http://www.dslreports.com/forum/r20399428 en Fri, 29 Aug 2008 23:20:13 EDT Fri, 29 Aug 2008 23:20:13 EDT http://www.dslreports.com/forum/remark,20401164 TheJoker : Hi hilldweller

Your HijackThis log shows that the infection had not been completely removed (before you chose to reformat).
The infection could have been removed.

Now that you have reformatted and reinstalled, here are some recommendations.

Please check your ActiveX security settings (Start -> Settings -> Control Panel -> Internet Options, Security Tab -> Internet -> Custom Level) and reset as recommended:

ActiveX controls and plug-ins
* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Script ActiveX controls marked safe for scripting (Prompt)
* Launching programs and files in an IFRAME (Prompt)
* Navigate sub-frames across different domains (Prompt)

I recommend installing a software firewall. I didn't see one in your HijackThis log (the XP SP2 firewall isn't sufficient protection, it only checks incoming data). Two free firewalls are Sunbelt Kerio Personal Firewall available from http://www.sunbelt-software.com/Kerio.cfm, and Zone Alarm from zonelabs.com http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp. There is a tutorial on understanding firewalls at http://www.bleepingcomputer.com/forums/tutorial60.html and and a tutorial from Markus Jansson on setting up ZoneAlarm at http://www.markusjansson.net/eza.html. If you install ZoneAlarm (an excellent firewall), I recommend NOT installing the new optional feature Spy Blocker, as it's run by the questionable search engine Ask.com. You can read more about Ask.com here.

There is a newer version of AVG available, version 8. If you use the free version, that has also been released:
http://free.grisoft.com/ww.download?prd=afe

There are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at http://www.mvps.org/winhelp2002/hosts.htm.

IE/SPYAD adds sites associated with ads and spyware to your Internet Restricted Zone and you can download that at http://www.spywarewarrior.com/uiuc/resource.htm.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at http://www.javacoolsoftware.com/products.html.

I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://forums.spywareinfo.com/index.php?showtopic=60955

Edit: URL fixed
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,20401164 Mon, 28 Apr 2008 17:14:40 EDT http://www.dslreports.com/forum/remark,20399428 hilldweller : Problems came back, reformated and reinstalled.]]> http://www.dslreports.com/forum/remark,20399428 Mon, 28 Apr 2008 12:14:51 EDT http://www.dslreports.com/forum/remark,20136432 hilldweller : I have ran Spybot Search and Destroy, AVG Antivirus and CA online scans, Adaware does not run, errors out on updating.
Please review for furthe problems.

Thanks for your service :)

I am posting the Spybot and Hijackthis logs:

--- Report generated: 2008-03-09 11:48 ---

SpyLocked.FakeAlert: [SBI $636BCE49] Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert

VirusProtect: [SBI $21D7A104] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{0979850F-6C3E-4294-B225-B3D3C4A6F2A1}

VirusProtect: [SBI $08A67F25] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{1BB2DA5F-B78F-44EA-BDA1-771CBE1DEC68}

VirusProtect: [SBI $DCDE6275] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{2A4E73C5-BA3C-4391-B7E5-FFE8D3BD6245}

VirusProtect: [SBI $7DEC7ECA] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{44A923CA-F430-4F85-9F84-5153ECDB882E}

VirusProtect: [SBI $40334284] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{4E6E21EC-9D72-4164-8A53-74786A467872}

VirusProtect: [SBI $AE26764B] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{631E9E48-B066-43DA-92AC-6DADF61B173B}

VirusProtect: [SBI $943F4215] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{65C1361C-E696-4AF0-9E21-81910193F352}

VirusProtect: [SBI $723426D5] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{77DCE805-C8CE-48AA-A47F-BFA6CC7704B3}

VirusProtect: [SBI $BFAF0A61] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{8D42769F-07D8-494D-AAB4-AA1652C541FA}

VirusProtect: [SBI $1F67FF17] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{A1922071-390C-418D-916D-91209E95D286}

VirusProtect: [SBI $EDB577AC] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{A1F8CD95-CFB3-43D1-A956-63441CC058C1}

VirusProtect: [SBI $122EA804] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{A63B46AD-96A7-4A2C-BD8F-8CD097E1593A}

VirusProtect: [SBI $6B445D72] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{A65F98DD-2360-468C-B76E-B1B84C0D547C}

VirusProtect: [SBI $F574529F] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{AE2AEED0-BE1B-4BA2-826E-20D1991081B8}

VirusProtect: [SBI $36BBE026] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{D7F73787-6206-4BBA-BDC0-7CFA9940DBCB}

VirusProtect: [SBI $21FAEE5D] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{E770F739-2968-4ED9-A63C-DC1938DC82A2}

VirusProtect: [SBI $925637FC] Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{CFAFA83C-855B-4E3D-92B9-A587995B675A}

Win32.Renos: [SBI $7B2A75E0] Executable (File, fixed)
C:\Documents and Settings\Jim\Local Settings\Temp\laf4.exe

Smitfraud-C.: [SBI $10577975] Autorun settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\some

Smitfraud-C.: [SBI $8F732AAF] Autorun settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\start

Win32.Renos: [SBI $3A39BF54] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{917f93bf-6714-4e11-8982-59db2e0f88fc}

Win32.Renos: [SBI $71F2A583] Autorun settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{917f93bf-6714-4e11-8982-59db2e0f88fc}

Zlob.Downloader.vdt: [SBI $F73BCA8D] Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software

Zlob.Downloader.oid: [SBI $D9A7F62E] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}

Zlob.Downloader.oid: [SBI $4D3C8FCD] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{C2A1C5CB-C0EF-4689-9436-F62CCA1C5383}

Zlob.Downloader.vdt: [SBI $9098130D] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1659004503-1454471165-725345543-1004\Software\NetProject

Zlob.Downloader.vdt: [SBI $00788CF1] Program directory (Directory, fixed)
C:\Program Files\NetProject\

Zlob.Downloader.vdt: [SBI $3E9924D8] Executable (File, fixed)
C:\Program Files\NetProject\uninst.exe

Zlob.Downloader.vdt: [SBI $673E8E06] Settings (Registry key, fixed)
HKEY_CLASSES_ROOT\videoPl.chl\

--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-03-09 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-03-05 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-03-05 Includes\DialerC.sbi (*)
2008-03-05 Includes\HeavyDuty.sbi (*)
2008-03-05 Includes\Hijackers.sbi (*)
2008-03-05 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-03-05 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-27 Includes\Malware.sbi (*)
2008-03-05 Includes\MalwareC.sbi (*)
2008-02-20 Includes\PUPS.sbi (*)
2008-03-05 Includes\PUPSC.sbi (*)
2008-03-05 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-03-05 Includes\SecurityC.sbi (*)
2008-02-20 Includes\Spybots.sbi (*)
2008-03-05 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-02-27 Includes\Trojans.sbi (*)
2008-03-05 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:22 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.battle.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - »www.explorertool.net/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - »www.explorertool.net/redirect.php (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - »www.ca.com/us/securityadvisor/vi···scan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »fpdownload2.macromedia.com/get/s···lash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D82AF55E-1798-4B19-B9AE-307287EF818B}: NameServer = 206.13.29.12,206.13.30.12
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5887 bytes]]> http://www.dslreports.com/forum/remark,20136432 Sun, 09 Mar 2008 16:44:34 EDT