0

I have the blue screen with the "Trojan-Spy.HTML.Smitfraud.c" on, and also "Virus Hunter Security" has created itself on my desktop, and I'm unable to delete it. My system is slower than usual and I've had innumerable trojans pop up from AVG (which I've healed or deleted, depending on the files location), but I'm really stuck for what to do, and my computer is extremely lagged and messed up right now.

HiJackThis Log:

Logfile of HijackThis v1.98.1
Scan saved at 11:57:18, on 30/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\Downloaded Program Files\html.exe
c:\wp.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\paytime.exe
D:\WINDOWS\System32\taskmgr.exe
D:\WINDOWS\tool.exe
D:\WINDOWS\System32\wkfix.exe
D:\WINDOWS\tool1.exe
D:\Program Files\Grisoft\AVG Free\avgwb.dat
D:\WINDOWS\system32\cmd.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\newdial.exe
D:\DOCUME~1\Stardust\LOCALS~1\Temp\B214849932\build2.exe
D:\WINDOWS\system32\navupdts.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\System32\taskmgr.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://D:\WINDOWS\system32\shdocpa.dll/security.htm#subID=PRFV;6784
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - D:\WINDOWS\System32\nsc3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [FastStart] D:\WINDOWS\system32\svcnut32.exe home
O4 - HKLM\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - HKLM\..\RunServices: [Internet2 Optimizer] wkfix.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file) (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101486464781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O19 - User stylesheet: D:\Documents and Settings\Stardust\My Documents\Random Crap\ban.css (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll

Help ASAP would be appreciated very much.

3
Contributors
10
Replies
11
Views
12 Years
Discussion Span
Last Post by dlh6213
0

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

D:\wp.exe
D:\wp.bmp
D:\bsw.exe
D:\Windows\sites.ini
D:\Windows\popuper.exe
D:\Windows\system32\hhk.dll
D:\Windows\System32\wldr.dll
D:\Windows\System32\helper.exe
D:\Windows\System32\intmon.exe
D:\Windows\System32\shnlog.exe
D:\Windows\System32\intmonp.exe
D:\Windows\System32\msmsgs.exe
D:\Windows\system32\msole32.exe
D:\Windows\System32\ole32vbs.exe
D:\WINDOWS\System32\paytime.exe
D:\WINDOWS\system32\svcnut32.exe
D:\WINDOWS\system32\navupdts.exe
D:\WINDOWS\System32\newdial.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

D:\Program Files\Search Maid
D:\Program Files\Virtual Maid
D:\Windows\System32\Log Files
D:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://D:\WINDOWS\system32\shdocpa.dll/security.htm#subID=PRFV;6784
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - D:\WINDOWS\System32\nsc3.dll

O4 - HKLM\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [FastStart] D:\WINDOWS\system32\svcnut32.exe home
O4 - HKLM\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - HKLM\..\RunServices: [Internet2 Optimizer] wkfix.exe
O4 - HKCU\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

O9 - Extra button: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A65ECF60-FFC4-4A66-BBC4-695C1FBEEEC9} - (no file) (HKCU)

O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com

Close HiJackThis.

Reboot into normal mode.

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.

0

I still cant run IE (I'm using firefox), thus I was unable to run ActiveScan. However, all instructions were followed, albeit the first (in my impatience I'd followed a "self help" instruction, which consisted of rebooting in safe mode and deleting the unrecognised icon). Having deleted the user account this occured on (not the main one) the blue screen is no longer a problem.

Trojan horse BackDoor.Small.27.AQ found in D:\WINDOWS\system32\.exe keeps coming up with AVG -- each time I heal it, but it still keeps coming back.

Here is the HijackThis Log:

Logfile of HijackThis v1.98.1
Scan saved at 19:24:36, on 30/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\System32\wkfix.exe
D:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\WINDOWS\System32\lexpps.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\cmd.exe
D:\WINDOWS\system32\ftp.exe
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\system32\NOTEPAD.EXE
C:\unzipped\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - HKLM\..\RunServices: [Internet2 Optimizer] wkfix.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101486464781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS2\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O20 - AppInit_DLLs: MsgPlusLoader.dll

Thanks for all the help so far, much appreciated.

UPDATE: Ran Hoster again, and can now get into IE - in the process of scanning with ActiveScan.

