dlh6213 27 Posting Maven Team Colleague

It was supposed to go away, but it's being stubborn :(

Make sure your system is set up to 'Show hidden files and folders' -- Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and deselect (uncheck) Hide protected operating system files.

Reboot into Safe Mode.

Scan with HJT and have it fix the following entries:

O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitecla32.exe
O4 - HKLM\..\Run: [System service62] E:\WINDOWS\etb\pokapoka62.exe

Close any open windows, other than HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted file and folder:

E:\windows\system32\elitecla32.exe <-- File

E:\WINDOWS\etb <-- Folder

If you still can't find or delete these, open HijackThis again and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Copy and paste E:\windows\system32\elitecla32.exe into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.

Repeat the delete on reboot instructions for E:\WINDOWS\etb\pokapoka62.exe.

Do a search for drawbend and duperealpure and see if you can find out anything about these now. It's no longer in your log, but if it's something bad we should make sure it's actually gone.

Back in normal mode, scan with HijackThis and post a new log.

dlh6213 27 Posting Maven Team Colleague

I just see one more thing to fix there; I wasn't sure before so I had to do a bit of research.

Scan with HJT and have it fix

O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k

Remember to close all windows before hitting Fix checked.

Go to C:\PROGRAM FILES and delete the Acceleration Software folder.

Empty the Recycle Bin and reboot.

According to the Ewido Log, it looks like she has, or had, the Qoologic trojan.

Please get Find_qoologic.zip (by baskar1234) from:
http://home.earthlink.net/~firestrike/antispy/findqoologic.zip

After you download it, unzip it; go to the new qoologic folder and double-click on qoologic.bat to run it. It will take a few minutes to scan the drive, so be patient. When it has finished, open My Computer, double-click on the C: drive, and copy & paste the contents of the below logs into this thread.

C:\log.txt
C:\win.txt
C:\start.txt

dlh6213 27 Posting Maven Team Colleague

Hey Hammy, long time no see.

In the future, remember to close any open browser windows before scanning with HJT.

I believe 'pokapoka' is your main problem. Scan with HJT and have it fix the following entries:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitecla32.exe
O4 - HKLM\..\Run: [System service62] E:\WINDOWS\etb\pokapoka62.exe

Close any open windows, other than HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted file and folder:

E:\windows\system32\elitecla32.exe

E:\WINDOWS\etb

If either cannot be deleted, try booting into Safe Mode and deleting it from there.

Do you know what this file is for: duperealpure.exe? If not, do a search for it, right-click on it, go to Properties, and get whatever information you can from there (Company, version, etc.).

Reboot (normally), close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Make sure your system is set to 'Show hidden files and folders' -- Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Update, and run these utilities again:

CWShredder
about:Buster
PurityScan uninstaller

Repeat the instructions in my last post (#14), and then post a new HJT log.

dlh6213 27 Posting Maven Team Colleague

Please follow the instructions here to remove newdotnet -- http://www.newdotnet.com/removal.html

Delete the entire contents of the C:\Windows\Temp folder.

Delete the entire contents of the C:\Temp folder.

Do a search for *.tmp and delete all entries found.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Scan with HJT and have it fix:

O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tplier] C:\WINDOWS\System32\tplier.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
If the IP addresses below are not related to her ISP, have HJT fix both of these O17 entries --
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56

Close any open windows and hit Fix checked.

Reboot, close any open browser windows, scan with HJT and post a new log please.

dlh6213 27 Posting Maven Team Colleague

What is the exact error message you get from Norton?

dlh6213 27 Posting Maven Team Colleague

Where's the new Ewido log? :)

Download Killbox -- http://www.downloads.subratam.org/KillBox.zip -- and unzip the file to your Desktop.

Scan with HJT and have it fix the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads2.revenue.net/r?site_id=1...ative_id=209716
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\ppdx5032.dll

Close any open windows and hit Fix checked.

Go to C:\Program Files and delete the entire WildTangent folder.

Do a search for the following files and delete any instances found:

qbet.exe
GameChannel.exe
kbdsp.exe
atrivs.exe
ppdx5032.dll

If any of the noted files could not be deleted, open KILLBOX, type (or copy and paste) the path of the file into the box; then check the Delete on Reboot box, and click the red X. You will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. Note: the file path will be something like C:\WINDOWS\System32\kbdsp.exe

Reboot, close any open browser windows, scan with HJT, and post a new log along with the new Ewido log.

dlh6213 27 Posting Maven Team Colleague

Remove Newdotnet either from Add/Remove Programs, or by following the instructions here:
http://www.newdotnet.com/removal.html

Also in Add/Remove Programs, remove Viewpoint (or Viewpoint Manager, ViewMgr, or something similar).

Scan with HijackThis and have it fix:

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

Close any open windows, other than HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted folders:

C:\Program Files\Viewpoint
C:\program files\newdotnet

Do a search for these files and delete any instances found:

commandd.exe
conversions.ini
d2gfz.dll
diablo ii.exe
dinst.exe
grab.exe

If any of these files are found, but cannot be deleted, reboot into Safe Mode and try it from there.

Download and run CCleaner -- http://www.filehippo.com/download/lixhbccfafpilfwflhddbjzbwcxefhrh/download.html

Reboot, close any open browser windows, scan with HijackThis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

NOW you can celebrate; your log looks clean to me :)

Glad we could help... Happy (and safe) computing!

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs and make sure WildTangent has been removed.

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...6235&id=1.20030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidese...6235&id=1.20030
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\kqdhu.dll

Remember to close any open windows and hit Fix checked.

Be sure your system is set to 'Show hidden files and folders':
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, go to the following locations and delete the highlighted files and folder:

C:\WINDOWS\qbet.exe
C:\WINDOWS\system32\kqdhu.dll

C:\Program Files\WildTangent

Do a search for atrivs.exe and delete any instances found.

If any of these could not be deleted, open HijackThis and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the …

dlh6213 27 Posting Maven Team Colleague

Glad to hear things are getting better, but there's still a bit more to do.

Scan with HJT and have it fix:

O4 - HKLM\..\Run: [rmmon] C:\WINDOWS\SYSTEM\m1rmmon.exe

Then go to C:\WINDOWS\SYSTEM and delete m1rmmon.exe

That's all I see in your log, but to be sure your system is clean, I recommend getting CCleaner and the free trial version of CounterSpy; links to both can be found in the 'Cleanup' link below.

dlh6213 27 Posting Maven Team Colleague

Hi Wild Bill, welcome to DaniWeb :D

Please follow the recommendations and instructions in the links below. When you get to the end of the third one (Infection removal), go to post #5 and follow the instructions there carefully.

When you've finished, please post a new HijackThis log along with the Ewido log.

dlh6213 27 Posting Maven Team Colleague

Hi Clagoo, welcome to DaniWeb :D

I've split your post (from http://www.daniweb.com/techtalkforums/thread28035.html) into its own thread per forum rules -- http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules

Please follow the recommendations and instructions in the three links from my signature below.

Then, when you have HJT in its own permanent folder, please post a new log.

Also, do a search for lsvchost.exe; delete any instances found and let us know in your next post if you actually found any.

dlh6213 27 Posting Maven Team Colleague

Hi Dano69, welcome to DaniWeb :D

Please follow the recommendations and instructions in the links below.

Then go to post #6 in the last one (Infection removal...).

In addition to the instructions in those posts, when you next scan with HijackThis, have it fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5A1B061E-B088-9A88-3986-A4314318D27D} - C:\WINDOWS\SDKOL32.DLL

Close any open windows, other than HijackThis, before hitting Fix checked.

Go to C:\WINDOWS and delete SDKOL32.DLL

Please post a new HJT log when you've completed all of the above.

dlh6213 27 Posting Maven Team Colleague

Download CCleaner --
http://www.filehippo.com/download/lixhbccfafpilfwflhddbjzbwcxefhrh/download.html -- but don't run it yet.

Go to Add/Remove Programs and remove any of the following found:

BargainBuddy
Look2Me
WildTangent

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\kqdhu.dll

Go to the following locations and delete the highlighted files and folders:

C:\WINDOWS\qbet.exe
C:\WINDOWS\System32\kbdsp.exe
C:\WINDOWS\system32\kqdhu.dll

C:\Program Files\WildTangent
C:\Program Files\BargainBuddy
C:\Program Files\Look2Me

Do a search for atrivs.exe and delete any instances found.

If any of these files cannot be deleted, try booting into Safe Mode first, and then delete them.

Now run CCleaner.

Reboot, close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Scan with HJT and have it fix the following:

O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll

Go to c:\windows\system and delete BHOmod.dll; empty your Recycle Bin.

That's about all I see. Follow the recommendations in the Protection link below to help prevent further intrusions.

dlh6213 27 Posting Maven Team Colleague

Please follow the recommendations in post #2 of this thread:
http://www.daniweb.com/techtalkforums/thread28196.html

Your HJT log looks clean now, are you still having any problems?

dlh6213 27 Posting Maven Team Colleague

Just a couple more things to clean up.

Scan with HJT and have it fix the following entries:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Remember to close any open windows before hitting Fix checked.

Go to C:\WINDOWS\web and delete related.htm

That's about all I see, are you still having problems?

dlh6213 27 Posting Maven Team Colleague

Scan with HJT and have it fix the following entries:

O4 - HKLM\..\Run: [combo.exe] combo.exe
If you don't want this (RoadRunner?) to be your Home Page, have HJT fix this O14 entry --
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
If you didn't put this O15 entry into your Trusted Zone yourself, have HJT fix it too --
O15 - Trusted Zone: *.adorons.com
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/gam...nts/y/ct1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.co...v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2695335...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1122583223265
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yah...ymmapi_0727.dll
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://studentsuccess.noellevitz.c...tivexviewer.cab

Remember to close any open windows before hitting Fix checked.

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Then click on Edit, Find; in the box, paste combo.exe, and then click on Find Next

Right-click …

dlh6213 27 Posting Maven Team Colleague

Hi Mark, welcome to DaniWeb :D

Please go to Windows Update and get the Critical Updates for Windows and IE.

Go to Add/Remove Programs in your Control Panel and remove WareOut, if present.

Scan with HijackThis and have it fix the following entries:

R3 - URLSearchHook: (no name) - {28E53C8A-53A4-6D46-4D28-9C92E80B17F4} - teqq32.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\LZJZQ.DLL
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\LZJZQ.DLL
O4 - HKLM\..\Run: [NukeSpan] media64.exe
O4 - HKLM\..\Run: [syspanel] sysmon12.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [stuffmon] msag.exe
O4 - HKCU\..\Run: [dialer423] bhoserv.exe
O4 - HKCU\..\Run: [ssweeper] SetupExeDll.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.83/users/sale/web...hm::/update.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
If the following IP addresses are not related to your ISP, have HijackThis fix this O17 entry as well --
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 195.95.218.1,85.255.112.7

Close any open windows, other than HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted file and folder:

C:\WINDOWS\SYSTEM\LZJZQ.DLL

C:\Program Files\WareOut

Do a search for the following and delete any instances found:

media64.exe
sysmon12.exe
msag.exe
bhoserv.exe
SetupExeDll.exe

If any of these files cannot be deleted, reboot into Safe Mode and try from there.

Empty your Recycle Bin and reboot.

Close any open browser windows, scan with HijackThis, and post a …

dlh6213 27 Posting Maven Team Colleague

That doesn't look like a complete log; in your next reply, please copy and paste the entire log.

You will need to go offline to complete this, so you may wish to print these instructions.

Go to Add/Remove Programs in your Control Panel and remove the following, if present.

SpySheriff
Daily Weather Forecast

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install and update it, and then close the program (don't scan yet).

Open Notepad (or Wordpad). Go to http://www.bleepingcomputer.com/files/reg/smitfraud.reg, copy the entire contents of the page, and paste it into Notepad. Click on File, Save As...; in the Save in box, select Desktop, name the file smitfraud.reg, and then close Notepad.

Disconnect from the internet and reboot into Safe Mode.

Run CleanUp! again.

Scan with Ewido, allowing it to fix whatever it finds (note: you will be posting the log from this scan in your next reply).

Still in Safe Mode, scan with HJT and have it fix the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\msblank.html
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetr45\services.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\winsocks5.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe

Close any open windows, other than HijackThis, and hit Fix checked.

dlh6213 27 Posting Maven Team Colleague

I was pretty sure dinst.exe was bad; the lack of information in Properties confirms this hunch.

Did you already delete System2aflh47o.ini before?

Be sure you have your system set to Show hidden files and folders -- Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Open the Services utility in your Administrative Tools control panel.

In the list of services, locate the service named System Startup Service or SvcProc and double-click on it.

In the General tab of the Properties window that opens, click the Stop button; once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK. Close the Services utility.

Disconnect from the internet and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop.

Again, run a full system scan with Ewido, allowing it to fix whatever it finds.

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - …

dlh6213 27 Posting Maven Team Colleague

Hi DedBOYriot, welcome to DaniWeb :)

Do a search on your computer for MSDIRECTX and give us the location(s) and complete file name(s) if any instances are found.

You can also try this...
Download and install CleanUp! -- http://www.stevengould.org/downloads/cleanup/CleanUp40.exe -- but don't run it yet.

Reboot into Safe Mode.

Open CleanUp!, and click the Options button; move the Quick Setup slider to Thorough CleanUp!; click Yes to the warning message and exit from Options. Click CleanUp! to start cleaning. When it's finished, click Close, and select No (to prevent the restart).

Reboot normally and let us know the status.

dlh6213 27 Posting Maven Team Colleague

That HJT log doesn't really tell us much.

Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in your next reply.

Right-click in an open area of your desktop and select New, Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.

Scan with HJT and have it fix the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

Close any open windows, other than HijackThis, and hit Fix checked.

Reboot, close any open browser windows, scan with HJT, and post a new log along with the SilentRunners log.

dlh6213 27 Posting Maven Team Colleague

It's getting better, but not clean yet.

Reboot into Safe Mode.

Scan with Ewido again, allowing it to fix whatever it finds.

Scan with HJT and have it fix the following entries:

R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.9 doxdesk.com
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Remember to close any open windows, other than HijackThis, before hitting Fix checked.

Do a search for svcproc.exe and delete any instances found (this is a part of Aurora and it's still showing in your log).

Also do a search for System2aflh47o and delete any instances found.

Empty your Recycle Bin and reboot normally.

Go to C:\WINDOWS\dinst.exe; right-click on it and select Properties. Give us whatever info you can on it (Company, version, etc.).

Close any open browser windows, scan with HJT, and post a new log along with the new Ewido log.

dlh6213 27 Posting Maven Team Colleague

First, right-click on an empty area of your desktop and select New, Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.

Next, download, install, update, and run these utilities:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
CCleaner -- http://www.filehippo.com/download/Qi6RR0U86febzhqUrQQIBQ2/download.html (don't run this one yet)

Then, scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
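As an added example (not from this thread and not part of HijackThis itself), here are the triage rules these posts apply by hand, written in Python over constructed log lines modelled on the entries quoted above: O1 Hosts lines that send anti-spyware sites to loopback, O4 Run entries with a bare filename or a path under Temp, O17 name servers outside a trusted list (the `trusted_dns` parameter is an assumption; private router addresses are accepted), a missing default URLSearchHook, and R0/R1 search pages that point at a `res://` resource inside a local DLL.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOOPBACK = ip_network("127.0.0.0/8")

# Anti-spyware sites that appear in the O1 Hosts entries quoted above; a hosts
# line pointing one of them at loopback stops the user from reaching help.
SECURITY_SITES = {
    "safer-networking.org", "spybot.info", "security.kolla.de", "secureie.com",
    "spychecker.com", "spycop.com", "spyguard.com", "doxdesk.com",
}

# Constructed sample log, modelled on the HijackThis lines quoted in the posts
# (the Java line and the {GUID} placeholder are made up, not from the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.168.1.1
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")            # "O4 - <rest>"
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")          # "Hosts: <ip> <name>"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.*?)\] (.*)$")  # "[name] command"
DNS_RE = re.compile(r"NameServer = (.*)$")


@dataclass
class Finding:
    code: str    # HijackThis section prefix, e.g. "O1", "O4", "O17"
    reason: str  # short tag for why the line was flagged
    line: str    # the log line, verbatim


def _parse_ip(text):
    try:
        return ip_address(text)
    except ValueError:
        return None


def _is_private(text):
    ip = _parse_ip(text)
    return ip is not None and ip.is_private


def _is_security_site(host):
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return any(host == s or host.endswith("." + s) for s in SECURITY_SITES)


def check_line(line, trusted_dns=frozenset()):
    """Return a Finding for one HijackThis log line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    if code == "O1":
        h = HOSTS_RE.match(rest)
        if h:
            ip, host = _parse_ip(h.group(1)), h.group(2)
            if ip is not None and ip in LOOPBACK and host.lower() != "localhost":
                reason = ("hosts_blocks_security_site" if _is_security_site(host)
                          else "hosts_redirect_to_loopback")
                return Finding(code, reason, line)
    elif code == "O4":
        r = RUN_RE.match(rest)
        if r:
            command = r.group(2).strip().strip('"')
            if "\\" not in command:
                # Bare filename: resolved through the PATH, location unknown.
                return Finding(code, "run_entry_bare_filename", line)
            if "\\temp\\" in command.lower():
                return Finding(code, "run_entry_in_temp_folder", line)
    elif code == "O17":
        d = DNS_RE.search(rest)
        if d:
            servers = [s.strip() for s in d.group(1).split(",")]
            untrusted = [s for s in servers
                         if s not in trusted_dns and not _is_private(s)]
            if untrusted:
                return Finding(code, "dns_server_not_trusted:" + ",".join(untrusted), line)
    elif code in ("R0", "R1"):
        value = rest.split("=", 1)[-1].strip().lower()
        if value.startswith("res://"):
            return Finding(code, "search_page_is_local_dll_resource", line)
    elif code == "R3" and "URLSearchHook is missing" in rest:
        return Finding(code, "default_urlsearchhook_missing", line)
    return None


def triage(log_text, trusted_dns=()):
    """Run check_line over a whole log; trusted_dns is the ISP's resolver list."""
    trusted = frozenset(trusted_dns)
    return [f for f in (check_line(l, trusted) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason:<50} {f.line}")
```

The flags are only a first pass, as in the thread: an O17 server that is not the ISP's and an O4 entry run from Temp still need the file's Properties or a vendor lookup before anything is fixed.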

dlh6213 27 Posting Maven Team Colleague

Hi Andru, welcome to DaniWeb :D

Yes, go ahead and post your HijackThis log, but before doing so, please review the links in my signature block below.

When you post your HJT log please post your Ewido log as well.

dlh6213 27 Posting Maven Team Colleague

In order to view some of the files and folders mentioned here, be sure your system is set to show hidden files and folders. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

If you don't already have it, get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Reboot into Safe Mode.

Do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, run Pocket Killbox, paste the full file path of the file in the box, and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Scan with hijackthis, and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/

Be sure to close any open windows, other than HijackThis, and hit the Fix checked button.

Empty your Recycle Bin and reboot normally.

Delete any unwanted icons from your desktop and empty your Recycle Bin.

HotOffers should now be gone. If it still remains, please follow …

dlh6213 27 Posting Maven Team Colleague

Hacktool.rootkit doesn't usually show up in HijackThis logs, and never did in yours, so we can't really tell from that.

Do a search on your computer for MSDIRECTX and give us the location(s) and file name(s) if any instances are found.

dlh6213 27 Posting Maven Team Colleague

Fixreg32.com is a blacklisted spam site (http://www.joewein.de/sw/spam-bl-f.htm)

Follow the recommendations and instructions in the links below.

After you've done that, post your HijackThis log in this thread.

dlh6213 27 Posting Maven Team Colleague

Did CleanUp! fix the problem? If not, do you have a location for the bad file(s)?

dlh6213 27 Posting Maven Team Colleague

Sure :)

Since you've already followed those instructions you should have HJT and Ewido, please post the most recent logs of each (with HJT in normal mode and Ewido in Safe Mode).

dlh6213 27 Posting Maven Team Colleague

Morning

I have downloaded & run CCleaner, set the folder options, and run a search for scvho*.* in drive C:; no results were found.

Does this mean it has finally gone?

I believe so :) Are you seeing any signs of it?

dlh6213 27 Posting Maven Team Colleague

Do not get SP2 until after you have removed all malware.

Have any of the programs that detect it given you the location?

Download and install CleanUp! -- http://www.stevengould.org/downloads/cleanup/CleanUp40.exe -- but don't run it yet.

Reboot into Safe Mode.

Open CleanUp!, and click the Options button; move the Quick Setup slider to Thorough CleanUp!; click Yes to the warning message and exit from Options. Click CleanUp! to start cleaning. When it's finished, click Close, and select No (to prevent the restart).

Reboot normally and let us know the status.

dlh6213 27 Posting Maven Team Colleague

Hi Albie, welcome to DaniWeb :D

I've split your post into its own thread per forum rules (http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules)

Please follow the recommendations and instructions in the three links from my signature below.

In the third one, follow the instructions in posts #1 and then #4.

dlh6213 27 Posting Maven Team Colleague

Download, update, and run CCleaner
http://www.filehippo.com/download/Qi6RR0U86febzhqUrQQIBQ2/download.html

In order to view some of the files and folders here, you will need to set your system up accordingly. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Open Explorer and click on the Search button.

Type the following in the All or parts of the file name box:

scvho*.*

In the Look in box, select your C: drive.

Click on More advanced options and make sure that the first three boxes are checked.

Perform the search; give us the exact names and locations of any files found in your next reply.

dlh6213 27 Posting Maven Team Colleague

In the future can you please copy & paste your logs rather than attaching them? Makes them much easier to work with :) Thanks.

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install and update it, and then close the program (don't scan yet).

Reboot into Safe Mode.

Run a full system scan with Ewido, allowing it to fix whatever it finds (note: you will be posting the log from this scan in your next reply).

Reboot normally, close any open browser windows, scan with HijackThis, and post a new log along with the Ewido log.

dlh6213 27 Posting Maven Team Colleague

Scan with HijackThis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.qsrch.com/
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close any open windows, other than HijackThis, and hit Fix Checked.

Go to C:\WINDOWS\web and delete related.htm

Empty your Recycle Bin and reboot.

Download WinsockXPFix from here: WinsockXPFix

Run it, and click the Fix button; choose YES when asked if you want to proceed.

If it still doesn't work, try IEFix -- http://windowsxp.mvps.org/IEFIX.htm

Scan with HijackThis and post a new log please. And let us know if IE is working properly.

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs in your Control Panel and remove the following, if present:

Viewpoint (or Viewpoint Manager, ViewMgr, or something similar)
WildTangent

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install and update it, and then close the program (don't scan yet).

Reboot into Safe Mode.

Do a full system scan with Ewido (note: you will be posting the log from this scan in your next reply).

Still in Safe Mode, scan with HijackThis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close any open windows, other than HijackThis, and hit Fix Checked.

Go to the following locations and delete the highlighted file and folders:

C:\WINDOWS\web\related.htm

C:\Program Files\WildTangent
C:\Program …

dlh6213 27 Posting Maven Team Colleague

Try reinstalling MSN Messenger.

dlh6213 27 Posting Maven Team Colleague

You can read what's said here about Matcli.exe; it's spyware, but without it some of your support may not be available (but you can always come here for help :) ) -- http://www.hardavenue.com/startup/matcli.exe.php

Scan with HJT and have it fix the following entry:

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

Other than that, your log looks okay to me; are you still having problems?

dlh6213 27 Posting Maven Team Colleague

If you had SP2, your HijackThis log would show these entries:
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

If you have SP1, your log will show:
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Your log currently shows:
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
That indicates NO Service Packs have been installed.

dlh6213 27 Posting Maven Team Colleague

Please begin by following the recommendations in the 'pinned' topics at the top of this forum (Protecting, Cleaning, & Specific Infections).

Go to Windows Update and get SP1a for both XP and IE (don't get SP2, not at this time anyway).

Post a new HijackThis log after completing the above.

dlh6213 27 Posting Maven Team Colleague

Try using System Restore to return your system to a date prior to the updates and see if that fixes the problem.

dlh6213 27 Posting Maven Team Colleague

Your log looks okay to me now, are you still having problems?

I would suggest you do another scan with Ewido and, if it comes up with anything, post the new log here.

dlh6213 27 Posting Maven Team Colleague

Please follow the instructions found here:
http://www.bleepingcomputer.com/forums/How_to_remove_Antivirus_Gold_or_AVGold-t22397.html

Get CounterSpy from here and allow it to do a full system scan:
http://www.download.com/CounterSpy/3000-8022_4-10375153.html?tag=lst-0-1

Go to Windows Update and get the Critical Updates for your system.

dlh6213 27 Posting Maven Team Colleague

You could have included what Punkbuster actually is (so we wouldn't have to look it up), and what specifically you've tried (instead of just saying "everything"). Also, the log from whatever you tried could have been posted as someone else may spot something you could have overlooked.

After you've gone through the 'pinned' threads, if you haven't resolved your problem, please post a HijackThis log here in this thread.

dlh6213 27 Posting Maven Team Colleague

Hi Shane,

For future reference, if you don't get a reply to a post, you can 'bump' it to the top of the forum by simply making another post in the existing thread yourself rather than starting a new thread.

Also, by looking through your past threads, it appears you seem to keep getting reinfected on a (roughly) monthly basis. To help prevent this, you should review the 'pinned' topics at the beginning of this forum (regarding protection, cleaning, and specific fixes).

Go to Add/Remove Programs in your Control Panel and remove (if present):

180Solutions
Media Gateway
Viewpoint
(or Viewpoint Manager, ViewMgr, or something similar)

Scan with HJT and have it fix the following entries:

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [370n10rk] C:\WINDOWS\system32\370n10rk.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball...tgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/W...e/bridge-c9.cab
O16 - DPF: {1C763326-813B-466F-AF7A-8618C10955D6} (SysCheck.SystemCheck) - http://services.yummy.net/download/WebInstall.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...er.cab31267.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v4...x/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1093733159796
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOA...tallerProj1.cab
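Several of the posts in this thread hand the reader lists of HijackThis entries to fix. As an added example, not code from the thread or from HijackThis itself, the Python below parses the entry shapes that appear in those lists (R0/R1 registry values, O4 Run keys, CLSID-keyed O2/O3/O9 items, O16 DPF downloads) and flags the three patterns the posts treat as suspicious: a target of (no file) or (file missing), a ProxyServer value of :0, and a path containing a character that is illegal in a Windows file name, such as the ? in the W?nSxS entry quoted elsewhere in the thread, which means HijackThis could not render the real character. The sample lines are copied from posts in this thread; the flag names and parsing rules are this example's own.

```python
"""Parse HijackThis-style log entries and flag the patterns this thread treats as suspicious.
Added example; the regexes below are this example's reading of the entry formats, not HijackThis code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Characters that cannot appear in a Windows file or directory name (separators excluded).
# A '?' in a HijackThis path therefore marks a character the log could not render.
ILLEGAL_NAME_CHARS = set('?*<>|"')

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
REG_VALUE_RE = re.compile(r"^(?P<hive>HKCU|HKLM|HKU)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKCU|HKLM|HKU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CLSID_RE = re.compile(r"^(?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<label>.*?) - (?P<url>\S+)$")
# Quoted path, or an unquoted path up to the first executable extension followed by a space or end.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|$)', re.IGNORECASE)


@dataclass
class Entry:
    kind: str                      # R0, R1, O2, O4, O9, O16, ...
    raw: str
    hive: Optional[str] = None
    key: Optional[str] = None
    name: Optional[str] = None     # value name, Run item name, or item label
    target: Optional[str] = None   # command line, file path, URL or registry data
    clsid: Optional[str] = None


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a HijackThis result line, or None for headers and process lists."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    e = Entry(kind=kind, raw=line.strip())
    if kind in ("R0", "R1"):
        r = REG_VALUE_RE.match(body)
        if r:
            e.hive, e.key, e.name, e.target = r.group("hive"), r.group("key"), r.group("value"), r.group("data")
    elif kind == "O4":
        r = RUN_RE.match(body)
        if r:
            e.hive, e.key, e.name, e.target = r.group("hive"), r.group("key"), r.group("name"), r.group("cmd")
    elif kind == "O16":
        r = DPF_RE.match(body)
        if r:
            e.name, e.target = r.group("label"), r.group("url")
            c = re.search(r"\{[0-9A-Fa-f-]{36}\}", e.name)
            e.clsid = c.group(0) if c else None
    else:  # O2, O3, O9 and other CLSID-keyed entries
        r = CLSID_RE.match(body)
        if r:
            e.name, e.clsid, e.target = r.group("label"), r.group("clsid"), r.group("target")
        else:
            e.target = body
    return e


def executable_path(command: str) -> str:
    """Strip arguments and surrounding quotes from a Run command line, keeping only the file path."""
    m = EXE_RE.match(command)
    if m:
        return m.group("q") or m.group("u")
    parts = command.split()
    return parts[0] if parts else command


def flags(e: Entry) -> List[str]:
    """Apply the three heuristics drawn from the thread's fix lists."""
    out: List[str] = []
    t = e.target or ""
    if t.strip() == "(no file)" or t.rstrip().endswith("(file missing)"):
        out.append("missing-file")
    if e.kind in ("R0", "R1") and e.name == "ProxyServer" and t.strip() == ":0":
        out.append("bogus-proxy")
    if e.kind in ("O4", "O9") and "missing-file" not in out:
        bad = sorted(ILLEGAL_NAME_CHARS & set(executable_path(t)))
        if bad:
            out.append("unrenderable-path-char:" + "".join(bad))
    return out


def review(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged raw line to its list of flags; unflagged lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and flags(e):
            findings[e.raw] = flags(e)
    return findings


# Sample lines copied from posts in this thread (not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.qsrch.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Issfjgus] C:\WINDOWS\system32\W?nSxS\arpa.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""

if __name__ == "__main__":
    for raw, why in review(SAMPLE_LOG).items():
        print(", ".join(why).ljust(28), raw)
```

The flags are deliberately limited to what the thread's own fix lists justify; an entry with no flag is not thereby clean, it is simply one the heuristics here say nothing about, which is why the posts still ask for the whole log.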

dlh6213 27 Posting Maven Team Colleague

Without more information, about all I can suggest is to review the 'pinned' threads at the top of this forum to see if there's anything you haven't tried yet.

dlh6213 27 Posting Maven Team Colleague

You still have Aurora :(

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Then go to post #5 in this thread and follow the instructions carefully:
http://www.daniweb.com/techtalkforums/thread28196.html

When you've completed that, go to post #6 in the same thread and follow the instructions there as well.

In addition to the entries suggested to be fixed with HijackThis in those posts, include these:

O4 - HKLM\..\Run: [rebdzp] c:\windows\system32\ayxakb.exe r
O4 - HKCU\..\Run: [Issfjgus] C:\WINDOWS\system32\W?nSxS\arpa.exe