My daughter's laptop is infected. She forgot to update her anti-virus protection over a long period. I've been working at deleting everything possible that might harbour a bug, but no joy yet.

At the moment the D drive (CD) is not showing at all, and the keyboard is not functioning as it should (some keys print numbers instead of letters).

An "Error loading" box pops up on startup, saying: "Error loading C:\PROGRA~1\MYWEBS~1\bar\1.bin\MSWBAR.DLL. The specified module could not be found."

Online false anti-spyware pop-up windows appear when I try to access real anti-spyware/anti-virus downloads. The last one I tried was AdAware, and after a battle closing the constant barrage of popups it did download, but right afterwards my Broadband router went dead for 12 hours - which was scary even if it was a coincidence! Now I have a connection again, but it is not possible to update anything.

I checked with the online link that appraises Hijack This logs and it didn't find anything nasty.

When I try to boot up in Safe Mode the option given is to select First Boot Device, so I'm not sure what to do there. None of the options given lead to Safe Mode.

Does this give you any clues as to what might be happening and how I might be able to fix things?

Post a HijackThis log for someone to have a look at.

Logfile of HijackThis v1.99.1
Scan saved at 12:45:22, on 05/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\Christianne\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {39E06389-D9D8-4B13-9139-2960BA17711C} - C:\WINDOWS\system32\lftmat.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [Chrontel TV] C:\WINDOWS\System32\ch_utility.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431A58-FADC-49D9-8463-E5C900990C0C}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC1A7B83-A243-4946-8A6A-D8C7AA654F48}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O20 - AppInit_DLLs:
O20 - Winlogon Notify: lftmat - C:\WINDOWS\SYSTEM32\lftmat.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hello wolffie.... For a start you have a Vundo infection... these online scans are not all-seeing...
I would like you to download CCleaner from http://www.ccleaner.com/ and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the Recycle Bin. It's just a neater thing.
The silver bullet: download VundoFix from this site:
http://www.atribune.org/content/view/24/2/
This [an 85 kB file] is the latest version. Read the instructions on that webpage. Make these preparations [which may not strictly be necessary, but stopping Vundo from copying/blocking is wise]:
- disconnect from the net.
- in a Windows Explorer folder > Tools > Folder Options > View, untick "Hide protected operating system files".
- run CCleaner.
- reboot to Safe Mode and run VundoFix. If it recognises virus files then remove them.
- reboot to normal Windows mode and move HijackThis to a new folder alongside your Program Files. Run HT again and post a new log and then we'll fix some more mundane stuff.
Btw, your Internet Explorer could stand an updating, even if you stay with IE6.

Forgot something... is there any big reason why you don't run XP SP2?

Yes, the Vundo virus blocked most downloads including the Windows Updates, but happily that issue is now sorted.

You asked about the state of my Windows non-update...

Although I seem to be able to download things most of the time, and being able to update Windows was a big bonus, I'm not absolutely sure the problem is completely sorted. I was misdirected to the wrong website just now, Spybot updated but crashed three times, and AdAware has just crashed after installing the new updates... but there is a definite improvement overall!

Any new information will be most welcome.

Some trojans etc. do their level best to prevent antispy software running, or downloading updates, or block security websites, or all of the above. Please, from normal Windows mode and with NO other windows/apps open, run another HT and post the log.

But first, you could go to Control Panel and remove MyWebSearch, then reboot into Safe Mode and run HijackThis from there with NO other apps running, and NO net connection open, and fix these entries:
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
Next thing... I notice you use a proxy, but do you recognise these two IPs?
85.255.115.94
85.255.112.24
I have a feeling that they are bad.... Perhaps you could use another computer to post your next scan? I mean, don't go on the web with your infected one.
...I'm still checking stuff.... I think somehow you have had some bad proxy addresses written into your computer, and that R1 entry is directing your computer to use them. So fix these also [STILL IN SAFE MODE]:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431A58-FADC-49D9-8463-E5C900990C0C}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC1A7B83-A243-4946-8A6A-D8C7AA654F48}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
Finally, please reboot into normal windows again, rescan and repost.

Sorry about the broken posts, but I am working on other stuff... you'll be fine if you read them right through before you do anything. Let me know how you go... And those IPs ARE BAD!!! I checked them out.
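The reading gerbil gives the log above (public addresses written into every Tcpip NameServer key, a ProxyOverride change, unnamed BHO and toolbar entries, the My Web Search autorun, a non-default Winlogon Notify DLL) is the kind of triage that can be automated. What follows is an added example written for this page; it is not HijackThis code and not something anyone in the thread posted. It scans HijackThis 1.99 log lines for those indicators and, when DNS looks hijacked, emits the command-line form of the "Obtain DNS servers automatically" plus ipconfig /flushdns fix. The sample log lines are copied from the logs posted in this thread with a few benign lines added for contrast; the KNOWN_BAD_NETS blocklist (the /20 that the two addresses gerbil checked fall into) and the "Local Area Connection" interface name are assumptions made for the illustration.

```python
"""Triage a HijackThis 1.99 log for the hijack indicators discussed in this thread.

Added example for this page; not part of HijackThis or of the original thread.
"""
import ipaddress
import re

# Assumed blocklist for the example: the /20 containing the two resolver
# addresses from the posted log. A real tool would load threat intel here.
KNOWN_BAD_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# Constructed sample: lines copied from the logs posted in this thread, plus
# benign lines (Google Toolbar BHO, ccApp autorun, NOD32 service) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {39E06389-D9D8-4B13-9139-2960BA17711C} - C:\WINDOWS\system32\lftmat.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431A58-FADC-49D9-8463-E5C900990C0C}: NameServer = 85.255.115.94,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.24
O20 - Winlogon Notify: lftmat - C:\WINDOWS\SYSTEM32\lftmat.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SECTION_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")


def classify_nameserver(ip_text, bad_nets=KNOWN_BAD_NETS):
    """Return a reason string if a configured DNS server looks hijacked, else None.

    A home XP box gets DNS from the router via DHCP, so a hard-coded NameServer
    value normally holds a private (RFC 1918) address or nothing at all. A public
    address written into the Tcpip keys is the hallmark of a DNS hijacker; a
    blocklist hit is conclusive.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable address %r" % ip_text
    if any(ip in net for net in bad_nets):
        return "resolver %s is in known-bad range" % ip
    if ip.is_private or ip.is_loopback:
        return None
    return "public resolver %s hard-coded (expected DHCP/router)" % ip


def triage(log_text):
    """Scan HijackThis log lines; return a list of (section, reason, line) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header lines, running-process paths, blanks
        section, body = m.groups()
        upper = body.upper()
        if section == "R1" and "Proxy" in body:
            findings.append((section, "proxy settings changed; verify ProxyOverride/ProxyServer", line))
        elif section == "O2" and "(no name)" in body:
            findings.append((section, "unnamed BHO", line))
        elif section == "O3" and ("(no file)" in body or "(no name)" in body):
            findings.append((section, "orphaned or unnamed toolbar", line))
        elif section == "O4" and ("MYWEBS~1" in upper or "MY WEB SEARCH" in upper):
            findings.append((section, "My Web Search / FunWebProducts adware autorun", line))
        elif section == "O17" and "NameServer" in body:
            for ip_text in IP_RE.findall(body):  # one finding per resolver address
                reason = classify_nameserver(ip_text)
                if reason:
                    findings.append((section, reason, line))
        elif section == "O20" and "Winlogon Notify" in body:
            # HijackThis 1.99 hides the stock XP Notify packages, so anything
            # listed here (lftmat.dll in the thread) loads into winlogon.exe
            # before the user's shell and deserves a look.
            findings.append((section, "non-default Winlogon Notify DLL", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append((section, "AppInit_DLLs populated", line))
    return findings


def remediation_commands(findings, interface="Local Area Connection"):
    """Command-line form of the thread's DNS fix (DHCP-assigned DNS, flushed cache),
    emitted only when O17 hijack indicators are present. Interface name is assumed."""
    if not any(sec == "O17" for sec, _, _ in findings):
        return []
    return [
        'netsh interface ip set dns "%s" dhcp' % interface,
        "ipconfig /flushdns",
    ]


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for sec, reason, line in hits:
        print("[%s] %s\n    %s" % (sec, reason, line))
    for cmd in remediation_commands(hits):
        print("fix> " + cmd)
```

The netsh line has to be run once per interface named in the O17 lines (the posted log shows two interface GUIDs), and it does not remove the Winlogon Notify or BHO entries; those still go through HijackThis's own fix or the removal tools gerbil lists. The public-address rule will also flag an ISP resolver that was typed in deliberately, which is the right default for an unknown machine: confirm it against the router's DHCP settings rather than silently allow it.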

Hi gerbil,

Thanks for your patience.

The laptop won't let me get into Safe Mode. Instead I get into a blue Boot box which gives me three options. One is a Floppy and the other two don't work. Do you have any ideas?

Also, there is no My Web Search in Control Panel. I can see it in the HijackThis log though. Could I just delete that line from the Registry?

I went to the Windows update and strangely there is a huge update listed of Service Pack 2. Whatever was downloaded the other day it can't have been that... unless a bug caught it and had it for supper!

I am not posting from the laptop, but my own computer, so that is safe.

Shall persevere with this download and see if it helps, but in the meantime I am stuck with the Safe Mode boot.

XP Service Pack 2 downloaded, but wouldn't install completely, so it's removing itself at the moment. One of the remaining bugs must have spotted it. I've a feeling it's time to take a break!

wolffie, if for the time being you cannot get into Safe Mode, run through those fixes in post #9 in normal mode. You just gotta get rid of those proxies for a start!

If you can't delete viruses or trojans, run Safe Mode when Windows is starting... press F8 when Windows starts =)

wolffie, just a bit of info: don't try to force XP to start in Safe Mode via msconfig in normal mode.... If at the moment there is a problem with Safe Mode starting, then you will never be able to get back to normal mode because you'll be caught in a loop.... This is just in case someone suggests it...

I am still getting an Access Denied message half way through the installation of XP Service Pack 2. Spybot Search and Destroy crashed after getting past 512/49129:Baciami and Ad-Aware SE Personal starts to download updates and then says it can't.

Here is the latest HijackThis log, without Safe Mode:

==================================

Logfile of HijackThis v1.99.1
Scan saved at 14:54:56, on 08/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\ESET\nod32kui.exe
C:\Documents and Settings\Christianne\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Cor, wolffie.. there is going to be a lot of reinstalling of software after this.... but we want to save data.
Baciami is a hijacker. Try downloading AVG Anti-Spyware 7.5, installing and updating. Then, under Scanner > Settings set recommended action to Quarantine. Run a full system scan.
From http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe download Fixwareout and save it to desktop.
From an Explorer window > Tools > Folder Options > View, set show all hidden files and folders.

Double-click Fixwareout.exe to start the Fixwareout Setup Wizard, click Next and then Install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
Next check some settings.... In Control Panel select Network and Internet Connections, right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter [space after ipconfig]. Type Exit.

Okay, in normal mode run HT again and repost. SP2 installation appears to have slimmed it down... You may as well try to see if the SP2 goes in and stays in now...

Oh, yeah... Baciami does break Spybot etc., so it could have been stopping SP2 going in...

Hi gerbil,
All that you suggested has been completed. Lots more nasties found with AVG...SP2 wouldn't go in, but when I eventually re-booted and connected my Home Page had been hijacked.
Running Ad-Aware went OK and it updated, but found nothing.
Spybot crashed and closed the system down just after finding Fun Web Products Search Hooks HKEY-USERS\Default\... (didn't have time to get the rest of the line).
XoftSpy didn't find anything, so it didn't crash :)
It might help if I knew where in the drive SP2 had downloaded. Going to the Web to find it seems to be an occasion for mischief to come in the door. Wish I had a firewall!
Downloader.Agent.uj came back. I asked AVG to send it to quarantine, but didn't run Fixwareout this time. Should I have done that? AVG already found that Downloader before I went online... I guess that is how my Home Page was hijacked. I am just assuming..
The first HT log is from before the last attempted install of SP2.
The second log is current.

======================
Logfile of HijackThis v1.99.1
Scan saved at 14:53:59, on 09/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Christianne\My Documents\hijackthis\HijackThis.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163024522903
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
===================================

Logfile of HijackThis v1.99.1
Scan saved at 17:55:14, on 09/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Christianne\My Documents\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163024522903
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

A decent firewall? Cannot believe I left you relying on Windows Firewall with this problem!! The W firewall is great right up until you get a problem with a hijacker or callout trojan, then it's just rubbish. I am sorry for that! Go here and get the free firewall; I use it and think it is fine [it's the last one...]
http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads
Download it, shut off the net, turn off Windows Firewall in Security Centre and then install ZA and restart. Then run Fixwareout again and do the network connections check and DNS flush, and keep it off the net. Meanwhile I shall check your latest logs and get back.
[With that firewall, when you eventually do try to go on the net it will ask you for permissions for everything that needs to go outside - be very wary of most things, think about what you are allowing to contact other servers. The firewall will give you info on what is happening.]

Done the ZoneAlarm install etc. Previously there was no firewall installed at all - not even a Windows one!
Apart from the update for Windows SP2 not installing and Spybot crashing things seem to have improved.
The file Spybot found was: ...6FAF6-072E-44CF8957-5838F569A31D
I deleted it from the Registry manually and held my breath.
Now it's crashing when it gets to SmitfraudC...69...- always there.

Good-oh, that was a randomly generated identifier. Before you try to install SP2 again let's try to clean up fully.
Now, Smitfraud... it's easiest to go with a specialised tool, so download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
This link has a download for the latest update file for Ad-Aware....
http://www.download.com/Ad-Aware-SE-Personal-Definition-File/3000-8022_4-10603995.html?tag=lst-0-10
Unzip it and paste the update into the Adaware folder so that it overwrites the old one. This procedure will bypass the download block that some trojan has placed on Adaware.
Okay. Shut down the net, and in an Explorer window, Folder Options, View, the "Hide protected operating system files" box must be unticked, and "Show hidden files and folders" selected. [I always leave this latter setting in place, but NOT the former.] Run CCleaner.
Go to Safe Mode and perform a full Ad-Aware scan and remove all the problems it finds. If it finds anything, scan and clean again, and so on until it comes up empty-handed.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear, which lists infected files (if present). Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
Try SpyBot again after updating it. If it runs fully, then try this scan online:- http://www.pandasoftware.com/products/activescan? Give them some details, and follow the scan buttons.
HT is not showing me anything bad atm, but it's there.....
Send that Smitfraud log in.... as well as the panda scan log if it finds anything.

[The FunWebProducts SearchHook that you mentioned earlier is a moderately innocuous piece of toolbar trash courtesy of Ask Jeeves, or from that family. Ask Jeeves gives you the kings of popup and ad sites, downloaders etc. It's associated with Global Search, another to avoid.]

Btw, if I run a network analyser I see that I get approx two hits per minute from sites willing to share problems... they are always searching, searching for unguarded computers, i.e. no firewall set up. Until you tire of it and stop it reporting such stuff, ZA will alert you also.

gerbil, I'm not quite sure what should have been pasted into AdAware. I've pasted the unzipped SmitfraudFix folder into the AdAware one... Is that what you meant? At the moment Ad-Aware is scanning. Still can't get into Safe Mode, but only Select First Boot Device, which does not do the trick.

Ad-Aware only found a reference to Repair Registry Pro which had been uninstalled some time ago. It did not crash.
SpyBot continues to crash - this time on SpyAxe. I manually removed C:\Windows\Web \related.htm, which it found before crashing. It is still in the Recycle bin.

=====================================
SmitFraudFix v2.120
Scan done at 14:19:38.18, 11/11/2006
Run from C:\Documents and Settings\Christianne\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christianne

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christianne\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CHRIST~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

I got into Safe Mode by accident - pressed F8 and tried the options in the Boot window and then pressed the on/off button because the computer seemed to be stuck! On startup it just went into Safe Mode all by itself. Not sure I care to replicate what I did in error... While there I took all the steps you suggested. SpyBot got a lot further down the line in this mode and came to list a problem:
My WebSearch\WMSDK\Sources...and I didn't get the rest of it. There is no reference to My Web Search in Add/Remove programmes. I wonder if it is something to do with the absence of the D drive that is causing the crash.

I removed the two lines in the previous log that had FOUND! next to them.

Nothing else new except here is a newer SmitFraudFix log:
=====================================
SmitFraudFix v2.120
Scan done at 16:59:48.51, 11/11/2006
Run from C:\Documents and Settings\Christianne\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christianne

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christianne\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CHRIST~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
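Added example, not from this thread and not part of SmitFraudFix itself: a small Python script that reads a SmitFraudFix-style log like the one above and pulls out the three things worth acting on that the logs keep showing as sections: lines marked FOUND !, a non-empty AppInit_DLLs value (a DLL listed there is loaded into every process that uses user32.dll, so on a home XP box it should be empty, as it is in the log above), and an Active Desktop component whose Source is not About:Home (the SmitFraud family swaps the desktop background for its own page, which is why option 2 restores it). The two sample logs and the file names in them are constructed for the example.

```python
"""Flag the parts of a SmitFraudFix-style scan log that actually need attention.

Added example, not a SmitFraudFix component. Sample logs below are constructed.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^»+\s*(.+?)\s*$")          # »»»» Section title
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')      # "Name"="data"
FOUND_RE = re.compile(r"\bFOUND\s*!")                # ...\file.exe FOUND !

# Banner lines the tool prints in every run; they are not findings.
NOISE = {
    "!!!Attention, following keys are not inevitably infected!!!",
    "SrchSTS.exe by S!Ri",
    "Search SharedTaskScheduler's .dll",
    "GenericRenosFix by S!Ri",
}


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Return {section title: [body lines]} with blanks and banner noise dropped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None and line and line not in NOISE:
            sections[current].append(line)
    return sections


def flag_findings(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (section, reason) pairs for anything in the log worth a look."""
    findings: List[Tuple[str, str]] = []
    for title, lines in sections.items():
        for line in lines:
            if FOUND_RE.search(line):
                findings.append((title, line))
            value = REG_VALUE_RE.match(line)
            if not value:
                continue
            name, data = value.groups()
            # AppInit_DLLs is injected into every user32-linked process.
            if title == "AppInit_DLLs" and name == "AppInit_DLLs" and data:
                findings.append((title, f"AppInit_DLLs is set to {data!r}"))
            # A clean Active Desktop component points at About:Home.
            if title == "Desktop Components" and name == "Source" and data.lower() != "about:home":
                findings.append((title, f"Desktop component Source is {data!r}"))
    return findings


# Constructed sample: the shape of the clean log posted above.
SAMPLE_CLEAN = r"""
SmitFraudFix v2.120
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Constructed sample with hypothetical file names; none of these are real indicators.
SAMPLE_SUSPECT = r"""
SmitFraudFix v2.120
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\example_fake.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/WINDOWS/example_hijack.html"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINDOWS\system32\example_hook.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

if __name__ == "__main__":
    for label, log in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        hits = flag_findings(parse_sections(log))
        print(f"{label}: {len(hits)} finding(s)")
        for section, reason in hits:
            print(f"  [{section}] {reason}")
```

Run it against a saved rapport.txt by reading the file into a string and passing it through the same two functions; the point is that an empty AppInit_DLLs and an About:Home desktop component, as in the logs posted here, produce no findings, while a non-empty AppInit_DLLs is worth investigating even when no FOUND ! line appears.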

wolffie, that link I referred to earlier has the latest personal definitions file for Adaware. Just download it [it is defs.zip] to your desktop or a scratch folder, unzip it to the same folder and then paste the resulting defs.ref file into the Lavasoft\Adaware program files folder, replacing the existing one.

On my sys I have a partition dedicated to temporary files.... so there are Downloads and Scratch Pad folders amongst all Windows's temp files. Smitfraudfix and the Adaware update would have gone to Downloads and have been extracted to Scratch Pad, and then dealt with... I find it clean that way. In my E: drive where all my 3rd party applications are located I have a folder Cleaning Services which is where a lot of these temporary AV, anti trojan services go. Temporary? Yep, you always get the latest version.

Placing the smitfraudfix folder inside Adaware would not have done any harm - it would just ignore it. But no, I said for the smitfraudfix folder to go on your desktop [or another place will do]. Move it out of Adaware.. [when you unzip or otherwise extract stuff, you get to choose where you want it to go...]
So now redo the Adaware thing. Download that .zip, unzip it and paste it into the ProgramFiles\Lavasoft\Adaware folder.

Disconnect from the net. Check that a Restore point has been made. Run CCleaner. Go to Safe Mode.
Fascinating stuff... Spybot must be removing some Smitfraud files - good. Anyway rerun Smitfraudfix and this time use option 2:-
=You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
=The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
Use Adaware to rescan fully. Repeat if it finds anything.
Run AVG antispy.
Now run Spybot and clean and rerun it and rerun it until it goes to the end.
Reboot into normal Windows, tell me how you are getting on... don't post with that PC!!!
You will also have to restore your desktop background...

[Your first Smitfraudfix log referred to downloading trojans: Online Security Guide.url and Security Troubleshooting.url - as your sys is being cleaned of these things, keep it off the net because any remaining will just undo all the good progress by calling home for backups!! So post from another computer, and we may not need to download any more software.]

Hmm... couldn't find the def.refs file, so I pasted everything of smitfraudfix into the Ad-Aware folder.

I can only get into Safe Mode by switching off while Windows is loading. I'm not sure how good or bad this is. Until I am sure I am loath to do this too often!

Ad-Aware found Alexa and it's been quarantined.

I have not had to go on the Web with that computer today, so things must improve. I know there are updates for Spybot because the computer I'm using to write this has them...

Spybot crashed in Safe Mode. First time I wasn't looking at it. It started up as if it were the first time it was running...asked me if I wanted a system backup, which I accepted. Interestingly Spybot was not on the Desktop in Safe Mode and neither were most of the other shortcuts. I had to search for it. I ran it a second time and it crashed the computer at one of the numbers it was checking of Gain.Gator. Third time it crashed at Coupon... Fourth time I tried in normal mode and it crashed the computer half way through. It didn't find anything. In Safe Mode it goes much farther than in Normal Mode, but not far enough - only about 3/4 of the way.

I don't like to create these Safe Mode situations too often without knowing what damage it could cause. I can only get into Safe Mode by switching off as Windows is starting up.

Would the failure to install SP2 have anything to do with the absent D drive ? Might the install be looking for it when it's not there ? This laptop came with a set of recovery disks. Once the infections have gone would they be useful in this situation ?

Desktop background is still there.

Option 2 only ran for a few seconds.

=============================
SmitFraudFix v2.120
Scan done at 14:50:41.25, 12/11/2006
Run from C:\Documents and Settings\Christianne\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

defs.zip definitely wasn't in that link you gave me, gerbil