0

Apologies for double post, but I presume as I edited the post previously, it wont allow me to do so again. Anyway, the ActiveScan result:


Incident Status Location

Virus:W32/Sdbot.CUB.worm Disinfected Operating system
Spyware:Spyware/New.net No disinfected D:\WINDOWS\NDNuninstall*.exe
Spyware:Spyware/BargainBuddy No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected D:\WINDOWS\tool1.exe
Adware:Adware/PurityScan No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected D:\WINDOWS\System32\drivers\etc\hosts.bho
Adware:Adware/FavoriteMan No disinfected Windows Registry
Adware:Adware/QuickSearch No disinfected D:\Program Files\QuickSearch
Adware:Adware/ISearch No disinfected D:\WINDOWS\isrvs
Adware:Adware/WildTangent No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected D:\WINDOWS\System32\thun.dll
Adware:Adware/IGuard No disinfected D:\WINDOWS\System32\wldr.dll
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Virus:Application/Restart No disinfected C:\_RESTORE\ARCHIVE\FS55.CAB[A0006720.CPY]
Virus:Application/Restart No disinfected C:\WINDOWS\SYSTEM\Tools\Restart.exe
Virus:Trj/Agent.QW Disinfected C:\wp.exe
Adware:Adware/Adtomi No disinfected C:\unzipped\hijackthis\backups\backup-20041125-212132-771.dll
Adware:Adware/PurityScan No disinfected C:\unzipped\hijackthis\backups\backup-20041125-212133-253.inf
Adware:Adware/MediaTickets No disinfected C:\unzipped\hijackthis\backups\backup-20041125-212134-553.inf
Adware:Adware/MediaTickets No disinfected C:\unzipped\hijackthis\backups\backup-20041125-212134-553.dll
Virus:Exploit/ByteVerify Disinfected D:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv234.jar-6304da4f-3f2b991f.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected D:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv234.jar-6304da4f-3f2b991f.zip[Dummy.class]
Virus:Trj/Shinwow.E Disinfected D:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv234.jar-6304da4f-3f2b991f.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected D:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv234.jar-6304da4f-3f2b991f.zip[Parser.class]
Spyware:Spyware/New.net No disinfected D:\Program Files\filesubmit\piratescaribbean4.zip\NNEZTA388.exe
Adware:Adware/QuickSearch No disinfected D:\Program Files\filesubmit\piratescaribbean4.zip\TBEZA127Q.exe
Virus:Trj/Qhost.Q Disinfected D:\WINDOWS\hosts
Adware:Adware/Adtomi No disinfected D:\WINDOWS\koc.sys
Spyware:Spyware/New.net No disinfected D:\WINDOWS\NDNuninstall6_22.exe
Adware:Adware/Adtomi No disinfected D:\WINDOWS\system32\9ca.dll
Adware:Adware/Adtomi No disinfected D:\WINDOWS\system32\b8fmu00.exe
Virus:Trj/Zapchast.D Disinfected D:\WINDOWS\system32\c.bat
Adware:Adware/KeenValue No disinfected D:\WINDOWS\system32\drivers\etc\hosts.bho
Adware:Adware/nCase No disinfected D:\WINDOWS\system32\in3.dll
Adware:Adware/Adtomi No disinfected D:\WINDOWS\system32\koc.sys
Virus:Trojan Horse Disinfected D:\WINDOWS\system32\Microsoft.NET\msconfig.exe
Virus:W32/Gaobot.FDD.worm Disinfected D:\WINDOWS\system32\msnmgd32.exe
Virus:Bck/Cstrike.A Disinfected D:\WINDOWS\system32\navupdts.exe
Virus:W32/Sdbot.ftp No disinfected D:\WINDOWS\system32\o
Adware:Adware/KeenValue No disinfected D:\WINDOWS\system32\setup_incred_3.exe
Spyware:Spyware/ISTbar No disinfected D:\WINDOWS\system32\snapple.exe[1.exe]
Virus:W32/Sdbot.CEP.worm Disinfected D:\WINDOWS\system32\snapple.exe[2.exe]
Adware:Adware/Adsmart No disinfected D:\WINDOWS\system32\thun.dll
Adware:Adware/Adsmart No disinfected D:\WINDOWS\system32\thun32.dll
Virus:Application/Restart No disinfected D:\WINDOWS\system32\Tools\Restart.exe
Adware:Adware/Adtomi No disinfected D:\WINDOWS\system32\u88bawx.dll
Virus:Trj/Agent.QW Disinfected D:\WINDOWS\system32\wldr.dll
Virus:Trj/LowZones.EZ Disinfected D:\WINDOWS\tool.exe
Virus:Trj/Downloader.BBA Disinfected D:\WINDOWS\tool1.exe

Some backdoor trojans popped up in D:\Windows - 1.exe and 2.exe, both healed.

