I've done it that way and it still says I've started it from a Temp Folder when I open it. That's what I did the first time. I hate computers! :bang: :bang: :bang:
Right, I just ran the scan anyway. This is what it came up with.

Logfile of HijackThis v1.99.1
Scan saved at 10:58:40, on 24/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\Program Files\iTunes\iTunes.exe
C:\Audio\Native Instruments\Traktor\Traktor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zrixm.dll/sp.html#90728
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrixm.dll/sp.html#90728
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zrixm.dll/sp.html#90728
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zrixm.dll/sp.html#90728
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrixm.dll/sp.html#90728
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EAEC3929-DEFC-7073-95B8-A996761C4ED8} - C:\WINDOWS\system32\d3qk32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{823900D7-574C-4BE0-B115-385DC18F7F6A}: NameServer = 194.74.65.68 194.72.9.34
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
What are you using - winzip or winrar? You'll have to give me til this evening to run through that log, I'm attempting but failing to get work done at the mo
No worries Try right-clicking on the hijackthis.zip file and selecting 'unzip to /hijackthis' or similar, it should extract cleanly to another folder. You do need to make sure though that the hijackthis.exe is placed in a folder at the root of the drive, eg C:\Hijack\ - if it's in my documents or similar it will f-up. Shall be back with results later
Hmm... nasty stuff

Copy and paste this to a text file for later.

Download adaware (http://www.lavasoftusa.com/software/adaware/), spybot (http://www.majorgeeks.com/download.php?det=2471), cwshredder (http://www.majorgeeks.com/download4086.html), install, update all 3, then disconnect from the internet, close all browser/explorer windows, and run all 3 in that order (adaware, spybot, cwshredder - set this to 'fix')

You've got summinck pretty nasty called PowerReg Scheduler, you'll have to remove this first if any of the above three didn't:

Press ctrl+alt+del, click on processes, and kill any process with powerreg scheduler in the name. While you're there, kill mfccz32.exe and sdkjc.exe if they're there

Exit, then go into My Computer (make sure you can see hidden/system files - Tools-->Folder Options-->View tab), and delete the following files (if there - you'll have to do some major searching):

desktopdir+\startup\powerreg scheduler v3.exe
desktopdir+\startup\webshots.lnk
programfilesdir+\powerreg
startupfolder+\powerreg scheduler v3.exe
startupfolder+\powerreg scheduler.exe
startupfolder+\powerreg schedulerv2.exe
systemroot+\desktop\startup\powerreg scheduler.exe
systemroot+\start menu\programs\startup\image.lnk
systemroot+\start menu\programs\startup\norton disk doctor.lnk
systemroot+\start menu\programs\startup\powerreg scheduler v3.exe
systemroot+\start menu\programs\startup\powerreg scheduler.exe

and delete the following directory:

desktopdir+\startup

---

Now, go into regedit (careful!!!), and see if mfccz32.exe and sdkjc.exe are present in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

if so, delete

Reet - then making sure all windows are closed and you're still disconnected from net, run HijackThis, and place checks next to the following (if still there) to remove:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zrixm.dll/sp.html#90728
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrixm.dll/sp.html#90728
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zrixm.dll/sp.html#90728
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zrixm.dll/sp.html#90728
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zrixm.dll/sp.html#90728
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EAEC3929-DEFC-7073-95B8-A996761C4ED8} - C:\WINDOWS\system32\d3qk32.dll
O4 - Startup: PowerReg Scheduler V3.exe

And get rid of them.

Then reboot into safe mode (start-->run, type "msconfig", boot.ini tab, check /safeboot, apply, close, restart) and delete the following:

C:\WINDOWS\system32\zrixm.dll
C:\WINDOWS\system32\d3qk32.dll
C:\WINDOWS\mfccz32.exe
C:\WINDOWS\sdkjc.exe

Then restart back into normal mode (undo /safeboot check), scan with avg, adaware, spybot, cwshredder.

I'd highly advise being careful how you browse and what you download from now on - use Firefox, and I'd prob suggest getting M$ anti-spyware too.

Phew - me hands are fucked from typing
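The by-eye triage in the reply above can be sketched in code. This is an added example, not part of the original thread and not HijackThis's own logic: it parses entry lines in the log format posted in the thread and flags three of the patterns among the entries the reply picked out; the function name `triage` and the heuristics are assumptions of this example, and a hit is a lead to investigate rather than a verdict.

```python
import re

# Excerpt (entry lines only) of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zrixm.dll/sp.html#90728
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EAEC3929-DEFC-7073-95B8-A996761C4ED8} - C:\WINDOWS\system32\d3qk32.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # section code, then entry body
BHO = re.compile(r"^BHO: (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")  # name, CLSID, DLL

def triage(log_text):
    """Return (section, reason, body) for entries matching the example heuristics."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list, blank lines
        section, body = m.groups()
        reason = None
        if section in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1].lower()
            if value.startswith("res://") and ".dll" in value:
                reason = "IE page setting loads HTML from inside a local DLL"
        elif section == "O2":
            bho = BHO.match(body)
            if bho and bho.group(1) == "(no name)":
                reason = "BHO registered without a class name"
        elif section == "O4" and body.startswith(("Startup: ", "Global Startup: ")):
            if " = " not in body and body.lower().endswith(".exe"):
                reason = "executable placed directly in a Startup folder"
        if reason:
            findings.append((section, reason, body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```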
Actually don't think I used Winzip. I just right-clicked, then clicked 'Extract All' and put it in C:\ but when I open the program it says it's in a Temp Folder. But it isn't, it's in C:\ where I put it. Should I just ignore it, and carry on? Other thing is the file that is in C:\ doesn't have .exe at the end, but it runs the program when I click it, giving me the above message.
Right, I must have misread what u said before. I was putting it in C:\ when you had said put it in C:\Hijack. Working fine now. I'll get started on your big list of things to do now. I've already got Spybot and Adaware. Will grab the other one. And I have been only using Firefox over the last day or so. I only tried IE to run Housecall.
The majority of the stuff you told me to remove wasn't there, that or I couldn't find it. But, I've done everything in your instructions. Tried running IE and no viruses came up, which is encouraging. Before I couldn't navigate to a single page without it attempting to download 2 viruses. But, when I tried to use Housecall, nothing happens when I click 'Scan Now'. Any ideas why that is?
The anti-spyware software should have got rid of most of it, why some of it wasn't there. When you deleted that registry tree for IE by accident that may have f*d things a little, try this:

Go to regedit, and navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-EBCD-11cf-8B85-00AA005B4383}

and double-click on "IsInstalled", change the value to 1, click ok, and exit. Then go to M$'s website, and download and install the latest version of IE - that may solve the problem.
i'd have rebuilt it by the end of page 1 of this thread i'm on my 3rd cuppa yorkshire tea of the day... buzzing like a 15yr old charver on the school fields on a friday night!
I can only find something called 'Windows XP Service Pack 2'. I think this is the right thing, but it seems to be other stuff and not just IE. Anyway it says before downloading and installing I need to:

1. Check your computer for unwanted software. You can detect and remove unwanted software from your computer using a variety of tools available from other companies, including Lavasoft Ad-aware. (Note: Microsoft is not responsible for the quality, performance, or reliability of third-party tools.)
2. Get the latest PC manufacturer updates for SP2. As one of the steps to ensuring you have all of the support information you need to install SP2, we recommend that you visit your PC manufacturer's Web site first and search for any information about SP2 that might apply to your computer.
3. Protect your important files. We strongly suggest you back up or make a copy of your important and irreplaceable personal information, such as pictures, documents, music, and financial data.

Do I need to do all this? It seems a bit far fetched.
You do if you don't have Service Pack 2! Right-click on My Computer on the desktop and select properties - in the general tab if it doesn't say Service Pack 2 underneath System anywhere you sure as hell need it. SP2 contains the new version of IE
Oh, and only do 3) above - just burn your most important documents to cd or something before installing SP2, just in case
I have got Service Pack 2, just looked. What u suggest. I just download it anyway? Doing all that stuff first?
It's not made any difference. If it's any help to you, I think I might be missing some installation or other, because the advert at the top left on the Promise Board is just showing as a small red cross in the corner when using IE. Any ideas?