I've got
1. ULWindowSeek & ULWindowURL popups
2. System Integrity Scan Wizard
3. Not one but 2 instances of the wheelchair/red crossout icon in my taskbar informing me of a virus and directing me to the SpyWareQuake website
4. My homepage is permanently set to www.topsecuritysite.net
5. Porn sites popping up every once in a while
6. Party Poker and all the other great sites popping up once in a while

I've run Norton Antivirus, Spybot, and Adware and nothing is working whatsoever. Here is my HT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:12:52 PM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\1510c1e5.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Valued Customer\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vhiha.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gcpkkli.exe
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TCtryIOHook] c:\WINDOWS\System32\TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Notebook Maximizer] C:\Program Files\Notebook Maximizer\maximizer_startup.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [1510c1e5.exe] C:\WINDOWS\system32\1510c1e5.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [1510c1e5.exe] C:\Documents and Settings\Valued Customer\Local Settings\Application Data\1510c1e5.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.skillport.com
O15 - Trusted Zone: *.skillsoft.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141764162843
O20 - AppInit_DLLs: C:\WINDOWS\system32\ntvdm.dll
O20 - Winlogon Notify: winwil32 - C:\WINDOWS\SYSTEM32\winwil32.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I will be forever indebted to anyone who can help me.

Here's my SmitfraudFix log as well, but I have no idea what I'm doing.

SmitFraudFix v2.55
Scan done at 22:17:48.96, Tue 06/06/2006
Run from C:\Documents and Settings\Valued Customer\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\country.exe FOUND !
C:\WINDOWS\kl1.exe FOUND !
C:\WINDOWS\toolbar.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\ucbrrt.dll FOUND !
C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Valued Customer\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{c3786a8d-6426-4c29-a23f-f36e47b31e0c}"="hillman"
[HKEY_CLASSES_ROOT\CLSID\{c3786a8d-6426-4c29-a23f-f36e47b31e0c}\InProcServer32]
@="C:\WINDOWS\system32\ucbrrt.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{c3786a8d-6426-4c29-a23f-f36e47b31e0c}\InProcServer32]
@="C:\WINDOWS\system32\ucbrrt.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="antitragus"
[HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\system32\asxbbx.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\system32\asxbbx.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End

Hi hohn.

You don't have a firewall on your computer. Download and install one firewall. These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio--> http://www.sunbelt-software.com/Kerio.cfm
Outpost-> http://www.agnitum.com

Ok, you got some infections on your computer....

Cleaning instructions:

Move HijackThis into its own folder C:\HJT

Download and install Ewido anti-malware -> http://www.ewido.net/en/download
Update it, but do NOT run a scan yet. We'll use it later.

Please download Brute Force Uninstaller to your desktop. http://www.merijn.org/files/bfu.zip
-> Right-click the BFU folder on your desktop, and choose Extract All
-> Click Next
-> In the box to choose where to extract the files to,
-> Click Browse
-> Click on the + sign next to My Computer
-> Click on Local Disk ( C: ) or whatever your primary drive is
-> Click Make New Folder
-> Type in BFU
-> Click Next, and Uncheck the Show Extracted Files box and then click Finish.

RIGHT-CLICK the following link and choose "Save As" (in IE it's "Save Target As") in order to download QooFix.bat by LonnyRJones -> http://downloads.subratam.org/Lon/qooFix.bat
Save it in the same folder you made earlier (c:\BFU).

Please close ALL other open windows & explorer folders, then double-click on QooFix.bat
Choose option #1 (Qoolfix autofix) and follow the prompts. Please be patient, it will take about five minutes.

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vhiha.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gcpkkli.exe
O4 - HKLM\..\Run: [1510c1e5.exe] C:\WINDOWS\system32\1510c1e5.exe
O4 - HKCU\..\Run: [1510c1e5.exe] C:\Documents and Settings\Valued Customer\Local Settings\Application Data\1510c1e5.exe
O20 - Winlogon Notify: winwil32 - C:\WINDOWS\SYSTEM32\winwil32.dll

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html

Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

Delete these files (if found):
C:\WINDOWS\system32\1510c1e5.exe
C:\WINDOWS\SYSTEM32\winwil32.dll
C:\Documents and Settings\Valued Customer\Local Settings\Application Data\1510c1e5.exe

When in safemode, open SmitfraudFix folder and double-click the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.
You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.
The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".
The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A textfile will appear after the cleaning process, copy this file and paste it to here. The log is saved to your local diskdrive, usually C:\rapport.txt.
Warning : Running option 2 in a clean computer will delete your desktop wallpaper.

Scan and clean your computer with Ewido and save the report.

Clean the Recycle bin.

Go to here -> http://www.virustotal.com
-> Press "Browse"
-> Browse to this file C:\WINDOWS\system32\ntvdm.dll
-> Press "Send"
-> Wait for the scan to end and copy the results to here.

Post the following logs to here:
-> a fresh HijackThis log
-> Ewido's log
-> Contents of C:\Rapport.txt
-> Results from the Virustotal scan
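
Added example, not part of the original thread or of either poster's words: a small Python triage script that parses HijackThis entry lines like those above and surfaces the autostart load points the reply singles out (F2 Shell/UserInit additions, the hex-named O4 Run entry, O20 DLL load points). The sample lines are copied from the posted log as constructed input, and the 8-hex-digit file-name rule is an assumption made for this example.

```python
import re

# Constructed sample: a few entries copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\vhiha.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gcpkkli.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [1510c1e5.exe] C:\WINDOWS\system32\1510c1e5.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\ntvdm.dll
O20 - Winlogon Notify: winwil32 - C:\WINDOWS\SYSTEM32\winwil32.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Default Windows XP values for the two load points HijackThis reports as F2.
DEFAULTS = {"shell": {"explorer.exe"},
            "userinit": {r"c:\windows\system32\userinit.exe"}}
# Assumption for this example: an 8-hex-digit .exe name is treated as suspicious.
HEX_EXE = re.compile(r"\\[0-9a-f]{8}\.exe$", re.I)

def parse(log):
    """Yield (section_code, detail) for each HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def review(log):
    """Return (code, reason, item) tuples for load points worth checking first."""
    findings = []
    for code, detail in parse(log):
        if code == "F2":  # extra programs appended to Shell= / UserInit=
            key, _, value = detail.split(": ", 1)[-1].partition("=")
            for prog in (p.strip() for p in value.split(",")):
                if prog and prog.lower() not in DEFAULTS.get(key.lower(), set()):
                    findings.append((code, f"extra {key} program", prog))
        elif code == "O4" and HEX_EXE.search(detail):
            findings.append((code, "Run entry with hex-only file name", detail))
        elif code == "O20":  # DLLs loaded via AppInit_DLLs or Winlogon Notify
            findings.append((code, "DLL load point, verify the file", detail))
    return findings

if __name__ == "__main__":
    for code, reason, item in review(SAMPLE_LOG):
        print(f"{code:4} {reason}: {item}")
```

A flagged O20 entry is only a prompt to verify the file, which is why the reply asks for ntvdm.dll to be scanned rather than deleted outright.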