#1
Bronze Member
Join Date: Feb 2006
Posts: 37
My girlfriend's computer has some virus and I need some help. Every time she gets on the internet, pop-ups about her registry start popping up every 5 seconds. I have already run Ad-Aware and Spybot; it hasn't helped. I have also reinstalled the OS and it just keeps on messing up. So here goes my HJT log, hope someone can help. Thanks
Logfile of HijackThis v1.99.1
Scan saved at 4:16:40 PM, on 3/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\mfs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\SYSADWARE.EXE
C:\WINDOWS\System32\iexplorersis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Incroporate] mfs.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winsock2 driver] SYSADWARE.EXE
O4 - HKLM\..\Run: [Microsoft Machine Script] iexplorersis.exe
O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKLM\..\RunServices: [Microsoft Incroporate] mfs.exe
O4 - HKLM\..\RunServices: [Microsoft Machine Script] iexplorersis.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] SYSADWARE.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Last edited by foxtrot; 03-11-2006 at 10:36 PM.
#2
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 7,582
Run HijackThis and select "Do a system scan only", then place a check by the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Microsoft Incroporate] mfs.exe
O4 - HKLM\..\Run: [Winsock2 driver] SYSADWARE.EXE
O4 - HKLM\..\Run: [Microsoft Machine Script] iexplorersis.exe
O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKLM\..\RunServices: [Microsoft Incroporate] mfs.exe
O4 - HKLM\..\RunServices: [Microsoft Machine Script] iexplorersis.exe
O4 - HKCU\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] SYSADWARE.EXE

Close all open windows and browsers, and hit "Fix Checked".

Delete these files:
C:\WINDOWS\System32\mfs.exe
C:\WINDOWS\System32\SYSADWARE.EXE
C:\WINDOWS\System32\iexplorersis.exe

Find and delete this file:
NeroFil.EXE

Reboot and post a new HijackThis log, and say how things are now.
Son of Glyndwr. Mae hen wlad fy nhadau yn annwyl i mi (The old land of my fathers is dear to me)
#4
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 7,582
Quote:
#5
banned
Join Date: Mar 2006
Age: 20
Posts: 572
Quote:
But other than that, just reinstalling Windows won't help.

#7
Bronze Member
Join Date: Feb 2006
Posts: 37
Nothing has changed. But I couldn't find:
C:\WINDOWS\System32\mfs.exe
C:\WINDOWS\System32\SYSADWARE.EXE
C:\WINDOWS\System32\iexplorersis.exe
NeroFil.EXE

Maybe I was searching for them wrong, but anyway, here goes my new log.

Logfile of HijackThis v1.99.1
Scan saved at 4:47:53 PM, on 3/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{805B22CC-31FD-4D6C-B6D9-B375FAE35D49}: NameServer = 69.43.32.27 66.118.64.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
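The entries Digaredd picked out in post #2, and the O17 NameServer line that turns up in the second log above, can be pulled out of a HijackThis log mechanically. The script below is an added example for this thread, not code from the forum or from HijackThis. It parses the O4 and O17 lines of a v1.99-format log and flags what a responder would check first: Run values that hold only a filename with no path (Windows then resolves them through its search path at logon, and the first process list shows those files living in System32), entries under the Windows 9x-only RunServices keys that NT-based Windows ignores but malware still writes, and registry-set DNS resolvers on public addresses, which is the key DNS hijackers rewrite. The sample input is constructed from the O4 and O17 lines posted in this thread; the vendor-word list and the choice of which keys count as legacy are this example's own assumptions, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List

# Constructed sample: O4 and O17 entries copied from the two logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Incroporate] mfs.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Winsock2 driver] SYSADWARE.EXE
O4 - HKLM\..\Run: [Microsoft Machine Script] iexplorersis.exe
O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Winsock2 driver] SYSADWARE.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{805B22CC-31FD-4D6C-B6D9-B375FAE35D49}: NameServer = 69.43.32.27 66.118.64.1
"""

# "O4 - HKLM\..\Run: [Name] command" ; Global Startup lines deliberately do not match.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")

# Windows 9x autostart keys; NT-based Windows never processes them, so a
# legitimate XP installer has no reason to write one (assumption of this example).
LEGACY_KEYS = {"RunServices", "RunServicesOnce"}
# Words malware borrows for its entry names to look like system components (assumed list).
VENDOR_WORDS = ("microsoft", "winsock", "windows")


@dataclass
class Finding:
    section: str      # "O4" or "O17"
    subject: str      # entry name, or "NameServer"
    line: str         # the raw log line
    reasons: List[str]


def _is_public(addr: str) -> bool:
    """True for a routable unicast address; RFC 1918, loopback and link-local are not."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(log_text: str) -> List[Finding]:
    """Return the O4/O17 entries worth checking, each with the reasons it was flagged."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            name, key, cmd = m["name"], m["key"], m["cmd"].strip()
            reasons = []
            # A value with no path component is resolved via the search path at logon;
            # every legitimate entry in the posted logs carries a full path.
            if cmd and "\\" not in cmd and "/" not in cmd:
                reasons.append("bare filename, no path in the Run value")
            if key in LEGACY_KEYS:
                reasons.append(f"{key} is a Windows 9x key that XP ignores")
            # Name impersonation alone is weak evidence, so it only strengthens another reason.
            if reasons and any(w in name.lower() for w in VENDOR_WORDS):
                reasons.append("entry name borrows a vendor name")
            if reasons:
                findings.append(Finding("O4", name, line, reasons))
            continue
        m = O17_RE.match(line)
        if m:
            public = [s for s in m["servers"].split() if _is_public(s)]
            if public:
                findings.append(Finding("O17", "NameServer", line, [
                    f"resolvers {', '.join(public)} hard-set in the registry; "
                    "confirm they are the ISP's, this is the key DNS hijackers rewrite"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.subject}]: {'; '.join(f.reasons)}")
```

Against the constructed sample the four entries Digaredd listed in post #2 come out flagged and the Intel, Symantec, iTunes and Messenger entries do not; the O17 line is flagged for verification rather than condemned, because the script has no way to know which resolvers the ISP actually assigned.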
#8
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 7,582
Download the trial version of Spy Sweeper from Here
Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)
You will be prompted to check for updated definitions; please do so. (This may take several minutes.)
Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C.
Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system.
When the sweep has finished, click Remove. Click Select All and then Next.
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
Exit Spy Sweeper.
Restart your computer, and then please copy and paste the Spy Sweeper log into this thread.
#9
Bronze Member
Join Date: Feb 2006
Posts: 37
So far it's been working fine, but I haven't been on the internet very long. Here is the session log.

********
6:19 PM: | Start of Session, Sunday, March 12, 2006 |
6:19 PM: Spy Sweeper started
6:19 PM: Sweep initiated using definitions version 630
6:19 PM: Starting Memory Sweep
6:22 PM: Memory Sweep Complete, Elapsed Time: 00:03:20
6:22 PM: Starting Registry Sweep
6:22 PM: Registry Sweep Complete, Elapsed Time: 00:00:28
6:22 PM: Starting Cookie Sweep
6:22 PM: Found Spy Cookie: websponsors cookie
6:22 PM: owner@a.websponsors[2].txt (ID = 3665)
6:22 PM: Found Spy Cookie: about cookie
6:22 PM: owner@about[1].txt (ID = 2037)
6:22 PM: Found Spy Cookie: yieldmanager cookie
6:22 PM: owner@ad.yieldmanager[1].txt (ID = 3751)
6:22 PM: Found Spy Cookie: adecn cookie
6:22 PM: owner@adecn[1].txt (ID = 2063)
6:22 PM: Found Spy Cookie: adknowledge cookie
6:22 PM: owner@adknowledge[1].txt (ID = 2072)
6:22 PM: Found Spy Cookie: hbmediapro cookie
6:22 PM: owner@adopt.hbmediapro[2].txt (ID = 2768)
6:22 PM: Found Spy Cookie: specificclick.com cookie
6:22 PM: owner@adopt.specificclick[1].txt (ID = 3400)
6:22 PM: Found Spy Cookie: ask cookie
6:22 PM: owner@ask[1].txt (ID = 2245)
6:22 PM: Found Spy Cookie: belnk cookie
6:22 PM: owner@ath.belnk[1].txt (ID = 2293)
6:22 PM: Found Spy Cookie: atwola cookie
6:22 PM: owner@atwola[2].txt (ID = 2255)
6:22 PM: Found Spy Cookie: banner cookie
6:22 PM: owner@banner[2].txt (ID = 2276)
6:22 PM: owner@belnk[1].txt (ID = 2292)
6:22 PM: Found Spy Cookie: bizrate cookie
6:22 PM: owner@bizrate[1].txt (ID = 2308)
6:22 PM: Found Spy Cookie: burstnet cookie
6:22 PM: owner@burstnet[2].txt (ID = 2336)
6:22 PM: Found Spy Cookie: enhance cookie
6:22 PM: owner@c.enhance[1].txt (ID = 2614)
6:22 PM: Found Spy Cookie: overture cookie
6:22 PM: owner@data2.perf.overture[1].txt (ID = 3106)
6:22 PM: owner@dist.belnk[1].txt (ID = 2293)
6:22 PM: Found Spy Cookie: ru4 cookie
6:22 PM: owner@edge.ru4[1].txt (ID = 3269)
6:22 PM: Found Spy Cookie: 2o7.net cookie
6:22 PM: owner@entrepreneur.122.2o7[1].txt (ID = 1958)
6:22 PM: Found Spy Cookie: go.com cookie
6:22 PM: owner@espn.go[2].txt (ID = 2729)
6:22 PM: owner@go[1].txt (ID = 2728)
6:22 PM: owner@guitar.about[2].txt (ID = 2038)
6:22 PM: Found Spy Cookie: clickandtrack cookie
6:22 PM: owner@hits.clickandtrack[2].txt (ID = 2397)
6:22 PM: Found Spy Cookie: screensavers.com cookie
6:22 PM: owner@i.screensavers[2].txt (ID = 3298)
6:22 PM: Found Spy Cookie: l2m.net cookie
6:22 PM: owner@l2m[1].txt (ID = 2913)
6:22 PM: owner@msnportal.112.2o7[1].txt (ID = 1958)
6:22 PM: Found Spy Cookie: nextag cookie
6:22 PM: owner@nextag[1].txt (ID = 5014)
6:22 PM: owner@rsi.espn.go[1].txt (ID = 2729)
6:22 PM: owner@screensavers[2].txt (ID = 3297)
6:22 PM: Found Spy Cookie: servlet cookie
6:22 PM: owner@servlet[2].txt (ID = 3345)
6:22 PM: owner@sports.espn.go[2].txt (ID = 2729)
6:22 PM: Found Spy Cookie: tacoda cookie
6:22 PM: owner@tacoda[2].txt (ID = 6444)
6:22 PM: Found Spy Cookie: burstbeacon cookie
6:22 PM: owner@www.burstbeacon[2].txt (ID = 2335)
6:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
6:23 PM: Starting File Sweep
6:25 PM: Found Adware: whenu savenow
6:25 PM: vvsninst.exe (ID = 127141)
6:35 PM: File Sweep Complete, Elapsed Time: 00:12:51
6:35 PM: Full Sweep has completed. Elapsed time 00:16:49
6:35 PM: Traces Found: 34
6:36 PM: Removal process initiated
6:36 PM: Quarantining All Traces: 2o7.net cookie
6:36 PM: Quarantining All Traces: about cookie
6:36 PM: Quarantining All Traces: adecn cookie
6:36 PM: Quarantining All Traces: adknowledge cookie
6:36 PM: Quarantining All Traces: ask cookie
6:36 PM: Quarantining All Traces: atwola cookie
6:36 PM: Quarantining All Traces: banner cookie
6:36 PM: Quarantining All Traces: belnk cookie
6:36 PM: Quarantining All Traces: bizrate cookie
6:36 PM: Quarantining All Traces: burstbeacon cookie
6:36 PM: Quarantining All Traces: burstnet cookie
6:36 PM: Quarantining All Traces: clickandtrack cookie
6:36 PM: Quarantining All Traces: enhance cookie
6:36 PM: Quarantining All Traces: go.com cookie
6:36 PM: Quarantining All Traces: hbmediapro cookie
6:36 PM: Quarantining All Traces: l2m.net cookie
6:36 PM: Quarantining All Traces: nextag cookie
6:36 PM: Quarantining All Traces: overture cookie
6:36 PM: Quarantining All Traces: ru4 cookie
6:36 PM: Quarantining All Traces: screensavers.com cookie
6:36 PM: Quarantining All Traces: servlet cookie
6:36 PM: Quarantining All Traces: specificclick.com cookie
6:36 PM: Quarantining All Traces: tacoda cookie
6:36 PM: Quarantining All Traces: websponsors cookie
6:36 PM: Quarantining All Traces: whenu savenow
6:36 PM: Quarantining All Traces: yieldmanager cookie
6:36 PM: Removal process completed. Elapsed time 00:00:09
********
6:04 PM: | Start of Session, Sunday, March 12, 2006 |
6:04 PM: Spy Sweeper started
6:04 PM: Messenger service has been disabled.
6:15 PM: Your spyware definitions have been updated.
6:19 PM: | End of Session, Sunday, March 12, 2006 |

Thanks for the help