DMR 152 Wombat At Large Team Colleague

Glad we could help. Have a happy, spyware-free New Year! :)

...it was weird, because I created another username on my computer, and that one never got infected...

Actually, that's not such a weird thing, because spyware infections aren't generally designed to spread in the way that viruses do. Spyware definitely can infect a computer in ways that affect all users, but it's equally possible for the infection to be confined only to the particular user account which is active at the time the spyware is installed.

DMR 152 Wombat At Large Team Colleague

Hi rclksr,

Please paste your hijackthis log directly into your post instead of attaching it as a Word doc:

Run HijackThis again. Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

DMR 152 Wombat At Large Team Colleague

Looks good- there are no signs of infections in your latest HJT log. :)

Does everything seem to be working properly now?

DMR 152 Wombat At Large Team Colleague

Due to the fact that the member who originally started this thread has not responded in well over one year, this thread is considered abandoned and has been closed.

In accordance with our posting rules, other members having similar problems should start their own threads and post their questions there. In order to help us help you most quickly, please include as much information about your problem as possible in your posts.

If the member who originally started this thread wishes to have the thread reopened, please send your request, including a link to this thread, to one of our moderators via email or Private Message.

Thank you.

DMR 152 Wombat At Large Team Colleague

We're getting closer.

1. Run HJT again and have it fix:

O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)


2. Delete the entire C:\Program Files\SpyAxe folder and then Empty your Recycle Bin. If Windows doesn't allow you to delete the folder, reboot into Safe Mode and delete it from there.


3. Download the smitfraud.reg file by right-clicking on this link and choosing "Save link as..." or "Save target as..." from the resulting pop-up menu. Save the file to your desktop.

- Double-click the smitfraud.reg file you saved, and when it asks if you want to merge with the registry, click YES.

- Reboot your computer; you should then be able to change your display settings back to normal.

DMR 152 Wombat At Large Team Colleague

Please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open AVG and use its update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.


2. Download and install the CCleaner utility, but don't run it yet.


3. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button. Close HJT once it has finished performing the fixes:

O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O21 - SSODL: hZYuTXZQYkJG - {6CAFE98C-C605-4326-4C28-ACD87FEDF798} - C:\WINDOWS\System32\ufcbi.dll


4. Reboot into Safe Mode (you get to …

DMR 152 Wombat At Large Team Colleague

OK. Post the results when you can...

DMR 152 Wombat At Large Team Colleague

1. Run HijackThis again and have it fix the following two entries:

O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

2. Delete the entire C:\Program Files\Common Files\VCClient folder and then empty your Recycle Bin.

DMR 152 Wombat At Large Team Colleague

1. OK- I'm just triple-checking here, but you cannot find the file even when you've configured Explorer to show all hidden files and folders as described below, right?

Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

2. Open the AVG Test Center and click on the Virus Vault button. If you see the offending file in the vault, right-click on it and choose the "Delete File(s)" option.

DMR 152 Wombat At Large Team Colleague

Which classes you take pretty much depends on your goal- are you taking the classes just for personal knowledge, or are you taking them for career/employment-related reasons? Also- have you subscribed to one of New Horizon's 6 or 12-month "package" deals, or are you taking classes on an individual basis?

DMR 152 Wombat At Large Team Colleague

OK- quite honestly, finding/borrowing/stealing the correct Windows install CD would be the quickest way to go right now. Being that many of the system/application errors you've posted are the result of other program errors (that is, the errors "cascade"), it makes it pretty difficult to sort out where the root of the problem lies. Also, I've got the feeling that you may have more than one thing wrong at the core of all of this.

But, working with what we've got:

1.

C:\windows\system32\mui\041b\xpsp2res.dll
(5.1.2600.2180 Hlasenia Balika Service Pack 2)

2. C:\windows\system32\mui\0414\xpob2res.dll
(5.1.2600.2180 00B-meldinger for Service Pack 2)

After logging in, I scanned both of these files for viruses...

I have never seen the box you describe, but the above files are valid Win XP files, not malicious files. Sorry I can't offer anything beyond that.


2.

An attempt to alter a protected object has been detected.
(Attempt to delete a registry value)
Root: HKEY_LOCAL_MACHINE
Key: Software\Classes\.exe
Value: Content Type
Data: application/x-msdownload

Although I can't tell what is causing the message to pop up, that Ad Aware warning might tell us something about your inability to run programs, as the particular ".exe" subkey is one of the Reg entries which tells Windows how to handle executable files. The warning also gives me an idea that may allow you to run the Registry Editor:

If you can open Windows Explorer in any way, locate the C:\Windows\regedit.exe file and rename …

DMR 152 Wombat At Large Team Colleague

Sorry I didn't get back to this earlier.
Since the problem persists after you've reinstalled Windows, and your system looks to be free of viruses/spyware, you should probably start a new thread in our Windows 2000/XP forum and post as much background information on the problem as possible. Given the reformat, and the fact that your HJT and ewido logs look good, I don't think the problem is related to malicious infections.

DMR 152 Wombat At Large Team Colleague

Hi Jessica, welcome to DaniWeb :)

You have more than a few separate infections, and at least one of them is going to need some special attention. Let's start with some general cleaning procedures to get the "lesser evils" removed.
Please do the following:

You will need to disconnect from the Internet for some of the following, so you'll need to print out the following instructions, or save them into a text file with Notepad.


1. Download and run these infection-specific removal tools (before scanning/fixing with about:buster and CWShredder, use their online update features to make sure you have the most current updates installed):

CWShredder - http://www.intermute.com/spysubtrac...r_download.html
about:Buster - http://www.majorgeeks.com/AboutBuster_d4289.html
HSRemove - http://www.majorgeeks.com/HSRemove_d4286.html
Sp.html-Se.dll Hijack Fix - http://www.majorgeeks.com/Sp.html-S...00XP_d4617.html


2. Download and install these general spyware removal utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program …

DMR 152 Wombat At Large Team Colleague

dirky083,

You are running a very outdated version of HijackThis. Please download the latest version (1.99.1), run a scan with it, and post the new log before you do anything else!!

You have quite a few infections, and they should be dealt with carefully; please do not perform any cleaning procedures before I have a chance to review the new log you post.

DMR 152 Wombat At Large Team Colleague

Hi dg rider, welcome to DaniWeb :)

You are right; you still have evidence of "unwanted guests" in your HJT log.

Let's start with the following:

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

DMR 152 Wombat At Large Team Colleague

1. There are no obvious problems in your HJT log. Please give us a link to the thread which had the solution you tried or tell us exactly what you've tried so that we don't duplicate your efforts.

2. Give us the names of some of the problematic sites. Are they all "secure" sites/pages?

DMR 152 Wombat At Large Team Colleague

You did the right thing, we're just pretty short of helpers this week, and there are a lot of people who need help. Please bear with us; I'll try to get to you soon.

DMR 152 Wombat At Large Team Colleague

Hi titan5239, welcome to DaniWeb :)

Unfortunately, everything has not been cleaned, but before proceeding with the fixes, there is one thing you need to take care of first:

C:\DOCUME~1\Chris\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:
Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

-------------------------------------------------------------------------------------------------
Once you've taken care of the above:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - …

DMR 152 Wombat At Large Team Colleague

Hi Jon Silen, welcome to DaniWeb :)

Let's start with some general disinfection:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Spy Sweeper and make sure it is updated to the most current spyware definitions. Close the program after that.

- Open McAfee and use its Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with it; just close it once it is updated.


2. Download and install the CCleaner utility, but don't run it yet.


3. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "Network Security Service" or " 11Fßä#·ºÄÖ`I" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the …

DMR 152 Wombat At Large Team Colleague

Wretched log you've got there. [img]http://www.stevewolfonline.com/Downloads/DMR/Visuals/puke3.gif[/img]

DMR 152 Wombat At Large Team Colleague

Glad we could help :)

Weatherbug may not have been listed in your Add/Remove Programs control panel; as long as you manually deleted the folders I listed you'll be good to go.

DMR 152 Wombat At Large Team Colleague

Hi FLYN,

You do have at least one infection (a worm), as indicated by this HJT log entry:

O23 - Service: lsass (Local Security Authority System Service) - Unknown owner - C:\WINNT\lsass.exe (file missing)

However, you need to take care of something first:

C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

The log entry above indicates that you are running HijackThis from within a Temp/Temporary folder. Please do the following:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

-----------------------------------------------------------------------------------------
Once you've moved HJT to a safe folder, please do the following:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite …

DMR 152 Wombat At Large Team Colleague

You're welcome :)

Can you post the HJT and ewido logs for us to review, please? I'd like to make sure your system looks clean before marking this thread as "Solved".

Thanks.

DMR 152 Wombat At Large Team Colleague

I missed this before, but twice now you've posted that the path to the fsaa.dll is:

C:\Windows\system2

Is that really correct, or is the path C:\Windows\system32?

DMR 152 Wombat At Large Team Colleague

I'm currently taking A+ classes with New Horizon...

My condolences; I hope your instructor there knows a heck of a lot more than mine did. :(

- Actually, the A+ course materials that New Horizons was using when I went were pretty well targeted to the test if I recall, although that was some years ago and they may be using different books now.

- I used to have bookmarks for tons of online testing resources, but those are long gone now. If you Google for combinations of the keywords CompTIA, exam, cram, test, online, study, etc., you'll find a good number of sites. Many of the sites require that you register before you can access the best sample exams and other resources, but if you don't mind a little extra spam in your inbox (or if you use a "throw-away" email address), registering can be worth it.

DMR 152 Wombat At Large Team Colleague

Much better; time to clean up the loose ends. I see that you already have ewido installed, so:

1. Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido (don't run a scan with the program yet).

2. Open Spyware Doctor and update it. As with ewido, just close the program once the update is complete.

3. Open KAV and do as above.

4. Download and install the CCleaner utility, but don't run it yet.

5. Run HijackThis again, put a check mark in the box to the left of the following entries, and then click the "Fix checked" button. Close HJT when it completes its fixes:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\ktr6l79s1.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\l0j8la1u1d.dll (file missing)


6. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


7. Run CCleaner. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.


8. Run KAV, Spyware Doctor, and ewido consecutively; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks …

DMR 152 Wombat At Large Team Colleague

did he miss something :?:

Oooooh yeah.
Let's just say that I wouldn't let that HJT log take my daughter out on a date....

DMR 152 Wombat At Large Team Colleague

pimpwhack,

First- uninstall SpyCatcher; it is not a recommended antispyware program. Also, please do not install any other programs during the course of this troubleshoot unless we specifically instruct you to do so.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Open AdAware and check for/install the most current updates. Don't run a scan yet; just close Adaware after it installs the updates.

Next, please reboot your computer in SafeMode by doing the following:

  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================

O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp27D0.tmp
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O20 - AppInit_DLLs: interceptor.dll

===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file …

DMR 152 Wombat At Large Team Colleague

Glad we could help, TheGu3st. Have a happy and virus-free New Year. :)

DMR 152 Wombat At Large Team Colleague

No don't know about VC Client exactly, unless it's part of Adobe Acrobat or a photo editor, but not positive.

The "VC" programs definitely aren't part of Acrobat, and I doubt they're part of a photo editing program either.
Can you tell me what other files (if any) are in the C:\Program Files\Common Files\VCClient folder?

DMR 152 Wombat At Large Team Colleague

After ewido finished scanning, it popped up with this message:
The file "C:\Documents and Settings\Emmie\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll" cannot be removed because it is embedded in the archive "C:\Documents and Settings\Emmie\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat". Do you want to remove the whole archive?
I clicked on Yes, since I figured I could just uninstall Wildtangent and reinstall if needed. Was that a good choice?

Yes- the Wild Tangent programs contain adware/spyware components; it is recommended that you remove them. Ewido also picked up a piece of the WeatherBug program, which is ad-sponsored as well, so it should be uninstalled too.

Also, I searched my C: drive for "nvidGUIv" and was only able to find "NVIDGUIV.EXE-089AD208.pf" in C:\WINDOWS\Prefetch. Earlier, a friend told me to delete that file, but it seemed to have returned. I didn't delete it this time, just in case. Should I manually delete it again?

Yes, and as a matter of fact, you can delete all of the files in the C:\WINDOWS\Prefetch folder. Here's the story on that:
"To increase the startup time of your applications, Windows pre-loads portions of programs in a folder called Prefetch. Malware sometimes embeds itself in this folder and uses that as their ‘autostart’ mechanism each time you boot.
Since Windows will automatically repopulate the Prefetch folder with valid program entries, emptying the entire contents of the folder won’t do any harm. You can do this by going to C:\Windows\Prefetch; open the Prefetch folder, click on Edit, Select All, …

DMR 152 Wombat At Large Team Colleague

Did you perform all of steps I posted fully and completely? There are entries in your latest log that definitely should not still be there after that cleaning process.

DMR 152 Wombat At Large Team Colleague

... and who knows what else.

Indeed.... :(

I know that you said you've done some of the following, but let's go through the general cleaning process again; there are entries in your HJT log that should have already been removed by ewido, SpyBot, etc.:

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open SpyBot and use its update feature to download and install the most current spyware definitions file. Close the program once the update is complete.

- Open AdAware, click the "Check for updates now" button, and follow the prompts to install the most current spyware definition database. Close the program once the update is complete.

- Open Norton and use …

DMR 152 Wombat At Large Team Colleague

I've seen wiring "hackarounds" for the whole "fan's power comes from the supply but motherboard needs to sense fan bla bla bla" hookups, but the actual wiring configuration depends on the particular motherboard, and honestly- I'm too tired to go Googling for that info right now. It's sleepy-time for Dave................................

DMR 152 Wombat At Large Team Colleague

1. Looks good; I only see one loose end. :)

Run HJT again and have it fix:

O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\l6l60g3se6.dll (file missing)


2. I have a question about these entries; I've found conflicting information on them so far:

O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

Can you tell us anything about the VCClient program?


3. After you fix the O20 entry above, reboot, run HJT one more time, and post the new log.

DMR 152 Wombat At Large Team Colleague

1. Open your Add/Remove Programs control panel and uninstall the MalwareWipe and SpyTrooper "utilities". Please see this page for more information on these and other bogus "anti-spyware utilities".

2. You are running an outdated version of HijackThis; please download and run the current version (1.99.1) and post a new log from that version.

DMR 152 Wombat At Large Team Colleague

Hi emmie, welcome to DaniWeb :)

Before proceeding with the main fixes, uninstall the "Surf Accuracy" program via your Add/Remove Programs control panel; the program is spyware.

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Download and install these utilities (but do not run scans with them yet):

ewido Security Suite (trial version) - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton Antivirus and use its Live Update feature to make sure that you have the most current virus definitions installed. As with the above programs, don't run a scan with Norton; just close it once it is updated.


2. Download and install the CCleaner utility, but don't run it yet.


3. Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "nvidGUIv" or "nvidGUIv2" and double-click on it.

- In the General tab of the Properties window …

DMR 152 Wombat At Large Team Colleague

OK- I have to log off for the night fairly soon, but I'll repost tomorrow after I've had a chance to chew through the event history you posted.

DMR 152 Wombat At Large Team Colleague

OK- that found some nasties. Please do the following:


Make sure that you have closed all open programs and are totally disconnected from the Internet for the following:

From the l2mfix folder, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. (If you get prompted for a password while running L2MFix, type: bye )

Copy the contents of the L2M log and paste it back into this thread, along with a new hijackthis log.

DMR 152 Wombat At Large Team Colleague

1.

Norton seems to run alright when Windows is booted normally. I have found that it works best when I am connected to the internet

Yes, that's a function of Norton's Live Update feature; it likes to check for updates when Norton first starts up, and at whatever interval it's scheduled to run after that.

2.

The links on the IE toolbar work great, but the shortcuts on the desktop don't.

None of the shortcuts work? Do the icons still look normal? What does happen (if anything) when you double-click on those icons?

3.

I was thinking that since we have Norton Internet Security, and the antivirus is part of that, that there might be a connection there.

There could be- the "Integrator" mentioned in the error message is the piece of the Symantec package that provides the consolidated "control center"-type display from which you can run/configure all of the separate components (firewall, anti-virus, anti-spam, etc.) of the Internet Security software bundle. If, when in Safe Mode, you were attempting to launch the anti-virus component via the Integrator window, try launching it directly instead (assuming you have a direct shortcut to the antivirus program in the Norton/Symantec folder under your Start menu).

4.

Frankly, the Norton Anti-Virus hasn't seemed to work very well ever since we got it.

No *cough!* AVG Free Edition *cough!* comment... ;)


5.

Second, 1 of the lsass.exe files is in C:\WINDOWS\system32, and the other in C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989. Hopefully, …

DMR 152 Wombat At Large Team Colleague

Yoiks! :eek: :eek:

I wasn't after the entire log, just the details from some of the entries flagged with "error" or "warning":

... look through your System and Application logs for entries flagged with "Error" or "Warning". Double-clicking on such an entry will open a window with more detailed information on the error; post that info here.

Your log shows entries with application errors 1000, 1001, and 1002, as well as error entries related to DCOM; I'd like to see the details of one of each of those. Here's how to post the full details of a given entry:

- Double-click on an entry to open the entry's Properties window.

- In the Properties window, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard.

- You can then paste the details into your next post in the same way that you paste your HijackThis log- by choosing "Paste" from the "File" menu or by hitting CTRL+V.

DMR 152 Wombat At Large Team Colleague

There should be a record of the PUP's detection in McAfee's Activity Log. Exactly how you get to the log varies between different versions of McAfee, but it shouldn't be hard to find.

DMR 152 Wombat At Large Team Colleague

What? Wasting our time by posting a log??

Haven't you heard? We live for HJT logs. Eat 'em for breakfast, lunch, and dinner; sometimes have 'em for midnight snacks, too. :mrgreen:

Well, OK... that might be a bit extreme, but shoot us a log if you want- we'll give it a review for you.

DMR 152 Wombat At Large Team Colleague

Glad we could help :)

Have a happy, spyware-free New Year!

DMR 152 Wombat At Large Team Colleague

1. The "sys32" folder and its contents are/were the work of a backdoor trojan, but I doubt that the infection was the cause of your program and shortcut problems. Regardless, the entire folder should be deleted if you haven't done so already.


2. It would still be worth seeing if the Event Viewer holds any clues. See if you can access the utility this way:

- Click on the "Run..." option in your Start menu.
- In the resulting "Open:" dialog box, type the following and then click OK: eventvwr

If that works, look through the logs for errors and warnings and tell us if you find anything which might be relevant.


3. Run the System File Checker utility to see if Windows detects any inconsistencies in its system files:

- Click on the "Run..." option in your Start menu.
- In the resulting "Open:" dialog box, type the following and then click OK: cmd
- In the resulting DOS window, type the following at the command prompt and then hit enter: sfc /scannow

DMR 152 Wombat At Large Team Colleague

If you can tell us the exact name of the PUP, we can tell you what it is/does, and whether or not it should be removed.

DMR 152 Wombat At Large Team Colleague

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

DMR 152 Wombat At Large Team Colleague

Make sure that you are totally disconnected from the Internet for the following:

From the l2mfix folder, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. (If you get prompted for a password while running L2MFix, type: bye )

Copy the contents of the L2M log and paste it back into this thread, along with a new hijackthis log.

DMR 152 Wombat At Large Team Colleague

1.

the Norton Antivirus wouldn't run in safe mode. I have had this problem earlier when trying to fix this virus. It comes up with the following error...

Does Norton run properly when booted into Windows normally?

2.

When I searched for sass.exe, I came up with four responses. I erased 2 of them, but the other 2 were lsass.exe, which I did not remove.

Good thinking. "lsass.exe" is a valid Windows file, although there are infections which also use that filename. The legit version of lsass.exe should be found in the C:\WINDOWS\system32 folder, and a backup copy may exist in another folder. Where exactly are your two copies of the file living?

3. Did you intentionally install any Wild Tangent games? Your HJT log shows a Wild Tangent component running as a Windows startup item; if you didn't knowingly install any Wild Tangent programs, that entry should be deleted.

Give us feedback on the above questions and we'll continue from there.
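An added example, not part of the original thread: a PowerShell function that repeats the "sass.exe" search from point 2 above, lists every match on the system drive, and flags any copy whose path is not the expected C:\WINDOWS\system32\lsass.exe. It assumes Windows Vista or later with PowerShell 3.0+ (for Get-AuthenticodeSignature and the -File switch); the signature check is a secondary signal, since catalog-signed system files can report NotSigned on older PowerShell versions.

```powershell
# Added example (not from the original thread). Finds every file matching
# *sass.exe on the system drive (the same search the user ran) and marks the
# one legitimate location, %SystemRoot%\system32\lsass.exe, as expected.
# Anything else is a copy worth examining. Assumes PowerShell 3.0+ on
# Windows Vista or later; a full-drive recursive search can take a while.
function Find-LsassCopies {
    param([string]$Root = $env:SystemDrive)

    $expected = Join-Path $env:SystemRoot 'system32\lsass.exe'

    Get-ChildItem -Path $Root -Filter '*sass.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Catalog-signed system files may show NotSigned on older PowerShell;
            # treat the path check below as the primary signal.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Modified  = $_.LastWriteTime
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Expected  = ($_.FullName -ieq $expected)
            }
        }
}

# Expected copy first, then any others that need a closer look
Find-LsassCopies | Sort-Object Expected -Descending | Format-Table -AutoSize
```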

DMR 152 Wombat At Large Team Colleague

The main infection on your system is a variant of the Look2Me parasite, which can be a bit difficult to remove. Please do the following:

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!