Tech Support banner

Status
Not open for further replies.
1 - 6 of 6 Posts

·
Registered
Joined
·
36 Posts
Discussion Starter #1
Winfixer is killing me also. Here's my log from the Hijackthisanalyzer. If anyone can help me I would really appreciate it.


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:19:03 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\tuvsp.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Iomega Automatic Backup Pro] "C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FD2A034D-75BB-412E-BAFA-819E4A8578D7} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/vfs/fox/foxmovies/live/install/installerAX.cab
O20 - Winlogon Notify: tuvsp - C:\WINDOWS\system32\tuvsp.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Please disable Spywareguard, as it hinders the removal of some entries. You can re-enable it after you're clean.
  • Right click the running icon of Spywareguard located in the system tray
  • Go to Menu > File > Exit and confirm the programs close.

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop. Double-click on it to extract the files to a new folder on your desktop.

Reboot your computer into Safe Mode.
Restart your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
At the introductory screen, press <Enter> to proceed.
When asked to type in a filepath, please key this in:
  • C:\WINDOWS\system32\tuvsp.dll

Press Enter to continue with the fix.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Next you will be asked to type in a second filepath.
At this point please type the following file path (make sure to enter it exactly as below!):
  • C:\WINDOWS\system32\psvut.* < - the asterix * is part of the filepath

Press Enter to continue with the fix.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


The fix should then automatically launch HijackThis. (if it doesn't, you'll have to do it manually)
In HiJackThis, please place a check next to the following items and click FIX CHECKED:
  • O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\tuvsp.dll
    O20 - Winlogon Notify: tuvsp - C:\WINDOWS\system32\tuvsp.dll
After you have fixed these items, close Hijackthis and reboot your computer.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Then, perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
 

·
Registered
Joined
·
36 Posts
Discussion Starter #3
I think I did everything correctly, but Winpro2005 still keeps popping up. Anyway here's all my log files. Thanks for your time.


VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\system32\tuvsp.dll

The second filepath entered was C:\Windows\system32psvut.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 128 'smss.exe'

Killing PID 760 'explorer.exe'
Killing PID 760 'explorer.exe'


Killing PID 208 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\system32\tuvsp.dll Deleted sucessfully.
C:\Windows\system32psvut.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------
Active Scan

Incident Status Location

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\tuvsp.dll
Adware:adware/popmonster No disinfected C:\Documents and Settings\Jeff\Favorites\SHOPPING\Best Buy.url
Adware:adware/delfinmedia No disinfected C:\PROGRAM FILES\COMMON FILES\remove_tools.html
Dialer:dialer.vz No disinfected C:\WINDOWS\SYSTEM32\defaulttxt.dat
Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM32\INNERVBINSTALL.LOG
Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:adware/ncase No disinfected C:\PROGRAM FILES\nCase
Adware:adware/surfaccuracy No disinfected C:\PROGRAM FILES\SurfAccuracy
Adware:adware/dealhelper No disinfected C:\WINDOWS\SYSTEM32\Newmsrdk
Adware:adware/gator.ptime No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\PrecisionTime
Adware:adware/cws No disinfected C:\Documents and Settings\Jeff\Favorites\Fun & Games
Adware:adware/sidesearch No disinfected C:\Documents and Settings\Jeff\Application Data\Lycos
Adware:adware/wupd No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\HJT\backups\backup-20051004-202655-918.dll
Spyware:Spyware/Virtumonde No disinfected C:\HJT\backups\backup-20051029-214141-627.dll
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\remove_tools.html
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\biT.inf
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\tuvsp.dll
Adware:Adware/FavoriteMan No disinfected C:\WINDOWS\SYSTEM32\yum1el1us.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\?ttrib.exe
Spyware:Spyware/Searchcentrix No disinfected C:\WINDOWS\weblzedr.exe
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:40:28 AM, on 10/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\tuvsp.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Iomega Automatic Backup Pro] "C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FD2A034D-75BB-412E-BAFA-819E4A8578D7} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/vfs/fox/foxmovies/live/install/installerAX.cab
O20 - Winlogon Notify: tuvsp - C:\WINDOWS\system32\tuvsp.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
For some strange reason, that didn't turn out as I had planned. We may be dealing with a new strain of this trojan.
I'll have to take an alternate approach to it.

