Tech Support Forum - View Single Post

tsf1jay · 02-21-2007, 11:09 AM

My computer is infected with multiple visruses which do not go away after mcafee scan. I ran mcafee in SAFE mode in DOS and it says it cleaned a bunch of viruses/trojans (please see the log). When I reboot in normal mode, viruses/trojans reappear and also replicate too many times. I also had run tune-up! registry fix after mcafee scan but that does not seem to help. Attaching the log from mcafee scan and HijackThis log I got after I rebooted in normal mode.
================= begin of McAfee scan log ============
McAfee VirusScan for Win32 v5.10.0
Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - May 26 2006

Scan engine v5.1.00 for Win32.
Virus data file v4967 created Feb 20 2007
Scanning for 230136 viruses, trojans and variants.

02/20/2007 23:43:33

Options:
C:\WINDOWS /ADL /CLEAN /ALL /REPORT REPORT.TXT

Scanning C: []
Scanning C:\WINDOWS\*.*

Summary report on C:\WINDOWS\*.*
File(s)
Total files: ........... 287
Clean: ................. 287
Possibly Infected: ..... 0
Cleaned: ............... 0
Scanning C: []
Scanning C:\*.*
C:\Documents and Settings\Owner\Local Settings\Temp\1.dllb ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\Documents and Settings\Owner\Local Settings\Temp\5.dllb ... Found the W32/Zhelatin.gen.b@MM virus !!!
The file has been deleted.
C:\Documents and Settings\Owner\Local Settings\Temp\qv3xt3.game ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\Documents and Settings\Owner\Local Settings\Temp\qvxt34.game ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\Documents and Settings\Owner\Local Settings\Temp\qvxt42.game ... Found the Tibs trojan !!!
The file has been deleted.
C:\Documents and Settings\Owner\Local Settings\Temp\win9868.tmp\win9868.tmp ... Found the BackDoor-CXJ trojan !!!
The file has been deleted.
C:\Program Files\Common Files\{1417BE8B-0A1F-1033-0916-031025200001}\Update.exe ... Found the Generic Downloader.k trojan !!!
The file has been deleted.
C:\Program Files\Common Files\{3417BE8B-0A1F-1033-0916-031025200001}\Bar888.dll ... Found the Matcash.dll trojan !!!
The file has been deleted.
C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc1\Update.exe ... Found the Generic Downloader.k trojan !!!
The file has been deleted.
C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc2\Update.exe ... Found the Generic Downloader.k trojan !!!
The file has been deleted.
C:\WINDOWS\system32\adir.dll ... Found the Downloader-ZQ trojan !!!
The file has been deleted.
C:\WINDOWS\system32\dlh9jkd1q1.exe ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\WINDOWS\system32\dlh9jkd1q5.exe ... Found the W32/Zhelatin.gen.b@MM virus !!!
The file has been deleted.
C:\WINDOWS\system32\inet.exe ... Found the Tibs trojan !!!
The file has been deleted.
C:\WINDOWS\system32\qvx5gamet2.exe ... Found the Tibs trojan !!!
The file has been deleted.
C:\WINDOWS\system32\qvxga6met3.exe ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\WINDOWS\system32\qvxga7met4.exe ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\WINDOWS\system32\unsvchosts.exe ... Found the Matcash trojan !!!
The file has been deleted.
C:\WINDOWS\system32\vxga1me4t1.exe ... Found the W32/Zhelatin.gen.b@MM virus !!!
The file has been deleted.
C:\WINDOWS\system32\vxga3me2.exe ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\WINDOWS\system32\vxga4m1et4.exe ... Found the Generic Downloader.f trojan !!!
The file has been deleted.
C:\WINDOWS\system32\vxga4me1.exe\00001060.EXE\00001060.EXE ... Found the BackDoor-CXJ trojan !!!
The file has been deleted.
C:\WINDOWS\system32\wincom32.sys ... Found the Downloader-BAI.sys.gen trojan !!!
The file has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 74855
Clean: ................. 74744
Possibly Infected: ..... 23
Cleaned: ............... 0
Deleted: ............... 23
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0

Time: 01:13.42
================= end of McAfee scan log============

then I ran HijackThis to take the log
================= Begin of HijackThis log============
Logfile of HijackThis v1.99.1
Scan saved at 7:58:15 AM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\dxdlg32.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\kernels88.exe
C:\Program Files\Common Files\{1417BE8B-0A1F-1033-0916-031025200001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\internet explorer\iexplore.exe
C:\Windows\xpupdate.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\WINDOWS\system32\dlh9jkd1q7.exe
C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\WINDOWS\system32\dlh9jkd1q7.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mailaka.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\ofb1.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5ccaab50-41e0-4574-a1c6-5a4847a9ce57} - C:\WINDOWS\system32\ideoept.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3417B~1\Bar888.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3417B~1\Bar888.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [DxDialog] C:\WINDOWS\system32\dxdlg32.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe
O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\system32\dns.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C946AAC-89EC-4E1D-807A-18480BAD72A1}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B499E2-243B-40DC-A325-188732468138}: NameServer = 165.76.12.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA75678-EDD3-48EB-8F6C-0B68EB1251BA}: NameServer = 165.76.12.2
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: ideoept - C:\WINDOWS\SYSTEM32\ideoept.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
================= end of HijackThis log============

Please help how to remove all these trojans/viruses.

02-21-2007, 11:09 AM	#1 (permalink)
tsf1jay Registered User Join Date: Feb 2007 Posts: 21 OS: XP home edition	Multiple infections HELP! My computer is infected with multiple visruses which do not go away after mcafee scan. I ran mcafee in SAFE mode in DOS and it says it cleaned a bunch of viruses/trojans (please see the log). When I reboot in normal mode, viruses/trojans reappear and also replicate too many times. I also had run tune-up! registry fix after mcafee scan but that does not seem to help. Attaching the log from mcafee scan and HijackThis log I got after I rebooted in normal mode. ================= begin of McAfee scan log ============ McAfee VirusScan for Win32 v5.10.0 Copyright (c) 1992-2006 McAfee, Inc. All rights reserved. (408) 988-3832 LICENSED COPY - May 26 2006 Scan engine v5.1.00 for Win32. Virus data file v4967 created Feb 20 2007 Scanning for 230136 viruses, trojans and variants. 02/20/2007 23:43:33 Options: C:\WINDOWS /ADL /CLEAN /ALL /REPORT REPORT.TXT Scanning C: [] Scanning C:\WINDOWS\. Summary report on C:\WINDOWS\. File(s) Total files: ........... 287 Clean: ................. 287 Possibly Infected: ..... 0 Cleaned: ............... 0 Scanning C: [] Scanning C:\. C:\Documents and Settings\Owner\Local Settings\Temp\1.dllb ... Found the Generic Downloader.f trojan !!! The file has been deleted. C:\Documents and Settings\Owner\Local Settings\Temp\5.dllb ... Found the W32/Zhelatin.gen.b@MM virus !!! The file has been deleted. C:\Documents and Settings\Owner\Local Settings\Temp\qv3xt3.game ... Found the Generic Downloader.f trojan !!! The file has been deleted. C:\Documents and Settings\Owner\Local Settings\Temp\qvxt34.game ... Found the Generic Downloader.f trojan !!! The file has been deleted. C:\Documents and Settings\Owner\Local Settings\Temp\qvxt42.game ... Found the Tibs trojan !!! The file has been deleted. C:\Documents and Settings\Owner\Local Settings\Temp\win9868.tmp\win9868.tmp ... Found the BackDoor-CXJ trojan !!! The file has been deleted. C:\Program Files\Common Files\{1417BE8B-0A1F-1033-0916-031025200001}\Update.exe ... Found the Generic Downloader.k trojan !!! The file has been deleted. C:\Program Files\Common Files\{3417BE8B-0A1F-1033-0916-031025200001}\Bar888.dll ... Found the Matcash.dll trojan !!! The file has been deleted. C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc1\Update.exe ... Found the Generic Downloader.k trojan !!! The file has been deleted. C:\RECYCLER\S-1-5-21-2105242733-1762407506-2985652280-1003\Dc2\Update.exe ... Found the Generic Downloader.k trojan !!! The file has been deleted. C:\WINDOWS\system32\adir.dll ... Found the Downloader-ZQ trojan !!! The file has been deleted. C:\WINDOWS\system32\dlh9jkd1q1.exe ... Found the Generic Downloader.f trojan !!! The file has been deleted. C:\WINDOWS\system32\dlh9jkd1q5.exe ... Found the W32/Zhelatin.gen.b@MM virus !!! The file has been deleted. C:\WINDOWS\system32\inet.exe ... Found the Tibs trojan !!! The file has been deleted. C:\WINDOWS\system32\qvx5gamet2.exe ... Found the Tibs trojan !!! The file has been deleted. C:\WINDOWS\system32\qvxga6met3.exe ... Found the Generic Downloader.f trojan !!! The file has been deleted. C:\WINDOWS\system32\qvxga7met4.exe ... Found the Generic Downloader.f trojan !!! The file has been deleted. C:\WINDOWS\system32\unsvchosts.exe ... Found the Matcash trojan !!! The file has been deleted. C:\WINDOWS\system32\vxga1me4t1.exe ... Found the W32/Zhelatin.gen.b@MM virus !!! The file has been deleted. C:\WINDOWS\system32\vxga3me2.exe ... Found the Generic Downloader.f trojan !!! The file has been deleted. C:\WINDOWS\system32\vxga4m1et4.exe ... Found the Generic Downloader.f trojan !!! The file has been deleted. C:\WINDOWS\system32\vxga4me1.exe\00001060.EXE\00001060.EXE ... Found the BackDoor-CXJ trojan !!! The file has been deleted. C:\WINDOWS\system32\wincom32.sys ... Found the Downloader-BAI.sys.gen trojan !!! The file has been deleted. Summary report on C:\. File(s) Total files: ........... 74855 Clean: ................. 74744 Possibly Infected: ..... 23 Cleaned: ............... 0 Deleted: ............... 23 Non-critical Error(s): 1 Master Boot Record(s): ......... 1 Possibly Infected: ..... 0 Boot Sector(s): ................ 1 Possibly Infected: ..... 0 Time: 01:13.42 ================= end of McAfee scan log============ then I ran HijackThis to take the log ================= Begin of HijackThis log============ Logfile of HijackThis v1.99.1 Scan saved at 7:58:15 AM, on 2/21/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchosts.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\zHotkey.exe C:\WINDOWS\system32\dxdlg32.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\WINDOWS\system32\kernels88.exe C:\Program Files\Common Files\{1417BE8B-0A1F-1033-0916-031025200001}\Update.exe C:\Program Files\Messenger\msmsgs.exe c:\program files\internet explorer\iexplore.exe C:\Windows\xpupdate.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\WINDOWS\system32\dlh9jkd1q6.exe C:\WINDOWS\system32\dlh9jkd1q7.exe C:\WINDOWS\system32\dlh9jkd1q6.exe C:\WINDOWS\system32\dlh9jkd1q7.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal.mailaka.net/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mailaka.net/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\ofb1.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: (no name) - {5ccaab50-41e0-4574-a1c6-5a4847a9ce57} - C:\WINDOWS\system32\ideoept.dll O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3417B~1\Bar888.dll O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3417B~1\Bar888.dll O4 - HKLM\..\Run: [CHotkey] zHotkey.exe O4 - HKLM\..\Run: [DxDialog] C:\WINDOWS\system32\dxdlg32.exe O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe O4 - HKLM\..\Run: [dns.exe] C:\WINDOWS\system32\dns.exe O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe O4 - Startup: PowerReg Scheduler V3.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228" O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227" O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O15 - Trusted Zone: .adgate.info O15 - Trusted Zone: .dollarrevenue.com O15 - Trusted Zone: .errorsafe.com O15 - Trusted Zone: .imagesrvr.com O15 - Trusted Zone: .matcash.com O15 - Trusted Zone: .media-motor.com O15 - Trusted Zone: .mediatickets.net O15 - Trusted Zone: .snipernet.biz O15 - Trusted Zone: .systemdoctor.com O15 - Trusted Zone: .winantivirus.com O15 - Trusted Zone: .winfixer.com O15 - Trusted Zone: .adgate.info (HKLM) O15 - Trusted Zone: .dollarrevenue.com (HKLM) O15 - Trusted Zone: .elitemediagroup.net (HKLM) O15 - Trusted Zone: .errorsafe.com (HKLM) O15 - Trusted Zone: .imagesrvr.com (HKLM) O15 - Trusted Zone: .matcash.com (HKLM) O15 - Trusted Zone: .media-motor.com (HKLM) O15 - Trusted Zone: .media-motor.net (HKLM) O15 - Trusted Zone: .mediatickets.net (HKLM) O15 - Trusted Zone: .snipernet.biz (HKLM) O15 - Trusted Zone: .systemdoctor.com (HKLM) O15 - Trusted Zone: .winantivirus.com (HKLM) O15 - Trusted Zone: .winfixer.com (HKLM) O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/c...cab?v=1,0,0,37 O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Owner\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{48FF8732-2D9A-45D2-AC39-928DFE93D2A1}: NameServer = 165.76.12.2 O17 - HKLM\System\CCS\Services\Tcpip\..\{6C946AAC-89EC-4E1D-807A-18480BAD72A1}: NameServer = 165.76.12.2 O17 - HKLM\System\CCS\Services\Tcpip\..\{D5B499E2-243B-40DC-A325-188732468138}: NameServer = 165.76.12.2 O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA75678-EDD3-48EB-8F6C-0B68EB1251BA}: NameServer = 165.76.12.2 O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll O20 - Winlogon Notify: ideoept - C:\WINDOWS\SYSTEM32\ideoept.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing) O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing) ================= end of HijackThis log============ Please help how to remove all these trojans/viruses.