I have just gotten the virus but i am computer illiterate and unsure what to do. So far i have used HijackThis and SmitFraudFix v2.53 the These are the logs, but now i am unsure of what to do next could you please guide me and tell me the next step. thnx Logfile of HijackThis v1.99.1 Scan saved at 7:06:19 AM, on 2/06/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE c:\Program Files\Norton Personal Firewall\NISUM.EXE C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\program files\zango\zango.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe c:\Program Files\Norton Personal Firewall\ccPxySvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\ZoneLabs\isafe.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\hjt\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au10.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file) O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D87A5D7E4F213DC2 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\System32\hp100.tmp (file missing) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp100.tmp (file missing) O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing) O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe" O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [mousepad] C:\\mousepad2.exe O4 - HKLM\..\Run: [newname] c:\\newname2.exe O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe" O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.ex" -silent O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe" O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe O4 - HKCU\..\Run: [qkif] C:\PROGRA~1\COMMON~1\qkif\qkifm.exe O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Norton Personal Firewall.lnk = C:\Program Files\Norton Personal Firewall\nisfirst.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtpbs/wtBalanceSheet/portfoliomanagerwt.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\mcrui.dll (file missing) O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing) O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe SmitFraudFix v2.53 Scan done at 7:07:01.51, Fri 02/06/2006 Run from C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.001\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.001\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\OWNERY~1.001\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{62eb0924-19d2-4226-b4b9-8ad1f70904c1}"="bronchovascular" [HKEY_CLASSES_ROOT\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32] @="C:\WINDOWS\System32\hvnwm.dll" [HKEY_CURRENT_USER\Software\Classes\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32] @="C:\WINDOWS\System32\hvnwm.dll" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End
Hi flippas, you got a nice malware collection there... We'll start te cleaning with this: Download Look2Me-Destroyer -> http://www.atribune.org/ccount/click.php?id=7 and save it on desktop IMPORTANT: Before continuing, you MUST do the following: ->Print this or save as a textfile ->Click start -> run -> services.msc -> ok ->Check that this service is running or its startuptype is automatic Secondary logon ->Disconnect from internet (unplug your network cable) ->Close ALL antivirus programs (this is essential!) ->Close all windows before continuing. ->Double-click Look2Me-Destroyer.exe to run it. ->Put a check next to Run this program as a task. ->You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK ->When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal. ->Once it's done scanning, click the Remove L2M button. ->You will receive a Done Scanning message, click OK. ->When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK. ->Your computer will then shutdown. ->Turn your computer back on. ->Please post the contents of C:\Look2Me-Destroyer.txt If you receive a message from your firewall about this program accessing the internet please allow it. If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory. http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX So post the contents of C:\Look2Me-Destroyer.txt and a new HijackThis log to here. Then we'll continue the cleaning, you're not clean yet!
