I have recently acquired the smitfraud virus I seem to have cleaned it with the use of smitfraudfix in safe mode and the use of several anti virus programs. Even after cleaning it out my background selection browse and position are grayed out (desktop[Display Prop]) but i can still access customize desktop and color.

when i start up my computer I get a message saying Loadlibary("C:\Documents and Settings\All Users\Application Data\zcdyhmdc.dll") failed - The Specified module could not be found.

I searched on Google for zcdyhmdc but found nothing this only started appearing after I cleaned out the virus

Recommended Answers

All 11 Replies

btw when I go to Desktop -Customize desktop then to the web tab I have nothing in web pages

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

SmitFraudFix v2.242

Scan done at 8:49:57.82, Sun 10/28/2007
Run from C:\Documents and Settings\Praz-el\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Internet Explorer\winload.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Praz-el


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Praz-el\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Praz-el\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.77.130
DNS Server Search Order: 68.87.72.130

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2419FEBF-DCE5-47A5-91C5-149501E3D88B}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2419FEBF-DCE5-47A5-91C5-149501E3D88B}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2419FEBF-DCE5-47A5-91C5-149501E3D88B}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\Program Files\Internet Explorer\winload.exe

==========

Download HijackThis from here. Download it to your desktop and NOT a temporary folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

Antivirus Version Last Update Result
AhnLab-V3 2007.10.27.0 2007.10.26 -
AntiVir 7.6.0.30 2007.10.26 TR/Delphi.Downloader.Gen
Authentium 4.93.8 2007.10.28 -
Avast 4.7.1074.0 2007.10.28 -
AVG 7.5.0.503 2007.10.28 -
BitDefender 7.2 2007.10.28 Trojan.Downloader.Delf.OBD
CAT-QuickHeal 9.00 2007.10.26 TrojanDownloader.Agent.elj
ClamAV 0.91.2 2007.10.28 -
DrWeb 4.44.0.09170 2007.10.28 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5244 2007.10.26 -
Ewido 4.0 2007.10.28 -
FileAdvisor 1 2007.10.28 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.26 -
F-Secure 6.70.13030.0 2007.10.28 -
Ikarus T3.1.1.12 2007.10.28 Trojan-Downloader.Delf.OBD
Kaspersky 7.0.0.125 2007.10.28 Heur.Trojan.Generic
McAfee 5150 2007.10.26 -
Microsoft 1.2908 2007.10.28 -
NOD32v2 2621 2007.10.28 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.10.26 -
Panda 9.0.0.4 2007.10.28 Suspicious file
Prevx1 V2 2007.10.28 TROJAN.DOWNLOADER.GEN
Rising 19.46.61.00 2007.10.28 -
Sophos 4.23.0 2007.10.28 -
Sunbelt 2.2.907.0 2007.10.27 -
Symantec 10 2007.10.28 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 suspected of Win32.Trojan.Downloader (http://...)
VirusBuster 4.3.26:9 2007.10.28 -
Webwasher-Gateway 6.6.1 2007.10.28 Trojan.Delphi.Downloader.Gen
Additional information
File size: 94720 bytes
MD5: c5233a4187a9752152f1bb2360b2a37d
SHA1: 47ee3816e6c678132ca6374a516faf9dcc59dd9a

Scan taken on 28 Oct 2007 21:24:37 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Delphi.Downloader.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Downloader.Delf.OBD
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Win32.Trojan.Downloader (http://...) (probable variant)

I have now deleted it

Download HijackThis from here. Download it to your desktop and NOT a temporary folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

And this??

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:33 PM, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Praz-el\Desktop\Highjack\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Flash Module - {C8A3B994-E27A-42f5-A053-C63799E621FB} - simcard1.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SysSFGE.exe] C:\WINDOWS\system32\SysSFGE.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [System32] C:\WINDOWS\system32\frmwrk.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - S-1-5-18 Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5150/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4849 bytes

Thank you :).

