1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

I've tried EVerything and my computer is only getting worse.

Discussion in 'Virus & Other Malware Removal' started by jdr18, Aug 6, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. jdr18

    jdr18 Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    108
    Well this all happened after I accidentally clicked a "you have won a million dollars" pop up in the middle of a site. Every minute now my computer is getting worse and worse, Half of my desktop is filled with random programs now and more just keep coming. I've tried symantec antivirus, spybot S&D, and adaware, and nothing is working. I have been keeping up on windows updates as well so I can't imagine how things have gotten so screwed up in fifteen minutes. As a last resort I ran hijackthis and saved the log. Hopefully someone here can help me. Adaware will delete 220 objects then ill run it immediately after and 300 objects will be infected. I have no idea what's going on and I'm about to scream. Here's the log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\qpexgy.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\CashBack\bin\cashback.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SED\SED.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\WINDOWS\System32\tmz.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dkibpjwgpishuqzuos.com/eLKiRSkf7XE6C1YIx4TC3e74hUJDdIyQ1Uq74pfgk8I.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bvyvyjysjyjzdmloynqbk.uk...MTn1LVa9IjbIHbMAghKnCUOjYa7TWTMumJMlzrA3n.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 35.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O4 - HKLM\..\Run: [wryxyjyfva] C:\WINDOWS\System32\qpexgy.exe
    O4 - HKLM\..\Run: [xakfimwguhsyw] C:\WINDOWS\System32\qpexgy.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [System32] C:\WINDOWS\system.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [beep build] C:\PROGRA~1\OWNSMA~1\gramless.exe
    O4 - HKLM\..\Run: [OptionWeb01Stop] C:\Documents and Settings\All Users\Application Data\Great Free Option Web\draw active.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKCU\..\Run: [xxyy] C:\WINDOWS\System32\xxyy\cdibldnf.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Rvpf] C:\WINDOWS\System32\tmz.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

    Thanks for the help if anyone has any idea what the problem is.
     
  2. jdr18

    jdr18 Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    108
    Just downloaded the latest version of hijackthis...here it is..if it helps.

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\qpexgy.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\CashBack\bin\cashback.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SED\SED.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\WINDOWS\System32\tmz.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\Jonah\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dkibpjwgpishuqzuos.com/eLKiRSkf7XE6C1YIx4TC3e74hUJDdIyQ1Uq74pfgk8I.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://npmeifetsfzxovddizpzejo.org/...Tn1LVa9IjbIHbMAghKnpjr4raYkb3sumJMlzrA3n.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 35.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O4 - HKLM\..\Run: [wryxyjyfva] C:\WINDOWS\System32\qpexgy.exe
    O4 - HKLM\..\Run: [xakfimwguhsyw] C:\WINDOWS\System32\qpexgy.exe
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [System32] C:\WINDOWS\system.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [beep build] C:\PROGRA~1\OWNSMA~1\gramless.exe
    O4 - HKLM\..\Run: [OptionWeb01Stop] C:\Documents and Settings\All Users\Application Data\Great Free Option Web\draw active.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKCU\..\Run: [xxyy] C:\WINDOWS\System32\xxyy\cdibldnf.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Rvpf] C:\WINDOWS\System32\tmz.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
    O19 - User stylesheet: (file missing)

    Thanks
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Go to Add/Remove programs and uninstall WondowsSA, EliteBar, My Daily Horiscope and Home Seach.

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dkibpjwgpishuqzuos.com/e...Uq74pfgk8I.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bvyvyjysjyjzdmloynqbk.uk...MumJMlzrA3n.jsp

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R3 - Default URLSearchHook is missing

    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 35.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

    O4 - HKLM\..\Run: [wryxyjyfva] C:\WINDOWS\System32\qpexgy.exe

    O4 - HKLM\..\Run: [xakfimwguhsyw] C:\WINDOWS\System32\qpexgy.exe

    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

    O4 - HKLM\..\Run: [System32] C:\WINDOWS\system.exe

    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe

    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe

    O4 - HKLM\..\Run: [beep build] C:\PROGRA~1\OWNSMA~1\gramless.exe

    O4 - HKLM\..\Run: [OptionWeb01Stop] C:\Documents and Settings\All Users\Application Data\Great Free Option Web\draw active.exe

    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"

    O4 - HKCU\..\Run: [xxyy] C:\WINDOWS\System32\xxyy\cdibldnf.exe

    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

    O4 - HKCU\..\Run: [Rvpf] C:\WINDOWS\System32\tmz.exe

    O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE

    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.skoobidoo.com

    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab

    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

    O19 - User stylesheet: (file missing)


    Restart to safe mode.

