Hi there AznAnim8, welcome to PCHF.
Yup, you are indeed infected, and with a pretty nasty piece of work. But we'll clean that up for you.
First of all I need you to download some programs for use later.
Download this file and unzip it to your desktop.
Download about:Buster from here. Once it is downloaded, extract it to c:\aboutbuster and check for updates. Do NOT use it yet.
Download CWShredder from here, install it, check for updates but again, don't use it yet.
Download and install Ewido Security Suite Trial from here. Run and update the program but do not scan with it yet.
(See the "Prework" link below in my sig for installation instructions.)
Please download CCleaner.
Ensure hidden files and folders are set to show:
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean.)
How to disable system restore (WinXP):
- Click the Start button.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
Next, go to Start->Run and type "Services.msc" (without quotes), then hit OK.
Scroll down and find the service called Remote Procedure Call.
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.
Reboot your computer into Safe Mode by tapping F8 while booting up, and continue the rest of the fix in SAFE MODE.
Open HJT and click Config > Misc Tools > "Delete an NT service".
Copy and paste:
RPC
Click OK.
While in safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.
Then open CWShredder, which you downloaded in the first step. Close all browser windows and click on the Fix/Next button.
Bring up Task Manager (Ctrl-Alt-Del) and end these processes if they are present:
javark.exe
crvv.exe
Now run HijackThis and click the Scan button. When it has finished scanning, put a check against the following and click 'Fix checked':
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3EE87594-07E8-2AA2-49D8-1EA0E2CAC359} - C:\WINDOWS\system32\atlpx32.dll
O4 - HKLM\..\Run: [javark.exe] C:\WINDOWS\system32\javark.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crvv.exe
Now find and delete the files in bold, and run CCleaner.
Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.
Run Ewido and do a full System Scan with it.
Save the report it creates.
Now reboot, run HijackThis again and attach a fresh HJT log along with the AboutBuster log and the Ewido log.
Also I see you have the Messenger service running; if you don't use it, I would advise disabling it:
Please download Shoot The Messenger.
Download and run the small (22 kbyte) "ShootTheMessenger.exe" utility. It will display the current status of your system's Messenger Service. The button near the bottom of its window will allow you to set the service to whichever state — running or disabled — that you desire.
If, for any reason, you should ever choose to re-enable the Windows Messenger Service, simply re-run ShootTheMessenger to do so.
And you also don't have a firewall or AV; without those you're going to get reinfected in no time.
You could have a look in our download section for some free apps.
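As an added illustration (not part of the reply above, and not HijackThis, CWShredder or PCHF code), the following Python script shows how the entries the helper singled out can be picked out of a HijackThis-style log automatically: IE search and start pages redirected into a `res://` resource inside a local DLL, a `Default_Page_URL` forced to `about:blank`, the empty `:0` proxy setting, the missing URLSearchHook, a BHO with the generic name `Class`, autostart entries for the processes the helper kills, and a service with an unknown owner. The log format is assumed to be the plain `R1 - ... = ...` / `O4 - ...` lines as quoted in the reply; the sample log is constructed from those lines plus three benign lines that a correct triage must leave alone.

```python
"""Triage a HijackThis-style log for the indicators discussed in the reply.

Added example, not HijackThis or PCHF code. Assumes the log is plain text with
one entry per line in the form "<kind> - <body>", as quoted in the reply.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the entries quoted in the reply above, followed by three
# benign lines (also constructed) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vzapy.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3EE87594-07E8-2AA2-49D8-1EA0E2CAC359} - C:\WINDOWS\system32\atlpx32.dll
O4 - HKLM\..\Run: [javark.exe] C:\WINDOWS\system32\javark.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crvv.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example AV (exampleav) - Example Vendor - C:\Program Files\Example\av.exe
"""

# Process names the reply tells the poster to end in Task Manager.
KILL_LIST = {"javark.exe", "crvv.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# First Windows path ending in .dll or .exe; lazy so a res:// URL stops at the DLL.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # HijackThis entry type, e.g. "R1", "O23"
    reason: str  # why the entry is suspicious
    path: str    # file the entry points at, "" if none
    line: str    # the original log line


def triage_entry(line: str) -> Optional[Finding]:
    """Return a Finding if the entry matches one of the reply's indicators."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else ""
    low = body.lower()
    reason = None
    if kind in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value.lower().startswith("res://") and path.lower().endswith(".dll"):
            reason = "IE search/start page redirected into a local DLL resource"
        elif value.lower() == "about:blank" and "default_page_url" in low:
            reason = "Default_Page_URL forced to about:blank"
        elif "proxyserver" in low and value in (":0", ""):
            reason = "bogus ProxyServer value"
    elif kind == "R3" and "missing" in low:
        reason = "Default URLSearchHook removed"
    elif kind == "O2" and body.startswith("BHO: Class -"):
        reason = "BHO with the generic name 'Class'"
    elif kind == "O4" and path and path.rsplit("\\", 1)[-1].lower() in KILL_LIST:
        reason = "autostart entry for a process on the kill list"
    elif kind == "O23" and "unknown owner" in low:
        reason = "service with unknown owner"
    if reason is None:
        return None
    return Finding(kind, reason, path, line.strip())


def triage_log(text: str) -> List[Finding]:
    """Run triage_entry over every line and keep the hits."""
    hits = [triage_entry(ln) for ln in text.splitlines() if ln.strip()]
    return [h for h in hits if h is not None]


def referenced_files(findings: List[Finding]) -> Set[str]:
    """Unique (lower-cased) file paths the flagged entries point at, for cross-checking."""
    return {f.path.lower() for f in findings if f.path}


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:<4} {f.reason}: {f.line}")
    print("files referenced by flagged entries:", sorted(referenced_files(found)))
```

Running it over the sample flags all thirteen entries the helper listed and none of the three benign lines; the referenced-file set then gives the helper a list to compare against the files they tell the poster to delete by hand.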