Download
SDFix
and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the
following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the
    Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract
    All
    ,
  • Open the extracted folder and double click RunThis.bat to
    start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the
    registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool
    will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and
    display Finished, then press any key to end the script and load
    your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the
    contents of the results file Report.txt back onto the forum with
    a new HijackThis log

SDFix: Version 1.113

Run by Praz-el on Thu 11/01/2007 at 02:16 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Praz-el\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
Driver

ImagePath:
\??\C:\WINDOWS\system32\frmwrk.sys

Driver - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\11.TMP - Deleted
C:\12.TMP - Deleted
C:\14.TMP - Deleted
C:\16.TMP - Deleted
C:\E.TMP - Deleted
C:\F.TMP - Deleted
C:\WINDOWS\SYSTEM32\CENTER.EXE - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\0_exception.nls - Deleted
C:\WINDOWS\system32\alert_icon.gif - Deleted
C:\WINDOWS\system32\b.gif - Deleted
C:\WINDOWS\system32\backtomsn.gif - Deleted
C:\WINDOWS\system32\backtomsn.jpg - Deleted
C:\WINDOWS\system32\classifields.gif - Deleted
C:\WINDOWS\system32\close_icon.gif - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\conf.dat - Deleted
C:\WINDOWS\system32\cookie1.dat - Deleted
C:\WINDOWS\system32\down_arrow.gif - Deleted
C:\WINDOWS\system32\frmwrk.sys - Deleted
C:\WINDOWS\system32\google.htm - Deleted
C:\WINDOWS\system32\header_bg.gif - Deleted
C:\WINDOWS\system32\hf_en-US.js - Deleted
C:\WINDOWS\system32\home.htm - Deleted
C:\WINDOWS\system32\icon_warning.gif - Deleted
C:\WINDOWS\system32\images.gif - Deleted
C:\WINDOWS\system32\info.txt - Deleted
C:\WINDOWS\system32\jewel.png - Deleted
C:\WINDOWS\system32\l_sb.css - Deleted
C:\WINDOWS\system32\l_sb_c.js - Deleted
C:\WINDOWS\system32\ma_search_1.gif - Deleted
C:\WINDOWS\system32\maps.gif - Deleted
C:\WINDOWS\system32\more.gif - Deleted
C:\WINDOWS\system32\msn.htm - Deleted
C:\WINDOWS\system32\news.gif - Deleted
C:\WINDOWS\system32\passport.gif - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\remove_spyware_button.gif - Deleted
C:\WINDOWS\system32\search.css - Deleted
C:\WINDOWS\system32\sec.htm - Deleted
C:\WINDOWS\system32\secuity_center_logo.gif - Deleted
C:\WINDOWS\system32\simcard1.dll - Deleted
C:\WINDOWS\system32\SrchBtn.gif - Deleted
C:\WINDOWS\system32\toolbar_bg.gif - Deleted
C:\WINDOWS\system32\toolbar_corner_left.gif - Deleted
C:\WINDOWS\system32\toolbar_corner_right.gif - Deleted
C:\WINDOWS\system32\warn.htm - Deleted
C:\WINDOWS\system32\web.gif - Deleted
C:\WINDOWS\system32\yahoo.htm - Deleted
C:\WINDOWS\system32\ysch_srp_gsp2_20070621.js - Deleted
C:\WINDOWS\system32\yschx_20070405.css - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 14:23:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\CAPCOM\\LOST_PLANET_TRIAL_DX9\\LostPlanetDX9.exe"="C:\\Program Files\\CAPCOM\\LOST_PLANET_TRIAL_DX9\\LostPlanetDX9.exe:*:Disabled:LostPlanetDX9"
"C:\\Program Files\\Codemasters\\Overlord\\Overlord.exe"="C:\\Program Files\\Codemasters\\Overlord\\Overlord.exe:*:Enabled:Overlord"
"C:\\Documents and Settings\\Praz-el\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Praz-el\\Desktop\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam Client"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\source sdk base\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\source sdk base\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\half-life 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Fury\\Binaries\\DiamondWare\\dwTVC.exe"="C:\\Program Files\\Fury\\Binaries\\DiamondWare\\dwTVC.exe:*:Enabled:dwTVC"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="D:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe:*:Enabled:World in Conflict"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe:*:Enabled:World in Conflict - Online Only"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\garrysmod\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\garrysmod\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\Steamapps\\tecknomasta2004@yahoo.com\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\48393902ld.exe"="C:\\WINDOWS\\system32\\48393902ld.exe:*:Enabled:Enabled"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe:*:Enabled:Crysis_32_sp_demo"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\Praz-el\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 25 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\win_4s.exe"
Sun 28 Oct 2007 4,579 ...HR --- "C:\Documents and Settings\Praz-el\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

Its seems to be fixed thanks for the help

I will wait for your response before marking as solved just in case you see somethign wrong

.............. with
a new HijackThis log
[/list]

Will need to see this first.

========

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\WINDOWS\system32\win_4s.exe

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.