[pawntoking]

Logfile of HijackThis v1.99.1
Scan saved at 7:55:14 PM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Ewido\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINNT\system32\hpD2BE.tmp
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {A31CCCB0-46A8-11D3-A726-005004B35102} - http://download.acti...SFViewerWeb.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

[Advertisements]

Hi and welcome to GTG

I'm Jet Ian , and I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

[Jag11]

Hi and welcome to GTG

I'm Jet Ian , and I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

[pawntoking]

Hi Jet, glad to hear from you. This is my first time using any type of forum. I wanted to add more information, but wasn't sure I would "bump" my post. Here's more detail.

This problem started when I opened Explorer one night and a message said I had a virus and that I should purchase PestTrap etc. I closed the message and kept surfing. AdWatch popped up with a message saying something was being blocked. This happened a couple of thousand times (about every half second) while I was surfing. I moved the window as far off the screen as I could, so I could keep going. Not good. Of course I didn't record anything. While online the next morning, Nod32 started popping up frequently with "Virus Detected" messages. I followed Nod32 instructions to close the message window. Logged off. Tried Spybot S&D, which said I had PestTrap, Vcodec & Smitfraud-C, but it couldn't remove them. Tried AdAware, but it couldn't clean them either. Ran TrojanHunter, no luck. Ran Ewido, no luck. Ran Nod32 which would find stuff and remove it, but every time I would open up Explorer, I would get the original virus warning screen, which at this point I knew was bogus. So I posted here in desperation.

The latest: While online, one of the virus screens from Nod32 (that are constantly appearing at this point) requested the file for analysis. I just about broke my mouse trying to hit the send button. I got Nod32's usual message that the virus sig had been updated. Hmmm. Ran Nod32 again. It removed Zlob.NAP, Zlob.JG, and 2 others I can't remember. Ran Spybot S&D next, it found and removed PestTrap, Vcodec & Smitfraud-C. Ran AdAware next, it said things were clean. Got on line, thing looked good. Got off line, ran Nod32 again, just for kicks. It found 1 more trojan, removed it. Listed next.


File C:\System Volume Information\_restore{6879208B-9D12-4016-96A1-40260D21D142}\RP5\A0000389.exe is infected with a variant of Win32/TrojanDownloader.Zlob.JG trojan. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.


No problems since. My latest HJT log is next.


Logfile of HijackThis v1.99.1
Scan saved at 8:41:32 AM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A31CCCB0-46A8-11D3-A726-005004B35102} - http://download.acti...SFViewerWeb.cab
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

UH OH!!! Ran Nod32 and it just found the following again:

File C:\System Volume Information\_restore{6879208B-9D12-4016-96A1-40260D21D142}\RP5\A0000389.exe is infected with a variant of Win32/TrojanDownloader.Zlob.JG trojan. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed.

Looks like I still have a problem.

Edited by pawntoking, 30 March 2006 - 01:31 PM.

[Jag11]

That file nod found is your System Restore point, we'll flush it after we finish cleaning you from spywares.

Please follow the instructions provided, you may want to print out these instructions and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding.

==========================================================

Download Tools

Please download these tool(s) first before we proceed to the next steps:

1. smitRem.exe

• Save it to your Desktop.
• Double-click the file to extract it to it's own folder on the desktop.

2. Update Ewido Anti-Malware - I see that you already have this so we'll just update it.

• Launch Ewido.
• The program will now open the main screen.
• You will need to update ewido to the latest definition files
  • On the left hand side of the main screen click update.
  • Then click on the Start Update button.
• The update will start and a progress bar will show the updates being installed.
• After it has finished, close Ewido, we will use it later.
• If you are having problems with the updater, you can use this link to manually update ewido » Ewido manual updates.

==========================================================

Show Hidden Files and Folders. Click Start » My Computer » Tools » Folder Options. Select the View tab. Check Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm, then OK to exit.

==========================================================

Boot into Safe Mode. Please restart your computer and as soon as it starts to boot, tap F8 repeatedly. A menu should appear, select Safe Mode from the menu and then hit Enter on your keyboard. (this will take a while, so don't worry, just wait)

==========================================================

Run HijackThis

Please open HJT, click Do a system scan only, and then place a checkmark beside each of these entries:

O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINNT\system32\hpD2BE.tmp

After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

==========================================================

Find and delete this file:

C:\WINNT\system32\hpD2BE.tmp

==========================================================

Run smitRem

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in C:\smitfiles.txt. I will need you to post that later.

==========================================================

Run Ewido

• Click on scanner.
• Click on Complete System Scan and the scan will begin. (please don't use the computer while scanning)
• You will be prompted to clean the first infection:
  • Sometimes Ewido reports legit files as malware, so you need to Remove these one-by-one, if you see a legit file being reported, just select None.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.
• Close ewido security suite.

==========================================================

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

==========================================================

Restart your computer back to Normal again.

==========================================================

Run an online scan at Panda's ActiveScan

• Please go here and perform a full system scan.
• Once you are on the Panda site click the Scan your PC button.
• A new window will open...click the big Check Now button.
• Enter your Country.
• Enter your State/Province.
• Enter your Valid Email and click send.
• Select either Home User or Company.
• Click the big Scan Now button.
• If it wants to install an ActiveX component allow it.
• It will start downloading the files it requires for the scan.
• Click on Local Disks to start the scan.
• Save the log file created to your Desktop.

