!@#$% Trojan-Spy.HTML.Smitfraud.c !@#$%

Unknown · May 2005

This latest piece of !@#$ malware has managed to slip past my firewall and anti-virus and spyware and burn me. I got the desktop straight, except for some persisitent icons my daughter shouldn't see! Here is my hijack log file. I'd very much appreciate your help. I've tried many things including the preliminary items in this forum.

Logfile of HijackThis v1.99.1
Scan saved at 10:25:02 PM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
D:\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
D:\WINDOWS\System32\hpoipm07.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\ldl\Local Settings\Temp\Temporary Directory 4 for hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet Startup.lnk = D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {B0EBF866-16A6-41A8-AE6D-AB1C7F7DE245} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B0EBF866-16A6-41A8-AE6D-AB1C7F7DE245} - (no file) (HKCU)
O12 - Plugin for .mid: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111020390641
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Buckeye_Sam · May 2005

Make sure that you can VIEW ALL HIDDEN FILES.

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {B0EBF866-16A6-41A8-AE6D-AB1C7F7DE245} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B0EBF866-16A6-41A8-AE6D-AB1C7F7DE245} - (no file) (HKCU)

Reboot your computer into SAFE MODE

Then delete these files or directories (Do not be concerned if they do not exist):

C:\wp.exe
C:\wp.bmp
c:\bsw.exe
c:\bsw.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\Log Files
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Program Files\Security IGuard

Reboot your computer to go back to normal mode and post a new hijackthis log.

ldl · May 2005

I appreciate your help and have seen others have luck with this exact procedure but no matter what I do that R0 value keeps coming back and the problem is still there. The process is running in my system tray. I have several porno site shortcuts on my desktop that come right back when I delete them. Amazing. Here's my log file after runnning that process you posted.

Logfile of HijackThis v1.99.1
Scan saved at 7:40:48 PM, on 5/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
D:\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
D:\WINDOWS\System32\hpoipm07.exe
D:\Documents and Settings\ldl\Desktop\Hi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet Startup.lnk = D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .mid: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111020390641
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Buckeye_Sam · May 2005

Please download DLLCompare from here (unless you have downloaded it previously) http://downloads.subratam.org/DllCompare.exe

*Save it to your desktop and run it.
*Click 'Run Locate.com'to scan.
*When the scan has completed, click 'Compare'.
*When completed, click "Make a Log of What Was Found".
*Please Copy/Paste the entire contents of the logfile to this thread.

Note: If you get an error after pressing Run Locate.com:
copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder.

ldl · May 2005

Still trying to run the compare dll utility. It runs but hangs when trying to write the log. As soon as I fugure this out I'll post it. Why have none of the commercial spyware or anti-virus packages/vendors figured a standard way to eradicate this piece of work?

OK - got it to work but not much here that I can see.

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found

"
________________________________________________

1,165 items found: 1,165 files, 0 directories.
Total of file sizes: 216,238,886 bytes 206.22 M

Administrator Account = True

End log

Thanks again for your help.

Buckeye_Sam · May 2005

Nothing in that log. That is good!

Please download CWShredder but don't run it yet.
http://cwshredder.net/bin/CWSInstall.exe

Please disable Microsoft's Antispyware Real time protection. Then fix this line with hijackthis.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/

Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot your computer into Safe Mode

Open CWShredder and click "Fix".

Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply along with a new hijackthis log.

ldl · May 2005

At what point do I give up and format, remove IE and use Firefox ?

Here is log.txt

D:\Documents and Settings\ldl\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............

D:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............

Files Found in all users windows Folder............

Finished
bye

Here is hijacklog.txt
Logfile of HijackThis v1.99.1
Scan saved at 9:39:03 PM, on 5/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
D:\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\hpoipm07.exe
D:\Documents and Settings\ldl\Desktop\Hi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet Startup.lnk = D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111020390641
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Buckeye_Sam · May 2005

Let me know if you find this file.

C:\WINDOWS\system32\systr.dll

ldl · May 2005

No. And I have View Hidden files turned on

Buckeye_Sam · May 2005

I suspect that Microsoft Antispyware is preventing this from being fixed. I'd like you to uninstall it, then fix this line.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/

Reboot and post a new hijackthis log.

ldl · May 2005

Done and here's the log. This is the most persitent features of this trojan. I can change this in IE while Hijack is running and it will still set the start page to this. I can change it in the registry between hijack scans and it will change it back. Amazing. Do you think I should reinstall MS Anti Spyware now?

Log:
Logfile of HijackThis v1.99.1
Scan saved at 8:56:45 PM, on 5/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
D:\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\hpoipm07.exe
D:\Documents and Settings\ldl\Desktop\Battle\Hi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet Startup.lnk = D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111020390641
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Buckeye_Sam · May 2005

Please check for the existence of these files. Let me know if you have them.

