i surfed the net & now my pc has spyware pop ups,i copied the highjacker file for you to help me out

ok but at least we are nearly finished send me the next message to let me know in uk time when you want to start again,if its 4.10pm here it must be 12.10am there sorry for keeping you up,goodnight bruce,one thing i can say we are both doing well,its nearly finished

 

sorry to tell you this but theres nothing on the desktop nothing new anyway,all the items that are on there now are items that we had on there before there were only one new folder on its own with no name on it & inside the folder it was empty,plus there was an office word file or what do you call it but when i tried to open it up i couldn't it was like it was invisable looking like & also it said it cant open it up because it is corrupted & i hear some popping sound on the pc sometimes & when you want to reboot sometimes you get that box that opens up with that round circle in it with the red x & it makes that bad sound ,

it says that it has failed to finish properly inishalizing something along them lines,

so i cant find no fixstool on here,im stuck from after doing the reboot,because what it says on here never happened ,so im down to the last line which is 3 lines under the script where it says type y,im on the script where it says where the pc restarts the fixtool will run again & complete the removal process then display finished i never saw that ha

 

Ok, skip that part and download the second tool (SmitFraudFix) and do the cleaning process.

 

ok,remember in the uk the clocks went forward one hour last night,i will do the cleaning task,iv'e saved it to my desktop is that ok,yesterday the good news was that the yellew little windows update came on to my start up menu & i updated it then inernet explorer came on onits own so i allowed it to download no7,after that everything was ok,until i think i put a add on on then this window pops up like it did before when this problem started,it only comes on now whenever you open up internet explorer 7,warning w42.myzor.fx@ is a virus that infects files with exe.extentions.it atempts to steel passwords,i cant write the rest of it its too long,so theres the update for you so far,i know that most of the things we all download has exe extentions in them so what do we do,i will have to try to keep these softwares to use them in future when explorer 7 gives me these problems,or do you have a desktop software that like an antivirus software it works its self or you just prompt it to work,should i get rid of explorer 7,i have got already avant browser & i got firefox beta 3,its just that my e-mail address & windows live i think are maybe linked up to it or can another browser do the same thing,the reason why i worry in the last 2 weeks when after latley i uninstalled explorer 7,when i tried do download or open certain items it told me that these extions could only be oppened by explorer 7

 

ok,remember in the uk the clocks went forward one hour last night,i will do the cleaning task,iv'e saved it to my desktop is that ok,yesterday the good news was that the yellew little windows update came on to my start up menu & i updated it then inernet explorer came on onits own so i allowed it to download no7,after that everything was ok,

until i think i put a add on on then this window pops up like it did before when this problem started,it only comes on now whenever you open up internet explorer 7,

warning w42.myzor.fx@ is a virus that infects files with exe.extentions.it atempts to steel passwords,i cant write the rest of it its too long,so theres the update for you so far,i know that most of the things we all download has exe extentions in them so what do we do,i will have to try to keep these softwares to use them in future when explorer 7 gives me these problems,

or do you have a desktop software that like an antivirus software it works its self or you just prompt it to work,should i get rid of explorer 7,i have got already avant browser & i got firefox beta 3,its just that my e-mail address & windows live i think are maybe linked up to it or can another browser do the same thing,

the reason why i worry in the last 2 weeks when after latley i uninstalled explorer 7,when i tried do download or open certain items it told me that these extions could only be oppened by explorer 7

 

ive closed all progras & clicked 2 to clean it said it might reboot but nothing is happening or moving do i have to press one to search,

 

You need to press 1 to search for it first and give me a report.

Don't click on any pop ups or anything that looks suspicious, we don't want any more infections coming in!

