Please do a search for GainPlugin.dll and let us know exactly where it's located.
Close any open browser windows, scan with HijackThis, and post a new log please.
Please follow the recommendations in post #2 of this thread:
http://www.daniweb.com/techtalkforums/thread28196.html
Your HJT log looks clean now, are you still having any problems?
Just a couple more things to clean up.
Scan with HJT and have it fix the following entries:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Remember to close any open windows before hitting Fix checked.
Go to C:\WINDOWS\web and delete related.htm
That's about all I see, are you still having problems?
Scan with HJT and have it fix the following entries:
O4 - HKLM\..\Run: [combo.exe] combo.exe
If you don't want this (RoadRunner?) to be your Home Page, have HJT fix this O14 entry --
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
If you didn't put this O15 entry into your Trusted Zone yourself, have HJT fix it too --
O15 - Trusted Zone: *.adorons.com
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/gam...nts/y/ct1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.co...v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2695335...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1122583223265
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yah...ymmapi_0727.dll
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://studentsuccess.noellevitz.c...tivexviewer.cab
Remember to close any open windows before hitting Fix checked.
Go to Start, Run, type regedit in the box, and hit Enter.
At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.
Then click on Edit, Find; in the box, paste combo.exe, and then click on Find Next
Right-click …
I got rid of BackWeb Lite and reset my web settings, but I still cannot access those same pages. I also got a letter today from my ISP stating that they received complaints of my IP address trying to access other computers and that I may have a trojan. I think all of that is fixed, but I am still having a problem with those web pages, and every once in a while my computer will go to a blank white screen with pin stripes vertically on it. The reset button won't work, so I have to cut the power and turn it back on again. I just got this computer two weeks ago and I have all my information backed up, so if it would solve these problems to reload Windows then I could do that. Let me know what you think.
Reinstalling Windows actually seems like a reasonable option at this point. Here is a link to instructions for doing so, if you need it:
http://www.daniweb.com/techtalkforums/thread6632.html
You may find this thread helpful as well:
http://www.daniweb.com/techtalkforums/showthread.php?t=16365&highlight=crackers+christmas
And follow the recommendations in the Protection link below to help prevent this from happening again.
Good luck! Let us know if you need any more assistance :)
Hi Reyhan, welcome to DaniWeb :D
Follow the recommendations and instructions in the links below.
When you get to the end of the third one (infection removal), go to post #5 and follow the instructions carefully.
Post your new HJT and Ewido logs when you've finished.
Hi Mark, welcome to DaniWeb :D
Please go to Windows Update and get the Critical Updates for Windows and IE.
Go to Add/Remove Programs in your Control Panel and remove WareOut, if present.
Scan with HijackThis and have it fix the following entries:
R3 - URLSearchHook: (no name) - {28E53C8A-53A4-6D46-4D28-9C92E80B17F4} - teqq32.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\LZJZQ.DLL
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\LZJZQ.DLL
O4 - HKLM\..\Run: [NukeSpan] media64.exe
O4 - HKLM\..\Run: [syspanel] sysmon12.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [stuffmon] msag.exe
O4 - HKCU\..\Run: [dialer423] bhoserv.exe
O4 - HKCU\..\Run: [ssweeper] SetupExeDll.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.83/users/sale/web...hm::/update.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
If the following IP addresses are not related to your ISP, have HijackThis fix this O17 entry as well --
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 195.95.218.1,85.255.112.7
Close any open windows, other than HijackThis, and hit Fix checked.
Go to the following locations and delete the highlighted file and folder:
C:\WINDOWS\SYSTEM\LZJZQ.DLL
C:\Program Files\WareOut
Do a search for the following and delete any instances found:
media64.exe
sysmon12.exe
msag.exe
bhoserv.exe
SetupExeDll.exe
If any of these files cannot be deleted, reboot into Safe Mode and try from there.
Empty your Recycle Bin and reboot.
Close any open browser windows, scan with HijackThis, and post a …
Hi Europa, what problems are you having, if any?
Go to Add/Remove Programs in your Control Panel and remove Viewpoint (or Viewpoint Manager, ViewMgr, or something similar).
Scan with HijackThis and have it fix the following entry:
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Go to C:\Program Files and delete the Viewpoint folder.
BigFix should be set to only startup manually as it is a resource hog.
Go to Start, Run, type regedit in the box, and hit Enter.
At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.
Then click on Edit, Find; in the box, paste 06CBB302-3027-2876-B64E-B7FB3EDC4AF2, and then click on Find Next
Right-click on any entries found and click Delete.
Continue using the Find Next option until you get the Finished searching through registry message.
Repeat the 'Find' instructions for each of the following:
098B2816-B4D3-3673-D079-F2C9806EDCDE
B333FFD7-73DB-5379-54CF-1EF25F8EC6AF
BE709C45-AFC1-EC7A-3096-3BB6E6204E4F
CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A
Close the Registry Editor.
Empty your Recycle Bin and reboot normally.
Close any open browser windows, scan with HijackThis, and post the new log please. Are you still having problems?
Western Digital Data Lifeline, HP, and Compaq use BackWeb Lite to check for updates automatically, but it also installs advertisement popups and such on your system. It's best to have Spybot clean those up, but you may have to get your updates manually if you do. If you wish to keep it, you can have Spybot exclude BackWeb Lite so you no longer get the warnings. CounterSpy should have detected that as well.
Open Internet Explorer, click Tools, Internet Options, Programs tab, and then Reset Web Settings.
Let us know if this helps.
You can find complete instructions for removing Smitfraud and SpySheriff here:
http://www.bleepingcomputer.com/forums/How_to_remove_SpySheriff_Winstallexe_Spysheriffexe-t22402.html
And this will work for AntiVirusGold, Smitfraud, and SpySheriff:
http://forums.techguy.org/showthread.php?t=376692&page=1
That doesn't look like a complete log; in your next reply, please copy and paste the entire log.
You will need to go offline to complete this, so you may wish to print these instructions.
Go to Add/Remove Programs in your Control Panel and remove the following, if present.
SpySheriff
Daily Weather Forecast
Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install and update it, and then close the program (don't scan yet).
Open Notepad (or Wordpad). Go to http://www.bleepingcomputer.com/files/reg/smitfraud.reg , copy the entire contents of the page, and paste it into Notepad. Click on File, Save As...; in the Save in box, select Desktop, name the file smitfraud.reg, and then close Notepad.
Disconnect from the internet and reboot into Safe Mode.
Run CleanUp! again.
Scan with Ewido, allowing it to fix whatever it finds (note: you will be posting the log from this scan in your next reply).
Still in Safe Mode, scan with HJT and have it fix the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetr45\services.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\winsocks5.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
Close any open windows, other than HijackThis, and hit Fix checked.
…
I was pretty sure dinst.exe was bad, the lack of information in Properties confirms this hunch.
Did you already delete System2aflh47o.ini before?
Be sure you have your system set to Show hidden files and folders -- Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.
Open the Services utility in your Administrative Tools control panel.
In the list of services, locate the service named System Startup Service or SvcProc and double-click on it.
In the General tab of the Properties window that opens, click the Stop button; once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK. Close the Services utility.
Disconnect from the internet and reboot into Safe Mode.
Double-click on the Nailfix.cmd that is on your desktop.
Again, run a full system scan with Ewido, allowing it to fix whatever it finds.
Scan with HJT and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - …
Hi DedBOYriot, welcome to DaniWeb :)
Do a search on your computer for MSDIRECTX and give us the location(s) and complete file name(s) if any instances are found.
You can also try this...
Download and install CleanUp! -- http://www.stevengould.org/downloads/cleanup/CleanUp40.exe -- but don't run it yet.
Reboot into Safe Mode.
Open CleanUp!, and click the Options button; move the Quick Setup slider to Thorough CleanUp!; click Yes to the warning message and exit from Options. Click CleanUp! to start cleaning. When it's finished, click Close, and select No (to prevent the restart).
Reboot normally and let us know the status.
Yes, that's good :)
I'm going to mark this as solved, but if you have any more problems with it, let us know.
That HJT log doesn't really tell us much.
Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in your next reply.
Right-click in an open area of your desktop and select New, Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.
Scan with HJT and have it fix the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
Close any open windows, other than HijackThis, and hit Fix checked.
Reboot, close any open browser windows, scan with HJT, and post a new log along with the SilentRunners log.
Just a quick note for those of you who haven't done SP-2 and are still on a modem: :rolleyes:
I had to do the install over a modem (56K) and it took 7 HOURS! However, it lets you download in chunks, so you can go in for as many download sessions as you like. It worked fine for me; I did about 4 different download sessions.
(If anyone in the "tech-guru" department knows any issues with this method, other than "get a DSL, ya dern fool", post away!) :)
This was in the very first post of this thread :) :
"Request a CD from Microsoft at:
www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx Or
http://www.michna.com/kb/WxSP2.htm#ordering_the_service_pack_on_a_cd
Of course, this means waiting for delivery by snail-mail, but installation will be much quicker and you’ll have it if you ever need to reinstall Windows XP. Also, if you have dial-up, you won’t keep your line tied up for hours or have to worry about being disconnected (not that that ever happens, right?)."
It's free and only takes a week or two to get it. Then it's MUCH faster to install :).
...one other question: the O16 entry with dealerconnect in it. You told me to erase it, but dealerconnect is a program we use to interface with DaimlerChrysler; should I still erase it?
See this thread for some basic information about HijackThis (including O16 entries):
http://www.daniweb.com/techtalkforums/thread28196.html
Download, install, update, and run these utilities:
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
CCleaner -- http://www.filehippo.com/download/Qi6RR0U86febzhqUrQQIBQ2/download.html (don't run this one yet)
Scan with HJT and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
Close any open windows, other than HijackThis, and hit Fix checked.
Now you can run CCleaner.
Close any open browser windows, scan with HJT, and post a new log please. And let us know if you're still having problems.
Do you have any programs I can download to prevent this (or any other spyware/malware) from happening again?
Glad to hear all is well again :)
See the 'Protection' link below to help prevent infections (SpywareBlaster in particular).
Hi Dreg, welcome to DaniWeb :D
Please start by following the recommendations and instructions in the links below.
When you get to the end of the third one, follow the instructions in post #5 to clean up the Aurora/Nail infection.
After you've completed all that, post a new log to clean up anything remaining (along with the Ewido log you will create).
Hi AMendoza, welcome to DaniWeb :D
Please start by following the recommendations and instructions in the links below.
After you've done that, post a new log to clean up anything remaining.
It's getting better, but not clean yet.
Reboot into Safe Mode.
Scan with Ewido again, allowing it to fix whatever it finds.
Scan with HJT and have it fix the following entries:
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.9 doxdesk.com
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Remember to close any open windows, other than HijackThis, before hitting Fix checked.
Do a search for svcproc.exe and delete any instances found (this is a part of Aurora and it's still showing in your log).
Also do a search for System2aflh47o and delete any instances found.
Empty your Recycle Bin and reboot normally.
Go to C:\WINDOWS\dinst.exe; right-click on it and select Properties. Give us whatever info you can on it (Company, version, etc.).
Close any open browser windows, scan with HJT, and post a new log along with the new Ewido log.
Reboot into Safe Mode.
Scan with HJT and have it fix the following entries:
O2 - BHO: (no name) - {06CBB302-3027-2876-B64E-B7FB3EDC4AF2} - (no file)
O2 - BHO: (no name) - {098B2816-B4D3-3673-D079-F2C9806EDCDE} - (no file)
O2 - BHO: (no name) - {B333FFD7-73DB-5379-54CF-1EF25F8EC6AF} - (no file)
O2 - BHO: (no name) - {BE709C45-AFC1-EC7A-3096-3BB6E6204E4F} - (no file)
O2 - BHO: (no name) - {CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A} - (no file)
O4 - HKLM\..\Run: [2f28c8bed102] C:\WINDOWS\System32\authz859.exe
Remember to close any open windows before hitting Fix checked.
Do a search for authz859.exe and delete any instances found.
Empty your Recycle Bin and reboot.
Run CCleaner again.
Close any open browser windows, scan with HJT, and post a new log please.
Hi rmdcorp, welcome to DaniWeb :D
I've moved your thread to the virus forum as this is the only place where HijackThis logs are to be posted.
Follow the recommendations and instructions in the links below.
After you've done that, and moved HijackThis, please post a new log to clean up any remaining items.
Hi David (and mom), welcome to DaniWeb :D
I've moved your thread to the Virus forum because that seems to be your primary problem.
Follow the recommendations and instructions in the links below, and then post back with any remaining problems.
If you can get HijackThis and run it, that would be helpful.
You can also try using System Restore to set your system back to a time before you started having problems.
First, right-click on an empty area of your desktop and select New, Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.
Next, download, install, update, and run these utilities:
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
CCleaner -- http://www.filehippo.com/download/Qi6RR0U86febzhqUrQQIBQ2/download.html (don't run this one yet)
Then, scan with HJT and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
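Several of the replies above ask the poster to fix O1 Hosts entries that point security-vendor sites at 127.0.0.x addresses, O2 BHO entries that read "(no file)", and O23 services whose binary is "(file missing)", and then to search the registry for the orphaned BHO CLSIDs. The following is an added example, not HijackThis code or anything posted in the thread: a small Python parser that pulls exactly those patterns out of log text. The sample lines are copied from posts on this page, with one constructed benign line (127.0.0.1 localhost) included so the hosts check can be seen to skip the legitimate case.

```python
"""Flag the HijackThis log patterns discussed in this thread.

Added example (not HijackThis's own code). It recognises three kinds of entry
the helpers above ask posters to fix:
  * O1  - Hosts lines that map a site to a 127.x loopback address, which
          keeps the machine from reaching that site (here, anti-spyware vendors)
  * O2  - BHO registrations whose DLL is reported as "(no file)"
  * O23 - services whose executable is reported as "(file missing)"
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines quoted in this thread plus one benign hosts line.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.93 www.spybot.info
O2 - BHO: (no name) - {06CBB302-3027-2876-B64E-B7FB3EDC4AF2} - (no file)
O2 - BHO: (no name) - {B333FFD7-73DB-5379-54CF-1EF25F8EC6AF} - C:\\WINDOWS\\System32\\yzsrqvtv.dll
O4 - HKLM\\..\\Run: [dkfqomrq] C:\\WINDOWS\\System32\\dkfqomrq.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe (file missing)
"""

# Every HJT entry is "<section> - <body>", e.g. "O1 - Hosts: ...", "R0 - HKCU\\...".
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
BHO_RE = re.compile(r"^BHO: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O1"
    reason: str    # why the line was flagged
    detail: str    # hostname, CLSID or raw body, depending on the section


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split an entry into (section, body); non-entry lines yield None."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def analyze_log(log_text: str) -> List[Finding]:
    """Return one Finding per entry matching the patterns described above."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O1":
            m = HOSTS_RE.match(body)
            # 127.0.0.1 localhost is normal; any other name sent to loopback
            # is a site the machine has been made unable to reach.
            if m and m.group(1).startswith("127.") and m.group(2).lower() != "localhost":
                findings.append(Finding(section, "hosts entry sends site to loopback", m.group(2)))
        elif section == "O2":
            m = BHO_RE.match(body)
            # A BHO CLSID still registered after its DLL is gone is the
            # leftover the thread has posters search for in regedit.
            if m and m.group(3) == "(no file)":
                findings.append(Finding(section, "BHO registered but file missing", m.group(2)))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(section, "service points at missing binary", body))
    return findings


def orphan_bho_clsids(log_text: str) -> List[str]:
    """CLSIDs to look up with Edit > Find in the Registry Editor."""
    return [f.detail for f in analyze_log(log_text) if f.section == "O2"]


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}: {f.detail}")
    print("Registry search terms:", orphan_bho_clsids(SAMPLE_LOG))
```

The O4 Run line in the sample is deliberately left unflagged: as a later reply in this thread notes, some Run entries are legitimate (video card, sound card, packet-writing software), so deciding on those needs a human looking at the file, not a string rule.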
Hi Andru, welcome to DaniWeb :D
Yes, go ahead and post your HijackThis log, but before doing so, please review the links in my signature block below.
When you post your HJT log please post your Ewido log as well.
In order to view some of the files and folders mentioned here, be sure your system is set to show hidden files and folders. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.
If you don't already have it, get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Reboot into Safe Mode.
Do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any could not be deleted, run Pocket Killbox and paste the full file path of the file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Scan with hijackthis, and have it fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
Be sure to close any open windows, other than HijackThis, and hit the Fix checked button.
Empty your Recycle Bin and reboot normally.
Delete any unwanted icons from your desktop and empty your Recycle Bin.
HotOffers should now be gone. If it still remains, please follow …
I wondered if I should uninstall CounterSpy to see if MS Anti-spyware will tell me the location of the infection?
Try that, and also post a new HijackThis log with your next reply.
Hacktool.rootkit doesn't usually show up in HijackThis logs, and never did in yours, so we can't really tell from that.
Do a search on your computer for MSDIRECTX and give us the location(s) and file name(s) if any instances are found.
Do you use any file-sharing programs? That's the most common way for this particular infection to spread.
Open Firefox and go to Tools, Options, and then click on Privacy (padlock icon on the left); click on the Clear All button.
Download, install, update, and run the following utilities:
CounterSpy –
http://www.download.com/CounterSpy/3000-8022_4-10375153.html?tag=lst-0-1
CCleaner – http://www.filehippo.com/download/Qi6RR0U86febzhqUrQQIBQ2/download.html
If, after doing the above, pynix is still on your computer, can you tell us where MS's Anti-spyware says it's located?
No one can tell you what utilities you need without first knowing what virus you have.
Follow the recommendations and instructions in the links below to get started.
Fixreg32.com is a blacklisted spam site (http://www.joewein.de/sw/spam-bl-f.htm)
Follow the recommendations and instructions in the links below.
After you've done that, post your HijackThis log in this thread.
You can get viruses on a computer?
It's been known to happen:
http://www.daniweb.com/techtalkforums/thread23881.html
:lol:
Did CleanUp! fix the problem? If not, do you have a location for the bad file(s)?
We'll be happy to help you out, but before you post a HijackThis log, follow the suggestions and instructions in the links below.
Similar problem here, see if the suggestions in this thread help:
http://www.daniweb.com/techtalkforums/thread29209.html
Glad you got that first problem worked out :)
Download, install, and update Ewido --
http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1, but don't scan yet.
Reboot into Safe Mode and do a full system scan with Ewido, allowing it to fix whatever it finds (note: you will be posting the log from this scan with your next reply).
Reboot normally, close any open browser windows, scan with HJT, and post a new log along with the Ewido log.
2 problems there. Both have been updated a lot since and are now at SP2.
Then these.
C:\WINDOWS\System32\ndupinwx.exe
C:\WINDOWS\System32\dkfqomrq.exe
C:\WINDOWS\System32\??chost.exe
C:\Program Files\apsi\wtta.exe
O2 - BHO: (no name) - {06CBB302-3027-2876-B64E-B7FB3EDC4AF2} - (no file)
O2 - BHO: (no name) - {098B2816-B4D3-3673-D079-F2C9806EDCDE} - (no file)
O2 - BHO: (no name) - {530B7D08-CAE3-EA46-E81F-C9EE8580BEBD} - (no file)
O2 - BHO: (no name) - {570B7D7C-CAE3-9147-E86D-BFEE8B80BECE} - (no file)
O2 - BHO: (no name) - {B333FFD7-73DB-5379-54CF-1EF25F8EC6AF} - C:\WINDOWS\System32\yzsrqvtv.dll
O2 - BHO: (no name) - {BE709C45-AFC1-EC7A-3096-3BB6E6204E4F} - C:\WINDOWS\System32\atpcyyyk.dll
O2 - BHO: (no name) - {CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [2f28c8bed102] C:\WINDOWS\System32\authz859.exe
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
O4 - HKLM\..\Run: [f405760d6a13] C:\WINDOWS\System32\basesrv2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ndupinwx] C:\WINDOWS\System32\ndupinwx.exe
O4 - HKLM\..\Run: [dkfqomrq] C:\WINDOWS\System32\dkfqomrq.exe
O4 - HKCU\..\Run: [Sjjd] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
Some of them may be genuine, but on my machine (which I know to be clean) none of them exist.
It's not a good idea to get SP2 on an infected machine.
Some of those files are legit (video card, sound card, and HP's packet writing software).
First, right-click on an empty area of your desktop and select New, Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.
Next, download, install, update, and run these utilities:
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html
CCleaner -- http://www.filehippo.com/download/Qi6RR0U86febzhqUrQQIBQ2/download.html (don't run this one yet)
Then, scan with HJT and have it fix the following entries:
O2 - BHO: (no name) - {06CBB302-3027-2876-B64E-B7FB3EDC4AF2} - (no file)
O2 - BHO: (no name) - {098B2816-B4D3-3673-D079-F2C9806EDCDE} - (no file)
O2 - BHO: (no name) - {530B7D08-CAE3-EA46-E81F-C9EE8580BEBD} - (no file)
O2 - BHO: (no name) - {570B7D7C-CAE3-9147-E86D-BFEE8B80BECE} - (no file)
O2 - BHO: (no name) - {B333FFD7-73DB-5379-54CF-1EF25F8EC6AF} - C:\WINDOWS\System32\yzsrqvtv.dll
O2 - BHO: (no name) - {BE709C45-AFC1-EC7A-3096-3BB6E6204E4F} - C:\WINDOWS\System32\atpcyyyk.dll
O2 - BHO: (no name) - {CAD9FD7F-C0C0-F76C-BF7B-0F88956FE05A} - (no file)
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
O4 - HKLM\..\Run: [f405760d6a13] C:\WINDOWS\System32\basesrv2.exe
O4 - HKLM\..\Run: [ndupinwx] C:\WINDOWS\System32\ndupinwx.exe
O4 - HKLM\..\Run: [dkfqomrq] C:\WINDOWS\System32\dkfqomrq.exe
O4 - HKCU\..\Run: [Sjjd] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Notn] C:\Program Files\apsi\wtta.exe
If this IP address is not related to your ISP, have HJT fix this O15 entry as well --
O15 - Trusted IP range: http://
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - …
To find unique goodies.
Umm, yeah... well I guess... if you actually LIKE getting viruses, trojans, and other malware; not too many people like that though. :rolleyes:
It seems that alot of computer users are too afraid to open attachments sent to them from random addresses, are people just being paranoid?
Why on earth would someone want to open an attachment from a random address???
That's not being paranoid, that's just common sense!
Sure :)
Since you've already followed those instructions you should have HJT and Ewido, please post the most recent logs of each (with HJT in normal mode and Ewido in Safe Mode).
If I'm understanding your question correctly, try this:
Log on to MSN Messenger
In the top Menu bar, click Contacts
In the drop-down box, click Manage Contacts
Select Delete a Contact...
Click the name of the person you wish to delete, and click on OK.
If this isn't what you were asking, can you please clarify?
Well, I can log in from the home page now, with both IE and Firefox :).
I'll let you know in a bit about the page loading.
Too soon to tell about the new layout; give me a couple of days for that ;)
Edit: Page loading seems to be back to normal, but I found another problem -- threads that are marked as 'Solved' don't say 'Solved' anymore.
For the past few hours today I haven't been able to login from the home page (where I usually do). But I found, by trying some different things, I can do a "Quote/Reply" within a thread and then when asked to login I can do it from there.
Any idea what the problem might be?
Also, going from one thread to another is sometimes veerrryy slow -- it wasn't like this before the new layout.
No signs at all, and the internet connection is now staying connected and the settings have not been wiped.
Thanks for all the help.
Great, glad to hear it :D
Check out the links below to help protect and clean your computer.
Morning
I have downloaded and run CCleaner, set the folder options, and run a search for scvho*.* in drive C:; no results were found.
Does this mean it has finally gone?
I believe so :) Are you seeing any signs of it?