Nasty-*** virus

MysticalChicken (Junior Poster in Training)
#11, Mar 8th, 2006
Originally Posted by tayspen:
Have it clean --

O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing) Unnecessarily

I just did a new scan, and that wasn't in there.

Originally Posted by tayspen:
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

Okay, this one just will not stay fixed! I check the box and click Fix Checked, and when I re-scan, it comes back!

Originally Posted by tayspen:
I'm not sure about these. Might want to wait for a second opinion.

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe

Originally Posted by tayspen:
Is your computer running better?

No... I just re-booted and Avast still says I have viruses and SpyDoctor still says I have spyware. This is just frustrating me.

EDIT: Okay, I cleaned some of the stuff in the third quote box, just re-booted my computer and I didn't get any "You have a virus!" messages or "You have spyware!" messages (they usually appear within five seconds of logging on to my desktop, and it's been like two minutes and they haven't appeared yet), so I think I fixed it. If any more problems come up I'll post here.

tayspen (Team Colleague)
#12, Mar 8th, 2006
You need to delete this in safe mode, or it's going to keep coming back.


C:\WINDOWS\SYSTEM32\winm32.dll


In fact, fix all in safe mode from now on. If you still can't boot into it, let me know.

If you do get in, I just discovered that the taskdir is a trojan. So fix the following.


C:\WINDOWS\System32\taskdir.exe

O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe

O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe

O4 - HKCU\..\Run: [Acid trust] C:\DOCUME~1\MYSTIC~1\APPLIC~1\64MFCD~1\wave new hole.exe

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

O4 - Global Startup: Event Reminder.lnk = ?

O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll



Then delete in safe mode the following files.


C:\WINDOWS\SYSTEM32\winm32.dll

C:\WINDOWS\System32\taskdir.exe

C:\WINDOWS\System32\kernels8.exe


Empty recycle bin, reboot, rescan, repost log. If those files come back, we will try something else.
Firefox
Ewido
Tune up windows
Get detailed system information
My Fixes

Member - Alliance of Security Analysis Professionals - Since 2006

MysticalChicken (Junior Poster in Training)
#13, Mar 8th, 2006
Okay, I was able to get into Safe Mode. However, I can't log into my own desktop in Safe Mode; there was only "Administrator" and "AutumnRose," which is my mom. There was no password for "Administrator," so I went into that and fixed everything in the list above that was actually in the HJT list. However, I didn't see the following:

C:\WINDOWS\System32\taskdir.exe

Most of the O4 entries except for "O4 - Global Startup: Event Reminder.lnk = ?" were not in the HJT log either.

And even in safe mode, "O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll" keeps coming back. And it's not in the folder specified, either. I also didn't see the taskdir.exe application, but I did find kernels8.exe, so I deleted that.

Okay, now I'm really, really hungry, and I want to get off the computer for today, so I'll check this tomorrow, or perhaps later tonight.

Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:58:19 PM, on 3/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\ProDsl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir...0&plcid=0x0409
F2 - REG:system.ini: Shell=explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\MysticalChicken\My Documents\adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVS.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] "C:\Program Files\Pinnacle\Instant PhotoAlbum\programs\PSDrvCheck.exe" -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1140587785733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140587770655
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/def...jolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

tayspen (Team Colleague)
#14, Mar 8th, 2006
Well, besides this you're looking pretty clean. I'm not sure how to proceed on this one. Maybe someone else will know how to knock it out.


O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

'Stein (Lapsed Skeptic)
#15, Mar 8th, 2006
I dunno if ya already did this, but did ya set it to show hidden files/Microsoft Windows files?

Alright, MysticalChicken, fix a couple more things:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll


(to tayspen)
Do ya know about
O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe ? It looks sorta suspicious.

Also (tayspen again), ya might wanna try using Pocket Killbox for 2 reasons: 1) it'll kill it if it's there, and 2) it'll definitely tell ya if it's not.

Thanks.
Now if ya like the help ya could always raise our reputation...

'Stein (Lapsed Skeptic)
#16, Mar 8th, 2006
Ahh, my bad, one more, MysticalChicken:

O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL

tayspen (Team Colleague)
#17, Mar 8th, 2006
Yea, I pointed a few of those out. But they seem to be reappearing. I agree about that one entry.

D3m3nt3d (Posting Whiz in Training)
#18, Mar 8th, 2006

O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
This is a Haxdoor variant...not good at all

This means there is the possibility that your PC has been compromised

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

Carrying on with the fix..

Download haxfix.exe -Save it to your desktop.
-Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
-When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
-A red "dos window" (dos box) will open.
This message will appear:
Insert the haxdoor notify subkey without the numbers,
and then press enter:
At this point please type the following:
winm32
Press Enter to continue with the fix.

If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new hijackthislog when you return.

Download Blacklight
http://www.f-secure.com/blacklight/try.shtml
-Hit I accept. It will take you to download page.
-Download blbeta.exe and save it to the Desktop.
-Once saved... double click blbeta.exe to install the program.
-Click accept agreement and Click scan
This app too may fire off a warning from antivirus. Let the driver load.
Wait for it to finish.
-If it displays any items...don't do anything with them yet. Just hit exit (close)
-It will drop a log on Desktop that starts with fsbl....big number
-Please post contents of log.

Download WinPFind
http://www.bleepingcomputer.com/files/winpfind.php
-it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
-Open the C:\WinPFind folder and double-click on WinPFind.exe.
-Click on Configure Scan Options.
-Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All
-Uncheck Run Addon's and click Apply.
-Click on the Start Scan button and wait for it to finish.
-A log will be created C:\WinPFind\WinPFind.txt, attach this for me

So I need several logs when you return
HijackThis log
Blacklight log
Haxfix Log
WinPFind log
Proud Member of ASAP (Alliance of Security Analysis Professionals)
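The O20 Winlogon Notify entry that kept coming back in the log above, the O4 Run value that is just a bare file name (qsosrv.exe), and the "(file missing)" markers are the three things the helpers in this thread keyed on by eye. As an added example, not part of the thread or of HijackThis itself, the following Python script reads lines in HijackThis v1.99 log format and flags those same patterns for review. The sample lines are constructed (modelled on the posted log, with a shortened CLSID), the allowlist of Winlogon Notify subkeys is assumed from the Windows XP defaults, and a flag means "look at this", not "this is malware" (ProDsl.exe is flagged too, and it is a legitimate program in this log).

```python
import re
from dataclasses import dataclass

# Constructed sample lines in HijackThis v1.99 log format, modelled on entries
# quoted in this thread (the CLSID is shortened; this is not a real capture).
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
    r"O4 - HKCU\..\Run: [Microsoft Server Applacations] qsosrv.exe",
    r"O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe",
    r'O18 - Protocol: msnim - {828030A1-0000} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)',
    r"O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll",
    r"O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll",
    r'O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)',
]

# Winlogon Notify subkeys that ship with Windows XP (assumed allowlist). Any other
# subkey loads a DLL into winlogon.exe, which runs as LocalSystem, at every logon,
# so it deserves a look whether or not it turns out to be malicious.
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<subkey>\S+) - (?P<dll>.*)$")


@dataclass
class Finding:
    section: str
    rule: str
    line: str


def command_image(cmd: str) -> str:
    """Return the executable part of a Run value (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def is_qualified(image: str) -> bool:
    """A bare file name such as qsosrv.exe is resolved through the search path."""
    return "\\" in image or ":" in image


def analyse(lines):
    """Return review findings for HijackThis-format log lines; non-entry lines are skipped."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, the running-process list, blank lines
        section, body = m.group("section"), m.group("body")
        # HijackThis prints "(file missing)" when the referenced file is not visible
        # to it. An entry that persists although its file is "missing" is the
        # situation in which the thread moves on to rootkit-aware tools.
        if "(file missing)" in body:
            findings.append(Finding(section, "file-missing", line))
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4 and not is_qualified(command_image(o4.group("cmd"))):
                findings.append(Finding(section, "unqualified-path", line))
        elif section == "O20":
            o20 = O20_RE.match(body)
            if o20 and o20.group("subkey").lower() not in XP_DEFAULT_NOTIFY:
                findings.append(Finding(section, "non-default-winlogon-notify", line))
    return findings


def report(lines) -> str:
    """Human-readable summary, one finding per line."""
    return "\n".join(f"[{f.rule}] {f.section}: {f.line}" for f in analyse(lines))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved log with `analyse(open("hijackthis.log").read().splitlines())`; the O4 "Global Startup" form is deliberately left alone, since those are shortcut files rather than registry values and need a different check.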

'Stein (Lapsed Skeptic)
#19, Mar 8th, 2006
EDIT: FOLLOW THE DIRECTIONS ABOVE


Heh alrite, KILLIN TIME...if ya could, please reboot into safe mode. Then, open My Computer > Tools > Folder Options. Open this, go under the 'View' tab, and click 'Show Hidden Files,' and uncheck 'Hide Protected Operating System Files.'

Then, close out and find the following files and delete them if they're there:

C:\Program Files\Partypoker
C:\WINDOWS\SYSTEM32\winm32.dll


After this, reboot into normal mode, and install Ewido and CCleaner (links for both can be found in my signature). Update both, and run scans for both, fixing everything. Save the Ewido log for post here.

THEN, open this page and follow directions for clearing ALL temporary files (just do it).

http://www.daniweb.com/techtalkforums/thread27570.html

After all of this, restart your computer, run a HJT scan, and post it along with the Ewido results in a reply.

Heh sry, its alotta stuff.

Thanks.

EDIT: FOLLOW DIRECTIONS ABOVE

tayspen (Team Colleague)
#20, Mar 8th, 2006
Oh yeah, we tried to delete that one file (C:\WINDOWS\SYSTEM32\winm32.dll) at least 5 times. It wouldn't delete. So I knew it had to be something big!

Good luck, sorry I couldn't help more.

-T

Views: 8790 | Replies: 42

©2003 - 2009 DaniWeb® LLC