[Brimstone]

Logfile of HijackThis v1.99.1
Scan saved at 5:04:30 AM, on 12/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system\icrss.exe
C:\WINDOWS\system\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Sinogbas\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ei&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pacific.net.ph
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.pacific.net.ph:8080;ftp=proxy.pacific.net.ph:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system\lsass.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SpyBlockerPro] C:\Program Files\SpyStopper Pro\spyblocker.exe
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [f0a8eff1.exe] C:\WINDOWS\System32\f0a8eff1.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows DLL Loader] C:\WINDOWS\dll\rundll32.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Network Security Service] C:\WINDOWS\system\lsass.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Microsoft AntiSpyware helper - {D4CC28B6-A0A8-4F18-B9AA-6ABA606EC826} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D4CC28B6-A0A8-4F18-B9AA-6ABA606EC826} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E2426EB7-8DC2-48D0-B503-FCDB2D9BAE7C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E2426EB7-8DC2-48D0-B503-FCDB2D9BAE7C} - (no file) (HKCU)
O15 - Trusted IP range: 195.95.218.173
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149259375420
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINDOWS\system\icrss.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Network Security Service (lsass) - Unknown owner - C:\WINDOWS\system\lsass.exe (file missing)
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINDOWS\system\smss.exe

[HJT Analyzer]

Hello, visitor!

The Hijack This log analyzer has analyzed your log. Please take a closer look on the results.

Your log does not indicate any spyware or virus infection. However, there are some entries that you might want to fix. Please follow the steps below.

The following entries are not malicious, but some of them are not used anymore. You may use HijackThis to fix a few of them. However, please keep in mind that some of the entries marked as Questionable or Not Needed are fully legitimate and might be required by installed software to work properly, while some others might be related to certain parasites. It is up to you to decide whether you need any of them, or not.
C:\WINDOWS\system\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ei&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pacific.net.ph
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.pacific.net.ph:8080;ftp=proxy.pacific.net.ph:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: Microsoft AntiSpyware helper - {D4CC28B6-A0A8-4F18-B9AA-6ABA606EC826} - (no file) (HKCU)
O9 - Extra ''Tools'' menuitem: Microsoft AntiSpyware helper - {D4CC28B6-A0A8-4F18-B9AA-6ABA606EC826} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E2426EB7-8DC2-48D0-B503-FCDB2D9BAE7C} - (no file) (HKCU)
O9 - Extra ''Tools'' menuitem: Microsoft AntiSpyware helper - {E2426EB7-8DC2-48D0-B503-FCDB2D9BAE7C} - (no file) (HKCU)
O15 - Trusted IP range: 195.95.218.173
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O23 - Service: Windows Network Security Service (lsass) - Unknown owner - C:\WINDOWS\system\lsass.exe (file missing)
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINDOWS\system\smss.exe


The following files and Windows registry entries are marked as "unknown". Currently, the HijackThis Log Analyzer cannot provide required information on these items. The files and entries in the list below can be both malicious and fully legitimate. Because of this, please do not take any action! Wait for the forum responders or other forum users to provide you with necessary details and further instructions.
C:\WINDOWS\system\icrss.exe
O4 - HKLM\..\Run: [SpyBlockerPro] C:\Program Files\SpyStopper Pro\spyblocker.exe
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [f0a8eff1.exe] C:\WINDOWS\System32\f0a8eff1.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows DLL Loader] C:\WINDOWS\dll\rundll32.exe
O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINDOWS\system\icrss.exe

If you want to see more detailed analysis of your log, click here.

Thank you for using the 2-Spyware.com HijackThis log analyzer beta 2!

[GTO]

Hi Brimstone.

I'm sorry it took me so long. Thank you for your patience!

Your system is infected. Please follow these steps:

1. Download Pocket KillBox or KillBox utility.

2. Use HijackThis to fix the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [f0a8eff1.exe] C:\WINDOWS\System32\f0a8eff1.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows DLL Loader] C:\WINDOWS\dll\rundll32.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Network Security Service] C:\WINDOWS\system\lsass.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D4CC28B6-A0A8-4F18-B9AA-6ABA606EC826} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D4CC28B6-A0A8-4F18-B9AA-6ABA606EC826} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E2426EB7-8DC2-48D0-B503-FCDB2D9BAE7C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E2426EB7-8DC2-48D0-B503-FCDB2D9BAE7C} - (no file) (HKCU)
O15 - Trusted IP range: 195.95.218.173
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O23 - Service: Windows Network Security Service (lsass) - Unknown owner - C:\WINDOWS\system\lsass.exe (file missing)

3. Now restart your system in Safe Mode. This step is very important!

4. Once in Safe Mode, use either Pocket KillBox or KillBox to delete the following files:
C:\WINDOWS\dll\rundll32.exe
C:\WINDOWS\system\lsass.exe
C:\WINDOWS\System32\lich.exe
C:\WINDOWS\System32\f0a8eff1.exe

5. After you get done, restart your computer, run new HijackThis scan and post a fresh log here


I see you have a powerful anti-spyware program installed. However, you don't have any antivirus. Even the best spyware removers cannot protect you from viruses and viral trojans. That's why you got infected. Please install an antivirus program as soon as possible. I recommend Eset NOD32 (paid), Kaspersky Anti-Virus (paid) and avast! antivirus (free) products.

Your system is not up-to-date! It's vulnerable to a large number of different security and privacy risks! You have to install Service Pack 2 for Microsoft Windows XP and Internet Explorer 7. Also apply all latest updates and security fixes.

[Brimstone]

The files you told me delete with pocket killbox didn't exist anymore. Anyway heres a new log from HJT.

Logfile of HijackThis v1.99.1
Scan saved at 3:57:34 AM, on 12/21/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sinogbas\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pacific.net.ph
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SpyBlockerPro] C:\Program Files\SpyStopper Pro\spyblocker.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149259375420
O17 - HKLM\System\CCS\Services\Tcpip\..\{50CF8FEA-17BF-43C2-BE5C-836CF3503B7D}: NameServer = 210.23.235.34 210.23.234.65
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINDOWS\system\icrss.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Network Security Service (lsass) - Unknown owner - C:\WINDOWS\system\lsass.exe (file missing)
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINDOWS\system\smss.exe (file missing)

[GTO]

Hi Brimstone.

Use HijackThis to fix these entries:
O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINDOWS\system\icrss.exe (file missing)
O23 - Service: Windows Network Security Service (lsass) - Unknown owner - C:\WINDOWS\system\lsass.exe (file missing)
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINDOWS\system\smss.exe (file missing)

Everything else in your log looks clean to me. Don't forget an antivirus

[Brimstone]

Whenever I fix these entries:

O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINDOWS\system\icrss.exe (file missing)
O23 - Service: Windows Network Security Service (lsass) - Unknown owner - C:\WINDOWS\system\lsass.exe (file missing)
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINDOWS\system\smss.exe (file missing)

and I run a new scan with HJT, they still appear and don't seem to get fixed. Is there any other way to get those fixed?

And I got the avast anit-virus program.

[GTO]

Hi Brimstone.

You have two choices. Either use the System Configuration Utility (Start > Run... > msconfig.exe) to uncheck named services, or manually remove their entries from the registry. However, it's not necessary. Those entries are not used anymore, so they aren't malicious.

[Brimstone]

Whenever I use an anti-spyware or anti-virus program, theres a notice that comes up and says that there is an error and it has to close. Even when I retry again the same thing happens. So now I can't do a complete scan to get rid of the spyware or virus. When I run AVG anti-spyware theres a threat of a trojan, DNSChanger.hg and I can't seem to get rid of it either even if I stop the scan to avoid it getting closed because of the error and then try to delete or quarintine it.

I also have ad-watch and when I made it active the malware and/or viruses that my computer was infected with before came back, then I ran a scan with HJT and its there again.

Logfile of HijackThis v1.99.1
Scan saved at 3:52:12 AM, on 12/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sinogbas\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pacific.net.ph
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SpyBlockerPro] C:\Program Files\SpyStopper Pro\spyblocker.exe
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [f0a8eff1.exe] C:\WINDOWS\System32\f0a8eff1.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows DLL Loader] C:\WINDOWS\dll\rundll32.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Network Security Service] C:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [Child Protector] C:\Program Files\Child Protector\winlogin.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [f0a8eff1.exe] C:\Documents and Settings\Sinogbas\Local Settings\Application Data\f0a8eff1.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149259375420
O17 - HKLM\System\CCS\Services\Tcpip\..\{50CF8FEA-17BF-43C2-BE5C-836CF3503B7D}: NameServer = 85.255.113.108 85.255.112.131
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O23 - Service: icrss manager 32bit (icrss) - Unknown owner - C:\WINDOWS\system\icrss.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Network Security Service (lsass) - Unknown owner - C:\WINDOWS\system\lsass.exe (file missing)
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINDOWS\system\smss.exe (file missing)

[GTO]

Hi Brimstone.

You are still infected. Update your system and install a reliable firewall. I recommend COMODO Firewal or ZoneLabs Zone Alarm.

Please follow these steps:

1. Use HijackThis to fix the following entries:
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [f0a8eff1.exe] C:\WINDOWS\System32\f0a8eff1.exe
O4 - HKCU\..\Run: [f0a8eff1.exe] C:\Documents and Settings\Sinogbas\Local Settings\Application Data\f0a8eff1.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{50CF8FEA-17BF-43C2-BE5C-836CF3503B7D}: NameServer = 85.255.113.108 85.255.112.131
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)

2. Now restart your system in Safe Mode. This step is very important!

3. Once in Safe Mode, use either Pocket KillBox or KillBox to delete the following files:
C:\WINDOWS\System32\lich.exe
C:\WINDOWS\System32\f0a8eff1.exe
C:\winstall.exe
C:\Documents and Settings\Sinogbas\Local Settings\Application Data\f0a8eff1.exe

4. Reboot your computer. Download the FixWareout tool. Install and run it. Restart your computer if FixWareout asks you to.

5. Press Start and click on the Run… option. This will open the Run tool. Type in cmd and press enter. Now the Command Prompt window should appear. Type in the command ipconfig /flushdns and press enter.

6. Open the Control Panel, double-click on the Network Connections icon and launch the Local Area Connection tool. Click Properties. Double-click on the Internet Protocol (TCP/IP) entry. Select the option Obtain DNS server automaticallyor enter addresses of your Internet service provider's default DNS servers manually. Apply changes.

7. After you get done, run new HijackThis scan and post a fresh log here.

[Brimstone]

The command ipconfig /flushdns doesn't work. Its says that it failed during execution. And the O17 entry keeps coming back. If I delete it, I end up not being able to use the internet.

[GTO]

Hi Brimstone.

You can bypass that command. Just make sure you run FixWareout and change DNS settings, as you are infected with a trojan that changes network settings in order to redirect you to malicious web sites and block access to legitimate resources.