I woke up this morning and when I switched on the PC I started receiving popups informing me my PC was infected. I have Panda Antivirus 2007, Spyware Doctor, AVG 7.5 Pro, AVG Anti-Spyware (previously known as Ewido), Ad-Aware 6 Pro, Registry Fix and a-squared Anti-Dialer installed on my PC. I also have ZoneAlarm Pro, NOD32 and a few others on disks but not yet installed, so I didn't think it was something I had done. I later found out from my daughter that my son was on the PC all morning. On my desktop were 3 new icons that weren't there when I went to bed the night before: one called Online Security Guide, another I can't remember as after I scanned with NOD32 it disappeared, and the last one was a program called PornPass Manager. Every time I try to go online I notice my browser has been hijacked and the site is called safeiepage.com, and there is another window that pops up saying:

Warning: W32.Myzor.fk@yf is a virus that affects files with .exe extensions and attempts to steal passwords and private information. It also says it's 138,293 bytes long and under technical details it says:
1) creates files in %windir%\ (by default this is C:\Windows)
2) adds values to registry keys: HKEY_LOCAL_MNACHINE\ (NOTICE MACHINE ISN'T SPELLED CORRECTLY, BUT THAT'S HOW IT IS) Software\Microsoft\Windows\CurrentVersion\Run3
3) scans the hard drive for .exe files and infects any executable files; searches for passwords/information which it may send to a remote attacker.
It then goes on to say click OK to download officially approved security software. Always keep your patch levels up to date.

I would appreciate any help in ridding my PC of any trojans/malware/spyware etc. I ran Rootkit Hook Analyzer and it found 9 kernel hooks, but I don't know how to work this program as it was referred by someone on a forum. Every time I scan with AVG, Spyware Doctor, NOD32 or even Panda Antivirus 2007 it eventually comes back that my system is clean; I go to the Panda online ActiveScan and it finds even more??
I also noticed a thing called Boonty Games and have checked up on Google, and it appears to be a site where you can download games. I know for a fact that I have not downloaded this, so could this be what my son downloaded and could this be the culprit? I also ran SmitFraudFix and it found 3 infected files. I will put the SmitFraudFix log after the HijackThis log... Thanks for any help I receive. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:12:36, on 28/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Program Files\Grisoft\AVG7\avgwa.dat
C:\Program Files\Panda Software\Panda Antivirus 2007\AvltMain.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\apvxdwin.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\neil dougal\Desktop\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\PornPass Manager\isaddon.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DVD43] C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\NEILDO~1\LOCALS~1\Temp\{7C1645DC-9D36-4539-ACF1-1A4C7FBDD1F4}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [a-squared Anti-Dialer] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: Post Image to Blog - C:\WINDOWS\ImageShackT...r.dll/5003
O8 - Extra context menu item: Tag This Image - C:\WINDOWS\ImageShackT...r.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - C:\WINDOWS\ImageShackT...r.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - C:\WINDOWS\ImageShackT...r.dll/5001
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O15 - Trusted Zone: toolbar.imageshack.us
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - toolbar.imageshack.us/...oolbar.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - acs.pandasoftware.com/...asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - www.systemrequirements...reqlab.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

SmitFraudFix v2.115
Scan done at 17:06:44.92, 28/10/2006
Run from C:\Documents and Settings\neil dougal\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\Program Files\PornPass Manager\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
Here's something I would delete... here's what you have...

Virus Name: W32.Myzor.FK@yf
Category: Worm
Risk Level: Medium
Symptoms: Displays a pop-up warning: W32.Myzor.FK@yf is a virus that infects files with .exe extensions. It attempts to steal passwords and private information from the infected computer. Also displays a fake pop-up message saying that your computer is infected, usually in the taskbar by the time

O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\PornPass Manager\isaddon.dll (file missing) DELETE THIS!!
O15 - Trusted Zone: toolbar.imageshack.us (if you know what this is do not delete, otherwise I would delete it)
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - www.systemrequirements...reqlab.cab (same for this one)

Try using Kaspersky Anti-Virus, found here: http://www.kaspersky.com. Do a full system scan in safe mode.
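A small triage script for logs like the one posted above, added here as an example (it is not code from the thread, from HijackThis or from SmitFraudFix): it parses the `Rx`/`Oxx` entry lines of a HijackThis log and flags the kinds of entries the reply singles out. The sample lines are copied from the posted log; the heuristics (orphaned "(file missing)" entries, unnamed BHOs, autostarts running out of a Temp directory, Trusted Zone and DPF entries) are my own assumptions about what deserves a second look, not a verdict on any particular entry.

```python
import re

# Constructed sample: entry lines copied from the HijackThis v1.99.1 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\PornPass Manager\isaddon.dll (file missing)
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\NEILDO~1\LOCALS~1\Temp\{7C1645DC-9D36-4539-ACF1-1A4C7FBDD1F4}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O15 - Trusted Zone: toolbar.imageshack.us
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - www.systemrequirements...reqlab.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
"""

# One HijackThis entry: a section tag (R0-R3, F0-F3, O1-O24) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


def parse_entries(text):
    """Return one {'section', 'body', 'raw'} dict per entry line.
    Header lines and the 'Running processes' paths do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m.group("section"),
                            "body": m.group("body"), "raw": line})
    return entries


def review(entries):
    """Apply triage heuristics (my own assumptions, not HijackThis's) and return
    (section, verdict, reason, raw) for every entry that deserves attention."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        verdict, reasons = None, []
        # The entry points at a file that no longer exists: harmless by itself,
        # but a leftover registration from removed software should be cleaned up.
        if "(file missing)" in body:
            verdict = "remove"
            reasons.append("orphaned entry, referenced file is missing")
        # Browser helper objects normally carry a product name; an unnamed one
        # is a common sign of an unwanted add-on.
        if sec == "O2" and body.startswith("BHO: (no name)"):
            verdict = "suspicious"
            reasons.append("unnamed browser helper object")
        # Installed software rarely autostarts out of a Temp directory.
        if sec == "O4" and re.search(r"\\temp\\", body, re.IGNORECASE):
            verdict = "suspicious"
            reasons.append("autostart launches from a Temp directory")
        # Trusted Zone sites and ActiveX downloads (DPF) relax IE's security settings;
        # keep them only if you recognise the site, as the reply above advises.
        if sec in ("O15", "O16"):
            verdict = verdict or "review"
            reasons.append("IE trust/ActiveX entry: keep only if you recognise the site")
        if verdict:
            findings.append((sec, verdict, "; ".join(reasons), e["raw"]))
    return findings


if __name__ == "__main__":
    for sec, verdict, reason, raw in review(parse_entries(SAMPLE_LOG)):
        print(f"[{verdict:10}] {sec}: {reason}\n    {raw}")
```

Run against the sample, the script flags the unnamed PornPass Manager BHO and the Temp-directory autostart as suspicious, the Trusted Zone and DPF entries for review, and the orphaned msnim protocol handler as safe to remove; the Adobe BHO, the AVG autostart, the Winlogon Notify DLL and the Boonty service are left alone because none of the heuristics applies to them.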