win32 virus problem



big_bang
2007-08-30, 19:45
I recently had a problem with one of those fake spyware scanners called spywaresoftstop. I managed to remove it but it left a win32 virus. I need help since none of the virus scanners I have seem to be able to remove it. The HJT log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:05 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [AceUtils] "C:\Program Files\Ace Utilities\au.exe" /ebh /eid
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: (no name) - {85e1f530-48f4-11d9-9629-08ff2ffc9f67} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188091797234
O17 - HKLM\System\CCS\Services\Tcpip\..\{E48F5F56-0884-485D-9E13-CB9939D58D70}: NameServer = 193.220.20.30,193.219.193.24,193.219.193.135
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: Mxngesl - C:\WINDOWS\SYSTEM32\mxngesl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8624 bytes

I can't run any of the online scans because they say I require Internet Explorer 5 or above, but I know I have version 7!?

katana
2007-09-01, 01:42
Hello big_bang and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.


Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

AntiVirus
You appear to have AVG 7, Avast4 and Kaspersky Anti-Virus 7.0
First you should know that you're actually doing more harm than good by running more than one Anti Virus program.
When you do this the programs compete for resources, and the end result is none does its best,
and in some cases it can cause system instability.
I recommend that you choose one that you want to keep.
The others I would either uninstall, or disable from startup and use as "on demand" for an occasional scan.

Submit a File For Analysis
We need to have the file below scanned by uploading it to Jotti

Please visit Jotti (http://virusscan.jotti.org/)
Copy/paste the following file path into the window
C:\WINDOWS\SYSTEM32\mxngesl.dll
Click Submit/Send File
Please post back, to let me know the results.
If Jotti is too busy please try Virustotal (http://www.virustotal.com/en/indexf.html)

Installed Programs
Please could you give me a list of the programs that are installed. This will help me create a fix for you.
Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

How did you remove spywaresoftstop ?
Which scan tells you that you have win32 virus ?
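The checks Katana is making by eye on the log above (an unknown Winlogon Notify DLL, a text/html filter hijack, orphaned "(no file)" entries, and three antivirus engines installed at once), as an added example that is not from the thread or from HijackThis itself: a small Python triage script over HijackThis-format lines. The sample lines are copied from the log in this thread; the Winlogon Notify allow-list and the AV vendor strings are assumptions.

```python
import re

# Constructed sample in HijackThis v2 log format, copied from the entries
# quoted in the thread above (only the lines relevant to the triage).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O9 - Extra button: (no name) - {85e1f530-48f4-11d9-9629-08ff2ffc9f67} - (no file)
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: Mxngesl - C:\WINDOWS\SYSTEM32\mxngesl.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# Assumed allow-list of Winlogon Notify packages normally present on Windows XP
# (example values, not an authoritative reference); anything else is flagged.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

# Assumed vendor strings used to recognise antivirus services in O23 lines.
AV_VENDORS = {"ALWIL": "avast!", "GRISOFT": "AVG", "Kaspersky": "Kaspersky"}

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")


def triage(log_text):
    """Return a list of (severity, code, note) findings for HJT log text."""
    findings, av_seen = [], set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank or footer line
        code, body = m.group("code"), m.group("body")
        if code == "O20" and body.startswith("Winlogon Notify:"):
            # Notify DLLs load into winlogon.exe; unknown ones are a classic persistence spot
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append(("HIGH", code, "unknown Winlogon Notify DLL: " + body))
        elif code == "O18" and body.startswith("Filter hijack:"):
            # A MIME filter on text/html sees every page IE renders
            findings.append(("HIGH", code, "MIME filter hijack: " + body))
        elif body.endswith("(file missing)") or body.endswith("(no file)"):
            findings.append(("LOW", code, "orphaned entry, safe to remove: " + body))
        elif code == "O23":
            for key, product in AV_VENDORS.items():
                if key.lower() in body.lower():
                    av_seen.add(product)
    if len(av_seen) > 1:
        findings.append(("MEDIUM", "O23", "multiple AV engines installed: " + ", ".join(sorted(av_seen))))
    return findings


if __name__ == "__main__":
    for severity, code, note in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {code}: {note}")
```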

big_bang
2007-09-01, 18:00
Hello Katana and thank you for helping me.

As for the three virus scanners, I use both AVG and Kaspersky as on demand scanners while I use Avast to scan internet traffic.

I tried submitting mxngesl.dll to both jotti and virustotal. jotti gave me the error "specified file could not be found" while virustotal just got stuck in the uploading process.

You wanted the list of installed programs so here it is:

ABC Amber LIT Converter
Ace Utilities
Acer eManager for Notebook
Acer ePowerManagement
Acer GridVista
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 7.0
Adobe Setup
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
ADPHONE
Age of Empires III Trial
AnalogX Vocal Remover
Applied Accoustics String Studio VS 1 VST DX v1.0
ArtRage 2.2 Free
ASIO4ALL
avast! Antivirus
AVG Free Edition
BitComet 0.91
BS.Player FREE powered by AdVantage
CDisplay 1.8
Conexant AC-Link Audio
CS-80V 1.6
CyberMotion 3D-Designer v12
Digimax Master
Download Accelerator Plus (DAP)
Drumagog 4
DVD Decrypter (Remove Only)
EarthView V3.6.9
Ethereal 0.99.0
FL Studio 7
FLV Player 1.3.3
Fraps
FreeSpace2Demo
Game Accelerator (remove only)
GameGain
G-Force
Gizmo Plugin
Google Earth
HijackThis 2.0.2
Homeworld2
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Solution Center 7.0
HTTP-Tunnel 2.10.0070
IL Download Manager
Image Line PoiZone v1.0 VSTi
Image Line ToxicIII v1.4 VSTi
ImageMixer for Sony
Intel(R) Graphics Media Accelerator Driver
InterActual Player
iScrobbler
iTunes
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Anti-Virus 7.0
Kaspersky Anti-Virus 7.0
Kate's Video Cutter 2.8.4
K-Lite Codec Pack 3.2.0 Full
Last.fm 1.3.0.62
Launch Manager
LinPlug Organ 3
Mario Forever 4.0
MatrixWorld 3D Screensaver (remove only)
MediaCell Mobile Video Converter
MediaMonkey 2.5
Mega Manager
Megaupload Toolbar
Microsoft .NET Framework 1.1
Microsoft Office Professional Edition 2003
Microsoft Reader
Microsoft Reader Text-to-Speech for English
Mozilla Firefox (2.0.0.4)
MSN
MSXML 4.0 SP2 Parser and SDK
Multimedia Card Reader
neroxml
Network Stumbler 0.4.0 (remove only)
Opera 9.21
Orbit
PDF Settings
POV-Ray for Windows v3.6.1b
Power MP3 WMA Converter 1.15
Proxy Finder Enterprise Edition
QuickTime
RealPlayer
Rhapsody Player Engine
Rob Papen Albino 3
Rob Papen Blue VSTi v1.01
S500/S600 USB Driver
SampleTank 2.2.2
San Andreas Radio V1.0
Sentinel System Driver
SmartFTP Client
SoftV92 Data Fax Modem with SmartCP
Sony Ericsson PC Suite 1.20.173
Sony Ericsson Themes Creator 3.02
Sony USB Driver
Space Exploration 3D Screensaver 1.2
Space Plasma 3D Screensaver (remove only)
Spybot - Search & Destroy 1.4
Steinberg Cubase SX v3.0.2.623
Steinberg Hypersonic v1.0
SUPER © Version 2007.bld.22 (Mar 14, 2007)
Switch Uninstall
Synaptics Pointing Device Driver
SyncroSoft Emu (Remove only)
Syncrosoft's License Control
System Requirements Lab
Terragen 2 Technology Preview
Texas Instruments PCIxx21/x515 drivers.
UseNeXT
VideoLAN VLC media player 0.8.6c
Virtual MIDI Keyboard
Winamp (remove only)
WindowBlinds
Windows Driver Package - Intel (NETw4x32) net (04/30/2007 11.1.1.11)
Windows Driver Package - Intel (w29n51) net (04/04/2007 9.0.4.36)
Windows Driver Package - Intel net (04/30/2007 11.1.1.11)
Windows Driver Package - Intel net (04/30/2007 11.1.1.11)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Wings 3D 0.98.32a
winpcap-nmap 3.1
WinRAR archiver
WinZip 11.1
Xfrog 3.5
Xilisoft Video Converter
XVid;-)
Yahoo! Widgets

And i removed spywaresoftstop using a tool called rouge.
As for which scan told me that I have win32, I ran an overnight full system scan with Kaspersky and it found about 1500 files infected with 'win32.virut.n'. And also, when I connect to the internet, avast tells me that a file containing win32 is being downloaded.

Thank you for your help.

katana
2007-09-02, 18:35
Hi big_bang,


As for the three virus scanners , I use both AVG and Kaspersky as on demand scanners while I use Avast to scan internet traffic.
All three are showing as running "realtime" so you need to stop AVG and Kaspersky from starting up automatically.

You are running a P2P filesharing program. --- BitComet 0.91
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe.
You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you uninstall it.

Please note: you must NOT use this whilst we are cleaning your machine.


Let's see if we can find that file
Show All Files And Folders
Now you need to show all files and folders
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Submit a File For Analysis
We need to have the file below scanned by uploading it to Jotti
Please visit Jotti (http://virusscan.jotti.org/)
Click on Browse... and navigate to the following file: C:\WINDOWS\SYSTEM32\mxngesl.dll
Click Open
Please post back, to let me know the results.

If Jotti is too busy please try Virustotal (http://www.virustotal.com/en/indexf.html)


TotalScan

Please go to this site Link >> TotalScan (http://www.nanoscan.com/as/v1/?) << LINK

Under Scan Now click the Full Scan button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.



Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Jotti/VirusTotal results
Total Scan Report ( if this is very long, please split it over as many posts as you need to)

katana
2007-09-05, 23:16
Do you still need any help ?

tashi
2007-09-10, 22:46
big_bang, due to lack of a response to your helper this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.