# Solved: Avast Keeps finding Win32:Agent-LTS [Trj]



## X-Fusi0n (Sep 30, 2007)

Hi Everyone. I'm Using WinXP OS n Avast Antivirus. Recently Avast keeps finding a Trojan named Win32:Agent-LTS [Trj]. I have performed a boot time scan and disabled System Restore, but to no avail. Should I delete some registery keys, if so which ones & how do I find out ?

This is the file name detected by Avast: C:\DOCUME~1\Ruben\LOCALS~1\Temp\ac8zt2\msmdev.dll

I suspect it came from another user of this computer, is that possible ?

Thanking You in Advance


----------



## cybertech (Apr 16, 2002)

Hi, Welcome to TSG!!

*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Doubleclick on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis* . 
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## X-Fusi0n (Sep 30, 2007)

I've Done the scan n Here's the Log File

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:50 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: msmdev - {1ABBA00D-65A2-467F-A6DE-D9B81142CEB5} - C:\WINDOWS\msmdev.dll (file missing)
O21 - SSODL: msmhost - {45431DA5-91DB-4BD7-94EF-30705829C97F} - C:\WINDOWS\msmhost.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 7156 bytes


----------



## cybertech (Apr 16, 2002)

Please download (save) *SmitfraudFix* (by *S!Ri*) to your desktop. 
Extract the content (a folder named *SmitfraudFix*) to your Desktop. Select all of the contents and Extract them
to a new folder called *SmitfraudFix*.

*You should print out the remainder of these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.*

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*

Warning: running option #2 on a non infected computer will remove your Desktop background.

*Please post the C:\rapport.txt and a new HJT log in your next reply.*


----------



## X-Fusi0n (Sep 30, 2007)

SmitFraudFix v2.235

Scan done at 20:43:29.96, Wed 10/03/2007
Run from C:\Documents and Settings\Ruben\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\main_uninstaller.exe Deleted
C:\WINDOWS\msmhost.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{B44AEA39-EEE7-41F0-B8B5-610D414B7381}]
C:\WINDOWS\nsduo.dll Deleted
C:\WINDOWS\privacy_danger\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E4049CF6-9785-4962-BD73-C514502A9E36}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E4049CF6-9785-4962-BD73-C514502A9E36}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E4049CF6-9785-4962-BD73-C514502A9E36}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Hey Thanks !

Err, I just completed the scan and So Far so Good, avast has not detected any viruses yet. Does this mean that my System is clean ?


----------



## X-Fusi0n (Sep 30, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:37 PM, on 10/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6226 bytes


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

*Close all applications and browser windows before you click "fix checked".*

Let's run this just to be sure.

Please download *ATF Cleaner* by Atribune. 
*This program is for XP and Windows 2000 only*
 
Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button. 

Click *Exit* on the Main menu to close the program.

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply with a new hijackthis log.*

Click *Close* to exit the program.


----------



## X-Fusi0n (Sep 30, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:57 AM, on 10/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6233 bytes


----------



## cybertech (Apr 16, 2002)

SUPERAntiSpyware came back clean?

If so remove all of the files and folders associated with SmitfraudFix.

It's a good idea to Flush your System Restore after removing malware: 
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405


----------



## X-Fusi0n (Sep 30, 2007)

No, It wasn't clean, It Just took soooo long that I fell asleep ! Here, the Log

First Scan

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/05/2007 at 02:08 AM

Application Version : 3.9.1008

Core Rules Database Version : 3318
Trace Rules Database Version: 1319

Scan type : Complete Scan
Total Scan Time : 00:47:00

Memory items scanned : 486
Memory threats detected : 0
Registry items scanned : 5835
Registry threats detected : 9
File items scanned : 53388
File threats detected : 52

Trojan.Net-MSV/VPS
HKLM\Software\Classes\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\InprocServer32
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\InprocServer32#ThreadingModel
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\ProgID
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\Programmable
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\TypeLib
HKCR\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\VersionIndependentProgID
C:\WINDOWS\NSDUO.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Ruben\Cookies\[email protected][2].txt
C:\Documents and Settings\Ruben\Cookies\[email protected][1].txt
C:\Documents and Settings\Ruben\Cookies\[email protected][2].txt
C:\Documents and Settings\Ruben\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\terrence [email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\terrence [email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\terrence [email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][3].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][3].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt

Second Scan

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/05/2007 at 07:55 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:41:25

Memory items scanned : 527
Memory threats detected : 0
Registry items scanned : 5838
Registry threats detected : 0
File items scanned : 53475
File threats detected : 52

Adware.Tracking Cookie
C:\Documents and Settings\Ruben\Cookies\[email protected][2].txt
C:\Documents and Settings\Ruben\Cookies\[email protected][1].txt
C:\Documents and Settings\Ruben\Cookies\[email protected][1].txt
C:\Documents and Settings\Ruben\Cookies\[email protected][2].txt
C:\Documents and Settings\Ruben\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\terrence [email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\terrence [email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\terrence [email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][3].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][2].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][3].txt
C:\Documents and Settings\Terrence Albert\Cookies\[email protected][1].txt


----------



## cybertech (Apr 16, 2002)

OK, the log looks fine now. Any problems?


----------



## X-Fusi0n (Sep 30, 2007)

Nope, none @ All ! Thx Heaps


----------



## cybertech (Apr 16, 2002)

You can and *should* remove smitfraudfix I requested you to download and/or folders associated with it now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

It's a good idea to Flush your System Restore after removing malware: 
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405

Here are some additional links for you to check out to help you with your computer security.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools

You're welcome!


----------

