Having problems with a virus! Help please!!!!!!

Discussion in 'Windows - Virus and spyware problems' started by acoolguy, Jun 27, 2006.

  1. acoolguy

    acoolguy Member

    Joined:
    Jun 26, 2006
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    16
    My computer was recently struck with a virus where at first, my desktop turned red, some random new programs popped up on my desktop, and I have been getting a whole bunch of pop-ups. One of the most frequent pop-ups is one advertising a pop-up blocker. I assume that this is part of the virus. I downloaded a pop-up blocker, which fixed that problem for the most part, and I ran Ad-Aware several times, which got rid of much of the virus (I hope). Is there anything I can do to better identify this virus, and to defeat it as best as I can? Lastly, I restored the background of my desktop, but now all of the icons are still outlined in red. I discovered how to change the outline to other colors, but is there a way that I can take away the outline? Answer ASAP! Thank you!
     
    Last edited: Jun 27, 2006
  2. Jurppis

    Jurppis Regular member

    Joined:
    Feb 22, 2006
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    26
    Please post a HijackThis log
     
  3. acoolguy

    acoolguy Member

    Logfile of HijackThis v1.99.1
    Scan saved at 9:39:40 AM, on 6/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Network Monitor\netmon.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\qaovnzi.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Digital Media Reader\shwicon2k.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\Common Files\AOL\1124236545\ee\AOLSoftware.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\outlook\outlook.exe
    C:\dfndrb_2.exe
    C:\WINDOWS\qaovnziA.exe
    C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\PROGRA~1\ASEMBL~1\userinit.exe
    C:\WINDOWS\ECURIT~1\WAUCLT~1.EXE
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\WINDOWS\system32\pwinsqez.exe
    c:\windows\system32\dwdsregt.exe
    C:\WINDOWS\IA\command.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Works\WSBico.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    c:\windows\system32\rlvknlg.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis_v1.99.1.exe
    C:\WINDOWS\system32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124236545\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [winlog] winlog.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrb_2.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_2.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmb_2.exe
    O4 - HKLM\..\Run: [{43-3B-BE-E3-ZN}] c:\windows\system32\dwdsregt.exe GID003
    O4 - HKLM\..\Run: [qaovnziA] C:\WINDOWS\qaovnziA.exe
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwinsqez.exe GID003
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\ASEMBL~1\userinit.exe" -vt yazr
    O4 - HKCU\..\Run: [Cesnd] C:\WINDOWS\ECURIT~1\WAUCLT~1.EXE
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwinsqez.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\prdsregn.exe
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Hijacked Internet access by New.Net
    O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://instantgreetings.aol.com/prod/install.html
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O20 - AppInit_DLLs: repairs303169590.dll regsvr32.dll
    O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\npwdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qaovnzi.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

     
  4. Jurppis

    Jurppis Regular member

    READ CAREFULLY!!

    Well, you have LOADS of malware, but let's try to remove it :>
    You should take some backups if you have important data on your computer because there may be some difficulties :(
    The instructions may be messy; DO NOT hesitate to ask if something is unclear.

    Please download, install, and update the free version of Ewido Anti-Malware:
    http://www.ewido.net/en/download/

    If you already have Ewido Anti-Malware, it is not necessary to download it, but please do update the program, before using.
    When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    From the main Ewido screen, click on update in the left menu, then click the Start update button.
    After the update finishes, the status bar at the bottom will display "Update successful"
    Exit Ewido. DO NOT run a scan yet.


    Step one

    Please download Look2Me-Destroyer.exe to your desktop.
    http://www.atribune.org/ccount/click.php?id=7
    Close all windows before continuing.
    Double-click Look2Me-Destroyer.exe to run it.
    Put a check next to Run this program as a task.
    You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
    When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    Once it's done scanning, click the Remove L2M button.
    You will receive a Done Scanning message, click OK.
    When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    Your computer will then shutdown.
    Turn your computer back on.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
    http://www.ascentive.com/support/new/suppo...me=MSWINSCK.OCX




    Step Two


    Please download LSP-Fix from the following link and save it to a location you can find later if necessary.
    http://www.cexx.org/lspfix.htm

    From the Windows Start button select Settings and then Control Panel.
    When the Control Panel window opens, double-click on the Add/Remove Programs icon.
    When the Add/Remove Programs Properties window opens, locate New.Net in the list of installed programs. Select it and then click on the Add/Remove button.
    Follow the on screen instructions.

    If there is no uninstall program listed then do the following:
    Go to www.newdotnet.com/removal.html
    Scroll down to Procedure 4 and follow the removal instructions.

    Start the LSPfix program and check "I know what I'm doing"
    Then make sure that these (AND ONLY THESE!) are on the "remove" side:

    rlls.dll
    newdotnet????.dll

    And then click finish



    Step Three


    Download Brute Force Uninstaller to your desktop.
    http://www.merijn.org/files/bfu.zip

    Right click the file on your Desktop, and choose Extract All.
    Click Next.
    In the box to choose where to extract the files to:
    Click Browse.
    Click on the + sign next to My Computer
    Click on Local Disk (C: or whatever your primary drive is).
    Click Make New Folder
    Type in BFU
    Click Next, and uncheck the Show Extracted Files box and then click Finish.


    Download sidekickFix.bat -> right click on that link and choose save as -> http://downloads.subratam.org/Lon/sidekickFix.bat <-


    Place sidekickFix.bat in your C:\BFU - folder. (Important!)
    Close all browsers and explorer folders.
    Double-click on sidekickFix.bat
    Click Yes and follow the prompts, when prompted to restart the PC please do so.


    Step Four

    3. RIGHT-CLICK HERE -> http://metallica.geekstogo.com/alcanshorty.bfu <- and choose "Save As" (in IE it's "Save Target As")
    save as text "Alcra PLUS" Remover.
    Save it in the same folder you made earlier (c:\BFU).
    If it was saved as alcanshorty.bfu.txt rename to alcanshorty.bfu
    Do not do anything with these yet!
    Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

    When in safe mode:

    Open Ewido.
    Click on Scanner
    Click on Complete System Scan and the scan will begin.
    If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    When the scan is finished, click the Save report button at the bottom of the screen.
    Save the report to your desktop
    Close Ewido

    Go to C:\BFU and start the Brute Force Uninstaller by doubleclicking BFU.exe
    Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
    Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
    Wait for the complete script execution box to pop up and press OK.
    Press exit to terminate the BFU program.

    Then restart your computer normally to return to normal mode.


    FINAL STEP


    Please run HijackThis again. Scan and copy the log and post it into this topic, along with the contents of C:\Look2Me-Destroyer.txt and the Ewido report.


    NOTE! Your computer is not clean after these steps
     
    Last edited: Jun 28, 2006
  5. Jurppis

    Jurppis Regular member

    Yes, it worked, but you still have a whole bunch of malware, so please be patient because the situation is pretty difficult.
     
  6. acoolguy

    acoolguy Member

    I have a few questions still remaining.

    1) Can I delete the quarantined items?

    2) What of the programs that you had me download can I now delete?

    3) What do you suggest I do to remove the rest of the malware?


    Thanks again!
     
    Last edited: Jun 28, 2006
  7. Jurppis

    Jurppis Regular member

    Yes

    Not yet :)

    Here it comes... but this is just another step; after this, you still have some malware :(


    Click start -> run -> type services.msc
    Scroll down and find this service: Windows Overlay Components

    When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok

    Do the same with this service: WLTRYSVC

    Then open HijackThis, do a system scan only and check these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{60D62A16-94DD-B926-A140-E82B2199D2CA} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\nushl.exe
    F2 - REG:system.ini: UserInit=userinit.exe,ypalvim.exe
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
    O2 - BHO: EffBarBHO - {15E38167-B065-4BB5-B987-9F04B1E85AEA} - C:\Program Files\EngageSidebar\EffBar.dll (file missing)
    O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
    O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing)
    O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll (file missing)
    O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)
    O4 - HKLM\..\Run: [wcgulb] C:\WINDOWS\system32\wkcdld.exe reg_run
    O4 - HKLM\..\Run: [hsh87c44] RUNDLL32.EXE w0027ff1.dll,n 00187c43000000030027ff1
    O4 - HKLM\..\Run: [w003354c.dll] RUNDLL32.EXE w003354c.dll,I2 00187c430003354c
    O4 - HKLM\..\Run: [w0381cb7.dll] RUNDLL32.EXE w0381cb7.dll,I2 00187c4300381cb7
    O4 - HKLM\..\Run: [w038b172.dll] RUNDLL32.EXE w038b172.dll,I2 00187c430038b172
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qaovnzi.exe (file missing)
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrys


    Close all other open windows and click Fix checked.

    Download qoofix.bat
    http://downloads.subratam.org/Lon/qooFix.bat
    (rightclick on link above and choose save as, if using IE save target as)
    Place qoofix.bat in your C:\BFU - folder. (Important!)
    Doubleclick qooFix.bat, Close all browsers and explorer folders.
    Choose option 1 (Qoolfix autofix) and follow the prompts.
    Please be patient, it will take about five minutes.

    After that, follow the instructions in here:
    http://www.outerinfo.com/howto.html
    (remember to restart your computer)

    And finally post a new HijackThis log
     
    Last edited: Jun 28, 2006
  8. acoolguy

    acoolguy Member

    Here is my new HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:07:38 AM, on 6/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Digital Media Reader\shwicon2k.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\Common Files\AOL\1124236545\ee\AOLSoftware.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis_v1.99.1.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124236545\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [w06fbb47.dll] RUNDLL32.EXE w06fbb47.dll,I2 00187c43006fbb47
    O4 - HKLM\..\Run: [w0a6cd5c.dll] RUNDLL32.EXE w0a6cd5c.dll,I2 00187c4300a6cd5c
    O4 - HKLM\..\Run: [w0ddf73b.dll] RUNDLL32.EXE w0ddf73b.dll,I2 00187c4300ddf73b
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://instantgreetings.aol.com/prod/install.html
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/joysavsht.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS



    The only problem that I had this time was that there was no:
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qaovnzi.exe (file missing)

    or

    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrys

    But now, every time that I boot up my computer, three error messages appear saying:

    "Error loading w06fbb47.dll
    The specified module could not be found."

    "Error loading w0a6cd5c.dll
    The specified module could not be found."

    "Error loading w0ddf73b.dll
    The specified module could not be found."



    Thanks again for your help! I can already see a dramatic improvement in my computer!!!
     
  9. Jurppis

    Jurppis Regular member

    Joined:
    Feb 22, 2006
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    26
    YEESSS!!! We are almost clean :)

    A few more things to do:

    Open HijackThis, do a system scan only and check these:

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [w06fbb47.dll] RUNDLL32.EXE w06fbb47.dll,I2 00187c43006fbb47
    O4 - HKLM\..\Run: [w0a6cd5c.dll] RUNDLL32.EXE w0a6cd5c.dll,I2 00187c4300a6cd5c
    O4 - HKLM\..\Run: [w0ddf73b.dll] RUNDLL32.EXE w0ddf73b.dll,I2 00187c4300ddf73b
    O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM

    Then click Fix checked, but don't close HijackThis yet. Click Config -> Misc Tools and there delete an NT service.
    Copy this in the box:
    Windows Overlay Components
    And click ok
    Do the same, except now copy:
    WLTRYSVC
    ok and close HJT

    Then go to Control Panel and uninstall this via Add/Remove Programs if found: ToolBar888

    Next, restart your computer in safe mode.

    There, make your computer show system files:

    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Fix these with HJT in safe mode if found:

    O4 - HKLM\..\Run: [w06fbb47.dll] RUNDLL32.EXE w06fbb47.dll,I2 00187c43006fbb47
    O4 - HKLM\..\Run: [w0a6cd5c.dll] RUNDLL32.EXE w0a6cd5c.dll,I2 00187c4300a6cd5c
    O4 - HKLM\..\Run: [w0ddf73b.dll] RUNDLL32.EXE w0ddf73b.dll,I2 00187c4300ddf73b

    And then delete these files or folders in safe mode if found:

    w06fbb47.dll <- Use the Search feature in the Start menu to find this
    w0a6cd5c.dll <- Use the Search feature in the Start menu to find this
    w0ddf73b.dll <- Use the Search feature in the Start menu to find this
    C:\WINDOWS\cfg32p.dll
    C:\WINDOWS\qaovnzi.exe
    C:\WINDOWS\System32\wltrys
    C:\Program Files\EngageSidebar
    C:\Program Files\ToolBar888
    C:\WINDOWS\IA

    I noticed that Ewido found lots of worms here: C:\Documents and Settings\Owner\Complete
    It could be a false positive, but you can decide whether you want to delete the files or not.

    Then boot back to normal mode and download the F-Secure BlackLight Beta by clicking accept and then clicking download on the next page.
    http://www.f-secure.com/blacklight/try.shtml
    Save to a folder of your choice or the desktop.
    Start the program by double-clicking on its icon.

    Click Accept
    Click Scan - see Note
    When the scan is complete, press Next
    DO NOT rename anything yet, I want to see the log first
    Post the log, which is probably somewhere on your desktop. It looks something like -> fsbl.xxxxxxx.log

    Note: While scanning, it is important to observe the following precautions:
    Close all browser, program and Explorer windows.
    Disconnect from the internet to prevent background programs from autoupdating during the scan.
    Do not touch your computer (mouse & keyboard) or have any programs running other than BlackLight


    I suggest that you delete all temps and cookies with ATF Cleaner
    http://www.atribune.org/content/view/19/2/
    It is easy to use; ask for help if there are any problems.

    Post a new HijackThis log and the log from blacklight
     
  10. acoolguy

    acoolguy Member

    Joined:
    Jun 26, 2006
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    16
    Here is my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:41:43 PM, on 6/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Digital Media Reader\shwicon2k.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\Common Files\AOL\1124236545\ee\AOLSoftware.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis_v1.99.1.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124236545\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://instantgreetings.aol.com/prod/install.html
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/joysavsht.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS



    Here is the blacklight log:

    06/29/06 12:29:12 [Info]: BlackLight Engine 1.0.41 initialized
    06/29/06 12:29:12 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    06/29/06 12:29:13 [Note]: 7019 4
    06/29/06 12:29:13 [Note]: 7005 0
    06/29/06 12:29:15 [Note]: 7006 0
    06/29/06 12:29:15 [Note]: 7011 1684
    06/29/06 12:29:15 [Note]: 7026 0
    06/29/06 12:29:15 [Note]: 7026 0
    06/29/06 12:29:29 [Note]: FSRAW library version 1.7.1018
    06/29/06 12:30:28 [Note]: 7006 0
    06/29/06 12:30:28 [Note]: 7011 1684
    06/29/06 12:30:28 [Note]: 7026 0
    06/29/06 12:30:28 [Note]: 7026 0
    06/29/06 12:30:30 [Note]: FSRAW library version 1.7.1018
    06/29/06 12:38:11 [Note]: 7007 0


    Blacklight found no hidden files!!!

    I could not find the following files that you told me to delete:
    w06fbb47.dll
    w0a6cd5c.dll
    w0ddf73b.dll
    C:\WINDOWS\cfg32p.dll
    C:\WINDOWS\qaovnzi.exe
    C:\WINDOWS\System32\wltrys
    C:\Program Files\ToolBar888

    I also did not delete any files from "C:\Documents and Settings\Owner\Complete" because I was not sure which ones were safe to keep and which should be deleted. Thanks once again for your help! My computer is acting even better than it was BEFORE I got the virus!!!
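The triage Jurppis does by eye across the two posts above (flag Run keys that launch randomly named DLLs through RUNDLL32, services with an unknown owner or a missing binary, a broken Winsock LSP chain, an IE proxy pointing at an off-box address, and O16 ActiveX downloads from hosts outside a known set) can be scripted. The Python below is an added example, not code from this thread, from HijackThis or from F-Secure; the trusted-host list is an assumption for illustration, and the sample log is a constructed excerpt of the entries posted above. It also explains the "Error loading w06fbb47.dll / The specified module could not be found" messages: that is what rundll32 reports when a Run entry still names a DLL that has been deleted, which is why the O4 lines are fixed even though the files are gone. A flagged entry is a lead to verify, not a verdict; the external proxy in particular should be confirmed with the user.

```python
"""Triage a HijackThis 1.99-format log for the persistence patterns seen in this thread.

Added example; not part of the original thread or of HijackThis itself.
"""
import re
from ipaddress import ip_address

# Assumption for this example: hosts the user is expected to have pulled ActiveX
# CABs (O16 entries) from. Anything else gets flagged for review.
TRUSTED_DPF_HOSTS = {
    "go.microsoft.com",
    "messenger.zone.msn.com",
    "download.bitdefender.com",
    "www.musicnotes.com",
    "components.viewpoint.com",
}

# HJT entry: section code, " - ", body (e.g. "O4 - HKLM\..\Run: [name] command").
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# The thread's adware used DLLs named w + 7 hex digits, loaded via RUNDLL32.
RANDOM_RUNDLL_RE = re.compile(r"RUNDLL32\.EXE\s+(w[0-9a-f]{7}\.dll)", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def parse_entry(line):
    """Return (section, body) for an HJT entry line, or None for headers/process lists."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def classify(section, body):
    """Return a reason string if the entry looks suspicious, else None."""
    if section == "O4":
        m = RANDOM_RUNDLL_RE.search(body)
        if m:
            return f"Run key loads randomly named DLL {m.group(1)} via RUNDLL32"
    elif section == "O23":
        if "Unknown owner" in body or "(file missing)" in body:
            return "service with unknown vendor or missing binary"
    elif section == "R1" and "ProxyServer" in body:
        host = body.split("=")[-1].strip().split(":")[0]
        try:
            addr = ip_address(host)
            if not (addr.is_private or addr.is_loopback):
                return f"IE proxy set to external address {host}"
        except ValueError:  # hostname rather than an IP literal
            return f"IE proxy set to {host}"
    elif section == "O10":
        # HJT itself reports a broken LSP chain; a missing provider DLL breaks Winsock.
        return "Winsock LSP chain broken (stale provider)"
    elif section == "O16":
        m = HOST_RE.search(body)
        if m and m.group(1).lower() not in TRUSTED_DPF_HOSTS:
            return f"ActiveX download from untrusted host {m.group(1)}"
    return None


def triage(log_text):
    """Return [(section, reason, original_line)] for every suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        reason = classify(*parsed)
        if reason:
            findings.append((parsed[0], reason, line.strip()))
    return findings


# Constructed sample: a subset of the entries quoted in this thread, mixed with benign ones.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.94.74.68:8080
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [w06fbb47.dll] RUNDLL32.EXE w06fbb47.dll,I2 00187c43006fbb47
O4 - HKLM\..\Run: [w0a6cd5c.dll] RUNDLL32.EXE w0a6cd5c.dll,I2 00187c4300a6cd5c
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/joysavsht.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qaovnzi.exe (file missing)
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file's contents. The O4 check is deliberately narrow (it matches the naming scheme seen here); broadening it to any RUNDLL32 entry whose DLL sits in %windir% with no vendor-recognisable name is the usual next step.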
     
  11. acoolguy

    acoolguy Member

    Joined:
    Jun 26, 2006
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    16
    So, what should I do next?
     
  12. keebles

    keebles Regular member

    Joined:
    Aug 13, 2005
    Messages:
    766
    Likes Received:
    1
    Trophy Points:
    28
    You should try Spyware Doctor or Free AVG to make sure that you don't have any more viruses or infected files.
     
  13. Jurppis

    Jurppis Regular member

    Joined:
    Feb 22, 2006
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    26
    @acoolguy

    Fix this and the log is finally clean \o/

    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.media-motor.net/cabs/joysavsht.cab

    As said, run a few scanners; you can Google BitDefender's, Kaspersky's or Panda's online scanners and scan with them.

    Please tell me if there is still something wrong with your computer.
     
  14. acoolguy

    acoolguy Member

    Joined:
    Jun 26, 2006
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    16
    Thank you again for your help, but now I just need to know: which of the programs that you had me install can I delete?
     
  15. Jurppis

    Jurppis Regular member

    Joined:
    Feb 22, 2006
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    26
    Yes, you can delete them.
     
  16. wolf123

    wolf123 Regular member

    Joined:
    Apr 1, 2003
    Messages:
    213
    Likes Received:
    0
    Trophy Points:
    26
    Hey, I'm pretty sure there's a program that will take care of all the stuff you did, and it's one program.

    I'm looking for something called Expose that searches for the little things that are left behind after you delete something, and other little files that get downloaded that you don't need.
     
    Last edited: Aug 23, 2009