yeah i downloaded look2medestroyer and have done the following steps you told me here are the logs for look2medestroyer and HijackThis v1.99.1 Look2Me-Destroyer V1.0.12 Scanning for infected files..... Scan started at 3/06/2006 12:20:10 AM Infected! C:\WINDOWS\system32\mcrui.dll Attempting to delete infected files... Making registry repairs. Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{53F9ED8E-61BE-48A8-B557-FA76EAEC6EEF}" HKCR\Clsid\{53F9ED8E-61BE-48A8-B557-FA76EAEC6EEF} Restoring Windows certificates. Replaced hosts file with default windows hosts file Restoring SeDebugPrivilege for Administrators - Succeeded Logfile of HijackThis v1.99.1 Scan saved at 12:30:35 AM, on 3/06/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe c:\Program Files\Norton Personal Firewall\NISUM.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE c:\Program Files\Norton Personal Firewall\ccPxySvc.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\program files\zango\zango.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe C:\WINDOWS\System32\ZoneLabs\isafe.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Microsoft Office\Office\WINWORD.EXE C:\hjt\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au10.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file) O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D87A5D7E4F213DC2 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\System32\hp100.tmp (file missing) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp100.tmp (file missing) O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing) O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe" O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [mousepad] C:\\mousepad2.exe O4 - HKLM\..\Run: [newname] c:\\newname2.exe O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe" O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.ex" -silent O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe" O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe O4 - HKCU\..\Run: [qkif] C:\PROGRA~1\COMMON~1\qkif\qkifm.exe O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Norton Personal Firewall.lnk = C:\Program Files\Norton Personal Firewall\nisfirst.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtpbs/wtBalanceSheet/portfoliomanagerwt.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing) O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Ok lets continue... You seem to have 2 firewall and antivirus programs running at the same time, Norton and ZoneAlarm. (You have the ZoneAlarm version that includes the antivirus, right?) This is not recommended because it may cause serious conflicts. You should remove one of them. So go to Go to Control Panel -> Add/Remove programs -> Remove ZoneAlarm or Norton Cleaning instructions: Download and install Ewido anti-malware -> http://www.ewido.net/en/download Update it, but do NOT run a scan yet. We'll use it later. Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1 Do NOT run yet. Download BFU.zip -> http://www.merijn.org/files/bfu.zip Unzip it to folder C:\BFU Download this removal script, right-click, "save target as" -> http://metallica.geekstogo.com/alcanshorty.bfu Download this removal script, right-click, "save target as" -> http://metallica.geekstogo.com/MediaGateway.BFU Download this removal script, right-click, "save target as" -> http://downloads.subratam.org/Lon/sidekickFix.bat And save those to the same folder than where BFU was installed earlier (c:\BFU). Do NOT use those yet! Go to Control Panel -> Add/Remove programs -> Remove SurfSideKick, Zango, DAP, Download Accelerator Pro, BearShare, Grokster, WhenUSave if found Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au10.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file) O2 - BHO: Zango Search Assistant Helper /fleok=1D8A83A5C5E315789FA575760EA83FA5EF80752B94E3D87A5D7E4F213DC2 - {56F1D444-11BF-4879-A12B-79CF0177F038} - c:\program files\zango\zangohook.dll O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [mousepad] C:\\mousepad2.exe O4 - HKLM\..\Run: [newname] c:\\newname2.exe O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe" O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe" O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe O4 - HKCU\..\Run: [qkif] C:\PROGRA~1\COMMON~1\qkif\qkifm.exe O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE Open Notepad -> copy the following lines into a new document: @echo off sc stop Network Monitor sc delete Network Monitor Save the document to your desktop as Removal.bat and filetype: All Files Go to your desktop and run the file Removal.bat and answer yes to any questions. Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml Delete these folders (if found): [/b] C:\Program Files\Network Monitor C:\Program Files\SurfSideKick C:\Program Files\Grokster C:\Program Files\BearShare C:\Program Files\Save C:\Program Files\Common Files\qkif C:\Program Files\DAP C:\Program Files\Dopewars Press Start -> My Computer -> Go to folder C:\BFU -> Run BFU by doubleclicking BFU.exe -> Type or copy/paste this to the "Scriptline to execute" -field: C:\BFU\alcanshorty.bfu -> Click Execute and let it do its work (You should see a progressbar if you did this right) -> Wait for the "Complete script execution" box and click OK. -> Click Exit in order to quit BFU. -> Run BFU by doubleclicking BFU.exe -> Type or copy/paste this to the "Scriptline to execute" -field: C:\BFU\MediaGateway.BFU -> Click Execute and let it do its work (You should see a progressbar if you did this right) -> Wait for the "Complete script execution" box and click OK. -> Click Exit in order to quit BFU. ->Go to C:\BFU and run the file sidekickFix.bat ->Click YES and follow the instructions, when it asks about restarting the pc, answer NO. Run ATF Cleaner -> Check select all -> Press Empty selected Scan and clean your computer with Ewido and save the report. Clean the Recycle bin and make your hidden files visible again. Restart your computer normally. Post the following logs to here: -> a fresh HijackThis log -> Ewido's log Then we'll continue the cleaning....