Spyware is still On. Please disable it until such time you're fully disinfected.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Before fixing anything, please download the Suspicious File Packer from here:

http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

C:\WINDOWS\SYSTEM32\?ttrib.exe
C:\WINDOWS\system32\tuvsp.dll


Allow SFP to pack the files. This will generate a CAB archive on your desktop.

Please email the files to this address - sUBs[at]techsupportforum.com (replace [at] with @)

Please include a link to this topic in the message.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)
When SpySweeper starts, please accept any prompts to update definitions. Exit the program after you have updated.

# Do NOT do a full system sweep yet


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Reboot your computer into Safe Mode.
Restart your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • Arpropos
    Ncase
    Surf Accuracy
    Precision Time
    Gain
    Gator

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Documents and Settings\Jeff\Favorites\SHOPPING\Best Buy.url
    C:\PROGRAM FILES\COMMON FILES\remove_tools.html
    C:\WINDOWS\SYSTEM32\defaulttxt.dat
    C:\WINDOWS\SYSTEM32\INNERVBINSTALL.LOG
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
    C:\WINDOWS\INF\biT.inf
    C:\WINDOWS\SYSTEM32\yum1el1us.dll
    C:\WINDOWS\SYSTEM32\?ttrib.exe
    C:\WINDOWS\weblzedr.exe
    C:\PROGRAM FILES\Aprps
    C:\PROGRAM FILES\nCase
    C:\PROGRAM FILES\SurfAccuracy
    C:\WINDOWS\SYSTEM32\Newmsrdk
    C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\PrecisionTime
    C:\Documents and Settings\Jeff\Favorites\Fun & Games
    C:\Documents and Settings\Jeff\Application Data\Lycos

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
    [*]Delete Newsgroup Subscriptions
    [*]Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Launch & use the diagnostic version of SpySweeper & configure it as followed:
  • Click on the Start button
  • After it has finished scanning, click the Next button
  • Allow Spysweeper to reboot your machine to remove the infected files.

# Reboot back to Normal Mode

Launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

## IMPORTANT - do not use your computer as you scan.
 

·
Registered
Joined
·
36 Posts
Discussion Starter #5
Thanks

I think that may have gotten it. I haven't saw the winfixer again yet. Hopefully I won't again. If you see anything else that I should get rid of let me know sUBs, Thanks



====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SpywareGuard\sgmain.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:56:10 PM, on 10/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Iomega Automatic Backup Pro] "C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FD2A034D-75BB-412E-BAFA-819E4A8578D7} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/vfs/fox/foxmovies/live/install/installerAX.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


End of KRC HijackThis Analyzer Log.
=================================================================

