
SOS!


  • This topic is locked
92 replies to this topic

#41 boogieonrw

boogieonrw

    Member

  • Members
  • 63 posts

Posted 08 February 2005 - 04:59 PM

okay...i left the program running for something like 2 hours, and it still didn't open any notepad, should i restart or continue allowing it to possibly do something....

originally, the program only worked in safe mode
so is there any way that i can have it completely run in safe mode?


here's exactly what happened:

i started in safe mode. i ran the program. it said it needed to restart to complete, it counted down, it restarted
i logged on. it said it loaded. it said it was searching, please wait

and that's where we are

the program looks frozen (the little red line is not blinking)

#42 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 08 February 2005 - 05:48 PM

It probably won't work in Safe mode

We must try another method

Let's try this first>>something is getting in the way and I'm not seeing any updates on this situation

download and save it to desktop Remv3.zip
UNZIP the contents to a folder

IMPORTANT>>and you must be in Safe mode for this to work
With windows set to Show Hidden Files and Folders

In safe mode open the folder you unzipped the contents of remv3.zip and double click on
remv3.bat
Let it run until the dos window closes

RESTART back to Normal mode

Remv3.bat would have produced a log
Navigate to c:\log.txt and post the whole contents of this log

Also post a fresh hijackthis log

Please stop bouncing back and forth from Normal mode to safe mode as minimally as you have to
You're making this very difficult, we still have a bit of cleaning to do and you're allowing these infections to multiply

You really have to just let me know what the problems are, STOP and wait for instructions

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#43 boogieonrw


Posted 08 February 2005 - 06:58 PM

okay- i am right there.

my computer is starting in normal mode now... the log file did save to the hard drive, i saw it there

but now the c command thing is open from earlier, the same one that wouldn't really close

it says

"killing explorer and rundll32.exe
the system cannot find the path specified
0 files copied
scanning first pass. please wait"

this is the screen where i waited for a whole 2 hours before, however it said 1 file copied originally





thanks, awaiting your instruction

jordan

#44 guestolo


Posted 08 February 2005 - 07:03 PM

If the scan finishes with L2Mfix
Post both logs from L2mfix and Remv3.bat

Also post a fresh hijackthis log

And try not to do anything else until I get a chance to see all logs, thanks

I'm stepping out for a bit so I'll see the logs when I get back

EDIT>>the scan shouldn't take no 2 hours
Tops 5 minutes
If you can't get the scan to finish post me the Log.txt from within the L2mfix folder

If you can't get into Windows in Normal mode

First Hit (Ctrl+Alt+Del) on your keyboard to bring up the Task manager

End task on L2mfix

Then click on FILE in the Task manager
New Task(Run)
Type in
explorer.exe
and hit OK

That should get you back to Windows in Normal mode

I need to see some logs



#45 boogieonrw


Posted 08 February 2005 - 08:39 PM

i had to remove the l2mfix from starting during safemode in hijackthis, otherwise it kept opening and freezing,
i also removed my outdated mcafee from starting because when too much stuff was starting it had an aversion for freezing... i

here's the log.txt



Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll


and hijack this



Logfile of HijackThis v1.99.0
Scan saved at 9:37:12 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true (obfuscated)
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe









Finished

#46 guestolo


Posted 08 February 2005 - 08:42 PM

In the L2mfix folder should be a log called log.txt
Can you post that here please



#47 boogieonrw


Posted 08 February 2005 - 09:22 PM

this is lo2.txt

figure it may be what you're lookin for


L2Mfix 1.02a

Running From:
C:\Documents and Settings\jordan\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\jordan\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\jordan\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1976 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

#48 boogieonrw


Posted 08 February 2005 - 09:43 PM

my daughter switched users on the computer with a virus (who knows why)
and all of the desktop icons opened

dddd.exe
tvshdg.exe
IEXPLORER (caps lock)

and all of those other demon programs were running....i don't know what that means, but ...
i'll post another hijackthis log

#49 boogieonrw


Posted 08 February 2005 - 09:45 PM

Logfile of HijackThis v1.99.0
Scan saved at 10:45:30 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\windows\system32\packager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true (obfuscated)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
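
Added example (not part of the original thread, and not code from HijackThis or its authors): a small Python diff of two HijackThis logs, run on shortened excerpts of the logs in posts #45 and #49, to show which running processes and registry-backed entries appeared between the two scans. The function names `parse_hjt` and `diff_logs` are illustrative.

```python
import re

# A HijackThis entry is "<section> - <detail>", e.g. "O4 - HKLM\..\Run: [x] path".
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - .+$")

def parse_hjt(log_text):
    """Split a HijackThis log into running processes and section entries."""
    # Keys are lower-cased: one log lists the same image as System32 and system32.
    procs, entries, in_procs = {}, {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False          # the process list ends at the first entry
            entries[line.lower()] = line
        elif in_procs and line:
            procs[line.lower()] = line
    return procs, entries

def diff_logs(before, after):
    """Report what appeared and disappeared between two scans."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {
        "new_processes": sorted(p1[k] for k in p1.keys() - p0.keys()),
        "gone_processes": sorted(p0[k] for k in p0.keys() - p1.keys()),
        "new_entries": sorted(e1[k] for k in e1.keys() - e0.keys()),
        "gone_entries": sorted(e0[k] for k in e0.keys() - e1.keys()),
    }

# Shortened excerpts of the two logs in this thread (posts #45 and #49).
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\windows\system32\packager.exe

O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

if __name__ == "__main__":
    for kind, lines in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(kind)
        for line in lines:
            print("   ", line)
```

An entry that is present in both scans, such as the `(no file)` BHO above, does not show up in the diff, so the diff narrows down what changed but does not replace reading the full log.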

#50 boogieonrw


Posted 08 February 2005 - 10:47 PM

is there any way for me to condense all of the users on my computer down to only one user? i have XP

you know, kind of get rid of the other profiles....so i'm only really dealing with one computer and one set of files running, etc.

i was thinking perhaps this would be easier for me to fix the virus if this was possible.


in any event. upon restarting under my user name, it is running more smoothly than it was on hers, however the tvgmd or whatever it was called, and a program called packager.exe and also every once in a while a program called calc.exe are running in my task manager and are not allowing a close.

it's really a shame about this whole l2mfix dilemma,
do u think the virus is stopping it from running? before that series of restarts in order to get the l2mfix to complete.... the virus seemed basically contained- it hadn't been running during the hijackthis checks and also in my task manager...

that file ixgnear or whatever it was (the one i disabled starting automatically)
has disappeared (i checked on it while in safe mode running the l2mfix, just out of curiosity - to see if it had stayed disabled)
i thought that was weird.



thanks a lot, you really go above and beyond, and i hope that you are making money somehow from this site, let me know if you aren't and i'll take care of you

#51 guestolo


Posted 08 February 2005 - 11:28 PM

Well, we still have to do some cleaning

Ensure that you have Notepad.exe in both these locations
C:\WINDOWS and C:\WINDOWS\System32 folders
If one or both are missing download a new copy from this link
http://www.merijn.or...es.html#notepad
Save to desktop and UNZIP to both those folders

Download and Install
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacools...areblaster.html
Hold onto this and check for updates every couple of weeks

Ensure you still have Searchmiracle.reg and Hoster

From this account

Open Hijackthis>>Open Misc Tools>>Open Process Manager and kill these processes
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\windows\system32\packager.exe


Do another scan with Hijackthis and put a check next to these entries

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe

O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


Click FIX CHECKED, be sure all other windows are closed

RESTART your computer into safe mode

Find and delete
C:\WINDOWS\isrvs <--this folder
c:\windows\system32\tvshdg.exe <--file

Double click on Searchmiracle.reg and allow to merge to the registry

Open Hoster and Restore Original hosts

Run Windows CleanUp! in Safe mode

RESTART back to Normal mode

I need you to Redownload
eScan in case it was updated, you can delete your old copy
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and paste it in your next reply.

Also, I'm uploading a file called Findit.zip
UNZIP the contents to a folder, then open that folder and double click on Find.bat. It will run for awhile (should be no longer than 15 minutes) then produce a log (ignore any File not found messages on the screen)
Please copy and paste the contents of the log to this thread please.

Also post a fresh hijackthis log from this log>>We'll Call Log2

Could I have you do one more thing for me, I'm hoping we almost got all of it

Can you go to START>>RUN>>type cmd
Hit ok

Type these into the command prompt box hitting Enter after ea