here's my log - thanks!
Logfile of HijackThis v1.99.1
Scan saved at 21:34:37 PM, on 7/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ntmssvc.exe
C:\Program Files\BestBuy\HelpExpress\Admin\HXIUL.EXE
C:\Program Files\BestBuy\HelpExpress\Admin\Client\HelpExp.exe
C:\Program Files\BestBuy\HelpExpress\Admin\HXDL.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\security\logs\mainad.exe
C:\Program Files\Rebate_Nation\RebateNation1.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinFixer 2005\WFX5.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\DOCUME~1\ADMIN\LOCALS~1\TEMP\MASH11~1.TMP\setup.exe
C:\DOCUME~1\ADMIN\LOCALS~1\TEMP\MASH11~1.TMP\mcappins.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Program Files\Rebate_Nation\RebateNation0.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Admin\erwe.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.somethingpositive.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.topfivese....com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topfivese....com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...0770&id=5.20013
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...0770&id=5.20013
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.sho...0770&id=5.20013
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.sho...0770&id=5.20013
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Admin\LOCALS~1\Temp\daniam.dat
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [jehehsr] C:\WINNT\jehehsr.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [*antimain] C:\WINDOWS\Config\antimain.exe
O4 - HKLM\..\Run: [*odbcsrv] C:\WINDOWS\Fonts\odbcsrv.exe
O4 - HKLM\..\Run: [*mcweb] C:\WINDOWS\inf\mcweb.exe
O4 - HKLM\..\Run: [*ipwms] C:\WINDOWS\ipwms.exe
O4 - HKLM\..\Run: [*vssms] C:\WINDOWS\vssms.exe
O4 - HKLM\..\Run: [*javaanti] C:\WINDOWS\system\javaanti.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [RebateNation0] "C:\Program Files\Rebate_Nation\RebateNation0.exe"
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitebjb32.exe
O4 - HKLM\..\RunOnce: [*mainad] C:\WINDOWS\security\logs\mainad.exe rerun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ntmssvc] C:\WINDOWS\System32\ntmssvc.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\BestBuy\HelpExpress\Admin\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\BestBuy\HelpExpress\Admin\Client\HelpExp.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\BestBuy\HelpExpress\Admin\HXDL.EXE -from="MANIFEST.DAT" -to="MANIFEST.DAT"
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\system32\spool\prtprocs\dllvss.exe ren my_time:1121716348
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Rebate Nation - file://C:\Program Files\Rebate_Nation\Sy5300\Tp5300\scri5300a.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
http://public.windup...a1fc0d185f2132e
35bfd208bde7bfe9dea642faef3295f4f481cc5cfa83ba2e1bd5c705b365b125dbb7b88
ab26e12f85fd528:199ee2fabb487c2f7632a3c55842ae1b
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...nfo.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_02) -
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weat...ibuginstaller.cab
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) -
O20 - Winlogon Notify: mainad - C:\DOCUME~1\Admin\LOCALS~1\Temp\daniam.dat
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe