I have attracted a virus that takes over the background of my desktop and I can't change it. This is what it says:
ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.
Every site you or somebody or even something, like spyware, opened in your browser, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life!
SECURE YOURSELF RIGHT NOW!
At the end of the message, it says click here for removal instructions in which it then takes me to a web site. The web site is:
http://213.159.117.130/?affid=NAT-1
I have ran the spykiller and here is what comes up:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\System32\mshelp32.exe
C:\WINDOWS\githolbu.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\windows\system32\zgaccp.exe
C:\windows\system32\packager.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Documents and Settings\Administrator\Application Data\osoa.exe
C:\WINDOWS\System32\d?xplore.exe
C:\WINDOWS\System32\ctlstmib.exe
C:\WINDOWS\SYSfit.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://government.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {768A885C-BC07-4F9C-93F5-D8080B211696} - C:\WINDOWS\System32\paebbaa.dll (file missing)
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\System32\mshelp32.exe
O4 - HKLM\..\Run: [QkWbN] C:\WINDOWS\githolbu.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [zgaccp] c:\windows\system32\zgaccp.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Administrator\Application Data\osoa.exe
O4 - HKCU\..\Run: [Tfkd] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [dox9RWZmV] ctlstmib.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://coahdc/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://coahdc/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://coahdc/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://coahdc/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/1/loader2.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = COAH.local
O17 - HKLM\Software\..\Telephony: DomainName = COAH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = COAH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = COAH.local
O23 - Service: ASF Agent - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
Please help!!!!
ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.
Every site you or somebody or even something, like spyware, opened in your browser, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life!
SECURE YOURSELF RIGHT NOW!
At the end of the message, it says click here for removal instructions in which it then takes me to a web site. The web site is:
http://213.159.117.130/?affid=NAT-1
I have ran the spykiller and here is what comes up:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\System32\mshelp32.exe
C:\WINDOWS\githolbu.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\windows\system32\zgaccp.exe
C:\windows\system32\packager.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Documents and Settings\Administrator\Application Data\osoa.exe
C:\WINDOWS\System32\d?xplore.exe
C:\WINDOWS\System32\ctlstmib.exe
C:\WINDOWS\SYSfit.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://government.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {768A885C-BC07-4F9C-93F5-D8080B211696} - C:\WINDOWS\System32\paebbaa.dll (file missing)
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\System32\mshelp32.exe
O4 - HKLM\..\Run: [QkWbN] C:\WINDOWS\githolbu.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [zgaccp] c:\windows\system32\zgaccp.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Administrator\Application Data\osoa.exe
O4 - HKCU\..\Run: [Tfkd] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [dox9RWZmV] ctlstmib.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://coahdc/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://coahdc/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://coahdc/officescan/clientinstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://coahdc/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/1/loader2.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = COAH.local
O17 - HKLM\Software\..\Telephony: DomainName = COAH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = COAH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = COAH.local
O23 - Service: ASF Agent - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
Please help!!!!