[Wahine]

Hi there, my husband and I have spent a solid 14 hours working on what began as aurora popups. At first, we installed a pop-up blocker from Panicware. This stopped most of the popups. Then we attempted to install McAfee VirusScan 9.0. This screen soon showed a "There was an error in scripts on this page" and we could not proceed. At one point, the McAfee software stopped at a stage before the "download" stage. This is when we began searching the internet for help.

Earlier today I tried a common remedy to aurora that I found online. I downloaded Nailfix, ewido, ccleaner, and hijackthis. I went into Safe Mode and ran these in the suggested order. Ewido found 381 files (many from eZula and ABI), and I deleted all of those. Hijackthis found a number of scripts which I researched on the internet, and then deleted the obvious problems.

I still was unable to run McAfee scan, although some problems seemed resolved:
at startup, before trying my online remedies, I received a notice stating that the computer could not find nail.exe, and a McAfee installation screen was present, but now those two have disappeared.

I then found your web site and followed your instructions. I ran CleanUp! which deleted over 1000 files, I ran Ad-Aware which knocked out about 200 objects, CWShredder found nothing, and Spybot S&D also found objects. I reran Ewido which found two cookies that I deleted. I was unable to access the Windows XP update SP1a, so I did not do that. And finally, here is my latest hijackthis log. Any help you could give me at all would be soooo greatly appreciated. Oh, and one other symptom my computer is having is that I am unable to perform a Search from the Start panel...the normal input boxes do not appear. Thanks again in advance.

Logfile of HijackThis v1.99.1
Scan saved at 8:16:36 PM, on 7/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPSMain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\System32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Lindsay Kirby\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB002" /M "Stylus CX6600"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[Advertisements]

I want you to run the an online scan if you haven't done so already. Use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

The log looks ok now. Just need to find out if there is a trojan doing the dirty work.

Go to Start->Run and type in sfc /scannow and hit OK. Let it run. If it doesn't find any missing/corrupted files, it should close by itself. If it does find something, it may ask for your Windows CD.

[greyknight17]

I want you to run the an online scan if you haven't done so already. Use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

The log looks ok now. Just need to find out if there is a trojan doing the dirty work.

Go to Start->Run and type in sfc /scannow and hit OK. Let it run. If it doesn't find any missing/corrupted files, it should close by itself. If it does find something, it may ask for your Windows CD.

[Wahine]

Hey, thanks for your fast reply. I went to the web site and clicked "Scan Now". The little moving green bar on the button stopped moving, but nothing happened after about 10-15 minutes. Task manager said that the free scan was running, but nothing on the screen happened and I couldn't hear any inner workings of the computer going on. Does this tell you anything? Is there an alternative? I'll keep trying. Thanks.

[Wahine]

Oh and the sfc /scannow run closed on its own. Yay!

[greyknight17]

How about a scan at TrendMicro? Will that work? Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here.

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Boot into Safe Mode by restarting and then hitting the F8 key repeatedly until a menu shows up (choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd (which you should have already). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Save the log from the Ewido scan so that you can post it later.

Restart your computer.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the results here along with the new HijackThis log. Also post the Ewido scan results here.

[Wahine]

All right, I have to run some errands, and I want plenty of time to devote to this, so later this afternoon I will try these fixes and post back with the results ASAP. Thanks.

[Wahine]

Okay, the scan on the link for TrendMicro would not go. I was able to press "Check my PC", and then on the next page, I was able to check the box and click "Continue with the next step". After this, there were some links to information I could click on, but there were no "Scan Now" type buttons. Later I found a different page on this site for a free virus scan. I clicked it, but it did nothing, just like the pandaware scan did. I did try the Spyware scan on this site however, and it found a number (100-ish) of iffy files, and it deleted all of those. I followed the rest of your directions. Here is the Ewido scan, then the FindIt's scan and then HijackThis.





---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:33:54 PM, 7/23/2005
+ Report-Checksum: 3EAF57E8

+ Scan result:

No infected objects found.


::Report End



Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 07/23/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\A_I_037.DLL
* UPX! C:\WINDOWS\System32\VM_D.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is D838-FE6B

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is D838-FE6B

Directory of C:\WINDOWS\system32

01/28/2003 02:18 PM 25,214 sd_drive.ico
1 File(s) 25,214 bytes
0 Dir(s) 35,443,429,376 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».





