[Beck]

Hi! I have been having a problem with WinFixer and WinAntiSpy for about 2 weeks. (I see they are popular topics) I have gone through the "list" of things to do with a few minor snags, that hopefully someone can help me with. I am fairly new to computers, so bare with me

~I installed cleanup and ran it
~I attempted to install Ad-aware SE and after downloading it, recieved this message "Could not Intitalize Installation. File size expected 2855080. Size returned 1840248. Have no clue why it would not install or run
~I Installed CWShredder and ran it
~I already had Spybot and I updated it and scanned it. Fixed problems
~I already have Norton Internet Security. Did a full update and Scan
~ I rebooted
~ Downloaded HiJack This and here are the results:
Logfile of HijackThis v1.99.1
Scan saved at 3:15:01 AM, on 9/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\Downloaded Program Files\UWAS5LP_0001_0811NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Netscape Internet Service\dialer.exe
C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe
C:\Program Files\Netscape Internet Service\css.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Documents and Settings\Bernard Denzer\Local Settings\Temporary Internet Files\Content.IE5\GY4OIEET\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\ServicePackFiles\comnut.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\WINDOWS\Downloaded Program Files\UWAS5LP_0001_0811NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\nsaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23FC7D03-4B53-4B64-B27C-66E47E671524}: NameServer = 205.188.146.145
O20 - Winlogon Notify: comnut - C:\WINDOWS\ServicePackFiles\comnut.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe







I'm not sure where to go from here, or if you can help me. Any advice would be appreciated. Thanks!

Edited by Beck, 06 September 2005 - 03:00 AM.

[Advertisements]

Welcome Beck to Geeks to Go!

HijackThis is being run from a temporary foldert.
Please create a new folder for it and place the program into that new folder.

***

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box and/or Uncheck Resident.
Close Spybot.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\Downloaded Program Files\UWAS5LP_0001_0811NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning and a list of forums to seek help at.
  it should look like this
  

  VundoFix V2.1 by Atri
  By pressing enter you agree that you are using this at your own risk
  Please seek assistance at one of the following forums:
  http://www.atribune.org/forums
  http://www.247fixes.com/forums
  http://www.geekstogo.com/forum
  http://forums.net-integration.net
  

• At this point press enter one time.
  
• Next you will see:
  

  Type in the filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.

• At this point please type the following file path (make sure to enter it exactly as below!):
  • C:\WINDOWS\ServicePackFiles\comnut.dll
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
• The fix will run then HijackThis will open.
• In HiJackThis, please place a check next to the following items and click FIX CHECKED:R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
  
  O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
  
  O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\ServicePackFiles\comnut.dll
  
  O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
  
  O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\WINDOWS\Downloaded Program Files\UWAS5LP_0001_0811NetInstaller.exe"
  
  O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe"
  
  O20 - Winlogon Notify: comnut - C:\WINDOWS\ServicePackFiles\comnut.dll
• After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
• Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
• Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

[g2i2r4]

Welcome Beck to Geeks to Go!

HijackThis is being run from a temporary foldert.
Please create a new folder for it and place the program into that new folder.

***

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box and/or Uncheck Resident.
Close Spybot.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\Downloaded Program Files\UWAS5LP_0001_0811NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning and a list of forums to seek help at.
  it should look like this
  

  VundoFix V2.1 by Atri
  By pressing enter you agree that you are using this at your own risk
  Please seek assistance at one of the following forums:
  http://www.atribune.org/forums
  http://www.247fixes.com/forums
  http://www.geekstogo.com/forum
  http://forums.net-integration.net
  

• At this point press enter one time.
  
• Next you will see:
  

  Type in the filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.

• At this point please type the following file path (make sure to enter it exactly as below!):
  • C:\WINDOWS\ServicePackFiles\comnut.dll
• Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
• The fix will run then HijackThis will open.
• In HiJackThis, please place a check next to the following items and click FIX CHECKED:R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
  
  O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
  
  O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\ServicePackFiles\comnut.dll
  
  O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
  
  O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\WINDOWS\Downloaded Program Files\UWAS5LP_0001_0811NetInstaller.exe"
  
  O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe"
  
  O20 - Winlogon Notify: comnut - C:\WINDOWS\ServicePackFiles\comnut.dll
• After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
• Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
• Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

[Beck]

Silly question from a person who should probably not own a computer:

How do I find the Hijack program and how would I make that folder permanent? I made a new folder, but now I am lost again.
I looked for the temp folder, but I can't find it

Edited to add, I think I found it, but it says i can't open it, because it needs to know what program created it. Did I do something wrong when downloading it?

:hangsheadinshame:

Edited again: I think I figured it out

Edited by Beck, 06 September 2005 - 04:06 AM.

