My computer is also infected with the Win32:Zlob-BN. I'm using Avast Antivirus and Kerio Personal Firewall. Although Avast deletes the virus, it comes back over and over again. I've just read the other people's posts and hints. I look forward to your quick help. Thank you in anticipation. Here's my HijackThis log and SmitFraudFix log.

Logfile of HijackThis v1.99.1
Scan saved at 10:12:15, on 2006-06-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Gadu-Gadu\gg.exe
E:\PROGRA~1\INCRED~1\bin\IncMail.exe
E:\Program Files\Konnekt\konnekt.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\WINDOWS\twain_32\C6U14K\WATCH.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\Program Files\Kerio\Personal Firewall\persfw.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
C:\totalcmd\TOTALCMD.EXE
E:\Program Files\Alwil Software\Avast4\ashSimpl.exe
E:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WhenUSearchWHSE] "E:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BearShare] "E:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] E:\DOCUME~1\mikey\USTAWI~1\Temp\ImInstaller\IncrediMail\IncrediMail_Install.exe -startup -product IncrediMail
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Free Download Manager] E:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [IncrediMail] E:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Konnekt] "E:\Program Files\Konnekt\konnekt.exe" /autostart
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Watch.lnk = E:\WINDOWS\twain_32\C6U14K\WATCH.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - E:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - E:\Program Files\Kerio\Personal Firewall\persfw.exe

SmitFraudFix v2.62
Scan done at 10:22:00,78, 2006-06-20
Run from E:\Documents and Settings\mikey\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» E:\

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32
E:\WINDOWS\system32\ld????.tmp FOUND !
E:\WINDOWS\system32\ot.ico FOUND !
E:\WINDOWS\system32\regperf.exe FOUND !
E:\WINDOWS\system32\stdole3.tlb FOUND !
E:\WINDOWS\system32\ts.ico FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\mikey\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\mikey\Ulubione
E:\DOCUME~1\mikey\Ulubione\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop
E:\DOCUME~1\ALLUSE~1\Pulpit\Online Security Guide.url FOUND !
E:\DOCUME~1\ALLUSE~1\Pulpit\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Moja bieľĄca strona gˆ˘wna"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{f85e05f5-667e-41b0-ab8a-147337a99e65}"="bloodthirst"

[HKEY_CLASSES_ROOT\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}\InProcServer32]
@="E:\WINDOWS\system32\xuefh.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}\InProcServer32]
@="E:\WINDOWS\system32\xuefh.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
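Added triage aid, not part of the thread and not code from HijackThis or SmitFraudFix: a small Python parser for HijackThis-style entries like those in the log above, which flags the kinds of lines a reviewer reads first (an autostart launched from a Temp directory, an entry whose binary is reported as "(file missing)", and a name on a hand-made watch list). The sample lines and the watch list (just WhenUSearch, the program the reply says to remove) are constructed for this example.

```python
import re

# Constructed sample lines, in the shape of the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WhenUSearchWHSE] "E:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] E:\DOCUME~1\mikey\USTAWI~1\Temp\ImInstaller\IncrediMail\IncrediMail_Install.exe -startup -product IncrediMail
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe (file missing)
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - E:\Program Files\Kerio\Personal Firewall\persfw.exe
"""

ENTRY_RE = re.compile(r'^(?P<type>[RO]\d+) - (?P<body>.*)$')
# First drive-letter path ending in a binary extension; an optional leading quote is skipped.
PATH_RE = re.compile(r'"?(?P<path>[A-Z]:\\.*?\.(?:exe|dll|bat|cmd|com))\b', re.I)
# Assumption: a hand-made watch list, here only the name the reply tells the poster to remove.
WATCH_NAMES = {'whenusearch'}

def parse_entry(line):
    """Split one HijackThis line into its type, body, first binary path, and the file-missing flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    p = PATH_RE.search(body)
    return {'type': m.group('type'), 'body': body,
            'path': p.group('path') if p else None,
            'missing': '(file missing)' in body}

def triage(log_text):
    """Return (type, reason, detail) for the entries a reviewer of this log would look at first."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        path_l = (e['path'] or '').lower()
        if e['missing']:  # dangling hook: the registry still points at a binary that is gone
            findings.append((e['type'], 'references a file that is not on disk', e['body']))
        elif '\\temp\\' in path_l:  # installed software rarely persists from a Temp directory
            findings.append((e['type'], 'autostart launched from a Temp directory', e['path']))
        elif any(w in e['body'].lower() for w in WATCH_NAMES):
            findings.append((e['type'], 'matches the removal watch list', e['path']))
    return findings

if __name__ == '__main__':
    for entry_type, reason, detail in triage(SAMPLE_LOG):
        print(f'{entry_type}: {reason}: {detail}')
```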
Hi majkelos,

Delete this program via add/remove programs in control panel:
WhenUSearch

After that, restart your computer to safe mode: http://www.pchell.com/support/safemode.shtml

In safe mode, first delete this folder if it exists:
E:\Program Files\->WhenUSearch

Then open the SmitfraudFix folder and double-click the file smitfraudfix.cmd.
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.
You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.
The tool checks if the wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".
The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A text file will appear after the cleaning process; copy this file and paste it here. The log is saved to your local disk drive, usually C:\rapport.txt.
Post also a new HijackThis log.