Using Spybot, Adaware and Spyware Blaster...still having problems...Help, Please

Please use normal text...I am wearing sunglasses to read your post.

Warning! Unsafe Hijackthis folder! Please create a new folder named HJT in the first level of the C: drive. Copy or move the hijackthis executable file into the HJT folder and delete all other zip copies and extracted copies elsewhere.

See FAQ's 2,3,4 at http://russelltexas.com/malware/faqhijackthis.htm

Next....

Reboot to SAFE MODE

Show HIDDEN FILES and folders

These necessary options are explained in FAQ's 8 and 9 on this page:

http://www.russelltexas.com/malware/faqhijackthis.htm

In Safe Mode...Hit Control-Shift-Escape keys at same time. Click on Processes tab and End Task for the following entries:  (if present)

dial32.exe
wintime.exe  
mstasks2.exe

(bad Trojans)

Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Navigate down the folder structure in left hand window and then in the right window delete the following files: (if present...some may be gone...but look very carefully and make sure you have enabled hidden files option):

C:\WINDOWS\dial32.exe
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\mstasks2.exe
C:\WINDOWS\system32\system32.dll
C:\WINDOWS\System32\NDrv.dll
C:\WINDOWS\questmod.dll
C:\WINDOWS\System32\kjzeaw.exe

Exit Explorer and empty the Recycle Bin.

Reboot to Normal Windows.

Next...You have a CoolWebsearch infection.

Get CWShredder to repair your CoolWebSearch infestations:

http://majorgeeks.com/download4086.html

Follow the directions for running the program at the next link.

http://www.bleepingcomputer.com/forums/index.php?showtutorial=47

At bleepingcomputer.com start reading at the section that says:

You can download this program here: CWShredder

(Note...we have noticed recently some CWS variants are harder to remove unless the shredder is run in Safe Mode...hit F8 while booting to enter Safe Mode and run the shredder.) Make sure you select the FIX button and not the Scan only button!

After cleaning with the shredder in Safe Mode do this:

Reboot in normal mode Windows and download and run these two programs (Spybot S&D and Adaware). Use Spybot first. (1.3 version)
http://majorgeeks.com/download2471.html

Adaware download link at next hyperlink.

Follow the directions completely at:

http://www.cjwd.demon.co.uk/spybot-adaware.html

Print out and go slow on the instructions to set up the custom scan options for Adaware. These settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it!

Reboot if asked by either program and let it complete any cleanup. Then reboot a final time after running both and run Windows Disk Cleanup: Start/Run/ type: cleanmgr

I check all the categories at the end of the scan and click OK.

Next... run Hijackthis (in new safe folder) and check these entries: (If present):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://awebfind.biz/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINDOWS\System32\NDrv.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - "C:\WINDOWS\System32\smiehlp.dll (file missing)
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKLM\..\Run: [toeuihgbmvd] C:\WINDOWS\System32\kjzeaw.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O21 - SSODL: System - {1E93949B-84E8-4E73-96D3-4139CD196F74} - C:\WINDOWS\system32\system32.dll

With no other windows open click on fix checked button in Hijackthis.

Exit Hijackthis.

Reboot to SAFE MODE

Show HIDDEN FILES and folders

Hit Control-Shift-Escape keys at same time. Click on Processes tab and End Task for the following entries: (if still present)  (Yes...I don't have dementia and I know I said this at the beginning of this post...doesn't hurt to check again in case you missed them or they came back):

dial32.exe
wintime.exe  
mstasks2.exe


Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Navigate down the folder structure in left hand window and then in the right window delete the following files and/or folders: (if present...some may be gone...but look very carefully and make sure you have enabled hidden files option):

C:\WINDOWS\questmod.dll
C:\WINDOWS\system32\wintime.exe
C:\WINDOWS\System32\kjzeaw.exe
C:\WINDOWS\dial32.exe

Exit Explorer and empty the Recycle Bin.

Reboot in normal mode Windows and run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.

If you have any problems with Disk Cleanup completing...XP users can fix it here:

 http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

Reboot and browse a bit, exit IE 6 and post a new Hijackthis log.

Special Comments: After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.

See FAQ 12 here: http://www.russelltexas.com/malware/faqhijackthis.htm

Texruss
www.russelltexas.com
Classroom Teacher and Slyware Warrior Tom Coyote Forum
Expert Malware Responder DellForum
Spyware Fighter Wilders Forum                  

Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, pskelley, cghost, and SpotCheckBilly.

Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general, Windows operations, and many specific items in Hijackthis logs:  jimw, ddeerrff, msgale, volcano11 and redwolfe_98. Please follow their advice when they respond to your problems. They have a proven track record here.

BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.

Thank you for you response. I apologize for the text coloring. Hope it didn't cause too much trouble for you. Will try the instructions give and let you know the outcome. Again, thank you.

Thank you very much for your time and help.

I followed your instructions and I think I have my computer back. I did some updates through McAfee and hope they also help. The only thing I can't seem to fix is my desk top. It is still a solid purple color which is not so easy on the eyes. Do you happen to have any suggestions for that?

Thank you.

I assume you've tried the normal means to change your background/wallpaper.

Post a new HJT log.

Hi Derf,

I have tried making the change the normal way but it doesn't work. I click on 'apply' then 'ok', but when the desktop appears, it is the same purple color. Here is my lastest HJT log. Thanks for your response.

Logfile of HijackThis v1.98.0
Scan saved at 9:49:54 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\NDrv.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Kimberly Thomas\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - Startup: hpothb07.dat
O4 - Startup: hpothb07.tif
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E870271-B352-4CF2-B317-FBB80AB8CF28}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E870271-B352-4CF2-B317-FBB80AB8CF28}: NameServer = 205.188.146.146

 

Change to a different color scheme in Display/Appearance tab and see if that helps.

Wow...is this the same machine that previously had one foot on a banana peel and the other in the grave?

Looks fine now...good job!

Now stay clean... http://russelltexas.com/malware/allclear.htm

Texruss

Thanks Tex,

Couldn't have done it without you. Your detailed instructions were a big help. Was very close to picking out a pink and white steel box for this weekends service.  

Will try to change the color scheme. Thanks again and keep up the great work. Be in touch soon.

Honeybe023