Yup so far i have done everything as you told me here are the logs for HiJackThis and Ewido Anti-malware. There should be more results in the report for ewido anto-malware except that my brother accidently cancelled the firt scan. --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 7:01:08 AM, 3/06/2006 + Report-Checksum: AD314131 + Scan result: C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup C:\WINDOWS\Downloaded Program Files\miniclipGameLoader.dll -> Downloader.Small : Cleaned with backup C:\WINDOWS\Downloaded Program Files\minicliptoolbar.dll -> Adware.MegaSearch : Cleaned with backup C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N53L1025NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.f : Cleaned with backup C:\WINDOWS\iNetPal\bolae9in3l.exe -> Dropper.Mudrop.r : Cleaned with backup C:\WINDOWS\Minidump\Mini102505-01.dmp -> Worm.Randon.t : Cleaned with backup C:\WINDOWS\NDNuninstall5_64.exe -> Adware.NewDotNet : Cleaned with backup C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup C:\WINDOWS\togon1.exe -> Backdoor.Rbot.agn : Cleaned with backup ::Report End Logfile of HijackThis v1.99.1 Scan saved at 7:08:52 AM, on 3/06/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\ewido anti-malware\ewidoguard.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\Program Files\MessengerPlus! 3\MsgPlus.exe C:\Program Files\Winamp\Winampa.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe C:\WINDOWS\System32\ZoneLabs\isafe.exe C:\Program Files\Internet Explorer\iexplore.exe C:\hjt\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\System32\hp100.tmp (file missing) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe" O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.ex" -silent O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtpbs/wtBalanceSheet/portfoliomanagerwt.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Ok looking much better, we'll continue... So your ZoneAlarm includes an antivirus, right? If it doesn't include, install one: These are good (free) antiviruses: AVG Antivirus --> http://www.grisoft.com Avast --> http://www.avast.com Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip Unzip it (folder named SmitFraudFix) to your desktop: Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist) Post the contents of this textfile to here. (Some antiviruses recognises process.exe as a malware. It is not malware, it is a program that stops processes)
Yup no need fo antivirus Zonealarm comes with anti-virus and spyware protection. I completed the search and here are the logs for SmitFraudFix SmitFraudFix v2.53 Scan done at 17:02:06.26, Sat 03/06/2006 Run from C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.001\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.001\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\OWNERY~1.001\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{62eb0924-19d2-4226-b4b9-8ad1f70904c1}"="bronchovascular" [HKEY_CLASSES_ROOT\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32] @="C:\WINDOWS\System32\hvnwm.dll" [HKEY_CURRENT_USER\Software\Classes\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32] @="C:\WINDOWS\System32\hvnwm.dll" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
Ok, good... Fix this entry with HijackThis: O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\System32\hp100.tmp (file missing) Restart your computer to the safemode and choose your normal user account -> http://www.pchell.com/support/safemode.shtml When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files. You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys. The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter". The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode. A textfile will appear after the cleaning process, copy this file and paste it to here. Tha log is saved to your local diskdrive, usually C:\rapport.txt. Warning : Running option 2 in a clean computer will delete your desktop wallpaper. Download eScan to your desktop -> http://www.spywareinfo.dk/download/mwav.exe Run the file mwav.exe and unzip it to its default location, C:\Kaspersky 1. Updating the scanner (close the eScan window if open) -> Go to My Computer -> C:\ -> Kaspersky -> Run the file kavupd.exe, it starts downloading updates -> When downloading is finished, go to C:\Downloads -> Copy all the files in the Downloads folder by pressing CTRL+A and then CTRL+C -> Then go back to the C:\Kaspersky folder and paste the files by pressing CTRL+V -> Answer Yes to all when it asks about replacing files -> Now the scanner has been updated 2. Scanner settings -> Go to folder C:\Kaspersky and run the file mwavscan.com (or mwavscan.exe) -> The scanner window opens -> Select the same settings than in this picture -> http://koti.mbnet.fi/pattaya1/eScan6.jpg -> When ready, press the Scan Clean button -> Scanning for infections begins 3. Posting the results -> When the scan has finished (scan may take a quite long time), you'll need to post the findings -> Copy all the text in this field -> http://koti.mbnet.fi/pattaya1/eScan10.jpg -> Click the field, press CTRL+A, CTRL+C -> Then open Notepad and paste the findings into a new document by pressing CTRL+V -> Save the document to your desktop -> Post the contents of that textfile to here BTW, you seem to have many unnecessary processes running, after we have get you cleaned, do you want that we take those off? When you're ready, post a new HijackThis log, contents of C:\rapport.txt and eScan findings to here.
