Too many viruses

[Fed]

Do you have the latest Windows updates?

[JPH]

Viruses, Worms & Spyware oh my!  

1. Update Ad-Aware, Spybot S&D, AVG & Ewido all one at a time but don't scan yet.

2. Boot into safe mode.

3. Turn off System Restore if you haven't already.
   a. Click Start, right-click My Computer, and then click Properties.
   b. Click the System Restore tab.
   c. Click to select the "Turn off System Restore" check box, click Apply and then click OK.
   d. Click Yes when you receive the prompt to the turn off System Restore.

4. Click Start > Run and paste the following into the Run prompt and click OK
(*Note - You may want to paste this into notepad & save this to a .txt file on the desktop so you can copy it once in safe mode)

Code: [Select]

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke +immortal
5. Perform a Full System Scan with Ad-Aware and remove anything it finds. When it's done you won't be able to close the window so just minimize it.

6. Now do scans with the other programs as well one at a time removing anything they find (Spybot S&D, AVG, Ewido)

7. Reboot into Normal Mode

8. Rename HijackThis.exe to HJT2K6.exe

9. Do another HJT scan and attach the new logfile.

If you have any problems along the way let me know.  

[Fed]

Dejavu   I like the way you think JPH.

[JPH]

Just adding a bit to your already excellent suggestions.  
Maybe this way we can actually get an Ad-Aware scan to work.  

[Doomsayer]

updates on problems,   no msblast.exe in task manager.   Windows is fully updated.  i followed the process JPH gave me,  i updated all the viurs programs successfully.  then restarted in safe mode,  (system restore was already turned off by me earlier, but i double checked)  then i opened ad aware  your way,  although i'm not sure what you meant by "+procnuke +immortal"   so if that was important than i missed it,  which might explain the result,  the error message popped up again just as it always does,  however if you don't do anything,  ad aware run's normally,  as far as i can tell,  then promptly after quarentining what it found,  it closed on it's own.    the other's programs  spybod and AVG both ran well, found a bunch of crap,  then got rid of it,  then  when it came time to run ewido,  about half way through the scan, the computer froze.    now what?     should i try again,  also, i should probably find out what you meant by "+procnuke +immortal "  before i try again.        Thanks guys!!

[unlovedwarrior]

i dont know what he meant either but im guessing it was kinda important or he wouldnt have bothered typing it, have u tried unistalling reinstall adaware

[Fed]

Your Hijackthis log is full of nasties, the above method is a cleaner way to remove them all.
[highlight]Come back with a fresh HJT log after you have done the cleaning as described.[/highlight]
(Don't skip any steps or change the order)

[Doomsayer]

Fair Enough.  here is the new logfile   also,  the popups have calmed down a bit.   Thanks a lot for all your help,   we're almost out of this.

[Fed]

Do you mind if we experiment on you?
Great!

Download and install PrevX 1, just go with the defaults and let it do it's own thing.
http://www.prevx.com/security.asp
PrevX 1 will ask you to re-boot during this process.

After it has scanned & cleaned your computer, re-boot and run a fresh HJT log.

Let's see just how good PrevX 1 really is, so far I have found it to be excellent.
It is touted to remove Surfsidekick so now we can test it.

[Doomsayer]

So ,  i gladly tried your experiment,  however, after the program had scaned about 25% the computer froze.   it did say that the computer was infected though.   so  right now i'm trying this again,  and we'll see if it can complete a scan.

[unlovedwarrior]

are you tring in safe mode

[Doomsayer]

Yes,  i have tried it in safe mode,   It wont' work at all,  because evidently it needs the internet to run.   in normal mode It still freezes the computer upon completing 25% of the scan.   Thanks though

[GX1_Man]

Sometimes you just have to format and reinstall.....

[JPH]

Hey Doomsayer, sorry I've been away for a few days. Let's see if we can manually fix the remaining nasties.

Once again, go into Safe Mode with System Restore turned off

Go to Start > Control Panel > Add or Remove Programs
See if there is an entry for SurfSideKick, if so remove it (you might have to enter a code that it gives you)
Also search for an entry called PSDream or something similar and remove it if it's there

Do a HJT scan again and put a check next to the following entries if still present:

R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe,fmpkhdm.exe
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsu56.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: (no name) - {87E3AC65-4EF0-420D-F7A8-671331AA31B4} - C:\WINDOWS\system32\lcea.dll  
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [zmb] C:\WINDOWS\zmb.exe
O4 - HKLM\..\Run: [dywtvu] C:\WINDOWS\system32\dhrcww.exe reg_run
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [yvdvx] C:\WINDOWS\system32\dhrcww.exe reg_run
O4 - HKCU\..\Run: [Utprlvei] C:\Documents and Settings\Byron Irving\My Documents\s?curity\?poolsv.exe
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\ugpnpmgr.dll (file missing)
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\wsdsp.dll (file missing)
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\dlvacm.dll (file missing)
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\mwhtml.dll (file missing)
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe

Choose "Fix checked" (you might be prompted to reboot, if so boot back into safe mode again)

Delete the following files:

C:\WINDOWS\system32\fmpkhdm.exe (or C:\WINDOWS\fmpkhdm.exe)
C:\WINDOWS\system32\nsu56.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\system32\lcea.dll
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\zmb.exe
C:\WINDOWS\system32\dhrcww.exe
C:\Documents and Settings\Byron Irving\My Documents\s?curity\?poolsv.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe

Delete the following folders (and all their contents):

C:\Program Files\SurfSideKick 3
C:\Program Files\PSDream

After you've done all that, run another HJT scan and post the new log file.

[Fed]

PrevX does not need the internet to scan but you need to explore the PrevX options.
Does the phrase 'Automatically upload malware for research' ring any bells for you?
Try looking under PrevX>Advanced>Protection Plus