tayspen 28 <Insert title here> Team Colleague

Hello, please run HJT again, select do system scan only, and check these items.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Setting...s/MyHome2N.htm

N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\Documents and Settings\\Owner\\My Documents\\MyHome2N.htm"); (C:\Program Files\Netscape\Users\default\prefs.js) - UNLESS this is some custom script or something

O4 - Startup: progman.exe.lnk = C:\WINDOWS\system32\progman_Old.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab

O16 - DPF: {56EF6132-8288-11D6-9548-00D0594BC94C} (BPCWebZip1 Control) - https://secure.otte.vic.gov.au/osdc/BPCAxWebZip1.cab

Click Fix Checked.

____________________________________________

I'm not sure about some of the stuff in C:\Program Files\Program Files_Shareware, but if there is anything bad in there, ewido should kill it.

Please download and install ewido anti-spyware tool

  • Close all other applications, select your language, and click OK.
  • Click I Agree.
  • Click Next.
  • Click Install.
  • Click Finish.
  • Wait; Ewido will open its main screen automatically.
  • Wait a few more minutes and Ewido should auto-update itself. If it doesn't, click Update at the top of the screen.
  • It is very important to get the updates.
  • When updating has finished, close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead …
tayspen 28 <Insert title here> Team Colleague

Hi, please run HJT again, and check these items.


O2 - BHO: PREAT IE LightFrame - {43D29D14-460E-4F3A-9037-E60F11EF12F0} - C:\WINDOWS\system32\LightFrame3IECOM.dll

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

O8 - Extra context menu item: Add to QQ Customized Panel - E:\Program Files\Tencent\QQ\AddPanel.htm

O8 - Extra context menu item: Add to QQ Emoticons - E:\Program Files\Tencent\QQ\AddEmotion.htm

O8 - Extra context menu item: Send picture by MMS - E:\Program Files\Tencent\QQ\SendMMS.htm

O8 - Extra context menu item: Send the Picture by QQ MMS - e:\Program Files\Tencent\QQ\SendMMS.htm

O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - e:\Program Files\Tencent\QQ\QQ.EXE (file missing)

O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - e:\Program Files\Tencent\QQ\QQ.EXE (file missing)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho.../yinst0401.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe

O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe

Click Fix Checked.
__________________________________________

Start > Run, type Services.msc
-Right-click Windows Log
-Now choose Properties and change Startup Type to Disabled


Open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy and Paste - Windows Log
into the box and delete it.

_______________________________________

Post a new HJT log. I combined your old HJT with your first post.

tayspen 28 <Insert title here> Team Colleague

If you don't know what the O17 entries are, check those, then click Fix Checked.

Besides that, you look good :)

tayspen 28 <Insert title here> Team Colleague

@DMR - The lines...They are gone!

Now, please check these items in HJT.


O2 - BHO: (no name) - {2BE520F1-8FEA-45E9-A00D-395CC5693200} - C:\WINDOWS\system32\ursrs.dll (file missing)

Click Fix Checked.

______________________________________________

Please download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.

_______________________________________________

Post another HJT log, and let us know how your comp is doing.

tayspen 28 <Insert title here> Team Colleague

I hate to say this, but it is pretty hard to read that log, with all those lines in it ;). We will pick up with the fresh ewido log, and a HJT log with no lines :).

Thanks

tayspen 28 <Insert title here> Team Colleague

Ok, we will continue when I get the new logs :).

tayspen 28 <Insert title here> Team Colleague

We will start with removing Purity Scan, and then run ewido and let that kill some things.

Look in your Start > Control Panel > Add/Remove Programs for PuritySCAN By OIN, OuterInfo, OIN or similar, click on it and click Remove.

Reboot and delete this folder if found:
C:\Program Files\PurityScan

If not listed download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

____________________________________________________________

Please download and install ewido anti-spyware tool

  • Close all other applications, select your language, and click OK.
  • Click I Agree.
  • Click Next.
  • Click Install.
  • Click Finish.
  • Wait; Ewido will open its main screen automatically.
  • Wait a few more minutes and Ewido should auto-update itself. If it doesn't, click Update at the top of the screen.
  • It is very important to get the updates.
  • When updating has finished, close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear; use the up arrow to highlight
  • Select the first option, to run Windows in Safe Mode, and hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

tayspen 28 <Insert title here> Team Colleague

You will also need to do this.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that …

tayspen 28 <Insert title here> Team Colleague

No, don't check that. It has to do with Spy Sweeper, and if Spy Sweeper is still on your computer, checking that could cause problems. If SS is not on your system, then you can check it.

kylethedarkn - Just for future reference, just because it says file missing, does not mean it is :). It can be a bug in HJT.

tayspen 28 <Insert title here> Team Colleague

Or...

Just use SmitfraudFix to do it automatically.

;)

tayspen 28 <Insert title here> Team Colleague

Sounds like a codec issue. You can get the MS codecs for Windows media player here.

http://www.microsoft.com/windows/windowsmedia/forpros/format/codecdownload.aspx

tayspen 28 <Insert title here> Team Colleague

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report …

tayspen 28 <Insert title here> Team Colleague

Well, first off, you are running a "virgin" version of XP. That is, you don't have any of the updates. But we need to clean it before we update it, so let's begin. Run HJT again and select Do system scan only, then check these items.

O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe

O4 - HKCU\..\Run: [SSK Service] C:\WINDOWS\winssk32.exe


O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk571YYGB

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.cab

O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://skill.skilljam.com/ssp/SSP.cab

O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab

O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://207.226.177.98/dba2218.exe

Click Fix Checked.

_________________________________________________________
Please browse to, and delete, these files.

  1. C:\WINDOWS\winssk32.exe
  2. C:\WINDOWS\winppr32.exe

If you get an access denied error, you may need to boot into safe mode. If you can't see the files you may need to Show hidden files and folders.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.
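The fix lists in this thread are built by eye from rules of thumb: a Windows system binary name (svchost.exe, winlogon.exe, smss.exe) running from the wrong folder, an autostart target living in a Temp or profile folder, a random-looking filename, a Run value named after "Windows" or "Microsoft" that points somewhere unusual, an extra entry chained onto UserInit, a Winlogon Notify DLL outside system32. The script below is an added example, not code from the thread and not HijackThis's own logic; it encodes those checks as a scorer over O2/O4/O20/O23/F2/F3 lines. The system-folder lists, the weights and the fix/check thresholds are assumptions for illustration, and the sample log is constructed from entries quoted in the fix lists on this page.

```python
"""Rule-of-thumb triage of HijackThis (HJT) log lines.

Added example: not HJT's own logic and not code from the original posts.
It encodes checks the helper applies by eye to O2/O4/O20/O23/F2/F3 entries.
Directory lists, weights and thresholds are assumptions for illustration.
"""
import ntpath
import re

# Assumed default install folders (XP: C:\WINDOWS, 2000: C:\WINNT).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\winnt\\system32"}
WINDOWS_ROOTS = {"c:\\windows", "c:\\winnt"}
# Real Windows binaries whose names the malware in this thread borrows.
SYSTEM_LOOKALIKES = {"svchost.exe", "winlogon.exe", "userinit.exe",
                     "smss.exe", "csrss.exe", "lsass.exe"}
TEMP_DIRS = ("\\local settings\\temp\\", "\\local settings\\application data\\", "\\temp\\")
IMITATED_WORDS = ("windows", "microsoft", "system")

HJT_ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
VALUE_NAME = re.compile(r"\[(?P<name>[^\]]*)\]")
WIN_PATH = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|tmp)\b", re.IGNORECASE)
BARE_EXE = re.compile(r"\]\s+(?P<file>[\w.-]+\.exe)\b", re.IGNORECASE)
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$")

# Constructed sample: lines copied from the fix lists quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [hgOa2xnhu] C:\documents and settings\john blahunka\local settings\temp\hgOa2xnhu.exe
O4 - HKLM\..\Run: [7e99bbd1.exe] C:\WINDOWS\system32\7e99bbd1.exe
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS2\system32\userinit.exe,
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
O2 - BHO: (no name) - {E7772C32-CDED-BD3C-3F78-74C680C6A16E} - C:\WINDOWS\system32\UPD\bdrjbwwqmk.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
"""


def extract_paths(body):
    """All drive-letter paths to .exe/.dll/.tmp files in an entry body, lower-cased."""
    return [p.lower() for p in WIN_PATH.findall(body)]


def score_entry(line):
    """Return (score, reasons) for one HJT line; (0, []) when no rule fires."""
    m = HJT_ENTRY.match(line.strip())
    if not m or m.group("kind") not in {"O2", "O4", "O20", "O23", "F2", "F3"}:
        return 0, []
    kind, body = m.group("kind"), m.group("body")
    paths = extract_paths(body)
    folders = [ntpath.dirname(p) for p in paths]
    name_m = VALUE_NAME.search(body)
    name = name_m.group("name").lower() if name_m else ""
    hits = []  # (weight, reason)

    for path, folder in zip(paths, folders):
        base = ntpath.basename(path)
        stem = base.rsplit(".", 1)[0]
        if base in SYSTEM_LOOKALIKES and folder not in SYSTEM_DIRS:
            hits.append((3, f"{base} is a system binary name but runs from {folder}"))
        if any(t in folder + "\\" for t in TEMP_DIRS):
            hits.append((3, f"autostart target in a temp/profile folder: {path}"))
        if kind == "O20" and folder not in SYSTEM_DIRS:
            hits.append((3, f"Winlogon Notify DLL outside system32: {path}"))
        if HEX_NAME.match(base):
            hits.append((2, f"random-looking hex filename: {base}"))
        elif len(stem) >= 8 and not any(c in "aeiouy" for c in stem):
            hits.append((2, f"random-looking vowel-less filename: {base}"))
        # Win98 keeps real files such as taskmon.exe in the Windows root, so low weight.
        if kind == "O4" and folder in WINDOWS_ROOTS:
            hits.append((1, f"Run target sits directly in the Windows folder: {path}"))

    if kind == "O4" and not paths and (bare := BARE_EXE.search(body)):
        hits.append((2, f"Run value has no path ({bare.group('file')}); resolved via the search path"))
    if kind == "O4" and any(w in name for w in IMITATED_WORDS) and not any(
            f.startswith(tuple(SYSTEM_DIRS) + ("c:\\program files",)) for f in folders):
        hits.append((2, f"value name '{name}' imitates Windows but target is not a system/program folder"))
    if kind == "F2" and "userinit=" in body.lower() and len(paths) > 1:
        hits.append((3, "UserInit chain has extra entries: " + ", ".join(paths[1:])))
    if kind == "F3" and paths:
        hits.append((3, f"legacy win.ini run= autostart: {paths[0]}"))
    if kind == "O23" and "unknown owner" in body.lower():
        hits.append((1, "service carries no vendor information"))
    if kind == "O2" and "(no name)" in body.lower() and paths:
        hits.append((1, "BHO registered without a name"))
    return sum(w for w, _ in hits), [r for _, r in hits]


def verdict(score):
    """Assumed thresholds: 3+ fix, 1-2 look closer, 0 nothing structural to see."""
    return "fix" if score >= 3 else "check" if score >= 1 else "ok"


def triage(log_text):
    """Score every entry, highest first: list of (score, verdict, line, reasons)."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            score, reasons = score_entry(line)
            rows.append((score, verdict(score), line.strip(), reasons))
    rows.sort(key=lambda r: -r[0])
    return rows


if __name__ == "__main__":
    for score, call, line, reasons in triage(SAMPLE_LOG):
        print(f"{score:2d} {call:5s} {line}")
        for reason in reasons:
            print(f"         - {reason}")
```

Run it against a pasted HJT log and the svchost.exe-in-the-Windows-folder, extra-UserInit and winlogon.exe-under-inet20001 entries float to the top; the ViewMgr entry scores 0 because the heuristics look at where and how a thing starts, not at whether it is adware, and the TrayX/winppr32.exe entry only reaches "check". That is the point of a scorer like this: it orders the log for a human, it does not replace the helper's judgment (or the reminder above that "file missing" in HJT is not always true).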

tayspen 28 <Insert title here> Team Colleague

What site? I think you forgot to post the link ;).

tayspen 28 <Insert title here> Team Colleague

Something like:

System.Threading.Thread.Sleep(1000) ' Sleep for 1 second

?

tayspen 28 <Insert title here> Team Colleague

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

_________________________________________________________

Post a fresh …

tayspen 28 <Insert title here> Team Colleague

Hi there, please do the following for me.

Run HJT again, and check these items.

O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp

O4 - HKLM\..\Run: [a080178c.exe] C:\WINDOWS\System32\a080178c.exe

O4 - HKCU\..\Run: [a080178c.exe] C:\Documents and Settings\Chris Stone\Local Settings\Application Data\a080178c.exe

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab

Click Fix Checked.
____________________________________________

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

______________________________________________________

Post the smitfraudfix log, and a new HJT log, and the ewido log previously requested

tayspen 28 <Insert title here> Team Colleague

AVG Is:

  • Free
  • Lightweight
  • Performs the same as NAV
  • Doesn't steal 90% of your system resources like Norton.
  • Did I mention free?

tayspen 28 <Insert title here> Team Colleague

Hmm, I would uninstall WinPatrol and stick with only one AV, as more than one can just cause problems, as you have seen. I would go with AVG Free.

http://free.grisoft.com/doc/1

tayspen 28 <Insert title here> Team Colleague

I am sure somebody could help.

If this was in the right place ;). This needs to be in the Python forum.

tayspen 28 <Insert title here> Team Colleague

Hi, in short it will remove the viruses from your computer. You will find that if you google those files, that they are indeed bad...

tayspen 28 <Insert title here> Team Colleague

Hi, please run HJT again, and select Do system scan only. Then check these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

O4 - HKLM\..\Run: [funk] funk.exe

O4 - HKLM\..\Run: [7e99bbd1.exe] C:\WINDOWS\system32\7e99bbd1.exe

O4 - HKLM\..\Run: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe

O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe

O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe

O4 - Startup: .protected

O4 - Global Startup: .protected

Click Fix Checked.

_________________________________________________

Please download Pocket Killbox by O^E.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Windows\System32\funk.exe

    C:\WINDOWS\system32\7e99bbd1.exe

    C:\WINDOWS\system32\brmfrsmq.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

______________________________________________________

Please download ewido anti-malware it is a free version of the program.

  1. Install ewido …
tayspen 28 <Insert title here> Team Colleague

Yes, you need to run VundoFix and ewido. VundoFix needs to remove the Vundo virus (probably what Avast is detecting), and ewido needs to do some general cleanup.


Plus I need to see their logs.

You may be cleaner, but you are not 100% clean yet ;).

tayspen 28 <Insert title here> Team Colleague

Hi, please run HJT again, select Do system scan only, and check these items.


R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {7ECC24F0-5232-D278-7EA5-F0878839A1BE} - (no file)

O2 - BHO: (no name) - {8C553C96-7B39-31F0-4D87-88519024D246} - (no file)

O2 - BHO: (no name) - {A1EED0F5-29A5-BDB4-7E78-ACC6D0395B3C} - (no file)

O2 - BHO: (no name) - {D9332814-7B67-85C0-93B4-AC5AD8E785F0} - (no file)

O2 - BHO: (no name) - {E7772C32-CDED-BD3C-3F78-74C680C6A16E} - C:\WINDOWS\system32\UPD\bdrjbwwqmk.dll

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe

O4 - HKLM\..\Run: [hgOa2xnhu] C:\documents and settings\john blahunka\local settings\temp\hgOa2xnhu.exe

O4 - HKLM\..\Run: [ti] C:\windows\system32\ti.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup144.cab

Click Fix Checked.

___________________________________________________

Please download Pocket Killbox by O^E.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • Unregister .dll
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\UPD\bdrjbwwqmk.dll

    C:\WINDOWS\userint32.exe

    C:\documents and settings\john blahunka\local settings\temp\hgOa2xnhu.exe

    C:\windows\system32\ti.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on …
tayspen 28 <Insert title here> Team Colleague

Just post the log; please don't "fix" anything yourself. If used incorrectly, this program can cause mild damage ;).

tayspen 28 <Insert title here> Team Colleague

Download HijackThis. Extract it to its own folder. Then run it and select Do system scan and save log. Post the contents of the log that pops up.

Please don't post the same thing in more than one forum. Because this can be virus related, we will continue here.

tayspen 28 <Insert title here> Team Colleague

Logs clean, but your Java is outdated.

http://www.java.com/en/download/manual.jsp

As for why explorer is not opening, is beyond me. Sorry :(

tayspen 28 <Insert title here> Team Colleague

Heh, that's what I meant ;).

tayspen 28 <Insert title here> Team Colleague

Hi, please run HJT again and check these items.


O2 - BHO: (no name) - {00000000-0000-46FE-B963-27BDACE793E9} - C:\Program Files\xmm3u7ox\xmm3u7ox.dll
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\ssqnm.dll
O2 - BHO: winapi32.MyBHO - {26C43C19-A1CE-456E-9CBF-77FFB9E92681} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: ssqnm - C:\WINDOWS\system32\ssqnm.dll

Click Fix Checked.

__________________________________________________

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You …
tayspen 28 <Insert title here> Team Colleague

Hey there. Congrats on the clean log. In order to keep yourself clean you will need to do a few things. The biggest would be installing Service Pack 2, an official Microsoft update that adds new features to Windows, as well as much more security.

More info and installation of SP2: http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx

You will also need to get an antivirus. I recommend ewido. It works well and is free for 14 days; even after the 14 days you can still use it, you just won't get the auto-update feature.

That's really about it; the main things you need to do are get an AV software and SP2.

Happy Computing:).

tayspen 28 <Insert title here> Team Colleague

Yes, check viewpoint, and uninstall it. Then post one more up to date log, so we can ensure you are still clean :).

tayspen 28 <Insert title here> Team Colleague

Still more to do :). Did you run Hoster? Now please check these items in HJT.


O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://216.157.219.18:8011/webapps/c...-1_4_1-win.exe

O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll (file missing)

O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll (file missing)

O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

Click Fix Checked.

________________________________________________

Reset and Re-enable your System Restore
to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Post another log

Hang in there :)

tayspen 28 <Insert title here> Team Colleague

Hi, please run HJT and check these items.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINNT\system32\hpD72A.tmp

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://www.ldschat.com:8569/Java/cfs40301.cab

Click Fix Checked.

______________________________________________________

Then please boot into safe mode (Press F8 on startup, then select safe mode.) and delete the following File.

C:\WINNT\system32\hpD72A.tmp

______________________________________________________

I see you have ewido...scan with it and post that log along with a new HJT log.

tayspen 28 <Insert title here> Team Colleague

Can this be marked as solved? Are the problems gone?

tayspen 28 <Insert title here> Team Colleague

Read my above edit.

More on taskmon: http://www.liutilities.com/products/wintaskspro/processlibrary/taskmon/


Sorry for the confusion.

tayspen 28 <Insert title here> Team Colleague

Crap. Hold that, you have 98.

DO NOT DELETE TASKMON - If you already did, Killbox should have made a backup if you told it to. Also, Windows will regenerate it... or it should.

Wink.exe : http://castlecops.com/s4399-Wink_exe.html


I am very sorry, that was my mistake, but nothing we can't fix.

Sorry :(


EDIT: Ok, taskmon is back, no harm done :).

New log is clean. :)

tayspen 28 <Insert title here> Team Colleague

Sure, try it in safe mode. If it fails, just skip that step.

tayspen 28 <Insert title here> Team Colleague

Hi megaman99

First of all- welcome to DaniWeb :)

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your questions and HJT log in that thread.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_policies

Thanks for understanding.

tayspen 28 <Insert title here> Team Colleague

Sure, let's finish this one first, then you can create a new thread for the other computer :).

tayspen 28 <Insert title here> Team Colleague

That is ok. Don't worry about ewido. Please do the following...

Please download Pocket Killbox by O^E.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\taskmon.exe


    C:\Program Files\Wink\Wink.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

Then post a new HJT log.

tayspen 28 <Insert title here> Team Colleague

Log looks good. I see you have Ewido installed. If you could please scan with that, and post a log it would be great :).

tayspen 28 <Insert title here> Team Colleague

Hi, and welcome to DaniWeb. Please run HJT again, select Do system scan only. Then check these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R3 - Default URLSearchHook is missing

F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS2\system32\userinit.exe,

O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\Windows\system32\winbrume.dll (file missing)

O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\TOM~1.KIT\LOCALS~1\Temp\MegaHost.dll (file missing)

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe

O4 - HKLM\..\Run: [SiS Mpc Service] C:\WINDOWS\System32\mpcsvc.exe

O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20001\socks.exe

O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20001\socks.exe

O4 - HKLM\..\Run: [6e730662.exe] C:\WINDOWS\System32\6e730662.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [6e730662.exe] C:\Documents and Settings\Tom.KITCHEN\Local Settings\Application Data\6e730662.exe

O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe

O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe

O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS

O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext01.c...aInstaller.e xe

O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll

O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll

O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

O21 - SSODL: KnBzcvycFuzo - {5C735185-F6D9-FB2F-6E29-E91A77CFAB94} - C:\WINDOWS\System32\obp.dll (file missing)

O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)

Close ALL browsers and click Fix Checked

________________________________________________________

Begin by downloading

tayspen 28 <Insert title here> Team Colleague

Hi, that log looks pretty short. Are you sure you copied the whole thing? Also, be sure to run it in Normal mode.

Please run HJT again, and check these items.

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl

O4 - Startup: wink.lnk = C:\Program Files\Wink\Wink.exe

O4 - User Startup: wink.lnk = C:\Program Files\Wink\Wink.exe

O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.187/display/PopupSh.ocx

O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.c...kerutility.cab

Click Fix Checked

___________________________________________________

Please download ewido anti-malware; it is a free version of the program.

  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
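The two "check these items" posts above pick out O4 Run entries, O16 DPF downloads, O20 Winlogon Notify DLLs and O21 SSODL objects by eye. The script below is an added example, not part of HijackThis or of any post in this thread: it parses HJT-style lines and applies a few of the same rules of thumb a helper uses (a Run-key name that imitates a Windows component, svchost.exe or winlogon.exe living outside System32, an executable dropped in the drive or Windows root, a random hex filename, a CAB served from a bare IP or through an ms-its: pseudo-protocol, a Winlogon Notify DLL outside System32, an entry whose file is already missing). The heuristics, the function names (`triage`, `check_run_entry`, ...) and the three benign or constructed lines in the sample log (the AIM entry, the example.com CAB and the ms-its line with a documentation-only IP) are the example's own; the rest of the sample is copied from the logs quoted in the thread. The rules only surface candidates for a human to look at; winm32.dll is not flagged here because it sits in System32, yet the helper still told the poster to fix it, so an unflagged line is not a clean line.

```python
"""Heuristic triage of HijackThis (HJT) log lines (added example, not HJT code).

The rules below are this example's own rules of thumb. They surface candidates
for a human to review; they do not decide what is malware, and a line they do
not flag can still be bad.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: most entries are copied from logs quoted in the thread;
# the AIM line, the example.com CAB and the ms-its line (192.0.2.10 is a
# documentation address) are constructed benign/format samples.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20001\socks.exe
O4 - HKLM\..\Run: [6e730662.exe] C:\WINDOWS\System32\6e730662.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.187/display/PopupSh.ocx
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Constructed Control) - https://activex.example.com/Benign.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} - ms-its:mhtml:file://C:\page.mht!http://192.0.2.10/x.cab
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
"""

ITEM = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once|Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_PATH = re.compile(r'^"?(?P<path>[a-zA-Z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd))(?:"|\s|$)', re.I)
MASQUERADE_NAME = re.compile(r"\b(microsoft|windows|system|update)\b", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PROFILE_CACHE = re.compile(r"\\local settings\\|\\temp(?:\\|$)")
WINDIR_ROOTS = {"c:", "c:\\windows", "c:\\winnt"}
KNOWN_WINDIR_SUBDIRS = {"system32", "system", "syswow64"}
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\system32")


@dataclass
class Finding:
    line: str
    reasons: list


def split_path(path):
    """Return (directory, filename), lower-cased, for a backslash path."""
    directory, _, filename = path.lower().rstrip("\\").rpartition("\\")
    return directory, filename


def check_run_entry(name, cmd):
    """Heuristics for an O4 Run entry: where the image lives and what it is called."""
    reasons = []
    m = EXE_PATH.match(cmd)
    if not m:
        return reasons  # no recognisable image path; leave it to the human
    directory, filename = split_path(m.group("path"))
    if filename in SYSTEM_BINARIES and directory != "c:\\windows\\system32":
        reasons.append(f"{filename} outside System32")
    if directory in WINDIR_ROOTS:
        reasons.append("executable in drive or Windows root")
    elif directory.startswith("c:\\windows\\") and directory.split("\\")[2] not in KNOWN_WINDIR_SUBDIRS:
        reasons.append("unusual subfolder of the Windows directory")
    if PROFILE_CACHE.search(directory):
        reasons.append("executable in a profile cache or temp folder")
    if HEX_NAME.match(filename):
        reasons.append("random hex filename")
    if MASQUERADE_NAME.search(name) and not directory.startswith(TRUSTED_PREFIXES):
        reasons.append("Run-key name imitates a Windows component")
    return reasons


def check_dpf(body):
    """Heuristics for an O16 DPF entry: where the CAB/OCX is fetched from."""
    reasons = []
    url = body.rsplit(None, 1)[-1]  # the URL is always the last token
    parsed = urlparse(url)
    if parsed.scheme.lower() in {"ms-its", "mhtml", "file", "its", "mk"}:
        reasons.append(f"download via {parsed.scheme}: pseudo-protocol instead of http(s)")
    if IPV4.match(parsed.hostname or ""):
        reasons.append("download from a bare IP address")
    return reasons


def check_winlogon_notify(body):
    """O20: Winlogon Notify DLLs legitimately live in System32."""
    _, _, rest = body.partition(": ")
    _, _, dll = rest.rpartition(" - ")
    directory, _ = split_path(dll)
    return [] if directory == "c:\\windows\\system32" else ["Winlogon Notify DLL outside System32"]


def triage(log_text):
    """Return a Finding for every HJT line at least one heuristic fires on."""
    findings = []
    for raw in log_text.splitlines():
        m = ITEM.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = ["points at a file that no longer exists (orphaned entry)"] if ORPHAN.search(body) else []
        if sec == "O4" and (run := O4_RUN.match(body)):
            reasons += check_run_entry(run.group("name"), run.group("cmd"))
        elif sec == "O16":
            reasons += check_dpf(body)
        elif sec == "O20":
            reasons += check_winlogon_notify(body)
        if reasons:
            findings.append(Finding(m.group(0), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run it as-is and it prints the ten sample lines worth a second look with the reason each rule fired; paste a real log into `SAMPLE_LOG` (or read it from a file) to triage it. Treat the output as a reading list, not a fix list: confirm each hit before checking it in HijackThis.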

tayspen 28 <Insert title here> Team Colleague

You still have the party poker entries? Did you choose to keep those?

Besides that the log looks good.

tayspen 28 <Insert title here> Team Colleague

Hmm, that folder has to be there. It can't be deleted. Maybe it got hidden somehow? Please have windows show hidden files then try again.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.

tayspen 28 <Insert title here> Team Colleague

Run Disk Defrag:

A. Click Start –> Programs –> Accessories –> System Tools –> Disk Defragmenter.

B. Select the drive you wish to defrag. (Usually C:)

C. Then click Defragment

Run ChkDsk:

http://www.deltatranslator.com/chkdsk.htm

tayspen 28 <Insert title here> Team Colleague

This will flush restore points...

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

I'm not doing anything till you post your answer, jhay.

Will my answer suffice :)

tayspen 28 <Insert title here> Team Colleague

That is indeed what I need.

Please run HJT again, and check the following items.

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - Startup: VPN@NAU.lnk = ?

O4 - Startup: YPOPs.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

Click Fix Checked.

_____________________________________________________


Then please go to Start>Control Panel>Add/Remove programs. Uninstall:

  • PartyGaming
  • PartyPoker

_____________________________________________________

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured …

tayspen 28 <Insert title here> Team Colleague

Hi, and welcome to DaniWeb.

Well, despite what McAfee says, let's still see if you are infected. To me it does sound like you have a nasty or two.


Download HijackThis (current version is v1.99.1)

Make a new folder to put your HijackThis.exe into.

(Anywhere on your hard drive is fine other than your Desktop or the Temp folder. Suitable examples are:

  • C:\HijackThis\
  • C:\Programs\hijackthis\
  • C:\Windows\My Documents\HJT\

but feel free to use any name.)

Extract and save the HijackThis download to the new folder you made. Then navigate to it and run HijackThis from there. (This is to ensure it makes the necessary backups for recovery if fixes are made.) Then double-click HijackThis.exe, and click Scan.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents in your reply. Most of what it lists will be harmless or even essential, don't try to fix anything yourself.

tayspen 28 <Insert title here> Team Colleague

Posting a HJT log may shed some light on some more infections, making the cleaning process easier, as we would know exactly how to "attack" it.