Hi, and welcome to DaniWeb. Please run HJT again, select Do system scan only. Then check these items.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS2\system32\userinit.exe,
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\Windows\system32\winbrume.dll (file missing)
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\TOM~1.KIT\LOCALS~1\Temp\MegaHost.dll (file missing)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [SiS Mpc Service] C:\WINDOWS\System32\mpcsvc.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20001\socks.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20001\socks.exe
O4 - HKLM\..\Run: [6e730662.exe] C:\WINDOWS\System32\6e730662.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [6e730662.exe] C:\Documents and Settings\Tom.KITCHEN\Local Settings\Application Data\6e730662.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS
O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht! http://69.50.164.12/exp/mht/sext01.c...aInstaller.e xe
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O21 - SSODL: KnBzcvycFuzo - {5C735185-F6D9-FB2F-6E29-E91A77CFAB94} - C:\WINDOWS\System32\obp.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
Close ALL browsers and click Fix Checked
________________________________________________________
Begin by downloading CCleaner, choosing the most recent version.
Then, follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and close My Computer.
10. Now your computer is configured to show all hidden files.
Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):
C:\Windows\Temp
C:\Temp
C:\Documents and Settings\\Local Settings\Temp
C:\Documents and Settings\\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\\Local Settings\History
C:\Documents and Settings\\Cookies
C:\Windows\Prefetch
After doing this, move back to the 'Cleaner' tab, and inside this, be sure you're on the 'Windows' tab. Inside, check the box labeled 'Custom Files and Folders'.
Next, after following all of these steps, you're ready to scan. Run scans in both the 'Cleaner' and 'Issues' tabs. Note: It might take several scans in each to remove all of the junk.
________________________________________________________
Download Hoster. Unzip Hoster to C:\Hoster.
Run Hoster.exe from its new home
Click "Make Hosts Writable?" in the upper right corner (if available).
Click Restore Original Hosts and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
________________________________________________________
Download about:buster Here.
Download CWShredder Here.
Download and install CleanUp! Here.
Save all of these files somewhere you will remember like to the Desktop.
Update About:Buster
Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update" then click the X to close that window.
Now close About:Buster
Update CWShredder
Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder
Boot into Safe Mode
(by hitting the F8 key repeatedly at the bootup screen until a menu shows up, then choosing Safe Mode from the list)
Please run about:buster: Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files (if present)
Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
It may ask you to log-off/reboot at the end, if it does please do so.
_______________________________________________________
Download haxfix.exe .
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
A red "dos window" (dos box) will open.
This message will appear:
Insert the haxdoor notify subkey without the numbers,
and then press enter:
At this point please type the following: winm32.dll
Press Enter to continue with the fix.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new hijackthislog.
_______________________________________________________
Please download Pocket Killbox by O^E. Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Windows\system32\winbrume.dll
C:\WINDOWS\inet20001\socks.exe
C:\WINDOWS\System32\6e730662.exe
C:\winstall.exe
C:\Documents and Settings\Tom.KITCHEN\Local Settings\Application Data\6e730662.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\inet20001\winlogon.exe
C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll
C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll
C:\WINDOWS\System32\obp.dll
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
________________________________________________________
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
________________________________________________________
Then please run ewido and post that log, along with the aboutbuster, haxfix, smitfraudfix, and a new HJT log.
HANG IN THERE, YOU ARE LOADED!
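The "check these items" list in the reply above is built by eye: the helper recognises orphaned entries, core Windows binary names (winlogon.exe, svchost.exe, userinit.exe) running from the wrong folder, autoruns sitting in C:\ or a profile's Temp folder, a chained UserInit, Winlogon Notify DLLs outside system32, and IE pages redirected to a local HTML file. As an added example that is not code from the reply, DaniWeb or HijackThis, the script below encodes those judgements as rules and runs them over lines copied from the log above. The rule set, the CORE_NAMES and ODD_DIRS lists and the hex-name heuristic are my assumptions, not features of HJT.

```python
"""Rule-based triage of HijackThis (HJT) log lines.

Added example, not code from the DaniWeb reply or from HJT. The rules
encode the reasoning a helper applies by hand when marking entries to
'Fix Checked'. The rule set, CORE_NAMES, ODD_DIRS and the hex-name
heuristic are assumptions for illustration.
"""
import re

SYSTEM32 = r"c:\windows\system32"
# Core Windows binary names that malware borrows (assumption).
CORE_NAMES = {"winlogon.exe", "svchost.exe", "userinit.exe", "lsass.exe", "csrss.exe"}
# Directory fragments where a startup executable is suspicious (assumption).
ODD_DIRS = ("\\temp\\", "\\local settings\\", "\\documents\\settings\\")
# A drive letter, then the shortest run of text ending in .exe/.dll/.html.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|html)\b", re.I)


def file_paths(line):
    """Lowercased Windows paths to .exe/.dll/.html files named in an HJT line."""
    return [p.lower() for p in PATH_RE.findall(line)]


def triage(line):
    """Return the list of reasons an HJT line looks malicious (empty if none)."""
    kind = line.split(" - ", 1)[0].strip()      # e.g. 'O4', 'F2', 'R1'
    low = line.lower()
    reasons = []
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned entry: registry points at a file that is gone")
    if kind == "R3" and "is missing" in low:
        reasons.append("default URLSearchHook removed, typical of a hijacker")
    if kind == "F2" and low.count("userinit.exe") > 1:
        reasons.append("UserInit chains a second userinit.exe")
    if kind == "O16" and "ms-its:mhtml:" in low:
        reasons.append("DPF object delivered via ms-its:mhtml: (CHM/MHTML exploit vector)")
    for p in file_paths(line):
        d, _, name = p.rpartition("\\")
        if name in CORE_NAMES and d != SYSTEM32:
            reasons.append(f"{name} launched from {d} instead of {SYSTEM32}")
        if kind in ("O4", "F3") and (d in ("c:", r"c:\windows") or any(s in p for s in ODD_DIRS)):
            reasons.append(f"autorun from unusual location {d}")
        if kind == "O20" and d != SYSTEM32:
            reasons.append("Winlogon Notify DLL outside system32")
        if kind in ("R0", "R1") and name.endswith(".html"):
            reasons.append(f"browser page redirected to local file {p}")
        if re.fullmatch(r"[0-9a-f]{8}\.exe", name):
            reasons.append(f"random hex-named executable {name}")
    return reasons


def triage_log(lines):
    """Map each flagged line to its reasons; clean lines are omitted."""
    flagged = {}
    for ln in lines:
        reasons = triage(ln)
        if reasons:
            flagged[ln] = reasons
    return flagged


# Lines copied from the HJT log in the reply above (benign ones included).
SAMPLE = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"R3 - Default URLSearchHook is missing",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS2\system32\userinit.exe,",
    r"O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\Windows\system32\winbrume.dll (file missing)",
    r"O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe",
    r"O4 - HKLM\..\Run: [SiS Mpc Service] C:\WINDOWS\System32\mpcsvc.exe",
    r"O4 - HKLM\..\Run: [6e730662.exe] C:\WINDOWS\System32\6e730662.exe",
    r"O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl",
    r"O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe",
    r"O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe",
    r"O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht! http://69.50.164.12/exp/mht/sext01.c...aInstaller.e xe",
    r"O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll",
    r"O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll",
]

if __name__ == "__main__":
    for ln, why in triage_log(SAMPLE).items():
        print(ln)
        for r in why:
            print("    ->", r)
```

Ten of the fourteen sample lines are flagged; the mpcsvc.exe, AIM and about:blank entries pass untouched. Note what the rules miss: the haxdoor Winlogon Notify DLL (winm32.dll) sits in system32 under a plausible name and is not flagged, which is exactly why the reply hands that one to HaxFix by name. Location and naming heuristics narrow a log down; they do not replace knowledge of specific families.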