ok.. so here is my problem in a nutshell.. I just got home (i live in the city on the weekdays) and my home computer had been having a lot of issues.. so a friend came and reformatted it a couple nights before i came home. That same night, a friend of my fiance's came over and stayed the night, and when my fiance went to bed, this friend decided to go look at porn sites (i know you are thinking .. yeah.. friend.. lol.. but my fiance doesnt really know how to use the computer). Anyways.. so i get home and the internet is really slow so i leave it for the night.

Today, I get up and the computer is locked up.. i reboot. Internet not working. So i reboot the modem and computer. nothing. I call tech support and apparently I have a virus that is trying to infect all the computers on the network!! So they disabled my modem. My problem is that due to the reformatting of the computer, I dont have any scanners on my computer, except ad-aware. I managed to get hijackthis last night before the internet shut down.

Advice please! I am at my mothers now, and I will come back to check after work. Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 12:47:47 PM, on 12/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system32\rmdsregl.exe
C:\windows\adtech2006a.exe
C:\WINDOWS\QnJ1Y2U\command.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\System32\rpcsvc.exe
C:\WINDOWS\system32\freecell.exe
C:\Documents and Settings\Bruce\My Documents\downloaded (shyla)\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-ca\msntb.dll
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\3.tmp
O4 - HKLM\..\Run: [{14-41-10-0E-ZN}] C:\windows\system32\rmdsregl.exe DRCA02
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1134618049202
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QnJ1Y2U\command.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINDOWS\System32\rpcsvc.exe

You really need to setup a dedicated folder for HJT items – to avoid horrible clutter and potential lost backup issues.

It's best that the HijackThis tool NOT be located on your Desktop or in a TEMP folder. This way you can more easily undo any changes if something goes wrong.

Create a new folder in your C: Drive. Name it HJT (or HijackThis) such as C:\Program Files\HJT, C:\HJT and move the HijackThis.exe file in it. Run HJT from there.




Read over the following directions. Ask if anything appears unclear to you.


Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat



We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll

O4 - HKLM\..\Run: [SERVICES] C:\WINDOWS\system32\3.tmp
O4 - HKLM\..\Run: [{14-41-10-0E-ZN}] C:\windows\system32\rmdsregl.exe DRCA02
O4 - HKLM\..\Run: [ADTECH2006] C:\windows\adtech2006a.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QnJ1Y2U\command.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINDOWS\System32\rpcsvc.exe


Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.



HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:

• Temporary Internet Files
• Downloaded Program Files
• Recycle Bin
• Temporary Files

Click OK or Enter

For additional, more thorough cleaning and for multi-profile user configurations:
(*) Run Clean.bat to clean up your TEMPorary files.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.




Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


DELETE FILES:
C:\WINDOWS\DH.dll
C:\WINDOWS\system32\3.tmp
C:\windows\system32\rmdsregl.exe
C:\windows\adtech2006a.exe
C:\WINDOWS\system32\dwdsregt.exe

C:\WINDOWS\lsass.exe
C:\WINDOWS\System32\rpcsvc.exe



DELETE APPLICATION FOLDERS
C:\WINDOWS\QnJ1Y2U




POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.


There will be additional scans and procedures to be done after this.

I got my computer formatted... but now I am getting this type of screen!! (it isnt the only one.. i keep getting 'messenger service' pop ups saying to go to different registry cleaner sites... I was leery when i noticed one of the screens had the word 'damaged' misspelled.

Here is the screen I keep getting.: http://img.photobucket.com/albums/v3...20pics/msg.jpg

http://www.experts-exchange.com/Oper..._21646976.html

That is NOT a message from Microsoft. It's a popup designed to LOOK "official" and to induce you to install a 3rd party program (and buy it). Just delete it. This is, however, a good indication that you've got a bunch of spyware/adware installed on your system that MAY be a contributor to your problem.

