[Fixed] Hijackthis! Logs - [Fixed] need some help here
#8
03-11-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

It sounds like a reformat is gonna be problematic, and you have never done it before? In that case it might be better to just clean it anyway.

I said it would be a lot of work, not impossible. Let me know if you're still around and I'll make a list of instructions to clean it up.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#9
03-12-2006
bluecanvas
PCHF $ Donor
Join Date: Mar 2006
Posts: 19
I'm still here...and help is still needed :)

Hi joe05,
Hi, I'm still around struggling to clean my pc .. I appreciate your help so much. So I posted my hijackthis log again for you to see it. Again thank you.
Attached Files
File Type: log hijackthis.log (9.6 KB, 1 views)


#10
03-12-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

:shocked: :shocked: WOW!! What have you been doing?!?! Your latest hijackthis log is only 9.6kb, the first was 14.4kb.. It's almost clean! :cheesy: A THIRD of the entire log is gone!


Did you only do our Prework instructions? If yes, then I'd really like to see the Ewido log. Have a look in "C:\Program Files\ewido\security suite\Reports" to see if the log is saved there. If it is then please attach it to your next reply.


First go to add/remove programs and uninstall Zenosearch if present.

Then boot in safe mode (hit F8 when booting up) and fix these with hjt:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
O2 - BHO: (no name) - {3293FA30-437F-7AE3-E805-56C7EB39BD9F} - C:\WINDOWS\Kcxuzrvx.dll (file missing)
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\owinrrag.exe CORN001
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [CU1]
O4 - HKCU\..\Run: [CU2]
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinrrag.exe
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
Then manually delete the files in bold, and run CCleaner again.

Then please post a new hjt log, and if you still have it, the Ewido log as well.

Also it seems you have no firewall, to be better protected from things like this you should have one. Have a look in our download section for some free ones if you want.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
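
The fix list in the post above contains entries that point at the same file from different load points (w9seq.dll under O2 and O18, owinrrag.exe under two O4 entries). The following added example, which is not part of the original thread, parses HijackThis lines and groups them that way; the section descriptions, function names and the two structural checks are this example's own choices, and the sample lines are copied from the post.

```python
import re
from collections import Counter, defaultdict

# Standard HijackThis section codes seen in this thread.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "autostart entry", "O10": "Winsock LSP",
    "O18": "protocol/filter handler", "O20": "AppInit_DLLs",
    "O23": "NT service",
}
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|]*?\.(?:exe|dll)', re.I)

# Sample entries copied from the fix list in the post above.
SAMPLE = r'''
O2 - BHO: (no name) - {3293FA30-437F-7AE3-E805-56C7EB39BD9F} - C:\WINDOWS\Kcxuzrvx.dll (file missing)
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\owinrrag.exe CORN001
O4 - HKCU\..\Run: [CU1]
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinrrag.exe
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
'''.strip().splitlines()

def parse(line):
    """Split one log line into (code, body, lowercased path or None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    p = PATH_RE.search(body)
    return code, body, (p.group(0).lower() if p else None)

def triage(lines):
    """Return (notes, shared): structural observations, not verdicts."""
    notes, refs = [], defaultdict(list)
    for code, body, path in filter(None, map(parse, lines)):
        if path:
            refs[path].append(code)
        if "(file missing)" in body or "(no file)" in body:
            notes.append((code, "target file absent"))
        elif code == "O4" and "Run:" in body and not path:
            notes.append((code, "Run value has no executable path"))
    # Files referenced from more than one load point; each entry needs fixing.
    shared = {p: c for p, c in refs.items() if len(c) > 1}
    return notes, shared

def section_counts(lines):
    """Count entries per section description."""
    return Counter(SECTIONS.get(e[0], e[0]) for e in map(parse, lines) if e)
```

Calling `triage(SAMPLE)` returns the orphaned and empty entries plus a map of each shared file to the section codes that load it.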

#11
03-12-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Just to illustrate, this is the bad stuff that was present:

C:\WINDOWS\RmVsbWE\command.exe
C:\mousepad1.exe
C:\WINDOWS\egrwmlgA.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win32098-59121249.exe
C:\WINDOWS\system32\csrrs.exe
C:\windows\system32\qqdsregn.exe
C:\WINDOWS\system32\owinrrag.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\WINDOWS\egrwmlg.exe
C:\Program Files\Common Files\Windows\services32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {3293FA30-437F-7AE3-E805-56C7EB39BD9F} - C:\WINDOWS\Kcxuzrvx.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\tbu02640\TOOLBA~1.DLL
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\tbu02640\ToolBar888.dll
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad1.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys1.exe
O4 - HKLM\..\Run: [egrwmlgA] C:\WINDOWS\egrwmlgA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32098-59121249] C:\WINDOWS\win32098-59121249.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [{2D-D0-02-2E-ZN}] C:\windows\system32\qqdsregn.exe CORN001
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinrrag.exe CORN001
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinrrag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: svchost.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: repairs303169542.dll,wbsys.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RmVsbWE\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\egrwmlg.exe


And some are pretty nasty, and some need special instructions/tools and can be tricky to remove.
I really would like to see the Ewido log, lol.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 03-12-2006 at 07:26 PM.
#12
03-12-2006
bluecanvas
PCHF $ Donor
Join Date: Mar 2006
Posts: 19
here's the ewido log

Good day joe05, here's the ewido report ... I did use Spybot also :read2: :sleepy1: ... I'm kinda late in replying cause I'd stay late trying to clean it out and getting ready for my final :grin: ... now all I need is your expertise..
Attached Files
File Type: txt Scan report_20060310.txt.txt (10.2 KB, 1 views)


#13
03-12-2006
bluecanvas
PCHF $ Donor
Join Date: Mar 2006
Posts: 19
hijackthis log

So I did what you told me joe and here is the log. I noticed that four of the items you told me to manually delete can't be deleted because they came back afterward. :o What to do?
Attached Files
File Type: log hijackthis.log (9.2 KB, 1 views)


#14
03-12-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Have a look in add/remove programs for anything related to Zeno, if there is then uninstall it, or if unsure post what you find for me to look at.

And do you use/want the PeoplePC software? If not, then also uninstall that in add/remove programs.

Then do a Panda ActiveScan here:

http://www.pandasoftware.com/products/activescan

Post back the log from it, and also a new hjt log please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