********
8:55 PM: | Start of Session, Sunday, October 30, 2005 |
8:55 PM: Spy Sweeper started
8:55 PM: Sweep initiated using definitions version 564
8:55 PM: Starting Memory Sweep
8:55 PM: Found Adware: virtumonde
8:55 PM: Detected running threat: C:\WINDOWS\SYSTEM32\tuvsp.dll (ID = 77)
8:56 PM: Memory Sweep Complete, Elapsed Time: 00:01:02
8:56 PM: Starting Registry Sweep
8:56 PM: Found Adware: apropos
8:56 PM: HKLM\software\aprps\ (8 subtraces) (ID = 103741)
8:56 PM: Found Adware: blazefind
8:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/bridge.dll\ (2 subtraces) (ID = 104526)
8:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\bridge.dll (ID = 104541)
8:56 PM: Found Adware: coolwebsearch (cws)
8:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/rundlg32.dll\ (2 subtraces) (ID = 112385)
8:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\rundlg32.dll (ID = 112483)
8:56 PM: Found Adware: ist istbar
8:56 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\istbaristbar\ (2 subtraces) (ID = 129119)
8:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/istactivex.dll\ (2 subtraces) (ID = 129124)
8:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\istactivex.dll (ID = 129174)
8:56 PM: Found Adware: minigolf
8:56 PM: HKLM\software\minigolf\ (1 subtraces) (ID = 135062)
8:56 PM: Found Adware: 180search assistant/zango
8:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ncaseinstaller.dll (ID = 135764)
8:56 PM: Found Adware: virtualbouncer
8:56 PM: HKLM\software\classes\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (ID = 145551)
8:56 PM: HKCR\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (ID = 145565)
8:56 PM: Found Adware: websearch toolbar
8:56 PM: HKLM\software\microsoft\windows\currentversion\installer\userdata\aui\ (1 subtraces) (ID = 146479)
8:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/qdow.dll\ (2 subtraces) (ID = 146481)
8:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\qdow.dll (ID = 146496)
8:56 PM: Found Adware: winad
8:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
8:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
8:56 PM: Found Adware: ist software
8:56 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (2 subtraces) (ID = 147854)
8:56 PM: Found Adware: ist yoursitebar
8:56 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 147857)
8:56 PM: HKU\S-1-5-21-2549561080-805658773-1078421604-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {71ed4fba-4024-4bbe-91dc-9704c93f453e} (ID = 104516)
8:56 PM: Found Adware: cws-aboutblank
8:56 PM: HKU\S-1-5-21-2549561080-805658773-1078421604-1007\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
8:56 PM: Found Adware: media-motor
8:56 PM: HKU\S-1-5-21-2549561080-805658773-1078421604-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {aee46806-2c5a-4a4e-a5dd-b4531f64a187} (ID = 140144)
8:56 PM: Registry Sweep Complete, Elapsed Time:00:00:22
8:56 PM: Starting Cookie Sweep
8:56 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:56 PM: Starting File Sweep
8:58 PM: Found Adware: limeshop
8:58 PM: c:\program files\limeshop (144 subtraces) (ID = -2147480733)
8:58 PM: Found Adware: hotbar
8:58 PM: c:\documents and settings\localservice\application data\hotbar (4 subtraces) (ID = -2147480877)
8:58 PM: c:\windows\system32\msbb (1 subtraces) (ID = -2147480555)
8:58 PM: Found Adware: netspry hijacker
8:58 PM: c:\program files\homepage (ID = -2147480543)
8:58 PM: Found Adware: delfin
8:58 PM: c:\program files\common files\dpi (ID = -2147481129)
8:58 PM: c:\documents and settings\all users\application data\pcsvc (12 subtraces) (ID = -2147481135)
8:58 PM: pn_getoutofdebt.dfn (ID = 57773)
8:58 PM: cj_juno9818876-t.dfn (ID = 57672)
8:58 PM: limeshop.inf (ID = 65527)
8:58 PM: limeshop_readme.txt (ID = 65532)
8:58 PM: limeshop_preferences0.htm (ID = 65531)
8:58 PM: limeshop_offer0.htm (ID = 65530)
8:58 PM: limeshop_confirm0.htm (ID = 65529)
8:58 PM: datamerchlimeshopsaved.dls (ID = 65503)
8:58 PM: ink_inkline023-t.dfn (ID = 57718)
8:58 PM: americiansingles-d009-love.dfn (ID = 57671)
