a virus?, help please..

Post #1 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

Umm.. I don't know what happened to my computer, but all of a sudden when I turned it on.. it gives me a black desktop wallpaper that says..

> "WARNING! YOU'RE IN DANGER! ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN. Every site you or somebody or even something, like spyware, opened in your browser, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life! SECURE YOURSELF RIGHT NOW! REMOVE ALL SPYWARE FROM YOUR PC! Removal instructions"

And I didn't type that.. they allow you to highlight it.. I think they want me to download some crap.. and it's allowing a lot of pop-ups.. please help.. I don't have many virus protection programs..

Post #2 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Alright, umm, first tell me: it's your desktop that seems infected, right?

Post #3 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Oops, sorry for the double post. Do your pop-ups say either Aurora or about:blank?

Post #4 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

No.. it says something about "we will download in 60 seconds.. press yes if you are tempted".. or something.. and they keep downloading SRTSEXCL on my desktop every time I put it in the trash can.. thanks for helping..

Post #5 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Naw, I'm here to help you and I'll try to get your PC cleaned up, but it will take some time... One more question: does it say trojan.smithfraud or anything similar to that? Is your background blue?

Post #6 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

It's blue when you start up and then turns to the black screen saver..
It doesn't say anything about a trojan smithfraud.

Post #7 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Alright, I believe you have the Backdoor.IRC.Aladinz.K trojan and it's used recently by Symantec products such as Norton Antivirus software and other things by Norton. If you have any Norton products, please tell me now.

Post #8 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

No.. I don't have any.. but I tried downloading one just an hour ago.. but it just froze..

Post #9 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Did this just occur a while ago?

Post #10 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

Well.. I used it on Saturday.. and now it's Monday.. I just turned it on.. and it popped up a black desktop.. and I tried getting rid of it.

Post #11 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Alright, I have a couple of programs you will need to download in order to solve your problem. First download HiJackThis from Merijn, then download Ewido from its website, and please run a free virus scan from Trend Micro. After you've done all that, we'll get to business on your trojan problem.

Post #12 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

Thank you so much.. but can I work on this tomorrow? My mom's kicking me off for not doing my homework.. thanks again!

Post #13 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Sure, glad to be of help so far. When you're on, we'll continue this tomorrow =]

Post #14 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

Well.. I'm back now.. and you can help me whenever.. you just get your priorities straight before you help me.. I don't want to interfere with your life.. but I found out that it is a trojan smithfraud.. I read the blue screen before it turned black.. and I already installed Ewido and HijackThis.. HouseCall is scanning right now.. thanks..

Post #15 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Alright, good. I can help you now knowing your trojan is smithfraud; I've helped many people with this before and I don't mind helping you =] That's what I do in my spare time. Since you're running Trend Micro, when you're done with that and reading this, please post a log of HJT (HiJackThis) in the same thread, then we'll get to business =] Before doing that, please put HJT in a permanent folder to avoid backup issues (e.g. C:\HJT).

Post #16 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

```
Logfile of HijackThis v1.99.1
Scan saved at 6:50:52 PM, on 5/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\101\System32\smss.exe
C:\WINNT\101\system32\winlogon.exe
C:\WINNT\101\system32\services.exe
C:\WINNT\101\system32\lsass.exe
C:\WINNT\101\system32\svchost.exe
C:\WINNT\101\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\101\system32\svchost.exe
C:\Documents and Settings\Win20021\Desktop\Ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Win20021\Desktop\Ewido\security suite\ewidoguard.exe
C:\WINNT\101\system32\regsvc.exe
C:\WINNT\101\system32\MSTask.exe
C:\WINNT\101\System32\WBEM\WinMgmt.exe
C:\WINNT\101\system32\svchost.exe
C:\WINNT\101\Explorer.EXE
C:\WINNT\101\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\101\system32\hphmon03.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.3\program\soffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\101\system32\HPHipm09.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Win20021\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Win20021\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C579D13-BDED-4F57-9557-6FD1067476A0} - C:\WINNT\101\system32\agpo.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\101\wsem303.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Documents and Settings\Win20021\Desktop\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Documents and Settings\Win20021\Desktop\NavShExt.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\101\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\101\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\101\system32\hphmon03.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Personal Coach.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\101\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\101\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {A99547AD-2942-4013-A299-FF311ED6F5B8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A99547AD-2942-4013-A299-FF311ED6F5B8} - (no file) (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...d9d6f067011f31e
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O18 - Filter: text/html - {BD6D6EA3-4C5E-4F00-A91B-34403626B672} - C:\WINNT\101\system32\agpo.dll
O18 - Filter: text/plain - {BD6D6EA3-4C5E-4F00-A91B-34403626B672} - C:\WINNT\101\system32\agpo.dll
O20 - Winlogon Notify: ntfs32 - C:\WINNT\101\SYSTEM32\ntfs32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\101\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Win20021\Desktop\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Win20021\Desktop\Ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Documents and Settings\Win20021\Desktop\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\101\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINNT\101\system32\HPHipm09.exe
O23 - Service: SAVScan - Unknown owner - C:\Documents and Settings\Win20021\Desktop\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
```

There you go..

Post #17 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Hmm, you have quite a big load of viruses and trojans =[ but don't worry, we'll get you fixed up in no time.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop. Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt, then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

* Security IGuard
* Virtual Maid
* Search Maid

Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit.
* In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop.
* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".
* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C:

```
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
```

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually. While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

Make sure you can view hidden files. Using Windows Explorer, delete the following, if found (please do NOT try to find them by "search" because they will not show up that way).

FOLDERS to delete, if found:

* C:\Program Files\Search Maid
* C:\Program Files\Virtual Maid
* C:\Windows\System32\Log Files
* C:\Program Files\Security IGuard

While still in Safe Mode, do the following: Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED:

```
C:\WINNT\101\System32\smss.exe
C:\WINNT\101\system32\lsass.exe
C:\WINNT\101\system32\services.exe
C:\WINNT\101\system32\spoolsv.exe
C:\WINNT\101\system32\regsvc.exe
C:\WINNT\101\system32\MSTask.exe
C:\WINNT\101\System32\WBEM\WinMgmt.exe
C:\WINNT\101\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Win20021\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0C579D13-BDED-4F57-9557-6FD1067476A0} - C:\WINNT\101\system32\agpo.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\101\wsem303.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\101\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\101\web\related.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...d9d6f067011f31e
O18 - Filter: text/html - {BD6D6EA3-4C5E-4F00-A91B-34403626B672} - C:\WINNT\101\system32\agpo.dll
O18 - Filter: text/plain - {BD6D6EA3-4C5E-4F00-A91B-34403626B672} - C:\WINNT\101\system32\agpo.dll
O20 - Winlogon Notify: ntfs32 - C:\WINNT\101\SYSTEM32\ntfs32.dll
```

Close HiJackThis. Reboot into normal mode.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit the program.
2.) Right-click HERE and Save As to download DelDomains.inf to your desktop. To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart). Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.
3.) Download, install, and run CleanUp!
4.) Run this online virus scan: ActiveScan. Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.
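As an added example (written for this page, not code from the thread or from the HijackThis project), here is a small Python parser for HijackThis 1.99 logs of the kind posted in this thread. It splits a log into running processes and numbered entries, flags the entry types the helper singled out above (file-missing references, hijacked IE R1 settings, an unnamed O2 BHO, an unnamed O16 download, O18 MIME filters, an O20 Winlogon Notify DLL), and diffs a "before" log against an "after" log to list what a cleanup removed. The two sample logs are constructed from a handful of lines taken from the logs in posts #16 and #31, not the full logs.

```python
import re

# Constructed samples: a few lines taken from the "before" log (post #16) and
# the "after" log (post #31) of this thread, not the complete logs. The after
# sample keeps one benign BHO so the diff shows only what the cleanup removed.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:50:52 PM, on 5/24/2005

Running processes:
C:\WINNT\101\System32\smss.exe
C:\WINNT\101\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Win20021\LOCALS~1\Temp\se.dll/spage.html
O2 - BHO: (no name) - {0C579D13-BDED-4F57-9557-6FD1067476A0} - C:\WINNT\101\system32\agpo.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...d9d6f067011f31e
O18 - Filter: text/html - {BD6D6EA3-4C5E-4F00-A91B-34403626B672} - C:\WINNT\101\system32\agpo.dll
O20 - Winlogon Notify: ntfs32 - C:\WINNT\101\SYSTEM32\ntfs32.dll
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:47:31 PM, on 5/24/2005

Running processes:
C:\WINNT\101\System32\smss.exe
C:\WINNT\101\Explorer.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")      # "O20 - Winlogon Notify: ..."
NAMED_CONTROL_RE = re.compile(r"\(.+?\)\s+-")        # "(HouseCall Control) -" in an O16 line


def parse_hjt(text):
    """Split a HijackThis log into (running_processes, entries).

    entries is a list of (code, body) tuples, e.g. ("O20", "Winlogon Notify: ...").
    """
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
    return processes, entries


def review(entries):
    """Return [(code, body, reasons)] for entries that deserve a human look.

    Heuristics matching the entry types fixed in this thread, not a verdict:
    a flagged line can be legitimate (a leftover service of an uninstalled
    antivirus, for instance) and must be checked before it is removed.
    """
    findings = []
    for code, body in entries:
        low = body.lower()
        reasons = []
        if "(file missing)" in low:
            reasons.append("points at a file that no longer exists")
        if code.startswith("R") and ("about:blank" in low or ("res://" in low and "\\temp\\" in low)):
            reasons.append("IE search/home setting hijacked (about:blank or a DLL in a Temp folder)")
        if code == "O2" and low.startswith("bho: (no name)"):
            reasons.append("browser helper object with no name")
        if code == "O16" and not NAMED_CONTROL_RE.search(body):
            reasons.append("downloaded ActiveX control with no control name")
        if code == "O18":
            reasons.append("MIME filter sees every text/html or text/plain page IE loads")
        if code == "O20":
            reasons.append("Winlogon Notify DLL is loaded into winlogon at every logon")
        if reasons:
            findings.append((code, body, reasons))
    return findings


def removed_entries(before_text, after_text):
    """Entries present in the earlier log and gone from the later one."""
    _, before = parse_hjt(before_text)
    _, after = parse_hjt(after_text)
    still_there = set(after)
    return [entry for entry in before if entry not in still_there]


if __name__ == "__main__":
    procs, entries = parse_hjt(BEFORE_LOG)
    print(f"{len(procs)} processes, {len(entries)} entries")
    for code, body, reasons in review(entries):
        print(f"{code}: {body}\n    -> {'; '.join(reasons)}")
    print("removed by the cleanup:")
    for code, body in removed_entries(BEFORE_LOG, AFTER_LOG):
        print(f"  {code} - {body}")
```

Run it against a real log by reading the file into a string and passing it to `parse_hjt`; the "after" log review returns nothing, which is the check the helper asks for in post #30.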

Post #18 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

Umm, I'm not done but.. I have a question..

> * Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C: C:\wp.exe C:\wp.bmp C:\bsw.exe C:\Windows\sites.ini C:\Windows\popuper.exe C:\Windows\system32\hhk.dll C:\Windows\System32\wldr.dll C:\Windows\System32\helper.exe C:\Windows\System32\intmon.exe C:\Windows\System32\shnlog.exe C:\Windows\System32\intmonp.exe C:\Windows\System32\msmsgs.exe C:\Windows\system32\msole32.exe C:\Windows\System32\ole32vbs.exe
> * Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

After that step.. is the list supposed to show in the Killbox??

Post #19 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

If you can't do that, then copy and paste each one into the area where you can paste, one by one, deleting them one by one.

Post #20 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

OK.. I did that.. but what is this supposed to do?

> 2.) Right-click HERE and Save As to download DelDomains.inf to your desktop. To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart). Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Post #21 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

It's supposed to restore some registry files that may have been infected by smithfraud or any other files.
Your log didn't seem to have any Trusted Zone, so you're safe on that, but you can never be too sure, so install it anyway.

Post #22 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

Alright! Thanks for everything.. but is it still supposed to have this desktop? I can't change it...

Post #23 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

All right, please post a new HJT log so I can see what's left of it, then we'll clear up your desktop.

Post #24 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Sorry for the double repost, but run EWIDO, the program you downloaded earlier, and post the LOG here after it scans. Oops, my mistake on the Killbox:
remove these files, repeating the same steps from earlier in this thread, but for these files:

```
C:\wp.exe
C:\wp.bmp
C:\Winnt\sites.ini
C:\Winnt\popuper.exe
C:\Winnt\System32\helper.exe
C:\Winnt\System32\intmonp.exe
C:\Winnt\System32\msmsgs.exe
C:\Winnt\System32\ole32vbs.exe
C:\Winnt\system32\msole32.exe
```

Post #25 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

Here's the HijackThis log..

```
Logfile of HijackThis v1.99.1
Scan saved at 9:05:09 PM, on 5/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\101\System32\smss.exe
C:\WINNT\101\system32\winlogon.exe
C:\WINNT\101\system32\services.exe
C:\WINNT\101\system32\lsass.exe
C:\WINNT\101\system32\svchost.exe
C:\WINNT\101\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\101\system32\svchost.exe
C:\Documents and Settings\Win20021\Desktop\Ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Win20021\Desktop\Ewido\security suite\ewidoguard.exe
C:\WINNT\101\system32\nvsvc32.exe
C:\WINNT\101\system32\regsvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\WINNT\101\system32\MSTask.exe
C:\WINNT\101\System32\WBEM\WinMgmt.exe
C:\WINNT\101\system32\svchost.exe
C:\WINNT\101\System32\WBEM\WinMgmt.exe
C:\WINNT\101\Explorer.EXE
C:\WINNT\101\system32\hphmon03.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.3\program\soffice.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Documents and Settings\Win20021\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\101\system32\hphmon03.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Personal Coach.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\101\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Win20021\Desktop\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Win20021\Desktop\Ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Documents and Settings\Win20021\Desktop\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\101\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINNT\101\system32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
```

I'm still waiting for the Ewido to load.

Post #26 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

All right, let's wait for the EWIDO first and then move on with the removal.

Post #27 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

Thank you so much for helping me with this virus! The CleanUp program cleaned it up! And then the black desktop was just a virus that controlled the pop-ups and it was on the local hardware.. so I just deleted that.. well, thanks for all of your help! I'll always remember the programs and I learned a thing or two about computers.. so thank you!!! I wish I could pay you.. but I'm a broke kid.. hahaha..

Post #28 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Wait, wait, so you're clean now then, right? How's your system running, better than before =]?

Post #29 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

Yes! I'm cleeaann!!! *squeakk!!* hahaha.. yeah.. I feel clean too!! No more aching back! hahaha.. well.. see ya around the forum.. I love your poems in the writing sections.. haha

Post #30 - *Influential Guitarist & Inspiring Writer* (Official Member; Posts: 1,217; Joined: Sep 2004; Member No: 51,134)

Well, one last request just to make sure your system is clean: PLEASE post your final log of HJT. This will be the moment of truth.

Post #31 - ¡vá-monos! (Member; Posts: 58; Joined: May 2005; Member No: 138,712)

Logfile of HijackThis v1.99.1
Scan saved at 9:47:31 PM, on 5/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\101\System32\smss.exe
C:\WINNT\101\system32\winlogon.exe
C:\WINNT\101\system32\services.exe
C:\WINNT\101\system32\lsass.exe
C:\WINNT\101\system32\svchost.exe
C:\WINNT\101\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\101\system32\svchost.exe
C:\WINNT\101\system32\regsvc.exe
C:\WINNT\101\system32\MSTask.exe
C:\WINNT\101\System32\WBEM\WinMgmt.exe
C:\WINNT\101\system32\svchost.exe
C:\WINNT\101\Explorer.EXE
C:\WINNT\101\system32\hphmon03.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\OpenOffice.org1.1.3\program\soffice.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\101\system32\HPHipm09.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Win20021\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\101\system32\hphmon03.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Personal Coach.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\minimavis.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\101\System32\dmadmin.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Documents and Settings\Win20021\Desktop\Ewido\security suite\ewidoctrl.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Documents and Settings\Win20021\Desktop\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\101\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINNT\101\system32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Haha, OK, but I THINK I'm clean.
Post #32
*Influential Guitarist & Inspiring Writer* (Group: Official Member, Posts: 1,217, Joined: Sep 2004, Member No: 51,134)
Congratulations, Insecure Emotions, your log is clean!
How do you protect yourself in the future? Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
Detect and Remove Programs:
So how did I get infected in the first place?
and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
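The "your log is clean" call above rests on reading each section of the HJT log, and the posted log is a good one to practise on. As an added example (not HijackThis code and not the helper's own procedure), here is a Python script that parses a v1.99 log and pulls out the three things a reader checks first: O23 services whose binary is gone, the host each O16 ActiveX control was downloaded from, and anything running or auto-starting from a user profile instead of the system or Program Files trees. The embedded sample is a constructed subset of the log posted above with its line breaks restored; the trusted path prefixes and the function names are assumptions of this example.

```python
"""Triage checks for a HijackThis v1.99 log. Added example for this thread; not
HijackThis code, not the helper's procedure. Trusted path roots are assumptions."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted above, line breaks restored.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\101\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Win20021\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINNT\101\system32\hphmon03.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Documents and Settings\Win20021\Desktop\navapsvc.exe (file missing)
O23 - Service: ewido security suite control - Unknown owner - C:\Documents and Settings\Win20021\Desktop\Ewido\security suite\ewidoctrl.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\101\system32\nvsvc32.exe
""".strip("\n")

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
TRUSTED_PREFIXES = (r"c:\program files", r"c:\progra~1")  # assumed, plus %SystemRoot%

def parse_hjt(text):
    """Return (running processes, [(section code, entry body)])."""
    processes, entries, in_procs = [], [], False
    for line in map(str.rstrip, text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def system_root(processes):
    """%SystemRoot% read from smss.exe, not hard-coded: this log uses a non-default dir."""
    for p in processes:
        m = re.match(r"(?i)^(.*)\\system32\\smss\.exe$", p)
        if m:
            return m.group(1)
    return None

def service_binary(body):
    # The avast entries end in 'exe" /service', so take the last .exe token.
    hits = re.findall(r'([^\\"]+\.exe)', body, re.I)
    return hits[-1].lower() if hits else None

def orphaned_services(entries, processes):
    """Split '(file missing)' O23 entries: real orphans vs. binaries still running."""
    running = {p.rstrip('"').rsplit("\\", 1)[-1].lower() for p in processes}
    orphans, still_running = [], []
    for code, body in entries:
        if code != "O23" or not body.endswith("(file missing)"):
            continue
        name = re.sub(r"^Service:\s*", "", body.split(" - ")[0])
        (still_running if service_binary(body) in running else orphans).append(name)
    return orphans, still_running

def activex_hosts(entries):
    """O16 (Downloaded Program Files) controls and the host each came from."""
    hosts = {}
    for code, body in entries:
        m = re.match(r"DPF: \{[0-9A-F-]+\} \((.*?)\) - (\S+)$", body, re.I)
        if code == "O16" and m:
            hosts[m.group(1)] = urlparse(m.group(2)).hostname
    return hosts

def profile_paths(processes, entries, root):
    """Processes and O4 autostarts outside %SystemRoot% and Program Files."""
    trusted = TRUSTED_PREFIXES + ((root.lower(),) if root else ())
    flagged = [p for p in processes if not p.lower().startswith(trusted)]
    for code, body in entries:
        sep = "]" if "]" in body else "="
        if code == "O4" and sep in body:
            target = body.split(sep, 1)[1].strip()
            if not target.lower().startswith(trusted):
                flagged.append(target)
    return flagged

def report(text):
    """Everything a log reader checks first, in one dict."""
    processes, entries = parse_hjt(text)
    root = system_root(processes)
    orphans, still_running = orphaned_services(entries, processes)
    return {"system_root": root, "orphaned_services": orphans,
            "file_missing_but_running": still_running,
            "activex_hosts": activex_hosts(entries),
            "profile_paths": profile_paths(processes, entries, root)}

if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the subset, `report(SAMPLE_LOG)` returns the two genuinely orphaned services (Norton's navapsvc and the ewido control, both pointing at Desktop paths that no longer exist, so they cannot run and removing them is housekeeping rather than cleanup), lists avast! Mail Scanner separately because ashMaiSv.exe is in the process list despite its "(file missing)" tag, resolves the two ActiveX controls to a840.g.akamai.net and www.worldwinner.com, and flags only HijackThis.exe itself as running from the Desktop, which is where the poster launched it. The cross-check against running processes is the caveat worth keeping: a "(file missing)" tag on its own is not grounds for a fix.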
Post #33
¡vá-monos! (Group: Member, Posts: 58, Joined: May 2005, Member No: 138,712)
Thank you, thank you, thank you again!!