When I first got it, I didn't realize it was a virus because I got it along with a ton of adware and spyware, and I assumed it was part of that. I got rid of most everything else, I'm pretty sure; I've done recent scans with SpyBot and AdAware SE, and neither has found anything now. I also did 2 online scans with Trend Micro's HouseCall, and the first one came up with 11 infected files (I didn't check what they were exactly) and the second scan came up clean. When I first got the virus I got the same "Security Warning" background that everyone gets, but it sort of went away and now I just have a plain black background (the color that I used behind the actual picture that I had as my desktop), but I still only get the two tabs "screensaver" and "settings". I just did the first HijackThis scan, after reading other threads on this and downloading it.
Here's the log:
/auto
O4 - HKLM\..\Run: [bokysy] c:\windows\system32\vwmnyqh.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Any help is appreciated.
::Edit::
I dunno if this helps, and I'm sure the experts like bananafanafo know about it, but I've noticed that something (the SmitFraud virus I assume, unless I got something else too) creates an exe in the windows\system32 folder with 8 or so seemingly random letters. It shows up as a process, and whenever you end that process it starts a new one with a different random filename. Also, it seems that removing it from the startup list in msconfig doesn't stop it. Deleting the .exe in the system32 folder doesn't seem to work either.
Edited by senor135, 26 April 2005 - 02:05 AM.
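An added example, not part of the original post: a small triage script that parses HijackThis lines like the ones in the log above and lists entries worth a closer look. The three rules (random-looking autorun name in system32, any O15 Trusted Zone entry, O23 service with "Unknown owner") and the vowel-ratio threshold are assumptions chosen for illustration; a match means "review this", not "this is malware".

```python
import re
from pathlib import PureWindowsPath

# Lines taken from the log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [bokysy] c:\windows\system32\vwmnyqh.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.185.246
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")                 # "O4 - <rest of entry>"
RUN_VALUE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")

def looks_random(stem):
    # Heuristic (assumption): letters only, 5-12 chars, under 25% vowels.
    if not (stem.isalpha() and 5 <= len(stem) <= 12):
        return False
    vowels = sum(c in "aeiou" for c in stem.lower())
    return vowels / len(stem) < 0.25

def triage(log_text):
    """Return (section, reason, entry) tuples for lines that deserve review."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue                                   # blank or non-entry line
        section, body = m.groups()
        if section == "O4":
            run = RUN_VALUE.search(body)
            if run:
                exe = PureWindowsPath(run["path"])
                in_system32 = exe.parent.name.lower() == "system32"
                if in_system32 and looks_random(exe.stem):
                    findings.append((section, "random-looking autorun in system32", body))
        elif section == "O15":
            findings.append((section, "site or IP placed in the Trusted Zone", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service binary with no vendor name", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {body}")
```

Because the executable described in the edit changes its name on every restart, the rule matches the shape of the name and its location rather than a fixed filename.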