I attempted to follow your advice but I appear to have encountered a few obstacles... Nothing to do with your instructions, they were very clear and precise; however, after launching the smitrem batch file I was greeted by a Windows error statement saying "no disk in drive, drive not ready / harddrive 2 / DR3" and my machine froze up!
I rebooted back into safe mode and tried again - Same result.
I rebooted a second time into normal Windows mode and ran the batch again. This time it seemed to run; however, there was loads of scrolling text saying "file not found" and "invalid file" or things to that effect. Disk cleanup initiated OK as far as I could tell, but then that disk error statement came up again and I had to reboot again, into normal mode.
When I started Adaware I selected full system scan (usually I only run a smart scan) and I got around 7000 files into it when it froze up! I closed that down, selected smart scan and that removed about 9 items.
The ewido and panda software seemed to run ok, both claiming to have uncovered malicious items.
The logs are posted below.
P.S. I had an icon in my taskbar with an occasional text bubble saying "you are infected, click here to protect your computer"; this dodgy popup seems to be gone now. When I rebooted after doing all the above I got a RUNDLL error statement saying that a file was not found.
Hijackthis log after fixing the two items advised above...
Logfile of HijackThis v1.99.1
Scan saved at 11:05:57, on 11/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\System32\ctfmon.exe
I:\Documents and Settings\Lord Morbius\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morwillsearch...id=fish&sub_id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morwillsearch...id=fish&sub_id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morwillsearch...id=fish&sub_id=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - I:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - I:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - I:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "I:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "I:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "I:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [ABIT uGuru] I:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] I:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] I:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] I:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gwxpuzrt] i:\windows\system32\gwxpuzrt.exe -start
O4 - HKCU\..\Run: [CTFMON.EXE] I:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1041.dll,InstantAccess
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {54C75FB0-6B8B-4278-BF7B-77036F15A69E} - http://akamai.downlo..._1041_EN_XP.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120388988000
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://morwillsearch.com/mwsearch.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - I:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - I:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - I:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - I:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - I:\WINDOWS\system32\ZoneLabs\vsmon.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 12:01:56, 11/07/2005
+ Report-Checksum: E7C7D8CC
+ Scan result:
I:\Documents and Settings\Lord Morbius\Cookies\lord morbius@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
I:\WINDOWS\Downloaded Program Files\mwsearch.dll -> Spyware.Morwill : Cleaned with backup
I:\WINDOWS\eg_auth_1041.dll -> Trojan.Wintrim : Cleaned with backup
I:\WINDOWS\p2esocks_1041.dll -> Trojan.Wintrim : Cleaned with backup
I:\WINDOWS\system32\fvp.dll -> TrojanDownloader.Agent.oc : Cleaned with backup
I:\WINDOWS\system32\intel32.exe -> Trojan.Agent.ff : Cleaned with backup
I:\WINDOWS\system32\oleadm.dll -> Trojan.Agent.ff : Cleaned with backup
::Report End
Panda Activescan report...
Incident                   Status           Location
Adware:Adware/NaviPromo    No disinfected   Windows Registry