 

ok bruce,good morning to you

 

i clicked 1 for seach & nothing happened then i took off the 1 & 2 then i spaced them out this time then i pressed enter,then it just disapeard,its still on my desktop

 

iv'e done it,what it was all i had to do was click onto number 2 then press enter,you didn't tell me that so i thought of trying it again & iv'e done it,you must be busy i sent you 2 messages alredy but im glad this was the one you were waiting for,send me back the details on what to do next,i will be back at 12.15 up to 12.45pm maybe even earlier,

SmitFraudFix v2.309

Scan done at 10:41:17.25, 30/03/2008
Run from C:\Documents and

Settings\EDDY\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] -

Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

\CurrentVersion\Explorer\SharedTaskScheduler]
"{d70e9b0f-aabc-4066-8176-c6de84d92fa1}"="bimacula

te"

[HKEY_CLASSES_ROOT\CLSID\{d70e9b0f-aabc-4066-817

6-c6de84d92fa1}\InProcServer32]
@="C:\WINDOWS\system32\kknwg.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{d70e

9b0f-aabc-4066-8176-c6de84d92fa1}\InProcServer32]
@="C:\WINDOWS\system32\kknwg.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\kknwg.dll ->

Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\kknwg.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\375013\ Deleted
C:\DOCUME~1\EDDY\FAVORI~1\Online Security

Test.url Deleted
C:\Program Files\NetProject\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet

NIC - Packet Scheduler Miniport
DNS Server Search Order: 62.30.112.39
DNS Server Search Order: 194.117.134.19

HKLM\SYSTEM\CCS\Services\Tcpip\..\{99525DF8-A407-

4756-8479-1E90AA2806D3}:

NameServer=62.30.112.39,194.117.134.19
HKLM\SYSTEM\CS1\Services\Tcpip\..\{99525DF8-A407-

4756-8479-1E90AA2806D3}:

NameServer=62.30.112.39,194.117.134.19
HKLM\SYSTEM\CS2\Services\Tcpip\..\{99525DF8-A407-

4756-8479-1E90AA2806D3}:

NameServer=62.30.112.39,194.117.134.19


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After

SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

 

Ok, answer this question for me.

Did you do SmitfraudFix scan in normal mode or safe mode? You should NOT do it in safe mode.

 

Good job, now let's do the following:

Run SDFix

Double click SDFix.exe and it will extract the files to C:\.

Please then reboot your computer in Safe Mode (Restart then press F8 before Windows starts)

[*] Open the extracted SDFix folder in C:\ and double click RunThis.bat to start the script.
[*] Type Y to begin the cleanup process.
[*] Press any Key to restart the PC.
[*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
[*] Once the desktop icons load the SDFix report will open.
(Report.txt)
[*] Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

Go!

~Ltangel~

 

i did it on number 2 where it says clean (safe) mode recommended,
but there is another clean on there number 5 search & clean dns hijack
shall i do no 5 then send you the report then i will leave after that & come back,

im only going by what instructions you told me to go by bruce ,read what you asked me to click onto & read again after what i asked of you

 

It's not necessary to run option 5, just run SDFix, as I've posted earlier. Go!

 

ive done all of what you told me to do its just that after the final reboot the fixtool did not come onto the desktop to finish off its job

 

Go to the SDFix folder and see if there is a report.txt there and psot here for me to see.

Please also post me a fresh HijackThis log.

 

there is a folder sdfix & its got 5 different types of files in it one is a yellow ghost effect look alike & its called appa then you have the second square box looks like a microwave its called catchme.exe then you have the 3rd one ghosty look alike its called dummy.sys system file 1kb then the 4th one is sdfix_readme_online internet shortcut then the fith one is another microwave look alike this is called runthis.bat ms-dos batch file,there is also a report.txt which is just on the desk top itsself, i will send you that as well now

SmitFraudFix v2.309

Scan done at 10:41:17.25, 30/03/2008
Run from C:\Documents and Settings\EDDY\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{d70e9b0f-aabc-4066-8176-c6de84d92fa1}"="bimaculate"

