tayspen 28 <Insert title here> Team Colleague

There is some software on your computer that I am not too sure about. Please go to Start>Control Panel>Add\Remove Programs. Then uninstall (if found): Cookie Crusher.

Now run HJT and check the following items.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.csnradio.com

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O4 - HKLM\..\Run: [Cookie Crusher] C:\Program Files\Cookie Crusher\ccrusher.exe

O4 - Global Startup: Shortcut to WallpaperChanger.lnk = C:\wallpapers\WallpaperChanger.exe

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} -

O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} -

Click Fix Checked


Post Another Log

tayspen 28 <Insert title here> Team Colleague

That log looks clean to me. Does everything seem to be back to normal?

tayspen 28 <Insert title here> Team Colleague

Let's first start with SmitRem. Download SmitRem (http://noahdfear.geekstogo.com/click...click.php?id=1).

Download smitRem.exe, saving the file to your desktop. Double-click it to extract the contents to a folder of its own. Restart your computer in safe mode, log on to the user account that is infected, open the smitRem folder and double-click the RunThis.bat file to start the tool. Follow the prompts on screen and allow Disk Cleanup to complete. Upon reboot, you can reset your desktop background.

Get into safe mode by pressing F8 on startup, then selecting safe mode...

---------------------------------------------------------------

When that is done, download ewido (www.ewido.net). Install. Update. Run. Remove what it finds. (Save log.)

Post a new HJT log, the ewido log, and the contents of C:\SmitFiles.txt

tayspen 28 <Insert title here> Team Colleague

Right-click on HiJackThis.exe (in the folder it is in) and select "Cut". Then right-click on your desktop and select New>Folder; name that folder HJT. In that folder, right-click and click "Paste". Scan again.

Sorry for not being clear...

tayspen 28 <Insert title here> Team Colleague

Hi, there are still a few infections. Please run HJT again and select the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;

O4 - HKLM\..\Run: [w11699f5.dll] RUNDLL32.EXE w11699f5.dll,I2 00098cde011699f5

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?135359440f944edb4aeaa8ad6553afa

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?135359440f944edb4aeaa8ad6553afa

O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yaho...1/yregucfg.cab

O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\ir26l5fs1.dll

Click Fix Checked

-------------------------------------------------------------------

Please download Look2Me-Destroyer.exe to your desktop.
--Close all windows before continuing.
--Double-click Look2Me-Destroyer.exe to run it.
--Put a check next to Run this program as a task.
--You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
--When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
--Once it's done scanning, …

tayspen 28 <Insert title here> Team Colleague

Hi, and welcome to DaniWeb.

Next scan please move HJT to its own folder. Now please run HJT again, and check the following items.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


O11 - Options group: [INTERNATIONAL] International*

Click Fix Checked.

Please move HJT to its own folder, and post a new log, along with an ewido log (Run it in normal mode).

tayspen 28 <Insert title here> Team Colleague

Right-click HERE and click "Save Target As...". When the dialog box comes up, select "Save", then browse to your desktop and press Save. Exit Internet Explorer and double-click on the folder. Then right-click on HiJackThis.exe and select "Cut". Then right-click on your desktop and select New>Folder; name that folder HJT. In that folder, right-click and click "Paste". Open the folder and run it. A log will pop up in Notepad. Post that.

tayspen 28 <Insert title here> Team Colleague

If you want to be sure it is virus-free:

Download HijackThis. Extract it to its own folder. Then run it and select "Do system scan and save log". Post the contents of the log that pops up.

tayspen 28 <Insert title here> Team Colleague

Well, iTunes is great, and legal, but the songs cost 99 cents each. Limewire is not an illegal program to have on your computer, but downloading copyrighted material is still illegal, and always will be. I suggest iTunes.

Please post another log...

tayspen 28 <Insert title here> Team Colleague

Hi, and welcome to DaniWeb. Let's start by running HJT again and selecting "Do system scan only". Then place a check next to these items.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpBCC8.tmp

O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} -

O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} - http://www.stamps.com/download/us/ca...ile=stamps.cab

Click Fix Checked.

------------------------------------------------------------------

Download
- Pocket Killbox by Option^Explicit Software Solutions


Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the file names below into Killbox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.

C:\WINDOWS\system32\hpBCC8.tmp

-------------------------------------------------------
I see that you have ewido installed on your computer. Please update it to the newest version and run it. Let it remove whatever it finds. …

tayspen 28 <Insert title here> Team Colleague

Download HijackThis. Extract it to its own folder. Then run it and select "Do system scan and save log". Post the contents of the log that pops up.

We will work from there.

tayspen 28 <Insert title here> Team Colleague

Hmm, I am not seeing much in that log, what exactly are the problems you are having?

tayspen 28 <Insert title here> Team Colleague

Hmmm, nothing looks too bad. Let's start with some scanners.

Download the Free trial version of Spysweeper

http://www.webroot.com/consumer/pro...&rc=4129&ac=tsg

Update the definitions and run it (save log).

Then download ewido

www.ewido.net - Install. Update. Scan. Remove anything it finds. (Save Log)

Then post those two logs, along with another HJT log...

tayspen 28 <Insert title here> Team Colleague

Hi, please run HJT again and select, Do system scan only. Then check the following.

O20 - Winlogon Notify: winskf32 - C:\WINDOWS\SYSTEM32\winskf32.dll

O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Unknown owner - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe (file missing)

Click Fix Checked

Then please go to Start>Control Panel>Add/Remove Programs Uninstall (if found):

NewDotNet

New.Net

If after uninstalling you lose internet connection please download WinsockXPFix (WinXP only) and run it.

----------------------------------------------------------
Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files.

Please run Ewido, and save the logfile from the scan.

Post back the results here, with a new HJT log.

tayspen 28 <Insert title here> Team Colleague

Please post a new log, so we can ensure you're clean.

Thanks jhay116. I have a few of my own, I just didn't have CCleaner ;).

tayspen 28 <Insert title here> Team Colleague

Hi again :). Nothing looks too bad in your log; if you don't know what Mail.Com is, I would uninstall that.

Begin by downloading CCleaner, specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch


After doing this, move back …

tayspen 28 <Insert title here> Team Colleague

Also, have HJT fix this.


O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Oh, and another thing. The service may also be called, 11Fßä#·ºÄÖ`I, so if you don't see Remote Procedure Call (RPC), try that one.

Also, while you are in safe mode, please run About:Buster twice. Save the two logs as ab1.txt, and ab2.txt.

Now reboot to normal mode and run HijackThis and attach its log and the two About:Buster logs.

Do NOT Reboot after attaching these logs

tayspen 28 <Insert title here> Team Colleague

Ok, please do the following. Run HJT again and select Do system scan only. Check the following.

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27a3c507...p/RdxIE601.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab

Click Fix Checked

---------------------------------------------------------

We need to remove an O23 Service.


1. Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find the service.

Remote Procedure Call (RPC) Helper

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

Now:

1. Open HJT
2. Click on Config>>Misc Tools>>Delete an NT Service
3. Type Remote Procedure Call (RPC) Helper in the space provided and click OK
4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINDOWS\apiqk32.exe

7. REBOOT back into Normal Mode

---------------------------------------------------------

Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/download/

Install …

tayspen 28 <Insert title here> Team Colleague

I have not used it myself. Though I have heard it is a good program.

tayspen 28 <Insert title here> Team Colleague

He is very well known in the malware-fighting world. He is an active member on many forums, and helps people rid themselves of malware often. That is probably why you recognize his name. He knows his stuff :).

tayspen 28 <Insert title here> Team Colleague

Hmmm, I don't see anything in your log that looks bad. I am out of ideas since LSPFix did not work; maybe jhay116 or DMR will have some more ideas.

Wait, by any chance do you have Norton Internet Security on your computer?

tayspen 28 <Insert title here> Team Colleague

please don't tell me to run it again lol XD

:cheesy:

We are ready to go...

Run HJT and check the following.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)

O23 - Service: windllrun - Unknown owner - C:\WINDOWS\system32\windllrun.exe (file missing)

Click Fix Checked

-------------------------------------------------------

Then go to Start>Control Panel>Add\Remove Programs Uninstall (If found) Windows AdStatus.

Then please ensure this folder is deleted:
C:\Program Files\Windows AdStatus\

If it gives you an error saying it can't be deleted, please boot into safe mode and delete it.


Post a new log

tayspen 28 <Insert title here> Team Colleague

Well, I hate to say this, but you should have run those scans first. Now I am going to need a fresh log, so we don't try to remove something they already removed.


Thanks

tayspen 28 <Insert title here> Team Colleague

Please run ewido and Spysweeper and post the logs. That will take out most of the infections.

tayspen 28 <Insert title here> Team Colleague

Yes, I would say you are infected.

Download HijackThis. Extract it to its own folder. Then run it and select "Do system scan and save log". Post the contents of the log that pops up.

Download the Free trial version of Spysweeper

http://www.webroot.com/consumer/pro...&rc=4129&ac=tsg

Update the defintions and run it, let it remove whatever it finds.

Then download ewido

www.ewido.net - Install. Update. Scan. Remove anything it finds.

Note: if you can't download stuff, let me know...

tayspen 28 <Insert title here> Team Colleague

ok, now check the following.


R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?f84bc18420594b8cb1ccec687135075

O4 - HKCU\..\Run: [Cbowioa] C:\WINDOWS\system32\M?crosoft\??ool32.exe

O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab

Click Fix Checked.

-------------------------------------------------------

Go to My computer>C:\>Windows>System32>Microsoft>

Delete any file in there that looks like it could be

??ool32.exe

-----------------------------------------------------

Post new HJT log

tayspen 28 <Insert title here> Team Colleague

Please post another HJT log when you get back your computer. So we can determine the problem.

Thanks

tayspen 28 <Insert title here> Team Colleague

Now, run HJT again, and check the following.

R3 - URLSearchHook: (no name) - {C7092936-98F7-B728-A2FC-E13B85752293} - C:\WINDOWS\system32\tcmaok.dll (file missing)

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?f84bc18420594b8cb1ccec687135075

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?f84bc18420594b8cb1ccec687135075

Click Fix Checked


Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.

Now start Killbox. Copy the list of files below to the clipboard by selecting all of them with your mouse (left-click the start of the list and drag the mouse to the bottom of the list); when they are all selected (highlighted in blue), right-click on any part of the blue area and select Copy.

In Killbox, go to the toolbar, press File and select Paste from clipboard. The first file name will appear in the window and, if the file exists, it will appear in blue under that window. Then check "Delete on reboot".

Reboot.

File List:

C:\DOCUME~1\Daddy\APPLIC~1\RACLE~1\winlogon.ex

Post what should be the last log.

tayspen 28 <Insert title here> Team Colleague

Well, better safe than sorry, so it wouldn't hurt to run it...

tayspen 28 <Insert title here> Team Colleague

Files\Content.IE5\OFRR24TH\photo[1].jpg -> Backdoor.Haxdoor.dw : Cleaned with backup

Yes but it was cleaned. The HJT log also showed no signs of it.

tayspen 28 <Insert title here> Team Colleague

Hi, and welcome to Daniweb :).

You do have a bit of "nasties". Start by running HJT again and selecting "Do system scan only". Then check these items.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [YwO77Lg] C:\documents and settings\daddy\local settings\temp\YwO77Lg.exe

O4 - HKLM\..\Run: [w34T3sh] rtuphost.exe

O4 - HKLM\..\Run: [D3vag] C:\documents and settings\daddy\local settings\temp\D3vag.exe

O4 - HKLM\..\Run: [C3Y] C:\documents and settings\daddy\local settings\temp\C3Y.exe

O4 - HKCU\..\Run: [Iub] C:\WINDOWS\system32\n?pdb.exe

O4 - HKCU\..\Run: [Jgjrwwlk] C:\WINDOWS\system32\w?nlogon.exe

O4 - HKCU\..\Run: [Octu] "C:\WINDOWS\ICROSO~1\ping.exe" -vt rbnd

O4 - HKCU\..\Run: [Gda] C:\Documents and Settings\Daddy\My Documents\?ssembly\w?nspool.exe

O4 - HKCU\..\Run: [Rone] "C:\DOCUME~1\Daddy\MYDOCU~1\SKS~1\nslookup.exe" -vt rbnd

O4 - HKCU\..\Run: [Ntkn] C:\Documents and Settings\Daddy\My Documents\??crosoft\d?dplay.exe

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O20 - Winlogon Notify: hblogon - C:\WINDOWS\SYSTEM32\hblogon.dll

O20 - Winlogon Notify: Media Center - C:\WINDOWS\system32\en46l1hs1.dll

Then click fix checked

--------------------------------------------------------------------

Please download Look2Me-Destroyer.exe to your desktop.
--Close all windows before continuing.
--Double-click Look2Me-Destroyer.exe to run it.
--Put a check next to Run this program as a task.
--You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
--When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
--Once it's done scanning, click the Remove L2M button.
--You …
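
The O4 entries in this post are worth a closer look: `w?nlogon.exe`, `n?pdb.exe` and `??crosoft\d?dplay.exe` are system-looking names with a non-ASCII character (HijackThis prints it as "?"), `ping.exe` and `nslookup.exe` run from folders outside system32, and several entries start from a user's Temp folder. The following is an added example, not HijackThis's own code or anything posted in this thread: a small Python triage script that applies those heuristics to log lines. The sample lines are constructed to match the entry shapes quoted here (they are not a real log), and the allowlists of trusted search hosts, system binaries and lookalike targets are assumptions of the example, not something HijackThis ships.

```python
"""Heuristic triage of HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample shaped like the entries quoted in this thread; not a
# real log. HijackThis prints non-ASCII characters in names as "?".
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [YwO77Lg] C:\documents and settings\daddy\local settings\temp\YwO77Lg.exe
O4 - HKCU\..\Run: [Jgjrwwlk] C:\WINDOWS\system32\w?nlogon.exe
O4 - HKCU\..\Run: [Octu] "C:\WINDOWS\ICROSO~1\ping.exe" -vt rbnd
O4 - HKLM\..\Run: [Cookie Crusher] C:\Program Files\Cookie Crusher\ccrusher.exe
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\ir26l5fs1.dll
O23 - Service: windllrun - Unknown owner - C:\WINDOWS\system32\windllrun.exe (file missing)
"""

# Allowlists below are assumptions of this example, not anything HijackThis ships.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "winspool.exe", "ping.exe",
                   "nslookup.exe", "ati2evxx.exe", "rundll32.exe"}
LOOKALIKE_TARGETS = SYSTEM_BINARIES | {"microsoft", "tasks", "assembly"}
SYSTEM32_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
TRUSTED_SEARCH_HOSTS = {"www.msn.com", "search.msn.com", "www.google.com"}
TEMP_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\")

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r'"?(?P<path>[a-z]:\\[^"]*?\.(?:exe|dll|tmp))"?', re.I)
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)", re.I)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def osa_distance(a: str, b: str) -> int:
    """Edit distance that also counts an adjacent swap (scvhost/svchost) as one edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(component: str):
    """Legit name this path component imitates, or None. A '?' stands for one
    non-ASCII character; plain ASCII names are compared by edit distance."""
    name = component.lower()
    if name in LOOKALIKE_TARGETS:
        return None
    if "?" in name:
        pattern = re.escape(name).replace(r"\?", ".")
        return next((t for t in LOOKALIKE_TARGETS if re.fullmatch(pattern, t)), None)
    return next((t for t in LOOKALIKE_TARGETS if osa_distance(name, t) == 1), None)


def path_checks(sec: str, path: str, line: str):
    """Checks that apply to any file path a log line points at."""
    parts = path.split("\\")
    base, folder = parts[-1].lower(), "\\".join(parts[:-1]).lower()
    out = [Finding(sec, f"'{c}' is a lookalike of '{lookalike_of(c)}'", line)
           for c in parts if lookalike_of(c)]
    if base in SYSTEM_BINARIES and folder not in SYSTEM32_DIRS:
        out.append(Finding(sec, f"system binary name '{base}' outside system32 ({folder})", line))
    if any(m in path.lower() for m in TEMP_MARKERS):
        out.append(Finding(sec, "autostart target lives in a temp folder", line))
    return out


def triage(log_text: str):
    """Return one Finding per heuristic hit; lines with no hit produce nothing."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(sec, "orphaned entry: target file is gone", line))
        if sec in ("R0", "R1"):
            if re.search(r"ProxyServer = \S*127\.0\.0\.1", body):
                findings.append(Finding(sec, "IE proxy points at loopback (local interception proxy)", line))
            u = URL_RE.search(body)
            if u and u.group("host").lower() not in TRUSTED_SEARCH_HOSTS:
                findings.append(Finding(sec, f"browser setting hijacked to {u.group('host')}", line))
        p = PATH_RE.search(body)
        if p:
            findings.extend(path_checks(sec, p.group("path"), line))
        elif sec == "O4" and (r := RUN_RE.search(body)):
            cmd = r.group("cmd").split()[0]  # bare name: resolved via PATH search
            findings.append(Finding(sec, f"run entry '{cmd}' has no path", line))
            if (legit := lookalike_of(cmd)):
                findings.append(Finding(sec, f"'{cmd}' is a lookalike of '{legit}'", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The Cookie Crusher, Start Page and O20 lines in the sample produce no finding: a random-looking Winlogon Notify DLL such as `ir26l5fs1.dll` cannot be judged by name alone, which is why the thread still sends such entries to a scanner or a lookup rather than relying on the log text.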

tayspen 28 <Insert title here> Team Colleague

Hi, now have HJT fix the following.


O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gad.../LocalExec.CAB

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1162


O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

Then post what should be the last log.

tayspen 28 <Insert title here> Team Colleague

Well, That is a clean log :).

tayspen 28 <Insert title here> Team Colleague

You are very welcome. I do it to fight the battle, The battle against malware.... And to help others :).

tayspen 28 <Insert title here> Team Colleague

Good! it is gone :). Your log looks clean. Does everything seem to be fine?

tayspen 28 <Insert title here> Team Colleague

Ok, to put it simply. You are Loaded with infections.

Please start by downloading the following. Do not run them yet.


SmitRem - http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

Ewido - www.ewido.net

CCleaner - www.ccleaner.com

After you download those, you may need to print these instructions; you will not have internet access during parts of this fix.

-------------------------------------------------------------------------

Now please do the following.

Double-click SmitRem to extract the contents to a folder of its own. Restart your computer in safe mode, log on to the user account that is infected, open the smitRem folder and double-click the RunThis.bat file to start the tool. Follow the prompts on screen and allow Disk Cleanup to complete. Upon reboot, you can reset your desktop background.

Reboot computer normally

-------------------------------------------------------------------------

Then please run HJT again, and select Do system scan only. Place a check next to these items.


R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)

O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp18C8.tmp (file missing)

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O3 - Toolbar: (no name) - {0E677229-E309-4341-81BD-3CC3018BF5B3} - (no file)

O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe

O4 - …

tayspen 28 <Insert title here> Team Colleague

That file is still there :mad:. Run killbox again, paste this path into the box (same one where you did it last time).

C:\WINDOWS\SVCHOST.EXE

Then check "Delete on reboot", and then reboot.

Post a new log

tayspen 28 <Insert title here> Team Colleague

Well, you had AdWare.Win32.Suggestor. And you were also infected with NewDotNet, which was what was stopping you from accessing the internet. These infections usually come from downloading things from unknown sources, things like "free" programs or toolbars...

The last thing I see is Spyware Nuker, which is an anti-spyware tool that used to be on the list of suspect programs. I am pretty sure it was taken off, but it still might be a good idea to uninstall it.

Besides that you are looking pretty clean :)...Does everything seem to be back to normal?

tayspen 28 <Insert title here> Team Colleague

Hi there :).

Please run HJT and select Do system scan only.

Then check the following items.


O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\

Then click Fix Checked

------------------------------------------------------

Then please boot into safe mode and delete the following file.

C:\WINDOWS\system32\w9seq.dll


Empty your recycle bin!

------------------------------------------------------

Reboot normally.

Go to Start>Control Panel>Add/Remove Programs. Uninstall anything having to do with:


NewDotNet

New Dot Net

New.Net

-------------------------------------------------

Download ewido (www.ewido.net). Install. Update. Scan. Remove anything it finds. (Save the log)

Post a new HJT log, and an ewido log.

tayspen 28 <Insert title here> Team Colleague

Hi, and welcome :)


Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.

Now start Killbox. Copy the list of files below to the clipboard by selecting all of them with your mouse (left-click the start of the list and drag the mouse to the bottom of the list); when they are all selected (highlighted in blue), right-click on any part of the blue area and select Copy.

In Killbox, go to the toolbar, press File and select Paste from clipboard. The first file name will appear in the window and, if the file exists, it will appear in blue under that window. Then select Standard File Kill, press the red X button, say Yes to the prompt, and once the "file deleted" message comes up, press the red X again; continue pressing until the last file on the list appears in the window and it says deleted.

File list:

C:\WINDOWS\SVCHOST.EXE

We will work from there.

Post a new log

tayspen 28 <Insert title here> Team Colleague

Hi, run HJT and check the following.


O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...0/installer.exe

O20 - Winlogon Notify: cdscsix3 - C:\WINNT\SYSTEM32\cdscsix3.dll

O20 - Winlogon Notify: directpt - directpt.dll (file missing)

O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

Then click Fix Checked

---------------------------------------------------------------------

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.

Now start Killbox. Copy the list of files below to the clipboard by selecting all of them with your mouse (left-click the start of the list and drag the mouse to the bottom of the list); when they are all selected (highlighted in blue), right-click on any part of the blue area and select Copy.

In Killbox, go to the toolbar, press File and select Paste from clipboard. The first file name will appear in the window and, if the file exists, it will appear in blue under that window. Then select Standard File Kill, press the red X button, say Yes to the prompt, and once the "file deleted" message comes up, press the red X again …

tayspen 28 <Insert title here> Team Colleague

Good! :).

Now check the following.


O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)

Click Fix Checked.

That looks about all. Does everything seem to be back to normal?

tayspen 28 <Insert title here> Team Colleague

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.

Now start Killbox. Copy the list of files below to the clipboard by selecting all of them with your mouse (left-click the start of the list and drag the mouse to the bottom of the list); when they are all selected (highlighted in blue), right-click on any part of the blue area and select Copy.

In Killbox, go to the toolbar, press File and select Paste from clipboard. The first file name will appear in the window and, if the file exists, it will appear in blue under that window. Check "Delete on reboot", then reboot.

File list:

C:\WINDOWS\SYSTEM32\winzlo32.dll

If that doesnt work, let me know. That should do it.

tayspen 28 <Insert title here> Team Colleague

Hi :),

Yes, if killbox didn't delete it you may need to delete it manually.

As for the other files, if the scanner said it took them out, it's fine. But just to make sure, let's clean the temp files, as that is where it seems to be.

Download CCleaner (www.ccleaner.com). Install it, and run the cleaner part of it.

Then please post a new log, so I can see what there is left.

tayspen 28 <Insert title here> Team Colleague

Try, checking the "Delete on Reboot" option. Then reboot, see if that does it.

tayspen 28 <Insert title here> Team Colleague

You're welcome :). Let me know if it works.

tayspen 28 <Insert title here> Team Colleague

Hi, please run HJT again, and select Do system scan only. Then check these items.


O4 - HKCU\..\Run: [Aceu] "C:\PROGRA~1\COMMON~1\ICROSO~1\ati2evxx.exe" -vt yazr

O4 - HKCU\..\Run: [Szsmf] C:\Program Files\Common Files\?asks\arpa.exe

O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm

O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm


O20 - Winlogon Notify: winzlo32 - C:\WINDOWS\SYSTEM32\winzlo32.dll

Click Fix Checked

--------------------------------------------------------------
Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.

Now start Killbox. Copy the list of files below to the clipboard by selecting all of them with your mouse (left-click the start of the list and drag the mouse to the bottom of the list); when they are all selected (highlighted in blue), right-click on any part of the blue area and select Copy.

In Killbox, go to the toolbar, press File and select Paste from clipboard. The first file name will appear in the window and, if the file exists, it will appear in blue under that window. Then select Standard File Kill, press the red X button, say Yes to the prompt, and once the "file deleted" message comes up, press the red X again; continue pressing until the last file on the list appears in the window and it says deleted.

File List

C:\WINDOWS\SYSTEM32\winzlo32.dll

C:\PROGRA~1\COMMON~1\ICROSO~1\ati2evxx.exe

C:\Program Files\Common Files\?asks\arpa.exe

----------------------------------------------------------

tayspen 28 <Insert title here> Team Colleague

You could try Pocket Killbox.

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.

Now start Killbox. Copy the list of files below to the clipboard by selecting all of them with your mouse (left-click the start of the list and drag the mouse to the bottom of the list); when they are all selected (highlighted in blue), right-click on any part of the blue area and select Copy.

In Killbox, go to the toolbar, press File and select Paste from clipboard. The first file name will appear in the window and, if the file exists, it will appear in blue under that window. Then select Standard File Kill, press the red X button, say Yes to the prompt, and once the "file deleted" message comes up, press the red X again; continue pressing until the last file on the list appears in the window and it says deleted.

File List

<The path to the file you want to delete>

tayspen 28 <Insert title here> Team Colleague

Hi :).

Please start HJT, and select "Do system scan only." Then, check these items.


O2 - BHO: (no name) - {17A9D5A9-E944-211F-E207-CEDC289742F0} - C:\DOCUME~1\JENNIF~1\APPLIC~1\Mode64\Dent about.exe (file missing)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [Funk 2 Meta Poll] C:\Documents and Settings\All Users\Application Data\magsacidfunk2\bash idol.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZCxdm341YYGB

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aolsvc.co.uk/mol...84/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aolsvc.co.uk/mol...,21/mcgdmgr.cab

Click Fix Checked

---------------------------------------------------------------------

Then go to Start>Control Panel>Add/Remove programs.

Uninstall anything that has to do with:


My Web Search Bar

Funk 2 Meta Poll

--------------------------------------------------------------------
Then please download ewido - www.ewido.net - Install. Update. Scan. Remove anything it finds.

Post a new HJT log, and the ewido log

tayspen 28 <Insert title here> Team Colleague

Ok, let's start by downloading HijackThis. Extract it to its own folder. Then run it and select "Do system scan and save log". Post the contents of the log that pops up.

We will then work from there.