i have done as you have requested and here are the logs for the following HiJackThis EscanAntiVirus SmitFraudFix v2.53 Logfile of HijackThis v1.99.1 Scan saved at 1:41:38 AM, on 8/06/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\Program Files\MessengerPlus! 3\MsgPlus.exe C:\Program Files\Winamp\Winampa.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\ewido anti-malware\ewidoguard.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\System32\svchost.exe C:\Kaspersky\mwavscan.com C:\Kaspersky\kavss.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\ZoneLabs\isafe.exe C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Microsoft Office\Office\WINWORD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\hjt\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe" O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtpbs/wtBalanceSheet/portfoliomanagerwt.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe SmitFraudFix v2.53 Scan done at 5:35:57.78, Wed 07/06/2006 Run from C:\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{62eb0924-19d2-4226-b4b9-8ad1f70904c1}"="bronchovascular" [HKEY_CLASSES_ROOT\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32] @="C:\WINDOWS\System32\hvnwm.dll" [HKEY_CURRENT_USER\Software\Classes\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32] @="C:\WINDOWS\System32\hvnwm.dll" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri C:\WINDOWS\System32\hvnwm.dll -> Missing File »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End EscanAntiVirus Log File C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.000\Desktop\XoftSpy415_121.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken. File C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.000\My Documents\My Received Files\Habbit(1).zip tagged as not-a-virus:Monitor.Win32.Perflogger.al. No Action Taken. File C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.000\My Documents\My Received Files\Habbit.zip tagged as not-a-virus:Monitor.Win32.Perflogger.al. No Action Taken. File C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.001\Desktop\Dope Wars\dw22.exe tagged as not-a-virus:AdWare.Win32.Gator.3013. No Action Taken. File C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.001\My Documents\My Received Files\Habbit.zip tagged as not-a-virus:Monitor.Win32.Perflogger.al. No Action Taken. File C:\Program Files\BearShare\BearShareZangoInstaller.exe tagged as not-a-virus:AdWare.Win32.180Solutions.ao. No Action Taken. File C:\Program Files\BearShare\Installer\BSINSTALL.exe tagged as not-a-virus:AdWare.Win32.180Solutions.ao. No Action Taken. File C:\Program Files\BearShare\Installer\BSInstall5.2.1.2(1).exe tagged as not-a-virus:AdWare.Win32.SaveNow.bo. No Action Taken. File C:\Program Files\Microsoft AntiSpyware\Quarantine\12EB00F0-CD82-4574-AFA6-B4C9AE\2CEF75FD-5682-438C-9460-BED16F tagged as not-a-virus:AdWare.Win32.SaveNow.bc. No Action Taken. File C:\Program Files\Microsoft AntiSpyware\Quarantine\75C27E86-4237-4433-AE88-0A84A3\C5773B14-B74F-4447-80FA-63B33D tagged as not-a-virus:AdWare.Win32.SaveNow.z. No Action Taken. File C:\Program Files\Microsoft AntiSpyware\Quarantine\988F3214-862A-4738-84FB-28D65D\32A95741-4F2E-4FD9-908A-1E43E6 tagged as not-a-virus:AdWare.Win32.SaveNow.z. No Action Taken. File C:\Program Files\Microsoft AntiSpyware\Quarantine\E1888909-3FF9-4EC4-BAED-02D6D9\08D820A7-6B44-437D-874D-2E7847 tagged as not-a-virus:Monitor.Win32.PCAcme.63. No Action Taken. File C:\Program Files\Microsoft AntiSpyware\Quarantine\E1888909-3FF9-4EC4-BAED-02D6D9\53664220-1682-4A0A-AC29-34D562 tagged as not-a-virus:Monitor.Win32.PCAcme.64. No Action Taken. File C:\Program Files\Microsoft AntiSpyware\Quarantine\E1888909-3FF9-4EC4-BAED-02D6D9\A7ADA807-0124-4528-9A51-56C012 tagged as not-a-virus:Monitor.Win32.PCAcme.63. No Action Taken. File C:\Program Files\Microsoft AntiSpyware\Quarantine\ECA1A678-C9FC-4325-9738-9A4A61\F206A3D3-BA85-435D-96FC-E1D395 tagged as not-a-virus:AdWare.Win32.180Solutions. No Action Taken. File C:\Program Files\mIRC\backup\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken. File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken. File C:\Volume Information\ •0d¡ .