  #1  
Old 10-03-2006
Bronze Member
 
Join Date: Sep 2006
Location: Scotland
Posts: 3
vanbommel1888
MSN virus help!!

My friend clicked one of those MSN links which asks something along the lines "Is this a picture of you?"

They have the usual: homepage has been hijacked, windows opening on their own. They have avast installed but unfortunately it didn't catch this virus; it detects it though, but it just keeps copying itself over and over.

Anyways, here is the HJT log
Attached Files
File Type: txt hijackthisll.txt (7.1 KB, 6 views)


  #2  
Old 10-03-2006
Elite Member
 
Join Date: May 2006
Location: New Brunswick,Canada
Posts: 628
genie3251

hello vanbommel1888 and welcome to pchf,

Unfortunately none of the security team are online at the moment, but they will be here shortly to help you with that problem. I know how you feel; it just happened to my brother 10 minutes ago.

genie3251


  #3  
Old 10-03-2006
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 4,096
PC Experience: Elite PC Guru
Pancake

Hi....
Please download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Do not proceed with the rest of the fix if you fail to run combofix
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Go to Start > Run and type
cmd
and OK. Type the below commands and hit "Enter" after each line
sc stop cmdService
sc delete cmdService

Type Exit to close.


Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL= http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = FindTheWebsiteYouNeed
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Locksgramactivespam] C:\Documents and Settings\All Users\Application Data\dent stupid locks gram\glue iso.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e20.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e19.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e19.exe
O4 - HKCU\..\Run: [New Wipe] C:\DOCUME~1\Dan\APPLIC~1\INTRAP~1\NameChic.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zang...ridge-c356.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\ir4ml5h11.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe (file missing)

Open Windows Explorer and delete the following highlighted file/s
Also delete the following red folder/s

C:\WINDOWS\system32\ir4ml5h11.dll
C:\Program Files\RXToolBar
C:\Program Files\outlook

Reboot.....................
Post back a new HJT log and the Combo fix.


__________________
My real name is Eddy
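
A triage pass over HijackThis entries of the kind listed in the post above, as an added example that is not part of the original thread or of HijackThis itself: it labels each entry by section code and flags structural warning signs (missing target file, unknown service owner, an autorun executable sitting in the drive root). The heuristics and the names `triage` and `flagged` are assumptions for illustration; the sample lines are copied from the fix list above.

```python
import re

# Meaning of the HijackThis section codes that appear in the fix list above.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "IE URLSearchHook", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "Autorun (Run key / Startup)",
    "O16": "ActiveX download (DPF)", "O18": "Protocol/filter handler",
    "O20": "Winlogon Notify / AppInit_DLLs", "O23": "Windows service",
}
ENTRY = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# An .exe directly under a drive root, e.g. C:\\nwnmff_e20.exe (no subfolder).
ROOT_EXE = re.compile(r"[A-Za-z]:\\+[^\\]+\.exe", re.I)

def triage(line):
    """Return (code, description, reasons) or None if not an HJT entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned: target file absent")
    if "Unknown owner" in body:
        reasons.append("no vendor name found for service binary")
    if code == "O4" and ROOT_EXE.search(body):
        reasons.append("autorun from drive root")
    return code, SECTIONS.get(code, "other"), reasons

def flagged(log_text):
    """Entries with at least one warning sign, in log order."""
    results = (triage(line) for line in log_text.splitlines())
    return [r for r in results if r and r[2]]

# Sample input: six entries copied from the fix list in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e20.exe
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\ir4ml5h11.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFu\command.exe (file missing)
"""

if __name__ == "__main__":
    for code, kind, reasons in flagged(SAMPLE):
        print(f"{code:<4}{kind:<32}{'; '.join(reasons)}")
```

The R1 hijack and the fake `outlook.exe` autorun pass these structural checks unflagged, which is why entries like those still need an analyst reading the log.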
  #4  
Old 10-03-2006
Bronze Member
 
Join Date: Dec 2005
Posts: 22
jd16591

I have heard of this virus and many of my friends have it and it is a pain. I heard a couple of my mates saying that when you download it, it places a file in the C: root directory. I have had one before that was like this as well. It is probably a good idea to run programs such as Spybot or Ad-Aware as well as an anti virus program.
JD


__________________
MY RIG
AMD AthlonXP 2000+
Gigabyte 7VTXE+ mobo
GeForce 4 Ti4200 128mb with VIVO
512mb RAM
Lite-On CD Burner
LG 16x Dual Layer DVD Burner
Antec TruePower 350W
