Please Help, i'm under attack!

I have a ton of spyware, virus on my pc and can't get it off! I found some in my add/remove programs,but every time i remove them, they come back after i restart my pc! the main one that i can't get rid of is this 1-800 Solutions crap, i have others like 1stbar 1st svc or some crap, i got this log from hijack this but i'm still lost.

Edit by bjgarrick: Unrequested, Inline HJT log removed!

please help, thanks

 

Please download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program.

After you complete the above, procede with the below online scans:

TrendMicro Online Scan
Bitdefender online scan
RavAntivirus online scan <-- select Auto Clean then click Scan My PC
TrojanScan online scan
Panda Online Scan


After you have completed the below online scans reboot and attach a fresh HJT log as an attachment to your post.

 

ok, whew I did all that, thanks Here's the new one

Inline log attached!

THESE ARE THE MAIN PESTS!
Select CashBack

SideFind

SlotchBar

Media Access

i found some of these and moved them to my desktop in an attempt to delete them, but i can't delete them for some
reason. why? The sidefine one keeps popping up like crazy, i did manage to delete it once, but it keeps
coming back. i did turn off my system restore until i get this crap fixed!

 

Next time you need to read this section in the sticky.

controlmind

 

heatherjean,

Please look in Add or Remove Programs for the following and Uninstall them if found:

Windupates

Media Access

NoAdware
(If you bought this make sure you have V3, if not uninstall it)

SideFind

SlotchBar

Select CashBack


Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

To create a new folder:
Click START > My Computer > Local Disc C: > Program Files
Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER

To Extract HijackThis:
Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
(C:\Program Files\HJT) and click Next.

Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

 

I'm sorry if I did something wrong, or posted something wrong. I'm new to all this, and I was in a hurry and really didn't read any other threads on here. Next time I will first. Thanks for all the help, i'm going to try the rest of the stuff you said bjgarrick, and post what happened.

 

Ok, I did everything just like you said. Thanks. Is there something I need to do now?

 

Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.r6.attbi.com;;localhost;

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - c:\PROGRA~1\System\Misc\kabh1.dll (file missing)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [gr87adfn] C:\WINDOWS\system32\gr87adfn.exe
O4 - HKCU\..\Run: [NoAdware] "C:\Program Files\NoAdware\NoAdware.exe" /s

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.com/save/makeover.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup 1.0.0.8.cab
O16 - DPF: {416792D8-F532-493A-BECC-1C99A1501FF9} (vmLaunch Class) -http://media2.comcast.net/anon.comcastonline2/onleng/downloads/VideoMail/vmLaunc her2.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://128.121.20.43:1995/talk.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\Program Files\winupdates ←–– Delete this whole folder if it exist!

C:\WINDOWS\system32\gr87adfn.exe

C:\WINDOWS\about.htm

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Dont forget to update Spybot S&D by selecting "Search For Updates"

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Ok, whew, I did all that, the only thing is I couldn't find gr87adfn.exe
in my system folder for some reason. I couldn't find a system32 folder, it just said system. I really appreciate all the help, there is no way in hell I could have done all this on my own! I'll be waiting for your reply

 

I notice that your running Avast! & AVG AntiVirus. This is NOT recommended as running 2 antivirus programs will cause conflicts on your computer. You need to pick ONE and uninstall the other.


Now scan with HijackThis and Check the Boxes for the following:

O20 - AppInit_DLLs: 4APPINITSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll

Make sure All Browser Windows are Closed when you Click FIX.


After you complete the above, reboot and post a fresh HJT log and also let me know how things are running.

 

That's strange, I didn't know I was running Avast. I uninstalled that months ago! Ok, I checked in my Add/Remove Programs, but it's not in there. I did a search for avast and it came up in My Documents folder and I deleted it. I did what you said below, and everything seems to be running fine, I'm not getting anymore virus popups and when I scanned with spybot it said nothing was found

 

There's still some Avast! remnants hanging around so do this. Download Avast Free, install it. As soon as you install it go into Add/Remove Programs and uninstall.

Reboot and attach a fresh HJT log.

 

Ok, gotcha, I did what you said, it's weird, I saw something that said Yahoo Pager or something in there, I don't even have Yahoo anymore. How can it be that even when you uninstall these programs, they still remain? Thanks

 

I also see Yahoo! Messenger set to startup, you appear to have the package installed. If you dont use/need it uninstall it also.

Are you having any further problems?

 

Nope, everything is running smoothly now, thanks to you! I really appreciate it because I would have been totally lost without your help. Thanks for taking time of your days to help a sista out Take care

 

Your Welcome!

You should see this article on How to Protect yourself from malware!

 

Thanks I'll check that out homie

 

Surf Safely!

 

I will

 

http://forums.majorgeeks.com/images/smilies/biggrin.gif