Tried but don't work :(

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by xjennzennx, Jan 28, 2005.

  1. xjennzennx

    xjennzennx Private E-2

    Hello there, I've been here before and you guys do wonders...
    but sad to say I got more crap on my comp. Well, I tried to clean it with your guys' posts and it's not working, so let me know if I should show you guys my HijackThis log.
    And I'm not sure what the problem is... thanks for any help you can give...
     
  2. TheOldThug

    TheOldThug First Sergeant

    Hi

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not, post your results and I am sure one of the PROS can help you. These guys are quite busy, as you can see by the number of posts, so hang in there. Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT

    TheOldThug
     
  3. TheOldThug

    TheOldThug First Sergeant

  4. xjennzennx

    xjennzennx Private E-2

    OK, tried those and it seems to not work. There are 2 things it can't delete, both are Trojans... here is my HijackThis log... thanks again for any help.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read the instructions again for HJT.

    No browsers should be running. You had Internet Explorer running. You need to extract HJT from the ZIP file and put it in the directory indicated and run it from there. Also you need to post HJT logs from normal boot mode not safe mode.

    You have more problems than what you mentioned.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After fixing what I mentioned in my previous message continue with the below. Note, if you do not fix what I indicated first, you will not get any backups from HJT and thus if you make a mistake you will be unable to fix it.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\VINCE\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll
    O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll
    O4 - HKLM\..\Run: [kiudwrnfobvf] C:\WINDOWS\System32\oysxth.exe
    O4 - HKLM\..\Run: [Software] C:\WINDOWS\System32\Software\software.exe
    I have to question this Bouncer entry. Do you know what it is? If not, fix it too. I wonder if it is a renamed Virtual Bouncer.
    O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\LiveUpdate.exe 110
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [iyaaqgd] c:\windows\bwjuejo.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.finefind.net
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: http://www.paypal.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://spy-ware-soft.com/freecounter.chm::/test.exe
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab
    O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)

    After clicking Fix, exit HJT. Some of the above O15 entries will probably come back. We get them on the next pass with another procedure.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\IESearchToolbar <--- delete the whole folder
    C:\WINDOWS\System32\Software <--- delete the whole folder
    C:\Program Files\Bouncer <--- if you fixed the entry above, then delete the whole folder.
    C:\WINDOWS\System32\oysxth.exe
    c:\windows\bwjuejo.exe
    C:\WINDOWS\System32\spoolsrv32.exe
    This next file (C:\WINDOWS\Downloaded Program Files\SbCIe028.dll) cannot be found using Windows Explorer because of where it is located. So we need to use a special procedure to delete SbCIe028.dll:
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines, each followed by the Enter key:
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s SbCIe028.dll
    del SbCIe028.dll
    exit

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
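    A small parser for the HijackThis log lines chaslang walks through above, written as an added example (not HJT's own code, nor anything posted in this thread). The sample lines are copied from the log quoted above; the review rules are assumptions drawn from the kinds of entries flagged in this thread (about:blank search pages, RunOnce entries that keep coming back, random-named Run entries, Trusted Zone additions, ms-its: DPF loaders, services whose file is missing).

```python
import re

# Constructed sample input: a few HijackThis lines quoted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll
O4 - HKLM\..\Run: [kiudwrnfobvf] C:\WINDOWS\System32\oysxth.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://spy-ware-soft.com/freecounter.chm::/test.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, O15, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

def parse_hjt(text):
    """Split an HJT log into (section, body) tuples, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def review(section, body):
    """Return a reason when an entry deserves a look, else None (rules are assumptions)."""
    if section in ("R0", "R1") and body.endswith("= about:blank"):
        return "IE search/start page set to about:blank (classic hijack)"
    if section == "O4" and "RunOnce:" in body:
        return "RunOnce entry; a legitimate one disappears after a single boot"
    if section == "O4" and re.search(r"\[[a-z]{7,}\]", body):
        return "Run entry with a random-looking name"
    if section == "O15":
        return "site or IP added to the IE Trusted Zone (lowers security for it)"
    if section == "O16" and "ms-its:" in body:
        return "Downloaded Program File fetched through an ms-its:/CHM loader"
    if section == "O23" and "(file missing)" in body:
        return "service points at a file that no longer exists (orphaned)"
    return None

def flagged(text):
    """Entries with a reason, in log order, as (section, reason, body)."""
    out = []
    for section, body in parse_hjt(text):
        reason = review(section, body)
        if reason:
            out.append((section, reason, body))
    return out
```

Run it on a saved log and the O2 toolbar line above is the only one that passes; the other seven come back with the reason shown in the review rules.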
  7. xjennzennx

    xjennzennx Private E-2

    Yea, things seem to be better. Just want to know, I still keep getting a pop-up on the desktop, seems to be from Windows, saying it detects spyware and there is no spyware protection on my PC. Also an icon on my toolbar on the bottom says the same thing. When playing online games it sometimes drops my screen to the desktop. Other than that I think it's fine...
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you forget to shut Internet Explorer down again?
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    You must always exit browsers before using HijackThis. Not doing so can affect the ability to fix items properly.

    Did you forget to fix the below items last time or did you have a problem with finding the files and deleting them:

    O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\liveupdate.exe 110
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

    They are still in your HJT log now.

    In order to help me help you, you must provide feedback on the instructions and you must answer questions. Remember I cannot see what happens at your end. You need to tell me if things work or if they do not work.

    I had asked about the Bouncer stuff. Do you know what it is? I'm still assuming it is bad.
     
    Last edited: Jan 30, 2005
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First let's fix the crazywinnings problem:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).

    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search21.thesearchs.com/search.html
    O4 - HKLM\..\Run: [Bouncer RunStartup] C:\Program Files\Bouncer\liveupdate.exe 110
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Bouncer <--- if you fixed the entry above, then delete the whole folder.
    C:\WINDOWS\System32\spoolsrv32.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: Jan 30, 2005
  10. xjennzennx

    xjennzennx Private E-2

    Yea, those Bouncer files I could not remove... not sure how to stop running Explorer, I don't see it running... I will try to remove the crazywinnings thing now... I'll let you know, thx for the help again...
     
  11. xjennzennx

    xjennzennx Private E-2

    Also my Notepad is not responding... I've got WordPad but not sure if that will work...
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you can use Wordpad. But when you save it, you must change the Save as type to Text Document. And then change the filename to move.reg.

    You will get another prompt about saving a text document. Just say yes.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So I guess that means you do not know what it is for?

    Can you right click on the liveupdate.exe file and get Properties, Version info?
     
  14. xjennzennx

    xjennzennx Private E-2

    OK, did all that you said to do, think it all worked but the Bouncer one, that's not going away...
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly what are you doing! This log is from:

    Logfile of HijackThis v1.98.2
    Scan saved at 6:47:10 PM, on 8/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    So what is it that you are trying to do here?
     
  16. xjennzennx

    xjennzennx Private E-2

    Not sure what happened... sorry, I don't know a whole lot about computers, just very basic stuff... I think this is the newest log...
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now you are running HJT from the ZIP file again. We had this all fixed even back in message #7. What did you do to the proper HJT that was:

    C:\Program Files\hijackthis\HijackThis.exe
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why is savedump.exe running now? This was not running earlier. Exactly what have you been doing?
    C:\WINDOWS\system32\savedump.exe

    You need to do the following because I think they are conflicting with each other and blocking some changes.
    Go to Add/Remove Programs and uninstall all of the below (if installed - some I can see are):
    - SpywareGuard
    - SpyBlocker
    - Spybot S&D
    - SpywareBlaster
    - Spykiller <--- this is junk anyway
    - BestPopUpKill <--- this is junk anyway
    - Bouncer <--- see if there is anything like this in Add/Remove Programs. It may be called VirtualBouncer

    Then reboot and post a new HJT log that is properly installed.

    Please look on your system for C:\Program Files\Bouncer\liveupdate.exe
    Can you see this folder and file?
     
  19. xjennzennx

    xjennzennx Private E-2

    OK, I removed what I could... here's the log
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are these still in your log:

    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup

    Is it because there was no uninstall in Add/Remove Programs? If so, exit all browsers and have HJT fix those entries. Then reboot into safe mode and delete:

    C:\Program Files\SpyBlocker Software <--- the whole folder
    C:\Program Files\SpyKiller <--- the whole folder
    C:\Program Files\BestPopUpKiller <--- the whole folder

    Then reboot in normal mode and post a new HJT log.
     