    How to start your computer in safe mode

    Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now find and delete these files:

    C:\WINDOWS\system.exe
    C:\Windows\System32\wsaupdater.exe
    C:\WINDOWS\System32\qpexgy.exe
    C:\WINDOWS\System32\tmz.exe

    Delete these folders:

    C:\WINDOWS\EliteBar
    C:\WINDOWS\System32\xxyy
    C:\Documents and Settings\All Users\Application Data\Great Free Option Web
    C:\Program Files\WindowsSA
    C:\Program Files\NaviSearch
    C:\Program Files\CashBack
    C:\Program Files\SED
    C:\Program Files\My DailyHoriscope
    C:\Program Files\OWNSMA~1

    I don't know the exact name of that last folder, but it will begin with OWNSMA and it will contain the gramless.exe file

    Boot back to Windows and do the following:

    Click here to download LspFix

    Launch the application, and click the "I know what I'm doing" checkbox.

    Check all instances of cdlsp.dll and lspak.dll (and nothing else) , and move them to the "Remove" pane.
    Then click Finish.

    Now start your computer in Safe Mode and delete these files:

    C:\windows\system32\lspak.dll
    c:\windows\system32\cdlsp.dll


    Click Here and download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.
     
  4. jdr18

    jdr18 Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    108
    running in safe mode now, i deleted everything on hijackthis that you told me to, but there was no home search program to remove and elitebar would not remove.

    heres the log though before safemode:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\qpexgy.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\CashBack\bin\cashback.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SED\SED.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\WINDOWS\System32\tmz.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Documents and Settings\Jonah\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50183
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [xxyy] C:\WINDOWS\System32\xxyy\cdibldnf.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Rvpf] C:\WINDOWS\System32\tmz.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Boot back into windows and Run LSPfix like I said and VX2Finder. You don't need to be running in safe mode except when you are deleting the files..

    After you run LspFix and delete the other files. Post the VX2Fider log and another Hijack This log. When you post a Hijack This log you need to always post it all. You are leaving this part off:

    Logfile of HijackThis v1.98.1
    Scan saved at 8:43:50 PM, on 8/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    We need to see that too.
     
  6. jdr18

    jdr18 Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    108
    here is the log from the vx2 program:

    Files Found---
    C:\WINDOWS\System32\KrCOM.DLL
    C:\WINDOWS\System32\Lj32.DLL
    C:\WINDOWS\System32\VkRSION.DLL

    Additional Files---

    Keys Under Notify---
    crypt32chain
    cryptnet
    cscdll
    NavLogon
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    termsrv
    wlballoon


    Guardian Key--- is called:

    User Agent String---
    {2622327F-6973-4E4C-95CA-6F63EB20385B}
     
  7. jdr18

    jdr18 Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    108
    and here is the latest hijackthislog:


    Logfile of HijackThis v1.98.1
    Scan saved at 10:17:05 PM, on 8/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Documents and Settings\Jonah\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50183
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50183
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50183
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
     
  8. jdr18

    jdr18 Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    108
    researching whatever the hell happened and bumping because the internets working faster now and the pop ups have stopped. but there is still a ton of random program icons all over my desktop.
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    IMPORTANT!: Before you run this tool please close ALL running programs. Sign off and stay off the internet until the entire procedure is complete.


    Now run VX2Finder again and click on the Find VX2.Betterinternet button. It will display the entries as before. Select all these files

    C:\WINDOWS\System32\KrCOM.DLL
    C:\WINDOWS\System32\Lj32.DLL
    C:\WINDOWS\System32\VkRSION.DLL


    This time click on the Delete these files button. It will give you a message about one file to be deleted on reboot.
    It will ask to reboot to delete the last file. Go ahead and Restart the computer

    After it reboots run VX2Finder again and click on the User Agent button and it will delete the user agent string.

