Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Cant...Get...Rid...Of...It!!!

 
ladedadehahaha (Junior Member, Idaho; joined 17 Sep 2005)
Posted: Sat Sep 17, 2005 2:47 pm    Post subject: Cant...Get...Rid...Of...It!!!

Okay, I have been infected with abetterinternet.aurora, and no matter what I do it keeps coming back! I have tried all the manual ways to delete it that I could find, but nothing works. I also have been infected by cometcursor, media loads, and who knows what else. Here is my HijackThis log... Please help!

Logfile of HijackThis v1.97.7
Scan saved at 3:47:02 PM, on 9/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\khlpwu.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\SARAHG~1\LOCALS~1\TEMP\_VWUPSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Bazooka Scanner\spywarescanner.exe
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vturo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - blank (file missing)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [aonuff] C:\WINDOWS\System32\khlpwu.exe r
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} (Malicious Software Removal Tool) - http://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab

please please please help me if you can!
ladedadehahaha (Junior Member, Idaho)
Posted: Sun Sep 18, 2005 12:14 pm

Also, WinAnti Spyware 2005 keeps reinstalling itself... I have deleted it about 5 or 6 times already, but it keeps coming back.
blender (Site Admin, Ontario; joined 19 Jan 2004)
Posted: Sun Sep 18, 2005 10:57 pm

Hi and welcome

I need you to update your version of HijackThis. The new one shows much more info.

Please download the new one here:

http://spywarewarrior.com/files/HijackThis.exe

Save the download to your computer in its own folder such as C:\HJT\hijackthis.exe.

Double click the file you just saved, click "run system scan & save log file"
When Notepad pops up with the log, please copy/paste the results here.

Don't fix anything yet. Most items are safe or even essential for proper computer operation.

Once we get you cleaned up, I'll be recommending you update your Windows to SP2. Not until we get cleaned up, though.

Thanks
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
ladedadehahaha (Junior Member, Idaho)
Posted: Thu Sep 22, 2005 7:12 pm

Okay, thanks. Here is my new Hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:09:30 PM, on 9/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\bujbka.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\SARAHG~1\LOCALS~1\TEMP\_VWUPSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vturo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - blank (file missing)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ifeovu] C:\WINDOWS\System32\bujbka.exe r
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O20 - Winlogon Notify: vturo - C:\WINDOWS\System32\vturo.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\SARAHG~1\LOCALS~1\TEMP\_VWUPSRV.EXE

Thanks!
blender (Site Admin, Ontario)
Posted: Thu Sep 22, 2005 9:34 pm

Hi

Ok....quite the collection of nasties.
It will take a few rounds & tools to get em all.

something looks odd...Could be a 'botched install' but I'd like to check closer.

O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\SARAHG~1\LOCALS~1\TEMP\_VWUPSRV.EXE

Does not appear you are even running an antivirus. Did you have trouble installing AntiVir?
Services normally don't run from temp.
I need you to check that file please.

Click start> run> type %temp% and hit enter.
Look for _VWUPSRV.EXE

Right click it> choose properties.
Look under version tab.
What is company name there?
Any file description under the "general" tab?

Let me know what you find.

************

BEFORE BEGINNING, please read completely through the instructions below and download the files from the links provided. Please copy the instructions to a Notepad file for reference in Safe Mode.

We need to disable your antispyware apps to allow us to fix this.

They can be re-enabled when you're clean.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this
    Quote:
    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net


  • At this point press enter one time.
  • Next you will see:
    Quote:
    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\WINDOWS\System32\vturo.dll


  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:
    Quote:
    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
      C:\windows\System32\orutv.*

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
      O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
      O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vturo.dll
      O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - blank (file missing)

      O20 - Winlogon Notify: vturo - C:\WINDOWS\System32\vturo.dll



  • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry! If the machine does not reboot, please reboot it manually.
  • Once your machine reboots please continue with the instructions below.


Please post the vundofix.txt file from the vundofix folder into this topic.

*****************

Then......

Download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.

  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes (the status bar at the bottom will display "Update successful")
  5. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  6. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  7. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.


Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

Still some work to do.

Try and limit online time till clean. If any of the infections remain active they will download more junk.

Let me know if you had problems with any of the above.

thanks
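The reply above applies a few triage rules by eye: a service should not run from a Temp directory, and the O2/O20 pair on vturo.dll is what the VundoFix step targets. The script below is an added example written for this page, not a Spyware Warrior or HijackThis tool, that runs those checks over HijackThis log lines. The sample lines are copied from the second log posted above (with the clean Adobe, SoundMan and NVIDIA entries left in as controls). Only the Temp-directory rule is stated in the thread; the Shell= check, the "lowercase random-looking System32 autorun" check and the BHO/Winlogon Notify pairing are this example's own heuristics, named here as assumptions. A hit is a lead, not a verdict: the Temp-directory rule fires on the AntiVir update service that the poster later confirms is legitimate, so the file-properties check the helper asks for still has to be done on the machine.

```python
import re
from typing import List, Tuple

# Sample input: lines copied from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vturo.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ifeovu] C:\WINDOWS\System32\bujbka.exe r
O20 - Winlogon Notify: vturo - C:\WINDOWS\System32\vturo.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\SARAHG~1\LOCALS~1\TEMP\_VWUPSRV.EXE
""".strip().splitlines()

# Per-user Temp directory, in both 8.3 and long-name form.
TEMP_DIR = re.compile(r"\\(?:LOCALS~1\\TEMP|Local Settings\\Temp)\\", re.I)
# Shell= line with anything after Explorer.exe (a normal shell line ends there).
SHELL = re.compile(r"Shell=Explorer\.exe\s+(\S.*)$", re.I)
# O4 Run entry: value name in [] followed by the command line.
RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# Command that is a bare executable sitting directly in System32.
SYS32_EXE = re.compile(r'^"?C:\\WINDOWS\\System32\\([A-Za-z]+)\.exe"?(?:\s|$)', re.I)
# Paths of loaded BHOs and Winlogon Notify DLLs, for cross-referencing.
BHO = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (.+)$")
NOTIFY = re.compile(r"^O20 - Winlogon Notify: \S+ - (.+)$")


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries that match a heuristic."""
    bho_paths = {m.group(1).lower() for m in map(BHO.match, lines) if m}
    findings: List[Tuple[str, str]] = []
    for line in lines:
        # Rule stated in the thread: services and autostarts do not belong in Temp.
        if line.startswith(("O4 ", "O23 ")) and TEMP_DIR.search(line):
            findings.append(("autostart or service running from a Temp directory", line))
        # Assumed heuristic: an extra executable chained onto the shell.
        if line.startswith(("F0 ", "F2 ")) and SHELL.search(line):
            findings.append(("second executable appended to the Shell= line", line))
        # Assumed heuristic: value name and System32 file name are both
        # lowercase letter strings that do not match each other.
        run = RUN.match(line)
        if run:
            value_name, command = run.groups()
            exe = SYS32_EXE.match(command)
            if (exe and exe.group(1).islower()
                    and value_name.isalpha() and value_name.islower()
                    and value_name != exe.group(1)):
                findings.append(("lowercase random-looking System32 autorun", line))
        # Assumed heuristic: the same DLL loaded as a BHO and as a Winlogon
        # Notify package, which is why the reply above removes O2 and O20 together.
        notify = NOTIFY.match(line)
        if notify and notify.group(1).lower() in bho_paths:
            findings.append(("Winlogon Notify DLL is also registered as a BHO", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run against a full log, the script flags the four lines the thread ends up acting on and passes the Adobe, SoundMan and NVIDIA entries, but the Temp hit on `_VWUPSRV.EXE` shows why the rules are only a starting point for the manual properties check.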
ladedadehahaha (Junior Member, Idaho)
Posted: Fri Sep 23, 2005 12:37 am

Okay, first, the file _VWUPSRV.EXE. Here is the info I found on it:
File Version 6.31.0.1
AntiVir Software update service for Windows
Copyright 1998-2005 H+BEDV Datentechnik

Next, when I ran HiJackThis, I couldn't find the following to fix:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vturo.dll

Here is my vundofix.txt file:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 144 'smss.exe'
Threads [148][152][156]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 688 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 220 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.


Here is my log from the Ewido Scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:21:25 AM, 9/23/2005
+ Report-Checksum: 3B2B5A1E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{665ABE65-2C16-4341-B4B8-01FF799E8F4C} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D273D427-57C6-4B12-860F-BBB8195F6E2A} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-790525478-1383384898-682003330-1003\Software\Support Software -> Spyware.NetworkEssentials : Cleaned with backup
HKU\S-1-5-21-790525478-1383384898-682003330-1003\Software\Support Software\Params -> Spyware.NetworkEssentials : Cleaned with backup
C:\asdf.exe -> TrojanDownloader.Small.bhf : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@ad-logics[1].txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@ads.x10[1].txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@bs.serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@estat[1].txt -> Spyware.Cookie.Estat : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@euniverseads[2].txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Earthlink\6.0\tgreeley@mindspring.com\Cookies\sarah greeley@www.shopathomeselect[2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
:mozilla.250:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.271:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.282:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.291:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.294:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.295:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.296:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.297:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.301:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.302:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.303:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.330:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.332:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.333:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.334:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.335:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.337:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.344:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.345:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.355:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.356:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.357:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.358:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.359:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.360:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.361:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.362:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.363:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\time.class-480448a5-6518a0bb.class -> TrojanDownloader.Small.bhf : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Cookies\sarah greeley@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Cookies\sarah greeley@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Cookies\sarah greeley@bookspan.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Cookies\sarah greeley@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Cookies\sarah greeley@rotator.dex.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Cookies\sarah greeley@thunderbolt.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\btv_1001.exe -> TrojanDownloader.RVP.e : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\i2F.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\u6.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\u7.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\upd9.tmp/install.exe -> Spyware.Downloadware : Error during cleaning
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\upd9.tmp/SS.dll -> Spyware.MediaPops : Error during cleaning
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\__unin__.exe -> Spyware.Altnet : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\~YG25.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\Ftk\f.bak -> Spyware.FlashEnhancer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1822A552-6723-4C45-9931-BE9B23\E613F27C-AD40-4993-8022-48A11E -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1C488682-72E6-4532-A317-235F55\5A7E80DD-4060-4F63-94DD-20F843 -> Trojan.Agent.iw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2EBF30A5-5D1F-4511-B14F-03BF3A\C43C269E-04C0-4149-BECB-21FF58 -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\347B2EC9-BAE2-4CAA-B708-6A10FD\3CD9C51F-F5C3-4374-97B9-FB9008 -> Trojan.Agent.iw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\35D6723E-FA49-45EF-9634-A2AF24\6CA7A40C-117C-4A09-AABF-F778C2 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\375DF533-A54D-4C2D-8E9D-A85F90\535EF60F-6F83-4498-A570-A8E406 -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\587D95AF-3D5B-4703-8FC8-75F398\B41F994A-D756-4FB2-B266-D810FC -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\67151E13-C01F-4486-95C3-D31833\09628C55-95DE-417A-ADD0-32A263 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7D255DDB-A117-4C53-846D-B53621\7D3098BC-1D0B-44F8-9C87-153AE6 -> Trojan.Agent.iw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7F5EBD0A-47F4-45A1-BCA1-3E83B7\5CF866EE-43BE-4B62-9BB6-4EE1E3 -> Trojan.Agent.ay : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A238479F-04B7-4A4C-A79B-73A675\0696F7C2-BC25-41C2-A3CF-CC7A24 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AAD5E656-2967-468F-9D75-BACED3\1ED861C0-A7FF-4D25-BD32-27C9E4 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C8D6089A-F06E-428A-A25E-53B23B\F03B433C-C33A-40C6-AC64-98F15F -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CF27F7C8-D947-4161-B66F-5BD98A\DFDF12B8-1F49-4CAD-B57E-D1226D -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DC0D5C68-1021-4535-86F2-2C75BA\EC2E07C7-44B9-41E0-93C2-2A9F30 -> Trojan.Agent.iw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\FFFA1D78-B36C-428F-926B-8743D2\B3D8B45C-8E77-44FF-B71E-C8B975 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\SysAI -> Spyware.SurfSide : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\installer_MARKETING48.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\origcr.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\BO2802040113.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\in10b6.dll -> Adware.eZula : Cleaned with backup
C:\WINDOWS\system32\mlljj.dll -> TrojanDownloader.ConHook.i : Cleaned with backup
C:\WINDOWS\system32\NLNP!3.exe -> Spyware.IGetNet : Cleaned with backup
C:\WINDOWS\system32\NLNP13.dll -> Spyware.IGetNet : Cleaned with backup
C:\WINDOWS\thin-114-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

And, finally, here is my new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:32:13 AM, on 9/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\SARAHG~1\LOCALS~1\TEMP\_VWUPSRV.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\SARAHG~1\LOCALS~1\TEMP\_VWUPSRV.EXE

Also, on the ewido scan, one file couldn't be deleted because it was embedded in an archive and I didn't want to delete the whole thing without first asking. The file name was:
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\upd9.tmp/install.exe
It was embedded in the C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\upd9.tmp archive.
Anyway, just wanted to let you know.

Thanks so much for all your help so far!!
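The report format above, parsed and triaged, as an added example that is not part of the original thread and not ewido's own code. Each result line has the shape `path -> detection : status`; a forward slash inside a Windows path marks a member inside an archive (which is why ewido could not clean `upd9.tmp/install.exe` on its own), and a `:mozilla.<n>:` prefix marks record n of a Firefox cookies.txt rather than a separate file. The sample input is a handful of lines copied from the report above; the helper separates tracking cookies from executable payloads and names the container archive that has to be removed whole.

```python
"""Triage helper for ewido-style scan reports.

Added example, not code from the original thread or from ewido. Each result
line in the report has the shape

    <path> -> <detection> : <status>

where a path of the form <archive>/<member> means the detection sits inside
an archive (ewido cannot clean the member alone, hence "Error during
cleaning"), and a ":mozilla.<n>:" prefix means record <n> of a Firefox
cookies.txt rather than a separate file."""

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

MOZ_PREFIX = re.compile(r"^:mozilla\.(\d+):")
CLEANED = "Cleaned with backup"


@dataclass
class Finding:
    path: str          # file on disk (the archive path when the hit is a member)
    detection: str     # ewido detection name, e.g. Spyware.Cookie.2o7
    status: str        # "Cleaned with backup", "Error during cleaning", ...
    container: Optional[str] = None      # archive holding the member, if any
    cookie_record: Optional[int] = None  # Firefox cookies.txt record number

    @property
    def is_cookie(self) -> bool:
        # Tracking cookies are data, not code: worth clearing, not an infection
        return self.detection.startswith("Spyware.Cookie.")


def container_of(path: str) -> Optional[str]:
    """Windows paths use backslashes; a forward slash marks an archive member."""
    return path.split("/", 1)[0] if "/" in path else None


def parse_report(text: str) -> list:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if " -> " not in line or " : " not in line:
            continue  # header, blank line, "::Report End"
        path, rest = line.rsplit(" -> ", 1)
        detection, status = rest.rsplit(" : ", 1)
        record = None
        m = MOZ_PREFIX.match(path)
        if m:
            record = int(m.group(1))
            path = path[m.end():]
        findings.append(Finding(path, detection.strip(), status.strip(),
                                container_of(path), record))
    return findings


def summarize(findings) -> dict:
    uncleaned = [f for f in findings if f.status != CLEANED]
    return {
        "total": len(findings),
        "by_status": dict(Counter(f.status for f in findings)),
        "cookies": sum(1 for f in findings if f.is_cookie),
        "payloads": sum(1 for f in findings if not f.is_cookie),
        "uncleaned": uncleaned,
        # Archives to delete whole, since the member could not be cleaned alone
        "containers_to_remove": sorted({f.container for f in uncleaned if f.container}),
    }


# Constructed sample: a few lines copied from the report posted above.
SAMPLE_REPORT = r"""
+ Scan result:

:mozilla.27:C:\Documents and Settings\Sarah Greeley\Application Data\Mozilla\Firefox\Profiles\tfiktdzo.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\btv_1001.exe -> TrojanDownloader.RVP.e : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\upd9.tmp/install.exe -> Spyware.Downloadware : Error during cleaning
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\upd9.tmp/SS.dll -> Spyware.MediaPops : Error during cleaning
C:\WINDOWS\system32\mlljj.dll -> TrojanDownloader.ConHook.i : Cleaned with backup

::Report End
"""

if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    for key in ("total", "cookies", "payloads", "by_status"):
        print(f"{key}: {report[key]}")
    for f in report["uncleaned"]:
        print(f"NOT CLEANED: {f.detection} in {f.path}")
    for archive in report["containers_to_remove"]:
        print(f"delete whole archive: {archive}")
```

Run against the full report, `containers_to_remove` is the list to hand back to the helper (here just `upd9.tmp`), while the cookie/payload split keeps the hundred-odd `Spyware.Cookie.*` hits from drowning out the dozen real binaries in `Temp`, `system32` and the Microsoft AntiSpyware quarantine.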
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 21 Jul 2010
Posts: 13103
Location: Ontario

PostPosted: Fri Sep 23, 2005 3:49 am    Post subject:

Hi

Excellent work!
You had 2 difficult-to-remove problems. Both nailed in one go.

Go ahead and let Ewido delete that file:

C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\upd9.tmp

Looks like that was the only one that gave "problems".

A couple of other items in the HJT log to fix. HJT cannot do it because of the way the registry keys are named.

I have another tool for that one.

Download Registrar Lite from here:

http://www.resplendence.com/download/reglite.exe

Install the program
Double-click the purple rlite shortcut on the desktop.

Copy and paste the following text into the address bar, then hit 'Go':

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key. We want to remove these ones:

{CFBFAE00-17A6-11D0-99CB-00C04FD64497}_
{5D60FF48-95BE-4956-B4C6-6BB168A70310}_


Notice the underscore at the end. They should be the first ones. Leave any others present. Only delete the two I listed.

Right-click on each one and select Delete. If you get a confirmation question, respond OK, then close out the program.

Run a new HiJackThis log and post it in this thread for review.

As for your AntiVir program... it looks like just the updater is left.

Are you able to start AntiVir?
Can you configure options, run scan, run update, etc?

Let me know about that, please. It's important we get your antivirus working properly.

Thanks
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
ladedadehahaha
Junior Member


Joined: 17 Sep 2005
Last Visit: 02 Sep 2009
Posts: 32
Location: Idaho

PostPosted: Fri Sep 23, 2005 9:46 am    Post subject:

Alright, here is my new HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:32:51 AM, on 9/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\SARAHG~1\LOCALS~1\TEMP\_VWUPSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{554F208C-FA9E-421F-80B3-93CA7BAFD758}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\SARAHG~1\LOCALS~1\TEMP\_VWUPSRV.EXE

Also, I deleted my AntiVir a while back because it wasn't working properly. I guess the updater is what got left behind, so I'm guessing I'm going to need to download another antivirus program...

I also ran ewido again to try and delete that file, so just in case you need it, here is my log of that:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:45:42 AM, 9/23/2005
+ Report-Checksum: 4A71222D

+ Scan result:

C:\Documents and Settings\Sarah Greeley\Cookies\sarah greeley@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Cookies\sarah greeley@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Cookies\sarah greeley@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\upd9.tmp/install.exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\Sarah Greeley\Local Settings\Temp\upd9.tmp/SS.dll -> Spyware.MediaPops : Cleaned with backup


::Report End

And, I believe that's all you asked for! Thanks again! It feels so nice to finally be getting all of this taken care of for good!
blender
Site Admin


Joined: 19 Jan 2004
Last Visit: 21 Jul 2010
Posts: 13103
Location: Ontario

PostPosted: Fri Sep 23, 2005 11:54 am

Hi

Looking better all the time. Smile

Have Hijackthis fix the following:

R3 - Default URLSearchHook is missing

If that line returns...
Copy the following text inside the code box to a new Notepad file.
Save as file name fix.reg
As file types all files
Save it to desktop.

Once saved...double click it and allow merge.
You should get a success message.
You can delete fix.reg when done.

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""



AntiVir...

Lets see if we cant get it working.
Will remove the old service and start afresh.

Click start> run> type services.msc and hit enter.
Scroll down to AntiVir Update Temp
Double click it to bring up properties.
Click Stop
Under "startup type" set it to disabled
Apply & OK changes.

Start hijackthis again
Click "open misc tools section"
Click "Delete an NT Service"

Paste this into the open window:

TmpUpSrv

Hit OK.

It should tell you the service was found and ask if you are absolutely sure.

Say yes.

Reboot

Click start> run> type %temp% and hit enter.
Select everything in that folder & delete it all.

You can download another copy of AntiVir here:

http://www.free-av.com/

Hit the download tab
It is the first one listed

Install should go better since you are clean now.
Make sure to check for updates.

Let me know how that works
Please post me a fresh HJT log after install of AntiVir.

Thanks Smile
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
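The log triage and the service-removal steps above, written out as an added Python example (this is editor-supplied code, not code from the thread, from HijackThis or from its vendor). It scans HJT-format lines for the patterns blender acted on: an O23 service or O4 autorun whose binary sits under the user's Temp folder (the TmpUpSrv case), an O9 button with no file behind it, O16 ActiveX downloads from hosts outside a small allowlist, and a hand-set O17 NameServer, and it turns the service findings into the sc.exe commands that correspond to the services.msc and "Delete an NT Service" steps. The sample lines are constructed in HJT's format, the allowlist of trusted DPF hosts is an assumption made for illustration, and the sc commands are produced as text for review, not executed.

```python
"""Triage HijackThis (HJT) log lines for the patterns acted on in this thread."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    severity: str  # "fix" = safe to have HJT fix/delete, "review" = needs a human decision
    entry: str     # HJT section: O4, O9, O16, O17 or O23
    subject: str   # service short name, CLSID, autorun label or DNS server
    reason: str


# The user's Temp folder in both long and 8.3 short-name form, as HJT prints it.
TEMP_DIR = re.compile(r"\\(LOCALS~1\\TEMP|Local Settings\\Temp)\\", re.IGNORECASE)

O4 = re.compile(r"^O4 - (?P<where>.+?): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
O9 = re.compile(r"^O9 - Extra button: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<target>.+)$")
O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>.+?)\) - (?P<url>\S+)$")
O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O23 = re.compile(r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<vendor>.+?) - (?P<path>.+)$")

# Assumption for this illustration only: ActiveX downloads from these hosts are not flagged.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com")

# Constructed sample in HJT format (a subset of the kinds of lines seen in the log above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{554F208C-FA9E-421F-80B3-93CA7BAFD758}: NameServer = 205.188.146.145
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\SARAHG~1\LOCALS~1\TEMP\_VWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


def is_trusted_host(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(log_text: str) -> list:
    """Return Findings for every HJT line matching one of the thread's patterns."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O23.match(line)):
            if TEMP_DIR.search(m["path"]):
                findings.append(Finding("fix", "O23", m["short"] or m["name"],
                                        "service binary under the user's Temp folder: " + m["path"]))
        elif (m := O4.match(line)):
            if TEMP_DIR.search(m["cmd"]):
                findings.append(Finding("fix", "O4", m["label"], "autorun from Temp: " + m["cmd"]))
        elif (m := O9.match(line)):
            if m["target"] == "(no file)":
                findings.append(Finding("fix", "O9", m["clsid"], "orphaned button, target file is gone"))
        elif (m := O16.match(line)):
            host = host_of(m["url"])
            if not is_trusted_host(host):
                findings.append(Finding("review", "O16", m["clsid"],
                                        f"ActiveX control from {host}: {m['desc']}"))
        elif (m := O17.match(line)):
            findings.append(Finding("review", "O17", m["servers"],
                                    "per-interface DNS server entry; confirm it is the ISP's resolver"))
    return findings


def service_removal_plan(findings) -> list:
    """sc.exe equivalents of the services.msc + HijackThis 'Delete an NT Service' steps (not executed)."""
    cmds = []
    for f in findings:
        if f.entry == "O23" and f.severity == "fix":
            cmds += [f"sc stop {f.subject}",
                     f"sc config {f.subject} start= disabled",
                     f"sc delete {f.subject}"]
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.entry} {f.subject}: {f.reason}")
    print("\n".join(service_removal_plan(found)))
```

The "review" items are deliberately not turned into fixes: an O17 NameServer is only wrong if it is not the resolver the ISP hands out, and an O16 control from an unfamiliar host may be a legitimate course-ware plug-in, so both need a person to decide. Run the `sc` commands from an administrator prompt, reboot, and only then clear `%temp%` as the post says, otherwise the service binary is still in use.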
ladedadehahaha
PostPosted: Sat Sep 24, 2005 11:01 pm

Okay, I got AntiVir installed alright, and it performed a system check for me. The only problem is that when I tried to update, it said that the update service was found to be inactive.

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:58:51 PM, on 9/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\AIM95\aim.exe
C:\DOCUME~1\SARAHG~1\LOCALS~1\TEMP\_VWUPSRV.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{554F208C-FA9E-421F-80B3-93CA7BAFD758}: NameServer = 205.188.146.145
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Hope we got everything bad off!
Thanks! Smile
blender
PostPosted: Sun Sep 25, 2005 6:15 am

Hi

Looks like baddies are off. Smile

Updater still wants to run from temp. The service listed in your log has it installed to correct location.
Need to get rid of the temp one.

Lets try this:

Uninstall AntiVir and reboot to Safe mode (tap the F8 key while booting).
Log into your account, not admin.

Click start> run> type %temp% and hit enter.
Select everything in that folder and delete it.

Open Internet options in control panel.
Hit "delete files" and check to delete offline content, then OK.

Restart back to normal windows and install AntiVir again. Uncheck the "Install new files only " box on setup.

Reboot after install and try updater again.

Let me know if that works.

thanks Smile
ladedadehahaha
PostPosted: Sun Sep 25, 2005 10:54 am

Okay, I did all that and now the updater seems to be working fine. It's updating right now, and after that I'm going to run a scan of my system. Thanks again for all of your help, you've been a lifesaver! Smile
blender
PostPosted: Mon Sep 26, 2005 8:26 am

Hi

Glad to hear updater working well.

Few things to do yet.

Once you have scanned with AntiVir and let it deal with whatever it finds...reboot.

then....

After a few reboots and checking to see that all is well, it is highly recommended to reset your system restore to remove any possible backed-up infected files there.

Right click "my computer"
Click "properties"
Click "system restore" tab
Checkmark "turn off system restore"
Hit apply> ok> ok.

Reboot

Go back and turn system restore back on by removing the check, hit apply, and OK.

A new restore point is created at this time.
You will not be able to restore computer to any earlier than today.

*********

Check your IE security settings:


  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.

    1. Change the Download signed ActiveX controls to Prompt
    2. Change the Download unsigned ActiveX controls to Disable
    3. Change the Initialise and script ActiveX controls not marked as safe to Disable
    4. Change the Installation of desktop items to Prompt
    5. Change the Launching programs and files in an IFRAME to Prompt
    6. Change the Navigate sub-frames across different domains to Prompt
    7. When all these settings have been made, click on the OK button.
    8. If it prompts you as to whether or not you want to save the settings, press the Yes button.

  5. Next press the Apply button and then the OK to exit the Internet Properties page.




Now on to protection/prevention

I recommend:

You have done some of the following but never hurts to check.

Arrow IE-Spyad <--this puts several thousand sites in restricted zone for IE. If you happen on a site within its list they can't hijack you or install anything.
Program is free and updated about once a month.

Please follow readme instructions for install...it is a little different.

Single user PC use IE-Spyad1
Multi user PC use IE-Spyad2

Arrow Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

Arrow Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

Arrow Spywareblaster <--this prog blocks known bad active x controls, many tracking cookies and puts more sites in restricted zone.
Install> update> enable all protection.
Updates are about once a month and it is free.

Arrow Spywareguard This program watches for any changes to your home/search pages for IE. If something (including you) tries to make changes, you will be alerted with a popup giving you the option to keep change or revert to previous settings.
Install> update. It should prompt you to start the program
Takes little in the way of resources and is also free.

Arrow Using a hosts file will greatly increase security. Many of those flashy annoying ads on websites will not display and it blocks access to thousands of sites entirely.

Info and how to install:

http://www.mvps.org/winhelp2002/hosts.htm

Arrow Keep a firewall running at all times. I use zone alarm. A free version can be downloaded here:

Free zone alarm

Arrow Remember to keep up with your windows updates including office.

Arrow Remember to keep your antivirus up to date.

Arrow Keeping all your security up to date

Arrow IE settings for increased security

Arrow Confused which antispyware is good or bad?

Arrow Install an alternative browser for day to day surfing.
These 2 are free and have a lot fewer security issues than IE:

Opera Browser

FireFox Browser


Arrow And finally...more security reading..: Protect your Computer

Happy surfing! Very Happy
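The six Internet-zone settings in the list above are stored as numbered DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (Zone 3 is the Internet zone; the setting IDs and the 0 = Enable, 1 = Prompt, 3 = Disable encoding are documented in Microsoft KB 182569). As an added example, not from the post, here is a Python audit that reads a `reg export` of that key, reports which of the six settings differ from the recommended values, and writes a fix.reg in the same form as the one earlier in the thread so the result can be merged with a double-click. The sample export is constructed; a setting absent from the export is reported as "not set", since IE then falls back to the zone default rather than to the value you want.

```python
"""Audit Internet-zone (Zone 3) settings from a .reg export against the values recommended above."""
import re

# Setting IDs under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3,
# with their recommended values; IDs and the 0/1/3 encoding are from Microsoft KB 182569.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Constructed sample of `reg export "HKCU\...\Zones\3" zone3.reg` output; values chosen to show
# three correct settings, two wrong ones (1001, 1800) and one that is missing (1607).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000001
"""


def parse_zone_values(reg_text: str, key: str = ZONE3_KEY) -> dict:
    """Return {setting_id: int} for the numeric DWORD values under `key` in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key:
            m = re.match(r'^"(\d+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                values[m.group(1)] = int(m.group(2), 16)
    return values


def audit(values: dict) -> list:
    """List (id, description, current, recommended) for every setting that deviates."""
    problems = []
    for setting_id, (desc, want) in RECOMMENDED.items():
        have = values.get(setting_id)
        if have != want:
            current = "not set (zone default applies)" if have is None else LABEL.get(have, str(have))
            problems.append((setting_id, desc, current, LABEL[want]))
    return problems


def fix_reg(problems: list) -> str:
    """A fix.reg (same form as the one earlier in the thread) that sets only the deviating values."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for setting_id, _desc, _current, _want in problems:
        lines.append(f'"{setting_id}"=dword:{RECOMMENDED[setting_id][1]:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    issues = audit(parse_zone_values(SAMPLE_REG))
    for setting_id, desc, current, want in issues:
        print(f"{setting_id} {desc}: is {current}, should be {want}")
    print(fix_reg(issues))
```

Because the key lives under HKEY_CURRENT_USER, the export, the audit and the merge all have to be done as the account that actually browses; doing them as a different administrator account changes that account's zone settings, not the user's.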
ladedadehahaha
PostPosted: Tue Oct 04, 2005 6:58 pm

Thanks again, the only thing I had problems with was creating a system restore point. When I tried to go to properties for My Computer it went, but first showed me the message:
"The procedure entry point RemoteAssistancePrepareSystemRestore could not be located in the dynamic link library WINSTA.dll"
blender
PostPosted: Wed Oct 05, 2005 1:36 pm

Hi

Interesting....

Lets try this:

Boot to Safe mode & log into your account.

click Start> run> type:

C:\Windows\inf

Hit enter.

locate sr.inf

Right click it and choose install

Once completed; reboot to normal windows.

See if you can run system restore.
ladedadehahaha
PostPosted: Thu Oct 06, 2005 6:22 pm

Hi,
I located the file but when I went to install it gave me the following message:
"The file 'st.sys' on Windows XP Professional CD-ROM is needed. Type the path where the file is located, and then click OK."

Problem is, I don't have the CD-ROM... and I don't know where to find it on my computer if it is here already. Sad
blender
PostPosted: Thu Oct 06, 2005 9:17 pm

Hi

I think you made a typo? The file it is looking for I believe is sr.sys, part of System Restore.

I want to tell ya to get service pack 1 at least installed or sp2. But....without restore capability...we should hold off if possible. If service pack install goes wonky...we can't recover.

Lets see if there is a copy somewhere on your computer.

Click start> run> type cmd and hit enter.

copy the following line:

cd c:\ & dir /s /a sr.sys > srfiles.txt & start notepad srfiles.txt

Right click into open cmd window and hit "paste"
Let it search
Notepad will pop up when done with results.

Please post results.

If none present...I can send you a copy of mine. I have an XP box with no service packs...therefore file version will be the same.


Last edited by blender on Mon Oct 10, 2005 8:38 pm; edited 1 time in total
ladedadehahaha
PostPosted: Mon Oct 10, 2005 8:14 pm

There was no result.. Sad sorry! I don't know how it would have gotten deleted... I've installed Windows XP numerous times due to past viruses and trojans.
blender
PostPosted: Mon Oct 10, 2005 8:42 pm

Hi

I messed up the command string to paste in and it was trying to open a text file that does not exist. We created the file but just tried opening the wrong one.

I just edited it to reflect my error. Embarassed

Go to your C:\ drive and locate srfiles.txt

Post results of that file please.

Thanks Smile
ladedadehahaha
PostPosted: Tue Oct 11, 2005 11:04 am

Alright, here is what I came up with:

Volume in drive C has no label.
Volume Serial Number is 6038-BDEE

Directory of C:\WINDOWS\system32\dllcache

08/18/2001 05:00 AM 70,400 sr.sys
1 File(s) 70,400 bytes

Directory of C:\WINDOWS\system32\drivers

08/18/2001 05:00 AM 70,400 sr.sys
1 File(s) 70,400 bytes

Total Files Listed:
2 File(s) 140,800 bytes
0 Dir(s) 14,213,562,368 bytes free

Hope this helps! Smile
blender
PostPosted: Tue Oct 11, 2005 12:09 pm

Hi

Looks like most everyone with this problem has solved it by installing SP1.
Not only should it solve the current problem but it will also solve several of the security issues that are causing your re-infections.

Here is the link:

http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx

I would download the "network installation" if you have a fast connection. It is a big download but you can burn it to CD.
If you ever need it again you will have it handy.
If slow connection...go with the express install. Express install will only install files you need.

Best to disable antivirus while installing service pack.
Dont forget to turn it back on once sp1 is installed.

Let me know how that works out.
ladedadehahaha
PostPosted: Wed Oct 12, 2005 2:37 pm

Okay, I downloaded the service pack, and it seems to have installed fine. I'm not really sure how to check it out, or how I tell if everything worked. I didn't get any error messages, it just said to reboot to finish the installation, so I did, and that's the last I've seen of it.
blender
PostPosted: Thu Oct 13, 2005 12:08 pm

Ok...Great!

See if you can create a restore point.

Start> programs> accessories> system tools> system restore.
click "create a restore point"
Call it whatever you like...
Hit "create"

It should tell you success. If the SP1 update didn't resolve the issue...it will spit out an error.

Let me know what happens. Smile
ladedadehahaha
PostPosted: Thu Oct 13, 2005 4:50 pm

Ok, awesome! I created the system restore point, and it worked great! Thanks!
blender
PostPosted: Thu Oct 13, 2005 7:16 pm

Great! Smile

Now that restore works...I advise visiting Windows Update to get the rest of the available updates, including SP2.
It will take a few visits & reboots to get them all.
Many nasty exploits have been fixed with the updates.

If ya want to save sp2 so you can burn it to cd in case you ever need it; here is the link for that: (it's a big download)

http://www.microsoft.com/downloads/details.aspx?FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&displaylang=en

I wanted to make sure restore was operational before I pushed sp2.

Good luck and surf safe Smile
ladedadehahaha
PostPosted: Sat Oct 15, 2005 7:15 pm

Okay, I did the Windows update, and it said it installed all the latest updates, which hopefully includes SP2. It didn't tell me exactly what it installed. But, it worked fine.
ladedadehahaha
PostPosted: Sat Oct 15, 2005 7:19 pm

Oh, actually nevermind, I figured it out. Thanks so much for all of your help!
Nick
Site Admin


Joined: 27 Feb 2004
Last Visit: 04 Aug 2010
Posts: 4624
Location: California

PostPosted: Wed Oct 19, 2005 11:30 am

This subject is now closed, if you need it re-opened please pm a moderator to reopen it.
Anyone else with similar issues please start a thread of your own.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read
Spyware Warrior Donations

October 19th, 2005

Thank you,

Nick

_________________
Nick's Security Ticker

All times are GMT - 8 Hours
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group