tayspen 28 <Insert title here> Team Colleague

Hi, well sounds like a nasty lil guy ;). Give ewido a whirl (www.ewido.net). It is a pretty good scanner.

Also

Download HijackThis (current version is v1.99.1)

Make a new folder to put your HijackThis.exe into.

(Anywhere on your hard drive is fine other than your Desktop or the Temp folder. Suitable examples are:

* C:\HijackThis\
* C:\Programs\hijackthis\
* C:\Windows\My Documents\HJT\

but feel free to use any name.)

Extract and save the HijackThis download to the new folder you made. Then navigate to it and run HijackThis from there. (This is to ensure it makes the necessary backups for recovery if fixes are made.) Then double-click HijackThis.exe and click Scan.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents in your reply. Most of what it lists will be harmless or even essential; don't try to fix anything yourself.

Make sure to post your ewido log too :).

tayspen 28 <Insert title here> Team Colleague

Hi, Please run HJT again, and select Do system scan only. Then place a check (tick) next to these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = " "

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

O2 - BHO: (no name) - {F10159AE-FFE4-4C9F-859B-DF9A55365333} -

O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) -

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) -

O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control)-

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) -

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -

O18 - Filter: text/html - (no CLSID) - (no file)

O18 - Filter: text/plain - (no CLSID) - (no file)

O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} -

Click Fix Checked.

________________________________________________

Download Hoster.

  • Unzip Hoster to C:\Hoster
  • Run Hoster.exe from its new home
  • Click "Make Hosts Writable?" in the upper right corner (if available).
  • Click Restore Original Hosts and then click OK.
  • Click the X to exit the program.


Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

________________________________________________

Now let's have ewido take out what it can, before we proceed manually.


Please download ewido anti-malware; it is a free version of the program.

  1. Install …
tayspen 28 <Insert title here> Team Colleague

Ok, please post a new HJT log.

tayspen 28 <Insert title here> Team Colleague

Hi, and welcome to DaniWeb. Please run HJT again, and select Do system scan only. Then tick these items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favoritos

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5EC.tmp

Click Fix Checked.

________________________________________________________


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows …
tayspen 28 <Insert title here> Team Colleague

Try using Killbox.

Please download Pocket Killbox by O^E.

Please double-click Killbox.exe to run it.

Check Delete on Reboot

Paste the path of the file into the textbox, then click the red X. Reboot your computer if it doesn't do so automatically.

tayspen 28 <Insert title here> Team Colleague

uh, I would not check these.


O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

Those are legit and can be used by the user; just because it says the file is missing doesn't mean it really is.

Please also ensure that this file is gone.


C:\WINDOWS\system32\winapi32.dll

tayspen 28 <Insert title here> Team Colleague

It is not ok ;). Please run HJT again, select Do system scan only, and check these items.

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

Click Fix Checked.

_____________________________________________

Please download Pocket Killbox by O^E.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\winupdates\winupdates.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

_______________________________________________________

Please post a new log. If you ran this in safe mode, don't; please run it in normal mode.

tayspen 28 <Insert title here> Team Colleague

Hi, please check these items.


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: winapi32.MyBHO - {62E2E094-F989-48C6-B947-6E79DA2294F9} - C:\WINDOWS\System32\winapi32.dll

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [Win32 Usb Driver] svhosint32.exe

O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe

O4 - HKLM\..\Run: [Windows Update Manager] updmgr.exe

O4 - HKLM\..\Run: [Sysino] lsess.exe

O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto

O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe

O4 - HKLM\..\RunServices: [Win32 Usb Driver] svhosint32.exe

O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe

O4 - HKLM\..\RunServices: [Windows Update Manager] updmgr.exe

O4 - HKLM\..\RunServices: [Sysino] lsess.exe

O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe

O4 - HKCU\..\Run: [Win32 Usb Driver] svhosint32.exe

O4 - HKCU\..\Run: [Win32 System Spool] spoolsvc.exe

O4 - HKCU\..\Run: [Sysino] lsess.exe

O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://D:\components\Liquid.ocx

O21 - SSODL: mtklef - {99589906-CF95-4335-F5AC-30E73DFAA272} - C:\WINDOWS\System32\dehsm32.dll

O23 - Service: Win32 System Spool - Unknown owner - C:\WINDOWS\system32\spoolsvc.exe" -netsvcs (file missing)

Click Fix Checked.

_________________________________________________________

We need to remove an NT Service

Do the following:

Start -> Run
  • Type services.msc

tayspen 28 <Insert title here> Team Colleague

Hmm, you're right. It's just that it is weird that it is in the fonts folder. Let's wait for a second opinion about it.

tayspen 28 <Insert title here> Team Colleague

Use killbox then post a new log.

tayspen 28 <Insert title here> Team Colleague

Thanks. You don't need to create two threads in the future. Please run HJT and check the following items.


O2 - BHO: DPCUpdater Object - {E321ACA5-B12F-4D2C-B786-23B0A559CB21} - C:\WINDOWS\System32\mlljk.dll

O20 - Winlogon Notify: mlljk - C:\WINDOWS\System32\mlljk.dll

Click Fix Checked.

__________________________________________

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.

_________________________________________________

Please download ewido anti-malware; it is a free version of the program.

  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files. …
tayspen 28 <Insert title here> Team Colleague

Please check for any .exe files in this folder. Report back any you find.

C:\WINDOWS\system32\Fonts


You may need to show hidden files.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.

tayspen 28 <Insert title here> Team Colleague

Nope, that log looks clean.

tayspen 28 <Insert title here> Team Colleague

Well, usually it's in things you download, especially in "Free" things, like toolbars for IE etc.

So how did I get infected...

tayspen 28 <Insert title here> Team Colleague

Well, I forgot about that file ;). But just delete it with Killbox the same way as the other. Then delete that folder.


Your HJT log looks clean.

tayspen 28 <Insert title here> Team Colleague

Ok, please check these items in HJT

R3 - URLSearchHook: (no name) - {1717AFDE-6030-3CBE-64A2-30469096D9CA} - C:\WINDOWS\System32\ilpig.dll

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: (no name) - {1717AFDE-6030-3CBE-64A2-30469096D9CA} - C:\WINDOWS\System32\ilpig.dll

O2 - BHO: (no name) - {1717AFDE-6030-3CBE-64A2-30469096D9CA} - C:\WINDOWS\System32\ilpig.dll

O2 - BHO: (no name) - {2137E161-79D6-2204-8B05-2F27B6E4EE98} - C:\WINDOWS\System32\rprctdyg.dll

O2 - BHO: (no name) - {2137E161-79D6-2204-8B05-2F27B6E4EE98} - C:\WINDOWS\System32\rprctdyg.dll

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1162

O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgGB2404.exe

O20 - Winlogon Notify: winhla32 - winhla32.dll (file missing)

Click Fix Checked.

______________________________________________________

Please download Pocket Killbox by O^E.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\ilpig.dll

    C:\WINDOWS\System32\rprctdyg.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

____________________________________________________

Download about:buster Here.
Download CWShredder Here.
Download and install …

tayspen 28 <Insert title here> Team Colleague

Please run HJT again, select Do system scan only. And check these items.


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=

O2 - BHO: WTLHelper Object - {6D33B121-5C4C-4450-9D1F-7B67085CC199} - C:\WINDOWS\system32\mljjh.dll

O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\ssqrp.dll

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b3.../java/RntX.cab

O20 - Winlogon Notify: mljjh - C:\WINDOWS\system32\mljjh.dll

O20 - Winlogon Notify: ssqrp - C:\WINDOWS\SYSTEM32\ssqrp.dll

Click Fix Checked.

_______________________________________________

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.

_______________________________________________________

Please download ewido anti-malware; it is a free version of the program.

  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you …
tayspen 28 <Insert title here> Team Colleague

Hi, and welcome to DaniWeb. Please run HJT again and select Do system scan only. Then check these items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O20 - Winlogon Notify: winbjv32 - winbjv32.dll (file missing)

Click Fix Checked.

__________________________________________________

Please download Pocket Killbox by O^E.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Josh\Application Data\THUNKBAITDEAF\boreregspile.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

____________________________________________________

Please go …

tayspen 28 <Insert title here> Team Colleague

Well, from what I gathered from that, you think you have another virus. Well guess you could post another log ;).

tayspen 28 <Insert title here> Team Colleague

Looks clean to me.

tayspen 28 <Insert title here> Team Colleague

Looks clean to me :).

tayspen 28 <Insert title here> Team Colleague

Try standard first; if it fails, go reboot. Also, if it asks to make a backup, accept it.

tayspen 28 <Insert title here> Team Colleague

It is ok, I should have said that. In that case please use Killbox to delete this file.


C:\WINDOWS\system32\ipconfig.exe

Then post a new log.

tayspen 28 <Insert title here> Team Colleague

Please have HJT fix these.

O4 - HKCU\..\Run: [LDM] \Program\

I also need to know what OS you're on.

tayspen 28 <Insert title here> Team Colleague

Hi, and welcome to DaniWeb. Please run HJT again, and select Do system scan only. Then check these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINDOWS\system32\mspxs32.dll

O2 - BHO: (no name) - {466D90BB-5E07-528B-27E0-0095CBA2889B} - C:\WINDOWS\system32\zkdl.dll (file missing)

O2 - BHO: (no name) - {7340A0BB-7334-67BF-0AD0-30B8FB92A5AB} - C:\WINDOWS\system32\zkdl.dll (file missing)

O2 - BHO: (no name) - {819D7D5C-FC85-EB0F-B739-EEE52EBD07F3} - C:\WINDOWS\system32\ysorsh.dll (file missing)

O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\system32\explorer32.exe

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\system32\explorer32.exe

O15 - Trusted Zone: *.blazefind.com (HKLM)

O15 - Trusted Zone: *.clickspring.net (HKLM)

O15 - Trusted Zone: *.flingstone.com (HKLM)

O15 - Trusted Zone: *.mt-download.com (HKLM)

O15 - Trusted Zone: *.my-internet.info (HKLM)
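Added example, not code from this thread or from HijackThis: a small Python triage script that parses pasted HJT entries in the format quoted above and flags the patterns tayspen keeps pointing at (entries whose file is missing, blank or about:blank IE settings, a configured ProxyServer, autoruns by bare filename, Trusted Zone additions, Winlogon Notify DLLs, services with unknown owner). The sample log is constructed from lines quoted in this thread; the rules are review heuristics, not a verdict on any entry.

```python
import re
from dataclasses import dataclass, field

# Shape of a HijackThis entry: "<section> - <detail>", e.g.
# "O2 - BHO: (no name) - {CLSID} - C:\WINDOWS\system32\foo.dll"
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")
# Registry-style detail used by R0/R1 lines: "HKCU\...\Main,Start Page = value"
REG_RE = re.compile(r"^(HK[A-Z]+\\.*?),([^=]+?)\s*=\s*(.*)$")


@dataclass
class Entry:
    section: str
    detail: str
    reasons: list = field(default_factory=list)


def parse_entry(line):
    """Return an Entry for a HJT log line, or None for prose/blank lines."""
    m = ENTRY_RE.match(line.strip())
    return Entry(m.group(1), m.group(2)) if m else None


def review(entry):
    """Attach review reasons mirroring the patterns called out in the thread."""
    s, d = entry.section, entry.detail
    low = d.lower()
    if "(no file)" in low or "(file missing)" in low:
        entry.reasons.append("references a file that is not on disk")
    if s in ("R0", "R1"):
        m = REG_RE.match(d)
        if m:
            _key, name, value = m.groups()
            value = value.strip()
            if value in ("", "about:blank"):
                entry.reasons.append("IE setting blank or about:blank")
            if name.strip() == "ProxyServer" and value:
                entry.reasons.append("proxy server configured: %s" % value)
    if s == "R3" and "URLSearchHook" in d:
        entry.reasons.append("URL search hook")
    if s == "O2" and low.endswith(".tmp"):
        entry.reasons.append("BHO loaded from a .tmp file")
    if s == "O4":
        m = re.search(r"\[(.*?)\]\s*(.*)$", d)
        # A Run value with no drive letter relies on the search path.
        if m and not re.match(r"^\"?[a-z]:\\", m.group(2).lower()):
            entry.reasons.append("autorun by bare filename, no full path")
    if s == "O15":
        entry.reasons.append("domain added to Trusted Zone")
    if s == "O20" and "winlogon notify" in low:
        entry.reasons.append("Winlogon Notify DLL")
    if s == "O23" and "unknown owner" in low:
        entry.reasons.append("service with unknown owner")
    return entry


def triage(log_text):
    """Parse a pasted HJT log and return only entries that got a reason."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and review(e).reasons:
            flagged.append(e)
    return flagged


# Constructed sample: lines quoted in this thread, mixed with two benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5EC.tmp
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [2Tray.exe] C:\PROGRA~1\IMAGEC~1\2tray.exe
O15 - Trusted Zone: *.blazefind.com (HKLM)
O20 - Winlogon Notify: winbjv32 - winbjv32.dll (file missing)
O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("%s - %s\n    -> %s" % (e.section, e.detail, "; ".join(e.reasons)))
```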

tayspen 28 <Insert title here> Team Colleague

Indeed.

But please, if you did not install Firefox to this directory, let us know.


C:\Firefox\firefox.exe

tayspen 28 <Insert title here> Team Colleague

Hi, you have numerous infections. Please run HJT again, select Do system scan only. Then place a check next to these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpF1E.tmp

O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1...datePortal.cab

O20 - Winlogon Notify: winkve32 - winkve32.dll (file missing)

Click Fix Checked

___________________________________________________

Please download AboutBuster.

  • Double click the AboutBuster folder, then double click the AboutBuster.exe inside.
  • Click "Extract all" in the box that pops up, then "Next"
  • Choose the location you would like to install AboutBuster, such as My Documents.
  • Make sure "Show extracted files" is checked, then click "Finish".
  • Reboot to safe mode
    (by hitting the F8 key repeatedly at the bootup screen until a menu shows up, then choose Safe Mode from the list)
  • Open AboutBuster and click the "Begin Removal" button. It will shut down all Explorer windows (if open) while it works.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second …
tayspen 28 <Insert title here> Team Colleague

By the looks of the log, it was probably the virus telling you you had a virus, to trick you into buying their program :).

Please run HJT again, and select Do system scan only. Then check these items.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpD4FF.tmp

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/Yazzl...cab?refid=1162

O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll

Click Fix Checked.

_________________________________________________

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After …
tayspen 28 <Insert title here> Team Colleague

Have you tried un-installing, and then re-installing it?

tayspen 28 <Insert title here> Team Colleague

You have a member of the Smitfraud family in there ;). That is most likely the balloon pop-ups.

Please download SmitfraudFix from http://siri.geekstogo.com/SmitfraudFix.php

NOTE: This tool will not work on 98/ME systems. Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by rebooting the computer, and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

Please post a new log, also does that take care of the balloons?

tayspen 28 <Insert title here> Team Colleague

Please run HJT, and place a check next to these items.


O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp786A.tmp

O4 - Startup: StealthBot v2.6 Revision 3.lnk = Starcraft\StealthBot\StealthBot v2.6R3a.exe

O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm

O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm

O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm

O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm

Click Fix Checked.

-------------------------------------------------------

Please download SmitfraudFix from http://siri.geekstogo.com/SmitfraudFix.php

NOTE: This tool will not work on 98/ME systems.

Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by rebooting the computer, and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press

tayspen 28 <Insert title here> Team Colleague

Well, I see no signs of a virus. If you think your Xp install is corrupt, you may want to perform a repair install: http://www.michaelstevenstech.com/XPrepairinstall.htm

tayspen 28 <Insert title here> Team Colleague

Hi,

Please have HJT fix these.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go2net.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 - Only if you do not have a proxy set up

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -



Click Fix Checked.

The only other things I see are the cookie crusher program and the wallpaper changer program, which, in your last post, you said you trust.

I would say you are clean, but if you just want to triple check you could run an online scan. http://www.kaspersky.com/scanforvirus.html

tayspen 28 <Insert title here> Team Colleague

You can get HJT HERE. Please run it, and select Do system scan only, then post the log that pops up.

tayspen 28 <Insert title here> Team Colleague

Sure.

tayspen 28 <Insert title here> Team Colleague

Hmm, not sure why it did that either, try putting it in code tags. Put CODE tags at the top of the log. That should format it a bit better.

tayspen 28 <Insert title here> Team Colleague

Hi, please format your log one entry per line; it is way too hard to read as it is now ;).

tayspen 28 <Insert title here> Team Colleague

That log looks clean.

tayspen 28 <Insert title here> Team Colleague

Try just

WSCM

or

Windows Service Manager

tayspen 28 <Insert title here> Team Colleague

Hi, please run HJT again, and place a check next to these items.


O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe

Click Fix Checked.

---------------------------------------------------------------

We need to remove an NT Service

Do the following:

Start -> Run
  • Type services.msc
  • Click OK

The Services Management Console opens - do the following:

  • Click the Extended tab.
  • Scroll down until you find Windows Service Manager (WSCM)
  • Click on the service to highlight it.
  • Click Stop
  • Right-click on Windows Service Manager (WSCM).
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the down-arrow on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, select 'Disabled'
  • Click the 'Apply' tab
  • Click 'OK'

Now:

  • Open HJT
  • Click on Config>>Misc Tools>>Delete an NT Service
  • Type Windows Service Manager (WSCM) in the space provided and click 'OK'.
  • The program will ask you to REBOOT --- Accept
  • REBOOT into SAFE MODE (F8 on bootup, then select Safe Mode)
  • Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINDOWS\System32\service.exe

  • REBOOT back into Normal Mode

---------------------------------------------------------------

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Now Start killbox Copy the list of files below to the clipboard by selecting all of …

tayspen 28 <Insert title here> Team Colleague

What version do you have? You went through them all pretty quickly.

tayspen 28 <Insert title here> Team Colleague

Hi, please run HJT again, and check the following items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe

O4 - HKLM\..\Run: [Windows Installer] C:\WINDOWS\system32\ntdll.exe

O4 - HKLM\..\Run: [Windows Spooler] C:\WINDOWS\system32\spoolsv32.exe

O4 - HKLM\..\Run: [Windows DLL Host] C:\WINDOWS\system32\dllhost32.exe

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

O4 - HKLM\..\Run: [2Tray.exe] C:\PROGRA~1\IMAGEC~1\2tray.exe

O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe

Click Fix Checked

------------------------------------------------------------

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Now start Killbox. Copy the list of files below to the clipboard by selecting all of them with your mouse (left click the start of the list and drag the mouse to the bottom of the list) and, when they are all selected (highlighted in blue), right click on any part of the blue area and say copy.

In the Killbox, go to the toolbar, press File and select Paste from clipboard. The first file name will appear in the window and, if the file exists, it will appear in blue under that window. Then select standard file kill, press the red X button, say yes to the prompt, and once the file deleted message comes up press the red X again; continue to press until the last file on the list appears in the window & it says deleted.

If it fails to delete one, check Delete on …

tayspen 28 <Insert title here> Team Colleague

Download HijackThis. Extract it to its own folder. Then run it and select Do system scan and save log. Post the contents of the log that pops up.


We will work from there in determining the problem.

tayspen 28 <Insert title here> Team Colleague

Please post a fresh log.

tayspen 28 <Insert title here> Team Colleague

Lol, It is long, I know, but trust me when I say that doing it will save you headaches in the long run.

tayspen 28 <Insert title here> Team Colleague

Hi, please run HJT again, and check off the following items.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Click Fix Checked.

----------------------------------------------------------------
Let's begin by downloading SmitfraudFix. Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer, so it will take some time to run. When done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

tayspen 28 <Insert title here> Team Colleague

Download HijackThis. Extract it to its own folder. Then run it and select "Do system scan and save log". Post the contents of the log that pops up.

We will work from there to determine if it is indeed a virus.

>shadow< commented: immediate response +1
tayspen 28 <Insert title here> Team Colleague

Thank you, for making your own thread :). Start by running HJT again, and selecting Do system scan only. Then in HJT check these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto

O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto

O4 - Startup: Morpheus.lnk.disabled

O4 - Startup: TrueAssistant.lnk.disabled

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab

Click Fix Checked

----------------------------------------------------------------------

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Now start Killbox. Copy the list of files below to the clipboard by selecting all of them with your mouse (left click the start of the list and drag the mouse to the bottom of the list); when they are all selected (highlighted in blue), right click on any part of the blue area and choose Copy.

In Killbox, go to the toolbar, press File and select Paste from clipboard. The first file name will appear in the window, and if the file exists it will appear in blue under that window. Then select Standard File Kill, press the red X button, say yes to the prompt, and once the "file deleted" message comes up press the red X again. Continue pressing until the last file on …

tayspen 28 <Insert title here> Team Colleague

You can fix the O9; the O16 is related to Java and is legit. Are you using a proxy server? If not, you may want to fix this.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555


Exactly what are the problems you are having still?
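For anyone triaging a HijackThis log of the kind quoted in these posts offline, here is an added Python example (my own code, not HijackThis's and not the poster's) that parses R/O entries and flags the kinds of items the helper repeatedly asked to have fixed: a proxy pointing at the local machine, orphaned BHO entries, and Run entries with a bare or drive-root executable. The sample lines are constructed from entries shown above, and the heuristics are assumptions, not HijackThis rules.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the HijackThis entries quoted in the posts
# above; it is not a real log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a log into (section, body) pairs, skipping lines that do not parse."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (reason, entry body) for entries worth a closer look.

    Heuristics are assumptions of this example: they mirror the entries the
    helper asked to fix, and a hit means "verify", not "malicious".
    """
    findings = []
    for sec, body in parse_hjt(text):
        if sec == "R1" and ",ProxyServer =" in body:
            value = body.split("=", 1)[1].strip()
            if any(host in value for host in LOOPBACK):
                findings.append(("proxy points at the local machine", body))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(("orphaned BHO (no file)", body))
        elif sec == "O4" and (m := RUN_RE.match(body)):
            # Keep only the executable path, dropping arguments such as /auto.
            exe = m.group("cmd").lower().split(".exe")[0]
            if "\\" not in exe:
                findings.append(("Run entry with bare filename (no path)", body))
            elif exe.count("\\") == 1:
                findings.append(("Run entry launching from the drive root", body))
    return findings
```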