hi there first off i want to say that i have read scott's and killertoad's request for help i see scott has a typo in the virus name how do i know because i have the same virus its called Win32/Stepaik.B@mm and it has infected my alg.exe witch i beleve to be my XP firewall (the built in one) after manny hours of scanning & searching I have not found a cure for this version of virus i have seen a fix for the Win32/Stepaik & Win32/Stepaik.A@mm but these tools do not delete the virus and the only place i could find that had this version of the virus was RAV anti virus here is the link i found http://www.ravantivirus.com/scan/scan-stats.php?top=all but the problem is that there is no info on that site about this type of virus.... SO i as well as scott and killertoad ask for help to remove this virus from my computer 1 can i go to safe mode and just delete the alg.exe as i an running norton firewall 2 Is it posabale that RAV only has 1 name for the diff versions of the Win32/stepaik virus and if so why the other virus scanners don't find or remove this B version if you want me to post a hijackthis log for more info about my computer just let me know and i well post it thankyou in advance Static-X

Hi Static-X Post the Hijack log.

here is my hijackthis log hope it helps StartupList report, 14/11/2003, 12:37:09 PM StartupList version: 1.52 Started from : C:\Documents and Settings\lost-mojo\Desktop\HijackThis.exe Detected: Windows XP SP1 (WinNT 5.01.2600) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options * Showing rarely important sections ================================================== Running processes: C:\windows\System32\smss.exe C:\windows\system32\winlogon.exe C:\windows\system32\services.exe C:\windows\system32\lsass.exe C:\windows\system32\svchost.exe C:\windows\System32\svchost.exe C:\windows\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton Internet Security\NISUM.exe C:\windows\Explorer.exe C:\windows\SOUNDMAN.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\windows\System32\ctfmon.exe C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe C:\Program Files\Norton Internet Security\ccPxySvc.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\windows\System32\nvsvc32.exe C:\Documents and Settings\lost-mojo\Desktop\HijackThis.exe --------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, --------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SoundMan = SOUNDMAN.exe nwiz = nwiz.exe /install NvCplDaemon = RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup NeroCheck = C:\WINDOWS\system32\NeroCheck.exe ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" --------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run VirtualDesktop = "C:\Program Files\Tweak-XP Pro 3\virtuald.exe" STYLEXP = C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide Steam = CTFMON.EXE = C:\windows\System32\ctfmon.exe Ashampoo PopUpBlocker = C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe --------------------- Enumerating Active Setup stub paths: HKLM\Software\Microsoft\Active Setup\Installed Components (* = disabled by HKCU twin) [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP [>{26923b43-4d38-484f-9b9e-de460746276c}] * StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] * StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] * StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install [{7790769C-0471-11d2-AF11-00C04FA35D02}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install [{89820200-ECBD-11cf-8B85-00AA005B4340}] * StubPath = regsvr32.exe /s /n /i:U shell32.dll [{89820200-ECBD-11cf-8B85-00AA005B4383}] * StubPath = %SystemRoot%\system32\ie4uinit.exe --------------------- Shell & screensaver key from C:\windows\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=*Registry value not found* drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* --------------------- Checking for EXPLORER.exe instances: C:\windows\Explorer.exe: PRESENT! C:\Explorer.exe: not present C:\windows\Explorer\Explorer.exe: not present C:\windows\System\Explorer.exe: not present C:\windows\System32\Explorer.exe: not present C:\windows\Command\Explorer.exe: not present C:\windows\Fonts\Explorer.exe: not present --------------------- Checking for superhidden extensions: .lnk: HIDDEN! (arrow overlay: NO!) .pif: HIDDEN! (arrow overlay: NO!) .exe: not hidden .com: not hidden .bat: not hidden .hta: not hidden .scr: not hidden .shs: HIDDEN! .shb: HIDDEN! .vbs: not hidden .vbe: not hidden .wsh: not hidden .scf: HIDDEN! (arrow overlay: NO!) .url: HIDDEN! (arrow overlay: yes) .js: not hidden .jse: not hidden --------------------- Enumerating Browser Helper Objects: (no name) - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (no name) - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll - {49E0E0F0-5C30-11D4-945D-000000000003} (no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B} NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872} --------------------- Enumerating Task Scheduler jobs: Norton AntiVirus - Scan my computer.job Symantec NetDetect.job --------------------- Enumerating Download Program Files: [Symantec AntiVirus scanner] InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab [InstallFromTheWeb ActiveX Control] InProcServer32 = C:\WINDOWS\Downloaded Program Files\iftw.dll CODEBASE = http://tw.msi.com.tw/autobios/client/iftwclix.cab [Symantec RuFSI Utility Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab [WScanCtl Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll CODEBASE = http://www3.ca.com/virusinfo/webscan.cab [InstallShield International Setup Player] InProcServer32 = c:\windows\downlo~1\isetup.dll CODEBASE = http://www.installengine.com/engine/isetup.cab [Update Class] InProcServer32 = C:\WINDOWS\System32\iuctl.dll CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37905.6640277778 [CRAVOnline Object] InProcServer32 = C:\WINDOWS\Downloaded Program Files\ravonline.dll CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab [MSN Chat Control 4.5] InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab --------------------- Enumerating Windows NT/2000/XP services AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart) Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart) Symantec Proxy Service: C:\Program Files\Norton Internet Security\ccPxySvc.exe (autostart) Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Diskeeper: C:\Program Files\Executive Software\Diskeeper\DkService.exe (autostart) Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart) Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Event Log: %SystemRoot%\system32\services.exe (autostart) Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart) Norton Internet Security Accounts Manager: C:\Program Files\Norton Internet Security\NISUM.exe (autostart) NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart) Plug and Play: %SystemRoot%\system32\services.exe (autostart) IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart) Protected Storage: %SystemRoot%\system32\lsass.exe (autostart) Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart) Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart) Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart) SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart) ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart) Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Secdrv: System32\DRIVERS\secdrv.sys (autostart) Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart) System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) StyleXPService: "C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe" (autostart) SVKP: \??\C:\WINDOWS\System32\SVKP.sys (autostart) Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) --------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\windows\system32\SHELL32.dll CDBurn: C:\windows\system32\SHELL32.dll WebCheck: C:\windows\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll --------------------- End of report, 11,318 bytes Report generated in 0.093 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only