hi guys im new on here but am in desperste need of your help. when i boot my machine inernet explorer immediately comes up and directs me to inf3ct3d.us. mt internet connection becomes very slow and then none existent. i have run avast with no results i have also run avast virus cleaner and spybot again with no joy. PLEASE HELP
Click on the link in my signature and follow the instructions in the malware removal section
i have followed the instructions on the web site and neither programs could find anything. i no longer have the re direction on ie but i still have a none existent connection. i have a scan file from hijack this but dont know what to do with it can anyone check it out for me and see if there is anything wrong
Logfile of HijackThis v1.99.0
Scan saved at 19:04:46, on 18/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\p6.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Documents and Settings\Scott\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurs.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = The Steve Toms Edition
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.0.0.2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE Initial
O4 - HKLM..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [msnappau] “C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe”
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [MSNPluginSrvcs] p6.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0938cff85961eaa76d22/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099044918828
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Cheers
Result from eddy’s analyzer:
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
\program files\msn apps\updater\01.02.3000.1001\en-us\msnappau.exe
\program files\msn apps\updater\01.02.3000.1001\en-us\msnappau.exe
search bar = about:blank
r1 - hkcu\software\microsoft\internet explorer\search
searchassistant = about:blank
r1 - hkcu\software\microsoft\windows\currentversion\internet settings
o2 - bho: msntoolbandbho - {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
o3 - toolbar: msn - {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
o4 - hklm..\run: [msnappau] “c:\program files\msn apps\updater\01.02.3000.1001\en-us\msnappau.exe”
o16 - dpf: raptisoftgameloader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
o16 - dpf: {2917297f-f02b-4b9d-81df-494b6333150b} (minesweeper flags class) - http://messenger.zone.msn.com/binary/minesweeper.cab31267.cab
o16 - dpf: {54b52e52-8000-4413-bd67-fc7fe24b59f2} (eartpatchx class) - http://files.ea.com/downloads/rtpatch/v2/eartpx.cab
o16 - dpf: {56336bcb-3d8a-11d6-a00b-0050da18de71} (rdxie class) - http://software-dl.real.com/0938cff85961eaa76d22/netzip/rdxie601.cab
o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/v5controls/en/x86/client/wuweb_site.cab?1099044918828
o16 - dpf: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatsclient.cab31267.cab
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :
Nothing found.
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe
Also remove these:
O4 - HKCU..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM..\RunServices: [MSNPluginSrvcs] p6.exe
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
msnappau.exe and p6.exe are what there starting up, they most proberly causing you the trouble, so after making the above corrections/fixed, reboot then search for the files on your system and delete them (start bar > search).
Then redo and repost a new log.
–lee
CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:
You are using a old version of Hijackthis, please update.
Old version of Internet Explorer detected, please update.
Your Operating System is not up-to-date. (Latest service pack not installed)
Software firewall detected.
THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
\program files\msn apps\updater\01.02.3000.1001\en-us\msnappau.exe
\windows\system32\p6.exe
\program files\msn apps\updater\01.02.3000.1001\en-us\msnappau.exe
r1 - hkcu\software\microsoft\internet explorer\main,search bar = about:blank
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = about:blank
r1 - hkcu\software\microsoft\windows\currentversion\internet settings,autoconfigurl = 10.0.0.2
o2 - bho: msntoolbandbho - {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
o3 - toolbar: msn - {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
o4 - hklm..\run: [msnappau] “c:\program files\msn apps\updater\01.02.3000.1001\en-us\msnappau.exe”
o4 - hklm..\run: [msnpluginsrvcs] p6.exe
o4 - hklm..\runservices: [msnpluginsrvcs] p6.exe
o4 - hkcu..\run: [msnpluginsrvcs] p6.exe
o16 - dpf: raptisoftgameloader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
o16 - dpf: {2917297f-f02b-4b9d-81df-494b6333150b} (minesweeper flags class) - http://messenger.zone.msn.com/binary/minesweeper.cab31267.cab
o16 - dpf: {54b52e52-8000-4413-bd67-fc7fe24b59f2} (eartpatchx class) - http://files.ea.com/downloads/rtpatch/v2/eartpx.cab
o16 - dpf: {56336bcb-3d8a-11d6-a00b-0050da18de71} (rdxie class) - http://software-dl.real.com/0938cff85961eaa76d22/netzip/rdxie601.cab
o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/v5controls/en/x86/client/wuweb_site.cab?1099044918828
o16 - dpf: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatsclient.cab31267.cab
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:
o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background
o4 - global startup: gwum.lnk = c:\program files\gigabyte\gigabyte windows utility manager\gwum.exe
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe
cheers guys i have removed the things you said and here is my new log
Logfile of HijackThis v1.99.0
Scan saved at 20:22:50, on 18/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\p6.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Scott\Desktop\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurs.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = The Steve Toms Edition
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE Initial
O4 - HKLM..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Some are still there from last time, they need to be fixed, they are these:
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
o2 - bho: msntoolbandbho - {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.3000.1001\en-us\msntb.dll
Also p6.exe and msnappau.exe are still there (harmful processes), so remove the above
then find and delete this file “p6.exe”, should be in C:\WINDOWS\System32
then find and delete this file “msnappau.exe”, should be in C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us
Although if i was you i would be wary of the folder “C:\Program Files\MSN Apps” as to my knolage this is not a default msn folder (you may want to consider deleteing it.
