServer32
HKLM\Software\Classes\CLSID\{916A6679-E035-4470-9046-DAD429CE0EBC}
HKCR\CLSID\{916A6679-E035-4470-9046-DAD429CE0EBC}
HKCR\CLSID\{916A6679-E035-4470-9046-DAD429CE0EBC}\InProcServer32
HKLM\Software\Classes\CLSID\{91C3DC19-44CF-46BC-9F67-B4C0346C3352}
HKCR\CLSID\{91C3DC19-44CF-46BC-9F67-B4C0346C3352}
HKCR\CLSID\{91C3DC19-44CF-46BC-9F67-B4C0346C3352}\InProcServer32
HKLM\Software\Classes\CLSID\{A1D80BB7-2678-4085-B806-D9F7BDD2FC18}
HKCR\CLSID\{A1D80BB7-2678-4085-B806-D9F7BDD2FC18}
HKCR\CLSID\{A1D80BB7-2678-4085-B806-D9F7BDD2FC18}\InProcServer32
HKLM\Software\Classes\CLSID\{B5E4D89E-C004-4FCD-80D9-5C985A30E243}
HKCR\CLSID\{B5E4D89E-C004-4FCD-80D9-5C985A30E243}
HKCR\CLSID\{B5E4D89E-C004-4FCD-80D9-5C985A30E243}\InProcServer32
HKLM\Software\Classes\CLSID\{BF937593-6F06-4A0F-A62E-75DA8631F940}
HKCR\CLSID\{BF937593-6F06-4A0F-A62E-75DA8631F940}
HKCR\CLSID\{BF937593-6F06-4A0F-A62E-75DA8631F940}\InProcServer32
HKLM\Software\Classes\CLSID\{C9DF81C4-AD22-4F50-8C28-FA56C8147A69}
HKCR\CLSID\{C9DF81C4-AD22-4F50-8C28-FA56C8147A69}
HKCR\CLSID\{C9DF81C4-AD22-4F50-8C28-FA56C8147A69}\InProcServer32
HKLM\Software\Classes\CLSID\{D16A755D-1143-418A-83E7-3AD242E9681F}
HKCR\CLSID\{D16A755D-1143-418A-83E7-3AD242E9681F}
HKCR\CLSID\{D16A755D-1143-418A-83E7-3AD242E9681F}\InProcServer32
HKLM\Software\Classes\CLSID\{D600C691-B719-435A-8342-3EE7987B0228}
HKCR\CLSID\{D600C691-B719-435A-8342-3EE7987B0228}
HKCR\CLSID\{D600C691-B719-435A-8342-3EE7987B0228}\InProcServer32
HKLM\Software\Classes\CLSID\{D7F10D43-6A9A-4CB9-BB1E-6418E00168A9}
HKCR\CLSID\{D7F10D43-6A9A-4CB9-BB1E-6418E00168A9}
HKCR\CLSID\{D7F10D43-6A9A-4CB9-BB1E-6418E00168A9}\InProcServer32
HKLM\Software\Classes\CLSID\{DA526418-75B7-409E-9542-8369E655F084}
HKCR\CLSID\{DA526418-75B7-409E-9542-8369E655F084}
HKCR\CLSID\{DA526418-75B7-409E-9542-8369E655F084}\InProcServer32
HKLM\Software\Classes\CLSID\{DC505D57-597D-43B3-904B-DCD933D99EB2}
HKCR\CLSID\{DC505D57-597D-43B3-904B-DCD933D99EB2}
HKCR\CLSID\{DC505D57-597D-43B3-904B-DCD933D99EB2}\InProcServer32
HKLM\Software\Classes\CLSID\{DDD3E932-CF42-437E-8E1A-5DF167027A42}
HKCR\CLSID\{DDD3E932-CF42-437E-8E1A-5DF167027A42}
HKCR\CLSID\{DDD3E932-CF42-437E-8E1A-5DF167027A42}\InProcServer32
HKLM\Software\Classes\CLSID\{E93A0118-235F-4024-AAD0-BB35C0B90402}
HKCR\CLSID\{E93A0118-235F-4024-AAD0-BB35C0B90402}
HKCR\CLSID\{E93A0118-235F-4024-AAD0-BB35C0B90402}\InProcServer32
HKLM\Software\Classes\CLSID\{ED312F9C-187D-4A38-9596-12373B56C62A}
HKCR\CLSID\{ED312F9C-187D-4A38-9596-12373B56C62A}
HKCR\CLSID\{ED312F9C-187D-4A38-9596-12373B56C62A}\InProcServer32
HKLM\Software\Classes\CLSID\{EDA2C868-782A-47CA-94DE-E1814F7B004A}
HKCR\CLSID\{EDA2C868-782A-47CA-94DE-E1814F7B004A}
HKCR\CLSID\{EDA2C868-782A-47CA-94DE-E1814F7B004A}\InProcServer32
HKLM\Software\Classes\CLSID\{F111DB17-9B98-4F40-A216-57181FA0028C}
HKCR\CLSID\{F111DB17-9B98-4F40-A216-57181FA0028C}
HKCR\CLSID\{F111DB17-9B98-4F40-A216-57181FA0028C}\InProcServer32
HKLM\Software\Classes\CLSID\{F6ABD977-EFA7-4532-818A-6792D4373197}
HKCR\CLSID\{F6ABD977-EFA7-4532-818A-6792D4373197}
HKCR\CLSID\{F6ABD977-EFA7-4532-818A-6792D4373197}\InProcServer32
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4212DEEA-78D8-4A28-B99B-C0BE77FA782E}\RP96\A0018205.DLL

Trojan.Smitfraud Variant-Gen/PQ
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{B02534D7-8D91-49BE-A864-97DFB8E0BAB4}

Adware.Tracking Cookie
C:\Documents and Settings\Jez\Cookies\jez@www.malwareburn.txt
C:\Documents and Settings\Jez\Cookies\jez@overture.txt
C:\Documents and Settings\Jez\Cookies\jez@msnportal.112.2o7.txt
C:\Documents and Settings\Jez\Cookies\jez@indextools.txt
C:\Documents and Settings\Jez\Cookies\jez@questionmarket.txt

Trojan.Net-MSV/VPS-H
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20071020-214641-259.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4212DEEA-78D8-4A28-B99B-C0BE77FA782E}\RP97\A0018299.DLL

Trojan.Media-Codec/V4
C:\PROGRAM FILES\VIDEO ADD-ON\ICTMDL.DLL
C:\PROGRAM FILES\VIDEO ADD-ON\ICTUN.EXE
C:\PROGRAM FILES\VIDEO ADD-ON\ICUN.EXE
C:\PROGRAM FILES\VIDEO ADD-ON\ISFUN.EXE

Trojan.Smitfraud Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4212DEEA-78D8-4A28-B99B-C0BE77FA782E}\RP87\A0017470.DLL

Trojan.Net-HST/NMC
C:\WINDOWS\HOSTCTRL.DLL

Logfile of HijackThis v1.99.1
Scan saved at 22:44:28, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_SC0.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186785630093
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

again i thank you for your help.i will be recommending you to any who are requiring assistance in the future.i will also contact you myself if the need arises again.
regards
Jezaus

Posted By : Touch - 10-21-2007 10:00

We need to use special fix tools to some specific infections, including the one You´ve got, and Superantispyware are (My humble opinion) the best Spywarescanner ;-)

You may want to read TonyKlein´s article about how to prevent against spyware/hijackers in the future

http://www.castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

Need Support? Write to:

| Forum Help Manual

Download free trial version of Bullguard