    Finally click the Restore Policy button to restore the Debug policy altered in the look2Me installation.

    Restart your computer



    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50183

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/in...p://about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50183

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50183

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll


    Restart to safe mode and delete the C:\Program Files\Common Files\WinTools folder.


    I did not Add Weatherbug to my list for removal, but it is adware. Check this out for info on Weatherbug and make your own decision:

    http://www.pchell.com/support/weatherbug.shtml

    Here are two adware free alternatives:

    http://www.tropicdesigns.net/ -----> I use this one.

    http://www.singerscreations.com/




    Run VX2Finder again. This time click on the Make Log button as you did before and also click on the Hosts Log button. Copy and paste both of those logs here in your next reply along with another Hijack This log as well.
     
  10. jdr18

    jdr18 Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    108
    Here are the three logs, did everything you said.

    Files Found---

    Additional Files---

    Keys Under Notify---
    crypt32chain
    cryptnet
    cscdll
    NavLogon
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    termsrv
    wlballoon


    Guardian Key--- is called:

    User Agent String---

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    127.0.0.1 www.igetnet.com
    127.0.0.1 code.ignphrases.com
    127.0.0.1 clear-search.com
    127.0.0.1 r1.clrsch.com
    127.0.0.1 sds.clrsch.com
    127.0.0.1 status.clrsch.com
    127.0.0.1 www.clrsch.com
    127.0.0.1 clr-sch.com
    127.0.0.1 sds-qckads.com
    127.0.0.1 status.qckads.com

    Logfile of HijackThis v1.98.1
    Scan saved at 10:19:43 AM, on 8/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Jonah\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  11. jdr18

    jdr18 Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    108
    anyone know whats times flrman1 is on?
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    First you need to unzip (extract) Hijack This and move it to a permanent folder. It will not function properly when run from the zip folder or the Temp folder.

    You need to create a new folder in My Documents and name it Hijack This. Right click on the HijackThis.zip file and choose "Extract all" and extract it to the Hijack This folder you created. That way it can create and restore backups if needed. HJT will store the backups in the same location that it is run from.


    Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.


    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)

    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe


    Restart your computer and make sure the C:\Program Files\Common Files\WinTools folder has been deleted.
     
  13. jdr18

    jdr18 Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    108
    did everything you said, and the wintools folder is gone. Here's the latest hijackthis log:

    Logfile of HijackThis v1.98.1
    Scan saved at 12:16:32 AM, on 8/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HijackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50183
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50183
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50183
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50183

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50183

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50183

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa


    Restart your computer.


    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
     
  15. jdr18

    jdr18 Thread Starter

    Joined:
    Sep 1, 2003
    Messages:
    108
    Thanks for what you've done so far, flrman1, computer seems to be running much faster. Here's the latest log, and I have some questions still. As far as questions go:

    After a restart this message pops up now: "Error loading C:\Program Files\Wildtangent\Apps\CDA\cdaEngine0400.dll The specified module could not be found"
    What does that mean, and what can I do?

    Also, If I go to the control panel>add/remove programs, these programs still show up on the list:

    Bullseye Network
    Cashback by BargainBuddy
    Elitebar Internet Explorer Toolbar (tried to remove this at the very beginning and the screen just flashes for a second but nothing happens)
    NaviSearch
    Websearch Toolbar
    Wildtangent Web Driver
    Red Swoosh EDN client (remove only)

    These are all the programs that I did not recognize, and most seem to coincide with the spyware we've been trying to remove. So, what should I do? Attempt to remove them?

    Oh, and here's the latest hijackthis log.

    Logfile of HijackThis v1.98.1
    Scan saved at 12:42:21 PM, on 8/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HijackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

    Thanks so much for your continued help, flrman1. Your a lifesaver!
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - I've tried EVerything
  1. fasteddie
    Replies:
    5
    Views:
    1,070
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/258978

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice