
Hi, can someone help me clean my computer? I am being inundated by pop-ups that end mainly in .com/tau.html. I have downloaded HijackThis, and here is a copy of my log. Thanks in advance!


Logfile of HijackThis v1.99.1
Scan saved at 12:56:56 PM, on 6/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\SmFzb24\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Network Monitor\wnetmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Begone] "C:\Documents and Settings\Jason\My Documents\SpywareBeGone.exe" -FastScan
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\en2ul1f91.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFzb24\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

3 Contributors, 6 Replies, 7 Views, 11 Years Discussion Span, Last Post by crunchie

Please go here & install ALL critical updates required for your system, including service pack 1a for both XP and IE6.
Most malware is designed to attack unpatched XP systems - exploiting the available 'holes' - and can bypass third-party protection on an unpatched system. The most that can be done with an unpatched system is put a temporary bandage on it. Your system can potentially be reinfected within minutes of cleaning it.

==

Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


Thanks for your help. Here are the 2 logs:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/8/2006 2:57:11 PM

Infected! C:\WINDOWS\system32\mv0ml9d11.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007275.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007286.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007294.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007306.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007317.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007329.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007337.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007349.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007351.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007363.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007382.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007386.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP51\A0007397.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP52\A0007413.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP52\A0007425.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP55\A0007444.dll
Infected! C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP55\A0007448.dll
Infected! C:\WINDOWS\system32\mahtml.dll
Infected! C:\WINDOWS\system32\mv0ml9d11.dll
Infected! C:\WINDOWS\system32\n26q0cj5efo.dll
Infected! C:\WINDOWS\system32\nhwrsptb.dll
Infected! C:\WINDOWS\system32\pjustab.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\mv0ml9d11.dll
C:\WINDOWS\system32\mv0ml9d11.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007275.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007275.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007286.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007286.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007294.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007294.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007306.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP48\A0007306.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007317.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007317.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007329.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007329.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007337.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007337.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007349.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007349.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007351.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007351.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007363.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007363.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007382.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007382.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007386.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP50\A0007386.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP51\A0007397.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP51\A0007397.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP52\A0007413.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP52\A0007413.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP52\A0007425.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP52\A0007425.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP55\A0007444.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP55\A0007444.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP55\A0007448.dll
C:\System Volume Information\_restore{F63DFFF8-E9C0-4A71-9FA9-59E3439C82AE}\RP55\A0007448.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mahtml.dll
C:\WINDOWS\system32\mahtml.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mv0ml9d11.dll
C:\WINDOWS\system32\mv0ml9d11.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n26q0cj5efo.dll
C:\WINDOWS\system32\n26q0cj5efo.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nhwrsptb.dll
C:\WINDOWS\system32\nhwrsptb.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\pjustab.dll
C:\WINDOWS\system32\pjustab.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 3:05:31 PM, on 6/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Jason\My Documents\SpywareBeGone.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\SmFzb24\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\NetMeeting\callcont.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Begone] "C:\Documents and Settings\Jason\My Documents\SpywareBeGone.exe" -FastScan
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFzb24\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe


I'm 75% sure that these 2 are malware and key processes for the pop-ups:

C:\WINDOWS\SmFzb24\command.exe
C:\Program Files\Network Monitor\netmon.exe


Please go here & install ALL critical updates required for your system, including service pack 1a for both XP and IE6.
Most malware is designed to attack unpatched XP systems - exploiting the available 'holes' - and can bypass third-party protection on an unpatched system. The most that can be done with an unpatched system is put a temporary bandage on it. Your system can potentially be reinfected within minutes of cleaning it.

Doesn't look like you have done this yet?

==

Can you please do the following.

===============

Open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

Command Service (cmdService) owner ... (C:\WINDOWS\SmFzb24\command.exe)
Network Monitor owner ... (C:\Program Files\Network Monitor\netmon.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\Program Files\winupdates\winupdates.exe
C:\WINDOWS\SmFzb24\command.exe
C:\Program Files\Network Monitor\netmon.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Scan with HiJackThis, then check(tick) the following, if present:


O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFzb24\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\Program Files\winupdates
C:\WINDOWS\SmFzb24
C:\Program Files\Network Monitor

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
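The entries this thread singles out (command.exe and netmon.exe in the post above, plus winupdates.exe and the Winlogon Notify DLL in the fix list) can be picked out of a HijackThis log mechanically. The script below is an added example, not something posted in this thread and not part of HijackThis: it parses the O4, O20 and O23 lines and applies three defender-side triage heuristics, namely a service with no vendor ("Unknown owner"), a Winlogon Notify DLL whose name flips between letters and digits the way generated names do, and a Run entry whose name mimics a Windows or Office component while its executable lives outside any Microsoft directory. It also checks whether a folder in a service path is base64 for readable text, which is how the SmFzb24 folder in the log turns out to spell the user's name. The sample lines are copied from the logs posted above; the LOOKALIKE_RUN_NAMES set, the flip threshold and the printable-text check are assumptions. Note that the heuristic also flags the [outlook] entry, which the thread leaves in place; a flag here is a prompt to verify the file, not a verdict.

```python
import base64
import binascii
import re

# Constructed sample: entries copied from the HijackThis logs posted in this thread,
# with one known-good entry per section so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\en2ul1f91.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFzb24\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Run-key names from this thread that mimic Windows/Office components. Assumption:
# a genuine entry with such a name lives under a Microsoft or Windows directory.
LOOKALIKE_RUN_NAMES = {"winupdates", "outlook"}

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RUN_ENTRY = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)


def file_stem(path):
    """'C:\\dir\\name.ext' -> 'name'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_generated(stem):
    """Heuristic (assumed threshold): generated names such as en2ul1f91 flip between
    letters and digits many times; real component names (WgaLogon, nvsvc32) flip at
    most once or twice."""
    flips = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return flips >= 3


def base64_decodes_to_text(name):
    """Return the decoded text if `name` is base64 for printable ASCII, else None."""
    padded = name + "=" * (-len(name) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) >= 4 and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def parse_entries(text):
    """Yield (section, detail) pairs such as ('O23', 'Service: ... - ... - C:\\...exe')."""
    return [(m.group(1), m.group(2)) for line in text.splitlines()
            if (m := HJT_LINE.match(line.strip()))]


def triage(text):
    """Return [(section, name, path, reason), ...] for entries worth a closer look."""
    findings = []
    for section, detail in parse_entries(text):
        if section == "O4":
            m = RUN_ENTRY.search(detail)
            if not m:
                continue
            name, path = m.group("name"), m.group("path")
            low = path.lower()
            if name.lower() in LOOKALIKE_RUN_NAMES and "microsoft" not in low and "\\windows\\" not in low:
                findings.append((section, name, path,
                                 "Windows/Office look-alike name outside a Microsoft directory"))
        elif section == "O20":
            name, _, path = detail.rpartition(" - ")
            name = name.removeprefix("Winlogon Notify: ")
            if looks_generated(file_stem(path)):
                findings.append((section, name, path, "Winlogon Notify DLL with a generated-looking name"))
        elif section == "O23":
            parts = [p.strip() for p in detail.split(" - ")]
            name = parts[0].removeprefix("Service: ")
            owner = parts[1] if len(parts) >= 3 else ""
            path = parts[-1]
            reasons = []
            if owner.lower() == "unknown owner":
                reasons.append("service has no vendor/owner")
            # Folder components between the drive and the file name (e.g. SmFzb24).
            for folder in path.split("\\")[1:-1]:
                decoded = base64_decodes_to_text(folder)
                if decoded:
                    reasons.append(f"folder name {folder!r} is base64 for {decoded!r}")
            if reasons:
                findings.append((section, name, path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for section, name, path, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {name:32} {path}\n     -> {reason}")
```

Run it against a full log by reading the file into `triage()`; the flagged entries map directly onto the O4 and O23 lines the helper asks to tick in HijackThis, and the base64 note explains why a folder called SmFzb24 under C:\WINDOWS deserved suspicion.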


Thanks for your help. My PC started working fine yesterday after I completed the first steps. And today I realised I hadn't installed the service pack, so I did that before I checked your next posts, and I've followed the rest of your instructions and it's working great. One problem though, and it might be unrelated, but I installed a Windows update this morning (before the service pack) and then it prompted me to reboot, and when my computer came back on, it was running with 6?bit colour (the lowest) and the lowest resolution. I've tried to change this in the display properties but it won't allow it. So now I don't really know what to do. I'd be really, really grateful if you could help me with this problem as well. Thanks :)


Logfile of HijackThis v1.99.1
Scan saved at 2:38:54 PM, on 6/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SmFzb24\command.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\outlook\outlook.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Jason\My Documents\SpywareBeGone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Movie Maker\wmm2ae.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Begone] "C:\Documents and Settings\Jason\My Documents\SpywareBeGone.exe" -FastScan
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149853085670
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFzb24\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe


First off I would suggest a system restore to before installing the windows update. I should have been more specific and told you not to install SP2 until your PC was clean, but to only install SP1, but all I wrote was to install SP1. SP2 is known to create issues on an infected PC.
