Please Help!! Viruses just love me and won't go away

Welcome to Majorgeeks!

If you compress the log into a ZIP file and then upload the ZIP file, it may meet the size limit.

You have a load of problems! This is going to require a bunch of work and some more scans will be needed. Some of these scans will fix some problems and some of them are just need to help me locate hidden files so we can prepare a procedure for you to use to get things cleaned up.

First run the procedure in the following link and attach the Ewido log:

Running Ewido Anti-Malware


Now download and install Spy Sweeper Install it and get the update but do not start the scan yet!

Print or save these steps to a notepad file locally to refer to if necessary because ALL browsers (including this one) must be closed when you do the following.

• Run Spy Sweeper but do not start a scan yet.
• Close ALL browser sessions and exit any other programs that are running except SpySweeper (and notepad if you needed it to view these instructions).
• Open Task Manager by pressing CTRL-SHIFT-ESC.
• In Task Manager's Process list, locate explorer.exe. Right click on it and select End Process . Do not be alarmed! This will make your Desktop with icons disappear. It is only temporary.
• Now run a full scan with Spy Sweeper and save a new log to spysweeper.txt. You do this by clicking Session Log in the upper right corner, copy everything in that window and then pasting it into another notepad window.
• Now in Task Manager click File, New Task (Run...) and enter explorer.exe and click OK. Your Desktop should come back
• Now attach the new Spy Sweeper log here.
• Now reboot and run a new Spy Sweeper scan and attach this last log here (yes that is two scans with SpySweeper, one to hopefully fix, and one to make sure it fixed).

After doing all of the above attach the Ewido and Spy Sweeper logs and then attach a new HJT log so we can continue with manual cleaning steps. I may need you to run two other scanning tools. I'll know when I see the next HJT log.

 

How did you download other programs from the READ & RUN ME?
Are the downloads completing?
When you try to install Ewido, what happens? Any error messages?
Try installing it in safe mode.

Do not download them to your Desktop! Create a folder (like suggested in the READ ME) and download the files to this folder rather than the Desktop.

You did not follow the preliminary house cleaning instructions of the READ ME. That is why your Bitdefender log is so big. You should have emptied your housecall\Quarantine folder. Also you did not follow the instructions for creating the Bitdefender log. It should be an HMTL file. The way you saved it, it is too annoying to read (too many line wraps at incorrect places and too much merging of info with no spacing).

In fact, it looks like you may have skipped ALL of step 0. Did you look for those programs that are listed and uninstall them?

All the P2P downloading is infecting you with every piece of malware known to man!! You need to stop using the P2P programs, uninstall them, and delete all the stuff downloaded with them. As you can see in your Bitdefender log, Housecall had all this junk quarantined due to infections. And now your PC is really messed up from all of this.

Please download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster
• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

Also download and run this: Kazaa Spyware Removal


Let's get an installed programs list from HijackThis!

• Run HijackThis, click Open the Misc Tools section
• Click Open Uninstall Manager
• Click Save List (generates uninstall_list.txt)
• Click Save, to save it to a file where you can find it.
• Attach the uninstall_list.txt file to your next message.

 

I'm not sure exactly what is going on but let's see if we can make any progress using manual steps and HijackThis.

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...e.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F3 - REG:win.ini: load=??? ??? ??? ? ? ?Iu ? ?
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe,hfgtkub.exe
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: enu.com
O1 - Hosts: enu.com
O1 - Hosts: henu.com
O1 - Hosts: henu.com
O1 - Hosts: .whenu.com
O1 - Hosts: .whenu.com
O1 - Hosts: c.whenu.com
O1 - Hosts: c.whenu.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: inc.whenu.com
O1 - Hosts: inc.whenu.com
O4 - HKLM\..\Run: [newname] C:\windows\newname5.exe
O4 - HKLM\..\Run: [dyavqeeA] C:\WINDOWS\dyavqeeA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe
O4 - HKLM\..\Run: [ms046242591075] C:\WINDOWS\ms046242591075.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [t] C:\WINDOWS\System32\dpwzzs.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\System32\msbb.exe
O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\KaZaA\My Shared Folder\YU GI OH GAME EXE. (WORKS GREAT) MUST SHARE..exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\f4j20e1oeh.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\WildTangent <-- the whole folder
C:\Program Files\Common Files\Toolbar <-- the whole folder
C:\Program Files\WebSavingsfromEbates <-- the whole folder
C:\Program Files\NEWDOT~1 <-- the whole folder. This is probably NEWDOTNET or something similar.
C:\Program Files\KaZaA <-- the whole folder
C:\Program Files\Common Files\CMEII <-- the whole folder
C:\Program Files\System Soap Pro <-- the whole folder
C:\Program Files\ebkrdr <-- the whole folder
C:\Documents and Settings\Owner\Application Data\Lycos <-- the whole folder
C:\Documents and Settings\Owner\Local Settings\Temp\tp7543.exe <--- delete all files and subfolders in this Temp folder
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\KZCZ2VWN\rcverlib[1].exe

