#1
Well, I keep getting stupid pop-ups saying my PC is under threat via the taskbar/toolbar, and a big red cross flashes in the taskbar, and my wallpaper on the desktop changes to a red background with a big symbol picture, and Norton can't see this. One of the pop-up bubbles from the taskbar/toolbar says it's trojan32.looksky, and also my home page in IE has changed to ucleaner.com, Ultimate Cleaner 2007, which is a false spyware scanner/remover. Well, here's my HijackThis logfile; hope you guys can help me.

Logfile of HijackThis v1.99.1
Scan saved at 18:21:49, on 11/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.exe
C:\Documents and Settings\crocit\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: MSVPS System - {47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINDOWS\duocore.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [aB8aaQQEp] C:\WINDOWS\kljhtmjh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ppmate] C:\Program Files\PPMate\PPMate\ppmate.exe -autoplay
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VideoCAM Web V3
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKCU\..\Run: [WmaHeck] C:\DOCUME~1\crocit\APPLIC~1\MP3MUL~1\scr road.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo!\Help\bin\matcli.exe
O4 - Global Startup: Launchpad.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: MetaCafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://crocit.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://mppv2flash3.valueactive.com/Bet365/FlashAX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{445BB3BD-2F12-4222-899A-B55D5DC88B0B}: NameServer = 192.168.1.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: wmpenv - {3E0FB092-DE7E-45DD-B757-09E9F923835A} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {5F7F51BC-A560-4511-AC58-AB3651F31CE0} - C:\WINDOWS\wmpconf.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
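The log above is what the helpers in this thread read by hand: a browser start page pointing at an unfamiliar domain, an O2 BHO and two O21 SSODL entries loading DLLs straight out of C:\WINDOWS, an O4 autorun with a random-looking value name, another autorun under a user's Application Data, and a dangling O20 Winlogon Notify entry. The script below is an added example (not a tool from the thread or from HijackThis) that encodes those reading habits as heuristics and returns the entries worth a second look. The TRUSTED_HOSTS allowlist is an assumption chosen for this example, and the sample lines are a subset copied from the log above. The Windows-root rule is deliberately loose: it also flags the webcam helper VM_STI.EXE, which the thread's helpers left alone, so the output is a review list, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed heuristics for triaging a HijackThis log; an added example, not
# a tool used in the thread. It ranks entries for human review only.

# A HijackThis entry reads "<type> - <detail>", e.g. "O4 - HKLM\..\Run: [name] C:\x.exe".
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<detail>.*)$")
# Registry autorun detail: 'HKLM\..\Run: [ValueName] "C:\path\prog.exe" /args'
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# BHO / toolbar / SSODL detail: 'BHO: name - {CLSID} - C:\path.dll'
OBJ_RE = re.compile(r"^\w+: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# First executable in a command line, with optional quotes and trailing arguments.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|cmd|bat))"?(?:\s|$)', re.IGNORECASE)
# Binaries dropped straight into the Windows root rather than system32: a strong
# hint, but some hardware helpers live there too, so this is a review flag only.
WINDIR_ROOT = re.compile(r"^c:\\windows\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)
# Autoruns started from per-user writable data directories.
USERDATA = re.compile(r"\\(?:application data|applic~1|local settings|temp)\\", re.IGNORECASE)
# Hosts the analyst chooses to trust for start pages and ActiveX (O16) downloads (assumed allowlist).
TRUSTED_HOSTS = {"microsoft.com", "msn.com", "live.com", "symantec.com", "google.com"}


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # why the entry was flagged
    line: str    # the original log line


def _trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def _exe_path(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else cmd.strip()


def triage(log_text: str) -> List[Finding]:
    """Return the entries of a HijackThis log that deserve a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the "Running processes" block, blanks
        kind, detail = m["kind"], m["detail"]
        if kind in ("R0", "R1") and "=" in detail:
            url = detail.split("=", 1)[1].strip()
            if url.lower().startswith("http") and not _trusted(url):
                findings.append(Finding(kind, f"IE start/search page points at untrusted host {urlparse(url).hostname}", line))
        elif kind == "O4":
            r = RUN_RE.match(detail)
            if r is None:
                continue  # Global Startup shortcuts use a different layout; not handled here
            path = _exe_path(r["cmd"])
            if WINDIR_ROOT.match(path):
                findings.append(Finding(kind, f"autorun [{r['name']}] runs {path} from the Windows root", line))
            elif USERDATA.search(path):
                findings.append(Finding(kind, f"autorun [{r['name']}] runs from a user data directory", line))
        elif kind in ("O2", "O3", "O21"):
            o = OBJ_RE.match(detail)
            if o and WINDIR_ROOT.match(o["path"]):
                findings.append(Finding(kind, f"shell/browser extension loads {o['path']} from the Windows root", line))
        elif kind == "O16":
            url = detail.rsplit(" - ", 1)[-1]
            if not _trusted(url):
                findings.append(Finding(kind, f"ActiveX control downloaded from untrusted host {urlparse(url).hostname}", line))
        elif kind == "O20" and "(file missing)" in detail:
            findings.append(Finding(kind, "Winlogon Notify package points at a missing DLL (dangling entry)", line))
    return findings


def report(findings: List[Finding]) -> str:
    return "\n".join(f"{f.kind:<4} {f.reason}\n     {f.line}" for f in findings)


# Sample input: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: MSVPS System - {47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINDOWS\duocore.dll
O4 - HKLM\..\Run: [aB8aaQQEp] C:\WINDOWS\kljhtmjh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VideoCAM Web V3
O4 - HKCU\..\Run: [WmaHeck] C:\DOCUME~1\crocit\APPLIC~1\MP3MUL~1\scr road.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://mppv2flash3.valueactive.com/Bet365/FlashAX.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: wmpenv - {3E0FB092-DE7E-45DD-B757-09E9F923835A} - C:\WINDOWS\wmpenv.dll
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it against a full log saved as a .txt file by reading the file into `triage()`; every line the helpers later asked to remove in this thread (the O2 BHO, the O21 entries, the Windows-root O4, the O16 control and the dangling O20) lands in the review list, while the Symantec, Nero and system32 entries do not.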
#2
My System: Custom Built v1.0
#3
Welcome to TCF.

HijackThis should be run from a permanent place on your hard drive. Please do this first: go to C: and create a new permanent folder (call it hijackthis). Then put (or download, choosing "save", not "run") the hijackthis.exe file in it (you must unzip it if it's zipped). You should now have C:\hijackthis\hijackthis.exe. Then run HijackThis by clicking this .exe file. By doing this, you will have backups if you accidentally remove the wrong item (running from a temporary folder, these backups can easily get lost). I have mine in C:\program files\hijackthis. You can then right-click the icon and create a shortcut to the desktop.

Go into Add/Remove Programs and see if anything you know shouldn't be there has been installed that you can uninstall.

If you don't have Spybot Search & Destroy, please download/install it. Here. Check for updates now and get any updates. Look for the Immunize feature in Spybot and use it. Do not use the TeaTimer function. Run Spybot and let it fix what it finds. Let me know if it cannot fix anything and what the name is.

Then run CCleaner. Use the default options. If you do not have CCleaner, please install it. Here. Once CCleaner is open, use the default options and click Analyze, and it will show a log of what will be removed. Next click Run Cleaner to remove everything. Next, on the upper left of CCleaner, select the Issues tab. Next click Scan For Issues. Next click Fix selected issues. It will prompt you to make a backup. For the first run I would suggest doing so.

Run a new HJT scan. Please save the log as a .txt file to your desktop. In the next post click Go Advanced. Scroll down and click Manage Attachments and add the log as an attachment. This is much more convenient than scrolling through logs within posts when trying to help.

EDIT: Spybot is likely to find and not fix this problem. We will then move on to special instructions. I am hoping Spybot will provide the name of the infection.

Last edited by evilfantasy : 11th Aug 2007 at 10:55 AM.
#4
Well, I've done a Spybot Search & Destroy scan and an Ad-Aware SE scan; it seems to be called win32.TrojanDownloader.NewMedia. I'm currently just doing the CCleaner clean-up thing now. Could it be win32.TrojanDownloader.NewMedia that's doing this?
#5
It is likely. I will need another HJT log. Where there is one there can be more.

Run a new HJT scan. Please save the log as a .txt file to your desktop. In the next post click Go Advanced. Scroll down and click Manage Attachments and add the log as an attachment. This is much more convenient than scrolling through logs within posts when trying to help.

I take it they were not able to be removed by Spybot or Ad-Aware?
#6
Right, done all the CCleaner things, and did a new HijackThis run, which is in the attachment as you said; also printed a screen of my desktop. Thanks for your help, guys. It removed it, but it came back 3/4 hours later.

Last edited by crocit : 11th Aug 2007 at 03:14 PM.
#7
Wow, that is one busy desktop!

My System: Custom Built v1.0
#8
Please do the following...

1. Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Reboot your computer in Safe Mode. If the computer is running, shut down Windows, and then turn off the power. Wait 30 seconds, and then turn the computer on. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe Mode. Log in to your usual account.

Open the SmitfraudFix folder, then double-click the smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and pressing Enter. Wait for the tool to complete and disk cleanup to finish.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hitting Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hitting Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Run CCleaner. Do a fresh HJT scan and post a new HJT log along with the rapport.txt log (2 attachments).
#9
That SmitfraudFix seems to have got rid of it, because I don't see the "open error cleaner" or "privacy protected" icons any more. Well, I've attached the rapport.txt and the new HijackThis scan, and done a CCleaner clean. Thank you very much for your help!! :):D:o
#10
OK, looks good. Just a few more quick steps.

Run HJT and select "Do a system scan only". Check/tick these entries:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://mppv2flash3.valueactive.com/Bet365/FlashAX.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

**Important: close all windows, including this one, before clicking Fix checked.

Finally, we will want to toggle System Restore to remove infected restore points.

1: Right-click on the My Computer icon on your desktop and select Properties.
2: Click on the System Restore tab.
3: Check the box that says "Turn off System Restore on all drives". Click OK.
4: Click Yes when you are prompted to restart the computer.
5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.