Still Can't Get Rid of Spyware/Viruses

Discussion in 'Malware Help (A Specialist Will Reply)' started by bursoni, May 26, 2005.

  1. bursoni

    bursoni Private E-2

    Ran virtually all major anti-virus and anti-spyware apps and am getting no luck. Can you give me some feedback on this HijackThis log:

    edit by bjgarrick: Unrequested, Inline HJT log removed!
     
    Last edited by a moderator: May 26, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please read the announcements and follow the forum guidelines!

    If you have not yet run the READ ME, please do so first!

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After you complete the above,

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.


    After you have relocated HJT, proceed with the following online scans:

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    After you complete the online scans, reboot and post a fresh HJT log as an attachment to your post.
     
  3. bursoni

    bursoni Private E-2

    Sorry for not following the guidelines... new to the group.

    I've run the scans you suggested and am still getting a lot of action... Here's my log file... thoughts?

     

    Attached Files:

    Last edited by a moderator: May 27, 2005
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    You have problems including AFA Internet Enhancement. If that is in Add/Remove Programs, you might be able to uninstall it from safe mode. Here are the lines to remove; safe mode would be good, as some of these are executables that are virus-related and could rename themselves when deleted from a normal Windows session. After that, try another online scan and spyware scan from safe mode as well.

    C:\WINDOWS\system32\rrvmrz.exe
    C:\WINDOWS\system32\omzvrd.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - C:\WINDOWS\system32\n.dll
    O2 - BHO: SDWin32 Class - {D440BD9F-7514-44C4-A075-2ACE2F76F58B} - C:\WINDOWS\system32\ivehv.dll
    O4 - HKLM\..\Run: [x36O33R] dmopatui.exe
    O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [ivehvc] C:\WINDOWS\system32\ivehvc.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rrvmrz.exe reg_run
    O4 - HKLM\..\Run: [omzvrc] C:\WINDOWS\system32\omzvrc.exe
    O4 - HKCU\..\Run: [g0pERTd4T] dim_32.exe
    O9 - Extra button: WebTrends SmartView - {7127E6AE-C5EE-422A-96C6-BBFDA4340FE2} - C:\Program Files\WebTrends SmartView\WTsvu.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\WINDOWS\DOWNLO~1\WebEx\350\atonecli.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\WINDOWS\DOWNLO~1\WebEx\350\atonecli.dll (HKCU)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://exacttarget.webex.com/clien...bex/ieatgpc.cab
    O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0002.exe
    O23 - Service: hsaieab - Unknown owner - C:\WINDOWS\system32\hsaieab.exe

    Come on back after and let us know if it worked. Thanks!
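    The lines quoted in the post above can also be triaged mechanically. The following is an added example, not code from this thread or from HijackThis itself: it parses the O2/O4/O9/O16/O23 line formats shown here and flags the signals the helpers act on in this thread (orphaned entries, unnamed BHOs and buttons, services with no owner, Run values that are bare filenames found via PATH search, DPF entries that fetch a raw .exe, and, as a labelled heuristic, short all-lowercase names under system32). The sample log is constructed from lines quoted in the thread.

```python
import re
from typing import Dict, List

# Constructed sample built from HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - C:\WINDOWS\system32\n.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rrvmrz.exe reg_run
O4 - HKLM\..\Run: [x36O33R] dmopatui.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0002.exe
O23 - Service: hsaieab - Unknown owner - C:\WINDOWS\system32\hsaieab.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")       # "O4 - <body>"
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")        # "[ValueName] command"
# Heuristic only: short all-lowercase stems under system32 (rrvmrz.exe, n.dll) are typical of the
# droppers in this thread, but legitimate binaries can match too; confirm against a known-good list.
RANDOM_RE = re.compile(r"\\[Ss]ystem32\\[a-z]{1,8}\.(?:exe|dll)\b")

def program_of(cmd: str) -> str:  # program part of a Run value: drop quotes and trailing arguments
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def triage_line(line: str) -> List[str]:
    """Reasons a single HJT line deserves a closer look; an empty list means nothing was flagged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: registry points at a file that no longer exists")
    if sec in ("O2", "O9") and "(no name)" in body:
        reasons.append("unnamed BHO/button: legitimate add-ons normally register a name")
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor string")
    if sec == "O4":
        r = RUN_RE.search(body)
        prog = program_of(r.group("cmd")) if r else ""
        if prog and "\\" not in prog:  # e.g. "dmopatui.exe": no fixed location, resolved via PATH search
            reasons.append(f"Run value '{prog}' is a bare filename resolved via PATH search")
    if sec == "O16" and body.lower().endswith(".exe"):
        reasons.append("ActiveX (DPF) entry fetches a raw .exe rather than a .cab package")
    if RANDOM_RE.search(body):
        reasons.append("short all-lowercase name under system32 (heuristic, verify against known-good list)")
    return reasons

def triage_log(text: str) -> Dict[str, List[str]]:  # every flagged line -> its reasons
    return {ln.strip(): triage_line(ln) for ln in text.splitlines() if triage_line(ln)}
```

Running `triage_log(SAMPLE_LOG)` flags six of the seven sample lines; the quoted WeirdOnTheWeb entry passes every check, which is a reminder that this triage narrows the list but does not replace a human review of the full log.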
     
  5. bursoni

    bursoni Private E-2

    Seems to have had a positive effect... popups are way down, but not gone... Still getting a few. Here's my log:
     
    Last edited by a moderator: May 27, 2005
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    There's so much crap running on your machine; please close everything and repost your log file with it attached, not cut and pasted. Thanks.
     
  7. bursoni

    bursoni Private E-2

    It's unfortunately like my office... I'm a bit of a pack rat... Certainly, if you see something worthless in there, tell me...

    Here's the log attached...

    Thanks...
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have some problems that require special steps to remove. The HJT line with KavSvc is an indicator of Ad-behavior problems.

    Please follow the steps below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder. Then, double-click Find-Qoologic.bat to run the tool. It should produce a log - please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder - C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and double-click rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.
     
  9. bursoni

    bursoni Private E-2

    Here's what you asked for... The Log.txt file doesn't really have anything in it... that I can see...
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run RKfiles in safe mode and did you wait long enough for it to complete?
     
  11. bursoni

    bursoni Private E-2

    Let it run overnight... here it is...
     

    Attached Files:

    • log.txt (687 bytes)
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember to exit browsers ( C:\Program Files\Internet Explorer\iexplore.exe ) before using HijackThis.

    Okay the first thing we must do is stop Spybot's Teatimer because it could get in the way of making some fixes.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.

    Now quit Spybot and reboot your PC and continue with the below.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    CWShredder Service

    Now exit HijackThis and continue to my next message.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing the steps in my previous message, continue with these.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Download Pocket Killbox and save it to its own folder where you can find it.


    Read thru the below steps and make sure you understand them before starting. Ask questions if you have any before starting.

    Run Killbox by double clicking on the killbox.exe file.

    Check the following boxes:

    Standard File Kill
    End Explorer Shell While Killing file

    Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box.
    C:\WINDOWS\system32\winup2date.dll
    C:\WINDOWS\system32\wmconfig.cpl
    C:\WINDOWS\system32\guarnset.exe
    C:\WINDOWS\system32\rrvmrz.exe
    C:\WINDOWS\system32\dmopatui.exe
    C:\WINDOWS\system32\dim_32.exe
    C:\WINDOWS\dmopatui.exe
    C:\WINDOWS\dim_32.exe
    D:\cwshredder.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddnp.exe

    With the full path to the file in the Full Path of File to Delete textbox, the filename will appear under the box in blue to indicate it was found. Now click the Red X, and for the confirmation message that will appear, you will need to click Yes. If the file is successfully deleted you will get a message of confirmation. Just click OK!
    Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

    Now for any files not deleted properly above (the ones you wrote down), do the below (if all of them deleted, skip these steps):
    - in Killbox select the option to Delete on Reboot
    - uncheck the option to End Explorer Shell While Killing file

    Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet).

    When you do enter the last file name that needs to be deleted, click Yes on the last file.
    Note: Killbox will let you know if the file does not exist.

    Now your PC should reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {C370527A-24A7-4583-BE01-72E59000EB17} - (no file)
    O2 - BHO: (no name) - {D440BD9F-7514-44C4-A075-2ACE2F76F58B} - (no file)
    O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rrvmrz.exe reg_run
    O4 - HKLM\..\Run: [x36O33R] dmopatui.exe
    O4 - HKCU\..\Run: [g0pERTd4T] dim_32.exe
    O16 - DPF: {CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_08) - https://www.callinfo.com/jinstall-1_3_1_08-windows_custom-i586.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} -
    O23 - Service: CWShredder Service - InterMute, Inc. - D:\cwshredder.exe


    Now reboot one more time into normal mode and post a new HJT log. And tell us how things are working.
     
