OK, I seem to be in virus hell.

NAV says it found Hacktool.rootkit in the following location:
E:\WINDOWS\system32\orans.sys

Since then, I've been bombarded with all kinds of junk. It seems to have allowed something called WinFier 2005 to paste itself on my desktop, as well as stuff like sidefind and 180search assistant and all kinds of other junk. I can't seem to be able to remove or quarantine or uninstall ANY of these. HELP :eek:

Downloaded and ran spysweeper, and it removed a bunch of stuff. Here's my HJT log. Please help. Also, I'd like to know how I can prevent this from happening again.

Many thanks in advance.

What log?

Rootkit:
http://www.trendmicro-middleeast.com...TROJ_ROOTKIT.N

To fix Trojans, see How to remove Trojans and its ilk!

Follow these instructions EXACTLY and put HijackThis in e.g C:\Program Files\HJT and NOT in Temp or on the Desktop!.
How to remove Begin2Search/Coolwebsearch and Other Nasties

Then see How to post your Hijackthis log-files as an attachment.

So sorry, I did read all the posts you mentioned before posting my query.

Not sure why the log didn't upload...

I scanned with Housecall too.. doesn't seem to have helped though.

Thanks.

Attached Files

HJT.txt (9.4 KB, 8 views)

Not only are you supposed to READ all those posts,
You are also supposed to FOLLOW and DO what it says in those posts!
When you have done that, post a new log.

Hey RealBlack...

Thanks for your patience. I'm sure you'll need another pint of guinness before you're done with me

Ok. So here's what I did:

1. Ran the sysclean thing from trendmicro.
2. Downloaded and ran ewido as per instructions. Scan report attached.
3. Downloaded spybot, adaware, vx2 plug in, cw shredder, smartkiller, and about buster.
4. Rebooted in safe mode and ran in this order: aboutbuster, smartkiller, cwshredder, adaware, vx2 plugin, spybot.
5. Rebooted in safe mode and ran HJT. Followed "fix" instructions as given on "how to remove begin2searcg/coolweb search and other nasties" page
6. Rebooted in safe mode and ran HJT again. Log attached.

The computer already "feels" better in terms of speed etc. However, I still seem to have this thing called WinFixer on my desktop and in my programs file. It won't uninstall.

What now???

Thanks again for your help and patience.

S

Attached Files

	HJT log2.txt (5.8 KB, 2 views)
	Scan report_20050911.txt.txt (4.7 KB, 2 views)

Did you ever go to Add/Remove Programs in the Control Panel?
It should be there. Uninstall Winfixer and then delete any traces.

Or try this:
http://www.spyware-removal-guideline...nfixer-removal

Or run Counterspy from
http://www.sunbelt-software.com/CounterSpy-Download.cfm

I did... but it doesn't appear there.

I have a shortcut on my desktop. when I right click on the shortcut and look at properties, it says "E:\Program Files\WinFixer 2005\WFX5.exe"

But I can't find that file in the programs folder, either when I access it using explorer or when I access it using the control panel. However, it appears on my start menu -- and no, I can't find it in the "taskbar and start menu" folder in the control panel.

It tried launching itself automatically, and a window poppd up that said: "the item WFX5.exe that this shortcut refers to has been changed or moved. Do you want to delete the shortcut?" I clicked on yes, and off went the shortcut. It's still in the programs list on my start menu though.

It's possible that one of the earlier "cleaning" sessions deleted it, but how do I get it off from my start menu?? I did run the counterspy software, and it found and fixed a few other things, none of them WinFixer... I couldn't believe that there was still gunk on the system after all the anti-spyware/adware stuff I downloaded and ran. How can I prevent this happening? Will something like ZoneAlarm help? Also, I'm wondering why the @$** I have a paid subscription to Norton AV if it can find stuff but not quarantine or delete it???

I'm horrified.

Click Start/Run and type in regedit and click OK.
Click on Edit/Find and type in runonce and click on Find next.
When found, check the keys Run and/or Runonce, if winfixer found, rightclick/delete it.
Press F3 for the next Find. Repeat until you come to the end of Registry, then exit Regedit.

In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.[/b]
Click on Start/Search/FileFinder and search for that winfixer, if found delete it.

RealBlack,

Thank you ,thank you, thank you. I bow to thy superior knowledge and thy willingness to share it with others.

WinFixer didn't show up in the registry, but I found it using the search tool (location = E:\documents and settings\all users\start menu\programs). I deleted it and now IT'S GONE... I hope it stays gone...

It seems like almost immediatey, ewido and spybot keep finding and removing rubbish from my system. How can I prevent the rubbish from getting there in the first place???

Thanks once again,
s

By using a combination of your brain, common sense and Firefox!
NEVER use Internet Explorer, except for Windoze updates.

Do NOT install any toolbar-crap from Google, Yahoo, MSN and whatever. (you have at least 2, they are for IE, so uninstall that junk.

Use a DECENT antivirus program like the free AVG from http://free.grisoft.com and a (free) software firewall like from http://soho.sygate.com (don't get Zonealarm).
Do NOT use any crappy resource-hogging bloatware from Symantec/Norton!

Gotcha.

Have downloaded firefox (takes some getting used to though) and the sygate firewall.

Thanks once again for all your help. May your tribe increase!

s