–lee
ok i have now deleted those aswell. i have also noticed an application file in my hard drive that is called autoprotect which i keep deleting but it re appears, i thnk this might be malicious but am unsure.
i have a new log
Logfile of HijackThis v1.99.0
Scan saved at 20:58:00, on 18/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott\Desktop\hijackthis.exe
This is a incomplete log.
You still have to remove:
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
i have also noticed an application file in my hard drive that is called autoprotectWhat is the exact filename and what is the exact location?
the exact file name is autoprotect and the exact location is c:/. also when i tried to delete msnapps folder, a warning came up saying that msntb.dcc: access was denied
Logfile of HijackThis v1.99.0
Scan saved at 21:18:19, on 18/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijack this\hijackthis.exe
C:\WINDOWS\SoftwareDistribution\Download\c9bf12dbe4014749ca9bd94c51618107\update\update.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurs.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = The Steve Toms Edition
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE Initial
O4 - HKLM..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108760722609
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Fix the ones I mentioned and get your system up-to-date.
Visit Windows Update and install ALL security patches/updates.
i have deleted the mentioned files and have updated from windows 30 mins ago
Either you didn’t or you poste the last log before you did.
Which one is it?
lucifer,
The problem is the processes are still running in memory.
So open taskmanager (alt + ctrl + delete) then click on the 'processes tab at the top, then you will see a list of running processes, scroll down and look for the two ‘msnappau.exe’ processes and press ‘kill proccess’, you should then be able to delete the ‘C:\Program Files\MSN Apps’ folder.
let us know how this gets on 
–lee
i have now deleted the msnapps folder and here is my new log
Logfile of HijackThis v1.99.0
Scan saved at 21:50:52, on 18/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\Scott\Desktop\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurs.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = The Steve Toms Edition
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE Initial
O4 - HKLM..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108760722609
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
;D
Looks clean to me, no harmful stuff that i can see
However, there is this:
o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background
its not harmful, what it does is starts MSN messenger up when you turn on your PC, ‘fixing’ could speed boot up time on your computer (you will still be able to open MSN via the icon on your desktop/start menu), but of course its your system, so its up to you if you do it or not 
o and BTW, when we said install all security patches we meant SP2 as well, and then the patches for them as well. (you are currently on SP1 according to your log).
By having SP2 it will increase your windows security and help prevent spyware getting on your system.
-lee
i have a problem with sp2 because it doesnt like wireless networks… cheers guys you’ve saved me from re formatting. the only other thing is this application folder that keeps appearing in my hard drive everythime i delete it it comes back after i boot up and it was created the same day that i got the virus. do you know what i can do with that
cheers
I cannot find any infomation on ‘c:\autoprotect.exe’
Is it running in memory? (check task manager)
Also try uploading it here and let us know the results: http://virusscan.jotti.org/
–lee
hi lee i submitted it to that site and here are the results
Service load: 0% 100%
File: autoprotect.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file’s scan results will not be stored in the database)
Packers detected: None
AntiVir No viruses found (0.37 seconds taken)
Avast No viruses found (1.53 seconds taken)
AVG Antivirus Collected.3.X (0.36 seconds taken)
BitDefender Trojan.LowZones.G (0.63 seconds taken)
ClamAV No viruses found (1.36 seconds taken)
Dr.Web Trojan.LowZones (1.72 seconds taken)
F-Prot Antivirus W32/Lowzones.AC (0.14 seconds taken)
Fortinet No viruses found (0.81 seconds taken)
Kaspersky Anti-Virus Trojan.Win32.LowZones.g (1.18 seconds taken)
mks_vir Trojan.Lowzones.G (0.44 seconds taken)
NOD32 Win32/Lowzones.G (1.16 seconds taken)
Norman Virus Control Sandbox: W32/Malware; [ General information ]
- File length: 7168 bytes.
[ Changes to registry ]
- Sets value “Flags”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1001”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1004”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1200”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1201”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1206”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1400”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1402”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1405”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1406”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1407”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1601”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1604”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1605”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1606”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”.
- Sets value “1607”=“” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3”. (1.73 seconds taken)
cheers
OK it seems its malware that avast doesn’t detect :-\
So password protect (zip) the file up with either Winzip or Winrar.
Then email the file to virus@avast.com
In the email mention the password to open the file, and them give them the jotti scan information in your last post (let them know the info is from jotti online scanner).
After this, do an online scan with bitdefiender here: http://www.bitdefender.com/scan/licence.php (click ‘i agree’)
Check/tick all the options down the left side, and when it finds the malware, let bitdefender remove it
Then your system should be clean
-lee