Logfile of HijackThis v1.99.1
Scan saved at 5:35:52 PM, on 7/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPSMain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Lindsay Kirby\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB002" /M "Stylus CX6600"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[greyknight17]

OK, basically done here. Just delete these two files:

C:\WINDOWS\System32\A_I_037.DLL
C:\WINDOWS\System32\VM_D.DLL

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

[Wahine]

Oh, and yesterday I ran the CWShredder which found nothing, but two of the deleted files found by trendmicro's spyware scan today were CoolWebSearch files.

[Wahine]

Okay, I deleted those two. Is there a reason why I am unable to scan the computer using those two web sites, or why I am unable to search out of the windows Start panel? I thought these might be virus related, but maybe not. Also, I'm still having problems installing my anti-virus software. Are these other issues? Do you have any suggestions about how to fix these?

[greyknight17]

OK, since those problems might be related, let's dig a little deeper:

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs...p?page=download. Learn how to use it at http://tds.diamondcs...?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at http://tds.diamondcs...php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

Right click on http://www.silentrun...ent Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Go to Start->Run and type in sfc /scannow and hit OK. Let it run. If it doesn't find any missing/corrupted files, it should close by itself. If it does find something, it may ask for your Windows CD.

[Wahine]

Boy, the digging is getting deeper. The link you posted brought up nothing, but the web site says they have discontinued the TDS software. Should I follow the second directions on your post?

[greyknight17]

LOL. I leave for a few weeks and things start changing.

OK, I don't know what happened with that program (why it was discontinued?), but use this instead:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

Give me the Silent Runners log also in the same reply.

[Wahine]

All righty, the Mwav log is below. (40 errors and 11 viruses) When I tried to open Silent Runner from my desktop, a warning popped up that said "Could not create object named WScript.Shell". I am guessing that I haven't disabled some script blocker. That's also a problem when I tried to install McAfee last night...there's a script error. I had Norton on my computer at one time, but I couldn't find the program now however. I found a shortcut icon for it that goes nowhere, and I wonder if the program got deleted somewhere along the way. Could one of these blockers be from any of the fixes that we've installed?

Also before running MWav, I emptied all the quarantine folders I could find and I purged the Spybot Recovery folder. I don't know if I missed anything.




File C:\Documents and Settings\Lindsay Kirby\Desktop\Nailfix\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Documents and Settings\Lindsay Kirby\Desktop\Nailfix.zip tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxwma.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00020906-0000-0000-C000-000000000046}" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{06290BD5-48AA-11D2-8432-006008C3FBFC}" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0c097121-c5d6-47eb-841d-30bff71a71c4}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7F23E6E5-0E79-4aee-B723-B1463805D5A9}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8ECF83A0-1AC9-11D4-8501-00A0CC5D1F63}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B9BA256A-075B-49ea-B9E2-7DBC2EF021D5}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{ECFBE6E0-1AC8-11D4-8501-00A0CC5D1F63}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}" refers to invalid object "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\MiniBugTransporter.MiniBugTransporterX" refers to invalid object "{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}". Action Taken: No Action Taken.
Entry "HKCR\MiniBugTransporter.MiniBugTransporterX.1" refers to invalid object "{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\PWIBHO.Panicware" refers to invalid object "{00000000-6C30-11D8-9363-000AE6309658}". Action Taken: No Action Taken.
Entry "HKCR\PWIBHO.Panicware.1" refers to invalid object "{00000000-6C30-11D8-9363-000AE6309658}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
File C:\WINDOWS\System32\a_i_037.exe infected by "Trojan-Downloader.Win32.IstBar.iu" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Lindsay Kirby\Desktop\Nailfix\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Documents and Settings\Lindsay Kirby\Desktop\Nailfix.zip tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\Quarantine - 07-13-2005 - 20-27-37.SBU infected by "Trojan-Downloader.Win32.TSUpdate.k" Virus! Action Taken: No Action Taken.
File C:\Program Files\sf\sf.exe infected by "Trojan-Downloader.Win32.Small.hs" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\a_i_037.exe infected by "Trojan-Downloader.Win32.IstBar.iu" Virus! Action Taken: No Action Taken.

[greyknight17]

Yep, you did it correctly.

Most of these are just junk registry entries. We'll clean that up now.

Get noscript and run it. See if scripting is enabled. If not, enable it with that program. Then try running Silent Runners again.

Delete these:

C:\Program Files\sf\
C:\WINDOWS\system32\a_i_037.exe

Delete everything in this folder:
C:\Program Files\Panicware\Pop-Up Stopper Anti-Spyware\Quarantine\

Download CCleaner and install it. Run it and click on Issues. Scan it. Then check all those listed and hit the Fix selected items button.

Download FxIstbar and run it.