I know i have viruses on my computer, because: -open IE i set homepage for google, yahoo, but ends up with syssecuritypage.net. I keep on changing homepages, but this virus takes over, then it doesnt allow me to set the same website as a homepage. Thats why i use Firefox -Blinking question mark/red cancel sign by toolbar by clock at bottom. every 5 minutes a baloon comes up saying that i need to download stuff, but it has 2 squares and text, which anyone could make in MS word in 1 min. -http://404dnserror.com. When i click a link somewhere, like a website i get from google, it will take me there. It also says i need to download "system doctor". -Norton antivirus detects a lot, like idd13C.temp.exe - like 20 of those. If anyone knows how to fix these (especially the top 3) then i will be grateful. And if theres a good program which allows me to delete virus files i know are viruses, that would also be helpful. Because when i try to delete a file manualy, because Norton antivirus "failed to delete" I dont want to spend 150$ for someone to reformat my PC, because like 1 time a year its happening. I would like to prevent the hefty price, because thats what they charge. Thanks-
Go here http://www.hijackthis.de and click 'Direct Download". Extract the file to your desktop. After running Vundofix you will need to run a scan, save a log file and post it here. Then download Vundofix.exe to your desktop http://www.atribune.org/ccount/click.php?id=4 Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a fresh HijackThis log. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Post the contents of C:\vundofix.txt and a HijackThis log.
Um, i rebooted and i did the scan, again, because it poped up before any icons ad whatever appeared. I dont think its the right scan log, but what does hijackthis do because it wasnt in your steps? VundoFix V6.1.2 Checking Java version... Java version is 1.5.0.6 Scan started at 11:30:45 PM 8/31/2006 Listing files found while scanning.... C:\WINDOWS\system32\vtsqo.dll C:\WINDOWS\system32\oqstv.ini C:\WINDOWS\system32\oqstv.bak1 C:\WINDOWS\system32\oqstv.bak2 C:\WINDOWS\system32\oqstv.ini2 C:\WINDOWS\system32\prafxtpt.exe C:\WINDOWS\system32\pwihhdlh.exe Beginning removal... Attempting to delete C:\WINDOWS\system32\vtsqo.dll C:\WINDOWS\system32\vtsqo.dll Could not be deleted. Attempting to delete C:\WINDOWS\system32\oqstv.ini C:\WINDOWS\system32\oqstv.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\oqstv.bak1 C:\WINDOWS\system32\oqstv.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\oqstv.bak2 C:\WINDOWS\system32\oqstv.bak2 Has been deleted! Attempting to delete C:\WINDOWS\system32\oqstv.ini2 C:\WINDOWS\system32\oqstv.ini2 Has been deleted! Attempting to delete C:\WINDOWS\system32\prafxtpt.exe C:\WINDOWS\system32\prafxtpt.exe Has been deleted! Attempting to delete C:\WINDOWS\system32\pwihhdlh.exe C:\WINDOWS\system32\pwihhdlh.exe Has been deleted! Performing Repairs to the registry. Done! VundoFix V6.1.2 Checking Java version... Java version is 1.5.0.6 Scan started at 11:45:10 PM 8/31/2006 Listing files found while scanning....
Yes, that is the correct log. As you can see 6 infections were cleaned. VundoFix couldn't delete one of the infections so after I see your HijackThis log I'll give you futher instructions. HijackThis wasn't in the instructions because it is for us to see what the infections are. Run a scan and save a log file. Post it here.
Logfile of HijackThis v1.99.1 Scan saved at 8:53:28 AM, on 9/1/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\system32\ishost.exe C:\WINDOWS\system32\isnotify.exe C:\WINDOWS\system32\issearch.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\system32\ismon.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Messenger\msmsgs.exe C:\DOCUME~1\Eliot\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - C:\Program Files\FrontierSH\SrchHelp\frSrcAs.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Frontier Search Helper] rundll32 C:\PROGRA~1\FRONTI~1\SrchHelp\frSrcAs.dll,S O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140209414083 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146943814406 O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe O16 - DPF: {FBAA44A9-2AF3-450D-9881-BFE7BE67D852} - http://www.geoplayer.com/downloads/GeoPlayerX.cab O18 - Filter: text/html - (no CLSID) - (no file) O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Click here download VundoBeGone. Run VundoBeGone.exe You may experience BSOD, this is normal. Restart computer manually if needed. Then, go to Add/Remove Programs. Locate: [bold]MySearch[/bold](or similar) [bold]ToolBar888[/bold] Remove both. Do not worry if they are not there. Go here and download Ewido. Install and update. Restart your computer in safe mode(press F8, upon boot, select "Safe Mode" from menu). Run a full Ewido scan. When finishes set all items to delete and click "Apply All Actions" Click "Save Report". Restart in normal mode. Next, run a Scan Only with HijackThis, check to fix these(if they remian). [bold]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe [/bold] lol, DO NOT click that link! I just now picked it up in my cache. [bold]O18 - Filter: text/html - (no CLSID) - (no file) [/bold] Note for: O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll. Fix this file only if there it says "(file missing)". If it still remains urroxtl.dll go here to get RogueScanFix. Run it. Post Ewido log and a new HijackThis log.