{00021401-0000-0000-C000-000000000046}\3976439939693260.{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}\Stuff\Programs\BSINSTALL.exe tagged as not-a-virus:AdWare.Win32.180Solutions.ao. No Action Taken. File C:\Volume Information\ •0d¡ .{00021401-0000-0000-C000-000000000046}\3976439939693260.{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}\Stuff\Programs\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken. File C:\Volume Information\ •0d¡ .{00021401-0000-0000-C000-000000000046}\3976439939693260.{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}\Stuff\sc shita\Dope Wars + Serial.zip tagged as not-a-virus:AdWare.Win32.Gator.3013. No Action Taken.
Ok... Go to Control Panel -> Add/Remove programs -> Remove BearShare if found Then disable system restore, instructions -> http://www.pchell.com/virus/systemrestore.shtml Make your hidden files visible. Restart your computer to the safemode. Delete the following files if found: C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.000\Desktop\XoftSpy415_121.exe C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.000\My Documents\My Received Files\Habbit(1).zip C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.000\My Documents\My Received Files\Habbit.zip Delete the following folders if found: C:\Program Files\BearShare C:\Documents and Settings\Owner.YOUR-UDIG6KT8M9.001\Desktop\Dope Wars Restart your computer normally and enable the system restore. If you had no problems when deleting the above items, you should be clean now At first you should update your windows with Service Pack 2 update, you can get it from Windows Update -> http://windowsupdate.microsoft.com -> Install SP2 -> Reboot your PC -> Get back to the windows update and install all remaining important updates You should update your Java (old version has all kinds of vulnerabilities) 1. Click "Start"-> "Control panel" -> Double-click Java icon (coffee cup) 2. Move to "Update" tab and update Java by clicking "Update Now". After that do a restart. 3. If you can't make automatic update, get new version manually from here -> http://java.sun.com/j2se/1.5.0/download.jsp 4. After updating, uninstall the old Java if found from Add/Remove Programs, named as J2SE Runtime Environment 1.4.2 Update 3 or similar Now that you're clean, here are some tips how to stay clean. -> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware. -> Use CCleaner -> http://www.ccleaner.com Download and install CCleaner. Clean your registry and temporary files with it regularly. -> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48 Download and install Ad-Aware. Update it and scan your computer regularly with it. -> Use Ewido -> http://www.ewido.net/en Download and install Ewido. Update it and scan your computer regularly with it. -> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html SpywareBlaster will prevent spyware from being installed to your computer. -> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm This prevents your computer from connecting to harmful sites. -> Change your browser to Firefox -> http://www.mozilla.org Firefox is faster, safer and quicker browser than Internet Explorer. -> Keep your systen up-to-date -> http://windowsupdate.microsoft.com Visit Windows Update regularly. -> Keep your antivirus and firewall up-to-date Scan your computer regularly with your antivirus. -> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html So how did I get infected in the first place? Stay clean
