
theguardservices.com home page hijack + taskbar spyware

Discussion in 'Windows - Virus and spyware problems' started by chadbrand, May 2, 2006.

  1. chadbrand

    chadbrand Member

    Any help is greatly appreciated!!!

    My IE home page is being hijacked to theguardservices.com, and I also have two icons in my Windows taskbar that appear to be spyware of some sort that try to sell virus protection products. One flashes between a handicapped sign and a red crossed-out circle, and the other is a yellow triangle that says "security alert!"

    I've tried pretty much every spyware scanning program. Please help! Here is my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:03:25 PM, on 5/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1132672704\ee\AOLSoftware.exe
    C:\Program Files\Labtec\Mouse\2.1\moffice.exe
    C:\Program Files\D4\D4.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\progra~1\mcafee\MCAFEE~1\masalert.exe
    C:\Program Files\ATI Multimedia\main\ATISched.EXE
    C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Labtec\Mouse\2.1\MOUSE32A.EXE
    C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\CDProxyServ.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    c:\progra~1\mcafee\mcafee antispyware\massrv.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee AntiSpyware\MASCon.exe
    c:\program files\mcafee.com\shared\mghtml.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Chad\Desktop\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpA6BF.tmp
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [RecoverFromReboot.SS] C:\WINDOWS\Temp\RECOVE~1.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132672704\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\2.1\moffice.exe
    O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
    O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
    O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
    O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Chad\Desktop\HijackThis.exe /startupscan
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office2000\Office\OSA9.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! MLB StatTracker - http://aud12.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
    O16 - DPF: {0D6F5DC7-9439-6D79-5B82-255644C965B4} - http://85.255.113.214/1/gdnUS2218.exe
    O16 - DPF: {169CE3C1-36B2-3207-5007-58410C6DB686} - http://85.255.113.214/1/gdnUS2218.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {26EB4247-E49F-7571-743A-3EAA351057D4} - http://85.255.113.214/1/gdnUS2218.exe
    O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
    O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeCommon/downloads/WalletCab.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22ee11265170e847cc16/netzip/RdxIE601.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {5FB74C78-B6EB-054B-BC3A-70B778D77C2F} - http://85.255.113.214/1/gdnUS2218.exe
    O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_5/controls/ybrequest.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123631754468
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - https://music.msn.com/client/msnmusax2614.cab
    O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
     
  2. JaPK

    JaPK Regular member

    Hi chadbrand.

    You don't have a firewall on your computer. Download and install a firewall.

    These are good (free) firewalls:
    ZoneAlarm --> http://www.zonelabs.com
    Kerio--> http://www.sunbelt-software.com/Kerio.cfm
    Outpost-> http://www.agnitum.com

    Then you have two antiviruses running at the same time. You should remove one of them. Go to Control Panel -> Add/Remove Programs -> Remove McAfee OR Norton

    Ok, you got some infections....

    Cleaning instructions:

    Move HijackThis into its own folder C:\HJT

    Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download/
    We'll use this later.

    Ok before the cleaning, I need some logs...

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (folder named SmitFraudFix) to your desktop:

    Open the folder SmitfraudFix and double-click smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist)

    Post the contents of this textfile to here.

    (Some antiviruses recognise process.exe as malware. It is not malware; it is a program that stops processes.)

    Download Blacklight and save it to your desktop http://www.f-secure.com/blacklight/try.shtml

    Double-click blbeta.exe, accept the agreement, click > Scan, then > Next

    You'll see a list of what has been found. A log named fsbl.xxxxxxx.log (xxxxxxx will be random numbers) will appear on your desktop.

    Don't choose Rename if something was found!

    Post the following logs to here:
    -> log from smitfraudfix
    -> contents from fsbl.xxxx.log (blacklight log from your desktop).
     
    Last edited: May 2, 2006
  3. chadbrand

    chadbrand Member

    Thanks JaPK! Here you go...
    ----------------------------------------------------------------------

    LOG FROM SMITFRAUDFIX:

    SmitFraudFix v2.37

    Scan done at 0:05:57.74, Wed 05/03/2006
    Run from C:\Documents and Settings\Chad\Desktop\SmitFraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\atmclk.exe FOUND !
    C:\WINDOWS\system32\dcomcfg.exe FOUND !
    C:\WINDOWS\system32\hp????.tmp FOUND !
    C:\WINDOWS\system32\ld????.tmp FOUND !
    C:\WINDOWS\system32\simpole.tlb FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chad\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Chad\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!! Attention, follow keys are not inevitably infected !!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    ----------------------------------------------------------------------

    THE BLACKLIGHT SCAN SAID NOTHING WAS FOUND

    HERE IS THE LOG:

    05/03/06 00:08:17 [Info]: BlackLight Engine 1.0.36 initialized
    05/03/06 00:08:17 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    05/03/06 00:08:17 [Note]: 7019 4
    05/03/06 00:08:17 [Note]: 7005 0
    05/03/06 00:08:26 [Note]: 7006 0
    05/03/06 00:08:26 [Note]: 7011 1792
    05/03/06 00:08:26 [Note]: 7026 0
    05/03/06 00:08:27 [Note]: 7026 0
    05/03/06 00:08:42 [Note]: FSRAW library version 1.7.1015
    05/03/06 00:17:16 [Note]: 2000 1006
    05/03/06 00:17:32 [Note]: 7007 0

    ----------------------------------------------------------------------
    Thanks in advance!
     
  4. JaPK

    JaPK Regular member

    Hi again chadbrand.

    Cleaning instructions:

    Restart your computer in safe mode and choose your normal user account -> http://www.pchell.com/support/safemode.shtml

    Fix the following entries with HijackThis (run HijackThis, press "Do a system scan only", close all other windows, checkmark entries and press Fix checked):

    O16 - DPF: {0D6F5DC7-9439-6D79-5B82-255644C965B4} - http://85.255.113.214/1/gdnUS2218.exe
    O16 - DPF: {169CE3C1-36B2-3207-5007-58410C6DB686} - http://85.255.113.214/1/gdnUS2218.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentral...
    O16 - DPF: {26EB4247-E49F-7571-743A-3EAA351057D4} - http://85.255.113.214/1/gdnUS2218.exe
    O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22ee11265170e847cc16/netzip/RdxIE601.cab
    O16 - DPF: {5FB74C78-B6EB-054B-BC3A-70B778D77C2F} - http://85.255.113.214/1/gdnUS2218.exe

    When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks whether the wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and pressing "Enter".

    The tool might have to restart your computer; if it does not do so itself, restart your computer back into normal mode.
    A text file will appear after the cleaning process; copy this file and paste it here.
    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

    Restart your computer normally.

    Scan and clean your computer with Ewido and save the log file.

    Post the following logs to here:
    -> fresh HijackThis log
    -> Ewido's log
    -> contents of C:\rapport.txt
     
    Last edited: May 3, 2006
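An added triage script, not HijackThis's own code and not written by anyone in this thread, that applies the checks JaPK used above to a few O-lines copied from the posted log: a BHO loading from a .tmp file, a Run entry launching out of the Temp directory, and O16 DPF controls that have only a CLSID and pull an .exe from a raw IP address. Everything besides those quoted lines (the regexes, the Finding type, the check functions) is constructed here.

```python
"""Triage HijackThis O-lines for the indicators discussed in this thread."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample input: O-lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpA6BF.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RecoverFromReboot.SS] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {0D6F5DC7-9439-6D79-5B82-255644C965B4} - http://85.255.113.214/1/gdnUS2218.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123631754468
""".strip()

# Constructed parsers for the HijackThis line shapes seen in the log.
LINE_RE = re.compile(r"^(?P<kind>O\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
DPF_RE = re.compile(r"^DPF: (?P<ident>.+?)(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section, e.g. "O16"
    reason: str  # why the line was flagged
    raw: str     # the original log line


def _is_ip_host(url: str) -> bool:
    """True when the download host is a bare IP address rather than a DNS name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_o2(body: str) -> list[str]:
    """BHO with no real name, or loaded from a .tmp file, as in the posted log."""
    m = BHO_RE.match(body)
    if not m:
        return []
    reasons = []
    if m["name"].strip().lower() in ("nothing", "(no name)", ""):
        reasons.append("BHO has no friendly name")
    if m["path"].lower().endswith(".tmp"):
        reasons.append("BHO DLL is a .tmp file")
    return reasons


def check_o4(body: str) -> list[str]:
    """Run-key entry that launches something out of a temp directory."""
    m = RUN_RE.match(body)
    if not m:
        return []
    cmd = m["cmd"].lower()
    if "\\temp\\" in cmd or cmd.endswith(".tmp"):
        return ["autostart runs from a temp directory"]
    return []


def check_o16(body: str) -> list[str]:
    """DPF (ActiveX download) entries: unnamed CLSID, raw-IP host, or .exe payload."""
    m = DPF_RE.match(body)
    if not m:
        return []
    reasons = []
    if CLSID_RE.match(m["ident"]) and m["name"] is None:
        reasons.append("DPF control has only a CLSID, no registered name")
    if _is_ip_host(m["url"]):
        reasons.append("DPF downloads from a raw IP address")
    if urlparse(m["url"]).path.lower().endswith(".exe"):
        reasons.append("DPF points at an .exe rather than a .cab")
    return reasons


CHECKS = {"O2": check_o2, "O4": check_o4, "O16": check_o16}


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious indicator found in the O-lines."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        check = CHECKS.get(m["kind"])
        if check is None:
            continue
        for reason in check(m["body"]):
            findings.append(Finding(m["kind"], reason, line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.raw}")
```

Lines with a registered control name, a .cab from a DNS-named host, or an autostart under Program Files (the Google toolbar, Symantec's ccApp, the Microsoft Update control) produce no findings, which is the same split JaPK made when choosing which O16 entries to fix.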
  5. chadbrand

    chadbrand Member

    Here's Round 2:
    ----------------------------------------------------------------------
    FRESH HJT LOG:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:48:56 AM, on 5/3/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\CDProxyServ.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
    C:\Program Files\Labtec\Mouse\2.1\moffice.exe
    C:\Program Files\D4\D4.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Labtec\Mouse\2.1\MOUSE32A.EXE
    C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\2.1\moffice.exe
    O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Chad\Desktop\hijackthis\HijackThis.exe /startupscan
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office2000\Office\OSA9.EXE
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! MLB StatTracker - http://aud12.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
    O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeCommon/downloads/WalletCab.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123631754468
    O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - https://music.msn.com/client/msnmusax2614.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4749/mcfscan.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

    ----------------------------------------------------------------------
    EWIDO'S LOG:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 10:43:14 AM, 5/3/2006
    + Report-Checksum: 56DE9F2A

    + Scan result:

    :mozilla.44:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.45:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.52:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.59:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.60:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.68:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.108:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.109:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.110:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.111:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.112:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.138:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.150:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.151:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.175:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.187:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.188:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@-1shz2prbmdj6wvny-1sez2pra2dj6wfkychazwfqq-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1ncpmgogydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4opcjmepaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkosmcpicqq2dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoukdzwcqqwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyohajodowsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyunczkkqaydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlisldjskpgqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliuodpoboqmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@y-1shz2prbmdj6wvny-1sez2pra2dj6wjloujcpkepa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmisoczakqa2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnygmc5ibpwwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyogc5kgogidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\45UN0PY7\gdnUS2218[1].exe -> Downloader.Small.ayl : Cleaned with backup
    C:\Documents and Settings\Chad\Local Settings\Temporary Internet Files\Content.IE5\XJCL65WT\thexxxarchive[1].htm -> Not-A-Virus.Exploit.HTML.Iframe.FileDownload : Cleaned with backup
    C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc29.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc30.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc31.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc32.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc33.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc34.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc35.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc36.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc37.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc38.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc39.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc40.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc41.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1028\A0065602.dll -> Adware.MegaSearch : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1032\A0065942.exe -> Trojan.Dialer.u : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1034\A0066035.exe -> Not-A-Virus.PornDownloader.Win32.TibSystems : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1038\A0066070.dll -> Adware.Aws : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1040\A0066073.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1040\A0066074.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1040\A0066075.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1040\A0066076.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1040\A0066077.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1042\A0066180.dll -> Not-A-Virus.Hoax.Win32.Renos.cu : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1043\A0066207.exe -> Not-A-Virus.PornDownloader.Win32.TibSystems : Cleaned with backup
    C:\WINDOWS\SYSTEM32\regperf.exe -> Downloader.Zlob.mx : Cleaned with backup
    C:\WINDOWS\Temp\bggolomd.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\WINDOWS\Temp\jcmlcnmd.exe -> Trojan.Dialer.ay : Cleaned with backup


    ::Report End

    ----------------------------------------------------------------------
    RAPPORT.TXT CONTENTS:

    SmitFraudFix v2.37

    Scan done at 9:11:42.35, Wed 05/03/2006
    Run from C:\Documents and Settings\Chad\Desktop\SmitFraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\atmclk.exe Deleted
    C:\WINDOWS\system32\dcomcfg.exe Deleted
    C:\WINDOWS\system32\hp????.tmp Deleted
    C:\WINDOWS\system32\ld????.tmp Deleted
    C:\WINDOWS\system32\simpole.tlb Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\WINDOWS\system32\1024\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» End
    ----------------------------------------------------------------------
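A report like the Ewido one above is easier to read once the hits are grouped by where the file lived: a copy in system32 or Windows\Temp was running, while copies in restore points, the recycle bin or cookie files are dormant or low-risk remnants. As an added example (not part of this thread and not an Ewido feature), the Python script below parses the "path -> detection : action" lines and produces that grouping; the location rules are an assumption made for the example, and the sample lines are copied from the report above.

```python
import re
from collections import Counter

# One Ewido report line: "<path> -> <detection> : <action>", optionally
# prefixed by ":mozilla.<n>:" for entries found inside a Firefox cookies.txt.
LINE_RE = re.compile(r"^(?::mozilla\.\d+:)?(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$")

# Location classes in triage order (first match wins). These rules are an
# assumption made for this example, not something Ewido itself reports.
LOCATION_RULES = [
    ("live system binary", re.compile(r"^c:\\windows\\(system32|temp)\\", re.I)),
    ("program files", re.compile(r"^c:\\program files\\", re.I)),
    ("recycle bin remnant", re.compile(r"^c:\\recycler\\", re.I)),
    ("restore point copy", re.compile(r"^c:\\system volume information\\_restore", re.I)),
    ("browser cache", re.compile(r"\\temporary internet files\\", re.I)),
    ("tracking cookie", re.compile(r"cookies", re.I)),
]

def classify_path(path):
    """Map a detected file path to one of the location classes above."""
    for label, pattern in LOCATION_RULES:
        if pattern.search(path):
            return label
    return "other"

def parse_report(text):
    """Return (path, detection, location, action) for every parseable report line."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # headers, blank lines and "::Report End" are skipped
            path = m.group("path")
            findings.append((path, m.group("name"), classify_path(path), m.group("action")))
    return findings

def triage(findings):
    """Count hits per location and list the live ones, which matter most."""
    counts = Counter(loc for _, _, loc, _ in findings)
    live = [(path, name) for path, name, loc, _ in findings if loc == "live system binary"]
    return counts, live

# Constructed sample: a handful of lines copied from the Ewido report in this thread.
SAMPLE = r"""
:mozilla.175:C:\Documents and Settings\Chad\Application Data\Mozilla\Firefox\Profiles\sn956f90.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Chad\Local Settings\Temp\Cookies\chad@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup
C:\RECYCLER\S-1-5-21-4211684999-2382317117-2604735499-1006\Dc29.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1042\A0066180.dll -> Not-A-Virus.Hoax.Win32.Renos.cu : Cleaned with backup
C:\WINDOWS\SYSTEM32\regperf.exe -> Downloader.Zlob.mx : Cleaned with backup
C:\WINDOWS\Temp\bggolomd.exe -> Trojan.Dialer.ay : Cleaned with backup
"""
```

Running `triage(parse_report(SAMPLE))` on the sample lists regperf.exe and bggolomd.exe as the two live hits and puts everything else in the dormant or cookie buckets.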
     
  6. chadbrand

    I haven't seen any taskbar pop-ups in a few hours, so it looks like things are better. How do the logs look? Might I be out of the woods? I have not tried to open IE yet, but am using Firefox without any issues...
     
  7. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Hi chadbrand.

    I would like you to do something for me :)

    Open Ewido
    -> Press "Quarantine" button
    -> Select this file C:\WINDOWS\SYSTEM32\regperf.exe (Downloader.Zlob.mx)
    -> Press "Restore" button
    -> Answer "Yes" if it asks something

    Then:

    Go here -> http://www.thespykiller.co.uk/forum/index.php?board=1.0
    and make a new topic. Name it e.g. smitfraud/regperf.exe

    Then search for and upload this file there, if found -> C:\WINDOWS\SYSTEM32\regperf.exe

    (here are the instructions for uploading -> http://www.thespykiller.co.uk/forum/index.php?topic=5.0)

    Paste the contents from the following link to your message ->
    http://forums.afterdawn.com/thread_view.cfm/338260

    You seem to have a new variant of a certain pest and this would be a big help...

    Then tell me if you did/didn't do this and we'll continue.
     
  8. chadbrand

    chadbrand Member

    Joined:
    May 2, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    I believe I deleted all of the stuff in the quarantine section when I ran the program last. Was I not supposed to do that? Is there any way to get it back in order to do as you requested? Thanks.
     
  9. JaPK

    It is ok then :)

    You're clean now, are you having any problems?
     
  10. chadbrand

    looks good so far... thanks so much!!!
     
  11. JaPK

    You're welcome =)
     
