Please Help.

Hi and welcome to TSG,

Please download and run the following programs:

CWSHREDDER

http://www.majorgeeks.com/download4086.html

Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

Then restart your computer.

IMPORTANT! To help prevent this from happening again, you should install all the Microsoft security patches and critical updates.

AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware SE Personal

Install the program and launch it.

First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

Then, deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

Restart your computer.

SPYBOT SEARCH & DESTROY

http://majorgeeks.com/download2471.html

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode). Click online, Search for updates, Download all available updates. Close all Browser windows, Click ''Check for Problems''. Anything that needs to be fixed it will show in red and have a green check in the box to the left. Click ''Fix Selected Problems'', Then restart your computer.

Then, after rebooting, please post another log and we’ll see what’s left to get rid of.

 

Download and run the RapidBlaster Killer tool:

http://www.wilderssecurity.net/downloads/rbkiller.exe

You will need to uninstall MessengerPlus as it comes bundled with lop.com.

Also, I suggest you get rid of WildTangent unless you absolutely need it for games.

Before you proceed with those instructions, please move Hijack This into its own folder in program files or my documents but not in the temporary files or on the desktop, so it can create proper back-ups and restore them if necessary.

Turn off system restore. On the desktop, right-click on My Computer, click properties, click system restore tab, check turn off system restore, click apply and then OK. Restart your computer. Once your system is clean you will turn it back on and create a new restore point.

Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll

O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [EmailMesh] C:\Documents and Settings\Rithwik\Desktop\client.exe

O4 - HKLM\..\Run: [yijketts] C:\WINDOWS\njzavikq.exe

O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [kyshrxykxp] C:\WINDOWS\system32\igvyhtdw.exe

O4 - HKCU\..\Run: [Cuckoo Clock] "C:\PROGRA~1\WARCRA~1\Cuckoo.exe"

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Then boot to safe mode (see how below), locate and delete these files and/or folders:

C:\Program Files\Messenger Plus! 2 - folder
C:\Documents and Settings\Rithwik\Desktop\client.exe - file
C:\WINDOWS\njzavikq.exe - file
C:\Program Files\RapidBlaster - folder
C:\Program Files\WildTangent - folder
C:\WINDOWS\system32\igvyhtdw.exe - file
C:\PROGRA~1\WARCRA~1\Cuckoo.exe" - folder (The name will start with WARCRA and it will contain the file Cuckoo.exe)

How to restart to safe mode:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

Because XP will not always show you hidden files and folders by default, Go to Start - Search and under "More advanced search options". Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Then reboot and post another log.

 

Selective start-up means you have some things unchecked in msconfig so they don't start-up when you reboot.

It would be best to go into msconfig and put a check beside everything and then post another log so that nothing is hidden. You can go back and uncheck the ones you don't want on start-up afterwards.

 

Everything looks good now but you still have some things unchecked in msconfig. If you want to yuo can check everything in msconfig and post another log for review.

Based on this log, yes you can go ahead and turn system restore back on and create a new restore point.

http://www.pchell.com/virus/systemrestore.shtml

I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD, for added protection.

http://www.javacoolsoftware.com/spywareblaster.html

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html

 

You're welcome.

I’m closing this thread now as it has been solved. If you have more problems related to this thread and need it reopened, please PM a Moderator.

ANYONE ONE ELSE WITH A SIMILAR PROBLEM PLEASE START A NEW THREAD.