My system became infected with the Trojan-spy.html.Smitfraud.c virus. I read all the threads on here I could find about the virus and proceeded to follow the recommended steps to clean it. It appears that I removed, at least part of the virus as for I know longer have the "Blue Error Screen" and have been able to replace my wallpaper with no problem. However, the following symptoms remain:
- My Web Browser remains HighJacked. (It is constantly going to uncommanded sites)
- I have about ten unwanted Icons on my desk top I can't remove
- About every five minutes I get a "Error #317 Microsoft Security Warning" stating my computer is corrupted with spy ware virus.
- Following that warning I get " Desktop & Homepage are authorized and have passed windows authorization" Messege.
Things I have tried to clean my system include:
- Updating and running my virus scanner (AntiVir XP)
- HighJack This
- RegLite
- Killbox
- CWshredder
- HSremover
- Adware
- Spybot
I've been unable to run any of the recommended online virus scanners as for about every five minutes, my web browser will switch to an uncommanded website closing the virus scanner.
I'm about at my wits end with this one. Figured I'd give you guys a try before crashing the thing and starting over. Thanks for any and all help. See my HighJack this log below:
*Notice on the log: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0171/ *This is the address my home page is set to and it want let me change it. Further, HighJack this won't delete this line.
Logfile of HijackThis v1.99.1
Scan saved at 4:10:54 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Gigabyte\EasyTune4\et4Tray.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\NetZero\exec.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HighJacker\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0171/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Program Files\SysShield Tools\Internet Eraser\PKExt.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\EasyTune4\et4Tray.exe
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - Startup: CuteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: CuteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://195.190.118.1....chm::/file.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe