Infected with Rogue Anti-Spyware Product/Smitfraud via 'Rich Video Codec v1.6'

I am running Windows XP SP2 fully updated and Trend Micro Internet Security 2008, Mozilla Firefox. I downloaded and installed 'Video Codec v1.6' from a site because they claimed I need it to look at the posters they advertise there. It turned out to be a malicious Smitfraud that installed itself to give me a zillion virus warnings and installed three links on my desktop (ErrorCleaner, Privacy Protector and Spyware/Malware Protection) which contain links to URLs and are undeletable. I did not go to any of the websites they link to.
From I got Smitfraudfix.exe and ran it in Safe Mode. Everything appeared to be fine BUT, some hours later, the Desktop icons reappeared out of nothing (I am connected to the www though) and the pop-up windows came on again. I followed the procedure at but it did not help.
This is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:26 PM, on 2007/11/20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\JulaPan.exe
C:\Program Files\GALTWARE\SCREEN CONTROL\screencontrol.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {6A78E352-B1FA-4C18-9C48-96DD03979770} - C:\WINDOWS\popnetmtq.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: The jokwmp - {6BA27973-068D-4F85-BE84-1251E0B20FD3} - C:\WINDOWS\jokwmp.dll
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Screen Control.lnk = C:\Program Files\GALTWARE\SCREEN CONTROL\screencontrol.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: JulaPan.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O18 - Protocol: exalead - {39076C07-7014-41FF-A3CD-841360B1C2EC} - (no file)
O21 - SSODL: sapnet - {66BA9E5D-033B-4C46-A0F5-03EAED169C47} - C:\WINDOWS\sapnet.dll
O21 - SSODL: rmvgor - {11A3A6B8-B392-438B-B95E-58DF9415AE9B} - C:\WINDOWS\rmvgor.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

End of file - 7338 bytes

In addition to the Trend Micro Internet Security Suite 2008 I use System Mechanic, RegVac, A1Click Ultra PcCleaner, Belarc Advisor and Process Explorer.
johnb6767 commented:
O2 - BHO: MSVPS System - {6A78E352-B1FA-4C18-9C48-96DD03979770} - C:\WINDOWS\popnetmtq.dll
O18 - Protocol: exalead - {39076C07-7014-41FF-A3CD-841360B1C2EC} - (no file) (do you recognize this one?)
O21 - SSODL: sapnet - {66BA9E5D-033B-4C46-A0F5-03EAED169C47} - C:\WINDOWS\sapnet.dll
O21 - SSODL: rmvgor - {11A3A6B8-B392-438B-B95E-58DF9415AE9B} - C:\WINDOWS\rmvgor.dll

Those are the 4 nasty things I see....Virtumundo infections if I am not mistaken....

If Smitfraudfix above doesn't help, please do the following....

Install and update Super Anti Spyware and reboot to Safe Mode.

Then do a full scan, and see what it finds. Then you can even do an Online Virusscan for Housecall if you use Safe mode w/ networking.

Super Anti Spyware - AntiAdware, AntiSpyware, AntiMalware!
One of the best on the market (and it is free, although you can upgrade and get Real Time Protection)

Housecall Online Free Virus Scanner
Great to do an online Scan in Safe Mode w/ networking
IndiGenus commented:
Still looks very much like Smitfraud is present here. Although some of those random files are not in the changelog. That's interesting. I would recommend you remove your current version of Smitfraudfix and download a fresh one. Then follow the steps after to make sure it doesn't reappear.

Download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

Also, when done running this tool it would be advised to clean up temp files, cookies, etc. and to run a spyware scan. AVG is my tool of choice and is free for 30 days. NOTE: After updating it I would recommend running the scan in Safe Mode.

Use ATFCleaner to clean up temp files, etc.

AVG AS link:
johnb6767 commented:
And start>run>cmd.exe

netsh winsock reset

will repair that protocol error from HJT....

slcthomas (Author) commented:
Downloaded the latest version of Smitfraudfix.exe and did a scan exactly as you recommended. Everything seemed to be ok, even after rebooting. The Trend Micro Internet Security Suite started to put files into quarantine, telling me to wait until they offer a fix (troj_agent_yt). BUT this morning the links/icons were back on the desktop. Currently I am running Superantispyware and will notify you on the results.
The quarantined files are: rmv.exe, msmdev.dll and main_uninstaller.exe in the 'virus' section of TMISS and adware agent in the spyware section. Could it be that the recurrence of the threat has got to do with System Restore still running? Must I shut it down? Set a restore point manually? Is it better to run Superantispyware in Safe Mode? Should I send you the log after the scan has finished?
(I reset the winsock, thanks)
johnb6767 commented:
Yes, update SAS, and run it in Safe Mode......

And you can also disable System Restore to clear out the files in it, and always re-enable it again once you're clean...

Also, in SAS, go to the Preferences button > Scanning (2nd tab I think), check all the boxes there. Then go to Safe Mode, and do a Complete Scan....
IndiGenus commented:
Wonder if there is a backdoor running here too? If the above doesn't work give SDFix a try, then run Smitfraudfix again.

Download SDFix and save it to your Desktop. 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please upload the contents to
slcthomas (Author) commented:
Ok guys, I took advice from another site called PC Hell because there is someone who's got exactly the same problems and got rid of everything. I downloaded RogueRemover and followed the tips there. 
After rebooting 3 times I did not see the entries in HijackThis any more and I am free from the stuff, for now.
I've got SDFix, too but did not use it until now. We've got quite a time difference between the US of A and South Africa, so I close everything down now and we'll see how it goes tomorrow morning.
Thanks for now
slcthomas (Author) commented:
That was it! PC is healthy again. SmitfraudFix & RogueRemover run in Safe Mode did the trick, together with the fix function of HijackThis. I used SAS as well but it didn't do the whole job. Thanks for the quick response.