Help! PC totally screwed

  1. #1 Hita (Newbie)

    Help! PC totally screwed

    Hi People,

    I'm trying to get rid of several hijacks and popups. The most annoying one is the explorer.exe popup and the homepage hijack oneclicksearches.com. I read the forum's rules and first did a sweep with Spybot and Ad-Aware.
    This is my HJT log after this:

    Logfile of HijackThis v1.99.1
    Scan saved at 14:29:04, on 25-6-2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\msole32.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Teun\Mijn documenten\Mijn Programma's\Hijack Remover\hijackthis2\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\dwwin.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.nl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpE3E7.tmp
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [AudioHQU] C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100108599104
    O20 - Winlogon Notify: style2 - C:\WINDOWS\q1743887_disk.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    Many thanks for the effort!


  2. #2 HJThis (Senior Member)
    Hello, Hita, and welcome.

    Press control-alt-delete to get into the task manager and end the following processes if they exist:
    msole32.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    http://www.oneclicksearches.com/search.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/

    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpE3E7.tmp

    O20 - Winlogon Notify: style2 - C:\WINDOWS\q1743887_disk.dll

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:
    C:\WINDOWS\System32\hpE3E7.tmp<---This file
    C:\WINDOWS\q1743887_disk.dll<---This file
    C:\WINDOWS\System32\msole32.exe<---This file

    Then do this here

    Empty your Temp folders as follows:
    Open Internet Explorer. You'll get a Page not Found error, but that's normal in safe mode.
    At the top, click Tools>Internet Options> and then, in the center click Delete Cookies
    Click Delete Files and then in the new applet check the box for all offline content
    Click OK
    Close that applet and open the C>Windows>Temp folder, and delete all files in there too, and all files in sub-folders of Temp.
    Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until folder is empty
    Double check to see if the folder C:\DOCUMENTSandSETTINGS\YOUR NAME\LOCALSETTINGS\Temp is empty.
    Empty your recycle bin

    & this here

    click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS

    That will change everything back to defaults (M$)......

    Change your homepage and search engines to whatever you wish and reset your pc.

    When it boots back up, open IE and see if the page stays the way that you set it.

    & get this here out of the way

    Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
       1. Change the Download signed ActiveX controls to Prompt
       2. Change the Download unsigned ActiveX controls to Disable
       3. Change the Initialize and script ActiveX controls not marked as safe to Disable
       4. Change the Installation of desktop items to Prompt
       5. Change the Launching programs and files in an IFRAME to Prompt
       6. Change the Navigate sub-frames across different domains to Prompt
       7. When all these settings have been made, click on the OK button.
       8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.

    Then reboot, tell us how it is, and show us a new logfile.

    HGD
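    The entries HJThis singles out above (R0/R1 start and search values pointing at a host the user never chose, an O2 BHO loaded from a .tmp file, an O20 Winlogon Notify DLL outside System32) can be picked out of a HijackThis log mechanically. The following is an added example, not code from the thread or from HijackThis; the sample log is constructed from a subset of the lines posted, and the expected hosts (google.nl) are assumed from the user's own SearchURL entries.

```python
"""Mechanical triage of a HijackThis 1.99.1 log (added example, not HijackThis code).

Flags the three entry classes singled out in the thread: R0/R1 start/search values
pointing at a host the user never chose, an O2 BHO loaded from a .tmp file, and an
O20 Winlogon Notify DLL that does not live in System32.
"""
import re
from urllib.parse import urlparse

# Hosts the user intends for IE start/search values. Assumption taken from the
# google.nl entries in the log; any other host in an R0/R1 value is reported.
EXPECTED_HOSTS = {"www.google.nl", "google.nl"}

# Constructed sample in the shape of the log above (a subset of its lines).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpE3E7.tmp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: style2 - C:\WINDOWS\q1743887_disk.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# "{CLSID} - path" tail of an O2 line; the CLSID is always 36 characters inside braces.
BHO_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")


def _host_of(url: str) -> str:
    """Hostname of an http(s) URL; '' for about:blank and anything non-http."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return ""
    return (parsed.hostname or "").lower()


def triage_line(line: str):
    """Return (section, reason) when a log line looks like a hijack, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec in ("R0", "R1"):
        # body is "HKCU\...\Main,Search Page = http://..."; the value name follows the comma
        key, _, value = body.partition(" = ")
        host = _host_of(value)
        if host and host not in EXPECTED_HOSTS:
            name = key.split(",")[-1]
            return sec, f"IE '{name}' points at unexpected host {host}"
        return None

    if sec == "O2":
        bho = BHO_RE.search(body)
        if bho and bho.group("path").lower().endswith(".tmp"):
            return sec, f"BHO loaded from a .tmp file: {bho.group('path')}"
        return None

    if sec == "O20":
        # "Winlogon Notify: name - path"; legitimate notify DLLs live in System32
        path = body.rsplit(" - ", 1)[-1]
        folder = path.lower().rsplit("\\", 1)[0]
        if not folder.endswith("\\system32"):
            return sec, f"Winlogon Notify DLL outside System32: {path}"
        return None

    return None


def triage_log(text: str):
    """Apply triage_line to every line; returns the flagged (section, reason) pairs."""
    hits = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for sec, reason in triage_log(SAMPLE_LOG):
        print(f"{sec}: {reason}")
```

    The O4 and O23 lines in the sample pass through untouched: the script only reports the classes the thread reviews, so a clean result is not a clean machine.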

  3. #3 Hita (Newbie)
    Many thanks for the quick response. The explorer.exe problem is solved with your help, only the oneclicksearches.com won't disappear. I checked the lines in HJT and fixed them, then I tried in safe mode to get rid of the windows/system32/hpE3E7.tmp but this file isn't there, whereas the other files were. Do you have another idea? That would be great! But again, you helped me out a lot already! Thanks for the tips on internet security.


    Logfile of HijackThis v1.99.1
    Scan saved at 19:31:51, on 25-6-2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\shnlog.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\intmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.nl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp83DE.tmp
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [AudioHQU] C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100108599104
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

  4. #4 HJThis (Senior Member)
    Hi, Hita

    Sorry about the hold up on this

    Please read these instructions carefully and copy them to notepad! Save the notepad file to your desktop so you will have it to refer to. Be sure to follow ALL instructions!

    Press control-alt-delete to get into the task manager and end the following processes if they exist:
    shnlog.exe
    intmon.exe


    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.


    * Go here to download CCleaner.

    * Install CCleaner
    * Launch CCleaner and look in the upper right corner and click on the "Options" button.
    * Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
    * Click OK
    * Do not run CCleaner yet. You will run it later in safe mode.


    * Click Here and download Killbox and save it to your desktop.


    * Click here to download smitfraud.reg. Download it and "Save" it to your desktop and have it ready to run later.


    * Click here for info on how to boot to safe mode if you don't already know how.

    * Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/

    O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp83DE.tmp

    * Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\System32\shnlog.exe
    C:\WINDOWS\System32\intmon.exe
    C:\WINDOWS\System32\hp83DE.tmp


    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    Exit the Killbox.


    * Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    Find and delete these folders/files if they exist:
    C:\WINDOWS\System32\shnlog.exe<---This file
    C:\WINDOWS\System32\intmon.exe<---This file
    C:\WINDOWS\System32\hp83DE.tmp<---This file

    * IMPORTANT!: If you forget to run the smitfraud.reg file you may not be able to boot your computer normally. DO NOT forget this step. Locate smitfraud.reg on your desktop and doubleclick on it. When asked if you want to merge with the registry click YES. After you receive the prompt "merged successfully", follow the rest of instructions below.


    * Start Ccleaner and click Run Cleaner


    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    * Restart back into Windows normally now.


    * Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.


    * Run ActiveScan online virus scan here.

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJackThis log along with the results from ActiveScan

    HGD

  5. #5 Hita (Newbie)
    Thank you very much for your help! You are truly a god in destroying hacks and all of its friends. But, as you requested, a log from HJT and the virus scan. By the way, I deleted all of the files from the virus scan manually, only I couldn't find the SaveNow adware in my registry. I tried to find it with a search in regedit, searching on savenow, but that gave nothing.

    Logfile of HijackThis v1.99.1
    Scan saved at 22:59:49, on 26-6-2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.nl
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [AudioHQU] C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100108599104
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    -------------------Virusscan------------------------


    Incident Status Location

    Virus:W32/Smitfraud.B Disinfected Operating system
    Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\OLEADM.dll
    Adware:Adware/SaveNow No disinfected Windows Registry
    Adware:Adware/Popuper No disinfected C:\WINDOWS\System32\intmonp.exe
    Adware:Adware/Virmaid No disinfected C:\WINDOWS\popuper.exe
    Adware:Adware/Smitfraud No disinfected C:\WINDOWS\System32\wp.bmp
    Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\System32\hookdump.exe
    Adware:Adware/PsGuard No disinfected C:\Documents and Settings\Teun\Application Data\PSGuard.com
    Adware:Adware/Startpage.ACK No disinfected C:\RECYCLER\NPROTECT\00014978.exe
    Adware:Adware/Smitfraud No disinfected C:\RECYCLER\NPROTECT\00014979.exe
    Adware:Adware/Popuper No disinfected C:\WINDOWS\popuper.exe
    Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\screen.html
    Virus:Trj/Clicker.BN Disinfected C:\WINDOWS\system32\hhk.dll
    Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\system32\hookdump.exe
    Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\intmonp.exe
    Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\msmsgs.exe
    Adware:Adware/Smitfraud No disinfected C:\WINDOWS\system32\oleadm.dll
    Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\system32\wininet.dll
    Adware:Adware/Smitfraud No disinfected C:\WINDOWS\system32\wp.bmp
    If you still find something, let me know...

    Thanks again

  6. #6 HJThis (Senior Member)
    Hi, Hita

    As for the logfile, I don't see any more items, but the virus scan is saying some are there, so try this first

    Right-click: HERE and select Save As (in Internet Explorer it's labeled Save Target As) in order to download the Smitfraud.reg file. Save this file to your desktop.

    Locate the smitfraud.reg file on your desktop and double-click it. When asked if you want to merge with the registry, click the YES button. Wait for the "merged successfully" prompt then follow the rest of the instructions below.


    Download The Hoster and run hoster.exe. Press the Restore Original Hosts button and then press the OK button. When it is done, exit the program.


    Right-Click HERE and select Save As to download DelDomains.inf to your desktop.

    Now RIGHT-CLICK on the DelDomains.inf file on your desktop and select the Install option.

    Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.


    Download, install, and run CleanUp!


    Run this online virus scan ActiveScan to clean up any left over traces of these infections.

    HGD

  7. #7 Hita (Newbie)
    OK, thanks for the total cleanup!

    Oh, by the way, the cleanup link doesn't work... but take no offense.

  8. #8 HJThis (Senior Member)
    Hi, Hita

    Hmm, me and links... See if this one is good:

    http://www.stevengould.org/downloads.../CleanUp40.exe

    HGD
