PhilliePhan 171 Central Scrutinizer Team Colleague

Check Point has updated ZoneAlarm to be compatible with KB951748. You can just install the new version, if you like.

-- You are correct. You should not have more than ONE active software firewall. By default, ZA is set to disable the Windows Firewall upon installation. When you removed ZA, you should have seen a security center popup saying your compy was at risk due to no firewall being active. You should check Security Center and verify.....

-- Frankly, I am leaning more and more toward replacing ZA with Comodo as I believe it is a better option. You might want to check that out:
http://www.personalfirewall.comodo.com/


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

My error message reads:
Windows - No Disk
Exception Processing Message c0000013 Parameters 75b6bf9c

Lots of possible causes for this error. The obvious being the recent addition and removal of software. Probably something you'll have to dope out through trial and error.
This link might help: http://www.consumingexperience.com/2007/11/windows-no-disk-exception-processing.html

Also, for help removing what you couldn't uninstall properly ---> http://www.ursoftware.com/
Can't remember if free trial or not. I think it is, just not the "full featured" version.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Yes, uninstalling the update is the BEST move..... (Unless you're OK with sliding ZA to medium)

A friend who has XP does not have this update at all!! (He runs ZoneAlarm) and he wasn't prompted to install it.......

Check Point has updated ZoneAlarm to be compatible with KB951748. Links to the new DLs are on the linky I posted.

Options 1 or 2 no longer apply ;)

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I posted this in hopes that someone might be able to help me decide my next course of action. My first decision was to check for malware, and that's why I posted my HijackThis log here. Any help, or a point in the right direction, would be much appreciated.

Nothing jumps out at me from your HJT Log other than an outdated Java. That could leave you vulnerable to a baddie such as Vundo.
You should uninstall ALL older versions of Java and install the new version from here ----> http://www.java.com/en/

-- Probably not malware behind your problems.
-- If you can do a System Restore back to just before problems started, I'd try that. Essentially, take a few steps back and start again....
That will cause problems with some Added/Removed programs, but will probably be easier to deal with than where you are now.

-- Update the Java after restoring, rather than before, if you choose the System Restore route.


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm new here; could someone kindly help me stop an error that loads every time I start my PC? It first occurred when my anti-virus detected it as a virus and deleted it... The error always shown on startup is "error loading:C:Windows:system32:bcxhgsbb.dll ->could not found"

What has likely happened is that your A/V or anti-malware tools have deleted a baddie, but left some remnants in the registry (a run key) that now call the non-existent malware on startup.

I would suggest that you run the steps here --> PP's Malware Cleaning Steps and post the logs for us.
At the very least, post the MBA-M and HJT logs as directed in the linky.

I am not here too often, but someone ought to be able to advise you upon seeing those scanlogs.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Microsoft Update KB951748 is known to cause loss of Internet access for ZoneAlarm users!

I suggest either Option 1 or Option 2 in the link below:

http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html

http://forum.zonelabs.org/zonelabs/board/message?board.id=cfg&message.id=52727

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I have installed many anti-virus programs to protect my computer

How many A/V programs did you install? More than ONE is a bad idea due to potential conflicts.
Multiple resident A/V actually can make you LESS safe!

If you are looking for a good total Internet Security package and you don't mind spending some cash, I recommend http://www.kaspersky.com/kaspersky_internet_security

--- If you have already been infected with malware, I suggest you try the steps in my "Malware Cleaning Steps" linky below.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Should I do the Kelly thing first? Also, System Restore... how do I do it, and what do I lose.............. files or data?

--- Yes, do the Kelly's Korner link first. RightClick the link and save it. It should save as iedesktopshortcut.reg
Move it to the ill machine and DoubleClick on it and Allow it to merge into the registry. You may need to reboot to see results.

--- If that does not work, try a System Restore to the most recent Restore Point before problems began. It shouldn't cause you much in the way of problems. Google System Restore for more and better info than I can provide.

http://support.microsoft.com/kb/306084

Let me know if you still have problems.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Still got probs. Here is the HijackThis file.

At very quick glance, I do not see anything particularly evil in your HJT Log.

--- Did you try the registry merge from Kellys-Korner that I linked?
--- It might help to obtain the other scanlogs requested in my linky below. Otherwise I really have nothing to go on other than past experience with this problem (and a registry adjustment such as the one I suggested usually does the trick).
--- You might want to try a System Restore.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

On normal boot up none of the icons on the desktop or start menus work. When you click they show egg timer and hang up.

You very likely still have malware active on your compy. I am not here often enough to help you with that in a timely manner. If nobody jumps in to help you, you could try the steps in my PP's Malware Cleaning Steps linky below.

As for the Desktop Icons, I suggest running the following Registry adjustment:
http://www.kellys-korner-xp.com/regs_edits/iedesktopshortcut.reg

Best Luck! :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

When I boot up my laptop (Windows XP Pro) I get two boxes pop up, saying
'error loading C:\Windows\system32\pwbcllrs.dll The specified module could not be found' and the same thing but with file name bljfiewn.dll
I've run Spybot and Adaware and they don't pick anything up, so would be really grateful if someone could suggest what to try next please?

Hi Yorkgirl,

I am not around much, so I don't know if I can help you in a timely manner.... But, since nobody else has responded, I'll point you in the right direction ;)

-- Your error messages are likely due to malware that has been partially cleaned by your onboard anti-malware tools. It is likely that registry remnants (run keys) have been left behind and are calling the now non-existent malware files at startup.

Chances are good that there is still active malware on your compy. I would suggest that you follow the steps in my linky PhilliePhan's Malware Cleaning Steps and post the Four requested logs here for me to have a look.

If I am not able to get back to you, you could post the logs at the site hosting the steps and I'm sure my friend Judy would be happy to assist you.

Best Luck! :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Rather than install another AV as backup, I would suggest using one of these Online Scanners instead. This way, you can avoid worrying about potential conflicts with your resident AV and you can be sure the AV definitions are up to date:

ESET Online Scanner
Kaspersky Online Scanner
Panda ActiveScan
Trend Micro HouseCall
F-Secure Online Virus Scanner


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I owe you a beer as it seems to have worked a treat.
Not sure if it's fair of me to ask you to have a look, however I would appreciate it if you could tell me if there is anything alarming.

A beer sounds good right now....

There are a few items in the ComboFix log that need attention - You should start your own thread so one of the volunteers can help you. I am not going to be around much for a while, so I am hesitant to take on new threads. If nobody replies here at Daniweb, you could try my friend Judy at iamnotageek.com.

-- You ought to get rid of the P2P stuff as many forums do not help P2P users unless they remove or disable the clients due to the risk of re-infection.

Also, you should definitely Update your Java as per the instructions in my "Protect Yourself..." Linky below!


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't boot up in safe mode & at one point I don't think I could even get into safe mode.
When I can't restart, I just hit the restart button, I don't have any other choice.
Which forum should I post in?

Hi Michelle,
I do not know which would be the best forum - I don't really travel outside of this one, lol!
Probably http://www.daniweb.com/forums/forum10.html would be best. Post a link to this thread if you post there.

You should also try this to help diagnose the problem:
-- See if you can boot into Safe Mode via the linky here and then see if you can restart normally.
Stuff like this is hard to diagnose. I just helped someone with a compy which wouldn't stay in sleep mode. Turned out to be a pesky driver that was "waking" it.....

Safe Mode --->http://www.bleepingcomputer.com/tutorials/tutorial61.html


I'll try to check back in a timely manner, but "real life" has intruded upon my online time and I am not sure when I'll be able to post again with any regularity....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry it took me so long to get back; my internet was out for a while so I couldn't get back here.

No worries! However, I am not going to be around much for a while due to "real life" issues, so I'll probably not be able to reply in a timely manner.

Anyhoo, let's go ahead and do the following:

-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

-- Let Combofix run as before and post me that log


NEXT:
Please run http://www.eset.com/onlinescan/

-- You will need to temporarily disable your current Anti-virus program.
-- Make sure that the option Remove found threats is Unchecked, and the option Scan unwanted applications is checked.
-- Remember to Re-enable your Resident Anti-virus program after the scan has finished.
-- A logfile ought to be found at C:\Program Files\EsetOnlineScanner\log.txt.
Please post that for me.


THEN:
Go and Update your Java here ---> http://www.java.com/en
Be sure to uninstall ALL older versions via Add/Remove Programs!

LASTLY:
Give me a Fresh HijackThis Log from after all of the above has been completed.

I'll want to see:
1) New ComboFix Log
2) ESET Online Scan Log

PhilliePhan 171 Central Scrutinizer Team Colleague

Perhaps if Phil is still watching the thread he may have a few more ideas.

Hi Rachel, MT:

I am pretty much on the same page with what you have been doing which is why I've stayed out of the way ;)

-- I think Trend Micro's HouseCall is Firefox friendly....

http://housecall.trendmicro.com/

You could try that.

Also, do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by Clicking Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post logs from those two scans - They ought to give a pretty good idea if malware is residing on your compy and whether it is safe to install further updates/patches....

I imagine that once SP2 and any other Hotfixes are installed, IE7 will operate properly . . . Though I still prefer Firefox.

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Guys,

The first HJT log shows the following baddie:
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe

This is probably responsible for the initial issues and may well be stealthed and still active....

Just a "heads up" in case you didn't look back that far.

-- Also, be advised that you have been exposed to an infected USB drive somewhere along the way. You may want to check your portable storage devices. If memory serves, sUBs has a "cleaner" for these....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

What was wrong w/ my Java that was there?

There are a number of malware that exploit Java, so it is constantly being updated. VUNDO, for example, is able to target and force execution on older runtime environments. That is why you really need to remove ALL older versions when you update. Otherwise, you are still vulnerable.
Also, I suggest running ATF-Cleaner (in my linkies below) which will clean the Java cache.

The computer won't restart when I click on restart which is HUGE, as I've never had that happen b4 on any other computer including this one. It only started recently.

I am not sure this is malware-related or if I would be able to help you with this.
'Course, it could be malware, but more likely to be a BIOS/Software/Driver type issue.
Do you get any error message? Are you able to restart after booting to Safe Mode?

-- There may be a better forum here at Daniweb for this problem - where some more knowledgeable people than I can have a look....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

HEY PP, AKAMAI IS NOT EVEN A VIRUS? I SCANNED AND IT SHOWED UP AS A VIRUS. IT SAID AKAMAI V .COM OR SOMETHING LIKE THAT, SO I GUESS THAT WOULD BE AN ADDRESS MAYBE? AND WHAT IS PHILLIEPHAN'S MALWARE CLEANING STEPS, IS IT GOOD? I'M SO TIRED OF D/L A BUNCH OF CRAP AND THEN GOING AND REMOVING IT. I WISH I COULD AFFORD SOME GOOD STUFF....

--- I am not familiar with any "Akamai virus." Can you give us anything concrete, such as
AV scanlog?

--- My "malware cleaning steps" are a workthrough I posted at another forum I frequent. They do not have many volunteers to help with malware removal, so I put together some initial steps for posters to follow to prepare 4 scanlogs BEFORE posting for help. In some cases, these initial steps can remove a good deal of malware.

--- There is a lot of "good stuff" to fight malware available for free! See both of my linkys below.....

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Okay, well thanks for your help. I know you can't do much because of my Windows, but I did not buy this computer >.<. And neither did the person that gave it to me >:O. Like I said before.. it was a gift. Anyways I will uninstall Viewpoint and update my Java like you said. Thanks again for your help.

You bet.

You may well be an innocent victim - I would think that if you cracked Windows, you'd recognize the tools you used....

I doubt you'll find help in forums in the future very forthcoming unless you remove those offending items.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Can you be more specific about this akamai virus?

Akamai is a giant content distributor (or CDN).

Not sure what you are trying to remove....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Michelle,

I do not see anything particularly worrisome there
. . . 'Course there are a few items in your Uninstall list with which I am unfamiliar, but as long as you know what everything is, you're ok.

-- It does look like you are running "selective startup" via msconfig to control unwanted startups. There are better ways to do this.


-- What symptoms are you having?


You should remove these in Add/Remove Programs:
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3

Then, Update your Java here ---> http://www.java.com/en

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Uh, I don't really know.. This computer was given to me as a gift. ^^ And if you think I'm lying because my name is Lie1983.. I'm not really 24-25 years old.

Well, I have seen cases where unscrupulous merchants have sold computers on the cheap with pirated Windows OS to unsuspecting customers.

Your copy of Windows is most likely illegal. I would suggest doing the honorable thing and remedy this, if indeed it is the case.

-- At quick glance, I do not see much in your logs to worry about. You should update your Java and Uninstall BearShare and Viewpoint.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi nctw123,

This computer was and still is ridiculously infested with malware. Even some of your malware was infected by other malware! LOL!

In cases such as this, I generally recommend a reformat and reinstall of Windows.


However, if you'd like to continue with the cleaning process, please follow the instructions below.

--- I'd still like to see that uninstall list

--- Download FindAWF.exe by noahdfear and save it to your Desktop.
• Double-click on FindAWF.exe to start the program.
• If a "Security Alert" shows, allow the program to run.
• Select option #1 - Scan for bak folders by typing 1 and press 'Enter'.
• When FindAWF finishes, a log will open in notepad called AWF.txt which will automatically be saved to the Desktop.

• Please submit AWF.txt for me.


Hang in there for further steps - I'm not sure how much free time I'll have over the weekend.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm sorry.
I can't comment further unless you can tell me why

C:\WINDOWS\SYSTEM32\antiwpa.dll
H:\170Activation_WGA\Activation_WGA\NotGenuineRemover\RemoveWGA.exe

are running on your machine. Frankly, I'm surprised a moderator hasn't deleted this thread.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

No one is helping me, & the computer is getting worse. :(

Hi Michelle,

Sorry - It is like this in all the various support forums. The demand for assistance far outweighs the supply of knowledgeable volunteers!

Let's get you started on the road to recovery:
Please do the following:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by Clicking Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

NEXT:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a previous version, delete it and download a new version).
  • Double click combofix.exe & follow the prompts.
    Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.

When it finishes, it ought to

  • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
  • Restore your Internet connection.

IMPORTANT:

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi nctw123,

Please do the following:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by Clicking Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

NEXT:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a previous version, delete it and download a new version).
  • Double click combofix.exe & follow the prompts.
    Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.

When it finishes, it ought to

  • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
  • Restore your Internet connection.

IMPORTANT:

  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.

Please post …

PhilliePhan 171 Central Scrutinizer Team Colleague

If you look at my "malware cleaning" linky below, there are some online scans listed in the steps. You might try a couple to doublecheck.

But, as I mentioned, I am not sure forum policy would allow us to advise you further due to the questionable legality of your OS...

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

So i have no virus?

Probably not - though HijackThis alone is insufficient to make that diagnosis.

pp :)

PhilliePhan 171 Central Scrutinizer Team Colleague

PhilliePhan you are a scholar and a gentleman. . . You will forever have my gratitude and if ever there were a way I could repay the favor let me know.

Thanks for the good word, Bobby!
A number of sites I frequent ask for donations to keep them up and running - but what they really need are more trained and eager volunteers to help with the flood of infected computers. I'd be happy if you just "pay it forward" and do a good turn for somebody else down the road. :)

I must say that this was quite a learning experience . . . .All I ask now is if you have any links or recommendations as to how I might go about learning to do what you did?

A malware infestation is always a learning experience!

I am pretty much self-taught. Been doing this in my free time for about 5 years now - since about the time I got infected with a really nasty piece of malware. I did not know forums such as this existed then, and I ended up cleaning it myself - took a good week, LOL!
I probably should have just wiped the hard drive and reinstalled - that is and will always be the ONLY way to be sure you are completely clean. Especially with all the rootkits we see these days....

There are a number of places to learn about killing malware. Here are a …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Bobby,

I just remembered that I forgot to have you remove ComboFix.

No worries if you don't see this before you've returned the machine or if you've already removed ComboFix.

If you do see this in time, please do this:
• Click Start > Run
• Type or Copy&Paste ComboFix /u into the Run box. (be sure there is a space between the x and the / if you type it)
• Click OK


That ought to wrap things up!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hello, I was recently infected by a virus and I checked Norton's free online virus scanner and it showed a Hacktool. The file infected is called Antiwpa.dll in my system32 folder. I really need some help on how to get rid of this.

LOL!

Antiwpa.dll is your ILLEGAL WINDOWS CRACK!

Probably why you are running the below:
O4 - HKLM\..\Run: [RemoveWGA] H:\170Activation_WGA\Activation_WGA\NotGenuineRemover\RemoveWGA.exe -startup

I do not believe it is within Daniweb guidelines to offer advice to users with pirated Windows....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I am posting...from my own computer!!
Does that mean that the problem is only with internet explorer and not with my computer?
Once again, a million thank yous to both of you for all of your help...

Great! Now we're cookin' with gas . . .as they say :)

-- Definitely looks like a problem with IE. It is not playing well with the machine.
I imagine that, once we get you updated properly, we'll give IE7 a look and remove IE6.

I am tied up with work right now and can't look at the new logs - Just wanted to congratulate you on the progress!
Will check back and have a look tomorrow if MT doesn't beat me to it.

PP :)

EDIT: At really quick glance, the logs look OK. Nothing jumping out there. Still, better to wait until one of us has a chance to give a closer look.

PhilliePhan 171 Central Scrutinizer Team Colleague

Well, guess I took a bit longer to get this posted than I originally thought. Of the files you had me look for, I ran searches and only about 2 of them actually existed, though not in the folder you listed - both had been quarantined by the online scan. There was alvxqeif.dll.bac_a01172 in the folder C:\Documents and Settings\TiFF\.housecall6.6\Quarantine
The other file was
ssxjwpvi.dll.bac_a01172
In the same folder

You can delete that Quarantine folder if you so desire.

Likewise, these can be removed:
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

Anyway, here is the final ComboFix scan log. Also, good news is I just noticed that the two error messages that I had been getting at bootup are gone :)

Everything looks OK to me, Bobby. :)

-- The registry fix "took" this time. The machine is not trying to load those non-existent malware at startup any more.
-- You may want to look into some of the options for controlling unwanted Startups in the linky I posted earlier, but that is entirely up to you.

Have a look at my "Protect Yourself" linky below and definitely install Spyware Blaster as I recommend.


If everything is running as it should, please mark this thread Solved!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Where are you?:S
(Not trying to rush you or anything. I just have to return this thing by tomorrow morning. It's not a huge deal if we don't finish this tonight, and I know you're doing this voluntarily so it is still appreciated. I have to go for a few hours, but will be back on later tonight. Hopefully we are close?)

Hi Bobby,

Most days I really don't have much free time to devote to forums until after 7PM EST.

Looks like we are almost done, though my registry fixes didn't take via ComboFix. Probably blocked by one of the anti-spy tools. I should've used a switch to kill them. No worries, we'll try again "old school."
Most of the stuff left to deal with are the malware prevented from running via msconfig (and the Trend Micro and McAfee remnants). I would imagine all the actual malware files are gone, but in the interest of thoroughness I'd like to do the following:

-- Download BobbyFix.reg to your Desktop.
-- DoubleClick on BobbyFix.reg and follow the prompt to Allow it to merge into the registry

Then, you'll need to use Windows explorer to navigate to and DELETE any of the following, if they should remain:

C:\WINDOWS\system32\alvxqeif.dll
C:\WINDOWS\system32\bqdst.dll
C:\WINDOWS\system32\rrvfhlv.dll
C:\Program Files\Common Files\WinAntiVirus Pro 2006
C:\Program Files\Common Files\?ystem\w?aclt.exe --> The ? can be any character. You should probably remove the C:\Program Files\Common Files\?ystem Folder.
C:\Program Files\Trend Micro

PhilliePhan 171 Central Scrutinizer Team Colleague

Do you recommend i purchase a new firewall or will i be safe enough the with xp and router firewall?

Actually neither :)

I would suggest one of the FREE software firewall options in my linky below:

PROTECT YOURSELF FROM MALWARE: Tools & Tips

Generally, you are pretty safe behind your router's hardware firewall. However, in addition to other advantages and features, a good bi-directional software firewall (unlike Windows Firewall) will monitor both incoming and outgoing traffic and alert you when some malware tries to "phone home." PCTools, ZoneAlarm or Agnitum are all pretty decent choices for free options and are a definite step up from the Windows Firewall in XP.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I am much obliged for your rapid responses and detailed instructions. I will resume your steps in about 14 hours when I am at my desk again.

You're welcome :)

No worries - and no rush. I should be around tomorrow evening

Such as? And how so?

The how so part is that it adds more stuff for us to sift through and deal with accordingly. Just a little extra work.

As for the "such as," my friend Chaslang has a good and thorough explanation here. Check it out:
Dealing with Startup Processes


Catch you tomorrow evening :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Here are the log files in order as requested. I hope you have a search engine for whatever you're looking for!

LOL!

I have a pretty good idea of what I am looking for. Though, I should say that you ought not use Diagnostic Startup via msconfig as a "startup manager." There are better ways to deal with unwanted startups and malware. Plus, it adds to the workload of forum volunteers to have to deal with them.


Anyhoo, please do the following:

FIRST-
Look in Add/Remove Programs and UNINSTALL the following:

Adobe Reader 6.0.1 --> You'll need to update to the latest version.
Java 2 Runtime Environment, SE v1.4.2_03 --> This is probably the culprit that paved the way for Vundo. See instructions at end of fix steps to update Java.
McAfee VirusScan Enterprise --> Remove, since you are using AVAST! now.
Viewpoint Manager (Remove Only)
Viewpoint Media Player

THEN:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

-- Let Combofix run as before and post me that log


NEXT:
Please run http://www.eset.com/onlinescan/

-- You will need to temporarily disable your current Anti-virus program.
-- Make sure that the option Remove found threats is Unchecked, and the option Scan …

PhilliePhan 171 Central Scrutinizer Team Colleague

In the last couple of days my Norton Internet Security 2007 has been playing some weird games and now it's not working at all.

Hi Froot-Loop,

Norton is a complex animal. I'm not sure this is the best place to diagnose such issues.
I would recommend some sort of dedicated Norton Support:

http://www.symantec.com/norton/support/productdetail/contact_ts.jsp?pvid=nis_2007

http://www.castlecops.com/f80-Norton_Anti_Virus.html

Obviously, the sooner your AV is up and running, the better!

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Should I be in safe mode while performing these?

No - Normal Windows boot is preferable at this time.

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

however I am getting two new error messages upon startup every time. They are both RUNDLL error messages saying "Error loading C:\WINDOWS\System32\vyaqfgmb.dll The specified module could not be found." And actually the second error message is identical except it's looking for the file ssxjwpvi.dll in the same folder. I googled both of those file names and got nothing at all.
They look to me like incorrect registry entries, or remnants of the recently removed infection.

Hi Bobby,

You are correct - those are registry remnants from the removed malware.

Looks like you did not get it all. Please do the following:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

NEXT:

  • Download combofix.exe by sUBs to your computer's Desktop.
  • Alternate Download
  • (If you already have a …
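The two RUNDLL errors above come from autostart entries that still point at DLLs the cleanup already deleted. As an added example (not code from the thread or from any of the tools PP recommends), the PowerShell below lists Run/RunOnce values whose referenced .exe or .dll no longer exists. It assumes PowerShell 3 or later; the registry keys it reads are the same ones HijackThis reports as O4 entries. It only reports, it removes nothing.

```powershell
# Added example: find Run/RunOnce autostart values whose target file is missing.
# Such orphaned entries are what produce "Error loading ...dll  The specified
# module could not be found" at logon after a partial malware removal.
function Get-OrphanedRunEntry {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Group 1: a quoted path (may contain spaces); group 2: an unquoted path.
    # Both must be a drive-letter path ending in .exe or .dll.
    $pathPattern = '(?i)"([a-z]:\\[^"]+?\.(?:exe|dll))"|([a-z]:\\[^"\s,]+?\.(?:exe|dll))'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/PSChildName/... bookkeeping; skip those
            if ($prop.Name -like 'PS*') { continue }
            $command = [string]$prop.Value
            foreach ($m in [regex]::Matches($command, $pathPattern)) {
                $raw = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
                # Run values may use %SystemRoot%-style variables
                $target = [Environment]::ExpandEnvironmentVariables($raw)
                if (-not (Test-Path -LiteralPath $target)) {
                    [pscustomobject]@{
                        Key     = $key
                        Value   = $prop.Name
                        Command = $command
                        Missing = $target
                    }
                }
            }
        }
    }
}

# Each reported entry is a candidate for the HijackThis O4 fix described in the thread.
Get-OrphanedRunEntry | Format-List
```

The check is deliberately read-only: confirm each hit against the MBA-M and ComboFix logs before removing it, since a legitimate program that was uninstalled badly produces exactly the same symptom.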
PhilliePhan 171 Central Scrutinizer Team Colleague

Hi again,
I still cannot connect, unfortunately.
Thanks,
ERE

No luck with Firefox? It would really help to know if it fails as well as IE...

Are you able to use System Restore to restore your compy to a date before you started having problems? Maybe we need to take a step back before we go forward again.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm hoping there's a solution that can bypass using that program again -- just because I hate that screen. Thankfully, I rebooted and am using the same computer to make this post, so all is not lost. Yet.

Sorry to hear that!
It worked exceptionally well on the same malware here in this thread:
http://www.daniweb.com/forums/thread112066.html

That's why I suggested it when I saw you were having trouble. But, you are right to wonder why the steps you already took didn't work - they should have worked.

Hang in there for Crunchie - I don't want to get in his way any more than I already have done.

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Found that hidden file and ran a scan see attachment.

Good deal - it looked kinda hinky to me, but that's why we scan them at Jotti before killing them ;)

I want you to know that I truly appreciate all your help with this problem, it means a lot to me that there are people like you who take precious time away from yourself to help others. Thank You
Until Next Time (NOT),
Vegasgal

You're Welcome!
-- I've had a few "repeat customers" over the years in various forums. I'll keep my fingers crossed for you :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Adobe Acrobat 5.0 I couldn't find anywhere to check for updates, will I have to purchase the v8.0?

My fault there - Was doing 10 things at once. I confused myself. I must've been thinking of Adobe Reader
If you already removed Acrobat 5.0, you can get it here --> http://www.download.com/Adobe-Acrobat-5-0-5-Update/3000-6675_4-10069848.html

I looked 2 X in the C:\WINNT\system32 Folder for: 953BEBAFA6.sys - then looked 2 X in the C:\WINNT Folder and still couldn't find it.

My fault again - That is a hidden file and you need to enable the viewing of hidden files to see it: http://www.bleepingcomputer.com/tutorials/tutorial62.html
You might want to check again just to make sure it is/isn't there. Looks a bit iffy to me. It could very well be gone.

PC is running much better now. Thank you :)

You're welcome - Happy to help :)

Let's go ahead and remove Combofix:

• Click Start > Run
• Type or Copy&Paste ComboFix /u into the Run Box. (be sure there is a space between the x and the / if you type it)
• Click OK

Everything else looks OK to me. If things are running well and you don't find 953BEBAFA6.sys for Jotti scan, then I think you can mark the thread as solved!

Have a look at my "Protect Yourself" linky below - Definitely install Spyware Blaster!

Cheers :)
PP
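Explorer hides files with the Hidden or System attribute, which is why the .sys file above was invisible until hidden-file viewing was switched on. As an added example (my own code, not anything from the thread), the PowerShell function below checks the Windows folder and system32 for a named file regardless of its attributes and prints the details a scanner such as Jotti is compared against: attributes, size, timestamps and SHA-256. It assumes PowerShell 4 or later for Get-FileHash; the Windows 2000 machine in the thread would not have it, so this is the general form of the check rather than what that user ran.

```powershell
# Added example: locate a file even if it is hidden/system, and show what an
# analyst wants before deciding whether to submit or delete it.
function Find-HiddenFile {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Default to the two folders the thread looked in (WINNT and WINNT\system32 on that box)
        [string[]] $Folders = @($env:SystemRoot, (Join-Path $env:SystemRoot 'system32'))
    )
    foreach ($folder in $Folders) {
        $path = Join-Path $folder $Name
        # -Force returns hidden and system files that a plain Get-Item / Explorer view skips
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        [pscustomobject]@{
            Path       = $item.FullName
            Attributes = $item.Attributes
            Bytes      = $item.Length
            Created    = $item.CreationTime
            Modified   = $item.LastWriteTime
            # Hash to look up on a multi-engine scanner instead of uploading the file blindly
            SHA256     = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        }
    }
}

# The file name from the thread. No result is the "it could very well be gone" case.
$hits = @(Find-HiddenFile -Name '953BEBAFA6.sys')
if ($hits.Count -eq 0) {
    "Not found in $env:SystemRoot or its system32 folder"
} else {
    $hits | Format-List
}
```

A random-looking name with a very recent creation time in system32 is the "hinky" pattern PP refers to; the hash lets you check it against scanner results without relying on the file name, which malware of this family regenerates on each install.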

PhilliePhan 171 Central Scrutinizer Team Colleague

I doubt Crunchie will mind if you go ahead and do the following:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post back with the MBA-M Scanlog and I'm sure Crunchie will weigh in with further advice.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

This afternoon when I logged on Nortons found and fixed 3 trojans. I ran SpyWare Doctor and came clean. Here are the 3 reports you wanted and from what I can read we still have a nasty little booger around. I hope that we can remove it soon.

I don't see much there - I think Norton got three of the baddies I had targeted in the CFScript.

--You should use Add/Remove Programs to remove the following:

Adobe Acrobat 5.0 --> Remove and update to latest version. I think it's 8.
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java(TM) 6 Update 3
---> Remove all of these older Java versions. Help deter Vundo.
Do not remove this one --> Java(TM) 6 Update 5
Pando --> P2P stuff is a good way to get reinfested. A number of forums deny help to people until they remove or disable these.
URGE -->your choice
Viewpoint Media Player (Remove Only)

-- Can you tell me what is in this folder --> C:\WINNT\hvrqkcro
If you don't recognize it as something you need, DELETE it.

-- Also, please go here ---> and use the Browse Button at the top of the page to navigate to …

PhilliePhan 171 Central Scrutinizer Team Colleague

AllRightyThen!

-- Are you able to Uninstall/Remove XPdefender in Add/Remove Programs?
See if you can do that first. If not, no worries - keep going with the rest of the steps.

-- Please DELETE your copy of ComboFix and download a fresh one to your Desktop. Be sure you get it onto the Desktop this time, please ! If you still have trouble, let me know!
-- Download the attached file CFScript.txt to your Desktop as well.
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

-- Let Combofix run as before and post me that log.

ALSO:
Please run http://www.eset.com/onlinescan/
-- You will need to temporarily disable your current Anti-virus program.
-- Make sure that the option Remove found threats is Unchecked, and the option Scan unwanted applications is checked.
-- Remember to Re-enable your Resident Anti-virus program after the scan has finished.
-- A logfile ought to be found at C:\Program Files\EsetOnlineScanner\log.txt.
Please post that for me.

One More Thing:

Run HijackThis and Open the Misc Tools section.
Open the Uninstall Manager and Click Save list
Save it to your desktop.

Please post the fresh ComboFix log, the ESET Log and the Uninstall List for me and we'll go from there. I will try to check back in a timely manner, but I'm a bit overextended at the moment...

Best Luck …
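Both the Add/Remove Programs list earlier in the thread (the stack of old J2SE and Java 6 updates) and the HijackThis Uninstall Manager list requested here come from the same place: the Uninstall keys in the registry. As an added example (my own code, not HijackThis's or PP's), the PowerShell below builds that list directly and flags every installed Java runtime except the newest, which is the set PP tells the user to remove. It assumes PowerShell 3 or later and matches Java purely by display name, so the result should be read before acting on it; the script itself uninstalls nothing.

```powershell
# Added example: installed-program inventory from the registry Uninstall keys,
# plus a view of older Java runtimes that should go through Add/Remove Programs.
function Get-InstalledProgram {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # absent on 32-bit
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Uninstall = $_.UninstallString
            }
        } |
        Sort-Object -Property Name -Unique
}

function Get-OldJavaRuntime {
    param([object[]] $Programs = (Get-InstalledProgram))
    # Display names look like "J2SE Runtime Environment 5.0 Update 10" or "Java(TM) 6 Update 5".
    # The name match is deliberately loose (it also catches "Java Auto Updater"), so review the output.
    $java = @($Programs | Where-Object { $_.Name -match '^(J2SE|Java)' })
    if ($java.Count -le 1) { return @() }
    # Order by DisplayVersion; entries whose version does not parse sort as oldest
    $sorted = @($java | Sort-Object -Property {
        $v = $null
        if ([version]::TryParse([string]$_.Version, [ref]$v)) { $v } else { [version]'0.0' }
    })
    # Everything except the last (newest) entry is a removal candidate
    $sorted[0..($sorted.Count - 2)]
}

# Same content as the HijackThis Uninstall Manager "Save list", written to the Desktop
Get-InstalledProgram | Out-File -FilePath (Join-Path $env:USERPROFILE 'Desktop\uninstall_list.txt')
Get-OldJavaRuntime | Format-Table Name, Version -AutoSize
```

Keeping several side-by-side Java runtimes matters for the reason PP gives: the old ones stay reachable through the browser plugin, so the exploit kits that dropped Vundo can still pick the unpatched version even when a current one is installed.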

PhilliePhan 171 Central Scrutinizer Team Colleague

We do not bank online, but I do love shopping online. Yesterday I did purchase Spyware Doctor so I will keep an eye out on my credit card account.
Thanks Again

Hi Vegasgal,

I'll post the next steps in a few minutes (slow typist).

-- Regarding all the malware, I am still not sure if those are active baddies or if your computer has been "salted" by smitfraud so it can extort you to buy their Spyware Remover and it can "remove" all these "baddies" that it planted in the first place... If that makes any sense LOL!

Those keyloggers, to my knowledge, must be installed manually. Also, I did not see the Run Keys, so perhaps they are not active and only there to provide extra motivation for the extortion.
-- But, I'd rather err on the side of caution and operate under the assumption that your machine may have been compromised.... Keep an eye on the credit cards, etc...


For the ComboFix download, in Firefox click Tools > Options > select the Main Tab and make sure to check the box under Downloads where it says Always ask me where to save files and click OK

Then, download Combofix to the Desktop.

Back in a few with the next steps :)
PP