Safe Mode only



#1
luisx4 (New Member, 5 posts)

Please help,

My laptop is completely jacked. The only way that I could get Windows to load was in safe mode. I ran all the fixes in your malware section, winsock, cleanup, etc., which allowed me to boot up in normal mode, but I still can't connect to the internet. I am trying to connect via a wireless connection. When it does come up this random program Bravesnetry comes up. I did not install this program, but it is totally overloading my system. Please Please Please help.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:37:22 PM, on 9/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...t...c01&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...t...c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...t...c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rhqfs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ccwjeer.exe
O1 - Hosts: 84.252.148.18 www.bankone.com
O1 - Hosts: 84.252.148.18 bankone.com
O1 - Hosts: 84.252.148.18 halifax.com
O1 - Hosts: 84.252.148.18 www.halifax.com
O1 - Hosts: 84.252.148.18 halifax.co.uk
O1 - Hosts: 84.252.148.18 www.halifax.co.uk
O1 - Hosts: 84.252.148.18 www.bankofamerica.com
O1 - Hosts: 84.252.148.18 bankofamerica.com
O1 - Hosts: 84.252.148.18 www.paypal.com
O1 - Hosts: 84.252.148.18 paypal.com
O1 - Hosts: 84.252.148.18 www.lloydstsb.com
O1 - Hosts: 84.252.148.18 lloydstsb.com
O1 - Hosts: 84.252.148.18 www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.18 lloydstsb.co.uk
O1 - Hosts: 84.252.148.18 www.garanti.com.tr
O1 - Hosts: 84.252.148.18 garanti.com.tr
O1 - Hosts: 84.252.148.18 www.kocbank.com.tr
O1 - Hosts: 84.252.148.18 kocbank.com.tr
O1 - Hosts: 84.252.148.18 www.disbank.com.tr
O1 - Hosts: 84.252.148.18 disbank.com.tr
O1 - Hosts: 84.252.148.18 www.chase.com
O1 - Hosts: 84.252.148.18 chase.com
O1 - Hosts: 84.252.148.18 www.southtrust.com
O1 - Hosts: 84.252.148.18 southtrust.com
O1 - Hosts: 84.252.148.18 www.wachovia.com
O1 - Hosts: 84.252.148.18 wachovia.com
O1 - Hosts: 84.252.148.18 www.wellsfargo.com
O1 - Hosts: 84.252.148.18 wellsfargo.com
O1 - Hosts: 84.252.148.18 www.barclays.co.uk
O1 - Hosts: 84.252.148.18 barclays.co.uk
O1 - Hosts: 84.252.148.18 www.barclays.com
O1 - Hosts: 84.252.148.18 barclays.com
O1 - Hosts: 84.252.148.18 www.barclays.pt
O1 - Hosts: 84.252.148.18 barclays.pt
O1 - Hosts: 84.252.148.18 www.barclays.pt
O1 - Hosts: 84.252.148.18 barclays.pt
O1 - Hosts: 84.252.148.18 www.citi.com
O1 - Hosts: 84.252.148.18 citi.com
O1 - Hosts: 84.252.148.18 www.citibank.com
O1 - Hosts: 84.252.148.18 citibank.com
O1 - Hosts: 84.252.148.18 www.etrade.com
O1 - Hosts: 84.252.148.18 etrade.com
O1 - Hosts: 84.252.148.18 www.neteller.com
O1 - Hosts: 84.252.148.18 neteller.com
O1 - Hosts: 84.252.148.18 tcfbank.com
O1 - Hosts: 84.252.148.18 www.tcfbank.com
O1 - Hosts: 84.252.148.18 hsbc.com
O1 - Hosts: 84.252.148.18 www.hsbc.com
O1 - Hosts: 84.252.148.18 hsbc.co.uk
O1 - Hosts: 84.252.148.18 www.hsbc.co.uk
O1 - Hosts: 84.252.148.18 aol.com
O1 - Hosts: 84.252.148.18 www.aol.com
O1 - Hosts: 84.252.148.18 comerica.com
O1 - Hosts: 84.252.148.18 www.comerica.com
O1 - Hosts: 84.252.148.18 www.3riversfcu.org
O1 - Hosts: 84.252.148.18 3riversfcu.org
O1 - Hosts: 84.252.148.18 www.53.com
O1 - Hosts: 84.252.148.18 53.com
O1 - Hosts: 84.252.148.18 www.bbt.com
O1 - Hosts: 84.252.148.18 bbt.com
O1 - Hosts: 84.252.148.18 www.boh.com
O1 - Hosts: 84.252.148.18 boh.com
O1 - Hosts: 84.252.148.18 www.capitalone.com
O1 - Hosts: 84.252.148.18 capitalone.com
O1 - Hosts: 84.252.148.18 www.cnbwax.com
O1 - Hosts: 84.252.148.18 cnbwax.com
O1 - Hosts: 84.252.148.18 www.cwbk.com
O1 - Hosts: 84.252.148.18 cwbk.com
O1 - Hosts: 84.252.148.18 www.ebay.com
O1 - Hosts: 84.252.148.18 ebay.com
O1 - Hosts: 84.252.148.18 www.edsefcu.org
O1 - Hosts: 84.252.148.18 edsefcu.org
O1 - Hosts: 84.252.148.18 egold.com
O1 - Hosts: 84.252.148.18 www.egold.com
O1 - Hosts: 84.252.148.18 www.e-gold.com
O1 - Hosts: 84.252.148.18 e-gold.com
O1 - Hosts: 84.252.148.18 www.firstusa.com
O1 - Hosts: 84.252.148.18 firstusa.com
O1 - Hosts: 84.252.148.18 www.frontierbank.com
O1 - Hosts: 84.252.148.18 frontierbank.com
O1 - Hosts: 84.252.148.18 www.gncu.org
O1 - Hosts: 84.252.148.18 gncu.org
O1 - Hosts: 84.252.148.18 www.householdbank.com
O1 - Hosts: 84.252.148.18 householdbank.com
O1 - Hosts: 84.252.148.18 www.icicibank.com
O1 - Hosts: 84.252.148.18 icicibank.com
O1 - Hosts: 84.252.148.18 www.mbna.com
O1 - Hosts: 84.252.148.18 mbna.com
O1 - Hosts: 84.252.148.18 www.mibank.com
O1 - Hosts: 84.252.148.18 mibank.com
O1 - Hosts: 84.252.148.18 www.midamericabank.com
O1 - Hosts: 84.252.148.18 midamericabank.com
O1 - Hosts: 84.252.148.18 www.myindymacbank.com
O1 - Hosts: 84.252.148.18 myindymacbank.com
O1 - Hosts: 84.252.148.18 www.nafcunet.org
O1 - Hosts: 84.252.148.18 nafcunet.org
O1 - Hosts: 84.252.148.18 www.nationalcity.com
O1 - Hosts: 84.252.148.18 nationalcity.com
O1 - Hosts: 84.252.148.18 www.cnb.com
O1 - Hosts: 84.252.148.18 cnb.com
O1 - Hosts: 84.252.148.18 www.nationwide.com
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsg10.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\JOERUT~1\LOCALS~1\Temp\freddy.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [pwm1db92] RUNDLL32.EXE w0016de0.dll,n 0051db8d000000050016de0
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [mqbrapoA] C:\WINDOWS\mqbrapoA.exe
O4 - HKLM\..\Run: [{72-27-71-13-ZN}] c:\windows\system32\okdsrego.exe ELT001
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [win3208085-1273551] C:\WINDOWS\win3208085-1273551.exe
O4 - HKLM\..\Run: [ms071085-127355] C:\WINDOWS\ms071085-127355.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [ms043551085-127] C:\WINDOWS\ms043551085-127.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {A1C62740-93D5-4E72-A5B6-B668D58C5197} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pot0_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106119487956
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: crypt32net - C:\WINDOWS\SYSTEM32\crypt32net.dll
O20 - Winlogon Notify: wincnh32 - C:\WINDOWS\SYSTEM32\wincnh32.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Bkebpm32.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_32.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi302419.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\mqbrapo.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Thank You
Ben Luis
  • 0


#2
Metallica (Spyware Veteran, GeekU Moderator, 32,898 posts)

Hi Ben,

1. Can you please run HijackThis and put a checkmark before the following lines:

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rhqfs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ccwjeer.exe

O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll

O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsg10.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll

O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\JOERUT~1\LOCALS~1\Temp\freddy.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [pwm1db92] RUNDLL32.EXE w0016de0.dll,n 0051db8d000000050016de0
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [mqbrapoA] C:\WINDOWS\mqbrapoA.exe
O4 - HKLM\..\Run: [{72-27-71-13-ZN}] c:\windows\system32\okdsrego.exe ELT001
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [win3208085-1273551] C:\WINDOWS\win3208085-1273551.exe
O4 - HKLM\..\Run: [ms071085-127355] C:\WINDOWS\ms071085-127355.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [ms043551085-127] C:\WINDOWS\ms043551085-127.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe

O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...ip/RdxIE601.cab

O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: crypt32net - C:\WINDOWS\SYSTEM32\crypt32net.dll
O20 - Winlogon Notify: wincnh32 - C:\WINDOWS\SYSTEM32\wincnh32.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Bkebpm32.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_32.dll

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\mqbrapo.exe

Click Fix checked when you are done.

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
4. Then find this file:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS and rename it to hosts.bak
Then download the hosts file offered here:
http://www.mvps.org/...p2002/hosts.htm
and use it to replace your own. (The one we just renamed)


5. Then reboot and download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
Reboot once more and post all the logs and a fresh HijackThis log.

Regards,
  • 0
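
Added example, not part of the thread or of HijackThis: a small triage script for a log in this format that pulls out the two findings behind steps 1 and 4, namely hostnames that the Hosts file redirects to a routable IP and programs appended to the Winlogon Shell/UserInit values. The sample lines are copied from the log above, except the 127.0.0.1 line, which is constructed; the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: lines copied from the log in post #1, plus one constructed
# 127.0.0.1 entry to show that loopback sinkhole entries are not reported.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rhqfs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ccwjeer.exe
O1 - Hosts: 84.252.148.18 www.paypal.com
O1 - Hosts: 84.252.148.18 paypal.com
O1 - Hosts: 84.252.148.18 www.chase.com
O1 - Hosts: 127.0.0.1 ads.example.com
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
HOSTS = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)$")
F2 = re.compile(r"^REG:system\.ini:\s*(?P<key>Shell|UserInit)=(?P<value>.*)$", re.I)
# Assumption: basename-only comparison; a full check would also pin the path.
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

def parse(log):
    """Yield (section code, body) for every HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def redirected_hosts(log):
    """Map each non-loopback, non-0.0.0.0 IP in O1 entries to its hostnames."""
    hits = defaultdict(list)
    for code, body in parse(log):
        m = HOSTS.match(body) if code == "O1" else None
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field, nothing to group on
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits[str(ip)].append(m["name"])
    return dict(hits)

def extra_winlogon_programs(log):
    """Return programs listed besides the expected Shell/UserInit binary."""
    extras = {}
    for code, body in parse(log):
        m = F2.match(body) if code == "F2" else None
        if not m:
            continue
        key = m["key"].lower()
        parts = [p.strip() for p in m["value"].split(",") if p.strip()]
        added = [p for p in parts
                 if p.rsplit("\\", 1)[-1].lower() != EXPECTED[key]]
        if added:
            extras[key] = added
    return extras
```

Many unrelated banking hostnames grouped under one routable address, as in the log above, is the pattern to look for in the output of `redirected_hosts`.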





