I'm totally stuck.

[LonnyRJones]

Download System Security Suite.
http://www.igorshpak.net/
Extract it from the zip file and run setup.exe
after the install you can delete setup.exe and the downloaded zip file
Start the program Check all the boxes under the 'Items to Clear' (even cookies, this time) tab and click
'Clear Selected Items'. You will be prompted to reboot, do so.

Download Pocket Killbox to the desktop
http://www.downloads.subratam.org/KillBox.exe
If you already have killbox what version is it ?
Start Killbox place a tick next to [x]Delete on reboot Press the ALL Files button
Copy this whole list into the windows clipboard, all the Bolded below.

C:\WINDOWS\UnitedKingdom.exe
C:\WINDOWS\yseti.exe
C:\WHCC2.exe
C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N68M2301NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\v3.dll
C:\WINDOWS\Installer.exe
C:\WINDOWS\mc-110-12-0000228.exe
C:\WINDOWS\system32\ad.html
C:\temp\180SAInstaller.exe
C:\temp\ZCWEDowST3.exe

Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt to restart the pc.


manualy delete these folders
C:\WINDOWS\U3VzYW4
C:\Program Files\Hzfxgig
C:\PROGRAM FILES\Media Gateway
C:\PROGRAM FILES\whInstall
C:\PROGRAM FILES\WinAntiVirus Pro 2006
=============================================
C:\PROGRAM FILES\SCOM << what are the contents ?

Install atleast a free anti virus and firewall program
Dont make the common mistake of installing more than one anti virus or firewall
AVG Anti-Virus-Free: http://www.grisoft.com/us/us_dwnl_free.php
AntiVir Personal Edition: http://www.free-av.com/
avast! 4 Home - Free antivirus software :
http://www.asw.cz/eng/free_virus_protectio.html
Understanding and Using Firewalls:
http://www.bleepingcomputer.com/foru...howtutorial=60
ZoneAlarm provide's a paid for and free version http://www.zonelabs.com/
http://www.zonelabs.com/store/conten...=en&lid=nav_za
Kerio Personal Firewall
For home users, Kerio Personal Firewall 4 is available in two flavors -
the full edition and the limited free edition.
http://www.kerio.com/us/kpf_download.html
Sygate free for personal/home http://soho.sygate.com/products/spf_standard.htm
Outpost http://www.outpost.uk.com/download/outpost1.html



Post another Hiajckthis log afterwards and let us know of any problems

[Edward Skylover]

Here is the log from HiJackThis, I'm not sure if there are any problems or not.


Logfile of HijackThis v1.99.1
Scan saved at 22:07:47, on 26/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Susan\Desktop\family folder\Edward's folder\Computer downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E861860-46B1-4391-8745-983F9CD36025}: NameServer = 194.74.65.68 194.72.9.34
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thankyou for your help so far.

[LonnyRJones]

Its great to see an AV in your logs. :D

Post back in a couples days to let us know whats going on please

In the meantime
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

[Edward Skylover]

Ok. Thanks for your help. You've been great!

[tashi]

This topic will now be archived to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.