Computer getting owned again (winfix + more) [CLOSED]


#1 Notnefmail (Member)
Hello, after successfully wiping my computer of malware, WinFix has returned, but also something else which brought up SpySheriff, and now my desktop says 'Your system is infected!!!' and claims spyware activity has been detected.

I've tried running Ewido and Ad-Aware but it's still here.
Here is my HJT log, hope it's helpful. Oh, and I think I've caught whatever I have from downloading pohrn, if that helps :tazz:
Thanks, and I greatly look forward to a reply.

Edited by Notnefmail, 28 September 2005 - 10:34 AM.

#2 Excal (Retired Staff)
Hi Notnefmail and welcome to Geeks to Go :)

Can you please post your HijackThis log? Make sure it's not attached.


thanks,

:tazz:

Excal

#3 Notnefmail (Topic Starter)
Logfile of HijackThis v1.99.1
Scan saved at 18:23:32, on 28/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\Qtim.exe
C:\WINDOWS\System32\scvhost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\?ttrib.exe
C:\winstall.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Liam\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://cavio.cust.vaioni.com/register
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Windows Qtime] Qtim.exe
O4 - HKLM\..\Run: [Microsoft Update 32] scvhost.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Windows Qtime] Qtim.exe
O4 - HKLM\..\RunServices: [Microsoft Update 32] scvhost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.uclan.ac....mote/wficat.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122311688328
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by109fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: style2 - C:\WINDOWS\q632187.dll
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINDOWS\System32\ssl.exe (file missing)

ty
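As an added example (not part of the thread and not HijackThis's own code), the Python below applies to this log the checks a helper makes by eye: process and autostart names that imitate a core Windows binary by one substituted, added or swapped character (scvhost.exe against svchost.exe; the ?ttrib.exe whose first character HJT could not render, since ? is illegal in a Windows file name), bare file names in Run/RunServices values, browser pages pointing at a raw IP address, Winlogon Notify DLLs, and services with no owner or a missing binary. The allowlist of core binaries, the heuristics and the function names are this example's assumptions; the sample lines are copied from the log above.

```python
"""Triage a HijackThis v1.99 log for the indicators visible in the log above.
Added example; not part of the original posts or of HijackThis. The core-binary
allowlist, the heuristics and the function names are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows XP binaries that malware imitates by name (assumed list, not exhaustive).
CORE_BINARIES = {
    "svchost.exe", "attrib.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "smss.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe", "rundll32.exe",
}

PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)       # 'Running processes' lines
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(\w+): \[(.*?)\] (.*)$")   # Run / RunServices values
R_RE = re.compile(r"^R[01] - .*?= (\S+)$")                         # IE start / default pages
O20_RE = re.compile(r"^O20 - Winlogon Notify: ")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Core binary that `name` imitates by one edit or one adjacent swap, else None."""
    name = name.lower()
    if name in CORE_BINARIES:
        return None
    for real in sorted(CORE_BINARIES):
        if edit_distance(name, real) == 1:
            return real
        if len(name) == len(real):  # scvhost.exe vs svchost.exe: two adjacent chars swapped
            diff = [i for i, (x, y) in enumerate(zip(name, real)) if x != y]
            if (len(diff) == 2 and diff[1] == diff[0] + 1
                    and name[diff[0]] == real[diff[1]] and name[diff[1]] == real[diff[0]]):
                return real
    return None


def first_token(command: str) -> str:
    """Executable part of an O4 command: the quoted path, or the first word."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def path_reasons(path: str) -> List[str]:
    """Checks shared by process paths and O4 autostart commands."""
    reasons = []
    name = path.rsplit("\\", 1)[-1]
    if "?" in name:
        reasons.append("'?' is illegal in Windows file names, so HJT could not render that character")
    real = lookalike_of(name)
    if real:
        reasons.append(f"file name imitates {real}")
    if "\\" not in path and name.lower() not in CORE_BINARIES:
        reasons.append("bare file name, resolved by PATH search at logon")
    elif path.count("\\") == 1:
        reasons.append("executable sitting in the drive root")
    return reasons


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROC_RE.match(line):
            findings += [Finding(line, r) for r in path_reasons(line)]
        elif (m := O4_RE.match(line)):
            findings += [Finding(line, r) for r in path_reasons(first_token(m.group(3)))]
        elif (m := R_RE.match(line)) and IP_URL_RE.match(m.group(1)):
            findings.append(Finding(line, "browser page points at a raw IP address"))
        elif O20_RE.match(line):
            findings.append(Finding(line, "Winlogon Notify DLL, loaded into winlogon.exe at every logon"))
        elif (m := O23_RE.match(line)) and (m.group(2) == "Unknown owner" or "(file missing)" in m.group(3)):
            findings.append(Finding(line, "service with no known owner or a missing binary"))
    return findings


# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\scvhost.exe
C:\WINDOWS\System32\?ttrib.exe
C:\winstall.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft Update 32] scvhost.exe
O4 - HKLM\..\RunServices: [Windows Qtime] Qtim.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: style2 - C:\WINDOWS\q632187.dll
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINDOWS\System32\ssl.exe (file missing)
"""
```

Run `triage(SAMPLE_LOG)` and the genuine svchost.exe, the rundll32 entry and the quoted iTunes path come back clean, while every entry Excal goes on to select for fixing is flagged at least once. The one-edit rule is deliberately narrow: it catches the two impostors in this log but would say nothing about a name such as Windows.exe, so it supplements reading the log rather than replacing it.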

#4 Excal (Retired Staff)
Copy everything inside the quote box below (starting with REM) and paste it into Notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

REM The ? wildcard matches any single character, so this lists the real attrib.exe
REM together with the look-alike whose first character HijackThis could not display.
REM /a lists every matching file, including hidden and system ones.
dir C:\WINDOWS\System32\?ttrib.exe /a > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.


DOWNLOAD PROGRAMS


Download and install CleanUp! Here
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

We will use this program later.

Download CWShredder here to its own folder.

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
We will be using this program later.


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for Microsoft SSL (ssl) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Please do the same with this service: Loading Outpost Connections (KDE)

5. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

6. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

7. Close all browsers, windows and unneeded programs.

8. Open HijackThis and do a scan.

9. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O4 - HKLM\..\Run: [Windows Qtime] Qtim.exe
O4 - HKLM\..\Run: [Microsoft Update 32] scvhost.exe
O4 - HKLM\..\RunServices: [Windows Qtime] Qtim.exe
O4 - HKLM\..\RunServices: [Microsoft Update 32] scvhost.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\q632187.dll
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINDOWS\System32\ssl.exe (file missing)


10. Click the Fix Checked button.

11. Please remove just the files from the following paths using Windows Explorer (if present):

C:\winstall.exe
C:\WINDOWS\q632187.dll
C:\WINDOWS\System32\cmdtel.exe
C:\WINDOWS\System32\ssl.exe
Use start>search for these:
Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
Qtim.exe
scvhost.exe
<=== Make sure it's scvhost.exe and no other!


12. Run the program CleanUp!

13. Delete Bad Service:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • click on "delete an NT service"
  • Copy and paste this in the box: ssl
  • Click "ok", then reboot
Please do the same with this service: KDE

14. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

15. Please post the Active scan log, Ewido Log and a fresh HiJackThis log. Let me know how your computer is running.

#5 Notnefmail (Topic Starter)
From findfile.bat:
Volume in drive C is TCM24-T4
Volume Serial Number is 50AC-646E

Directory of C:\WINDOWS\System32

29/08/2002 05:00 11,264 attrib.exe
08/09/2005 14:43 401,408 ?ttrib.exe
2 File(s) 412,672 bytes

Directory of C:\Documents and Settings\Liam\Desktop

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 19:54:40, on 28/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\Qtim.exe
C:\WINDOWS\System32\scvhost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\?ttrib.exe
C:\winstall.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Liam\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://cavio.cust.vaioni.com/register
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Windows Qtime] Qtim.exe
O4 - HKLM\..\Run: [Microsoft Update 32] scvhost.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Windows Qtime] Qtim.exe
O4 - HKLM\..\RunServices: [Microsoft Update 32] scvhost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.uclan.ac....mote/wficat.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122311688328
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by109fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: style2 - C:\WINDOWS\q632187.dll
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINDOWS\System32\ssl.exe (file missing)

ty

#6 Excal (Retired Staff)
Did you have any problems with the fix? Your log looks almost exactly the same.

:tazz:

Excal

#7 Notnefmail (Topic Starter)
Right, here's what I have for you:

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 09:50:22, on 29/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Liam\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://cavio.cust.vaioni.com/register
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.uclan.ac....mote/wficat.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122311688328
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by109fd.bay10...ex/HMAtchmt.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 09:36:32, 29/09/2005
+ Report-Checksum: F2BC3319

+ Scan result:

C:\WINDOWS\system32\msudp4.sys -> TrojanSpy.Goldun.bf : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\K5A7052J\p5e[1].jpg -> Backdoor.IRCBot.ex : Cleaned with backup
C:\Documents and Settings\Liam\Local Settings\Temp\Cookies\liam@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Liam\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Liam\Local Settings\Temp\Cookies\liam@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Liam\Local Settings\Temp\dima2.exe -> TrojanDropper.Agent.py : Cleaned with backup
C:\Documents and Settings\Liam\My Documents\Unzipped\hijackthis\backups\backup-20050907-155015-399.dll -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\liam@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\liam@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\liam@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Liam\Cookies\liam@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079862.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079863.EXE -> Backdoor.Delf.ach : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079864.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079865.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079866.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP188\A0091030.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP188\A0091031.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0107757.EXE -> Backdoor.Small.eo : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0108670.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0108671.dll -> TrojanSpy.Goldun.bp : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0108672.exe -> TrojanProxy.Lager.x : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0108673.exe -> Worm.Bagz.m : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0108674.exe -> Backdoor.IRCBot.ex : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110678.dll -> Spyware.SpywareNo : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110679.dll -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110696.exe -> Adware.SpySheriff : Cleaned with backup
C:\optix.exe -> Backdoor.Optix.Pro.13 : Cleaned with backup
C:\winstall.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\winld32.dll -> TrojanDownloader.Small.anu : Cleaned with backup


::Report End

ActiveScan:
Incident Status Location

Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\scvhost.exe
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\osconfig.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\?ttrib.exe
Adware:Adware/Startpage.AIR No disinfected C:\WINDOWS\system32\paytime.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\gihtxawzfa.html
Adware:adware/ilookup No disinfected C:\WINDOWS\system32\xbox_round1.bmp
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\system32\InstallerV3.exe
Virus:W32/Gaobot.KJD.worm Disinfected C:\WINDOWS\system32\Windows.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\hardcore1.exe
Virus:Trj/Downloader.FAW Disinfected C:\WINDOWS\loadnew.exe
Possible Virus. No disinfected C:\WINDOWS\kl.exe
Virus:Trj/Downloader.EUY Disinfected C:\WINDOWS\tool1.exe
Virus:Trj/Multidropper.AUQ Disinfected C:\WINDOWS\tool3.exe
Adware:adware/antivirus-gold No disinfected C:\WINDOWS\desktop.html
Virus:Trj/Qhost.CG Disinfected C:\WINDOWS\hosts
Adware:Adware/Beginto No disinfected C:\Documents and Settings\Liam\My Documents\Unzipped\runescape cheats\Self Extracting.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Liam\My Documents\Unzipped\hijackthis\backups\backup-20050907-155015-741.dll
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Liam\My Documents\Unzipped\hijackthis\backups\backup-20050928-172741-871.dll
Possible Virus. No disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
Adware:Adware/PurityScan No disinfected C:\Program Files\rbra\ehri.exe

I still can't change my desktop picture from the warning sign :(

#8 Excal (Retired Staff)
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Please download the Killbox.


1. Please run Killbox.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:


    C:\WINDOWS\system32\osconfig.dll
    C:\WINDOWS\system32\?ttrib.exe
    C:\WINDOWS\system32\paytime.exe
    C:\WINDOWS\system32\gihtxawzfa.html
    C:\WINDOWS\system32\xbox_round1.bmp
    C:\WINDOWS\system32\InstallerV3.exe
    C:\WINDOWS\kl.exe
    C:\WINDOWS\tool1.exe
    C:\WINDOWS\tool3.exe
    C:\WINDOWS\desktop.html
    C:\Documents and Settings\Liam\My Documents\Unzipped\runescape cheats\Self Extracting.exe
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
    C:\Program Files\rbra\ehri.exe


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
2. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

3. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C:, or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

4. Next go to Control Panel, click Appearance and Themes > click Display > Desktop tab > click Customize Desktop > Web tab > uncheck anything in there if present.

5. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\rbra

6. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

7. Please post the ActiveScan log, smitfiles.txt log and a fresh HiJackThis log (from normal mode). Let me know how your computer is running.


thanks,

:tazz:

Excal
  • 0

#9
Notnefmail

Notnefmail

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Doing the Killbox bit now, but after clicking Yes for Delete on Reboot I get an error prompt:
PendingFileRenameOperations Registry Data has been removed by external process.
?
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
reboot manually :)

:tazz:

Excal
  • 0

#11
Notnefmail

Notnefmail

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Just running the ActiveScan; here is the smitfiles.txt while I run it:

smitRem log file
version 2.5

by noahdfear

The current date is: 29/09/2005
The current time is: 13:02:05.42

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~

shopping


~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

desktop.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:
  • 0

#12
Notnefmail

Notnefmail

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Here's the ActiveScan:

Incident Status Location

Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\?ttrib.exe
Adware:Adware/Startpage.AIR No disinfected C:\WINDOWS\system32\paytime.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\gihtxawzfa.html
Adware:adware/ilookup No disinfected C:\WINDOWS\system32\xbox_round1.bmp
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\system32\InstallerV3.exe
Virus:Trj/Banker.AWB Disinfected C:\WINDOWS\kl.exe
Adware:Adware/Beginto No disinfected C:\Documents and Settings\Liam\My Documents\Unzipped\runescape cheats\Self Extracting.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Liam\My Documents\Unzipped\hijackthis\backups\backup-20050907-155015-741.dll
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Liam\My Documents\Unzipped\hijackthis\backups\backup-20050928-172741-871.dll
Virus:Trj/Agent.APH Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
Virus:Trj/Agent.APH Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
Virus:Trj/Agent.APH Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP179\A0077543.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP179\A0077544.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP179\A0077545.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP180\A0077565.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP180\A0077566.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP180\A0077567.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP180\A0077568.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079593.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079594.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079595.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079596.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079597.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079598.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079599.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079605.exe
Adware:Adware/Lop No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP185\A0079606.exe
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110675.DLL
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110676.DLL
Adware:Adware/SpywareNo No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110677.DLL
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110687.dll
Adware:Adware/SpySheriff No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110702.exe
Virus:Bck/OptixPro.AB Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110703.exe
Adware:Adware/Spywad No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110704.exe
Virus:Trj/Downloader.EFA Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110705.dll
Virus:W32/Gaobot.gen.worm Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110723.exe
Virus:W32/Gaobot.KJD.worm Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110724.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP199\A0110725.exe
Virus:Trj/Downloader.FAW Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP200\A0110895.exe
Virus:Trj/Downloader.EUY Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP200\A0110896.exe
Virus:Trj/Multidropper.AUQ Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP200\A0110897.exe
Spyware:Spyware/MarketScore No disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP200\A0110901.dll
Virus:W32/Gaobot.KGE.worm Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP200\A0110905.exe
Virus:Trj/Banker.AWB Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP200\A0110920.exe
Virus:Trj/Agent.APH Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP200\A0110921.exe
Virus:Trj/Agent.APH Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP200\A0110922.dll
Virus:Trj/Agent.APH Disinfected C:\System Volume Information\_restore{C39DF4B0-C3CF-475F-9C39-C9F173F17665}\RP200\A0110923.dll
Adware:Adware/PurityScan No disinfected C:\Recycled\Dc1\ehri.exe
and the HJT:
Logfile of HijackThis v1.99.1
Scan saved at 14:08:43, on 29/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Liam\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://cavio.cust.vaioni.com/register
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.uclan.ac....mote/wficat.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122311688328
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by109fd.bay10...ex/HMAtchmt.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

ty
  • 0

#13
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
1. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

2. Please remove just the files from the following paths using Windows Explorer (if present):


C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\gihtxawzfa.html
C:\WINDOWS\system32\xbox_round1.bmp
C:\WINDOWS\system32\InstallerV3.exe
C:\Recycled\Dc1\ehri.exe

Go into your system32 folder. Look for a file named Attrib.exe. The file you're looking for will have been made on 08/09/2005 14:43 and has a file size of 401,408 bytes. Make sure it's this one and not the legit one. More than likely it will have no icon.


3. Run the program CleanUp!

4. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

5. Please post the ActiveScan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0
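One way to automate the check Excal describes in the post above (a file posing as Attrib.exe, given away by the odd character in its name that the scan log printed as `?`, plus the 08/09/2005 14:43 date and 401,408-byte size), as an added Python example that is not part of this thread or of any tool it names; the allowlist of genuine binaries and the sample directory listing are assumptions constructed for the example:

```python
import os
from datetime import datetime
# Assumption: short allowlist of genuine system32 binaries a look-alike might
# imitate; a real check would use the full file list of a clean install.
LEGIT_NAMES = {"attrib.exe", "cmd.exe", "regedit.exe", "explorer.exe"}
# Fingerprint Excal gives for the bogus file: 401,408 bytes, made 08/09/2005 14:43.
SUSPECT_SIZE = 401_408
SUSPECT_STAMP = datetime(2005, 9, 8, 14, 43)

def mask_non_ascii(name):
    """Replace each non-ASCII character with '?', the way the scan log showed it."""
    return "".join(ch if ch.isascii() else "?" for ch in name).lower()

def imitates(masked, legit):
    """True when masked equals a genuine name everywhere except at its '?' slots."""
    return len(masked) == len(legit) and all(m in ("?", g) for m, g in zip(masked, legit))

def classify(name, size, mtime):
    """Return the reasons a file is suspicious; an empty list means nothing found."""
    reasons = []
    masked = mask_non_ascii(name)
    if masked != name.lower():
        # No genuine Windows binary carries a non-ASCII character in its name.
        reasons.append("non-ASCII character in name")
        reasons += [f"imitates {g}" for g in sorted(LEGIT_NAMES) if imitates(masked, g)]
    if size == SUSPECT_SIZE and mtime.replace(second=0, microsecond=0) == SUSPECT_STAMP:
        reasons.append("matches the size/date fingerprint from post #13")
    return reasons

def scan_entries(entries):
    """entries: iterable of (name, size, mtime); returns {name: reasons} for flagged files."""
    return {n: r for n, s, m in entries if (r := classify(n, s, m))}

def scan_directory(path):
    """Build (name, size, mtime) entries from a real folder such as C:\\WINDOWS\\system32."""
    entries = []
    with os.scandir(path) as it:
        for e in it:
            if e.is_file():
                st = e.stat()
                entries.append((e.name, st.st_size, datetime.fromtimestamp(st.st_mtime)))
    return scan_entries(entries)

# Constructed listing standing in for system32 (sizes and dates invented): the genuine
# attrib.exe, an unrelated file, and a look-alike starting with Cyrillic U+0430 ('а').
SAMPLE_LISTING = [
    ("attrib.exe", 15_360, datetime(2004, 8, 4, 12, 0)),
    ("notepad.exe", 69_632, datetime(2004, 8, 4, 12, 0)),
    ("\u0430ttrib.exe", 401_408, datetime(2005, 9, 8, 14, 43)),
]

if __name__ == "__main__":
    for name, reasons in scan_entries(SAMPLE_LISTING).items():
        print(ascii(name), "->", "; ".join(reasons))
```

Run `scan_directory(r"C:\WINDOWS\system32")` on a real machine to apply the same three checks to every file there; only the look-alike is flagged in the constructed listing.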

#14
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





