Hi I´m not the only one I see, but how do I do to get rid of the http://www.syssecuritysite.com/ homepage from IE and my pc? I´m not a vice guy at computers. And mayby someone can tell me why the pc taking so long time to start up? This is my HiJack file: Logfile of HijackThis v1.99.1 Scan saved at 00:03:33, on 2006-06-28 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE D:\Program\AliasWavefront\Maya6.0\docs\Wrapper.exe C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe D:\Program\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\system32\id2scaps.exe D:\Program\AliasWavefront\Maya7\docs\wrapper.exe D:\Program\Max8\mentalray\satellite\raysat_3dsmax8server.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe D:\Program\Nokia PC Suite\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\D-Link\AirPlus G\AirGCFG.exe C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe D:\Program\iTunesHelper.exe C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE C:\Program Files\QuickTime\qttask.exe D:\Program\ZoneAlarm\zlclient.exe D:\Program\ewido anti-spyware 4.0\ewido.exe D:\Program\Nokia PC Suite\Nokia PC Suite 6\PcSync2.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe D:\Program\AliasWavefront\Maya6.0\docs\jre\bin\java.exe D:\Program\AliasWavefront\Maya7\docs\jre\bin\java.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\ZoneLabs\isafe.exe C:\WINDOWS\System32\svchost.exe D:\PROGRAM\ZONEAL~1\MAILFR~1\mantispm.exe C:\Documents and Settings\Jag\Desktop\HijackThis_v1.99.1.exe R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program\Nokia PC Suite\Nokia PC Suite 6\LaunchApplication.exe -onlytray O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe O4 - HKLM\..\Run: [iTunesHelper] "D:\Program\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [!ewido] "D:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKCU\..\Run: [PcSync] D:\Program\Nokia PC Suite\Nokia PC Suite 6\PcSync2.exe /NoDialog O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\OfficeXP\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe (file missing) O12 - Plugin for .sgn: D:\Program\Netscape4.7\Program\PLUGINS\npSign.dll O16 - DPF: {4E8A3661-FB5B-4AEF-BF60-B0E9712FAE49} (Silverwire Image Uploader 3.0 Control) - http://www.fotowire.com/download/client/uploader/ImageUploader3.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\Program\AliasWavefront\Maya6.0\docs\Wrapper.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program\ewido anti-spyware 4.0\guard.exe O23 - Service: iD2 Smart Card Server (id2scaps) - iD2 Technologies - C:\WINDOWS\system32\id2scaps.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\Program\AliasWavefront\Maya7\docs\wrapper.exe O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - D:\Program\Max8\mentalray\satellite\raysat_3dsmax8server.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hi Dret, Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip Unzip it (folder named SmitFraudFix) to your desktop: Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)
Ok, now I have done that, what do I do with this then? »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\dxole32.exe FOUND ! C:\WINDOWS\system32\ld????.tmp FOUND ! C:\WINDOWS\system32\ot.ico FOUND ! C:\WINDOWS\system32\regperf.exe FOUND ! C:\WINDOWS\system32\simpole.tlb FOUND ! C:\WINDOWS\system32\stdole3.tlb FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jag\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jag\FAVORI~1 C:\DOCUME~1\Jag\FAVORI~1\Antivirus Test Online.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems" [HKEY_CLASSES_ROOT\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32] @="C:\WINDOWS\system32\guxxa.dll" [HKEY_CURRENT_USER\Software\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32] @="C:\WINDOWS\system32\guxxa.dll" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End I´m most greaful for your help, many thanks.
Restart your computer to safe mode http://www.pchell.com/support/safemode.shtml When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files. You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys. The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter". The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode. A textfile will appear after the cleaning process, copy this file and paste it to here. Tha log is saved to your local diskdrive, usually C:\rapport.txt. Post also a new HijackThis log
First comes my Smithfraud rapport: SmitFraudFix v2.65 Scan done at 19:03:10,10, 2006-07-10 Run from C:\Documents and Settings\Jag\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems" [HKEY_CLASSES_ROOT\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32] @="C:\WINDOWS\system32\guxxa.dll" [HKEY_CURRENT_USER\Software\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32] @="C:\WINDOWS\system32\guxxa.dll" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri C:\WINDOWS\system32\guxxa.dll -> Missing File »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\system32\dxole32.exe Deleted C:\WINDOWS\system32\ld????.tmp Deleted C:\WINDOWS\system32\ot.ico Deleted C:\WINDOWS\system32\regperf.exe Deleted C:\WINDOWS\system32\simpole.tlb Deleted C:\WINDOWS\system32\stdole3.tlb Deleted C:\DOCUME~1\Jag\FAVORI~1\Antivirus Test Online.url Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End
And here comes hijackthis: Logfile of HijackThis v1.99.1 Scan saved at 19:33:07, on 2006-07-10 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE D:\Program\AliasWavefront\Maya6.0\docs\Wrapper.exe C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe D:\Program\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\id2scaps.exe C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe D:\Program\AliasWavefront\Maya7\docs\wrapper.exe D:\Program\Nokia PC Suite\Nokia PC Suite 6\LaunchApplication.exe D:\Program\Max8\mentalray\satellite\raysat_3dsmax8server.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\D-Link\AirPlus G\AirGCFG.exe C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE D:\Program\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe D:\Program\ZoneAlarm\zlclient.exe D:\Program\ewido anti-spyware 4.0\ewido.exe D:\Program\Nokia PC Suite\Nokia PC Suite 6\PcSync2.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe D:\Program\AliasWavefront\Maya6.0\docs\jre\bin\java.exe D:\Program\AliasWavefront\Maya7\docs\jre\bin\java.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\ZoneLabs\isafe.exe C:\WINDOWS\System32\svchost.exe D:\PROGRAM\ZONEAL~1\MAILFR~1\mantispm.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Jag\Desktop\HijackThis_v1.99.1.exe R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program\Nokia PC Suite\Nokia PC Suite 6\LaunchApplication.exe -onlytray O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe O4 - HKLM\..\Run: [iTunesHelper] "D:\Program\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [!ewido] "D:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKCU\..\Run: [PcSync] D:\Program\Nokia PC Suite\Nokia PC Suite 6\PcSync2.exe /NoDialog O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\OfficeXP\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe (file missing) O12 - Plugin for .sgn: D:\Program\Netscape4.7\Program\PLUGINS\npSign.dll O16 - DPF: {4E8A3661-FB5B-4AEF-BF60-B0E9712FAE49} (Silverwire Image Uploader 3.0 Control) - http://www.fotowire.com/download/client/uploader/ImageUploader3.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - D:\Program\AliasWavefront\Maya6.0\docs\Wrapper.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program\ewido anti-spyware 4.0\guard.exe O23 - Service: iD2 Smart Card Server (id2scaps) - iD2 Technologies - C:\WINDOWS\system32\id2scaps.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\Program\AliasWavefront\Maya7\docs\wrapper.exe O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - D:\Program\Max8\mentalray\satellite\raysat_3dsmax8server.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Should I do anything more? Best regards Dret
If you don't like your homepage, fix this (looks suspicious): R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html Then log should look clean or do you have still some problems
