First of all thank you very much by cheking this post wanting to help me out, and sorry by some mistakes i might do, cause english isnt my first language.

I have some kind of trojan spyware in my computer that i could not remove with my knowledge..
I am really lost in what i sould do now, i runned and fix checked some things with hijack this and runned other programs but i cant get it out.
It turns my internet explorer home page to " about:blank " and showing some kind of porno searcher. I noticed this and the existence of a c:\programs\MKC001\MKC001.exe in the cpu, probably related. I runned various anti-spyware programs wich removed some spyware acitivity, but when i reboot the situation of " about:blank "is the same. It is not this cpu that is infected, its a one i will be working in 4 hours; if i post a log of hijackthis or any other program you ask me to, can please please someone help me to resolve this problem tonight ?
I am really lost in what i should do now, i runned and fix checked some things with hijack this and runned other programs but i cant get it out...
Sincere thank you to someone who attends my request of help.

Logfile of HijackThis v1.99.1
Scan saved at 23:42:38, on 23-02-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Programas\QuickTime\qttask.exe
C:\WINDOWS\javajo.exe
C:\Programas\SpeedTouch\Dr SpeedTouch\drst.exe
C:\spywarevanisher-full\SpywareVanisher.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\appyc.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EAA02F05-94D5-AC51-1A38-4EE43DA52407} - C:\WINDOWS\addfw.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programas\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [javajo.exe] C:\WINDOWS\javajo.exe
O4 - HKCU\..\Run: [STManager] "C:\Programas\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - Startup: SyscomII.LNK = C:\Programas\SyscomII\SyscomII.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programas\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Programas\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper (�%AF夶À¨) - Unknown owner - C:\WINDOWS\appyc.exe

i would apreciate all the help you can give me thank you

1. Download AboutBuster here:
http://www.malwarebytes.biz/AboutBuster.zip

Unzip it to your desktop but don't run it yet we'll do that later on down in this list in SAFE MODE.

2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.

3. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

4. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called 'Network Security Service' or 'Remote Procedure Call (RPC) Helper' or 'Workstation NetLogon Service'. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

5. Reboot to Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

6. Scan with Hijack This (current version is 198.2) and put checks next to all the following, then click "Fix Checked".
<**** insert HJT entries ***>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ftfgh.dll/sp.html#10001
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {EAA02F05-94D5-AC51-1A38-4EE43DA52407} - C:\WINDOWS\addfw.dll

O4 - HKLM\..\Run: [javajo.exe] C:\WINDOWS\javajo.exe

O23 - Service: Remote Procedure Call (RPC) Helper (�%AF夶À¨) - Unknown owner - C:\WINDOWS\appyc.exe
Delete the following files/folders:
C:\WINDOWS\javajo.exe
C:\WINDOWS\appyc.exe
C:\WINDOWS\ftfgh.dll
C:\WINDOWS\addfw.dll

7. Double click on the AboutBuster tool I had you download earlier. Follow the instruction prompts to use the program and let do two scans (it will ask). When finished, press the *Save log* button. I will want a copy of that log after all steps are completed here.

8. Scan with Adaware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

10. Reboot to normal mode, scan again with Hijack This and post a new log here.

11. NOTE:Two possibly three or four files may have been deleted from your computer by the hijacker and may need to be replaced.

Control.exe
Shell.dll
SDHelper.dll (if you are using Spybot Search & Destroy)
Hosts file (no extension)

If control.exe, shell.dll or SDHelper is missing
Go here: http://spywareinfo.com/~merijn/winfiles.html and download the needed file.

For a missing Hosts file:
Download Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

12. Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.
Quote:

ActiveX controls and plug-ins
* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)

13. Finally, do an online scan at the following site. Let it remove any infected files found.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Finally, when you are all done, please post the new HJT log and the AboutBuster log here for review

All clean now, the problem is solved. Thank you very much and god bless u for the work you guys develop around here.

It is still best to post a final HiJackThis log for review.

Sorry about my delay in responding, Thank you very much for all the work done here.
Here is my current hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:48:48, on 09-03-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Programas\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\SpeedTouch\Dr SpeedTouch\drst.exe
C:\spywarevanisher-full\SpywareVanisher.exe
C:\Programas\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\Programas\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programas\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [STManager] "C:\Programas\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-full\SpywareVanisher.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Programas\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Programas\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Programas\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Programas\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programas\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Programas\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Programas\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe

Oh, by the way, don´t know if you figure something out of this log about it, but my computer is runnin very slow (not only internet explorer) and the only program installed lately is Panda 2005 Titanium (registered av). Disk cleanup all done, also cookies gone and several defragmentations..

The log is clean and there is nothing to suggest an infection. You might check the CPU% in the Task Manager and see if any program continuously uses a large portion of the CPU, System Idle excepted.

Also, if you have not paid for it, you may want to re-consider using SpywareVanisher. Check here for info: http://www.spywarewarrior.com/rogue_anti-spyware.htm



At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and Internet Explorer. The first defense against infection is a properly patched Operating System.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Select Internet Options from the Control Panels, or from Internet Explorer (Tools -> Internet Options)
Press 'default level', then OK
Now press "Custom Level."

In the ActiveX controls and plug-ins section set these options:
'Download singed ActiveX controls' - Prompt
'Download unsigned ActiveX controls' - Disable
'Initialize and script ActiveX controls not maked as safe'- Disable
All other options accept the default

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
c. BHODemon: http://www.definitivesolutions.com/bhodemon.htm
d. Bugoff: http://castlecops.com/downloads-file-374.html

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing one of the following:
a. Microsoft AntiSpyware: http://www.microsoft.com/athome/security/s...re/default.mspx
NOTE: MS AntiSpyware only runs on Windows 2000, XP, and 2003.
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
c. AdAware: http://www.lavasoft.de/ Due to AdAware's recent decision to remove WhenU from its detection database, only to quickly add it back in response to public outcry I can no longer recommend this product as a first line of defense. For those interested, here is a link to discussion regarding this: http://www.dslreports.com/forum/remark,12665642~mode=flat

Use these programs to regularly scan your system for and remove many forms of spyware/malware. I recommend and use Micosoft AntiSpyware.

If you use, or plan on using, additional spyware/malware detection and/or removal programs, please check Items 8 and 9.

5. Install 'Spoofstick"
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Clean Temporary Files and Folders
Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the bottom of the fly out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.

Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

8. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

9. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

10. Alternate Browser
Consider using an alternate browser as your default. I recommend and use Firefox as my primary browser. It is still necessary to keep Internet Explorer current and protected in order to use Windows Update.


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.

I have already payed for SpywareVanisher, but thank you very much for sugestion. In fact it is system idle proccess that keeps my cpu hard disk slower and making noise, but this wasnt happening a couple weeks ago. Is there nothing i can do about it? Great internet speed and it became slow...
Thank you very much.

System Idle in excess of 90% is normal. Mine is regularly over 95%. It will cause no noise or slowdown. Perhaps you have a noisy fan or hard drive.