I followed all of the directions, Still need help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kirk48, Jan 12, 2006.

  1. kirk48

    kirk48 Corporal

I followed all of the directions but the unit is still loaded with spyware and malware including WinFixer. I'm attaching HJT and Active scan. When I tried to upload the Bit defender file I got an error message telling me the file size exceeded the size limit. Any help would be appreciated.
     

    Attached Files:

  2. kirk48

    kirk48 Corporal

I'm aware that the Bitdefender is required, but I must be doing something wrong here since I cannot get it to upload. I believe the various programs I ran in steps one through six, including the alternative scans, have cleaned all of the viruses, but there are still several malware and spyware infections.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you skipped step 0 of the READ & RUN ME. You have a load of items in there covered in the Uninstall list. Please go back and check that list again.

    What version of SpySweeper are you running and what is the reference/database version?
    Is it a paid version that can fix problems or is it a new trial version that only scans?
    Did you do a recent scan from safe mode? Attach the log.

    What version is Ewido? Is its reference/database current? Did you do a recent scan from safe mode? Attach the log.

    You have a load of malware in there and some may possibly be removed cleanly via Add/Remove programs. Things like Vbounce or Virtual Bounce, SurfSideKick, WinTools, WildTangent.
     
  4. kirk48

    kirk48 Corporal

    I should mention this is not my machine, just helping out a neighbor. I checked the add remove programs again, this time looking under all four user names and found winfixer under one user. Otherwise none of the malware listed under step 0 shows up.

    I downloaded the trial version of Spysweeper program 4.5.7 build 642 using spyware definition 601. Recent log attached.

    I downloaded the demo version of Ewido v.3.5, ran it and cleaned 52 malware items. Log attached.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But that was not what I wanted you to do with SpySweeper. I just wanted to know if it was a paid version or not and then to have you post a log from it. The latest trial versions will not fix anything. And as you can see, it found a lot to fix.

    Uninstall it. REBOOT. And then download, install and do a scan with the below version which normally will fix. I say normally because I'm not sure what will happen now by going to an older version.

    Download, install, update and run this slightly older version of Spy Sweeper: here
    Save the Spy Sweeper log and post it here as an attachment.
    Also attach a new HJT log.
     
  6. kirk48

    kirk48 Corporal

    Ok, I think I performed the task correctly this time. The requested logs are attached.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Spysweeper fixed a lot of baddies. That should help the rest of this go a lot easier.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)
    O2 - BHO: (no name) - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - (no file)
    O3 - Toolbar: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - C:\WINDOWS\DOWNLO~1\MINICL~1.DLL (file missing)
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [itCBF9c] C:\WINDOWS\tydxv.exe
    O4 - HKLM\..\Run: [\SWO] c:\windows\mrjj.exe
    O4 - HKLM\..\Run: [0s0s09sw.dll] RUNDLL32.EXE 0s0s09sw.dll,b 115000
    O4 - HKLM\..\Run: [F ma] C:\windows\mrjj.exe
    O4 - HKLM\..\Run: [{C2-23-3E-EB-ZN}] C:\windows\system32\rrdsregp.exe FI002
    O4 - HKLM\..\Run: [ELNKPCCINST] C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\Q0J234WX\elnk_pcc[1].exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} (Miniclip) - http://www.miniclip.com/toolbar/minicliptoolbar.cab
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O20 - Winlogon Notify: awtqq - awtqq.dll (file missing)
    O20 - Winlogon Notify: pcftp - C:\WINDOWS\Fonts\pcftp.dll (file missing)
    O20 - Winlogon Notify: policies - C:\WINDOWS\
    O20 - Winlogon Notify: Run - C:\WINDOWS\system32\kt88l7lu1.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\Q0J234WX\elnk_pcc[1].exe
    C:\Program Files\WildTangent <--- the whole folder
    C:\WINDOWS\tydxv.exe
    c:\windows\mrjj.exe
    C:\windows\mrjj.exe
    C:\WINDOWS\Fonts\pcftp.dll
    C:\windows\system32\rrdsregp.exe
    C:\WINDOWS\system32\kt88l7lu1.dll
    C:\WINDOWS\system32\0s0s09sw.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).


    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  8. kirk48

    kirk48 Corporal

    Ok, I tried to complete all of the instructions, including double checking that hidden files could be viewed; however, a search using Windows Explorer turned up the following. C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\Q0J234WX\elnk_pcc[1].exe Not found.
    C:\Program Files\WildTangent <--- the whole folder found and deleted two references only, could not find folder.
    C:\WINDOWS\tydxv.exe not found
    c:\windows\mrjj.exe deleted
    C:\windows\mrjj.exe deleted
    C:\WINDOWS\Fonts\pcftp.dll not found
    C:\windows\system32\rrdsregp.exe not found
    C:\WINDOWS\system32\kt88l7lu1.dll not found
    C:\WINDOWS\system32\0s0s09sw.dll not found

    I followed the rest of the instructions and attached a HJT log.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you manually navigate using Windows Explorer or did you use Windows Search?
    Windows Search is not the same as Windows Explorer and must be configured separately to look for hidden files and to look in system folders. See the below:

    Searching for Hidden Files on WinXP

    Looks like you either missed a few items or they came back. I also noticed something else I missed yesterday which I'll add below.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Local Security Authority Subsystem Service (or if not found look for lsass ) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Local Security Authority Subsystem Service

    If that does not work try entering the short name: lsass

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [ELNKPCCINST] C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\Q0J234WX\elnk_pcc[1].exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to navigate to and delete:
    C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\Q0J234WX\elnk_pcc[1].exe
    C:\WINDOWS\scvhost.exe

    Let me know what you find!

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).



    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Jan 14, 2006
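As an added example (not code from the thread, MajorGeeks or HijackThis), the script below applies the judgement chaslang uses in posts 7 and 9 to raw HJT log lines: orphaned BHO and Winlogon Notify entries, an autorun launched from a browser cache folder, Trusted Zone additions, and an O23 service whose binary name imitates a Windows core process (the lsass / scvhost.exe case). The sample lines are copied from the thread's logs plus one constructed benign service line; the core process list is an assumption.

```python
import re

# Core Windows process names that are commonly imitated (assumed list).
CORE_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
              "services.exe", "explorer.exe")

# Sample lines: quoted from the thread's HJT logs, last one constructed as benign.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - (no file)",
    r"O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u",
    r"O4 - HKLM\..\Run: [ELNKPCCINST] C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\Q0J234WX\elnk_pcc[1].exe",
    r"O15 - Trusted Zone: http://click.getmirar.com (HKLM)",
    r"O20 - Winlogon Notify: awtqq - awtqq.dll (file missing)",
    r"O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)",
    r"O23 - Service: Example Service (svc) - Example Corp - C:\Program Files\Example\svc.exe",
]

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<rest>.*)$")


def edit_distance1(a, b):
    """True if a and b differ by exactly one substitution, insertion, deletion
    or adjacent swap (scvhost.exe vs svchost.exe is a swap)."""
    if a == b:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return True
        if len(diff) == 2 and diff[1] == diff[0] + 1:
            i, j = diff
            return a[i] == b[j] and a[j] == b[i]
        return False
    if abs(len(a) - len(b)) == 1:
        short, long_ = (a, b) if len(a) < len(b) else (b, a)
        return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))
    return False


def basename(path):
    return path.replace("/", "\\").strip().split("\\")[-1].lower()


def classify(line):
    """Return the reasons an HJT line deserves attention; empty list if none."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    sec, rest = m.group("sec"), m.group("rest")
    low = rest.lower()
    reasons = []
    if sec in ("O2", "O3") and ("(no file)" in low or "(file missing)" in low):
        reasons.append("orphaned BHO/toolbar entry")
    if sec == "O4" and ("temporary internet files" in low or "\\temp\\" in low):
        reasons.append("autorun launching from a temp/cache folder")
    if sec == "O15":
        reasons.append("site added to IE Trusted Zone")
    if sec == "O20" and "(file missing)" in low:
        reasons.append("Winlogon Notify DLL that no longer exists")
    if sec == "O23":
        # O23 layout: Service: <display> (<short>) - <owner> - <path> [(file missing)]
        parts = rest.split(" - ")
        if len(parts) >= 3:
            owner, path = parts[-2], parts[-1].replace(" (file missing)", "")
            name = basename(path)
            if owner.lower() == "unknown owner":
                reasons.append("service with no recorded owner")
            for core in CORE_NAMES:
                if edit_distance1(name, core):
                    reasons.append("binary name imitates " + core)
                    break
            if name in CORE_NAMES and "\\system32\\" not in path.lower():
                reasons.append("core process name outside system32")
    return reasons


def scan(lines):
    """Map each flagged line to its reasons; clean lines are omitted."""
    flagged = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LINES).items():
        print(line[:60], "->", "; ".join(reasons))
```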
  10. kirk48

    kirk48 Corporal

    I tried manually searching and using the Windows Search. I still have not found the files or folders for C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\Q0J234WX\elnk_pcc[1].exe or
    C:\WINDOWS\scvhost.exe

    Lsass was stopped when I got to the spot in HJT to stop it. When I followed the next step to Delete An NT Service HJT kept telling me that Lsass was not in the registry.

    Followed the next set of instructions to delete files listed in HJT but I see when I ran the latest log they are back again.

    Deleted prefetch files, ran Ccleaner, rebooted and ran HJT. See attached.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your ISP Earthlink? Or was it at one time your ISP? I'm wondering if the below line:
    O4 - HKLM\..\Run: [ELNKPCCINST] C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\Q0J234WX\elnk_pcc[1].exe

    has something to do with Earthlink. It would be rather silly of them to load one of their processes this way from a temp folder so it seems unlikely it belongs to them. But this elnk_pcc.exe process is normally EarthLink\Protection Control Center.

    If installed properly, it normally runs like this: C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe /minimize


    Please download DelDomains and unzip it to your desktop. Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    (Please note you will need to "Immunize" with Spybot again because deldomains will remove all of the sites Spybot adds.)


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now download WinPFind
    • Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program.
    • Now click the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works as it can sometimes take a while, upwards of 30 minutes or more.
    • When it is done, it will show the results of the scan. Right Click in the window and choose Select All. Then Right Click again and select Copy, which will copy the contents of the log to your clipboard. Then open a Notepad window and paste in the log by pressing CTRL-V. Save it to a file and upload the text file here as an attachment.
    Now get a new HJT log and also attach it.
     
    Last edited: Jan 14, 2006
  12. kirk48

    kirk48 Corporal

    This is a Dell computer of about two or three years of age that belongs to a family of husband and wife with two young children. Lord only knows how many ISPs they have been messing around with, although I see AOL and Net Zero in the programs folder. Now that you mention it, I did have Earthlink trying to load a program when I first started trying to clean the malware; things were so messy that I just kept closing it and eventually it stopped trying to load on startup. There have been at least two other people who've tried to help them before they brought it to me, so anything is possible.

    I ran all of the programs and uploaded the requested files. One hangup came when I tried to immunize with Spy Bot; it hangs about two thirds of the way through. I thought at first that Spysweeper might be holding it up, so I shut SW down, but I got the same result on the last attempt.

    Deldomains ran (I guess) :confused: , the instructions told me I wouldn't see any desktop activity. I trust you will be able to tell if I performed the task correctly.
     
  13. kirk48

    kirk48 Corporal

    I did some poking around while waiting for your pearls of wisdom and found O4 - HKLM\..\Run: [ELNKPCCINST] C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\Q0J234WX\elnk_pcc[1].exe in the registry. Since we have been trying to kill it for a few days I took the liberty of deleting the reference, rebooted and ran HJT. It didn't show up this time. By the by, I ran Spy Bot immunize again and this time it went without a hitch.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not without you completing my instructions and attaching the new HJT log. You also did not attach the WinPfind log.
     
  15. kirk48

    kirk48 Corporal

    What a dork I am, I didn't even notice that the files weren't attached! I uploaded them but I must have done something different after that, oh well, here they are. These are the original ones from this morning; I didn't save a log after I deleted the file from the registry. I'm sorry about being so dumb.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach a new HJT log so I can be sure what you did in the registry worked. Something is still blocking the O15 lines from being removed. Deldomains did not work based on the log you posted.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since something appears to be blocking the fixes and it does not seem to be the malware, here is what I want you to do.

    Uninstall SpySweeper, Ewido, and MS Antispyware if they are still installed. Then reboot your PC before continuing with the below.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now reboot into safe mode and use Windows Explorer to look for and delete the below (Note: many of these may not be found, but I need to double check):
    C:\Documents and Settings\Joe\Application Data\tvmcwrd.dll
    C:\Documents and Settings\Joe\Application Data\tvmdmns.dll
    C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\Q0J234WX\elnk_pcc[1].exe
    C:\WINDOWS\mtuninst.exe
    C:\WINDOWS\SYSTEM32\0s0s23oa.dll
    C:\WINDOWS\SYSTEM32\oins.exe
    C:\WINDOWS\SYSTEM32\cpl_moh.cpl
    C:\WINDOWS\system32\guard.tmp
    C:\WINDOWS\system32\SNLAD2.dll
    C:\WINDOWS\system32\kW800clmefqa0.dll
    C:\WINDOWS\system32\ISXRIP.DLL
    C:\WINDOWS\system32\irhlpapi.dll
    C:\WINDOWS\system32\DKRGRES.DLL
    C:\WINDOWS\system32\pprfproc.dll
    C:\WINDOWS\system32\dz16gt.dLL
    C:\WINDOWS\system32\whnrnr.dll
    C:\WINDOWS\system32\ivwphbk.dll
    C:\WINDOWS\system32\xtsp1res.dll
    C:\WINDOWS\system32\aui2dvaa.dll
    C:\WINDOWS\system32\nmtcfgx.dll
    C:\WINDOWS\system32\slmedia.dll
    C:\WINDOWS\system32\ohpdx32.dll

    Then reboot into normal mode and attach a new HJT log and a new WinPfind log.
     
  18. kirk48

    kirk48 Corporal

    Ok, I uninstalled Ewido and SpySweeper; MS anti virus didn't seem to still be around. I believe I took it out when I installed Avast! way back when. I then rebooted and did the registry stuff. Next I rebooted into safe mode and manually searched for these:
    C:\Documents and Settings\Joe\Application Data\tvmcwrd.dll deleted
    C:\Documents and Settings\Joe\Application Data\tvmdmns.dll deleted
    C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\Q0J234WX\elnk_pcc[1].exe DNF
    C:\WINDOWS\mtuninst.exe Deleted
    C:\WINDOWS\SYSTEM32\0s0s23oa.dll Deleted
    C:\WINDOWS\SYSTEM32\oins.exe Deleted
    C:\WINDOWS\SYSTEM32\cpl_moh.cpl Deleted
    C:\WINDOWS\system32\guard.tmp I did not find any of the rest.
    C:\WINDOWS\system32\SNLAD2.dll
    C:\WINDOWS\system32\kW800clmefqa0.dll
    C:\WINDOWS\system32\ISXRIP.DLL
    C:\WINDOWS\system32\irhlpapi.dll
    C:\WINDOWS\system32\DKRGRES.DLL
    C:\WINDOWS\system32\pprfproc.dll
    C:\WINDOWS\system32\dz16gt.dLL
    C:\WINDOWS\system32\whnrnr.dll
    C:\WINDOWS\system32\ivwphbk.dll
    C:\WINDOWS\system32\xtsp1res.dll
    C:\WINDOWS\system32\aui2dvaa.dll
    C:\WINDOWS\system32\nmtcfgx.dll
    C:\WINDOWS\system32\slmedia.dll
    C:\WINDOWS\system32\ohpdx32.dll
    I rebooted into normal mode and ran HJT and WinPFind & attached the logs.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run DelDomains again and then run HJT to fix any of the below that remain:


    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Look for the below file and delete if found:
    C:\WINDOWS\SYSTEM32\saie_kyf.dat

    Now reboot and post a new HJT log. Also remember to let me know how things are working.

    Immunize again with Spybot!
     
  20. kirk48

    kirk48 Corporal

    Ok, did as I was told on all instructions. The computer is running like a new machine. Nothing like the old nag she was a few days ago.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  22. kirk48

    kirk48 Corporal

    Ok, system restore is complete. I'll get the system protections in place and give this turkey back to the owners. They are going to think I am a real hero for this one when you really deserve the credit. Thank you for your patience and detailed assistance, I am a big fan and will recommend you and your site.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Make sure they understand what is in the How to protect thread, especially steps 9 & 10. Print it for them, so you can remain the hero! ;)
     
