Everything posted by Tarun
-
hijackthis logfile 10/24 for christopher
Tarun replied to christopher's topic in Malware Prevention and Security
You can save the batch file to your desktop. Unlocker may be a better method for you. -
hijackthis logfile 10/24 for christopher
Tarun replied to christopher's topic in Malware Prevention and Security
O4 - HKLM\..\Run: [plvhirg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\plvhirg.dll,sknyisb

To delete this line, enter these lines in Notepad.

cd C:\Windows\System32\
del /f /q plvhirg.dll

Save As... DeleteMalwareDLL.bat

Or, you can get Unlocker and navigate to C:\Windows\System32, then use Unlocker on the plvhirg.dll. Also, schedule a boot-time Avast virus scan to remove all the malicious files. -
hijackthis logfile 10/24 for christopher
Tarun replied to christopher's topic in Malware Prevention and Security
Because they do not have to be deleted, as they are not malicious. However, if you delete them there will be a performance boost or other positive effects such as faster bootup, etc. -
You can use VistaBootPRO to clean up the new boot management.
-
Have you tried Dial-a-fix?
-
Dial-a-fix can repair your permissions.
-
Start > Run > notepad

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"="YOUR DESIRED NAME HERE"

Save as... RegOwner.reg
-
I personally do not trust anything that was at one time listed on the Spyware Warrior Rogue/Suspect Anti-Spyware page. From their site: Note on Spyware Detector: Spyware Detector was listed on this page because of concerns with false positives. Testing with the latest version of Spyware Detector indicates that the problems with earlier versions have been satisfactorily resolved. Thus, we can no longer consider Spyware Detector to be "rogue/suspect" anti-spyware.
-
hijackthis logfile 10/24 for christopher
Tarun replied to christopher's topic in Malware Prevention and Security
The optional items are totally safe to delete (and recommended) too. -
Still shows this picture badly on my site..

This may be why:

<span id="joomla" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='http://www.wincert.net/templates/jw_onemorething/images/omt_joomla_trans.png',sizingMethod='scale');"></span>

DXImageTransform.Microsoft.AlphaImageLoader caught my attention.

I might try...

<span id="joomla"><img src="http://www.wincert.net/templates/jw_onemorething/images/omt_joomla_trans.png" alt="Technews" title="WinCert.net Tech News"></span>
-
Added security through free DNS - OpenDNS
Tarun replied to Tarun's topic in Networks and the Internet
Those are old generic DNS server IPs. They were first with AT&T and slowly spread out. The ones offered in the original post offer anti-phishing and better speeds. -
Reset everything in IE7 to the defaults.
-
Cleaned out misinformation again. More vital services and other items were being ripped out. If people are unsure what something is, do not guess, just wait for someone who is an expert in the field to post. Tal, once you have completed all of the scans please post a new log. Closed
-
hijackthis logfile 10/24 for christopher
Tarun replied to christopher's topic in Malware Prevention and Security
Incorrect. If they were to return there would be a name and a file associated with them. -
It's late and I had a busy day so I'll chat with you tomorrow about it
-
Avast - English
-
Run Avast and then my Anti-Malware Pro package (just updated it tonight with the rest of my site)
-
hijackthis logfile 10/24 for christopher
Tarun replied to christopher's topic in Malware Prevention and Security
I did read your post thoroughly. If you had checked off items like these and did the fix, they wouldn't return. Items such as these wouldn't be there again.

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {7B6020C8-7F87-70B3-1AAC-B50F918B8A79} - (no file)

Do you need more help with using HijackThis? -
hijackthis logfile 10/24 for christopher
Tarun replied to christopher's topic in Malware Prevention and Security
Refer to this post, as nothing has changed. What to do in HijackThis: Scan for a log but do not save it. Next, every item listed in the referenced post should have a checkmark beside it in HijackThis. After they have been checked, you click on Fix Checked. -
Looks fake to me. Poor grammar and everything in it as well. Notice how there are no spaces after the commas for each continent/area?
-
Why you need to install IE7 even if you use Firefox or Opera
Tarun replied to TravisO's topic in Windows XP
Indeed, don't use them. The parts of upgrading IE is right on; but actually using the browser... ...what's the point? -
hijackthis logfile 10/19 for christopher
Tarun replied to christopher's topic in Malware Prevention and Security
The post was removed due to incorrect information that was provided telling the user to remove services and other needed files through HijackThis when the files existed and were properly functioning. HijackThis has a bad bug where it can report items such as services as missing when the files actually exist. This is further proven by reading the running processes of the user's log.

Help with HijackThis logs is appreciated; however, not reading the logs fully with a proper analysis is not appreciated, as you are essentially telling the user to rip out vital parts of their services and other required items for functionality.

Two of the four Avast services are listed as missing as seen below.

Now, looking into the running processes we find the following.

Clearly, we can see that the "file missing" reports from HijackThis are not actually missing, but are present and running properly.

Again, helping with the HijackThis logs is fine; but please read over them completely and nothing less.

As the user has posted a new log and this one does not need to remain open for further discussion, this topic is now... Closed. -
hijackthis logfile 10/22 for christopher
Tarun replied to christopher's topic in Malware Prevention and Security
You still have several infections. See below for recommendations. You still have several traces of malware. Did you run SpywareBlaster, CCleaner, CWShredder, Ad-Aware, Spybot and AVG Anti-Spyware?

Generated by Tarun's HijackThis Converter v0.50 Beta. Default-color items are optional, red are known to be malicious.

Changed registry value
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

Created registry value
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

Changed registry value
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

Created registry value
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://contexualsearch.com/searchbar.html

Enumeration of existing IE's BHO's
O2 - BHO: (no name) - {1AD71CBA-7F06-75C3-F09C-00027DA5D459} - C:\WINDOWS\System32\kcuyfjb.dll
O2 - BHO: (no name) - {2E275F81-808E-E084-8D30-02D5A84D1C85} - C:\WINDOWS\System32\vwjgvii.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

Enumeration of existing IE's toolbars
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {7B6020C8-7F87-70B3-1AAC-B50F918B8A79} - (no file)

Enumeration of suspicious auto-loading registry entries
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [uoffxzl.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\uoffxzl.dll,vejahhc
O4 - HKLM\..\Run: [opziqk.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\opziqk.dll,ibizbed
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Extra "Tools" menu items and buttons
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

IE plugins for file extensions or MIME types
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Changing of IERESET.INF
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

Downloaded Program Files item
O16 - DPF: HushEncryptionEngine - https://mailserver2.hushmail.com/shared/Hus...ptionEngine.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud2.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...tupv2.0.0.9.cab?
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O20 - AppInit_DLLs: c:\windows\system32\awtsqpp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll

ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)

Recommendations:
- Uninstall the Yahoo AntiVirus since you have Avast and it is a far superior anti-virus.
- Make use of Spybot S&D's SDHelper for IE.

Let me know if any of this has helped. I'm not sure why your malware continues to return unless there is an issue with a virus or a strong hijacker.
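As an added example (it is not Tarun's HijackThis Converter and not code from any post in this thread), here is a small Python triage script that encodes the reasoning used across these replies: "(no file)" entries are harmless leftovers that are safe to fix, rundll32 Run entries named after a DLL in System32 (the plvhirg.dll, uoffxzl.dll and opziqk.dll lines above) and AppInit_DLLs entries need a closer look, and an O23 "(file missing)" report is only believed when the service binary is also absent from the log's running-process list. The sample entries are constructed from lines in the log above; the O23 line, the process list and the list of benign IE default hosts are assumptions made for the example.

```python
"""Heuristic triage of HijackThis log entries (added example, not the forum's tool)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on entries from the log posted above. The O23
# line is constructed to show the "(file missing)" case the thread discusses.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://contexualsearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {1AD71CBA-7F06-75C3-F09C-00027DA5D459} - C:\WINDOWS\System32\kcuyfjb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [uoffxzl.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\uoffxzl.dll,vejahhc
O20 - AppInit_DLLs: c:\windows\system32\awtsqpp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
""".strip().splitlines()

# Constructed "Running processes" section of the same log (an assumption).
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]

# Assumption: these IE default hosts are benign; any other start/search host is reviewed.
KNOWN_IE_HOSTS = {"www.yahoo.com", "go.microsoft.com"}
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
# Run value name, then rundll32.exe, then the DLL it loads (up to the ",export" part).
RUNDLL_ENTRY = re.compile(r"Run: \[([^\]]+)\]\s+\S*rundll32\.exe\s+(\S+?\.dll),", re.I)
ENTRY_ID = re.compile(r"^[ROF]\d+$")  # R0/R1, O2..O23, F0..F3 section tags


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]


@dataclass
class Finding:
    section: str
    verdict: str  # review | orphan | verify | ok
    reason: str
    line: str


def triage_line(line: str, running: list[str]) -> Optional[Finding]:
    """Classify one HijackThis entry; returns None for non-entry lines (headers, process list)."""
    section, sep, body = line.strip().partition(" - ")
    if not sep or not ENTRY_ID.match(section):
        return None
    body = body.strip()
    running_lc = {p.lower() for p in running}

    def finding(verdict: str, reason: str) -> Finding:
        return Finding(section, verdict, reason, line)

    if body.endswith("(no file)"):  # O3/O21 leftovers: harmless, safe to check and fix
        return finding("orphan", "points at a file that no longer exists; harmless, safe to fix")
    if section in ("R0", "R1"):  # IE start/search URL not on the benign list
        url = body.rsplit("=", 1)[-1].strip()
        host = re.sub(r"^https?://", "", url).split("/")[0]
        if host not in KNOWN_IE_HOSTS:
            return finding("review", f"IE start/search URL points at unfamiliar host {host}")
    elif section == "O2":  # unnamed BHO living in System32
        dll = body.rsplit(" - ", 1)[-1]
        if body.startswith("BHO: (no name)") and SYSTEM32.match(dll):
            return finding("review", f"unnamed BHO loaded from System32: {basename(dll)}")
    elif section == "O4":  # Run value named after the System32 DLL rundll32 loads
        m = RUNDLL_ENTRY.search(body)
        if m and m.group(1).lower() == basename(m.group(2)).lower() and SYSTEM32.match(m.group(2)):
            return finding("review", f"rundll32 Run entry named after its own System32 DLL: {m.group(1)}")
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        return finding("review", "AppInit_DLLs injects into every GUI process; rarely legitimate on a home PC")
    elif section == "O23" and body.endswith("(file missing)"):
        exe = body[: -len(" (file missing)")].rsplit(" - ", 1)[-1]
        if exe.lower() in running_lc:  # the bug discussed in the thread: reported missing, yet running
            return finding("verify", "reported missing but present in the running-process list; do not fix")
        return finding("review", f"service binary not found and not running: {basename(exe)}")
    return finding("ok", "no rule matched")


def triage(lines: list[str], running: list[str]) -> list[Finding]:
    return [f for f in (triage_line(l, running) for l in lines) if f is not None]


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_PROCESSES):
        print(f"{f.verdict:7} {f.section:4} {f.reason}")
```

The rules are deliberately structural (where a file lives and how it is loaded) rather than guesses about whether a name "looks random", because a short filename heuristic misfires on legitimate entries like jusched.exe or igfxsrvc.dll. Anything marked review still needs a human check before it is fixed in HijackThis, and anything marked verify is exactly the case Tarun describes above: cross-check against the running-process list before removing a service.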