|
#21
| |||
| |||
| Go into add/remove programs and remove (if there) WinRar. If there is anything else in there you know should not be there, remove it also.

==============

Open HijackThis and select "Do a system scan only".

Place a check mark next to these entries:

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Policies\Explorer\Run: [w] %SystemRoot%\WinRaR.exe
O4 - HKCU\..\Policies\Explorer\Run: [mm] %SystemRoot%\sourro.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {8F63DB01-41FE-437E-9E43-2C1A716CC315} (pNetbreeze.netbreeze) - http://www.netbreeze.co.uk/registrat...pNetbreeze.cab

Close all windows except HijackThis and then click "Fix checked".

===============

Now go into C:\ and look for and delete these files if there.

C:\WINDOWS\sourro.exe
C:\Program Files\WinRAR\WinRAR.exe

================

Download CWShredder and run it.

* Click on Update.
* Click on 'I Agree' button if you agree.
* Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK.
* If it asks if you want to delete a certain random file, choose no.
* Let it finish the scan and then hit Next and Exit.

===============

Run CCleaner

Reboot the computer

Post a fresh HJT log.

Tell me how things are now. |
|
#22
| |||
| |||
| kk thanks a lot, is WinRAR bad then? I use that when I download songs or albums if they need extracting. |
|
#23
| |||
| |||
| WinRaR is infected with CWShredder. Everything you open with it is likely being infected also. Once we get you clean we will recommend a good free replacement for WinRaR. |
|
#24
| |||
| |||
| Is it safe to delete the files in the system 32 file, as it says the files should not be touched as the PC needs them to run? |
|
#25
| |||
| |||
| Skip it for now. |
|
#26
| |||
| |||
| It won't let me delete WinRAR in the program file, it says make sure the disk is not full or write protected and that the file is not currently in use. WinRAR is also in the WINDOWS file, could I delete it from there instead? I also can't find the sourro file. Should I leave them, as I can't find the sourro file and the WinRAR won't let me? |
|
#27
| |||
| |||
| Please open HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

WinRAR.exe

After killing all the above processes, click Back. Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKCU\..\Policies\Explorer\Run: [w] %SystemRoot%\WinRaR.exe <If not there just go to the next step.

After clicking Fix, exit HJT.

Now try to delete the WinRar files. |
|
#28
| |||
| |||
| I don't know what to do now 'cause it ain't in there!!!! Any ideas? |
|
#29
| |||
| |||
| Run the CWShredder and then post a new HijackThis log.

Download CWShredder and run it.

* Click on Update.
* Click on 'I Agree' button if you agree.
* Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK.
* If it asks if you want to delete a certain random file, choose no.
* Let it finish the scan and then hit Next and Exit. |
|
#30
| |||
| |||
| I used the CWShredder and it said everything was clean, here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:21:30, on 01/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Analyze.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MailChacker.exe] C:\MailChk\MailChecker.exe -r
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk/
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 4519 bytes |
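
A sketch of the triage done by eye in post #21, as an added example that is not part of any post in this thread: it parses HijackThis entry lines and marks the three kinds of entry selected for fixing there (a BHO with no file, an autostart under Policies\Explorer\Run, a downloaded ActiveX control). The rules and the function names are assumptions for illustration, and the sample is constructed from lines quoted in posts #21 and #30.

```python
import re

# A HijackThis entry is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 registry autostart details: "<key>: [<value name>] <command>"
RUN = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse(log_text):
    """Return (section, body) pairs; header and process-list lines are skipped."""
    hits = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [(m["sec"], m["body"]) for m in hits if m]

def reasons(sec, body):
    """Assumed review rules, modelled on the entries selected in post #21."""
    found = []
    if sec == "O2" and body.endswith("(no file)"):
        found.append("BHO is registered but its file is missing")
    if sec == "O4":
        m = RUN.match(body)
        if m and m["key"].endswith(r"Policies\Explorer\Run"):
            found.append("autostart set through Policies\\Explorer\\Run")
    if sec == "O16":
        found.append("ActiveX control installed from a URL")
    return found

def flagged(log_text):
    """Entries a reviewer should look at first, with the reason for each."""
    out = []
    for sec, body in parse(log_text):
        why = reasons(sec, body)
        if why:
            out.append((sec, body, why))
    return out

# Constructed sample: entries copied from posts #21 and #30 of this thread.
SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKCU\..\Policies\Explorer\Run: [w] %SystemRoot%\WinRaR.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {8F63DB01-41FE-437E-9E43-2C1A716CC315} (pNetbreeze.netbreeze) - http://www.netbreeze.co.uk/registrat...pNetbreeze.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

if __name__ == "__main__":
    for sec, body, why in flagged(SAMPLE):
        print(f"{sec}: {body}\n    -> {'; '.join(why)}")
```

A flagged entry is only a prompt for manual review; an unflagged one has not been shown to be clean.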