
I believe I have the black worm

#1 ·
I keep getting pop up ads, saying that I have the black worm virus and that I need to "click here" to get rid of it. I have gone through the five steps listed that users are supposed to go through before posting a HJT log, but I'm still receiving pop-ups. If someone could help me resolve this I will donate to the cause. I appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 6:34:28 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\a la mode\Sched\eSched.exe
C:\windows\mousepad7.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kellee\Desktop\Jason Working\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [The Assistant] "C:\Program Files\a la mode\Sched\eSched.exe"
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINNT\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [w002115a.dll] RUNDLL32.EXE w002115a.dll,I2 0000207c0002115a
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\rwinnrag.exe CORN001
O4 - HKLM\..\Run: [w503d47a.dll] RUNDLL32.EXE w503d47a.dll,I2 0000207c0503d47a
O4 - HKLM\..\Run: [w000e4ec.dll] RUNDLL32.EXE w000e4ec.dll,I2 0000207c0000e4ec
O4 - HKLM\..\Run: [w000e8fd.dll] RUNDLL32.EXE w000e8fd.dll,I2 0000207c0000e8fd
O4 - HKLM\..\Run: [w0011817.dll] RUNDLL32.EXE w0011817.dll,I2 0000207c00011817
O4 - HKCU\..\Run: [a la mode Scheduler Tool] C:\Program Files\a la mode\sched\eSched.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\rwinnrag.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2C15848B-21C0-406A-9902-56C8D90684F3} (alaWeb.clsGetStats) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterexe/drsmartload185a.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c....microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098706294940
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://dem.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/s...om/sites/winantispyware.com/www/download/2006/WinAntiSpyware2006FreeInstall.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINNT\system32\w9seq.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINNT\system32\syclient.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINNT\system32\mwang.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
 
#2 ·
Welcome to TSF. Do you have multiple operating systems on this system, such as Windows 2000 and Windows XP?

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

Before you begin, take a read through these instructions and download the programs that I've advised. Save the instructions below in Notepad or WordPad, because you will also have to work in Safe Mode without networking support, so this page will not be available then. You should not have any browsers open during the cleaning process unless otherwise prompted.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

Please allow yourself a few spare hours. Below are instructions for virus scans that can take longer than 2 hours.

It is also important you don't miss a step and perform everything in the right order!!
********************************DOWNLOADS********************************

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

Please download CleanUp! and install it. Do not run it yet!

Download Ewido Security Suite - install it and update its database, but do not run it yet.

Please download Atribune's Look2Me-Destroyer.exe to your desktop. Do not run it yet.



  1. Download and run bfu.zip
  2. Checkmark the following boxes:
     • Use settings specified in script for the above option
     • Show log after script ends
  3. Click the Web button located in the top right corner
  4. Copy/paste this URL into the address bar of the Download script window:
     http://metallica.geekstogo.com/alcanshorty.bfu
  5. Execute the script by clicking the Execute button.
  6. When it finishes running, click the Save button for a copy of the log
  7. Post the log created by the script when you have completed the fix

Unplug your computer from the Internet when you have finished downloading.

********************************LOOK2ME FIX*********************************

  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message; click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer. Click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HijackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


********************************PURGE/CLEANUP*********************************

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
  • Click "Options..."
  • Set the slider to "Standard CleanUp!"
  • Uncheck the following:
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
    • Scan local drives for temporary files
  • Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep that are stored in these locations, move them now!

********************************SAFE MODE*********************************

REBOOT TO SAFE MODE
  1. Restart the computer. The computer begins processing a set of instructions known as BIOS.
  2. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
  3. Continue to do so until the 'Windows Advanced Options' menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.

*********************************SETTING UP********************************

Enable the viewing of Hidden files
  1. From Windows Explorer, go to Tools>Folder Options>View tab.
  2. Enable the option for 'Show hidden files and folders'
  3. Disable the option for 'Hide file extensions for known types'
  4. Disable the option for 'Hide protected operating system files'
  5. Click Yes to confirm & then click OK

********************************ADD/REMOVE********************************

Uninstall the following programs, if present, using Control Panel > Add/Remove Programs:
  • Zeno
  • Download Accelerator Plus
  • WebHancer

*********************************HJT FIXES**********************************

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINNT\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [w002115a.dll] RUNDLL32.EXE w002115a.dll,I2 0000207c0002115a
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\rwinnrag.exe CORN001
O4 - HKLM\..\Run: [w503d47a.dll] RUNDLL32.EXE w503d47a.dll,I2 0000207c0503d47a
O4 - HKLM\..\Run: [w000e4ec.dll] RUNDLL32.EXE w000e4ec.dll,I2 0000207c0000e4ec
O4 - HKLM\..\Run: [w000e8fd.dll] RUNDLL32.EXE w000e8fd.dll,I2 0000207c0000e8fd
O4 - HKLM\..\Run: [w0011817.dll] RUNDLL32.EXE w0011817.dll,I2 0000207c00011817
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\rwinnrag.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O16 - DPF: {2C15848B-21C0-406A-9902-56C8D90684F3} (alaWeb.clsGetStats) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINNT\system32\w9seq.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINNT\system32\syclient.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINNT\system32\mwang.dll


*****************************MANUAL DELETIONS*****************************

Locate and delete the following folder(s), if present:
  • C:\Program Files\webHancer\
  • C:\Program Files\Common Files\VCClient\
  • C:\PROGRA~1\DAP\
Locate and delete the following file(s), if present:
  • C:\WINNT\system32\slk8x2peu.exe
  • C:\WINNT\system32\rwinnrag.exe
  • C:\WINNT\system32\w9seq.dll
  • C:\WINNT\system32\syclient.dll
  • C:\WINNT\system32\mwang.dll
Search for and delete the following file(s), if present, using Start > Search...:
  • w503d47a.dll
  • w000e4ec.dll
  • w000e8fd.dll
  • w0011817.dll

********************************EWIDO SCAN********************************

** Please disable all other antivirus programs before proceeding.**

Run Ewido:
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click OK
  • Once finished, click the Save report button
  • Save the report to your desktop
Close Ewido
* Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

********************************ONLINE SCAN********************************

REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Panda ActiveScan
** Click on "Free use ActiveScan", located in the top right-hand corner.
  1. Click Check Now and a pop-up window will appear. *Ensure that your pop-up blocker doesn't block it.
  2. Enter your e-mail address, country, and state and click Scan Now. It then begins downloading Panda's 8 MB ActiveX controls.
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal, as we will address this later.
  • Click on See report, then click Save report.
Please post that log in your next reply.

********************************CHECK LIST********************************

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. Ewido Results
  4. C:\Look2Me-Destroyer.txt
  5. Log from BFU.
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
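A triage script added here as an example (not part of this thread, and not a HijackThis feature) that applies the heuristics the helper used when picking lines to fix: the real system root derived from where smss.exe runs versus autoruns living in a look-alike C:\windows, rundll32 loaders named w<hex>.dll with entry point I2, empty or missing browser settings, O16 downloads that are bare executables, a text/html O18 filter, and O20 Winlogon Notify DLLs. The embedded log is a constructed subset of the first HijackThis log posted above.

```python
"""Triage a HijackThis 1.99 log with the heuristics the helper applied above.

Added example, not part of this thread and not a HijackThis feature. Every
rule only surfaces a line for review; it is not a verdict on that line.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: a subset of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\windows\mousepad7.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [The Assistant] "C:\Program Files\a la mode\Sched\eSched.exe"
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [w002115a.dll] RUNDLL32.EXE w002115a.dll,I2 0000207c0002115a
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterexe/drsmartload185a.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINNT\system32\w9seq.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINNT\system32\syclient.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINNT\system32\mwang.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# "R0 - ...", "O4 - ..." entry lines.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Bare file path at the start of a line (the "Running processes" block).
PATH_LINE_RE = re.compile(r"^[A-Z]:\\", re.IGNORECASE)
# The rundll32 loader pattern fixed in this thread: w + 7 hex digits + .dll, entry point I2.
RUNDLL_LOADER_RE = re.compile(r"RUNDLL32\.EXE\s+w[0-9a-f]{7}\.dll,I2", re.IGNORECASE)
# Any directory that looks like a Windows system root, whether or not it is the real one.
WINROOT_RE = re.compile(r"[A-Z]:\\(WINNT|WINDOWS|WIN2000)\\", re.IGNORECASE)
SMSS_RE = re.compile(r"^([A-Z]:\\[^\\]+)\\System32\\smss\.exe$", re.IGNORECASE)


def system_root(lines: List[str]) -> Optional[str]:
    """Derive the real system root from where smss.exe runs, e.g. 'c:\\winnt'."""
    for line in lines:
        m = SMSS_RE.match(line)
        if m:
            return m.group(1).lower()
    return None


def fake_root(path_text: str, root: Optional[str]) -> Optional[str]:
    """Return a Windows-root-looking directory in path_text that is not the real root."""
    if root is None:
        return None
    for m in WINROOT_RE.finditer(path_text):
        if not m.group(0).lower().startswith(root + "\\"):
            return m.group(0)
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for lines that deserve a closer look."""
    lines = [ln.rstrip() for ln in log_text.strip().splitlines()]
    root = system_root(lines)
    findings: List[Tuple[str, str]] = []
    for line in lines:
        if PATH_LINE_RE.match(line):
            bad = fake_root(line, root)
            if bad:
                findings.append((line, f"process runs from {bad} but the system root is {root}\\"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        reasons: List[str] = []
        if kind in ("R0", "R3") and (body.endswith("=") or "(no file)" in body):
            reasons.append("browser setting or search hook is empty or points at a missing file")
        if kind == "O4":
            if RUNDLL_LOADER_RE.search(body):
                reasons.append("rundll32 loader named w<7 hex digits>.dll with entry point I2")
            bad = fake_root(body, root)
            if bad:
                reasons.append(f"autorun under {bad} but the system root is {root}\\")
        if kind == "O16" and body.rsplit(" - ", 1)[-1].lower().endswith(".exe"):
            reasons.append("DPF entry pulls a bare .exe from the web instead of a .cab")
        if kind == "O18" and body.startswith("Filter: text/html"):
            reasons.append("MIME filter for text/html sees every page Internet Explorer loads")
        if kind == "O20":
            if "(file missing)" in body:
                reasons.append("Winlogon Notify entry whose DLL no longer exists")
            else:
                reasons.append("Winlogon Notify DLL runs inside winlogon at logon; verify its origin")
        findings.extend((line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```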
 
#3 ·
I ran through the steps you asked

I ran through the steps you asked, I really appreciate it. There are far fewer popups now, hardly any at all. However, Panda scan found some issues as you will see in the log. Also, I cannot use MLXchange, which I use for my appraisal business; I keep getting a Java handler error when trying to do searches. It is an online tool. Well, here is the rest of my information. Thank you very much, I feel like it's close.


I ran Brute Force.

Brute Force uninstaller log:

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 10:35:44 PM, on 4/12/2006

Failed: DllUnregister C:\WINNT\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler|{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F} (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FolderDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\hsperfdata_Kellee (operation failed)
Failed: FileDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\Perflib_Perfdata_f44.dat (operation failed)
Failed: FolderDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\Temporary Internet Files (operation failed)
Failed: FileDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\~DF249C.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\~DF3540.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\~DF48B0.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\~DFACBB.tmp (operation failed)
Failed: FolderDelete C:\Documents and Settings\Kellee\Local Settings\Temporary Internet Files\Content.IE5\6W846F6T (operation failed)
Failed: FolderDelete C:\Documents and Settings\Kellee\Local Settings\Temporary Internet Files\Content.IE5\F1H3YKFG (operation failed)
Failed: FolderDelete C:\Documents and Settings\Kellee\Local Settings\Temporary Internet Files\Content.IE5\F7RQPIFE (operation failed)
Failed: FolderDelete C:\Documents and Settings\Kellee\Local Settings\Temporary Internet Files\Content.IE5\ZLAL33UU (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINNT\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\temp (folder not found)
Failed: FolderCreate C:\bintheredunthat (folder already exists)
Failed: FileMove C:\WINNT\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.


I unplugged the ethernet cable, closed all windows, and ran Look2Me-Destroyer:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/12/2006 10:45:05 PM

Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP554\A0262439.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272774.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272785.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272786.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272789.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273014.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273044.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274046.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274103.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP554\A0262439.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP554\A0262439.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272774.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272774.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272785.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272785.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272786.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272786.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272789.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272789.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273014.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273014.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273044.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273044.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274046.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274046.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274103.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274103.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7DCA383D-597B-4E39-9A03-C278ED1E0C2C}"
HKCR\Clsid\{7DCA383D-597B-4E39-9A03-C278ED1E0C2C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7C158695-601C-4102-B33A-F919CD445B2F}"
HKCR\Clsid\{7C158695-601C-4102-B33A-F919CD445B2F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{72679689-55EB-40D8-B76D-67708C72EE08}"
HKCR\Clsid\{72679689-55EB-40D8-B76D-67708C72EE08}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


I rebooted in safe mode, made the Explorer changes, and ran HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:09:14 PM, on 4/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Kellee\Desktop\Real fix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [w001fb2c.dll] RUNDLL32.EXE w001fb2c.dll,I2 0000207c0001fb2c
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [a la mode Scheduler Tool] C:\Program Files\a la mode\sched\eSched.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Ewido scan report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:44:51 AM, 4/13/2006
+ Report-Checksum: 80578DB5

+ Scan result:

C:\bintheredunthat\w001fb2c.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\windows\keyboard10.exe -> Downloader.Adload.am : Cleaned with backup
C:\windows\keyboard7.exe -> Downloader.VB.zg : Cleaned with backup
C:\windows\keyboard9.exe -> Downloader.VB.aaf : Cleaned with backup
C:\windows\mousepad10.exe -> Hijacker.VB.ly : Cleaned with backup
C:\windows\mousepad7.exe -> Downloader.VB.zw : Cleaned with backup
C:\windows\mousepad9.exe -> Downloader.VB.aaf : Cleaned with backup
C:\windows\newname10.exe -> Downloader.Adload.ae : Cleaned with backup


::Report End


I ran another HijackThis report after rebooting normally, and ran the Panda scan:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:34 AM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\a la mode\sched\eSched.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wdfmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kellee\Desktop\Real fix\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [a la mode Scheduler Tool] C:\Program Files\a la mode\sched\eSched.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

PANDA SCAN LOG:


Incident                                      Status           Location
Potentially unwanted tool:application/myway   Not disinfected  C:\PROGRAM FILES\MyWay
Potentially unwanted tool:application/altnet  Not disinfected  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ALTNETDM
Adware:adware/powerstrip                      Not disinfected  Windows Registry
Spyware:Cookie/Statcounter                    Not disinfected  C:\Documents and Settings\Kellee\Cookies\kellee@statcounter[1].txt
Adware:Adware/IST.ISTBar                      Not disinfected  C:\Documents and Settings\Kellee\Desktop\New Folder\[Full Version] frontend zer0.zip[YSB_toolBar.exe]
Virus:Bck/IRCBot.WJ                           Not disinfected  C:\WINNT\system32\rar.exe
 
#4 ·
Your log is very difficult to read.

Kindly turn on the word wrap feature in your text editor.
With Notepad, this can be done by going to Format and unticking "Word Wrap".

Go to Add/Remove and uninstall:

MyWay


Please delete this folder:

C:\PROGRAM FILES\MyWay


Please delete this file:

C:\WINNT\system32\rar.exe


Go to Start > Run and type regedit and click OK.

Navigate to the following key, and delete the item in RED.

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ALTNETDM

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Download FindQool http://downloads.subratam.org/Lon/FindQool.zip
* Extract the files and place the FindQool folder in root. Usually C:\
* Open the folder and run Qlocate.bat.
* Post the contents of the txt.log which will open.

In your next post I'll need a NEW HJT log in the correct format,
an online scan log from Kaspersky,
and the FindQool results.
 
#5 ·
More logs!

Thanks for your help so far! I went through your steps. The only thing that I couldn't do was remove "Myway" in add/remove programs, because it wasn't listed. It was in the registry and on the hard drive, however.
Here are the scans:

Thu 04/13/2006
Running from: C:\findqool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names

MD5 Check....

Files found with locate com.
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...


...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe
userinit REG_SZ C:\WINNT\SYSTEM32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 4/05/2006

----------------------------

Kaspersky:

*Saved as Attachment*
Even with word wrap, whenever I pasted in the text it left spaces, so I attached the Kaspersky report.

----------------------------------

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 8:49:00 PM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Kellee\Desktop\Real fix\HijackThis.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
 
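The wrapped log in post #1 is what the helper in #4 could not read, and post #5 notes the same paste problem. As an added example (not from this thread, HijackThis or any of the tools named here), a short Python routine that re-joins wrapped HijackThis entries and parses the O16 and O23 lines into fields, so the service owner and the ActiveX download host can be reviewed; the sample text is constructed from two entries in the post #1 log.

```python
import re
from urllib.parse import urlparse

# Constructed sample: two post #1 entries, wrapped as the forum rendered them.
WRAPPED_LOG = r"""O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) -

http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program

Files\Network Associates\VirusScan\Avsynmgr.exe
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - ")  # section code: R0, F2, O4, O23...

def unwrap(text):
    """Re-join continuation lines onto the entry they were wrapped from."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue                    # blank lines are wrapping artefacts
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line   # e.g. "C:\Program" + "Files\..."
    return entries

def parse_entry(entry):
    """Split one unwrapped entry into its section code and named fields."""
    section, _, rest = entry.partition(" - ")
    rec = {"section": section, "raw": rest}
    if section == "O23":    # Service: <name> (<short>) - <owner> - <path>
        m = re.match(r"Service: (.+?) \((.+?)\) - (.+?) - (.+)$", rest)
        if m:
            rec.update(name=m[1], service=m[2], owner=m[3], path=m[4])
    elif section == "O16":  # DPF: {CLSID} (<name>) - <url>
        m = re.match(r"DPF: (\{[0-9A-Fa-f-]+\}) \((.+?)\) - (\S+)$", rest)
        if m:
            rec.update(clsid=m[1], name=m[2], url=m[3])
    return rec

def triage(text):
    """Services with no vendor string, plus the hosts DPF controls came from."""
    findings = []
    for rec in map(parse_entry, unwrap(text)):
        if rec["section"] == "O23" and rec.get("owner") == "Unknown owner":
            findings.append(("service with no vendor name", rec["path"]))
        elif rec["section"] == "O16" and "url" in rec:
            findings.append(("DPF from " + urlparse(rec["url"]).hostname, rec["url"]))
    return findings
```

"Unknown owner" only means the file carries no company name in its version information; it is a prompt to check the file, not a verdict.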

#6 ·
Go into Spybot->Recovery and check everything listed there. Then hit the Purge button...

Delete this file:

C:\Documents and Settings\Kellee\Desktop\New Folder\[Full Version] frontend zer0.zip

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Is that the entire HijackThis log in Normal Mode? Restart your computer and post a new HijackThis log.

Still getting black worm detected?
 
#7 · (Edited)
I cannot enter the System Restore tab; I receive an error: "Run a DLL as an App has encountered a problem and needs to close."

That was a HJT in normal mode, but here is another one. I deleted the file you asked me to delete. I'm not receiving pop ups at this point, I just can't do searches from "http://mreis.mlxchange.com/" without receiving this error:
Login : 008508
SiteCode : MRE
EventID : 1007
Category : 4
Severity : 1
Log : JS Exception caught in http://mreis.mlxchange.com/ - Window.OnError: JS Exception caught in ViewUtilJS.asp - viewDataRSC (-2146827850): Object doesn't support this property or method in line 219
Date : Thu Apr 13 2006 - 20:52:46 EDT

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:42:08 PM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\DOCUME~1\Kellee\Desktop\Look2Me-Destroyer.exe
C:\WINNT\system32\drwtsn32.exe
C:\Documents and Settings\Kellee\Desktop\Real fix\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe


I have an appraisal business and this is crippling me. Thanks for your help!
 
#8 ·
Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

Tell us if this works:

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK

Let's try to re-register ALL of IE's DLLs...

Copy the following below into wordpad...

rem Script used to manually reregister Internet Explorer and Shell related *.dlls
rem Also included the Digital Signing and Cryptographic Provider *.dlls if needed
rem rundll32.exe advpack.dll /DelNodeRunDLL32 C:\WINNT\System32\dacui.dll
rem rundll32.exe advpack.dll /DelNodeRunDLL32 C:\WINNT\Catroot\icatalog.mdb
rem regsvr32 setupwbv.dll /s
rem regsvr32 wininet.dll /s
regsvr32 comcat.dll /s
regsvr32 CSSEQCHK.DLL /s
regsvr32 shdoc401.dll /s
regsvr32 shdoc401.dll /i /s
regsvr32 asctrls.ocx /s
regsvr32 oleaut32.dll /s
regsvr32 shdocvw.dll /I /s
regsvr32 shdocvw.dll /s
regsvr32 browseui.dll /s
regsvr32 browsewm.dll /s
regsvr32 browseui.dll /I /s
regsvr32 msrating.dll /s
regsvr32 mlang.dll /s
regsvr32 hlink.dll /s
rem regsvr32 mshtml.dll /s
regsvr32 mshtmled.dll /s
regsvr32 urlmon.dll /s
regsvr32 plugin.ocx /s
regsvr32 sendmail.dll /s
rem regsvr32 comctl32.dll /i /s
rem regsvr32 inetcpl.cpl /i /s
rem regsvr32 mshtml.dll /i /s
regsvr32 scrobj.dll /s
regsvr32 mmefxe.ocx /s
rem regsvr32 proctexe.ocx mshta.exe /register /s
regsvr32 corpol.dll /s
regsvr32 jscript.dll /s
regsvr32 msxml.dll /s
regsvr32 imgutil.dll /s
regsvr32 thumbvw.dll /s
regsvr32 cryptext.dll /s
regsvr32 rsabase.dll /s
rem regsvr32 triedit.dll /s
rem regsvr32 dhtmled.ocx /s
regsvr32 inseng.dll /s
regsvr32 iesetup.dll /i /s
rem regsvr32 hmmapi.dll /s
regsvr32 cryptdlg.dll /s
regsvr32 actxprxy.dll /s
regsvr32 dispex.dll /s
regsvr32 occache.dll /s
regsvr32 occache.dll /i /s
regsvr32 iepeers.dll /s
rem regsvr32 wininet.dll /i /s
regsvr32 urlmon.dll /i /s
rem regsvr32 digest.dll /i /s
regsvr32 cdfview.dll /s
regsvr32 webcheck.dll /s
regsvr32 mobsync.dll /s
regsvr32 pngfilt.dll /s
regsvr32 licmgr10.dll /s
regsvr32 icmfilter.dll /s
regsvr32 hhctrl.ocx /s
regsvr32 inetcfg.dll /s
rem regsvr32 trialoc.dll /s
regsvr32 tdc.ocx /s
regsvr32 MSR2C.DLL /s
regsvr32 msident.dll /s
regsvr32 msieftp.dll /s
regsvr32 xmsconf.ocx /s
regsvr32 ils.dll /s
regsvr32 msoeacct.dll /s
rem regsvr32 wab32.dll /s
rem regsvr32 wabimp.dll /s
rem regsvr32 wabfind.dll /s
rem regsvr32 oemiglib.dll /s
rem regsvr32 directdb.dll /s
regsvr32 inetcomm.dll /s
rem regsvr32 msoe.dll /s
rem regsvr32 oeimport.dll /s
regsvr32 msdxm.ocx /s
regsvr32 dxmasf.dll /s
rem regsvr32 laprxy.dll /s
regsvr32 l3codecx.ax /s
regsvr32 acelpdec.ax /s
regsvr32 mpg4ds32.ax /s
regsvr32 voxmsdec.ax /s
regsvr32 danim.dll /s
regsvr32 Daxctle.ocx /s
regsvr32 lmrt.dll /s
regsvr32 datime.dll /s
regsvr32 dxtrans.dll /s
regsvr32 dxtmsft.dll /s
rem regsvr32 vgx.dll /s
regsvr32 WEBPOST.DLL /s
regsvr32 WPWIZDLL.DLL /s
regsvr32 POSTWPP.DLL /s
regsvr32 CRSWPP.DLL /s
regsvr32 FTPWPP.DLL /s
regsvr32 FPWPP.DLL /s
rem regsvr32 FLUPL.OCX /s
regsvr32 wshom.ocx /s
regsvr32 wshext.dll /s
regsvr32 vbscript.dll /s
regsvr32 scrrun.dll mstinit.exe /setup /s
regsvr32 msnsspc.dll /SspcCreateSspiReg /s
regsvr32 msapsspc.dll /SspcCreateSspiReg /s
regsvr32 licdll.dll /s
regsvr32 regwizc.dll /s
regsvr32 softpub.dll /s
regsvr32 IEDKCS32.DLL /s
regsvr32 MSTIME.DLL /s
regsvr32 WINTRUST.DLL /s
regsvr32 INITPKI.DLL /s
regsvr32 DSSENH.DLL /s
regsvr32 RSAENH.DLL /s
regsvr32 CRYPTDLG.DLL /s
regsvr32 Gpkcsp.dll /s
regsvr32 Sccbase.dll /s
regsvr32 Slbcsp.dll /s
exit


Save the file as "All Filetypes" and name it fixie.bat

Make sure IE is closed and double click on fixie.bat to run the file.

Also, try downloading the latest Sun Java applet and see if that corrects any problems.
 