
Having problems w/programs, homepage redirected [Hijackthis log & Getlog xp listed]

Discussion in 'Malware and Virus Removal Archive' started by NBAS1, 2005/05/05.

Thread Status:
Not open for further replies.
  1. 2005/05/20
    NBAS1

    NBAS1 Inactive Thread Starter

    Joined:
    2005/05/05
    Messages:
    39
    Likes Received:
    0
    I still cannot get any of my antispyware working. I shut down explorer.exe and tried to get adaware to run from "New Task". Same result, nothing happened. However, when I shut down explorer, it in turn shuts down my desktop. It clears the screen of all my desktop icons and the lower "Start" bar; the only thing on the screen is my background, and whatever applications I had open are in reduced bars towards the bottom of the screen. If I double click them, the bars restore to the normal size, and when I minimize, they go back to little bars. If I restart explorer.exe, everything returns to normal. I have noticed that occasionally when I shut the computer down for the day, I get an error that a program is not responding, and it is explorer.exe. It hasn't done it the last couple of days, but when my computer was really infected it would happen.
     
  2. 2005/05/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's exactly what should happen when you kill explorer. :)
    I'm still studying the export you sent and will let you know what to try next when/if I figure it out. I have some other highly knowledgeable people looking into things also, in hopes they have some suggestions. Looks like you may be one of the first to get hit with a new 'malicious' nasty, so not sure yet what/where have been affected.

    I would like for you to run the System File Checker. Click start>run and type cmd to open a command window. Type sfc /scannow (note the space) and hit enter. Have your XP cd ready, as it may prompt you to insert it. Reboot when it completes and see if things have improved.

    I hope to have something more to offer tonight. ;)

    Please delete the previous log created with the newbat and run it again, then post the log.
     


  4. 2005/05/20
    NBAS1

    NBAS1 Inactive Thread Starter

    Followed all steps, rebooted, tried to run some antispyware programs, nothing responded. Thanks again for the assistance. Here is the new newbat log.

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs REG_SZ
    DeviceNotSelectedTimeout REG_SZ 15
    GDIProcessHandleQuota REG_DWORD 0x2710
    Spooler REG_SZ yes
    swapdisk REG_SZ
    TransmissionRetryTimeout REG_SZ 90
    USERProcessHandleQuota REG_DWORD 0x2710

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    DebugOptions REG_SZ 2048
    Documents REG_SZ
    DosPrint REG_SZ no
    load REG_SZ
    NetMessage REG_SZ no
    NullPort REG_SZ None
    Programs REG_SZ com exe bat pif cmd
    Device REG_SZ HP OfficeJet V40xi,winspool,Ne00:

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
    DisableSR REG_DWORD 0x0
    CreateFirstRunRp REG_DWORD 0x1
    DSMin REG_DWORD 0xc8
    DSMax REG_DWORD 0x190
    RPSessionInterval REG_DWORD 0x0
    RPGlobalInterval REG_DWORD 0x15180
    RPLifeInterval REG_DWORD 0x76a700
    CompressionBurst REG_DWORD 0x3c
    TimerInterval REG_DWORD 0x78
    DiskPercent REG_DWORD 0xc
    ThawInterval REG_DWORD 0x384
    RestoreDiskSpaceError REG_DWORD 0x0
    RestoreStatus REG_DWORD 0x1
    RestoreSafeModeStatus REG_DWORD 0x1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SnapshotCallbacks

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall REG_DWORD 0x1

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall REG_DWORD 0x11111110

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
    DoNotAllowXPSP2 REG_DWORD 0x1

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center
    FirstRun REG_DWORD 0x1

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    FirewallOverride REG_DWORD 0x0
    AntiVirusOverride REG_DWORD 0x0
    AntiVirusDisableNotify REG_DWORD 0x0
    FirewallDisableNotify REG_DWORD 0x0
    UpdatesDisableNotify REG_DWORD 0x0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
    <NO NAME> REG_SZ Microsoft VM
    ComponentID REG_SZ JAVAVM
    IsInstalled REG_BINARY 01000000
    KeyFileName REG_SZ C:\WINDOWS\System32\msjava.dll
    Locale REG_SZ EN
    Version REG_SZ 5,0,3810,0
     
  5. 2005/05/20
    noahdfear

    noahdfear Inactive

    Just in from work and read your post. Please navigate to each of these keys, right click the value shown and click modify. Type a 1 and click OK.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    FirewallOverride REG_DWORD 0x0
    AntiVirusOverride REG_DWORD 0x0

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall REG_DWORD 0x11111110

    Change this value to zero.

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
    DoNotAllowXPSP2 REG_DWORD 0x1

    Close regedit and reboot. See if the firewall can be enabled and/or Windows Updates can be applied.
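The reg.exe dump posted above is easy to eyeball once, but the same three values come back on every reboot in this thread, so here is a small parser for that dump format that flags the values this post tells you to change and emits the fix as a mergeable .reg file. This is an added example, not code from the thread or from any of its helpers. SAMPLE_DUMP is a constructed excerpt in the same layout as the posted log (real XP key paths and value names, trimmed); the interpretation strings are this example's own.

```python
"""Parse a reg.exe 3.0 'reg query' dump (the newbat log format above) and flag
the firewall and Windows Update policy values the thread identifies as
tampered, then emit the .reg that applies the thread's fix (EnableFirewall
back to 1, DoNotAllowXPSP2 to 0).

Added example, not part of the original thread. SAMPLE_DUMP is a constructed
excerpt in the same format as the posted log.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt mirroring the posted newbat log (same layout, trimmed).
SAMPLE_DUMP = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall  REG_DWORD   0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall  REG_DWORD   0x11111110

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
    DoNotAllowXPSP2 REG_DWORD   0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    Spooler REG_SZ  yes
"""

FW_STD = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile"
WU_POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
WINNT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# "<name>  REG_<type>  <data>"; the name group is lazy so "<NO NAME>" and names
# with spaces still parse, and the data may be empty (AppInit_DLLs above).
VALUE_RE = re.compile(r"^\s*(.+?)\s+(REG_\w+)\s*(.*)$")

RegDump = Dict[str, Dict[str, Tuple[str, str]]]


def parse_reg_query(text: str) -> RegDump:
    """Return {key_path: {value_name: (reg_type, raw_data)}}."""
    keys: RegDump = {}
    current: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):   # blank or "! REG.EXE VERSION" banner
            continue
        if stripped.upper().startswith("HKEY_"):
            current = stripped
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, rtype, data = m.groups()
            keys[current][name] = (rtype, data.strip())
    return keys


def lookup(keys: RegDump, key_path: str, name: str) -> Optional[Tuple[str, str]]:
    """Registry key paths and value names are case-insensitive."""
    for path, values in keys.items():
        if path.casefold() == key_path.casefold():
            for vname, tv in values.items():
                if vname.casefold() == name.casefold():
                    return tv
    return None


def dword(raw: str) -> int:
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)


def check_policy(keys: RegDump) -> List[str]:
    """Findings for the values the thread singles out."""
    findings: List[str] = []
    tv = lookup(keys, FW_STD, "EnableFirewall")
    if tv is not None:
        val = dword(tv[1])
        if val not in (0, 1):
            findings.append(f"StandardProfile\\EnableFirewall = {tv[1]}: not 0 or 1; "
                            "a Policies value here overrides the local firewall setting")
        elif val == 0:
            findings.append("StandardProfile\\EnableFirewall = 0x0: policy forces the firewall off")
    tv = lookup(keys, WU_POL, "DoNotAllowXPSP2")
    if tv is not None and dword(tv[1]) == 1:
        findings.append("WindowsUpdate\\DoNotAllowXPSP2 = 0x1: Windows Update will not offer SP2")
    tv = lookup(keys, WINNT, "AppInit_DLLs")
    if tv is not None and tv[1]:
        findings.append(f"AppInit_DLLs = {tv[1]}: DLL loaded into every process that maps user32.dll")
    return findings


def fix_reg() -> str:
    """The thread's fix as a mergeable .reg file (EnableFirewall -> 1, DoNotAllowXPSP2 -> 0)."""
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{FW_STD}]\n\"EnableFirewall\"=dword:00000001\n\n"
            f"[{WU_POL}]\n\"DoNotAllowXPSP2\"=dword:00000000\n")


if __name__ == "__main__":
    for finding in check_policy(parse_reg_query(SAMPLE_DUMP)):
        print(finding)
    print(fix_reg())
```

The policy hive is checked rather than the user-facing firewall setting because a value under HKLM\SOFTWARE\Policies wins over whatever the control panel shows, which is why the firewall could not be switched on from the UI. The AppInit_DLLs check is there because that value is empty in the posted dump, and it is worth confirming it stays that way on the next export.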
     
  6. 2005/05/20
    noahdfear

    noahdfear Inactive

    Please download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    start it and paste in pentstrm.exe, wait for it to complete the search, click ok at the prompt. Then when wordpad opens, copy that back here please.

    I would also like for you to search for the file C:\WINDOWS\System32\pentstrm.exe and zip/send me a copy if found.
     
  7. 2005/05/21
    NBAS1

    NBAS1 Inactive Thread Starter

    Here is what came up with the regsearch. I also searched for "C:\WINDOWS\System32\pentstrm.exe" and the regsearch tool found no evidence of it.

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "pentstrm.exe" 5/21/2005 11:09:36 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Security Shedule"="C:\\WINDOWS\\system32\\pentstrm.exe"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "pentstrm.exe"="pentstrm.exe:*:enabled:protocol Component"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "pentstrm.exe"="pentstrm.exe:*:enabled:protocol Component"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "pentstrm.exe"="pentstrm.exe:*:enabled:protocol Component"

    [HKEY_USERS\S-1-5-21-1060284298-152049171-1343024091-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\WINDOWS\\system32\\pentstrm.exe"="pentstrm"
     
    Last edited: 2005/05/21
  8. 2005/05/21
    noahdfear

    noahdfear Inactive

    Thanks. :) I meant to do a file search for C:\WINDOWS\System32\pentstrm.exe, using XP's search, not with the RegSrch tool.
     
  9. 2005/05/21
    NBAS1

    NBAS1 Inactive Thread Starter

    Sorry about that, my novice skills are shining through again. I will have it sent to you shortly.
     
  10. 2005/05/21
    Tylndel

    Tylndel Inactive

    Joined:
    2005/05/21
    Messages:
    2
    Likes Received:
    0
    Hi, I've been watching this thread because I'm having the EXACT same problems... w-find homepage problem, Windows Update not working, Windows Firewall does nothing, antivirus and antispyware do nothing, etc.

    Thanks to the information being posted to help you on this thread, I have been able to fix the w-find and clean up my registry and other settings. Thanks, all.

    Today I was able to fix Windows Update and I'm hoping you can fix yours the same way.

    In Internet Explorer click the Tools menu, then click Manage Add-ons.
    Then enable WUWebControl Class.
    If you don't see WUWebControl Class, change the drop-down that says "show add-ons currently loaded" to "add-ons that have been used by IE" and it should show up.

    Something turned it off, and it has to be on for Windows Update.

    Then if Windows Update still doesn't run, follow the instructions on this page and it should fix it. Seems a lot of files need to be re-registered.
    http://groups-beta.google.com/group/microsoft.public.windowsupdate/msg/3b41afaaf1647b72

    My Windows Update works and it's downloading security updates now. If by chance my firewall and antivirus are fixed by updating, I'll holler again.

    Thanks and Good Luck!
     
  11. 2005/05/21
    noahdfear

    noahdfear Inactive

    Welcome to WindowsBBS TyIndel :)
    Thanks for your input. I'll check out your link soon. ;)

    NBSA1,

    File received. That's one nasty infection! I'm going to try installing on a test machine so I can track all the changes and have a better idea of what to do to get you back in order. Will post something as soon as I have results.
     
  12. 2005/05/21
    noahdfear

    noahdfear Inactive

    TyIndel,

    If you could navigate to the following key and export it, then post the contents, we might see the file that has infected your system also.

    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    You could also paste this command in the start>run box and get a text file named list.txt in C:

    Code:
    regedit /e C:\list.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List"
     
  13. 2005/05/21
    NBAS1

    NBAS1 Inactive Thread Starter

    How would I post the contents ? I exported it to my desktop for now. Here is what I found with the List.txt.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "pentstrm.exe"=":*:enabled:protocol Component"
     
  14. 2005/05/21
    noahdfear

    noahdfear Inactive

    I already have your export NBAS1, which is where I found your filename. My last post was directed at TyIndel. ;)

    To see the contents of a reg file, simply right click and choose Edit. It opens in notepad. :) No need for you to keep that export.
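The regedit /e export requested two posts up is a plain-text .reg file, and the AuthorizedApplications list has a fixed data layout ("path:scope:mode:description"), so it can be triaged mechanically instead of by reading. Below is an added example that does that and then builds the .reg that deletes the flagged values; it is not code from the thread or from any of its helpers. SAMPLE_REG is constructed: the pentstrm.exe line is the one from the export posted above, the msmsgs.exe line is a made-up benign exception for contrast.

```python
"""Parse a regedit /e export of the Windows Firewall AuthorizedApplications
list and flag exceptions that do not look like ones the firewall UI creates,
then build the .reg that removes them.

Added example, not part of the original thread. SAMPLE_REG is constructed.
"""
import re
from typing import Dict, List

FW_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
           r"\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"pentstrm.exe"="pentstrm.exe:*:enabled:protocol Component"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data", both sides with .reg escaping (backslash escapes \ and ")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_data}} for the REG_SZ values in a .reg file."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def triage_exceptions(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Each value is "path:scope:mode:description". Return {value_name: reasons}
    for the entries that do not look like UI-created exceptions."""
    suspicious: Dict[str, List[str]] = {}
    for name, data in values.items():
        parts = data.rsplit(":", 3)          # rsplit: the path itself contains "C:"
        if len(parts) != 4:
            suspicious[name] = [f"malformed exception data {data!r}"]
            continue
        path, scope, mode, desc = parts
        reasons: List[str] = []
        if not re.match(r"^[A-Za-z]:\\", path):
            reasons.append("bare file name, not the full path the firewall UI records")
        if name != path:
            reasons.append("value name and path differ (the UI writes the path as the value name)")
        if reasons:
            reasons.append(f"scope={scope!r} mode={mode!r} description={desc!r}")
            suspicious[name] = reasons
    return suspicious


def removal_reg(key: str, names: List[str]) -> str:
    """A .reg that deletes the listed values ("name"=- is regedit's delete syntax)."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace('"', '\\"')
    body = "\n".join(f'"{esc(n)}"=-' for n in names)
    return f"Windows Registry Editor Version 5.00\n\n[{key}]\n{body}\n"


if __name__ == "__main__":
    bad = triage_exceptions(parse_reg(SAMPLE_REG)[FW_LIST])
    for name, why in bad.items():
        print(name, "->", "; ".join(why))
    print(removal_reg(FW_LIST, list(bad)))
```

One caveat that follows from the RegSrch output posted earlier: the same exception also sits under ControlSet003 and ControlSet004. CurrentControlSet is an alias for one of the numbered control sets, so a deletion written only against CurrentControlSet leaves the copy in the other set (the one Last Known Good boots from) untouched; run removal_reg once per control set that carries it.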
     
  15. 2005/05/21
    Tylndel

    Tylndel Inactive

    When I rebooted, the Windows Update problem returned.

    The pentstrm.exe breaks it again if you reboot.

    But when I came to post that info for you, noahdfear posted the info I was lacking to fix it for good and fixed the other problems.

    I booted to safe mode, deleted the pentstrm.exe file and registry entry, and rebooted to Windows and redid the Windows Update fix.

    Tada! Everything works again. Running Norton virus scan and Microsoft AntiSpyware now to get rid of any other issues. So far it's found 11 virus/adware/etc. Haha, just when I thought I had won!

    One last thing to note is my file was not called pentstrm.exe, it was called mpg4tjis.exe, so it's got various names or it's renamed itself as part of its own survival of me going after it.

    Thanks a ton for the information that helped me solve the issue. I've seen about 3 other boards asking how to fix this bugger already. Seems it's getting around fast.
     
    Last edited: 2005/05/21
  16. 2005/05/21
    noahdfear

    noahdfear Inactive

    This file makes quite a few changes in the registry and drops a couple of other random named dlls in System32 folder as well. As soon as I get enough registry exports gathered up for comparison, I'll put together a reg file to make the necessary changes. We're close to getting you fixed NBAS1. Hang in there! ;)
     
  17. 2005/05/21
    NBAS1

    NBAS1 Inactive Thread Starter

    Thanks a million for all the help. I won't be back at the infected computer until Tuesday, but will keep checking in over the weekend . Again, thanks for all of the help and patience.
     
  18. 2005/05/23
    noahdfear

    noahdfear Inactive

    I believe I have put together a reg file that will fix the firewall issue, and hopefully the Windows Update and security app problem too. I would first like for you to download the Zone Alarm free firewall. Don't install it just yet.

    Please add Panda ActiveScan to your favorites, or place a shortcut to it on your desktop.

    Download the Codalush.zip file attached to this post. Save it to your desktop. If it saves as attachment.php, right click and rename to Codalush.zip, then right click and extract the Codalush.reg file, also to your desktop.

    If you still have the previously created export, services.reg, proceed with the second command below. Otherwise, copy and paste the first command into the Start>run dialog box and hit enter. It will create services.reg in Local Disk C: as a backup in case it's needed. Then repeat with the second command, which will create C:\services1.reg

    regedit.exe /e c:\services.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

    regedit.exe /e c:\services1.reg "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services"



    Please physically disconnect your internet connection.

    Reboot to safe mode.

    Make sure Windows Explorer is set to show hidden files and folders, as well as system files and extensions for known file types.

    Open C:\Windows\system32 and delete the following files, if present.

    pentstrm.exe
    vnetbsh.dll
    yxaetgmo.dll


    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK. When disk cleanup completes, double click the Codalush.reg file and allow it to merge into the registry.


    Reboot back into Windows and install Zone Alarm. Reboot when done and re-connect your internet connection then use the Panda ActiveScan shortcut/favorites bookmark to go directly to there and scan your PC.

    If anything is found infected and uncleanable, please post back with those results and a new HijackThis log.

    If all is clean, go directly to Windows Update and install all available critical updates. Reboot if prompted and go back until no more updates are offered, then post back with a new HijackThis log.
     
  19. 2005/05/24
    NBAS1

    NBAS1 Inactive Thread Starter

    Here is what the Panda scan found. I am now able to run Ad-Aware and Spybot. But I am still not being allowed to use the Windows Firewall or update Windows (automatically or manually).



    Incident Status Location

    Adware:Adware/Apropos No disinfected Windows Registry
    Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\thun.dll
    Adware:Adware/Virmaid No disinfected Windows Registry
    Adware:Adware/Findspy No disinfected C:\WINDOWS\alkntgw.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\awkadbr.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\dddupgg.exe
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
    Adware:Adware/Findspy No disinfected C:\WINDOWS\fycgsra.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\gxkuajq.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\ipihqwp.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\irarkau.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\jrqlrhr.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\kkiaifr.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\kopktgt.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\kpvxgji.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\kuhapqd.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\obssiqc.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\omhuxfb.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\qbwdhuw.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\rcehlcy.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\rmpkuim.exe
    Adware:Adware/CWS.Flsmngr No disinfected C:\WINDOWS\system32\flsmngr.dll
    Adware:Adware/Virmaid No disinfected C:\WINDOWS\system32\perfcii.ini
    Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\thun.dll
    Adware:Adware/Findspy No disinfected C:\WINDOWS\tamrcmc.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\vfrrjvd.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\wielicn.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\wsfroko.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\wuyfowg.exe
    Adware:Adware/Findspy No disinfected C:\WINDOWS\xdofafm.exe
    Here is a new Hijackthis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:53:03 PM, on 5/24/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
    C:\Program Files\SBC Self Support Tool\bin\mad.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\Documents and Settings\Jim\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll (file missing)
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1116442197142
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O21 - SSODL: Remote Shedule - {E046A39B-9102-4407-8F7A-98A641FF62DB} - C:\WINDOWS\system32\brown32k.dll (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - % (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  20. 2005/05/24
    noahdfear

    noahdfear Inactive

    WooHoo! Looks like a lot of success! :D

    Reboot to safe mode and run the smitfraud tool again. I updated it again on Saturday, so delete your copy and re-download it if you got it before that.

    smitfraud.zip

    When it's complete, run HijackThis again and fix the following. There may be an R1 or R0 about:blank entry in the scan that should be fixed also.

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll (file missing)
    O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
    O21 - SSODL: Remote Shedule - {E046A39B-9102-4407-8F7A-98A641FF62DB} - C:\WINDOWS\system32\brown32k.dll (file missing)

    Make sure hidden files are set to show, then search for and delete each of those files from the PandaScan. Let me know if you are unable to find any of them.

    Delete the contents of C:\Windows\Prefetch and C:\Windows\Temp.
    Run disk cleanup, checking all boxes except Compress all files.

    Reboot back into Windows and click Start>run, type cmd and hit enter to open a command prompt window. Type sfc /scannow and be prepared to put in your XP cd. Reboot when done.

    Re-install NAV.

    Post a new HJT log along with any comments.
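The four HijackThis lines singled out for fixing above are the ones whose target file is gone, plus a non-standard O21 shell service object and an msmsgs.exe that runs from system32 instead of its usual folder. Those are mechanical checks, so here is an added example that applies them to a HijackThis 1.99 log; it is not code from the thread or from HijackThis. SAMPLE_LOG is a constructed excerpt: most lines are copied from the log posted above, the WebCheck O21 line (with a placeholder CLSID) is made up as a benign control. The SSODL default list and the expected msmsgs.exe location are this example's assumptions (the latter matches the O9 Windows Messenger line in the posted log).

```python
"""Triage a HijackThis 1.99 log: list the orphaned "(file missing)" entries,
O21 SSODL entries that are not XP defaults, O4 Run entries that start a
Windows binary from the wrong place, and O23 services whose image path is
broken.

Added example, not part of the original thread or of HijackThis. SAMPLE_LOG
is a constructed excerpt.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O21 - SSODL: WebCheck - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: Remote Shedule - {E046A39B-9102-4407-8F7A-98A641FF62DB} - C:\WINDOWS\system32\brown32k.dll (file missing)
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - % (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed XP SP2 default ShellServiceObjectDelayLoad entries (loaded by explorer.exe at logon).
SSODL_DEFAULTS = {"postbootreminder", "cdburn", "webcheck", "systray"}
# Where a Windows binary of that name is expected to live (taken from the log's own O9 line).
CANONICAL = {"msmsgs.exe": r"c:\program files\messenger\msmsgs.exe"}

MISSING = "(file missing)"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# The display name may itself contain parentheses; the greedy first group
# leaves the last "(shortname)" for group 2.
O23_RE = re.compile(r"^O23 - Service: (.*) \((\S+)\) - (.*?) - (.*)$")


def _exe(command: str) -> str:
    """First executable in a Run command line (quoted or not)."""
    m = re.search(r'^"?(.*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command


def triage_hjt(log: str) -> Dict[str, List[str]]:
    """Return {log_line: [reasons]} for the lines that deserve attention."""
    findings: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        if line.endswith(MISSING):
            reasons.append("target file missing: orphaned entry")
        if (m := O4_RE.match(line)):
            exe = _exe(m.group(4)).lower()
            base = exe.rsplit("\\", 1)[-1]
            if base in CANONICAL and exe != CANONICAL[base]:
                reasons.append(f"{base} runs from {exe}, expected {CANONICAL[base]}")
        elif (m := O21_RE.match(line)):
            if m.group(1).lower() not in SSODL_DEFAULTS:
                reasons.append("non-default SSODL entry: loaded into explorer.exe at every logon")
        elif (m := O23_RE.match(line)):
            path = m.group(4).replace(MISSING, "").strip()
            if not re.match(r'^"?([A-Za-z]:\\|%\w+%)', path):
                reasons.append(f"service {m.group(2)} has a broken image path {path!r}: it cannot start")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

The O23 check is the one worth keeping an eye on for this thread: the posted log shows the Windows Firewall/ICS service (SharedAccess) with an image path of just "%" and no file, which is consistent with the firewall refusing to turn on no matter what the policy values say, and it is not something HijackThis's "fix checked" button repairs.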
     
  21. 2005/05/24
    NBAS1

    NBAS1 Inactive Thread Starter

    When I click on the smitfraud download I get an error message of "Invalid Attachment specified. If you followed a valid link, please notify the webmaster". Can I download it from another location?
     