Also in D:\Windows\System32\.exe: Trojan horse IRC/BackDoor.SdBot.185.BE

A virus seems to be found that needs to be healed in the above every 10-20 mins.

0

You have a few things there that need removing...

-

Download, then unzip to "C:\HJT", the newest version of HiJackThis; version 1.99.1. Then repost your log, either now, or after following the steps in the solution (if provided in this post). This version has features that might be more helpful in 'cleaning' up your system.

===============

Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

wkfix.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Next, Open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

Internet2 Optimizer ... (wkfix.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

D:\WINDOWS\System32\wkfix.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


O4 - HKLM\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - HKLM\..\RunServices: [Internet2 Optimizer] wkfix.exe
O4 - HKCU\..\Run: [Internet2 Optimizer] wkfix.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

D:\WINDOWS\System32\wkfix.exe

You also need to delete the files that were not disinfected by activescan.

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.

0

Logfile of HijackThis v1.99.1
Scan saved at 22:51:37, on 30/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\msnmgd32.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Offices] msnmgd32.exe
O4 - HKLM\..\RunServices: [Offices] msnmgd32.exe
O4 - HKLM\..\RunOnce: [Offices] msnmgd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101486464781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: iexplore - OTW\E.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\WINDOWS\System32\ScsiAccess.EXE

Theres the new log (all instructions followed, though wkfix.exe didnt appear anywhere).

0

You have a few more things there that need removing...

-

Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

msnmgd32.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Next, Open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

Offices ... (msnmgd32.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

D:\WINDOWS\System32\msnmgd32.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


O4 - HKLM\..\Run: [Offices] msnmgd32.exe
O4 - HKLM\..\RunServices: [Offices] msnmgd32.exe
O4 - HKLM\..\RunOnce: [Offices] msnmgd32.exe

O20 - Winlogon Notify: iexplore - OTW\E.dll (file missing)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

D:\WINDOWS\System32\msnmgd32.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.

0

I followed all the steps -- I found offices in services, but it wouldnt let me delete it. Again, it was found in processes (hijackthis misc) but I was unable to delete it. Continuining on, I fixed the things in HijackThis and deleted the file in safe mode, rebooted and none of the processes are running now. New log:

Logfile of HijackThis v1.99.1
Scan saved at 14:29:24, on 31/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RunDll32.exe
D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
D:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Lexmark X74-X75\lxbbbmon.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X74-X75] "D:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IntelliPoint] "D:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101486464781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC82A6D-21E8-49BA-9ACB-2EDA055190FC}: NameServer = 212.67.96.129 212.67.120.148
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\WINDOWS\System32\ScsiAccess.EXE

0

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

0

I generally use firefox most of the time -- it happened to be one day I reverted back to IE.

I already have (or should have) both a firewall, and AVG anti-virus, and the updates are constantly being downloaded.

The fix, I'm afraid, was only temporary, for reasons I cant establish, they keep installing themselves once more. Theres been mentions of both trojan IRC backdoors and worms from AVG, and msnmgd32.exe and wkfix.exe keep reinstalling themselves, and in temp something keeps installing itself -- it didnt occur to me to catch its name, but it began with r (unhelpful, and I apologise).

Perhaps its time for me to get my computer checked out properly, to completely solve this?

0

Crunchie will probably have some other ideas, but until he gets back to this, try these suggestions:

Get SilentRunners from here:
http://www.silentrunners.org/

Run it, and save the log that it generates.

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Boot into Safe Mode and do a search for these files and delete any instances found (be sure your system is set to Show hidden files and folders):

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If you find any of these files, and any could not be deleted, run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Reboot normally and delete any icons from your desktop that you did not put there..

Empty your Recycle Bin.

Close any open browser windows, scan with HJT, and post a new log along with the SilentRunners log.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.