Post #1, Jun 3 2007, 10:30 PM
Posted by Uralten, New Member (Group: Members, Posts: 11, Joined: 3-June 07, Member No.: 134,528)
About a week ago, I caught some kind of malware that I cannot get rid of. I'm not even sure how I caught it...I check AdAware and Spybot almost every day for updates, run scans whenever those programs are updated, use the Immunization feature of Spybot, keep all my Windows patches and updates completely up-to-date, and have current versions of ZoneAlarm's firewall and McAfee's Security Center with VirusScan 11 running on my computer all the time. There's also a router between my computer and the internet. Still, something got through....
I first noticed the problem because Internet Explorer is suffering from pop-ups that take me to various advertising sites. I immediately ran both AdAware and Spybot scans when I first noticed this behavior. AdAware doesn't seem to find much, but SpyBot consistently finds Win32.Agent.at with four sub-entries, the first for a browser helper object, the second for a Class ID, and the last two for Root Classes Psapianalyzer.1 and Psapianalyzer. It was by Googling Psapianalyzer that I found this website. I followed all the steps in your "Preparation Guide for Use" before posting, except that I did not download a different virus scanner, but just used my installed McAfee instead. Stinger found nothing. When I installed and tried to run HJT, it generated a log file, but also an error message that said that it had generated errors, was being closed by Windows, and would have to be re-started. I rebooted, reinstalled, and tried again, with similar results. However, if I click the button to just run the program, and then from the main program screen click the button to just run a scan (in other words, to just scan, rather than scan and write a log), it will complete the scan without crashing, and that scan looks just like the one created during the crash, but without the running processes section. I suppose that means this is a complete log file, even though it seems way shorter than the other ones I've seen while researching this problem on other web sites. The only real remedial step I've taken (before seeking expert help, anyway) was to download Registrar Lite and try to take possession of the two Psapianalyzer root-class entries and delete them, but that didn't work. They come back as soon as they are deleted. On some SpyBot scans, it simply removes both of them when I click on the "Fix Problems" button, while on others, it says it cannot do so without a reboot, and asks permission to run on reboot. 
When that permission is given, SpyBot runs by itself before the desktop loads, finds the same four Win32.Agent.at entries, and claims to have deleted them. A quick check with the registry editor shows they immediately come back. I also note that there are a couple of new entries in the "System Startup" listing in SpyBot's Tools tab since this has started. They are entries for combd (loading from c:\winnt\inf\combd.dll), hggebaa (loading from hggebaa.dll), and nnlkj (loading from C:\winnt\system32\nnlkj.dll). SpyBot says these are loading from System.ini, but I've looked at my System.ini file and there's no mention of these files (or much of anything else) in there. As with the Psapianalyzer entries that SpyBot finds, when I check these to disable them, new non-disabled ones regenerate on reboot. The underlying files also cannot be deleted, because they are "in use by Windows." Here is the (maybe partial) log that HJT generated before it crashed. Any suggestions would be greatly appreciated. 
Logfile of HijackThis v1.99.1
Scan saved at 9:52:26 PM, on 6/3/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Programs\VPN\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
C:\Programs\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Programs\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Programs\Utils\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Programs\Utils\FileEx\FileEx.exe
C:\Programs\Utils\Corral\iconcorl.exe
C:\Programs\Utils\KeyText\KeyText.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programs\Utils\Moon\MoonIcon.exe
C:\System\Mouse\MouseWare\system\em_exec.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Programs\Utils\PassKeep\PassKeep.exe
C:\Programs\Utils\PassKeep\PassKeep.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [InCD] C:\Programs\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programs\Utils\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINNT\system32\xcjdlmen.dll",realset
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: File-Ex.lnk = C:\Programs\Utils\FileEx\FileEx.exe
O4 - Global Startup: Icon Corral.lnk = C:\Programs\Utils\Corral\iconcorl.exe
O4 - Global Startup: KeyText.lnk = C:\Programs\Utils\KeyText\KeyText.exe
O4 - Global Startup: Moon Phase Icon.lnk = C:\Programs\Utils\Moon\MoonIcon.exe
O4 - Global Startup: Password Keeper.lnk = C:\Programs\Utils\PassKeep\PassKeep.exe
O4 - Global Startup: TrayDay.lnk = C:\Programs\Utils\TrayDay\TrayDay.exe
O4 - Global Startup: OnTime.lnk = C:\Programs\OTW\OTWIN.EXE
O4 - Global Startup: VPN Client.lnk = C:\Programs\VPN\ipsecdialer.exe
O4 - Global Startup: Organizer.lnk = C:\Lotus\organize\org6.exe
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programs\VPN\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programs\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
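An added triage example, not part of the post or of HijackThis itself: it parses the O4 autorun and O23 service lines of a log in the format above and flags rundll32 loaders whose DLL is not on a reviewer's allowlist, as well as services whose binary is reported missing. The sample lines are copied from the log above; the allowlist KNOWN_GOOD_DLLS is an assumption for illustration.

```python
import re

# Added example (not the poster's or HijackThis's code). SAMPLE_LOG lines are copied
# from the posted HijackThis v1.99.1 log; KNOWN_GOOD_DLLS is an assumed allowlist
# that a log reviewer would maintain, not something the original page provides.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINNT\system32\xcjdlmen.dll",realset
O4 - Global Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# O4 lines: "O4 - <where>: [<name>] <command>"; Global Startup lines have no [name].
O4_RE = re.compile(r'^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$')
# rundll32 invocations: rundll32[.exe] "<path>.dll|.cpl",<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.(?:dll|cpl))"?\s*,\s*(?P<export>\S+)', re.I)

KNOWN_GOOD_DLLS = {"nvcpl.dll", "tweakui.cpl"}  # assumption: DLLs this reviewer has vetted


def parse_o4(line):
    """Return {'where', 'name', 'cmd'} for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def rundll32_target(cmd):
    """If cmd runs rundll32 against a DLL/CPL, return (dll_path, export), else None."""
    m = RUNDLL_RE.search(cmd)
    return (m.group("dll"), m.group("export")) if m else None


def flag_unknown_loaders(log_text, known_good=KNOWN_GOOD_DLLS):
    """O4 entries that use rundll32 to load a DLL whose basename is not allowlisted."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        target = rundll32_target(entry["cmd"]) if entry else None
        if target is None:
            continue
        dll, export = target
        basename = dll.rsplit("\\", 1)[-1].lower()  # compare on the file name only
        if basename not in known_good:
            flagged.append({"name": entry["name"], "dll": dll, "export": export})
    return flagged


def services_with_missing_binary(log_text):
    """Names of O23 services whose line ends in HijackThis's '(file missing)' marker."""
    prefix = "O23 - Service: "
    return [line[len(prefix):].split(" - ", 1)[0]
            for line in log_text.splitlines()
            if line.startswith(prefix) and line.rstrip().endswith("(file missing)")]
```

Run against SAMPLE_LOG, flag_unknown_loaders returns only the [Genuine] entry loading xcjdlmen.dll via the realset export, and services_with_missing_binary returns only the rpcapd service.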
Thread: Win32.agent.at / Smitfraud-c.toolbar888 / Psapianalyzer, started by Uralten, Jun 3 2007, 10:30 PM