For the first time, about 3 days ago, I was hit by what I was sure was a browser hijack attempt. Something was auto-downloaded onto my system before I could stop it, and since then my issues have been getting worse.
To sum up quickly, I tried to follow the advice given in your article, and sure enough found, despite using antivirus software and Ad-Aware, Panda said I had one virus and about 60 adware/malware things, but then IE shut down the whole page and the running Panda program.
I was very worried because I couldn't go back to that page, so I went on. Did the HouseCall scan, all went OK, didn't seem to find that much, suggested some MS updates I was missing so I installed them, used Search and Destroy, and then Ad-Aware again, then ran CCleaner and HijackThis. Rebooted and was much better, but still thought there was an issue so I tried the Panda site again (in between I changed antivirus product to AntiVir Classic 7). The site seemed to load better, but as the scan started, AntiVir active guard started popping up tons of virus? Mainly complaining of lock.exe in IE a lot, as well as win32hlp.exe, then ones I hadn't previously seen reference to, then SpySheriff promptly installed itself alongside all of this at the same time, with more virus warnings coming.
At this stage I pulled the ADSL plug from the wall and tried running all of the programs again, seeming to make good progress. Then rebooted to safe mode and proceeded to run what I could there as well.
Back in Windows now and things are bad:
Windows firewall disabled just after I rebooted, and refuses to restart. Antivir says that the guard function is working, but if I try to open it for a scan, it faults out and loads blank, with just the file menus at the top.
Ad-Aware and Spybot only work intermittently (won't load sometimes, or just load with all options greyed out).
So I have removed all the virus exe's I could see running in Task Manager, and deleted several that CCleaner found in the Windows startup:
I want you to search your system for a particular file but first let's make sure you can view all files:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Then click Start --> Search.
When the search window opens, click the "All files and folders" link from the left pane.
Then, enter wgavn.exe in the "all or part of the file name" box at the top. Scroll down to the "Look in" box and click the drop down arrow. Select your Local Hard Drive. Scroll down a bit more and click the "More advanced options". Make sure these three are checked:
* Search system folders
* Search hidden files and folders
* Search subfolders
Then click the Search button at the bottom.
When you post back, let us know if that file exists. If it does, then stop here and just post back that information and wait for further instructions.
If it doesn't exist on your system, then continue on and do this:
Please download: SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
Logfile of HijackThis v1.99.1
Scan saved at 2:10:36 PM, on 25/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Thanks for the speedy initial reply there, 1972vet. Sorry about the delay in posting this reply, had to go and pick up my daughter from school. Searched for the file, it didn't show up, so I downloaded SmitfraudFix and ran that. This was the output:
SmitFraudFix v2.75
Scan done at 15:48:48.84, Tue 25/07/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into your Normal Windows user mode.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non-infected computer will remove your Desktop background.