That is your second round of 'major' infections. Submit your latest HJT log if you want to try fixing it or reformatting again if you want. Also consider that your version of XP appears to be very much out of date (no service packs - SP1 for XP [and SP2] and IE - see comments below) and likely allowing your PC to be very vulnerable to re-infection in under 15 minutes, typically. SP1 loads a firewall tool by default and is very much needed because of situations such a what you are experiencing.



Consider the following if you choose to re-format:


To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.


As a final cleanup step, it is often advisable to Reset and Re-enable your System Restore to remove any bad files that may have been backed up by Windows . The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)

PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
To Turn OFF System Restore.

1. Click the Start button.
2. Right-click My Computer, and then click Properties.
3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
4. Click Apply.

To Turn ON System Restore.

1. Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
2. Create new System Restore points.

(Windows ME)
See the following link for instructions:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam




To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:

1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
   http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
   http://www.microsoft.com/windows/ie/default.asp
   
   
2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching, there are a some good free Antivirus programs that are decent, including AVG and Avast!.
   AVG: http://free.grisoft.com/doc/1
   Avast: http://www.avast.com/eng/avast_4_home.html
   
   
3. In addition to using Ad-aware consider using another free malware scanning/removal program :
   Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
   Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
   MS Antispyware beta: http://www.microsoft.com/athome/security/s...re/default.mspx
   
   
4. Consider using a free firewall if you are not already using one. Some good free ones are:
   Sygate: http://smb.sygate.com/products/spf_standard.htm
   Zone Alarm: http://www.zonelabs.com/store/content/comp...n.jsp?lid=ho_za
   
   It is not a bad idea to also consider using a Router/Hardware firewall device where you have a high-speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.
   
   
5. Consider using an alternate free browser for general web surfing but you must use IE for windows updates.
   Mozilla Firefox: http://www.mozilla.org/products/firefox/
   
   
6. Consider increasing your browser security by using these programs:
   SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
   SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
   • If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/
     
   • IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
     https://netfiles.uiuc.edu/ehowes/www/resource.htm
   
   
7. A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
   • Run the HiJackThis tool and select ‘Open the Misc Tools section’.
   • Next select ‘Open host file manager’ button.
   • Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
   • Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.
     
     
     #start of lines added by WinHelp2002
     # [Misc A - Z]
     127.0.0.1 phpadsnew.abac.com
     127.0.0.1 a.abnad.net
     127.0.0.1 e.abnad.net
     127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
     .
     .
     .
     #end of lines added by WinHelp2002

*Remember just like your primary anti-virus software, it is important to:

• Keep all of these programs up-to-date, and
• Use them on a regular basis.

ok, so what do i do if i dont want to reformat (I dont know when i can get my friend to do it for me again.)

Here is the latest HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:29:22 AM, on 12/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\w?auboot.exe
C:\DOCUME~1\Bruce\LOCALS~1\Temp\!update.exe
C:\Program Files\osni\msla.exe
C:\Documents and Settings\Bruce\My Documents\downloaded programs\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {927C8DF1-6469-3AEF-17C5-10E4F9C179BE} - C:\WINDOWS\System32\yfetiyz.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {927C8DF1-6469-3AEF-17C5-10E4F9C179BE} - C:\WINDOWS\System32\yfetiyz.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Telecoma Center] tellcoma.exe
O4 - HKLM\..\Run: [NI.UERS_0001_NI57M1124] "C:\WINDOWS\Downloaded Program Files\UERS_0001_NI57M1124NetInstaller.exe" -nag
O4 - HKLM\..\RunServices: [Microsoft Telecoma Center] tellcoma.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Telecoma Center] tellcoma.exe
O4 - HKCU\..\Run: [Baab] "C:\Program Files\osni\msla.exe" -vt mt
O4 - HKCU\..\Run: [Otmhc] C:\WINDOWS\System32\w?auboot.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTick...cab?refid=5124
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe