I cant seem to get rid of this virus! please help

[dwarfy.mafia]

Hi,

Last night, when I was downloading something, I seemed to of picked up this strange virus. In the bottom right corner, (The mini toolbar with the clock), there was a flashing yellow exclamation mark, and my home page (google) wouldent load, instead a page would load that would tell me to pay 50 dollars to get rid of my virus... I scanned my virus programs (Spybot and Ad-Aware), and it did not get rid of the problem.. I turned on my computer today, and now my home page loads, but about once every 30 seconds, a new window appears, which tells me all these virues I have, and I have to close it, and it pops up again, then I close it and it wont come back for a few minutes.

Please help! I have never had any major problems with virus's on this computer before

Here is my Hijack This info

I dont see how anyone can make anything outta this, but this is what the sticky told me to do

Thanks in advance for your help
It is sincerily appreciated, as I cant afford to bring my computer in to be fixed right now.

Logfile of HijackThis v1.99.1
Scan saved at 11:47:17 PM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SoftCodec\isamonitor.exe
C:\Program Files\SoftCodec\pmsngr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Blitzz\802.11g USB Adapter BWU723\ZDWlan.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SoftCodec\pmmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\SoftCodec\isaddon.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Program Files\SoftCodec\iesplugin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WLAN Utility.lnk = C:\Program Files\Blitzz\802.11g USB Adapter BWU723\ZDWlan.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FA6E94F-B7C2-47A9-BC73-8B4253928370}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

 

[edifier]

Do you still require assistance?.

 

[dwarfy.mafia]

yes please!

 

[edifier]

Download SmitfraudFix (by S!Ri) http://siri.urz.free.fr/Fix/SmitfraudFix.zip to your Desktop.
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Post this log.

 

[leeroyMarv]

Haven't finished checking the log yet but found this;
Trojan-Downloader.Zlob.Media-Codec
Type Malware
Type Description Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
Category Trojan Downloader
Category Description A Trojan Downloader is a program typically installed through an exploit or some other deceptive means and that facilitates the download and installation of other malware and unwanted software onto a victim's PC. A Trojan Downloader may download adware, spyware or other malware from multiple servers or sources on the internet.
Level High
Level Description High risk threats are typically installed without user interaction through security exploits, and can severely compromise system security. Such threats may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These threats may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice Type Remove
Description Trojan-Downloader.Zlob.Media-Codec is a program that typically purports to be a needed upgrade to Windows Media Player in order to view adult oriented videos on certain websites. However, Trojan-Downloader.Zlob.Media-Codec actually downloads and installs additional malware on the user's machine.
Add. Description Trojan-Downloader.Zlob.Media-Codec often silently downloads and installs rogue security programs such as SpywareQuake, SpyFalcon and WinAntivirusPro, but may install other malware as well. Some variants of Trojan-Downloader.Zlob.Media-Codec have backdoor functionality, giving a remote attacker the ability to control and use the infected machine for malicious purposes.
File Traces
%PROGRAM_FILES%\icodecpack\isamonitor.exe

and

pmsngr.exe is a process associated with Trojan.Media-Codec.Process from NA. pmsngr.exe
i.e. it is related to the other file; isamonitor.exe
You really should scan those files, they appear to be a trojan

C:\Program Files\SoftCodec\pmmon.exe
This one also appears to be part of the trojan. What is this SoftCodec folder you have, do you know what it is? All the stuff in it seems to be part of a trojan

SoftCodec is apparently supposed to be a multimedia compressor for windows, but the files in it are trojans; 'Trojan.SoftCodec Spyware' You should scan it with a good free antivirus like AVG; free.grisoft.com/ and anti-spyware; Ad-Aware; www.lavasoft.de/software/adaware/
But i still think those files are viruses

 

[Pizzaman]

Sounds like the about:blank virus i had a couple months back. Takes ages to get rid of. I ended up having to go into the registry files and removing a file called appinit.dll Here is a link:http://www.akadia.com/services/about_blank_virus.html
and another i used:
http://www.pchell.com/support/aboutblank.shtml

 

[dwarfy.mafia]

SmitFraudFix v2.109

Scan done at 12:32:32.15, 14/10/2006
Run from C:\Downloads\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\dpfwu.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Camsta


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Camsta\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Camsta\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SoftCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



That is the log I got.


and leeroy, im not to sure what the sofcodec thing is, but its not something I need or use.

 

[edifier]

Go to ADD/REMOVE Programs and uninstall all versions of 'Java'. Then proceed here - http://java.sun.com/javase/downloads/index.jsp and install - 'Java Runtime Environment (JRE) 5.0 Update 9'. Also uninstall the following if you did not install them.

Noble Poker
PartyPoker

Go to 'Control Panel/folder options/view' and check 'show hidden files and folders'.While there, UNCHECK 'hide protected operating system files(recommended)'. Click Apply and Okay.

Download Ewido(AVG Antispyware) http://www.ewido.net/en/download/ then set it up this way http://rstones12.geekstogo.com/ewidosetup.htm You will need this later in safe mode
Make sure to update this program.

Download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ You will need it later in safe mode.

Reboot your computer in Safe Mode by doing the following.

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Please make sure ALL security programs including 'Spybot', your Antivirus, Ewido, etc, are disabled until they are needed. They may interfere with the cleaning process.

Run Smitfraud

* Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
* Select option #2 - Clean by typing 2 and press Enter.
* Wait for the tool to complete and disk cleanup to finish.
* You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
* The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.Save this log.

Navigate to the following folder and delete if still present.

C:\Program Files\SoftCodec

From safemode, run HijackThis and put a check by the following entries if still present, close all open windows and browsers except HijackThis and click 'Fix Checked'

O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\SoftCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Program Files\SoftCodec\iesplugin.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

Exit Hijack This but remain in safe mode.

