dlh6213 27 Posting Maven Team Colleague

Sorry for the delay in replying to this. You may need to remove and reinstall AVG.

Scan with hijackthis and have it fix the following entries:

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

Close any open windows, other than hijackthis, before hitting Fix checked.

Go to C:\WINDOWS\system32 and delete NvMcTray.dll

Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post a new log. Also, describe any problems you are still having, please.

dlh6213 27 Posting Maven Team Colleague

Hey, sorry I haven't posted in a few days. Got something strange to report. When I click on the link, Mozilla tells me that the operation has timed out and I can't manually find the site. Any thoughts?

Only that it may have been down at the time; I just tried it with IE and it works fine. I'll try it with Firefox later and see what happens. In the meantime, try it again.

dlh6213 27 Posting Maven Team Colleague

The Ewido I have doesn't have a Fix option; if yours does, go ahead and use it.

Yes, scan in Safe Mode. :)

dlh6213 27 Posting Maven Team Colleague

DMR's suggestion will probably work to get rid of it, but if it doesn't, try this --

Boot with your Windows XP installation CD.

When the Setup window opens, press R "To repair a Windows XP installation using Recovery Console"

It will show all the Windows installations on your hard drive. Select the number corresponding to Windows XP (probably 1), and press Enter.

Enter any required passwords.

At the command prompt type:
cd \windows\system32

Press Enter

Type:
del hjharl.exe

Press Enter

Type:
exit

The system will reboot and the file should be gone.

dlh6213 27 Posting Maven Team Colleague

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run; please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Open Firefox, go to Tools, Options, and click on Privacy (padlock icon on the left); click on the Clear All button.

Download, install, update, and run PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Scan with HJT and have it fix this entry:
O4 - HKLM\..\Run: [oxpacud] c:\windows\system32\hpklvh.exe r

Reboot into Safe Mode and delete these files:

C:\windows\system32\hpklvh.exe
C:\WINDOWS\njopaiqeo.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\zfvridb.exe

Empty your Recycle Bin, and do another scan with …

dlh6213 27 Posting Maven Team Colleague

Lol :D, no problem. Guess I'd better open it again before we get another thread started.

dlh6213 27 Posting Maven Team Colleague

You should post a new hijackthis log to be sure your system is all cleaned up.

And yes, it does often take a while to get an answer. But because we're so busy here, threads do get overlooked on occasion; if you don't get a reply within 24 hrs, you can enter another post yourself to bring the thread back to the top of the forum.

I just noticed you started a new thread; please stick to one thread for the same problem.

This thread is being closed; please follow crunchie's instructions in your other thread. EDIT -- threads merged and reopened.

dlh6213 27 Posting Maven Team Colleague

Most of the 'Poker' games installed on users' computers were installed without their knowledge, and most come accompanied with adware and/or spyware; this is why I asked. Perhaps yours doesn't come with this 'junk,' or maybe you're okay with whatever ads, etc. it does include.

Go to Add/Remove Programs in your Control Panel and remove (if present):

BearShare
WildTangent

Delete the Nailfix you have now and try downloading it again; you may not have gotten a complete download. Then follow the previous instructions for both Nailfix and Ewido again.

Have HJT fix this entry:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Delete these files:

C:\WINDOWS\Nail.exe
C:\windows\system32\dtrrum.exe

Delete these folders:

C:\Program Files\BearShare
C:\Program Files\WildTangent
C:\WINDOWS\wt

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves), don't exclude the Valued Customer folder:

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress …

dlh6213 27 Posting Maven Team Colleague

Hi Jessica, welcome to DaniWeb :D

You will need to disconnect from the internet so you may wish to print these instructions.

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet).

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.

Disconnect from the net and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Reboot normally.

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9....a-ob-assets.cab
O16 - …

dlh6213 27 Posting Maven Team Colleague

Hi klauskinky, welcome to DaniWeb :D

Norton should be able to remove that; follow the instructions here:
http://securityresponse.symantec.com/avcenter/venc/data/hacktool.rootkit.html

Move hijackthis into its own permanent folder (it's now in a Temp folder), so that it, and the backups it will create, will not get deleted during the cleanup process.

After you've moved hijackthis, close any open browser windows, scan with HJT, and post a new log please.

You can also try running a couple of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

dlh6213 27 Posting Maven Team Colleague

You will need to disconnect from the internet so you may wish to print these instructions.

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet).

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.

Disconnect from the net and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Reboot normally.

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

dlh6213 27 Posting Maven Team Colleague

Still no luck on getting rid of the mad.dll file (these guys are good). When I tried to tell the pocket box killer to reboot the computer, an error message came up. When I tried to tell the program to delete the file right there it said the file does not exist. Anyway, here's my new log file.

Yes they are good (if you can call this 'good'). This file is both self-protecting and self-replicating.

You can find instructions for removing it here:
ftp://www.wizardnco.com/pub/Docs/RemoveTVM/
(click on the How to Properly Remove TVM.doc link)

When you get to the part where you open the Registry (regedit), I suggest you make a backup before proceeding. At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Let us know how it goes...

dlh6213 27 Posting Maven Team Colleague

If you have a hijackthis.exe icon on your desktop, do this:

Right-click in an empty area of your desktop and select New, Folder; give the folder a name (something like HJT or HijackThis). Then, drag the hijackthis.exe icon into this folder.

Close any open browser windows, open HijackThis, and click on 'Scan and Save Log'

Copy the log and paste it here in this thread.

dlh6213 27 Posting Maven Team Colleague

There is an updated fix for Aurora, so I think you should run it.

You will need to be disconnected from the internet during this process, so you may wish to print out these instructions.

Download the updated Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop but do NOT run it yet.

Disconnect your system from the internet and reboot into Safe Mode.

Double-click on Nailfix.cmd; your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run another full scan with Ewido and save the log.

Scan with hijackthis and have it fix the following entry:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hjharl.exe reg_run

Go to C:\WINDOWS\System32 and delete hjharl.exe

If you can't delete it, Open HijackThis again.

Click on the Config button, and then click on the Misc Tools button; click on the button labeled Delete a file on reboot...

A new window will open asking you to select the file that you would like to delete on reboot. Navigate to C:\WINDOWS\System32\hjharl.exe, click on it once, and then click on the Open button.

You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button to reboot now.

After you've rebooted (normally), search for hjharl.exe again to make sure it's gone; let us know in your next post.

Reconnect …

dlh6213 27 Posting Maven Team Colleague

Apparently there is an updated fix for this that I wasn't aware of; hopefully this will clean it up.

You will need to be disconnected from the internet during this process, so you may wish to print out these instructions.

Download the updated Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop but do NOT run it yet.

Disconnect your system from the internet and reboot into Safe Mode.

Double-click on Nailfix.cmd; your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run another full scan with Ewido and save the log.

Next run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ppgmull] c:\windows\system32\gjlblli.exe r
O4 - HKLM\..\Run: [gnzrsbm] c:\windows\system32\znxafz.exe r

Close all open windows, other than HijackThis, and click Fix checked.

Go to the following locations and delete the highlighted files:

dlh6213 27 Posting Maven Team Colleague

It's still in a Temp folder (C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.188\HijackThis.exe). It needs to be in its own permanent folder so that it, and the backups it will create, do not get deleted during the cleanup process.

If you have a hijackthis.exe icon on your desktop, do this:

Right-click in an open area of your desktop, select New, Folder; give the folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon into the new folder.

Then, close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Hi lol102001, welcome to DaniWeb :D

Please take a look at this thread:
http://www.daniweb.com/techtalkforums/thread24085.html

And after you've moved hijackthis, please post a new log.

dlh6213 27 Posting Maven Team Colleague

Open Firefox, go to Tools, Options, and click on Privacy (padlock icon on the left); click on the Clear All button.

Scan with hijackthis and have it fix this entry:
O4 - HKLM\..\Run: [lvmkyfg] c:\windows\system32\uvivqm.exe r

Then delete this file:
C:\windows\system32\uvivqm.exe

Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in this thread.

Please post another hijackthis log as well.

dlh6213 27 Posting Maven Team Colleague

Don't delete the HijackThis backups, at least not until your system is clean and has been running properly for a while.

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Boot into Safe Mode and do a search for mad.dll

Run Pocket Killbox and paste the full file path of mad.dll in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\mad.dll)

Reboot normally and do a search for mad.dll again and let us know if it's gone in your next post.

Scan with HJT and post a new log please.

dlh6213 27 Posting Maven Team Colleague

It looks like you got most of it cleaned up now, but just to make sure...

Download rkfiles.zip from:
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot into Safe Mode.

Double-click rkfiles.bat
It will scan for a while, so please be patient.
Wait for the DOS window to close, and then reboot back to normal mode.

Post the contents of C:\log.txt in your next reply.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run; please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Run …

dlh6213 27 Posting Maven Team Colleague

Hi Michelle, welcome to DaniWeb :D

First, right-click in an open area of your desktop and select New, Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.

I don't see the typical entries in your log for Aurora, but maybe you've partially fixed it. Just in case, do this...

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode.

Double-click on the Nailfix.bat that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Reboot normally.

Scan with hijackthis and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nso18A.dll (file missing)
O2 - BHO: (no name) - {D2BB2846-00CB-8CF0-8C1E-E0B4A08AF596} - C:\WINDOWS\FYI\ecxacawryf.dll (file missing)
O4 - HKCU\..\Run: [pcdlib32] C:\WINDOWS\pcdlib32.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1105540045194
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhe...n7/dlhelper.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.116/view22/View22RTE.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - …

dlh6213 27 Posting Maven Team Colleague

Start with this --

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run; please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Run at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

If AVG will find the entries, but not fix them, it should give you the locations so you can navigate to them and delete them manually.

Empty your Recycle Bin and Reboot.

Right-click in an …

dlh6213 27 Posting Maven Team Colleague

Do this again please...

Reboot into Safe Mode.

Double-click on the Nailfix.bat that is on your desktop.

When it's finished, run a full system scan with Ewido.

Reboot normally.

Scan with hijackthis and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [qisqtc] c:\windows\system32\coyeps.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Be sure to close all open windows before hitting Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\Nail.exe
C:\windows\system32\coyeps.exe
C:\WINDOWS\svcproc.exe

Reboot and post a new hijackthis log and the new Ewido log.

dlh6213 27 Posting Maven Team Colleague

Sorry, that site has been revised; please go here instead and follow the instructions:
http://www.newdotnet.com/removal.html

Your system needs to be set to Show hidden files and folders in order to see those folders.

Deleting the temp files won't hurt the programs.

dlh6213 27 Posting Maven Team Colleague

Thank you so much!! I have been struggling forever with this and it was as easy as downloading this program. I am soo happy! Thank you!

Glad Bruce was able to help you get this fixed finally :)

As soon as possible, you should go to Windows Update and get (at least) SP1a for XP.

dlh6213 27 Posting Maven Team Colleague

It's best to wait until your system is clean before getting SP2.

SP2 won't fix the hacktool problem, you need to follow the instructions from Symantec to remove it.

After you've finished the updates and the hacktool removal procedure, please post a new log.

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs in your Control Panel and remove (if present):

Viewpoint (or Viewpoint Manager, ViewMgr or something similar)

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet).

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode.

Double-click on the Nailfix.bat that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Reboot normally.

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ezgecws] c:\windows\system32\sgwfwb.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine …

dlh6213 27 Posting Maven Team Colleague

You're welcome, glad we could help :)

dlh6213 27 Posting Maven Team Colleague

Remove Newdotnet either from Add/Remove Programs, or by going to http://www.newdotnet.com/#remove and scrolling down to the Uninstall tool.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run; please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Open Firefox, go to Tools, Options, and click on Privacy (padlock icon on the left); click on the Clear All button.

Go to Add/Remove Programs in your Control Panel and remove Kazaa.

Get Kazaabegone to remove all remnants of Kazaa:
http://www.spychecker.com/program/kazaagone.html

Before running Kazaabegone, download LSPfix from http://www.computercops.biz/downloads-file-334.html (the …

dlh6213 27 Posting Maven Team Colleague

Open HijackThis

Click on the Config button

Click on the Misc Tools button

Click on the button labeled Delete a file on reboot...

A new window will open asking you to select the file that you would like to delete on reboot. Navigate to mad.dll, click on it once, and then click on the Open button.

You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button to reboot now.

After you've rebooted, search for mad.dll again to make sure it's gone; let us know in your next post.

Post a new hijackthis log and let us know if you're still having problems. If so, please describe it/them.

dlh6213 27 Posting Maven Team Colleague

Hi SediAK, welcome to DaniWeb :D

Go to Add/Remove Programs in your Control Panel and remove (if present):

MyWay (or MySearch, MyBar, or anything similar)

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet).

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode.

Double-click on the Nailfix.bat that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Reboot normally.

Scan with hijackthis and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - C:\Program Files\Games\tbGame.dll (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [ztkedjw] c:\windows\system32\htjmkdh.exe r
O9 - Extra button: (no name) - {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - (no …

dlh6213 27 Posting Maven Team Colleague

Your log looks clean to me other than the possible exception of

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

If you didn't put this in your Trusted Zone yourself, you can have hijackthis fix it.

Are you still having problems with your system?

dlh6213 27 Posting Maven Team Colleague

Okay, we'll wait for the new log.

Did you set Dawn.com as your start page yourself?

dlh6213 27 Posting Maven Team Colleague

:D That's more like it, except you should take the .exe out of the folder name (so it looks like this: C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe, instead of this: C:\Documents and Settings\Owner\My Documents\hijackthis.exe\HijackThis.exe)

Go to Add/Remove Programs in your Control Panel and remove (if present):

EmpirePoker
WeatherBug

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\tgihc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\tgihc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\tgihc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\tgihc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\tgihc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\tgihc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\tgihc.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FFB01F76-070A-2AD3-8F84-AA3B478C5BC2} - C:\WINNT\system32\winkl32.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O20 - AppInit_DLLs: mad.dll

Close any …

dlh6213 27 Posting Maven Team Colleague

Your log looks good, other than one stubborn entry.

Go to Services in your Administrative Tools control panel.

Locate the service named 11Fßä#·ºÄÖ`I, if present, and double-click on it to check its status. If the Startup type shows anything other than Disabled, use the drop-down arrow to change it to Disabled. If the Stop button is highlighted (not grayed out), click on the button to stop the service. Then close the Services utility.

Scan with HJT and have it fix this entry again:

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipbc.exe" /s (file missing) (Remember to close any open windows before hitting Fix checked)

Reboot, run HJT again and see if the O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipbc.exe" /s (file missing) entry still exists.

If it does, try deleting it through the Windows Registry Editor:

Copy 11Fßä#·ºÄÖ`I (so you can paste it later)

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Then click on Edit, Find; in the box, paste 11Fßä#·ºÄÖ`I that you copied earlier, and then click on …
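As an added defender-side example (not from either post above and not part of HijackThis itself), a small Python triage that applies the same reading of a log that the two replies do: R0/R1 search or start settings pointing at a res:// DLL resource, a missing URLSearchHook, orphaned entries marked (file missing) or (no file), a populated AppInit_DLLs value, and an O23 service whose short name is unprintable garbage. The sample entries are the ones quoted in these posts; the heuristic strings are assumptions about HJT's output layout.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the HijackThis entries quoted in the two posts above.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINNT\\system32\\tgihc.dll/sp.html#37049
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FFB01F76-070A-2AD3-8F84-AA3B478C5BC2} - C:\\WINNT\\system32\\winkl32.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - AppInit_DLLs: mad.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F\u00df\u00e4#\u00b7\u00ba\u00c4\u00d6`I) - Unknown owner - C:\\WINDOWS\\ipbc.exe" /s (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Assumed HJT layout for O23: Service: <display name> (<short name>) - <owner> - <image path>
SHORT_NAME_RE = re.compile(r"\(([^()]*)\) - ")

def triage_entry(line: str) -> Optional[str]:
    """Return why an entry deserves a second look, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and "res://" in body:
        # start/search page redirected into a DLL resource on the local disk (CWS-style)
        return "IE search/start setting points into a local DLL resource"
    if sec == "R3" and "is missing" in body:
        return "default URLSearchHook has been removed"
    if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs loads a DLL into every GUI process"
    if sec == "O23":
        sm = SHORT_NAME_RE.search(body)
        if sm and any(not c.isascii() or not c.isprintable() for c in sm.group(1)):
            return "service short name is non-ASCII/unprintable garbage"
    if "(file missing)" in body or "(no file)" in body:
        return "entry references a file that no longer exists (orphan)"
    return None

def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, raw line) for every flagged entry in a log."""
    hits = []
    for raw in log_text.splitlines():
        reason = triage_entry(raw)
        if reason:
            hits.append((raw.split(" - ", 1)[0], reason, raw))
    return hits
```

Running `triage(SAMPLE_LOG)` flags six of the eight sample entries; the about:blank default page and the Trend Micro HouseCall control pass through, matching what the replies above told the poster to leave alone.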

dlh6213 27 Posting Maven Team Colleague

Happy (belated) birthday, Dave!

dlh6213 27 Posting Maven Team Colleague

Hi Emily, welcome to DaniWeb :D

Be sure your system is set to "Show hidden files and folders"

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of the file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Do you have "smitfraud.reg" on your desktop?

Close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Go to C:\WINNT\system32\config\systemprofile and delete the contents of the Cookies folder (but not the folder itself).

According to your log, HijackThis is still in a Temp folder (C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe); it needs to be in its own permanent folder so that it, and the backups it will create, do not get deleted during the cleanup process.

After you've moved it, close any open browser windows, scan with hijackthis, and post a new log.

dlh6213 27 Posting Maven Team Colleague

1) Why did SP2 screw up now and not when I first installed it?

I have no idea; perhaps someone else here can answer that.


2) Should I do all those things you've posted?

Yes, except for the in-place upgrade.


3) Should I reinstall SP2?

I would certainly try it, but not until after your system has been cleaned up. If it causes problems again, you can just remove it now that you know the cause.

After you've run the Shredder and cleaned out all the Temp files, post a new hijackthis log.

dlh6213 27 Posting Maven Team Colleague

Move hijackthis from the Temporary folder it is in now into its own permanent folder (like c:\HJT\hijackthis.exe).

After you've moved it, close any open browser windows, scan with hijackthis, and post a new log.

You should have copied the report from Ewido to your clipboard; please scan with it again and do so. Then post the report here.

dlh6213 27 Posting Maven Team Colleague

Is that the complete log? It doesn't have any O15, O16, or O23 entries like your first one did.

Scan with hijackthis and have it fix the following entries:

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [BNInv] invbn.exe
O4 - HKLM\..\RunServices: [IE Runtimes] winis.exe

Be sure to close all open windows, other than hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted folder and file:

C:\Program Files\winupdates
C:\WINDOWS\system32\invbn.exe

Do a search for winis.exe and delete any instances found.

Note: if any of these cannot be deleted in normal mode, try Safe Mode.

Empty your Recycle Bin and reboot.

Close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

I don't see much else wrong.

Please go to http://virusscan.jotti.org/ and have this file scanned:
C:\WINDOWS\System32\wbem\wmiprvse.exe

Post the results back here and let us know what problems you are still having.

dlh6213 27 Posting Maven Team Colleague

Hi dazed+confused, welcome to DaniWeb :D

Start with this --

Go to Windows Update and get SP1a for both XP and IE.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run, please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Update your antivirus program and run a full system scan.

Run at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Download, install, update, and run these …

dlh6213 27 Posting Maven Team Colleague

Hi Rahul, welcome to DaniWeb :D

First, you should go to Windows Update and get SP1a for both XP and IE.

Then go here and follow the instructions:
http://securityresponse.symantec.com/avcenter/venc/data/hacktool.rootkit.html

After you've done that, close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Hi soulkeeper, welcome to DaniWeb :D

Start with this --

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run, please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Update your antivirus program and run a full system scan.

Run at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Empty your Recycle Bin and Reboot.

Close any open browser windows, scan with hijackthis, and post a new …

dlh6213 27 Posting Maven Team Colleague

Please review this thread:
http://www.daniweb.com/techtalkforums/thread24085.html

Then, after your friend has moved HijackThis, post a new log.

dlh6213 27 Posting Maven Team Colleague

Try getting this self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in this thread.

dlh6213 27 Posting Maven Team Colleague

Download CWShredder 2.14 from here:
http://www.intermute.com/products/cwshredder.html
Run it, and press the Fix button (not scan). Close all windows before hitting the Fix button.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Cookies
History
Local Settings\Temp
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run, please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post a new log please.

You can also try an in-place upgrade (aka repair installation); instructions can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;315341&Product=winxp

dlh6213 27 Posting Maven Team Colleague

Download CWShredder 2.14 from here:
http://www.intermute.com/products/cwshredder.html
Run it, and press the Fix button (not scan). Close all windows before hitting the Fix button.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Cookies
History
Local Settings\Temp
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run, please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post a new log along with a fresh Ad-Aware log.

dlh6213 27 Posting Maven Team Colleague

Need help with all the above. Have tried to download CW and Buster and having no luck and the Hijack This I need more detailed step by step help. Nothing seems to be working to get this problem out of my system.
larry H

What kind of problem are you having getting CWShredder and about:Buster?