Virus Maybe? Not Sure

Discussion in 'Malware Help (A Specialist Will Reply)' started by biggmoney, Apr 18, 2005.

  1. biggmoney

    biggmoney Private E-2

    Hi,

    First off, I am on dialup and use Earthlink as my provider, which is not working right now for some reason.

    I usually download around 3-5 KBPS and right now it will only download at 1 KBPS or less. This all started a few days ago. I ran my anti-virus and found 3 viruses. I use AVG Free.

    1. Trojan Horse BackDoor.Small.23.AD
    2. Trojan Horse Dropper.Small.15.AH
    3. Same as #2 but in different location

    It will also stop all downloads I do at 50% and won't finish the download. So some of the things I have tried downloading from this forum, such as SpyBot etc., it won't let me.


    Here are my computer details:
    Operating System: Windows XP Home Edition Service Pack 1 (build 2600)

    Processor: 2.15 gigahertz AMD Athlon XP, 128 kilobyte primary memory cache,
    512 kilobyte secondary memory cache

    Drives:
    160.02 Gigabytes Usable Hard Drive Capacity
    ASUS CD-S480/AH [CD-ROM drive]
    ELBY DVD-ROM SCSI CdRom Device [CD-ROM drive]
    HP DVD Writer 300c [CD-ROM drive]
    3.5" format removeable media [Floppy drive]
    WDC WD1600BB-22DWA0 [Hard drive] (160.04 GB) -- drive 0, s/n WD-WCAEK1079520, rev 15.05R15, SMART Status: Healthy


    I also ran HijackThis and here is its log:

    Edit by chaslang: Unrequested, inline log removed

    I would like to get a different anti-virus, but like right now I can't download anything big in size because it won't finish the download. I have noticed it will let me download things below 1MB.

    So any help I can get would be appreciated.
     
    Last edited by a moderator: Apr 19, 2005
  2. biggmoney

    biggmoney Private E-2

    Thanks for the help lol
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You really need to follow forum guidelines and read the sticky threads. No HijackThis logs should be posted without them being requested and then they must be posted as attachments to your message. You also have HJT installed incorrectly. Please try to follow the steps below. If you cannot get the downloads or run the scans due to your problems, just proceed to the section of downloading and installing and using HJT and follow those steps.

    You should uninstall SpyKiller. It is not useful and has been on a list of rogue/suspect spyware removal tools for quite some time. See: http://www.spywarewarrior.com/rogue_anti-spyware.htm

    Do you know what the next line is for?
    O4 - HKCU\..\Run: [WebWatch] C:\unzipped\SCRIPTS ETC FILES\domainalarm\Domain Alarm.exe

    What version of DAP are you running? Older versions contained malware.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can also start working on the below after installing HijackThis properly!


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\DOCUME~1\Owner\LOCALS~1\Temp\IEXPLORE.exe <-- this is not a valid Internet Explorer

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{5468AC60-ED9F-49F0-B047-275985393713}\SECURITY.EXE
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: PowerReg Scheduler V3.exe
    O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\System32\msc.cpl (file missing)
    O21 - SSODL: rDcBRIvqKUbSJewL - {18A1900E-B20B-3AA4-DDDC-477C55E6CAD9} - C:\WINDOWS\System32\yjs.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\DOCUME~1\Owner\LOCALS~1\Temp\IEXPLORE.exe
    C:\Program Files\SpyKiller <--- the whole folder
    C:\WINDOWS\System32\yjs.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
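    As an added example (my own code, not from this thread, from HijackThis or from MajorGeeks): a small Python triage script that applies to HijackThis-style log lines the same checks chaslang makes by eye above: entries whose target is gone ("(no file)" / "(file missing)"), programs started from a Temp directory, a system-binary name such as IEXPLORE.exe running outside its normal folder, an executable tucked inside a GUID-named folder, and an O16 DPF entry that loads a local file. The sample log embeds the lines quoted in this thread plus two constructed lines (an AVG startup entry and a Temp-folder IEXPLORE entry) so it runs offline. The "expected folder" table assumes default long-form Windows XP install paths and the rules are heuristics for a first pass, not a verdict.

```python
"""Triage helper for HijackThis-style log lines (O2/O4/O16/O21 ...).

Added example, not part of the original thread or of HijackThis itself.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(r"^(O\d+)\s*-\s*(.*)$")
# First Windows path ending in an executable-type extension; non-greedy so paths with spaces survive.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr|com|bat)\b", re.IGNORECASE)
# Startup program living inside a {GUID}-named folder: unusual for legitimate software.
GUID_DIR_RE = re.compile(
    r"\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\\", re.IGNORECASE
)

# Assumption: default XP long-form locations of binaries that malware likes to impersonate.
EXPECTED_DIR = {
    "iexplore.exe": "\\program files\\internet explorer\\",
    "explorer.exe": "\\windows\\",
    "svchost.exe": "\\windows\\system32\\",
}


@dataclass
class Entry:
    section: str            # O2, O4, O16, O21 ...
    detail: str             # rest of the line after "Oxx - "
    path: Optional[str]     # first executable path found in detail, if any
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into its section code, detail text and file path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, detail = m.groups()
    p = PATH_RE.search(detail)
    return Entry(section, detail, p.group(0) if p else None)


def assess(entry: Entry) -> List[str]:
    """Return the list of reasons this entry deserves a closer look (empty = nothing noticed)."""
    reasons = []
    d = entry.detail.lower()
    if "(no file)" in d or "(file missing)" in d:
        reasons.append("target missing: orphaned entry, safe to fix")
    if entry.path:
        path = entry.path.lower()
        if "\\temp\\" in path:
            reasons.append("runs from a Temp directory")
        if GUID_DIR_RE.search(path):
            reasons.append("executable inside a GUID-named folder")
        name = path.rsplit("\\", 1)[-1]
        home = EXPECTED_DIR.get(name)
        if home and home not in path:
            reasons.append(f"{name} outside its normal folder (possible impersonation)")
    if entry.section == "O16" and "file://" in d:
        reasons.append("DPF entry loads a local file instead of a remote ActiveX download")
    entry.reasons = reasons
    return reasons


def triage(log_text: str) -> List[Entry]:
    """Parse a whole log and return only the entries that triggered at least one rule."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and assess(e):
            flagged.append(e)
    return flagged


# Lines quoted in the thread, plus two constructed ones (marked) so the clean/dirty split is visible.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{5468AC60-ED9F-49F0-B047-275985393713}\SECURITY.EXE
O4 - HKCU\..\Run: [WebWatch] C:\unzipped\SCRIPTS ETC FILES\domainalarm\Domain Alarm.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\windows\system32\cm.exe
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINDOWS\System32\msc.cpl (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\Program Files\Grisoft\AVG Free\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [iexplore] C:\DOCUME~1\Owner\LOCALS~1\Temp\IEXPLORE.exe
"""
# The AVG and Temp-folder IEXPLORE lines above are constructed for this example.

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section}: {e.detail}")
        for r in e.reasons:
            print(f"    - {r}")
```

    Run it on a saved HJT log with `triage(open("hijackthis.log").read())`; the WebWatch and AVG lines pass untouched, which is the point: the rules separate the entries worth asking about (as chaslang did with the WebWatch line) from the ones that can be fixed on sight.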
     
  5. biggmoney

    biggmoney Private E-2

    I did everything as you have said.

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\DOCUME~1\Owner\LOCALS~1\Temp\IEXPLORE.exe (Deleted but still shows in hijackthis)
    C:\Program Files\SpyKiller <--- the whole folder (There was no SpyKiller Folder in Program Files To Delete)
    C:\WINDOWS\System32\yjs.dll (This was deleted)

    I rebooted in regular mode, and everything is still the same. I stayed up till 6am my time making sure I ran the stuff exactly as you said.

    I reboot and HijackThis automatically creates a log, so here that is as well.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand why some of those were not fixed and some were!

    Also Spykiller is still there.
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

    Look for it in Add/Remove programs. Is it there? Uninstall if it is.

    Make sure System Restore is disabled!
    Make sure viewing of hidden & system files and all file extension types is enabled per the READ ME FIRST step 3.


    Please answer my questions from my previous post (see message # 3).

    And why are you using so many accelerator type programs? Having more than one is probably of little use and may serve to slow you down.
     
  7. biggmoney

    biggmoney Private E-2

    Do you know what the next line is for?
    O4 - HKCU\..\Run: [WebWatch] C:\unzipped\SCRIPTS ETC FILES\domainalarm\Domain Alarm.exe
    This is a program that while I am online, watches over a website I have, and lets me know when and if the site goes down.

    What version of DAP are you running? Older versions contained malware
    I have version 5.3.9.8 with all current updates.
    Main Version 5.3.9.8
    IE Integration Version 7.0.0.1


    Also Spykiller is still there.
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    I checked in "Add Or Remove" and in "Program Files". It is not in either. And yes, I have view all files and folders on. I even did a search for that file/folder and my search didn't find it. So I don't understand this, because it says it's running, yet it's not on my pc.

    And why are you using so many accelerator type programs? Having more than one is probably of little use and may serve to slow you down.
    That I know of I only have one running. Earthlink Accelerator
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member



    This is old and is one of the versions that I would consider containing malware. You should uninstall it. The current version is Download Accelerator Plus 7.4. But again, why have multiple accelerators? See below.


    No! You also have DAP!


    Which spyware protection tools like SpywareBlaster, Spybot, Ad-Aware....etc do you have installed.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\windows\system32\cm.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\windows\system32\cm.exe

    Now run Ccleaner

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  10. biggmoney

    biggmoney Private E-2

    Earthlink Accelerator is for my internet connection, by saving files in a temp folder, so it pulls the sites quicker next time I visit.
    Download Accelerator is for downloads. It speeds up downloads.

    Spyware Tools:
    Spyware Blocker (tool provided by Earthlink)
    NoAdware ver. 3.0
    (All below is stuff I downloaded from the READ ME FIRST)
    Ad-Aware
    Spyware Blaster
    CCleaner
    HsRemove
    Stinger
    CWShredder
    Kill2Me
    AboutBuster
    HijackThis



    I will get to work on your other post now.
     
  11. biggmoney

    biggmoney Private E-2

    Here is my Hijacklog
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! It looks like all the stuff we were trying to remove is gone now. Just fix the below line:

    O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

    How are things working?
     
  13. biggmoney

    biggmoney Private E-2

    Everything is working fine, except the line below. It doesn't matter how I remove it, every time I reboot it comes back. If I don't remove it, my pc doesn't work right, but if I do remove it, it does work fine.

    C:\DOCUME~1\Owner\LOCALS~1\Temp\IEXPLORE.ex
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That process was not in your last HijackThis log! Are you sure it is still happening?
     
  15. biggmoney

    biggmoney Private E-2

    Yes.

    I have to delete it first thing, or else my pc runs really slow and sounds like it's going 100% power.

    Once you told me to delete that messages ago, I was finally able to download things again, and get the downloads provided on READ ME FIRST. My pc actually acted somewhat right.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But if you remove items like this that we need to see, it will be difficult for us to help you because we cannot see the problem.

    Please do the below (but it will be necessary for you to do this while the bad Iexplore.exe is running).

    Download ProcessExplorer from: http://www.sysinternals.com/files/procexpnt.zip

    Unzip it to a folder you can find (like c:\SysInternals) and now run ProcessExplorer and let's configure some options first:
    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on C:\DOCUME~1\Owner\LOCALS~1\Temp\IEXPLORE.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    Now click on File and then Save As. And save the process list. Post it back here as an attachment. Also, from now on if I say to kill a process, use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can kill things that Task Manager cannot.
     
  17. biggmoney

    biggmoney Private E-2

    Hi,

    I am not sure what's going on. I rebooted so it would show back up, and went to download what you said to, when this time I noticed it didn't come back. I am not sure if it comes back only when I reboot into safe mode then back to normal. I will test that out to see if that's what causes it to come back.

    I have now downloaded ProcessExplorer. And did your steps, but there was no IEXPLORE.exe file.

    So I am attaching both HijackThis and ProcessExplorer.
     
  18. biggmoney

    biggmoney Private E-2

    Sorry forgot the attachments
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need to see it when C:\DOCUME~1\Owner\LOCALS~1\Temp\IEXPLORE.exe
    is running not when the valid Iexplore.exe is running.
     
