
Registered · 8 Posts · Discussion Starter #1 (Edited by Moderator)
This is an email I sent to a friend to get help also. Please excuse the wording. It saved me time to cut and paste. I am dealing with this computer crash, trying to open a new business and manage two kids at home.

I got the wireless card out of our desktop and put it in my laptop that we never use at this time, so I am able to get you an email with some information about my computer. Here is a list of some of the spyware programs I had been downloading to try to get rid of the problems:

1. Microsoft Antispyware
2. Spybot Search and Destroy
3. Lavasoft AdAware SE and VX2 Variant (I could not get the VX2 one to work. It said it needed the newest version, but according to www.download.com it was the newest version 2.0)
4. Spyware Doctor, which we bought and will be using the 30 day money back guarantee since it was not as good as cnet said it would be. All the rest of the programs we used were free downloads. Many of them I got from a tech support site I was using for assistance on the one certain malware I was fighting (surfside kick)
5. Registry Cleaner Trial
6. We are also running Norton AntiVirus 2005
7. Hijack This - This is the one that the site I was working on said to use to get a log from so they could tell better what was wrong with the computer. There was another step they were wanting me to run after the Ad-Aware SE step. It was another full computer scan. That is when my computer crashed. I did go to Hijack This before I started and got a log file and saved it. I was able to recover this and it is attached to this email. Let me know if it comes through ok.

Some of the names of the viruses I was working with were as follows:
1. surfsidekick
2. I think one of the ones that showed up on many of the searches was Apropos.
3. Many of the pop ups that were coming up had the name Aurora on them. I am looking to see if I can get to any of my quarantine lists from the programs above to give someone an idea of what the scans were finding. There were many of them that it would say it was deleting, but every time it ran it was still there.

So how did this start and manifest itself? I was looking at some websites for Halloween costumes for the kids when I noticed a lot of pop ups coming up. We have two pop up blockers on our computer that do a good job. So I knew right away something was wrong. We did not have Norton installed yet, because we had bought a brand new Norton to replace our old one, but when our computer failed earlier in the year, my dad installed a new system on it and when I tried to put Norton back on the computer it would not work. So we have been running with minimal protection, praying we would be ok until we could figure out how to get it up and running. I went to the Norton help site and found a way to fully uninstall Norton and then reinstall it. It worked and we ran a full computer scan hoping that would work. When it did not and the Microsoft Spyware program we had was not helping, we called my brother who recommended Spyware Doctor from the www.download.com site. We did this and ran a free scan. It found 802 infections. Then we ran another scan and found 270 more and then one more after we purchased the full version and found 80 more. But even after all of that it still had pop ups everywhere. So then I went to a tech site for the surfside kick infection. I started downloading the programs they told me to and they had said there was a certain order I had to delete things and perform steps to get things to work. I will attach the instructions from the site I was working off of. I was performing one scan when the computer just turned itself off. I then tried to restart in safe mode. I got a bright blue screen with white wording saying that the computer had shut down Windows to protect it, and when I tried to follow the instruction it gave me for running in safe mode to get it up and going again it would not work. So the computer never worked in safe mode. I then turned it off again and ran the computer in regular mode. It was able to boot to the page where I select which user I want.
I picked my name and it came to a screen with my screensaver picture and nothing else. I tried the control alt delete and it did not work. It was frozen on this picture. I turned off the computer and restarted in regular mode. It did the same thing, but the next time I was able to get the control alt delete to work. Dad talked me through some steps I could do with only this page available. It let me look in the msconfig and I checked the ini files. I went to the different ones and on one of them it asks to check the pathway. It gave this message:

It appears that the following line in the boot.ini file does not refer to a valid operating system.
signature (41172ba5)disk(1)rdisk(0)partition (2)\Windows="Microsoft windowsXProfessional"/fastdetect"
It then asked if I wanted to remove it. I did and then it said all the pathways were ok after that. Dad also had me stop most of the startup programs and restart. I did this and when I got to the page with my picture on it, there was a page open to my file directory. I could now see all of my files and directories in my computer. I started removing and backing up some files by putting in my memory stick and transferring files to my laptop. I have about finished that. The computer has maintained that state throughout the night. I have not turned it back on and off again since I can get the items I needed off the computer.

I hope some of this can help us figure out what is wrong with my computer and get it back up and running. I apologize for the bad typing. The keyboard on the laptop is going bad and some letters have trouble typing and it skips around. Sorry.

Thank you again for taking a look at this. Please let me know if there is anything else you need.

Amy

PS I am able to get into the program files and my programs are still working. At least the ones I have gone into to get information to give to you.

<Mod's note: It's always better to post logs in the thread, rather than as an attachment. Thank you.>

Logfile of HijackThis v1.99.1
Scan saved at 8:36:24 PM, on 9/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\oecogn.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Amy Broshears\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SDWin32 Class - {E08710E9-C69E-4125-985E-9D830F04786D} - C:\WINDOWS\System32\tthsv.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [dnam] C:\WINDOWS\system32\d140113.a.Stub.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\arrgan.exe reg_run
O4 - HKLM\..\Run: [ptiihwx] C:\WINDOWS\System32\oecogn.exe r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126202620483
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\mdswch.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW15IEJyb3NoZWFycwAA\command.exe (file missing)
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Amy Broshears\Local Settings\Temporary Internet Files\Content.IE5\O1K9Q30X\cwshredder[1].exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
TSF Security Manager, Emeritus · 42,837 Posts · Reply #2
Hello littlebrody26 and welcome to TSF,

You are severely infected here and it will take more than one pass, so please be patient with the process. Your biggest problem is that you are running XP with no updated service packs installed, which leaves you extremely vulnerable.

Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Before we begin, let's move HiJackThis to its own folder, like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, and with HiJackThis in its current location we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

To do this:
Click My Computer, then C:\
Right click in the right-hand panel.
In the menu that opens, click New>Folder.
That will create a folder named New Folder.
Rename it "HJT".


Download WinPFind http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet.

Download Trackqoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Download Nailfix Utility at http://www.noidea.us/easyfile/file.php?download=20050711214630636 Save it to your desktop. Do NOT run it yet.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Some Anti-Spyware Programs are known to interfere with HJT fixes. If you have these programs, please disable them:

Microsoft AntiSpyware
*Click on Options>Settings.
*In the left pane, click on Real-time Protection.
*Under Startup Options, Deselect Enable the Microsoft AntiSpyware Security Agents on startup.
*Under Real-time spyware threat protection, Deselect Enable real-time spyware threat protection.
*After you've done these, click on the Save button and close Microsoft AntiSpyware.
*Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Search & Destroy Spybot's TeaTimer
Go to Tools>Resident - Deselect TeaTimer.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
-Empty Recycle Bins
-Temporary Internet Files
-Delete Cookies
-Delete Prefetch files
-[X]Scan local drives for temporary files (Please uncheck this option)
-Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted and reboot back into Safe Mode.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Run Ewido:
*Click [Scanner]
*Click [Complete System Scan] to begin scanning.
*Click [OK] when prompted to clean files
With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].

Once finished, click the [Save report] button
Save the report to your desktop
Close Ewido

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one if they are still listed (they shouldn't be - but double check it):(You must kill them one at a time).

C:\WINDOWS\System32\oecogn.exe -- this file may have changed names; look in the body of the HijackThis log for an O4 entry with a random.exe r

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

AWS or Weatherbug

To stop a service and set to 'disabled'

1. Go to Start > Run and type in services.msc then click OK
2. Click the Extended tab.
3. Scroll down until you find the service.
===> Command Service (cmdService)
4. Click once on the service to highlight it.
5. Click Stop
6. Right-Click on the service.
7. Click on 'Properties'
8. Select the 'General' tab
9. Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
10. From the drop-down menu, click on 'Disabled'
11. Click the 'Apply' tab, then click 'OK'

Open HijackThis>Config>Misc Tools>Delete an NT Service and copy/paste the following entry in the box and click OK:

Command Service if that’s not found, copy/paste cmdService in the box.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {E08710E9-C69E-4125-985E-9D830F04786D} - C:\WINDOWS\System32\tthsv.dll (file missing)
O4 - HKLM\..\Run: [dnam] C:\WINDOWS\system32\d140113.a.Stub.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\arrgan.exe reg_run
NOTE: The 04 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r.
O4 - HKLM\..\Run: [ptiihwx] C:\WINDOWS\System32\oecogn.exe r

O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\mdswch.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW15IEJyb3NoZWFycwAA\command.exe (file missing)


Now open the folder dsrfix on your desktop.
* Double click on dsrfix.bat
* A window will pop up briefly then close, this is normal.

Delete the following Files and Folders if they still exist.

C:\WINDOWS\System32\oecogn.exe or whatever it changed to-refer to the 04 entry
C:\WINDOWS\System32\tthsv.dll
C:\WINDOWS\system32\d140113.a.Stub.EXE
C:\WINDOWS\System32\arrgan.exe
C:\PROGRA~1\AWS
C:\WINDOWS\system32\mdswch.dll
C:\WINDOWS\QW15IEJyb3NoZWFycwAA

Reboot back into Safe Mode.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works as it can take a while, upwards of 30 minutes or more! Once the Scan is Complete it will make a txt file (log) of what was found. Save that log and post it here.

Restart one more time back into Normal Mode

Locate & double-click on TrackQoo1.vbs. Wait a few seconds and a notepad page will pop up. Copy & Paste those results in your next post.
* If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

IMPORTANT!:
Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2 (SP2). SP2 should only be installed on a fully disinfected system.) At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid, then you may not have a legitimate copy of Windows XP. Unfortunately it's also this forum's policy that we only address users with a legal copy of Windows XP; therefore if you cannot update Windows XP to SP1 we must stop the cleansing process here.

Run a new scan with HijackThis and save the log to post here.

So I will need the following logs:

WinPFind
Trackqoo
HijackThis
Ewido Scan results
 
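The manual triage the helper performs above (orphaned "(file missing)" hooks, O4 Run entries of the "random.exe r" shape launched from System32, a Winlogon Notify DLL, a service with "Unknown owner") can be written down as rules over the HijackThis log format. The script below is an added example, not code from the thread or from HijackThis; the rules are this editor's own heuristics, and the sample lines are copied from the log in post #1 and mixed with benign Symantec entries so it runs offline.

```python
import re

# Constructed sample: lines copied from the HijackThis log in post #1 above,
# mixed with benign Symantec entries so the rules can be exercised offline.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SDWin32 Class - {E08710E9-C69E-4125-985E-9D830F04786D} - C:\WINDOWS\System32\tthsv.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\arrgan.exe reg_run
O4 - HKLM\..\Run: [ptiihwx] C:\WINDOWS\System32\oecogn.exe r
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\mdswch.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW15IEJyb3NoZWFycwAA\command.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0-R3, O1-O23) and " - ".
SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 bodies look like: HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# An executable inside System32 followed by exactly one single-letter argument:
# the "random.exe r" shape the helper tells the poster to look for.
SYS32_LETTER_ARG_RE = re.compile(r"\\system32\\[a-z0-9]+\.exe [a-z]$", re.IGNORECASE)
SYS32_RE = re.compile(r"\\system32\\", re.IGNORECASE)


def triage_line(line):
    """Return a reason string if the entry deserves a second look, else None.

    The rules are heuristics (editor's assumption), ordered so the most
    specific explanation wins when several apply to one line.
    """
    m = SECTION_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank line: not an entry
    section, body = m.group("section"), m.group("body")
    if "(file missing)" in body:
        return "points at a file that no longer exists (orphaned hook or removed payload)"
    if section == "R3" and "is missing" in body:
        return "default URLSearchHook has been removed"
    if section == "O4":
        o4 = O4_RE.match(body)
        if o4 and SYS32_LETTER_ARG_RE.search(o4.group("cmd").strip()):
            return "System32 executable started with a lone single-letter argument"
        if o4 and SYS32_RE.search(o4.group("cmd")):
            return "Run entry launches straight from System32; verify the binary"
    if section == "O20" and body.startswith("Winlogon Notify:"):
        return "DLL loaded by Winlogon at every logon; verify its publisher"
    if section == "O23" and " - Unknown owner - " in body:
        return "service with no publisher recorded"
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns [(section, reason, line), ...]."""
    hits = []
    for raw in text.strip().splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((raw.split(" - ", 1)[0], reason, raw.strip()))
    return hits


if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Entries the rules flag still need a human decision; the benign Symantec lines in the sample pass through untouched, while the six entries the helper lists for fixing are all reported.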

Registered · 8 Posts · Discussion Starter #3 (Edited)
Thank you so much for helping

I have some questions. When I have tried to run some of the programs since the crash such as Spybot etc. it says that I am not running an updated enough Windows program. I fear that when I was trying to fix things I have deleted something that helps my programs and Windows run. My second problem is my dad reformatted my computer a few months ago and when he redid it he loaded into it a copied version of Windows XP Professional since we at that time had just moved and could not find our original cd of Windows XP Home Edition. We cannot update our computer since it is not a valid key code from the Microsoft update place. Our question is this. We have backed up everything we own on our computer since we were able to get that program to function long enough to get our stuff off the computer. Would you recommend now that we have our original cd of Windows XP Home Edition to just reformat our computer and start all over? This way we would be able to get updates since that cd came with our computer and has not been loaded on any other computer. I then could be sure now that I have the information from this computer to start with a very protected computer. Will this take out everything that is in it or would I still need to have the computer cleaned? Let me know how to proceed. My father can ship me the original cd he used in my computer to try to put back the problems that I have possibly due to me deleting something vital to the function of XP. Thank you again for your help.

Amy
Premium Member · 14,311 Posts · Reply #4
I hate to say this, but yes, backup all your data now and do the format and reinstall of Windows XP Home.

Then install the Windows Updates. Make sure to install the prevention programs below so something like this won't happen so easily next time:

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.