Trying to make sure computer is cleaned..

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by srmjdm, Sep 19, 2006.

  1. srmjdm

    srmjdm Private E-2

    I recently received this Dell Dimension 2350 and it was full of junk. I have worked through the READ & RUN ME FIRST sticky, up to step 7, the HijackThis log posting. I think I followed all the steps correctly; if not, I am sure someone will let me know. I know on one of the scans it was not able to delete "kybrdff_e7.exe". When I first got this computer, every time I would log on to the internet, it would have all kinds of popups. It would also change my start page to different things, usually "findmorehits.com".

    Can anyone tell me what the kybrdff_e7.exe is and if I need to get rid of it?? Also can anyone tell me if I have cleaned the computer off all the problems it had?

    Thanks in advance!

    Renee
     

    Attached Files:

  2. srmjdm

    srmjdm Private E-2

    runkeys & shownew
     

    Attached Files:

  3. srmjdm

    srmjdm Private E-2

    ok just got a popup that said something about
    exittracking.com/?site=mygeek

    what is causing these popups??

    thanks
     
  4. srmjdm

    srmjdm Private E-2

    hijackthis log
     

    Attached Files:

  5. srmjdm

    srmjdm Private E-2

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a few different problems. Let's begin with the Virtumonde infection.

    Please run this Virtumonde aka Trojan Vundo Removal and attach the request log.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\kybrdff_e7.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo0002099b.exe
    c:\kybrdff_e8.exe
    c:\dfndrff_e8.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
    O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
    O2 - BHO: (no name) - {FD319CB8-786C-405F-8BCC-0F312CA92DF6} - C:\WINDOWS\system32\ssttu.dll
    O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e8.exe
    O4 - HKLM\..\Run: [defender] c:\\dfndrff_e8.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O18 - Protocol: bw+0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Deskbar <--- the whole folder
    C:\Program Files\Common Files\zwkq <--- the whole folder
    C:\kybrdff_e7.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo0002099b.exe
    c:\kybrdff_e8.exe
    c:\dfndrff_e8.exe
    C:\deskbar.exe
    C:\dfndrff_12.exe
    C:\kybrdff_12.exe
    C:\WINDOWS\bwUnin-6.1.4.61-8876480L.exe
    C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
    C:\WINDOWS\srvaxjfple.exe
    C:\WINDOWS\srvdhdshmx.exe
    C:\WINDOWS\system32\rhufhofg.exe
    C:\WINDOWS\system32\vcshost.exe
    c:\stub_113_4_0_4_0newer.exe

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Owner\Local Settings\Temp

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode and attach new logs from the below:
    - HJT
    - GetRunKey
    - ShowNew

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
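As an added example (not code from the thread, from HijackThis or from MajorGeeks), the parser below models the HJT line shapes quoted above and applies the checks the reply makes by eye: dead BHO/URLSearchHook entries, unnamed BHOs, Run entries launching from C:\ or a Temp folder, the hosts the R0/R1 settings redirect to, and O18 handlers grouped by DLL (which is why one Logitech DLL shows up under dozens of protocol names). The regexes are an assumed simplification of HJT's real output, and the sample log is a constructed selection of lines from this thread.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Regexes for the HijackThis line shapes quoted in the thread. They are a
# simplification of HJT's real output (assumption) and model only those shapes.
R_SETTING = re.compile(
    r"^(?P<type>R[01]) - (?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
CLSID_ENTRY = re.compile(  # O2 BHO and R3 URLSearchHook lines share this shape
    r"^(?P<type>O2|R3) - (?:BHO|URLSearchHook): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\}"
    r" - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RUN = re.compile(
    r"^(?P<type>O4) - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O18_PROTO = re.compile(
    r"^(?P<type>O18) - Protocol: (?P<proto>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


def _norm(path):
    # HJT prints registry data verbatim, so "c:\\kybrdff_e8.exe" is a doubled
    # separator stored in the Run value, not an escape sequence.
    return path.strip().replace("\\\\", "\\").lower()


def parse_line(line):
    """Return a dict describing one HJT line, or None for shapes not modelled here."""
    for pattern in (R_SETTING, CLSID_ENTRY, O4_RUN, O18_PROTO):
        m = pattern.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["missing"] = bool(entry.get("missing"))
            return entry
    return None


def launches_from_root_or_temp(path):
    """True when an autorun executable sits directly in a drive root or under a Temp folder."""
    p = _norm(path)
    in_root = re.match(r"^[a-z]:\\[^\\]+\.exe$", p) is not None
    return in_root or "\\temp\\" in p


def triage(lines):
    """Apply the checks the thread performs by eye and return them grouped by finding."""
    report = {
        "dead_clsid_entries": [],      # BHO/URLSearchHook whose DLL is already gone
        "unnamed_bhos": [],            # BHOs with no name: worth a second look
        "root_or_temp_autoruns": [],   # Run entries launching from C:\ or a Temp folder
        "redirect_hosts": Counter(),   # hosts the R0/R1 search/start settings point at
        "protocols_per_dll": defaultdict(list),  # O18 handlers grouped by their DLL
    }
    for e in filter(None, (parse_line(l) for l in lines)):
        t = e["type"]
        if t in ("O2", "R3"):
            if e["missing"]:
                report["dead_clsid_entries"].append((e["name"], e["clsid"]))
            elif e["name"] == "(no name)":
                report["unnamed_bhos"].append((e["clsid"], _norm(e["path"])))
        elif t == "O4" and launches_from_root_or_temp(e["path"]):
            report["root_or_temp_autoruns"].append((e["name"], _norm(e["path"])))
        elif t in ("R0", "R1") and e["data"].startswith("http"):
            report["redirect_hosts"][urlparse(e["data"]).hostname] += 1
        elif t == "O18":
            report["protocols_per_dll"][_norm(e["path"])].append(e["proto"])
    return report


# Constructed sample: a selection of the HJT lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
O2 - BHO: (no name) - {FD319CB8-786C-405F-8BCC-0F312CA92DF6} - C:\WINDOWS\system32\ssttu.dll
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e8.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e8.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O18 - Protocol: bw+0 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {8A6DC210-C2CB-4847-BB02-E8F565968E87} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
"""

if __name__ == "__main__":
    for finding, items in triage(SAMPLE_LOG.strip().splitlines()).items():
        print(finding, dict(items) if isinstance(items, dict) else items)
```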
  7. srmjdm

    srmjdm Private E-2

    Will start on your helpful advice when I get home this afternoon and will post the requested logs and let you know how things are working.

    Just one question.. I noticed that Logitech Desktop Messenger was on the log a lot. I am sure it is something that installed when I installed the new wireless mouse and keyboard set, but why in the world does it show up so many times on that log? Just curious.

    Thanks for all your help!
    Renee
     
  8. srmjdm

    srmjdm Private E-2

    Ok, ran the Virtumonde removal tool. Had to run it twice because the first time it said it could not delete c:\windows\system32\ssttu.dll
    It rebooted and ran again and the second time it deleted it.

    On the next step
    "Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\kybrdff_e7.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo0002099b.exe
    c:\kybrdff_e8.exe
    c:\dfndrff_e8.exe"
    I did all that except for killing C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo0002099b.exe. It was not listed in my process.


    Next step "After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Deskbar <--- the whole folder
    C:\Program Files\Common Files\zwkq <--- the whole folder
    C:\kybrdff_e7.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo0002099b.exe
    c:\kybrdff_e8.exe
    c:\dfndrff_e8.exe
    C:\deskbar.exe
    C:\dfndrff_12.exe
    C:\kybrdff_12.exe
    C:\WINDOWS\bwUnin-6.1.4.61-8876480L.exe
    C:\WINDOWS\bwUnin-7.2.0.157-8876480SL.exe
    C:\WINDOWS\srvaxjfple.exe
    C:\WINDOWS\srvdhdshmx.exe
    C:\WINDOWS\system32\rhufhofg.exe
    C:\WINDOWS\system32\vcshost.exe
    c:\stub_113_4_0_4_0newer.exe
    "
    I did all that except for the last three
    C:\WINDOWS\system32\rhufhofg.exe
    C:\WINDOWS\system32\vcshost.exe
    c:\stub_113_4_0_4_0newer.exe
    I couldn't find any of those to delete.

    Followed the rest of the steps and here are my new logs.
    Let me know what's next.
    Thanks very much!

    Also, in case it matters, I am running Windows XP Home Edition Service Pack 2 and IE6.

    Thanks again!
    Renee
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. A couple new items showed up and one item remains from the previous HJT log (Deskbar).

    First goto Add/Remove programs and uninstall the below if found. Tell me what you find:
    Search Bar

    Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
    O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\qsffvgxv.dll


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (tell me what you find):
    C:\Program Files\Deskbar <--- the whole folder
    C:\WINDOWS\system32\qsffvgxv.dll

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and attach new logs from the below:
    - HJT
    - ShowNew

    Make sure you tell me how things are working now.
     
  10. srmjdm

    srmjdm Private E-2

    Okay finally got back to complete your last recommendations, here's what I did...

    First goto Add/Remove programs and uninstall the below if found. Tell me what you find:
    Search Bar

    Clicked the Change/Remove button and the screen kinda flipped but the item Search Bar is still there, only now there is no size listed for that program.


    Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)
    O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\qsffvgxv.dll

    Deleted those two lines.

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (tell me what you find):
    C:\Program Files\Deskbar <--- the whole folder
    C:\WINDOWS\system32\qsffvgxv.dll

    Booted into safe mode and could not find the C:\Program Files\Deskbar
    but did delete the C:\WINDOWS\system32\qsffvgxv.dll.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and attach new logs from the below:
    - HJT
    - ShowNew

    Make sure you tell me how things are working now.

    And here are the two requested logs...
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Locate the below file and delete it:
    C:\WINDOWS\system32\gebcd.dll

    Now copy the bold text below to Notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now attach a new log from ShowNew.
    Also, this time remember to tell me how things are working.
     
  12. srmjdm

    srmjdm Private E-2

    ok
    deleted file C:\WINDOWS\system32\gebcd.dll
    merged fixWLK.reg
    and attached new log.
    Computer seems to be running fine; my home page hasn't changed lately, and I haven't gotten any popups either. Of course I haven't really been using this computer much because I wanted to get everything fixed before really using it, but it does seem to be working better as far as popups and my home page changing.

    Thanks for all your help!
    Renee
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That SearchBar registry key is still there. It must be an ownership problem!

    Please download and install Registrar Lite Make sure you select a Majorgeeks download link and not the Authors!

    Run Registrar Lite navigate to the following key and take ownership of it (explained further down):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the Menu
    • Select Take Ownership
    • Now leave RegistrarLite running and continue
    • Now run the REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • Does the above SearchBar key still exist? If so, right click on it and select Delete.
    Here is the Registry Patch - make sure to redownload and overwrite the previous copy

    Now copy the bold text below to Notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now attach a new log from ShowNew!
     
  14. srmjdm

    srmjdm Private E-2

    Downloaded, ran, and took ownership of the key. No problems or error messages.

    Redownloaded and remerged patch, everything worked right as far as I can tell.

    Looked for that SearchBar key (wasn't sure I knew what to look for, but I did not see anything about a SearchBar. It did have this red highlighted Deskbar one; is that what I should delete?). Here is what it had listed:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware SE Personal
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG7Uninstall
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BCM V.92 56K Modem
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Branding
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cayman 3300 Series USB Network
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DBTB00001.DBTB00001Deskbar
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ewidoantispyware4
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ICW
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB873339
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB884016
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885835
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885836
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB886185
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB887472
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB888302
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890046
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890859
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB891781
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893756
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803v2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB894391
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896358
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896423
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896424
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896428
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB898461
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB899587
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB899591
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is a different one that we had fixed part of earlier. You can delete that key for Deskbar too. The one I was worried about was Search Bar.

    Attach a new log from ShowNew so I can verify that it is now gone.
     
  16. srmjdm

    srmjdm Private E-2

    Okay, deleted that Deskbar line. Merged the new fixwlk.reg and attached a new ShowNew log.

    Let me know what's next.

    Thanks for all your help!
    Renee
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can now delete the two registry patches ( fixme.reg and fixwlk.reg ) from your Desktop.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  18. srmjdm

    srmjdm Private E-2

    Thanks for all your help. I hope everything is working right now. I am going on and following the suggestions in the "How to protect yourself" link.
    I do have one more question as of right now.. maybe you can help me with it. I recently purchased the wireless Logitech mouse and keyboard. For some reason, sometimes when I hit the space bar while typing it does not space. Is there some kind of setting to adjust that, or is the keyboard just being defective? Any ideas?
    Thanks again!
    Renee
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That would be a problem you should discuss in the Hardware Forum.
     
  20. srmjdm

    srmjdm Private E-2

    One more question.
    I tried to go to Windows Update and update my computer, but after I downloaded the updates and tried to install them, the install failed. Can you help me figure out what I need to do? I tried redownloading them, but the install still failed.

    Thanks again
    Renee
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That would be a topic for the Software Forum now since we have removed your malware. But you need to be more specific about what is failing. Is the actual update process failing? Do you get an error message? Windows Update downloads and installs in one step.

    You could try the below two things:
    - add Windows Update to your Trusted Zone (i.e., put this url in the TZ: update.microsoft.com )
    - now try the below:

    Copy the contents of the below Quote Box into Notepad. Then click File and then Save As. Change the Save as Type to All Files. In the File Name field enter C:\WinUpFix.cmd and then click save. This will create the WinUpFix.cmd file in the root folder of drive C.
    Now while you can directly run the WinUpFix.cmd file by double clicking on it, that will not allow you to see any errors if any do occur. So a better method is to run it from a command prompt window. Click Start, Run, and enter cmd and click OK. This opens the command prompt window. In the command prompt window type the following lines each followed by the enter key:
    cd c:\
    WinUpFix.cmd

    Write down any error messages if you get any, and post them back in your next message in your original thread. Post the exact word for word message. You do not need to write down the success messages which will be output as the script runs. Only note any failures.

    If you do not get any error messages, check to see if Windows Update works now. If it does not, I would suggest trying the Software Forum.
     
  22. srmjdm

    srmjdm Private E-2

    Ran the WinUpFix.cmd and this is what came up in the cmd window:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Owner>cd c:\

    C:\>WinUpFix.cmd

    C:\>C:\WINDOWS\system32\net.exe stop bits
    The Background Intelligent Transfer Service service is not started.

    More help is available by typing NET HELPMSG 3521.


    C:\>C:\WINDOWS\system32\net.exe stop wuauserv
    The Automatic Updates service is stopping.
    The Automatic Updates service was stopped successfully.


    C:\>C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\atl.dll

    C:\>C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\jscript.dll

    C:\>C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\msxml3.dll

    C:\>C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\softpub.dll

    C:\>C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\wuapi.dll

    C:\>C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\wuaueng.dll

    C:\>C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\wuaueng1.dll

    C:\>C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\wucltui.dll

    C:\>C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\wups.dll

    C:\>C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\wuweb.dll

    C:\>C:\WINDOWS\system32\net.exe start bits
    The Background Intelligent Transfer Service service is starting.
    The Background Intelligent Transfer Service service was started successfully.


    C:\>C:\WINDOWS\system32\net.exe start wuauserv
    The Automatic Updates service is starting.
    The Automatic Updates service was started successfully.


    C:\>
     
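    The WinUpFix.cmd procedure above stops BITS and Automatic Updates, re-registers the Windows Update DLLs, and restarts the services, but a plain batch file gives no per-step failure report. The following is an added PowerShell script, not chaslang's WinUpFix.cmd, that performs the same sequence as the transcript just posted while recording each failure and, before re-registering, verifying that each DLL still carries a valid Microsoft Authenticode signature (a useful check after a malware cleanup). It assumes a current Windows release with Windows PowerShell 5.1, run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: same step sequence as the WinUpFix.cmd transcript above,
# with exit-code checking and a signature check on each DLL. Not the original script.

$dlls = 'atl.dll','jscript.dll','msxml3.dll','softpub.dll','wuapi.dll',
        'wuaueng.dll','wuaueng1.dll','wucltui.dll','wups.dll','wuweb.dll'
$sys32    = Join-Path $env:SystemRoot 'system32'
$failures = @()

# Step 1: stop the two services (Stop-Service is a no-op if already stopped)
foreach ($svc in 'bits','wuauserv') {
    try   { Stop-Service -Name $svc -Force -ErrorAction Stop }
    catch { $failures += "stop $svc : $($_.Exception.Message)" }
}

# Step 2: verify and re-register each DLL
foreach ($name in $dlls) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { $failures += "missing: $path"; continue }

    # On older Windows, catalog-signed system files report NotSigned here;
    # on Windows 8+ with PowerShell 5.1 catalog signatures are honored.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $failures += "unexpected signature on $path (status: $($sig.Status))"
        continue
    }

    # /s suppresses regsvr32's dialog so the exit code is the only result
    $p = Start-Process -FilePath (Join-Path $sys32 'regsvr32.exe') `
                       -ArgumentList "/s `"$path`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { $failures += "regsvr32 $name exit code $($p.ExitCode)" }
}

# Step 3: restart the services
foreach ($svc in 'bits','wuauserv') {
    try   { Start-Service -Name $svc -ErrorAction Stop }
    catch { $failures += "start $svc : $($_.Exception.Message)" }
}

if ($failures.Count -eq 0) { 'All steps succeeded.' } else { $failures }
```

    Any entries printed at the end are the failures chaslang asks to have posted word for word; a signature failure on a system DLL is worth a look before trusting the cleanup.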
  23. srmjdm

    srmjdm Private E-2

    Here are screenshots of what update says when I try to install the updates.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach a copy of the below log file here:

    C:\Windows\windowsupdate.log


    At any point in time did you have Symantec software installed and did you ever run the automatic removal tool they created called SymNRT?
     
  25. srmjdm

    srmjdm Private E-2

    Here's the update log.
    As for the Symantec software, I do not know. I received this computer used from someone who went through and just deleted everything before selling it to me. So I don't know if Symantec was on it or not.

    Thanks for all your help.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  27. srmjdm

    srmjdm Private E-2

    Me again.. LOL
    I tried to follow the steps in the link you posted.
    Section B, Windows Server 2003 and Windows XP, step 2: Verify that the following registry entries are present:
    I do not have the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn in my registry. I only have
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon

    So now I am stuck again... any suggestions???
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I guess this means you did not understand step 2 of the procedure. They are telling you that you need to create that registry key and all the subkeys and values if it does not exist.

    I will give you a patch to use to create this but you need to take this topic to the Software Forum if this does not resolve your problems. This is not a malware problem and we are overloaded with malware problems to fix in this forum.

    Now copy the bold text below to Notepad. Save it as fixSL.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
     
