Help Please--Malware Most Foul!

Discussion in 'Malware Help (A Specialist Will Reply)' started by dstern, May 16, 2006.

  1. dstern

    dstern Private E-2

    I have followed all the steps in the "Read and Run Me First" instructions. I could not, however, complete all of the steps: Windows Defender would not run, nor would Panda Active Scan. For Panda, each time I clicked on "local disks" to initiate the scan, the bottom left corner of the web page (IE 6.0) indicated "error in page." Thus there is no Panda scan attached.

    I have attached the bdscan and the hjtscan. I know from a previous experience with this process and your advice that the scans show some nasty stuff, and this certainly fits the experience using the computer, which includes browser pop-ups, browser hijackings, etc. But I do not know what steps to take to fix the problems.

    Thanks.

    David
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a bunch of problems. We are going to need some more scans to be run but first, you did not uninstall the below as requested in step 0 of the READ ME:
    Ebates or Ebates_MoeMoneyMaker
    Viewpoint Manager
    SurfSideKick 3
    KazaaLite
    redswoosh
    wildtangent

    Please uninstall them both now.
    Also look for programs with the name Zeno in them and uninstall them too.

    Now let's get an installed programs list from HijackThis!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.

    Now run the below procedure and attach the requested log:

    Look2Me VX2 Removal

    Now run the below Ewido scan and attach the log from Ewido

    Running Ewido Anti-Malware
     
  3. dstern

    dstern Private E-2

    Chas,

    Thanks. I apologize for failing to do the Removals at the outset. I have now removed SurfsideKick 3 and Viewpoint Manager. The others were not present, nor were any files with Zeno in the name.

    I then successfully ran the HijackThis tool and the Look2Me VX2 Removal. I have run into a problem with Ewido, however, and need your advice. I have run it twice, both times in safe mode. It completed the scan twice, identifying 205 infections, and began cleaning. After cleaning 3 infections, it froze while cleaning SurfSideKick 3. It froze so completely that the elapsed time counter stopped.

    I closed Ewido, checked in the Add/Remove programs, and SurfSideKick 3 does not appear. Using Explorer, however, I do find a folder c:\Program Files\SurfSideKick 3 and it contains the .exe file, among others. Should I manually delete this folder and its contents and re-run Ewido, or do you have other advice?

    Thanks.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the Look2Me Destroyer log and the Uninstall list from HJT. Then proceed to another one of our sticky procedures for SurfSideKick:

    SurfSideKick Removal
     
  5. dstern

    dstern Private E-2

    Now I can't get the computer to recognize a connection to the internet. I am connected through a cable modem and router, as are other computers on my home network. This one I am using to type this message, for example, and all the others, are working fine. I wasn't having this problem before, but when I rebooted after being in safe mode with the cable unplugged, no luck. I've tried, of course, a complete shutdown and re-start, and have shut down and re-started the cable modem, but still no luck.

    Any advice appreciated!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well I'm not sure what you did while running the SurfSideKick procedure. Please tell me exactly what you did and what files you deleted. You do not seem to be following instructions. I asked that you attach the Look2 Me Destroyer log and also the Uninstall list from HJT (asked for it twice already). I asked for you to post these before running the SurfSideKick removal procedure.
     
  7. dstern

    dstern Private E-2

    I'm sorry I didn't make clear that I have not run the SurfSideKick procedure yet. The problem connecting to the internet occurred immediately after the earlier procedures that involved Look2 Me Destroyer and Ewido, and that were performed, as instructed, with all connections to the internet closed and physically disabled. I did not send the logs or perform the SurfSideKick procedure because I could not connect to do so. When I discovered this problem, I stopped and inquired the next steps I should take.

    I have copied the logs and am sending them from another computer. When I booted up the infected machine, I got an error message: RUNDLL Error loading DOCEOC16B1. I don't know if this is connected, but I wasn't getting it earlier.

    Thanks for your help.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Look 2 Me Destroyer removed your Look 2 Me infection. The problem you mentioned with : RUNDLL Error loading DOCEOC16B1 is all part of your malware issues that we will get to below. You have some items in your uninstall programs list that are out of date and also there are some questionable items.

    Do you know what the below are:
    Alt Win
    Security Toolbar
    Universal Media Player
    URL Display

    The below should be uninstalled as per the READ ME step 0:
    Viewpoint Media Player
    WebSearch Tools

    The below should be uninstalled because they are old. You already have the new Sun Java but need the latest FireFox version 1.5.0.4:
    Java 2 Runtime Environment, SE v1.4.1_02
    Java 2 Runtime Environment, SE v1.4.2
    Java 2 Runtime Environment, SE v1.4.2_04
    Java 2 Runtime Environment, SE v1.4.2_05
    Java 2 Runtime Environment, SE v1.4.2_06
    Mozilla Firefox (1.0.7)


    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\regsvr32.exe
    C:\Program Files\c75myvai\c75myvai.exe
    C:\defender20.exe
    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\c75myvai\3976346.exe
    C:\Program Files\c75myvai\c75myvai.exe
    C:\WINDOWS\cfg32a.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: (no name) - {3D782BB3-F2A5-11D3-BF4C-000000000000} - (no file)
    O4 - HKLM\..\Run: [pQB.exe] C:\documents and settings\nathan stern.nathan.000\local settings\temp\pQB.exe
    O4 - HKLM\..\Run: [awmua] C:\WINDOWS\System32\azbsndy.exe
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKLM\..\Run: [c75myvai] C:\Program Files\c75myvai\c75myvai.exe
    O4 - HKLM\..\Run: [PTRGMYGK] rundll32.exe ptmg1v.dll,DllRunMain
    O4 - HKLM\..\Run: [defender] C:\\defender20.exe
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [newname] C:\\newname20.exe
    O4 - HKLM\..\Run: [keyboard] C:\\keyboard20.exe
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [pmaunnlq] C:\WINDOWS\System32\pqda.exe kmaunnlq:
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\tkdevpaf.exe
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/p...im/install.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/w...com/wtinst.cab
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Instal...sinstaller.cab
    O20 - AppInit_DLLs: repairs303169587.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\documents and settings\nathan stern.nathan.000\local settings\temp <--- delete all files in this Temp folder
    C:\Program Files\c75myvai <--- the whole folder
    C:\Program Files\DownloadWare <--- the whole folder
    C:\Program Files\SurfSideKick 3 <--- the whole folder
    C:\Program Files\KaZaA Lite <--- the whole folder
    C:\WINDOWS\Temp <--- delete all files in this Temp folder
    C:\WINDOWS\regsvr32.exe
    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\System32\azbsndy.exe
    C:\WINDOWS\System32\ptmg1v.dll
    C:\WINDOWS\System32\pqda.exe
    C:\WINDOWS\system32\tkdevpaf.exe
    C:\WINDOWS\system32\ptmg1v.dll
    C:\WINDOWS\system32\D0CE0C16B1 <--- this may really be named D0CE0C16B1.DLL or D0CE0C16B1.EXE
    C:\WINDOWS\system32\repairs303169587.dll
    C:\defender20.exe <--- also look for defender20.dat and delete
    C:\newname20.exe <--- also look for newname20.dat and delete
    C:\keyboard20.exe <--- also look for keyboard20.dat and delete

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: May 18, 2006
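The HijackThis lines chaslang lists above fall into a few recurring categories (hijacked R0/R1 browser settings, O4 autoruns from Temp folders, the drive root or bare rundll32 modules, an O10 broken LSP, O20 injected DLLs, and an O23 service with an unknown owner). The following triage parser is an added example, not code from the thread or from HijackThis: it reads lines in the HJT log format and attaches a plain-language reason to each one an analyst would want to look at. The allowlist of search hosts, the rules and the sample log (built from line types that appear in this thread) are constructed assumptions, not a complete HJT grammar.

```python
# Added example (not from the thread): triage of HijackThis-style log lines.
# Rules, the host allowlist and SAMPLE_LOG are constructed for illustration.
import re
from dataclasses import dataclass, field

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")
# Assumed allowlist of hosts a default R0/R1 browser setting may point at.
KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com"}
# Path fragments that mark an autorun launching out of a Temp folder.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\")
# Autorun target that sits directly in the drive root, e.g. C:\\defender20.exe
ROOT_EXE = re.compile(r'"?c:\\{1,2}[^\\]+\.exe')

# Constructed sample log: line types taken from the kinds seen in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [pQB.exe] C:\documents and settings\nathan stern.nathan.000\local settings\temp\pQB.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [defender] C:\\defender20.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O20 - AppInit_DLLs: repairs303169587.dll
O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe
"""


@dataclass
class Entry:
    section: str                  # "R0", "O4", "O23", ...
    body: str                     # everything after "Rn - " / "On - "
    reasons: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Return one Entry per well-formed 'Rn - ...' or 'On - ...' line."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def triage(entry: Entry) -> None:
    """Append a reason to entry.reasons for each rule the line trips."""
    sec, body, low = entry.section, entry.body, entry.body.lower()
    if sec in ("R0", "R1"):
        m = URL_RE.search(body)
        if m and m.group(1).lower() not in KNOWN_SEARCH_HOSTS:
            entry.reasons.append("browser search/start page points at an unexpected host")
    elif sec == "O4":
        target = body.split("] ", 1)[-1]          # text after the [name] tag
        if any(marker in low for marker in TEMP_MARKERS):
            entry.reasons.append("autorun launches from a Temp folder")
        if ROOT_EXE.match(target.lower()):
            entry.reasons.append("autorun launches an executable from the drive root")
        if target.lower().startswith("rundll32.exe"):
            args = target.split(None, 1)[1] if " " in target else ""
            mod = args.split(",")[0]
            if mod and "\\" not in mod:
                entry.reasons.append("rundll32 loads a module by bare name (no directory)")
    elif sec == "O10":
        entry.reasons.append("Winsock LSP chain is broken (explains lost connectivity)")
    elif sec == "O20":
        entry.reasons.append("DLL injected into processes via AppInit_DLLs/Winlogon Notify")
    elif sec == "O23":
        if "unknown owner" in low or "(file missing)" in low:
            entry.reasons.append("service with unknown owner or missing binary")


def suspicious(text: str) -> list:
    """Parse a log and return only the entries that tripped at least one rule."""
    flagged = []
    for entry in parse_hjt(text):
        triage(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.section:4} {'; '.join(e.reasons)}\n     {e.body}")
```

Lines such as the DownloadWare autorun under Program Files and the msn.com start page pass through unflagged, which is the point: the rules single out the placement and loading tricks, not every autorun.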
  9. dstern

    dstern Private E-2

    Thanks. This level of detailed help is astounding!

    I have followed the instructions.

    1. I removed:

    Alt Win
    Security Toolbar
    Universal Media Player
    URL Display
    Viewpoint Media Player
    WebSearch Tools

    2. I killed:
    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\cfg32a.exe

    I should note that cfg32.exe and cfg32a.exe kept reappearing in the list, so I am not sure if they were successfully killed.

    C:\WINDOWS\regsvr32.exe could not be killed. I received a message that it was already closed or protected by Windows. I double-checked to make sure viewing of hidden files was enabled.

    C:\Program Files\c75myvai\c75myvai.exe was not present
    C:\defender20.exe was not present
    C:\Program Files\c75myvai\3976346.exe was not present
    C:\Program Files\c75myvai\c75myvai.exe was not present

    3. I fixed all of the items in the HJT scan, with the following exceptions, since they did not appear:

    O4 - HKLM\..\Run: [defender] C:\\defender20.exe
    O4 - HKLM\..\Run: [newname] C:\\newname20.exe
    O4 - HKLM\..\Run: [keyboard] C:\\keyboard20.exe

    4. Using Windows Explorer, I deleted all of the files except:

    C:\Program Files\DownloadWare - It was not present.
    C:\Program Files\SurfSideKick 3 - I could not delete this. Message said it was being used by another program. I followed the instruction about what to do if I get an error, but this did not fix the problem.

    The following were not deleted because they were not present:
    C:\WINDOWS\regsvr32.exe
    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\System32\azbsndy.exe
    C:\WINDOWS\System32\ptmg1v.dll
    C:\WINDOWS\System32\pqda.exe
    C:\WINDOWS\system32\tkdevpaf.exe
    C:\WINDOWS\system32\ptmg1v.dll
    C:\WINDOWS\system32\D0CE0C16B1 <--- this may really be named D0CE0C16B1.DLL or D0CE0C16B1.EXE
    C:\WINDOWS\system32\repairs303169587.dll
    C:\defender20.exe <--- also look for defender20.dat and delete
    C:\newname20.exe <--- also look for newname20.dat and delete
    C:\keyboard20.exe <--- also look for keyboard20.dat and delete

    5. I deleted all files in Prefetch and ran CCleaner

    6. I reset web settings.

    7. I rebooted.

    The computer booted nicely, without error messages or obvious malware problems. However, it is still not recognizing a connection to the internet. Thus I am sending this message from another computer.

    HJT log attached.

    Thanks.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Many of the items I asked you to fix are still there. Not sure why you did not see them last time. Your HJT log still shows them. Also your Look 2 Me infection has come back. We need to take a different approach to fixing this. I have a feeling that some of the programs installed to protect you are getting in our way of fixing the malware.

    So first uninstall Ewido and also uninstall Windows Defender. Then reboot your PC and continue with the below steps!

    NOTE: The first step with LSP-Fix may fix your inability to connect to the internet; however, remain disconnected from the internet while doing the below. Do not reconnect until coming back to attach logs and results.


    Download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the newdotnet7_22.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move newdotnet7_22.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    If it is already in the Remove section, just click Finish.


    Now click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Microsoft DLL Registration Component ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    DLLReg

    If you receive any error messages while doing any of the below steps, just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Run the Look 2 Me Destroyer steps again and save a new log. Attach the log when you come back.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\cfg32a.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
    O20 - AppInit_DLLs: repairs303169587.dll
    O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\l2j8lc1u1f.dll
    O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SurfSideKick 3 <--- the whole folder

    c:\program files\newdotnet <--- the whole folder

    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\system32\repairs303169587.dll
    C:\WINDOWS\system32\l2j8lc1u1f.dll
    C:\WINDOWS\regsvr32.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings
    (please use Majorgeeks.com for your start page for now so I can see that the procedure worked):
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log. Also attach the Look2Me-Destroyer log.

    Make sure you tell me how things are working now.

    Reminder Note:
    Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  11. dstern

    dstern Private E-2

    When I open the Properties window for the Microsoft DLL Registration, the "Stop" option is greyed out and cannot be selected (same for other options, too). I can set the Start-up Type to disabled. Shall I do that, or something different?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes just disable it and continue!

    Did you do the step with LSP-Fix? Did it help?
     
  13. dstern

    dstern Private E-2

    OK.

    Yes, I did the LSP-Fix, but it didn't help. The newdotnet7_22.dll file was not in the Keep section. A similarly named file, newdotnet7... (I couldn't get the full name to appear) was in the Remove Section. So I clicked Finished. But there was no restoration of the internet connection, even after a reboot.

    I'll finish the procedures you outlined and post the results.

    Thanks.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Remember to attach the below:
    - new HJT log.
    - new Look2Me-Destroyer log
    - also get a new uninstall-list log from HJT and attach it.
     
  15. dstern

    dstern Private E-2

    First, I should note that the internet connection is restored.

    Ran LSP-Fix, deleted the NT Service and DLLReg, and ran the Look 2 Me Destroyer.

    I ran into some problems after that. Using HJT, the following were deleted:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe


    Two of the entries were not present:

    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
    O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\l2j8lc1u1f.dll

    I received an error message that HJT could not fix:

    O20 - AppInit_DLLs: repairs303169587.dll

    I should also note that I repeated the scan a couple of times, and each time the three SurfSideKick entries reappeared:

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

    I then tried to use Windows Explorer to delete the files you noted. I was only able to delete: C:\WINDOWS\cfg32.exe

    The SurfSideKick 3 folder could not be deleted; an error message said it was being used. Same with the C:\WINDOWS\system32\repairs303169587.dll

    The other three I could not find.

    The three requested logs are attached.
     

    Attached Files:

  16. dstern

    dstern Private E-2

    I followed the instructions for the SurfSideKick Removal on this site. I've posted a fresh hjt log.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Had you noticed a few steps back that Surf SideKick was in Add/Remove programs and did you try uninstalling it at that point before you did the SSK removal procedure?

    The below is still in your log which means you still need to repeat the instructions for stopping and disabling it. And then you must delete the file. Make sure you find the file and delete it. Tell me what happens!

    O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe

    Also I would like to get some more info on the C:\WINDOWS\system32\devldr32.exe file. Locate it again using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too. It may belong to Creative Labs but it may not. I did not think they installed it into this folder. It could be related to the service we are still trying to kill.
     
  18. dstern

    dstern Private E-2

    Using the HJT Process Manager, I attempted to kill C:\WINDOWS\regsvr32.exe and got the following error message:

    "The selected process could not be killed. It may have already closed or it may be protected by Windows." I double-checked to make sure viewing of hidden files was enabled.


    WINDOWS\system32\devldr32.exe info:

    Company name: Creative Technologies
    File Version: 1.0.0.17
    Internal Name: DevLdr
    Language: English
    Original File Name: DevLdr32.exe
    Product Name: Creative Ring3 NT Inteface
    Product Version: 1.0.0.17

    I don't know if this is relevant, but I also find other instances of this file:

    C:\DRIVES\AUDIO\DEVLDR32.EXE
    C:\WINDOWS\Prefetch\DEVLDR32.EXE-3266C67C.pf
    C:\WINDOWS\Driver Cache\i386\driver.cab
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not how I said to fix the problem. You must do what I gave you in message number 10.


    The devldr32.exe file is OK!
     
  20. dstern

    dstern Private E-2

    Done and a fresh HJT log attached.

    Am I clean?
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still see the below line. See if HijackThis can simply fix it now.

    O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe (file missing)

    If not, you will have to repeat the part of using HijackThis to Delete an NT Service.
     
  22. dstern

    dstern Private E-2

    HJT deleted the entry, but each time I ran the scan again, it reappeared. So, I used HJT to fix the entry, and then used the instructions to stop a service. As happened before, the stop button was greyed out, but I set the "Start-up Type" to "disabled." Then I ran a fresh HJT scan, and the entry was not there. Log attached.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job!

    You no longer need Unlocker to run at startup. You probably used this to get rid of SurfSideKick.
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  24. dstern

    dstern Private E-2

     
  25. dstern

    dstern Private E-2

    I disabled the autostart function from Unlocker and did the system restore flush.

    Thanks for absolutely superb help!
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
