Spyware Trouble -- Help Needed

Didn't we just fix you up a few days ago? I guess you did not follow my advice at the end of that thread. Your old thread was: http://forums.majorgeeks.com/showthread.php?t=53058

And I suggested that you follow the steps in: How to Protect yourself from malware!

Did you? Did you start using FIrefox?

 

You missed some of them Thug! I'll post a follow up in a bit.

Rtf15, what is it with these poker games things and UltimateBuddy (which is considered malware by many people). Both you and your brother have these.

Also this log shows Ares and Bearshare P2P file sharing programs. Both contain adware. And they should not be running when you are posting HJT logs. Why would you even think of having those running while trying to fix problems.

 

That's probably where you got DLhelper (deal helper from). Most free online programs like this (especially these poker games) typically lead to so kind of problem. It's up to you and your brother in the end but I don't trust those kind of programs.

Did you read what I said about Ares and Bearshare containing adware? See this too:
http://www.spywareinfo.com/articles/p2p/

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
istsvc.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - Startup: DLHelperEXE.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\ISTsvc <--- the whole folder
C:\Program Files\Common Files\WinTools <--- the whole folder
C:\Program Files\AWS <--- the whole folder
C:\Documents and Settings\username\Start Menu\Programs\Startup\DLHelperEXE.exe
replace the username text with the actual user name account.

Also look for DLHelper here and delete it if found:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DLHelperEXE.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Why do these need to run at startup:
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [UltimateBuddy] C:\Program Files\UltimateBuddy\UltimateBuddy.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h

If kept, they should only be loaded when you need them.

 

You did not fix the WildTangent entry in your log:
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

Try looking here:
Also look for DLHelper here and delete it if found:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DLHelperEXE.exe

And what is the user name you used?

 

You did not fix these either:

C:\WINDOWS\koium.exe
C:\Program Files\ISTsvc\istsvc.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [mTbfEEAf4] C:\WINDOWS\koium.exe

 

Your log looks clean! You said you could not delete the above file. Did you find and could not delete it, or did you not find it at all?

Do a search for it if necessary but first configure Windows search:

How to use windows XP search mechanism to look for hidden files:
If you use Search, you need to do the following:
Click Search and the Select "All files and folders"
Enter the filename in the "All or part of the file name:" box, so enter DLHelperEXE (leave off the .exe)
Now select "More advanced options"
Make sure the following check boxes are checked:
- Search system folders
- Search hidden files and folders
- Search subfolders
Then click the Search button.

Do you find it this way?

 

You're welcome! That sounds good! The below link contains information on steps you should take to help prevent future problems (some you may already have completed):

How to Protect yourself from malware!

I would like to see a final log to make sure everything is gone and nothing else popped up!