8:59 PM: datamerchlimeshopsaveda.dls (ID = 65548)
9:00 PM: datamerchlimeshopsaved.dls (ID = 65547)
9:00 PM: pn_smoking_18.dfn (ID = 57774)
9:00 PM: cj_netzero10290102-t.dfn (ID = 57673)
9:00 PM: limeshop_readme.txt (ID = 65532)
9:00 PM: ink_inkline022-t.dfn (ID = 57717)
9:00 PM: ink_inkline011.dfn (ID = 57716)
9:00 PM: ink_inkline005-t.dfn (ID = 57715)
9:00 PM: pn_dreamshape14.dfn (ID = 57772)
9:12 PM: Found Adware: shopathomeselect
9:12 PM: atimebka.dat (ID = 75801)
9:12 PM: Found Adware: purityscan
9:12 PM: ?ttrib.exe (ID = 73385)
9:28 PM: Found Adware: winantispyware 2005
9:28 PM: df_kmd.sys (ID = 146298)
9:31 PM: hotbar.inf (ID = 62344)
9:31 PM: Found Adware: bonzi buddy
9:31 PM: bonzi.url (ID = 51610)
9:31 PM: limeshop_script0.htm (ID = 65534)
9:31 PM: limeshop_script0_wo.htm (ID = 65534)
9:31 PM: Found Trojan Horse: 2nd-thought
9:31 PM: popup blocker.url (ID = 48318)
9:31 PM: online virus scan.url (ID = 48317)
9:31 PM: internet privacy software.url (ID = 48302)
9:31 PM: stop popups.url (ID = 48318)
9:31 PM: ebay.url (ID = 48213)
9:31 PM: walmart.url (ID = 48361)
9:31 PM: ebay.url (ID = 48213)
9:31 PM: buy.com.url (ID = 48207)
9:31 PM: best buy.url (ID = 48168)
9:31 PM: limeshop_script0.htm (ID = 65533)
9:34 PM: File Sweep Complete, Elapsed Time: 00:37:21
9:34 PM: Full Sweep has completed. Elapsed time 00:38:55
9:34 PM: Traces Found: 250
9:40 PM: Removal process initiated
9:41 PM: Quarantining All Traces: virtumonde
9:41 PM: Warning: Timed out waiting for explorer.exe
9:41 PM: Warning: Timed out waiting for explorer.exe
9:41 PM: Warning: Timed out waiting for explorer.exe
9:41 PM: Warning: Quarantine process could not restart Explorer.
9:41 PM: virtumonde is in use. It will be removed on reboot.
9:41 PM: C:\WINDOWS\SYSTEM32\tuvsp.dll is in use. It will be removed on reboot.
9:41 PM: Quarantining All Traces: apropos
9:41 PM: Quarantining All Traces: blazefind
9:41 PM: Quarantining All Traces: coolwebsearch (cws)
9:41 PM: Quarantining All Traces: ist istbar
9:41 PM: Quarantining All Traces: minigolf
9:41 PM: Quarantining All Traces: 180search assistant/zango
9:41 PM: Quarantining All Traces: virtualbouncer
9:41 PM: Quarantining All Traces: websearch toolbar
9:41 PM: Quarantining All Traces: winad
9:41 PM: Quarantining All Traces: ist software
9:41 PM: Quarantining All Traces: ist yoursitebar
9:41 PM: Quarantining All Traces: cws-aboutblank
9:41 PM: Quarantining All Traces: media-motor
9:41 PM: Quarantining All Traces: limeshop
9:41 PM: Quarantining All Traces: hotbar
9:41 PM: Quarantining All Traces: netspry hijacker
9:41 PM: Quarantining All Traces: delfin
9:41 PM: Quarantining All Traces: shopathomeselect
9:41 PM: Quarantining All Traces: purityscan
9:42 PM: Quarantining All Traces: winantispyware 2005
9:42 PM: Quarantining All Traces: bonzi buddy
9:42 PM: Quarantining All Traces: 2nd-thought
9:42 PM: Preparing to restart your computer. Please wait...
9:42 PM: Removal process completed. Elapsed time 00:01:46
********
8:23 PM: | Start of Session, Sunday, October 30, 2005 |
8:23 PM: Spy Sweeper started
8:24 PM: Your spyware definitions have been updated.
8:53 PM: Program Version 4.5.5 (Build 607) Using Spyware Definitions 564
8:55 PM: | End of Session, Sunday, October 30, 2005 |
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
You may want to print out the rest of these instructions for reference, since you will have to restart your computer during the fix. Please download hese additional files/programs. Do not run them until instructed to do so.

AproposFix.exe - do NOT run it yet.

CleanUp.exe - Install.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Once in Safe Mode, double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, it will create a log, log.txt file in the aproposfix folder.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
    [*]Delete Newsgroup Subscriptions
    [*]Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
    [*] Online Scan
    [*] Apropos Fix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
 
1 - 6 of 6 Posts
Status
Not open for further replies.
Top