==========================================================

Just a review of the log(s) we need to see on your next reply:

• HijackThis (new)
• Panda
• Ewido
• smitRem log (C:\smitfiles.txt)

Please also provide details of any problems you encountered while performing the above steps and update us on how the computer behaves now.

[pawntoking]

Hi Jet,

Here's the blow by blow;

I could not find and delete the file C:\WINTT\system32\hpD2BE.tmp

When I restarted my computer after leaving Safe Mode, Ad-Watch detected registry modification attempts
and asked if I wanted to allow or block the mods. The attempts were all blocked. The Ad-Watch event log
is included below.

Thanks again for your help

-----------------------------------------------------------------------------------------------------------
Here is the latest HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:55:24 PM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A31CCCB0-46A8-11D3-A726-005004B35102} - http://download.acti...SFViewerWeb.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

-----------------------------------------------------------------------------------------------------

Here is the Panda log

Incident Status Location

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Jack M. Vaughn\Cookies\jack m. vaughn@apmebf[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jack M. Vaughn\Cookies\jack m. [email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jack M. Vaughn\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jack M. Vaughn\Desktop\smitRem.exe[Process.exe]

------------------------------------------------------------------------------------------------------

Here is the Ewido log
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:37:17 PM, 3/30/2006
+ Report-Checksum: 825A14A4

+ Scan result:

HKU\S-1-5-21-602162358-1580818891-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\Jack M. Vaughn\Cookies\jack m. [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINNT\system32\interf.tlb -> Trojan.Small : Cleaned with backup


::Report End

---------------------------------------------------------------------------------------------------------------------

Here is the smitRem log

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 03/30/2006
The current time is: 20:27:14.20

Running from
C:\Documents and Settings\Jack M. Vaughn\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 760 'explorer.exe'
Killing PID 760 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN!

---------------------------------------------------------------------------------------------------------

Here are the Ad-Watch event logs

Ad-Watch Logfile, exported on 3/30/2006
Total number of events:11
===============================================
3/30/2006 8:42:36 PM - Definitions file SE1R101 27.03.2006 loaded successfully.
Build:SE1R101 27.03.2006
Total Signatures :52824
Target Families :865
Target Categories :6
CSI data Size :138720

File Size :1937446
===============================================
3/30/2006 8:42:36 PM - User preferences file loaded.
Ad-Watch preference file loaded.
Applying user settings
C:\Documents and Settings\Jack M. Vaughn\Application Data\Lavasoft\Ad-Aware\awsettings.awc
Initialization complete.
===============================================
3/30/2006 8:42:36 PM - Sites file loaded.
Sites file loaded successfully.
C:\PROGRA~1\Lavasoft\AD-AWA~1\sites.txt
Total entries : 3223
===============================================
3/30/2006 8:53:01 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
Value:DisableTaskMgr
Data:
New Data:0
===============================================
3/30/2006 8:55:33 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value:NoActiveDesktop
Data:
New Data:0
===============================================
3/30/2006 8:57:15 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value:NoActiveDesktopChanges
Data:
New Data:0
===============================================
3/30/2006 9:03:28 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Search
Value:Default_Search_URL
Data:
New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
===============================================
3/30/2006 9:03:38 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value:NoSaveSettings
Data:
New Data:0
===============================================
3/30/2006 9:03:47 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value:ClassicShell
Data:
New Data:0
===============================================
3/30/2006 9:03:54 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value:NoThemesTab
Data:
New Data:0
===============================================
3/30/2006 9:04:00 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value:ForceActiveDesktopOn
Data:
New Data:0
===============================================

[Jag11]

That (log of Adwatch) doesn't have to do with the fix so don't worry about that. Your log looks clean now, we blasted smitFraud out.

If you have any other questions, please post back.

Congratulations you're clean now!

Before I leave you with the steps to keep your computer clean and prevent re-infection, please post one more time to confirm that you don't have any more problems - so we can mark this thread as SOLVED.

Have a good day!

==========================================================

1.) Re-Hide System Files and Folders:

• Click Start
• Open My Computer
• Select the Tools menu and click Folder Options
• Select the View tab
• Deselect the Show hidden files and folders option
• Select the Hide protected operating system files option
• Click Yes to confirm
• Click OK

2.) Reset and Re-enable your System Restore

We need to do this to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

• Click Start » Run » ( type: SYSDM.CPL ) » OK
• Click the System Restore tab.
• Check - Turn off System Restore.
• Click Apply.
• Uncheck - Turn off System Restore.
• Click OK.

3.) How to Prevent Re-Infection

Please take your time reading on this list, it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

• Windows Updates (a must!) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this, open Internet Explorer, then and select Tools » Windows Update, and follow the online instructions from there.
• Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
• AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
• SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
• SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
• IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
• Firewall (a must!) - It is definitely a must have. Two good free versions are Kerio and ZoneAlarm.
• Anti-Virus (a must!) - It is also a must have. Two good programs are Avast and AVG, they're both free.
  Note: You must only use 1 (one) AV because if you have 2 AVs, it will conflict with each other and will only make your system slow.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

[pawntoking]

Hi Jet,

No problems!!!

Here's the latest HJT logfile.

Thanks again for your help.



Logfile of HijackThis v1.99.1
Scan saved at 7:16:17 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1143824043718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A31CCCB0-46A8-11D3-A726-005004B35102} - http://download.acti...SFViewerWeb.cab
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

[Jag11]

Good, your log is clean!

Glad we could help.

Jet Ian.

[therock247uk]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.