Help Msn Has Sent Me A Spyware Bomb

Discussion in 'Malware Help (A Specialist Will Reply)' started by bandi123, Jun 13, 2005.

  1. bandi123

    bandi123 Private E-2

    HELP! My friend had an MSN spyware problem and I let it download to my computer. My CPU has been taken hold of and never runs as slow as now. I have experienced spyware problems before but not like this. PLEASE HELP! On request I can post a HijackThis log.
    Thanks
    BAND123
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word, etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. bandi123

    bandi123 Private E-2

    I have attached the HijackThis post - all the steps were successful but my CPU is still slow and the number of programs running in the Task Manager has increased. I would like to know which I can remove. Thanks
    Band123
     


  4. bandi123

    bandi123 Private E-2

    I know that windll32 is a trojan but I am not going to touch it until you have told me what to do.
    Bandi123
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The first thing I notice is that you're running McAfee and Norton. This is NOT recommended, as running 2 antivirus programs will cause conflicts on your computer. Pick one and uninstall the other!

    - Please download Ewido Security Suite

    - Install and get any updates!
    - Run a full scan on Local Disk C:\
    - Remove ALL found infections

    After you complete the above, reboot and post a fresh HJT log.
     
  6. bandi123

    bandi123 Private E-2

    I did the scan and I removed two cookies and a file called abcdef.exe - which is a virus. I'm still aware that windll32 is still showing up and the Norton antivirus webpage regards it as a virus. Here is my new HJT post.
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, uninstall Ewido and disable any antivirus or antispyware programs so they will not block parts of this fix.


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www/search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windll32.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windll32.exe
    O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windll32.exe
    O4 - Global Startup: WinMessenger StartUp.lnk = C:\Program Files\WinMessenger\WinMesgr.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www

    O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Do a search for the below file, be sure you have the viewing of hidden files and folders enabled per the tutorial.

    windll32.exe

    C:\WINDOWS
    C:\WINDOWS\System
    C:\WINDOWS\System32


    Look in the above directories; it will most likely be in one of those.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
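
The entries selected for fixing in the post above follow HijackThis's `code - detail` line format. As an added example (not part of the thread and not HijackThis's own code), this Python sketch parses those lines and reports any command registered under more than one autostart key, plus services HijackThis marks as `(file missing)`; the function names and the grouping heuristic are assumptions for illustration.

```python
import re
from collections import defaultdict

# Log lines copied from the post above, in the format HijackThis printed them.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windll32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windll32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windll32.exe
O4 - Global Startup: WinMessenger StartUp.lnk = C:\Program Files\WinMessenger\WinMesgr.exe
O14 - IERESET.INF: START_PAGE_URL=http://www
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# O4 registry autostart: "<hive>\..\<key>: [<value name>] <command>"
O4_REG = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.*?)\] (.+)$")

def parse_log(text):
    """Return (section_code, detail) for every well-formed entry line."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def repeated_autostarts(entries):
    """Map command -> autostart keys, for commands registered in 2+ keys."""
    seen = defaultdict(list)
    for code, detail in entries:
        m = O4_REG.match(detail) if code == "O4" else None
        if m:
            key, _name, command = m.groups()
            seen[command.lower()].append(key)
    return {cmd: keys for cmd, keys in seen.items() if len(keys) > 1}

def missing_services(entries):
    """Names of O23 services whose binary HijackThis reports as missing."""
    out = []
    for code, detail in entries:
        if code == "O23" and detail.endswith("(file missing)"):
            out.append(detail.split(": ", 1)[1].split(" - ")[0])
    return out

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for cmd, keys in repeated_autostarts(entries).items():
        print(f"{cmd} starts from {len(keys)} keys: {', '.join(keys)}")
    for name in missing_services(entries):
        print(f"service with missing file: {name}")
```

The output is a review list, not a verdict: later in this thread the helper attributes the `(file missing)` service entry to a bug in HJT rather than to the infection.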
     
  8. bandi123

    bandi123 Private E-2

    Attached is the HJT post:
    I've done all you asked and it is faster - can't remember if it is to the same standard. Couldn't find windll32.exe in Windows, System or System32.
    Two of the files you asked me to remove were to do with programs - 1: McAfee Firewall - do I reinstall? 2: WinMessenger: reinstall?
    Thanks
    Bandi123
     


  9. ANHEDONIC

    ANHEDONIC Will Title For Food

    Make sure you have enabled the viewing of hidden files when you are searching for the .exe files.
     
  10. bandi123

    bandi123 Private E-2

    I did that.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, you do not need to reinstall anything. One was just a startup entry which isn't required and the other was a bug in HJT, nothing to worry about.

    Your HJT log is clean, are you having any further problems?

    Did you manually search in those 3 folders I mentioned?
     
  12. bandi123

    bandi123 Private E-2

    Thanks for your help! I did a manual search as well as a scanning search. I just did a scan with the online trojanscan and when I did this PestPatrol popped up with "a pest has been found in memory!" axscanengine.exe. What is this?
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It appears to be some kind of scan, not really sure.

    Was it removed?
     
  14. bandi123

    bandi123 Private E-2

    No, I did not remove it. Thanks for all your help. Everything seems to be working fine. Fantastic job!
    Bandi123
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to be safe attach a current HJT log.
     
