I woke up this morning & when I switched on the PC I started receiving popups informing me my PC was infected.
I have Panda Antivirus 2007, Spyware Doctor, AVG 7.5 Pro,
AVG Anti-Spyware (previously known as Ewido), Ad-Aware 6 Pro,
Registry Fix & a-squared Anti-Dialer installed on my PC.
I also have ZoneAlarm Pro, NOD32 & a few others on disks but not yet installed, so I didn't think it was something I had done.
I later found out from my daughter that my son was on the PC all morning.
On my desktop were 3 new icons that weren't there when I went to bed
the night before. 1 called Online Security Guide, another I can't remember as after I scanned with NOD32 it disappeared. The last one was a program called Porn Pass Manager.
Every time I tried to go online I noticed my browser had been hijacked
& the site is called safeiepage.com & there is another window that
pops up saying:-
Warning: W32.Myzor.fk@yf is a virus that affects files with .exe extensions & attempts to steal passwords & private information.
It also says it's 138,293 bytes long & under technical details it says:-
1) creates files in %windir%\ (by default this is c:\windows)
2) adds values to registry keys: HKEY_LOCAL_MNACHINE\ (NOTICE MACHINE ISN'T SPELLED CORRECTLY, BUT THAT'S HOW IT IS) Software\Microsoft\Windows\CurrentVersion\Run3
3) scans the hard drive for .exe files & infects any executable files.
Searches for passwords/information which it may send to a
remote attacker.
It then goes on to say click OK to download officially approved security software. Always keep your patch levels up to date.
I would appreciate any help in ridding my PC of any trojans/malware/spyware etc.
I ran Rootkit Hook Analyzer & it found 9 kernel hooks, but I
don't know how to work this program as it was referred by
someone on a forum.
Every time I scan with AVG, Spyware Doctor, NOD32 or even Panda
Antivirus 2007 it eventually comes back my system is clean; I go to the Panda online ActiveScan & it finds even more??
I also noticed a thing called Boonty Games & have checked up on Google & it appears to be a site where you can download games.
I know for a fact that I have not downloaded this, so could this be what my son downloaded & could this be the culprit?
I also ran SmitFraudFix & it found 3 infected files.
I will put the SmitFraudFix log after the HijackThis log...
Thanks for any help I receive. Here is my HijackThis log:-
Logfile of HijackThis v1.99.1
Scan saved at 23:12:36, on 28/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\PornPass Manager\isaddon.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DVD43] C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\NEILDO~1\LOCALS~1\Temp\{7C1645DC-9D36-4539-ACF1-1A4C7FBDD1F4}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [a-squared Anti-Dialer] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: Post Image to Blog - C:\WINDOWS\ImageShackT...r.dll/5003
O8 - Extra context menu item: Tag This Image - C:\WINDOWS\ImageShackT...r.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - C:\WINDOWS\ImageShackT...r.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - C:\WINDOWS\ImageShackT...r.dll/5001
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O15 - Trusted Zone: toolbar.imageshack.us
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - toolbar.imageshack.us/...oolbar.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - acs.pandasoftware.com/...asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - www.systemrequirements...reqlab.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
SmitFraudFix v2.115
Scan done at 17:06:44.92, 28/10/2006
Run from C:\Documents and Settings\neil dougal\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
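Added example (not part of the thread, and not HijackThis's own logic): a small Python triage pass over a constructed excerpt of the HijackThis log posted above. It flags the entry kinds that stand out in this log: BHOs that are unnamed or whose file is missing, O4 autoruns launched from a Temp directory, and Winlogon Notify DLLs. The sample lines and the flag rules are this example's assumptions; a hit means "review", not "infected".

```python
import re

# Constructed sample modelled on the HijackThis v1.99.1 log posted in the thread above
# (a benign entry of each type is included so the rules have something to leave alone).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\PornPass Manager\isaddon.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\NEILDO~1\LOCALS~1\Temp\{7C1645DC-9D36-4539-ACF1-1A4C7FBDD1F4}\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")


def triage(log_text):
    """Return (code, body, reason) tuples for entries a reviewer should look at first.

    The rules are this example's own heuristics, chosen from what stands out in the
    posted log; they are not HijackThis's verdicts and a hit only means 'review'.
    """
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines such as "Logfile of HijackThis" are skipped
        code, body = m.group("code"), m.group("body")
        lower = body.lower()
        reasons = []
        if "(file missing)" in lower:
            reasons.append("registered file no longer exists (leftover of a removed or partly removed program)")
        if code == "O2" and "(no name)" in lower:
            reasons.append("BHO registered without a name")
        if code == "O4":
            # Only inspect the command after "[Name]"; the key itself is printed as HKLM\..\Run.
            command = lower.split("]", 1)[-1]
            if "\\temp\\" in command or "\\..\\" in command:
                reasons.append("autorun starts from a Temp directory or through a '..' path")
        if code == "O20":
            reasons.append("Winlogon Notify DLL loads at every logon; verify the file's origin")
        findings.extend((code, body, reason) for reason in reasons)
    return findings


if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```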
Here's something I would delete....
Here's what you have...
Virus Name: W32.Myzor.FK@yf
Category: Worm
Risk Level: Medium
Symptoms: Displays a pop-up warning:
W32.Myzor.FK@yf is a virus that infects files with .exe extensions. It attempts to steal passwords and private information from the infected computer. Also displays a fake pop-up message saying that your computer is infected, usually in the taskbar, by the time