[Beck]

I can't seem to get my computer into safe mode. I reboot and start tapping the F8 button continuously. No menu ever pops up. How long should I tap, and am I doing something wrong?

[g2i2r4]

Here's how to boot to safe mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
Some computers use F5 instead of F8.

[Beck]

Couple of questions:
I was able to get my computer into safe mode. It then asked if I should be logged in under as Administrator, or My name. Does it matter which one I pick?

Also~
I chose Administrator and clicked on KillVondo.Bat. The warning screen popped up, and I hit enter. I entered C:\WINDOWS\ServicePackFiles\comnut.dll
and then hit enter, F6, and enter again, first I got a pop up from Norton saying that a malicious script has been detected. I assumed it was just the Vundo, so I selected to "allow once" and I got this message:

Script:C:/Documents and Settings/My name/Desktop starthjt.vbs.

Line: 3

Char: 2

Error: The system cannot find the file specified

Code 80070002

Source (null)


I hit a key, and got the blue screen of death. It did not go away, so I unplugged the computer, and here I am. When starting up the computer again, Norton flashed saying it was off, and told me to click on the icon on my tool bar, so I did.

Am I in completely over my head, and should I just call someone to come fix this? I'm really afraid that I am going to screw up the computer.

[g2i2r4]

So you're back in normal mode now?

I think we can do this together, just follow my lead.

Disable Norton. Then rerun the advise. We should let the entire script run once.

Don't move on, just take it one step at the time.



EDIT:

Just saw you first respons.

Silly question from a person who should probably not own a computer

First of all, there are no silly questions. The questions you don't ask often present a problem.

Anybody can own a computer and have a good time working with them. You just have to learn how.

Edited by g2i2r4, 06 September 2005 - 05:21 AM.

[Beck]

I'm pretty sure I am in normal mode. When you say rerun the advise and let the entire script run, are you talking about just going through all of the steps again?

[g2i2r4]

yes

See, no silly question, just you checking if you understand me correctly.

[Beck]

Should I start at Killbox again, or start by going into safemode and trying VundoFix?

If I do go into safe mode, does it matter if I log on as Administrator or my name?

Could the trouble be because I think I made a folder for HijackThis, when I actually haven't? Becuase That is when it seemed to go wrong, when Vundo was trying to open the Hijack.

[Beck]

Also, when I double click on the folder for Hijack that I made, It says that Windows can't open this file, and that it needs to know who created it. Is that supposed to happen?
I'm not sure why I could use it before, and not now

Another question (trying to problem solve) I did not download Windows SP1a, because I thought that since I have Windows XP already, I did not need it. Am I wrong ?

Edited by Beck, 06 September 2005 - 05:49 AM.

[g2i2r4]

Also, when I double click on the folder for Hijack that I made, It says that Windows can't open this file, and that it needs to know who created it. Is that supposed to happen?
I'm not sure why I could use it before, and not now 

I'm not sure what went wrong there. Let's start again. Remove the folder you made and everything in it.

------

Please download the latest version of HiJack This. Click here to download the latest version (1.99.1). Please save it in a permanent folder (such as C:\HJT). This is to ensure that backups are saved and accessible in the event you should need it. Follow the instructions below if you are unsure how to save it in a permanent folder:

1.) Click on the link to download HiJackThis.exe.
2.) When it pulls up the box (for you to pick a location to save the file), click on the pulldown menu and select "[C:]".
3.) Click on the button to "create new folder" and name the folder HiJackThis
4.) Double click on the folder you just made (to go into the folder) and click "save" on the bottom of the box.

Another question (trying to problem solve) I did not download Windows SP1a, because I thought that since I have Windows XP already, I did not need it. Am I wrong ?

You really need at least SP1a and when we are done I advise you to update fully.

XP is like a house you bought. During use you find holes in it. SP1a fixes some of those. SP2 fixes more. Critical updates are made to fixe holes now, rather than wait for a bunch of holes.


If you did the killbox part already, move on to the safe mode part and start there.

[Beck]

I have hijack downloaded, Finally. (where is the smiley with the bag over it's head?)

I attempted to download SP1a, and I recieved the message "Cannot display window you are trying to view. Error code 0x80072F76
I have contacted Windows to try to figure out why, and I am waiting for an answer.

I'm now going to turn off Norton, and try again

Thank You for all of your help

[Beck]

I sucessfully reached safe mode, and double clicked KillVundoBat. I entered the file path and after clicking enter, F6, enter, I received the message "File path you entered does not seem to exist. Please check that you have the correct file path" I rebooted and tried it agin 3 times, with no success, and receiving the same message. The File Path I am using is:


C:\WINDOWS\ServicePackFiles\comnut.dll


Should I run another hijack log?

Edited by Beck, 06 September 2005 - 08:23 AM.

[g2i2r4]

Please do.

Don't update to SP2 yet, wait 'till we cleaned up.