C:\WINDOWS\System32\param32.dll
C:\WINDOWS\System32\guninst.exe
C:\WINDOWS\System32\popup_bl.dll

Download FindIt's.zip to your desktop:
http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please.

ldl · May 2005

Yes, those 3 files are present. Note: I did not delete them or take any action.

Here is the log file with the icon files matching those icons that I can not remove from my desktop.

Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 05/17/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive D has no label.
Volume Serial Number is 98A6-017B

Directory of D:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive D has no label.
Volume Serial Number is 98A6-017B

Directory of D:\WINDOWS\system32

05/03/2005 07:13 PM 766 Air Tickets.ico
05/03/2005 07:13 PM 4,286 Big Tits.ico
05/03/2005 07:13 PM 766 BlackJack.ico
05/03/2005 07:13 PM 2,238 Britney Spears.ico
05/03/2005 07:13 PM 2,238 Car Insurance.ico
05/03/2005 07:13 PM 2,238 Cigarettes.ico
05/03/2005 07:13 PM 4,606 Credit Card.ico
05/03/2005 07:13 PM 2,238 Cruises.ico
05/03/2005 07:13 PM 2,238 Forex Trading.ico
05/03/2005 07:13 PM 4,286 Lesbian Sex.ico
05/03/2005 07:13 PM 2,238 MP3.ico
05/03/2005 07:13 PM 2,238 Online Betting.ico
05/03/2005 07:13 PM 766 Online Casino.ico
05/03/2005 07:13 PM 4,286 Oral Sex.ico
05/03/2005 07:13 PM 766 Party Poker.ico
05/03/2005 07:13 PM 766 Pharmacy.ico
05/03/2005 07:13 PM 766 Phentermine.ico
05/03/2005 07:13 PM 4,286 Pornstars.ico
05/03/2005 07:13 PM 4,534 Remove Spyware.ico
05/03/2005 07:13 PM 2,238 Viagra.ico
20 File(s) 48,784 bytes
0 Dir(s) 2,759,016,448 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

Buckeye_Sam · May 2005

Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
C:\WINDOWS\System32\param32.dll
C:\WINDOWS\System32\guninst.exe
C:\WINDOWS\System32\popup_bl.dll
C:\WINDOWS\System32\Air Tickets.ico
C:\WINDOWS\System32\Big Tits.ico
C:\WINDOWS\System32\BlackJack.ico
C:\WINDOWS\System32\Britney Spears.ico
C:\WINDOWS\System32\Car Insurance.ico
C:\WINDOWS\System32\Cigarettes.ico
C:\WINDOWS\System32\Credit Card.ico
C:\WINDOWS\System32\Cruises.ico
C:\WINDOWS\System32\Forex Trading.ico
C:\WINDOWS\System32\Lesbian Sex.ico
C:\WINDOWS\System32\MP3.ico
C:\WINDOWS\System32\Online Betting.ico
C:\WINDOWS\System32\Online Casino.ico
C:\WINDOWS\System32\Oral Sex.ico
C:\WINDOWS\System32\Party Poker.ico
C:\WINDOWS\System32\Pharmacy.ico
C:\WINDOWS\System32\Phentermine.ico
C:\WINDOWS\System32\Pornstars.ico
C:\WINDOWS\System32\Remove Spyware.ico
C:\WINDOWS\System32\Viagra.ico

[*]Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
[*]Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Your system will reboot now.

Fix this line with Hijackthis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0058/

Reboot and post a new hijackthis log.

ldl · May 2005

Once I changed the C: drive references to D: it fixed it! Please check my HiJack log below. I truly appreciate your help. Do you suppose my Zone Alarm fire wall on my gateway PC, updated anti-virus s/w and Microsoft's Anti Spyware is adequate protection or do you suggest other reasonable measures?

Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 8:51:24 PM, on 5/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
D:\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
D:\WINDOWS\system32\hpoipm07.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Documents and Settings\ldl\Desktop\Battle\Hi\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet Startup.lnk = D:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111020390641
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{AB85138B-7D5E-4585-89D5-A632C5918FD6}: NameServer = 24.51.159.130,24.51.159.133
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Buckeye_Sam · May 2005

Your log is clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
  1. Change the Download signed ActiveX controls to Prompt
  2. Change the Download unsigned ActiveX controls to Disable
  3. Change the Initialize and script ActiveX controls not marked as safe to Disable
  4. Change the Installation of desktop items to Prompt
  5. Change the Launching programs and files in an IFRAME to Prompt
  6. Change the Navigate sub-frames across different domains to Prompt
  7. When all these settings have been made, click on the OK button.
  8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

!@#$% Trojan-Spy.HTML.Smitfraud.c !@#$%

Comments