[HKEY_CLASSES_ROOT\CLSID\{d70e9b0f-aabc-4066-8176-c6de84d92fa1}\InProcServer32]
@="C:\WINDOWS\system32\kknwg.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{d70e9b0f-aabc-4066-8176-c6de84d92fa1}\InProcServer32]
@="C:\WINDOWS\system32\kknwg.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\kknwg.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\kknwg.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\375013\ Deleted
C:\DOCUME~1\EDDY\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\NetProject\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 62.30.112.39
DNS Server Search Order: 194.117.134.19

HKLM\SYSTEM\CCS\Services\Tcpip\..\{99525DF8-A407-4756-8479-1E90AA2806D3}: NameServer=62.30.112.39,194.117.134.19
HKLM\SYSTEM\CS1\Services\Tcpip\..\{99525DF8-A407-4756-8479-1E90AA2806D3}: NameServer=62.30.112.39,194.117.134.19
HKLM\SYSTEM\CS2\Services\Tcpip\..\{99525DF8-A407-4756-8479-1E90AA2806D3}: NameServer=62.30.112.39,194.117.134.19


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

 

Where is your HijackThis log?

 

here it is in plain black & white

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:41:26, on 30/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware

2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\IObit\IObit SmartDefrag\IObit

SmartDefrag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows

Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\MemInfo\meminfo.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft

Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend

Micro\HijackThis\HijackThis.exe

R1 -

HKCU\Software\Microsoft\Windows\CurrentVersion\In

ternet Settings,ProxyOverride = *.local
O2 - BHO: Groove GFS Browser Helper -

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} -

C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper -

{9030D464-4C02-4ABF-8ECC-5164760863C6} -

C:\Program Files\Common Files\Microsoft

Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BigDogPath]

C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program

Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe"

/StartUp
O4 - HKLM\..\Run: [SM_IAN] C:\Program

Files\AdvancedCleaner Free\ian_monitor.exe
O4 - HKLM\..\Run: [AVG7_CC]

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WinPatrol Helper DLL] C:\Program

Files\BillP Studios\WinPatrol\patrolpro.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program

Files\Windows Live\Messenger\msnmsgr.exe"

/background
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program

Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpyShredder] C:\Program

Files\SpyShredder\SpyShredder.exe
O4 - HKCU\..\Run: [DS Clock] "C:\Program Files\DS

Clock\dsclock.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE]

C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL

SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run]

C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User

'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE]

C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK

SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE]

C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE]

C:\WINDOWS\system32\CTFMON.EXE (User 'Default

user')
O4 - Startup: MemInfo.lnk = C:\Program

Files\MemInfo\meminfo.exe
O4 - Startup: WordWeb.lnk = C:\Documents and

Settings\EDDY\My Documents\WordWeb\wweb32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel

-

res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/30

00
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote -

{2670000A-7350-4f3c-8081-5663EE0C6C49} -

C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote -

{2670000A-7350-4f3c-8081-5663EE0C6C49} -

C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://www.update.microsoft.com/microsoftupdate/v6/

V5Controls/en/x86/client/wuweb_site.cab?1201727103

468
O16 - DPF:

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://www.update.microsoft.com/microsoftupdate/v6/

V5Controls/en/x86/client/muweb_site.cab?1201727078

062
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}

(Java Runtime Environment 1.6.0) -

http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-wi

ndows-i586-jc.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{99525DF8-A407-

4756-8479-1E90AA2806D3}: NameServer =

62.30.112.39,194.117.134.19
O18 - Protocol: grooveLocalGWS -

{88FED34C-F0CA-4636-A375-3CB6248B04CD} -

C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) -

Lavasoft - C:\Program Files\Lavasoft\Ad-Aware

2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. -

C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) -

GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) -

GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT,

s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program

Files\Kontiki\KService.exe

--
End of file - 6276 bytes

 

That is really difficult to read. Please reopen HijackThis log in notepad and then go to Format and ensure that there isn't a tick beside "Word wrap". Post the HijackThis log again after doing that.