Requesting permission to post my hijack this log file?

Discussion in 'Malware Help (A Specialist Will Reply)' started by AC74ECU, Jul 12, 2005.

  1. AC74ECU

    AC74ECU Private E-2

    Hello...this is my first post here. After annoying pop-ups and countless hours of running programs to rid myself of their annoyances, I decided to finally ask for help. I have done everything in the "READ ME BEFORE ASKING FOR SUPPORT" forum twice. The only thing not done was the "Symantec Security Check" and this was just because it would not ever load. I tried 5 times and waited a maximum of 10 minutes for the page to load but it never did...so that's why I haven't done that. I also read the "NO HIJACK THIS LOG FILES BEFORE READING THIS" forum and tried to figure out what was not needed. The only thing I could find for sure was the "D.exe" program. (which I haven't deleted yet in fear of crashing because the list says d.exe and mine says D.exe...don't know if caps make a difference) The others checked out okay except for the ones that I could not find in the links given. I also have some O23 keys that are not listed in the forum and I don't know what to do with them. I have been trying to do this myself for the past 7 hours and it's time for some help. The only problems I'm having are pop-ups. Let me know if someone could help me by looking at my log file or in any other way...I will not post the log file until permission is given...Thanks in advance!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. AC74ECU

    AC74ECU Private E-2

    Here is my log file...Thanks!
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.
     
  5. AC74ECU

    AC74ECU Private E-2

    Done. Here it is.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

    O2 - BHO: (no name) - {338C325D-C539-57B6-800B-165504812913} - C:\WINDOWS\System32\olbh.dll (file missing)

    O4 - HKLM\..\Run: [D.exe] C:\documents and settings\jason davis\local settings\temp\D.exe
    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Bkj6sa7.exe
    O4 - HKLM\..\Run: [ibigwtkiog] C:\WINDOWS\System32\enwnuceu.exe
    O4 - HKLM\..\Run: [u7tO3Eh] avgav.exe
    O4 - HKLM\..\Run: [nAUrLhm.exe] C:\documents and settings\jason davis\local settings\temp\nAUrLhm.exe
    O4 - HKLM\..\Run: [SSLdVNYhu.exe] C:\documents and settings\jason davis\local settings\temp\SSLdVNYhu.exe
    O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
    O4 - HKCU\..\Run: [Psembwg] C:\WINDOWS\system32\?ttrib.exe
    O4 - HKCU\..\Run: [Osus] C:\Program Files\htwu\rrup.exe

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
    O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX. NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\htwu <-- Delete this whole folder if it exists!

    C:\WINDOWS\system32\picsvr <-- Delete this whole folder if it exists!

    C:\WINDOWS\system32\?ttrib.exe <-- There will be 2 of these files, it will be attrib.exe. Look at the size, author, and date created to determine which one is the baddie. Once you find the baddie, right click and delete it!

    C:\WINDOWS\System32\Bkj6sa7.exe

    C:\WINDOWS\System32\enwnuceu.exe

    C:\WINDOWS\about.htm

    avgav.exe <-- Search for this file and delete when found!

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
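
An added example, not part of the original thread: a small Python triage of HijackThis entries like those in the fix list of the post above. The flag names and the heuristics behind them (missing target file, autostart from a temp folder, bare file name, `?` in the file name) are assumptions made for illustration, not the helper's stated criteria.

```python
import re

# Constructed sample: five entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {338C325D-C539-57B6-800B-165504812913} - C:\WINDOWS\System32\olbh.dll (file missing)
O4 - HKLM\..\Run: [D.exe] C:\documents and settings\jason davis\local settings\temp\D.exe
O4 - HKLM\..\Run: [u7tO3Eh] avgav.exe
O4 - HKCU\..\Run: [Psembwg] C:\WINDOWS\system32\?ttrib.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<target>.+)$")


def triage(line):
    """Return (section, reasons) for one log entry, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    reasons = []
    # Assumed heuristic: the registry entry outlived the file it points to.
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned")
    if "(no name)" in low:
        reasons.append("unnamed")
    run = RUN_RE.match(body) if section == "O4" else None
    if run:
        target = run.group("target")
        filename = target.rsplit("\\", 1)[-1]
        if "\\temp\\" in target.lower():
            reasons.append("autostart-from-temp")
        if "\\" not in target:
            reasons.append("bare-filename")  # resolved through the search path
        if "?" in filename:
            reasons.append("unrenderable-char")  # assumed: lookalike character
    return section, reasons


def triage_log(text):
    """Triage every entry line in a log; non-entry lines are skipped."""
    return [r for r in map(triage, text.splitlines()) if r is not None]


if __name__ == "__main__":
    for section, reasons in triage_log(SAMPLE_LOG):
        print(section, ", ".join(reasons) or "no heuristic hit")
```

The picsvr entry hits none of these heuristics even though it is on the fix list, so a script like this only sorts entries for review and does not replace reading the log.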
     
  7. AC74ECU

    AC74ECU Private E-2

    I have followed the process given. I did not find the executable avgav.exe. Also, when I run Ad-awareSE, it pauses and quits scanning at random spots. It's always been while scanning "CLSID\{Some random #'s, different every pause}". I don't know if you need to know this or not...but all the other tests ran fine. Here is my new log file.
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean. Are you having any further Malware issues?


    For the Ad-Aware problem, let's give your registry a quick cleaning.

    Download RegSupreme Pro 1.1

    Install this program. After you install, you will be prompted to "defrag" your registry for best performance. You can go ahead and click YES; it should take but a minute or so.

    After this completes, at the top, click the REGISTRY CLEANER tab. Then click on "Aggressive" and let it scan. Afterwards you will see the total of invalid entries found. Once it's complete, select ALL entries and select FIX. The program will then fix the ones that are fixable; the ones that are not will be removed. Type in a backup filename and save to an easy location just in case.

    After you fix the invalid entries, reboot and scan again and see if it still freezes.
     
  9. AC74ECU

    AC74ECU Private E-2

    Thanks for the help with the log file...I'll continue to get to the bottom of the pop ups...they are less severe now than before though. As far as other malware issues...I think I'm good.

    About the ad-aware pausing...I've done as you requested with the registry cleaning software but the pause is still occurring. Another thing you might need to know is that spybot picks up wildtangent every time it is run. I don't know if that's got anything to do with anything but thought it might help...thanks in advance...again.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you attach the log from Spybot so I can see exactly what it's finding?
     