Run Ewido - make sure of the following settings.

Select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"

Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Save this scan log.

Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use firefox also, select at top of ATF cleaner-tick Select all and run again.

Reboot into normal windows, run ATF cleaner again and post a fresh 'HJT' log along with the safemode scan logs from Ewido and SmitFraudFix.

 

[dwarfy.mafia]

Hi, thx for all the help so far!

I did what you told me to do, and here are the logs I have




SmitFraudFix v2.109

Scan done at 16:20:21.84, 14/10/2006
Run from C:\Downloads\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\dpfwu.dll Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\SoftCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End






--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:34:13 PM 14/10/2006

+ Scan result:



C:\Downloads\SetupPoker.exe -> Adware.Casino : No action taken.
C:\System Volume Information\_restore{C1BA3EC0-6DD3-4C77-9BE2-2E0F8E04EC34}\RP508\A0091821.exe -> Adware.Casino : No action taken.
HKU\S-1-5-21-1137396071-3439514860-3377727607-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} -> Adware.Generic : No action taken.
C:\Program Files\filesubmit\kaleidascope_ss.zip\NNWDAC638.EXE -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{C1BA3EC0-6DD3-4C77-9BE2-2E0F8E04EC34}\RP503\A0091395.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{C1BA3EC0-6DD3-4C77-9BE2-2E0F8E04EC34}\RP503\A0091396.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{C1BA3EC0-6DD3-4C77-9BE2-2E0F8E04EC34}\RP503\A0091476.dll -> Adware.NewDotNet : No action taken.
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : No action taken.
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : No action taken.
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : No action taken.
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : No action taken.
HKU\S-1-5-21-1137396071-3439514860-3377727607-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{C1BA3EC0-6DD3-4C77-9BE2-2E0F8E04EC34}\RP508\A0091862.dll -> Adware.ProtectionBar : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Camsta\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@ivwbox[1].txt -> TrackingCookie.Ivwbox : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@oewabox[1].txt -> TrackingCookie.Oewabox : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Planetactive : No action taken.
C:\Documents and Settings\Camsta\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Realcastmedia : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Camsta\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Starware : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Starware : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Valuead : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@yadro[1].txt -> TrackingCookie.Yadro : No action taken.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Camsta\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Camsta\Cookies\camsta@zedo[2].txt -> TrackingCookie.Zedo : No action taken.


::Report end

 

[edifier]

You did not have Ewido delete all those baddies. Please do the following.

Look in ADD/REMOVE Programs for 'NewDotNet'. If there, uninstall it.

Update Ewido and reboot into safemode again. Run Ewido and 'Delete' whatever it finds. Once completed, save the scan log.

Run ATF cleaner.

Reboot into normal windows and post the Ewido safemode scan log and a new HijackThis log.

 

[dwarfy.mafia]

Hi, I could not find Newdotnet in remove programs.

I did the Ewido again, and delted this time, and here are my results


VG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:49:06 AM 16/10/2006

+ Scan result:



C:\Downloads\SetupPoker.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C1BA3EC0-6DD3-4C77-9BE2-2E0F8E04EC34}\RP508\A0091821.exe -> Adware.Casino : Cleaned with backup (quarantined).
HKU\S-1-5-21-1137396071-3439514860-3377727607-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\filesubmit\kaleidascope_ss.zip\NNWDAC638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C1BA3EC0-6DD3-4C77-9BE2-2E0F8E04EC34}\RP503\A0091395.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C1BA3EC0-6DD3-4C77-9BE2-2E0F8E04EC34}\RP503\A0091396.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C1BA3EC0-6DD3-4C77-9BE2-2E0F8E04EC34}\RP503\A0091476.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-1137396071-3439514860-3377727607-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C1BA3EC0-6DD3-4C77-9BE2-2E0F8E04EC34}\RP508\A0091862.dll -> Adware.ProtectionBar : Cleaned with backup (quarantined).
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Camsta\Cookies\camsta@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Camsta\Cookies\camsta@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Camsta\Cookies\camsta@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Casinotropez : Cleaned.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Comclick : Cleaned.
C:\Documents and Settings\Camsta\Cookies\camsta@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\Camsta\Cookies\camsta@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Camsta\Cookies\camsta@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Camsta\Cookies\camsta@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Camsta\Cookies\[email protected][2].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Camsta\Cookies\camsta@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Camsta\Cookies\camsta@weborama[2].txt -> TrackingCookie.Weborama : Cleaned.
C:\Documents and Settings\Camsta\Cookies\camsta@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned.
C:\Documents and Settings\Camsta\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Camsta\Cookies\camsta@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

\





Logfile of HijackThis v1.99.1
Scan saved at 7:54:57 AM, on 16/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Blitzz\802.11g USB Adapter BWU723\ZDWlan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WLAN Utility.lnk = C:\Program Files\Blitzz\802.11g USB Adapter BWU723\ZDWlan.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FA6E94F-B7C2-47A9-BC73-8B4253928370}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Thx!

 

[edifier]

Your log looks clean. You should flush the Restore Folder by going to 'Control Panel/ System/System Restore' and check the box ' Turn off system restore on all drives' click 'apply' and 'okay'.Reboot your computer and then enable system restore again and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'.

If you are not experiencing any more issues, feel free to install and use any of the freebies on this list. Firewalls are a little further down.

http://www.computerforum.com/52032-list-malware-detection-prevention-programs.html

 

[dwarfy.mafia]

Alright cool!
Thanks very much for the help, its greatly appreciated.

 

[edifier]

Your Welcome.

 

[andy1st]

Might sound silly but

why dont you try to do a system restore point and just bin your previous days activity (last good check point)