I did everything you said but I'm definitely still infected.
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:58:07 PM, on 8/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft Works\WkDetect.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jasko-Blackshear\Desktop\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O21 - SSODL: Age of Empires 2.0 - {E5B4B3F1-9AC4-3397-8500-ABE117FC67AB} - c:\program files\microsoft games\age of empires ii\hlrn32.dll (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
Here is the activescan:
Incident Status Location
Adware:adware program No disinfected C:\WINDOWS\stsheets.dat
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Adware:adware/yoursearchengine No disinfected C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\FAVORITES\ DATING.url
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ
Virus:Trj/Agent.AJX Disinfected C:\Program Files\BroadJump\Client Foundation\dxfi32.dll
Possible Virus. No disinfected C:\Program Files\Continuum\Continuum.exe
Spyware:Spyware/Cydoor No disinfected C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
Adware:Adware/RazeSpyware No disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP624\A0059873.exe
Virus:W32/Smitfraud.D Disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP629\A0061948.dll
Virus:W32/Smitfraud.D Disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064115.dll
Adware:Adware/StartPage.AFK No disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064288.exe
Virus:Trj/Sapilayr.A Disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064290.dll
Adware:Adware/StartPage.AFK No disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064291.com
Virus:Trj/Sapilayr.A Disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064293.exe
Virus:Trj/Downloader.DFM Disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064295.exe
Adware:Adware/StartPage.AFK No disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064296.com
Adware:Adware/AzeSearch No disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064298.dll
Virus:Trj/Zhenya.A Disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064301.dll
Virus:Trj/Agent.AJX Disinfected C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064308.dll
Adware:Adware/StartPage.AFK No disinfected C:\WINDOWS\system32\shdocvn.dll
Here is the Ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 4:01:29 PM, 8/29/2005
+ Report-Checksum: 3C277D64
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\UPnP Device Host\Description\{CC1850FA-DACF-42F3-ACD3-EC685677A203}\UDN Mappings\DummyUDN -> Spyware.WebSearch : Cleaned with backup
[692] C:\WINDOWS\System32\birdihuy32.dll -> TrojanProxy.Small.ct : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OSA.exe -> TrojanDownloader.Delf.ks : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\Microsoft Games\Age of Empires II\hlrn32.dll -> TrojanDownloader.Murlo.ar : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP624\A0059870.com -> TrojanDownloader.Delf.ks : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP624\A0059871.com -> TrojanDownloader.Delf.ks : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP624\A0059872.exe -> TrojanDownloader.Delf.ks : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP624\A0059874.exe -> TrojanDropper.Small.acg : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP624\A0059875.exe -> TrojanDownloader.Small.bho : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP624\A0059895.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP624\A0059897.exe -> TrojanDownloader.Delf.ks : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP624\A0060034.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP624\A0060035.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064260.exe -> TrojanDownloader.Delf.ks : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064271.exe -> TrojanDownloader.Delf.ks : Cleaned with backup
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP655\A0064284.dll -> TrojanDownloader.Agent.ns : Cleaned with backup
C:\WINDOWS\notepad.com -> TrojanDownloader.Delf.ks : Cleaned with backup
C:\WINDOWS\system32\384398125.exe -> Heuristic.Win32.Backdoor.IrcBot : Cleaned with backup
C:\WINDOWS\system32\384409171.exe -> TrojanDropper.Agent.ro : Cleaned with backup
C:\WINDOWS\system32\birdihuy32.dll -> TrojanProxy.Small.ct : Cleaned with backup
C:\WINDOWS\system32\drivers\acpiz.old -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\msCMTsrvc.exe -> TrojanDownloader.Presario : Cleaned with backup
C:\WINDOWS\system32\notepad.com -> TrojanDownloader.Delf.ks : Cleaned with backup
C:\WINDOWS\system32\svcnt32.exe -> TrojanDownloader.Delf.ks : Cleaned with backup
C:\WINDOWS\system32\tmp.dat -> TrojanDownloader.Murlo.ar : Cleaned with backup
C:\WINDOWS\system32\zolker010.dll -> Spyware.Zbar : Cleaned with backup
C:\WINDOWS\system32\ztoolb010.dll -> Spyware.Zbar : Cleaned with backup
::Report End
Here is the smitfiles log:
smitRem log file
version 2.3
by noahdfear
The current date is: Mon 08/29/2005
The current time is: 14:08:43.48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ShudderLTD key present! Running LTDFix!
ShudderLTD key was successfully removed!
Pre-run Files Present
~~~ Program Files ~~~
PSGuard
~~~ Shortcuts ~~~
PSGuard spyware remover
quick launch PSGuard spyware remover.lnk
~~~ Favorites ~~~
~~~ system32 folder ~~~
intell32.exe
oleext.dll
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
wininet.dll INFECTED!!
Starting replacement procedure.
~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~
~~~~ dllcache\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~
~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~
~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~
~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~
~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll Present! ~~~~
~~~~ Checking C:\WINDOWS\ServicePackFiles\i386\wininet.dll for infection ~~~~
~~~~ ServicePackFiles\i386\wininet.dll Clean! ~~~~
~~~ Replaced wininet.dll from ServicePackFiles\i386 ~~~
~~~ Upon reboot ~~~
wininet.old present!
oleadm.dll not present!
oleext.dll not present!
~~~ Upon completion ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!
~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~
~~~~ C:\WINDOWS\system32\wininet.dll Clean! ~~~~
I hope that helps.