C:\WINDOWS\Temp\Cookies\ <--- delete all files and subfolders in this folder

c:\WINDOWS\System32\zzb.exe
C:\WINDOWS\System\WinStart001.EXE
C:\WINDOWS\System32\dpwzzs.exe
C:\WINDOWS\System32\msbb.exe
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\SYSTEM32\Agent.dll
C:\WINDOWS\SYSTEM32\aupdate.conf
C:\WINDOWS\SYSTEM32\rk.bin
C:\WINDOWS\SYSTEM32\sysfile.dll
C:\WINDOWS\system32\d18.dll
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\msietn.dll
C:\WINDOWS\system32\NLNP13.dll
C:\WINDOWS\system32\qmdsregk.exe
C:\WINDOWS\system32\SHAgentNew.dll
C:\WINDOWS\sysupd.exe
C:\WINDOWS\Downloaded Program Files\bridge.dll
C:\windows\newname5.exe
C:\WINDOWS\dyavqeeA.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\expload.exe
C:\WINDOWS\ms046242591075.exe
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\Qm9iYnkgQmVlYmU\kA62sB40kAp5sAo.vbs

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Note: My previous instructions should help to get us started but I do not expect it to fix all the problems you have. Some of them will return. They require special steps to remove but if you cannot download anything, we are going to have a problem removing them since we need other tools to find hidden malware files.

 

When did your problems with not being able to download anything begin?

You have HijackThis and you have Windows Defender (fairly recent). And other items from the READ ME. When did you download and install these? Was it after you had already run the READ ME that you started having problems downloading.

I see both Symantec and AVG antivirus applications. You should go to Add/Remove programs and uninstall all Symantec/Norton items you see. Tell me if this works or not. We may need manual steps to remove it.

I noticed you did not fix the below line last time. Did you choose not to fix this on purpose?
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

I missed one item last time! Power Scan. Look in Add/Remove programs for Power Scan and uninstall if found. Whether it had an uninsall or not, then look for the below line in HJT and have HJT fix it.

O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

Then boot into safe mode and delete the C:\Program Files\Power Scan folder.

Now reboot normal mode and attach a new HJT log. Any change to your problems.

Do you know what the below is being used for:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe

srvany.exe can be a valid Windows service but I'm not sure if this is where it runs from when valid. I would expect it to be running as: C:\WINDOWS\system32\srvany.exe Most PCs do not have this running. See the below for some info about the valid Windows program. Does it sound like something you are doing?

http://www.liutilities.com/products/wintaskspro/processlibrary/srvany/

 

Okay then maybe we should try disabling it and see what happens.

You previous log showed both of them still being there. Take a look for yourself. Did you run any other scans inbetween these last two HJT logs. Perhaps something removed them for you.

That was a really bad thing to do. Now you have no restore points to revert to, if we cannot get the download issue resolved.

Do you have a list of all items that you were not allowing to startup?

Can you download in safe mode?

Does the Windows Installer program also run in safe mode? Sounds like the problem could be due to an incomplete install of some application. Windows Defender does not seem to be installed correctly. Does it work?

Do you have your Internet Explorer Security settings setup to allow downloads:

 

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to cpuidle ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.
Now reboot and get a new HJT log. Let me know if anything changes and if you get any error messages or cannot run any particular applications.

 

All of those items (O4 thru O20) where bad and we have now removed them.

Run msconfig and select Normal Startup if not already in that mode. And then reboot and attach a new HJT log.

Seems like Spy Sweeper fix a lot. Are you still having problems?

You did not answer my question as to whether you can download in safe mode.


........Edit........ how did you get Ewido and SpySweeper if you cannot download?

 

So then specifically the answer to the below is No????

 

Okay have you gone back to msconfig and selected Normal Startup yet. Please do not disable anything from loading at anytime unless I ask you to do so. Get into normal startup and then tell me if you see items in msconfig that are still unchecked. If there are, first make sure you definitely are still in Normal Startup mode and thentell me which ones.

Also uninstall MS Windows Defender!

 

Yes! And then attach a new HJT log. Make sure you leave it in Normal Startup now unless I request you to change it.

Also use your other PC to download Mozilla FireFox
Install it on the problem PC and see if you can download.

 

You're welcome!

Most of the time! But I do lose it once in awhile.

Yes! Tell me exactly what it is saying. It could be just things that it is seeing for the first time since you just installed it. By the way, is this the first time you have rebooted since cleaning things with Ewido & Spy Sweeper?

 

Do you still have SpySubtract installed? Do you use it? Is it a trial version?

Do you use AOL?

 

Okay sounds like SpySweeper may have fixed your download problems!

Download and run the below and see if you can use it to resolve Windows Installer issues.

Windows Installer CleanUp Utility

 

Tha't what I expected. There is a failed install somewhere. You had two msiexec.exe processes running. You can try killing them and see if it let's you. Then to run the Cleaner. Either way continue with the below.

We need to fix a few items you should not have trying to load from Norton. Since you are using AVG, you do not want or need these.
Also there are a few items that are not required to load at startup, and a few you do not use. It is better to just have HijackThis fix them rather than using MSconfig like you were.

Run HijackThis and select the below lines and then click Fix checked.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Then exit HJT and delete any of the below if found:
C:\Program Files\America Online 7.0 <-- the whole folder
C:\Program Files\interMute <-- the whole folder
C:\Program Files\Symantec <-- the whole folder
c:\Program Files\NORTON~1 <-- the whole folder

Then after running Windows Installer cleanup and fixing the above, reboot and attach a new log.

Now let me know your status. Time for me to get some sleep. Got an early day tomorrow and only had 4 hours of sleep yesterday.

 

You're welcome. You should uninstall the old Sun Java version (J2SE runtime Envir 5.0 Update 3 ) since you have the latest version installed.

If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!