Trojan.vundo infected file in use - Please Help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rsd0562, Oct 21, 2005.

  1. rsd0562

    rsd0562 Private E-2

    To Whom It May Concern,

    Symantec AntiVirus Notification keeps popping up w/ Virus Found! Virus Name: Trojan.vundo. File: C:\WINNT\Web\printers\dbbin.dll. Clean Failed, Quarantine Failed; Access denied.

    I have tried all the steps in your "Read and Run first". A lot of the tools find and supposedly remove infected files, but the notification keeps popping up. I also tried the tools in Safe Mode, with the same result.

    I have also tried the Symantec Vundo Fix and your VundoFix. Even in Safe Mode I get "Process cannot access the file because it is being used by another process"???

    The HJT log identifies the dbbin.dll in the O2 and O20 lines but, as I said above, it cannot be deleted because it is in use.

    Please help.

    Thank you in advance for your help,

    rsd0562
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please download Symantec Trojan.Vundo Removal Tool 1.4

    *Please follow the instructions very closely to run the tool properly. After you complete the tool reboot and attach a fresh HJT log from normal mode.
     
  3. rsd0562

    rsd0562 Private E-2

    Bjgarrick,

    Thank you for the quick reply.
    I downloaded the Symantec Trojan.Vundo Removal Tool 1.4 (fixvundo.exe) as you suggested. I followed the directions on the download page. I ran fixvundo.exe from Safe Mode and then Normal Mode. Still getting the Symantec AntiVirus Notification popping up w/ Virus Found!
    Also getting an rtvscan memory error. Don't know if this is related to the virus or not?

    Both fixvundo.exe runs say the following:
    1 file could not be deleted. Will be deleted on next reboot.
    Scanned files: Safe mode = 116798, normal = 116800
    Deleted = 0
    Threads Terminated: 4
    Registry Entries Fixed: 4

    I had already run this fixvundo.exe and killvundo.bat the other day. They both say they find the problem but are unable to delete it because it is in use by another process?

    The HJT log identifies C:\WINNT\Web\printers\dbbin.dll in the O2 and O20 lines but, as I said above, it cannot be deleted w/ killvundo.bat because it is in use.

    I have attached a hjt log from normal mode.

    thanks again,

    rsd0562
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    From now on please attach HJT logs without the MD5 as it makes it harder to sort through.

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of dbbin.dll once and then click the kill button. After you have killed all of the dbbin.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of dbbin.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\Web\printers\dbbin.dll
    O20 - Winlogon Notify: dbbin - C:\WINNT\Web\printers\dbbin.dll

    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.


    C:\WINNT\Web\printers\nibbd.ini
    C:\WINNT\Web\printers\nibbd.ini2
    C:\WINNT\Web\printers\nibbd.bak
    C:\WINNT\Web\printers\nibbd.bak1
    C:\WINNT\Web\printers\nibbd.bak2
    C:\WINNT\Web\printers\nibbd.tmp
    C:\WINNT\Web\printers\dbbin.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
    Last edited: Oct 23, 2005
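    The "Delete on Reboot" option in Killbox and the "1 file could not be deleted. Will be deleted on next reboot." message from fixvundo both rely on the same Windows mechanism: the request is queued in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the session manager (smss.exe) carries it out early in the next boot, before winlogon.exe loads any notification DLLs. When a "Pending Operations" error appears, the useful check is whether the deletion was actually queued. The script below is an added example, not part of this thread or of any tool named in it: it decodes a regedit export (.reg) of that key and lists the queued operations. The .reg text is constructed for the demonstration; the decoder assumes regedit's standard hex(7) encoding (UTF-16LE, NUL-separated, wrapped with a trailing backslash) and the documented pairing rule where an empty destination means delete and a "!" prefix means replace an existing file.

```python
import re

SESSION_MANAGER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"

# Constructed sample: what a regedit export of the Session Manager key looks like
# after two delete-on-reboot requests (dbbin.dll and nibbd.ini) have been queued.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,\
  57,00,49,00,4e,00,4e,00,54,00,5c,00,57,00,65,00,62,00,5c,00,70,00,72,00,69,\
  00,6e,00,74,00,65,00,72,00,73,00,5c,00,64,00,62,00,62,00,69,00,6e,00,2e,00,\
  64,00,6c,00,6c,00,00,00,00,00,5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,\
  00,49,00,4e,00,4e,00,54,00,5c,00,57,00,65,00,62,00,5c,00,70,00,72,00,69,00,\
  6e,00,74,00,65,00,72,00,73,00,5c,00,6e,00,69,00,62,00,62,00,64,00,2e,00,69,\
  00,6e,00,69,00,00,00,00,00,00,00
"""


def decode_multi_sz(hex_tokens):
    """Decode regedit hex(7) byte tokens (UTF-16LE, NUL-separated) into a list of strings.

    Empty strings are preserved on purpose: PendingFileRenameOperations uses an empty
    destination to mean 'delete', which an ordinary MULTI_SZ reader would treat as the end.
    """
    data = bytes(int(tok, 16) for tok in hex_tokens if tok)
    text = data.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-2]  # last string's NUL plus the list terminator
    elif text.endswith("\0"):
        text = text[:-1]
    return text.split("\0")


def parse_reg_export(text):
    """Return {key: {value_name: (type, data)}} from a .reg file, joining wrapped hex lines."""
    result, current_key = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            result[current_key] = {}
            continue
        while line.endswith("\\") and i < len(lines):  # regedit continuation marker
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'^"(?P<name>[^"]+)"=(?P<data>.*)$', line)
        if not m or current_key is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith("hex(7):"):
            result[current_key][name] = ("REG_MULTI_SZ", decode_multi_sz(data[7:].split(",")))
        elif data.startswith("dword:"):
            result[current_key][name] = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith('"') and data.endswith('"'):
            result[current_key][name] = ("REG_SZ", data[1:-1].replace("\\\\", "\\"))
        else:
            result[current_key][name] = ("RAW", data)
    return result


def pending_file_operations(reg):
    """List (action, source, destination) tuples queued for the next boot.

    Strings come in pairs (source, destination). Paths carry the NT '\\??\\' prefix,
    an empty destination means delete, and a leading '!' means replace-existing.
    """
    entry = reg.get(SESSION_MANAGER, {}).get("PendingFileRenameOperations")
    if entry is None:
        return []
    strings = entry[1]
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        src = src.replace("\\??\\", "", 1)
        if dst == "":
            ops.append(("delete", src, None))
        else:
            ops.append(("rename", src, dst.lstrip("!").replace("\\??\\", "", 1)))
    return ops


def is_queued_for_deletion(reg, path):
    """True if the given file is scheduled to be removed at the next boot."""
    return any(action == "delete" and src.lower() == path.lower()
               for action, src, _ in pending_file_operations(reg))


if __name__ == "__main__":
    for op in pending_file_operations(parse_reg_export(SAMPLE_REG)):
        print(op)
```

    On a live machine the input would come from `regedit /e` of that key; the decoder is deliberately separate from the registry access so it can be run against exports collected from another system.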
  5. rsd0562

    rsd0562 Private E-2

    Bjgarrick,

    Again, thank you for your quick reply.
    Followed your instructions but still getting the Symantec Antivirus Notification popup about trojan.vundo and the same dbbin.dll file?

    My system32 folder is under WINNT. Should I have entered C:\Winnt\system32\ for the Kill Box step? I entered the C:\windows\system32 file list as instructed.

    I double-click on the executables from Explorer to run all of your tools. I shut down Explorer before I actually start the tool. Is this ok?

    Results:

    Process Explorer
    winlogon.exe - no dbbin.dlls found
    explorer.exe - 4 dbbin.dlls found and killed

    HijackThis - two files fixed

    fixvundo.reg - entries added

    Pocket Killbox

    copy and pasted as instructed and checked off "Delete on Reboot"
    Unregister Dll was NOT available.
    Got Pending Operations type error and I Rebooted into Normal mode.

    Attached please find hjt log.

    Thanks again,

    rsd0562
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I apologize, go back and complete post #4 again, I made adjustments so it should work this time. I have so many of these I forgot to change the locations, after you complete this fix run the Symantec Removal Tool once more from Safe Mode then attach a fresh HJT log.
     
  7. rsd0562

    rsd0562 Private E-2

    Bjgarrick,

    Again, thank you for your quick reply.
    Sorry, but I am still getting the Symantec Antivirus Notification popup about trojan.vundo and the same dbbin.dll file?

    What could I be doing wrong??

    I ran everything from Safe Mode w/out Networking. I also disconnected the cable modem.

    After the Killbox.exe step I rebooted back into Safe Mode w/out cable then ran the Symantec Removal Tool ( fixvundo.exe )

    fixvundo.exe results:
    trojan.vundo removal was successful
    the system will delete 1 trojan.vundo file from your PC on the next reboot
    1 file could not be deleted. Will be deleted on next reboot.
    Scanned files: Safe mode = 118354
    Deleted Files = 3
    Viral Threads Terminated: 4
    Registry Entries Fixed: 4

    Should I run the fixvundo.exe directly after Pocket Killbox w/out rebooting in between?

    Same results as last time.

    I double-click on the executables from Explorer to run all of your tools. I shut down Explorer before I actually start the tool. Is this ok?

    Results:

    Process Explorer
    winlogon.exe - no dbbin.dlls found
    explorer.exe - 4 dbbin.dlls found and killed

    HijackThis - two files fixed

    fixvundo.reg - entries added

    Pocket Killbox

    copy and pasted as instructed and checked off "Delete on Reboot"
    Unregister Dll was NOT available.
    Got Pending Operations type error and I Rebooted into SAFE mode.

    Ran Symantec Removal Tool ( fixvundo.exe ) from SAFE mode - see Results above

    Rebooted into Normal mode. Got Error.

    Attached please find hjt log.

    Thanks again,

    rsd0562
     


  8. rsd0562

    rsd0562 Private E-2

    Bjgarrick,

    I just re-read the instructions for Symantec Removal tool (fixvundo.exe) and realized I didn't run it twice in a row?

    Once I run it once from Safe Mode, do I reboot back into Safe Mode or Normal Mode and run it again?

    thanks,

    rsd0562
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's forget about Vundo for now and cleanup the other baddies in your log then we will come back to Vundo.

    Allow me a few moments to check over your log!
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    After you download Killbox please uninstall Microsoft Antispyware so it will not block anything we try to fix.

    Now, please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R3 - Default URLSearchHook is missing

    O2 - BHO: Bho - {7CE7D3FC-C121-4c2c-924E-E017BBE2364B} - C:\WINNT\system32\julliuub.dll
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\Web\printers\dbbin.dll
    O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - C:\WINNT\system32\mlrnnteg.dll

    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} -

    O20 - Winlogon Notify: dbbin - C:\WINNT\Web\printers\dbbin.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.


    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    C:\WINNT\system32\julliuub.dll
    C:\WINNT\system32\mlrnnteg.dll
    C:\WINNT\Web\printers\dbbin.dll

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.


    After you have completed the above and windows has loaded from the reboot, attach a fresh HJT log from normal mode.
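    The HijackThis lines in this fix name two different hooks on the same file. An O2 line is a Browser Helper Object (a CLSID registered under Explorer\Browser Helper Objects) that Internet Explorer and Windows Explorer load; an O20 line is a Winlogon notification package (Winlogon\Notify) that winlogon.exe loads at logon. A DLL registered under both is open in every interactive session, which is why every deletion attempt in this thread reports it as in use. The parser below is an added example, not code from this thread or from HijackThis: it reads log lines of the kinds quoted here, classifies them by where each hook is loaded from, and reports files that are hooked in more than one place. The sample log is constructed from lines quoted in the thread; the path rules (system32 and Program Files as trusted locations) and the empty BHO allowlist are assumptions a team would tune to its own environment.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis lines quoted in this thread, gathered into one log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R3 - Default URLSearchHook is missing
O2 - BHO: Bho - {7CE7D3FC-C121-4c2c-924E-E017BBE2364B} - C:\WINNT\system32\julliuub.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\Web\printers\dbbin.dll
O4 - HKCU\..\Run: [Ghkde] C:\WINNT\system32\??ool32.exe
O4 - HKCU\..\Run: [Orha] C:\Documents and Settings\tearlesscry\Application Data\sswb.exe
O4 - HKCU\..\Run: [Orha] "C:\Program Files\esue\sswb.exe" -vt ndrv
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O20 - Winlogon Notify: dbbin - C:\WINNT\Web\printers\dbbin.dll
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# One regex per HijackThis section handled here; other sections are kept but left unparsed.
PATTERNS = {
    "R1": re.compile(r"^R1 - (?P<key>[^,]+),(?P<name>\w+) = (?P<path>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.+)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r") -\s*(?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
}

# Assumed trusted locations; legitimate Winlogon notification packages live in system32.
SYSTEM_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
TRUSTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\",)
KNOWN_GOOD_BHO_CLSIDS = set()  # assumed allowlist; empty here, so every BHO is reported


def executable_from_command(command):
    """Return the program path from a Run command line, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def parse_hjt(text):
    """Turn HijackThis lines into dicts with type, name, clsid, path and the raw line."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        kind = raw.split(" - ", 1)[0]
        entry = {"type": kind, "raw": raw, "name": None, "clsid": None, "path": None}
        pattern = PATTERNS.get(kind)
        match = pattern.match(raw) if pattern else None
        if match:
            d = match.groupdict()
            entry["name"] = d.get("name")
            entry["clsid"] = d.get("clsid")
            entry["path"] = executable_from_command(d["command"]) if "command" in d else d.get("path")
        entries.append(entry)
    return entries


def _under(path, prefixes):
    return any(path.lower().startswith(p) for p in prefixes)


def triage(text):
    """Return (severity, line, reason) findings; the rules encode which process loads each hook."""
    findings = []
    kinds_by_path = defaultdict(set)
    for e in parse_hjt(text):
        kind, path = e["type"], e["path"]
        if not path:
            continue
        if kind in ("O2", "O4", "O20"):
            kinds_by_path[path.lower()].add(kind)
        if kind == "O20" and not _under(path, SYSTEM_DIRS):
            findings.append(("high", e["raw"], "Winlogon Notify DLL outside system32; loaded by winlogon.exe at logon"))
        elif kind == "O2" and e["clsid"] not in KNOWN_GOOD_BHO_CLSIDS:
            sev = "medium" if _under(path, TRUSTED_DIRS) else "high"
            findings.append((sev, e["raw"], "BHO not on the vetted list; loaded by iexplore.exe and explorer.exe"))
        elif kind == "O4" and ("?" in path or not _under(path, TRUSTED_DIRS)):
            findings.append(("medium", e["raw"], "Run entry with unprintable characters or outside trusted folders"))
        elif kind == "O16" and "microsoft.com" not in path.lower():
            findings.append(("low", e["raw"], "ActiveX download (DPF) from a third-party host; review or remove"))
        elif kind == "R1" and e["name"] == "SearchURL":
            findings.append(("medium", e["raw"], "search URL overridden; points to " + path))
    # The pattern that makes this thread's file so hard to remove: one DLL, several loaders.
    for path, kinds in kinds_by_path.items():
        if len(kinds) > 1:
            findings.append(("high", path, "same file registered as " + "+".join(sorted(kinds))
                             + "; clear every process that loaded it before deleting"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

    The "same file registered as O2+O20" finding is the one to act on first: it says the file is held open by winlogon.exe as well as by Explorer and Internet Explorer, so a fix that unloads it from only one of them will keep failing with the "in use" error seen throughout this thread.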
     
  11. rsd0562

    rsd0562 Private E-2

    Bjgarrick,

    I have run all the steps from SAFE MODE w/ networking with the cable modem Disconnected.

    I uninstalled MS Antispyware and it is still uninstalled.

    During Pocket Killbox, I was able to check the Unregister.dll on dbbin.dll only.

    As you probably know, I still have Symantec Antivirus Notification popup pointing to same c:\winnt\web\printers\dbbin.dll file.

    Attached please find new hjt log after reboot into normal mode.

    thanks again,

    rsd0562
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download VundoFix222.exe

    Once you have downloaded it please unzip it to your desktop.

    Once unzipped please open the vundofix222 folder and double click killvundo.bat

    Let it run and follow the onscreen commands.

    Once your computer reboots please post a new hijackthis log and the vundofix.txt from inside the vundofix222 folder.
     
  13. rsd0562

    rsd0562 Private E-2

    Bjgarrick,

    It appears that killvundo.bat would not run.

    I have AOL antispyware running. Could this be preventing any fixes from working?

    Am I running these fixes correctly? How should they be run? From Safe Mode, Normal Mode, W/out Networking, w/ networking, disconnect cable modem or not??

    I downloaded vundofix222 as instructed. I ran it from Safe Mode , no networking, w/ cable modem disconnected.

    I double-clicked on killvundo.bat and a blue screen came up. I hit "enter" as instructed. Then something flashed that I couldn't read. The screen went black w/ just safe mode displayed in every corner. I waited a few minutes and nothing seemed to be happening. I had to do ctrl-alt-delete and restart.

    I rebooted into normal mode and saved the log as vundofix-1.txt.
    I then ran the batch file again from Normal Mode w/ cable modem disconnected. I double-clicked on killvundo.bat and hit "enter" as instructed. Then something flashed that I couldn't read. My active background went away. I waited a few minutes and nothing seemed to be happening. I had to do ctrl-alt-delete and restart. When I hit restart I got an error message about explorer.exe followed by another error message about winlogon.exe saying it was creating an error log. Don't know where or what this error log is called?
    I attached the log from the 2nd run of killvundo.bat from Normal mode.

    A few weeks ago, before this trojan.vundo appeared I had the winfixer2005 problem. I uninstalled it but it still came back. I deleted anything named winfix. It seemed to go away after that.

    I was unable to attach more than 2 files so here is the log from the 1st killvundo.bat I ran from Safe Mode.

    VundoFix V2.15 by Atri
    --------------------------------------------------------------------------------------

    Listing files contained in the vundofix folder.
    --------------------------------------------------------------------------------------

    killvundo.bat
    process.exe
    ReadMe.txt
    restart.exe
    vundo.reg
    vundofix.txt

    --------------------------------------------------------------------------------------

    List of files found
    --------------------------------------------------------------------------------------

    Log from Process
    --------------------------------------------------------------------------------------


    Killing PID 112 'smss.exe'
    Error 0x6 : The handle is invalid.


    Killing PID 516 'explorer.exe'


    Killing PID 160 'winlogon.exe'
    Error 0x6 : The handle is invalid.

    --------------------------------------------------------------------------------------



    thanks again,

    rsd0562
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you can uninstall the AOL Spyware Protection stuff it would probably help, after you uninstall this you can try the below fix:


    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
    • You will first be presented with a warning.
      It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINNT\Web\printers\dbbin.dll
    • Press Enter to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINNT\Web\printers\nibbd.*

    • Press Enter to continue with the fix.
    • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\Web\printers\dbbin.dll
    O20 - Winlogon Notify: dbbin - C:\WINNT\Web\printers\dbbin.dll

    • After you have fixed these items, close Hijackthis.
    • Press enter to exit the program then manually reboot your computer.
    Once your machine reboots please attach a fresh HJT log from normal mode.
     
  15. rsd0562

    rsd0562 Private E-2

    Bjgarrick,

    Ran from Safe Mode w/ cable modem disconnected. I have Win 2000. I have enabled hidden files and folders.

    Killvundo.bat displays the following msg: "The process cannot access the file because it is being used by another process. Attempting to delete c:\winnt\web\printers\dbbin.dll".

    I could not uninstall AOL spyware protection, it was not in add/remove programs?

    Norton still popping up w/ msg that it can't quarantine file.

    What should I try next?

    Attached hjt log from Normal mode after reboot.

    thanks,


    rsd0562
     


  16. rsd0562

    rsd0562 Private E-2

    Bjgarrick,

    I just ran Process Viewer from Normal Mode. The dbbin.dll module is in the Winlogon.exe Process.

    Can I do anything w/ this information?

    How can I kill the winlogon.exe process? Then delete dbbin or run killvundo.bat?

    Will dbbin.dll and winlogon.exe come back on reboot?


    thanks,

    rsd0562
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If followed word for word, this fix always works!

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of dbbin.dll once and then click the kill button. After you have killed all of the dbbin.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of awvtr.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\Web\printers\dbbin.dll
    O20 - Winlogon Notify: dbbin - C:\WINNT\Web\printers\dbbin.dll


    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.


    C:\WINNT\Web\printers\nibbd.ini
    C:\WINNT\Web\printers\nibbd.ini2
    C:\WINNT\Web\printers\nibbd.bak
    C:\WINNT\Web\printers\nibbd.bak1
    C:\WINNT\Web\printers\nibbd.bak2
    C:\WINNT\Web\printers\nibbd.tmp
    C:\WINNT\Web\printers\dbbin.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
  18. rsd0562

    rsd0562 Private E-2

    Bjgarrick,

    I followed your instructions word for word and still have problem. What could I be missing?

    Enclosed please find hjt and Killbox logs.

    I downloaded Process Explorer 9.2 and Pocket Killbox to the Desktop and unzipped them to their own folders ( not on the desktop ).

    I copy and pasted the regedit files into notepad and saved as instructed to desktop.

    I rebooted into Safe Mode, but did not disconnect cable modem.

    I opened Windows Explorer and went to the folder for Process Explorer and double-clicked Procexp.exe. I then closed Windows Explorer. Then double-clicked on Winlogon.exe and it did not have any .dll's of any kind?
    Explorer.exe had 4 dbbin.dll's.

    Ran hjt and Fixed 2 files.
    Ran fixvundo.reg.

    I ran Pocket Killbox ( by clicking on killbox.exe from windows explorer ), then closed down windows explorer and Deleted Temp Files and clicked OK. Then with Killbox still open I copy and pasted from notepad the files to be deleted. Notepad was open the whole time.
    Unregister dll was only available for C:\Winnt\Web\printers\dbbin.dll.

    Got Pending Operations msg. Said OK. Exited Pocket Killbox. Rebooted machine into Normal Mode. Ran hjt.

    Again, what could I be doing wrong? Am I running from the right safe mode? Should cable modem be connected or disconnected?

    Thanks,

    rsd0562
     


  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I still see AOL AntiSpyware running; if you have not already, uninstall this! Disable any antispyware program and any antivirus programs like Norton.

    Be sure you are completely disconnected during the entire process! End each and every process of the DLL running in winlogon.exe or explorer.exe before doing anything else.

    Try it once more after doing the above!
     
  20. rsd0562

    rsd0562 Private E-2

    Bjgarrick,

    I finally figured out how to disable the AOL Spyware Protection. Plus I disabled Norton. Followed below instructions and the Norton Virus Pop-up is gone. Is this because Norton is Disabled? For some reason I can not Enable Norton. I right click on Icon then click on Enable and it enables for a second then it goes right back to disabled?
    How do I Enable Norton again?

    Process Explorer found no dbbin.dll's in the Winlogon.exe. It found 4 in explorer.exe.

    Thank you for being so patient w/ me.

    Attached please find hjt log.

    thanks again,

    rsd0562
     


  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Vundo3

    Once you have downloaded it please unzip it to your desktop.

    Once unzipped please open the vundo3 folder and double click killvundo.bat.

    Let it run and follow the onscreen commands.

    Once your computer reboots please post a new hijackthis log and the vundofix.txt from inside the vundo3 folder
     
  22. rsd0562

    rsd0562 Private E-2

    Bjgarrick,

    Attached please find both logs.

    I Downloaded Vundo3 to the desktop and unzipped it to the desktop.

    Ran as you instructed. I ran it from Safe Mode w/ out cable modem attached.
    Said it could not find the file specified.

    I ran it again from Normal Mode w/ out cable modem attached. Same thing it could not find the file specified.

    The file is still in C:\WINNT\Web\Printers\dbbin.dll.
    I am still getting the Norton message.

    The vundofix.txt attached is from the Safe Mode run.

    thanks,

    rsd0562
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not have much time right now but here are some ideas to think about (BJ will have to guide you on this where you need help):

    - make sure registry edits have not been disabled via a registry entry
    - look at the registry keys using a tool like Registrar Lite and make sure the registry entries are not marked as Access Denied. If they are, you will need to take ownership of them before you can remove them.
    - check other user accounts. Do they have problems? If so, fix them.
    - make sure that where you are trying to fix it, you have admin privileges
    - always be physically disconnected from the internet when trying to fix and make sure NO browsers of any kind are running when trying to fix.
    - uninstall Symantec and the AOL spyware stuff, then try the manual fix again from message # 4
     
  24. rsd0562

    rsd0562 Private E-2

    BJ,

    Can you help me with chaslang's instructions? I am not very technical but can follow direction. Thanks for being patient w/ me.

    I do have 3 Users on the machine. I will have to give them Admin rights and sign on as them. Then I should run through the Read and Run first for each one? I only did this for myself as Admin.

    I need help w/ how to do below. Thanks.
    - make sure registry edits have not been disabled via a registry entry
    - look at the registry keys using a tool like Registrar Lite and make sure the registry entries are not marked as Access Denied. If they are, you will need to take ownership of them before you can remove them.
    - check other user accounts. Do they have problems? If so, fix them.

    What should I run for these other Accounts??

    thanks again,

    rsd0562
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, lets start by getting a HJT log for each account including yours. Attach the logs with names so I can keep them separate, you will have to post twice to get all 3 logs but this is ok. I will create a fix for each HJT log (account) and then we will try the Vundo fix again.
     
  26. rsd0562

    rsd0562 Private E-2

    BJ,

    There are actually 4 Users plus one I don't recognize. There is a user called "Aspnet", in the Users Group? Is this a system thing? Can I delete this User?

    I have attached 4 logs in two posts.

    thanks again,


    rsd0562
     


  27. rsd0562

    rsd0562 Private E-2

    BJ,

    Here are the other 2 logs.

    thanks,

    rsd0562
     


  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I see a few things your first few HJT logs don't show, so let's try 2 scans and then we will clean each account, then try the Vundo fix again.

    First, I need you to completely remove the AOL software, if this is your ISP then keep what you need but make sure the spyware protection stuff is removed because I still see that running. As far as the other ASP account, you can delete this account!

    After you uninstall the AOL software please follow the below...


    Please download Spy Sweeper
    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT logs from each account.
     
  29. rsd0562

    rsd0562 Private E-2

    BJ,

    Well it appears like SpySweeper got rid of the Trojan.vundo. Norton pop-up is not coming up. Hooray!! But now Spysweeper keeps popping up w/ message "Big Fish Tool Bar running in memory" do you wish to run spysweeper?

    Attached please find Spysweeper log plus Ran HJT for all Users from Normal Mode - Had to post in 2 messages.

    My machine froze during the Removal Process of SpySweeper? I checked off all the settings you suggested, plus got updates. I uninstalled Aol spyware protection and disabled Norton.

    While running Spyware I got the message "Big Fish Tool Bar running in memory" do you wish to run spysweeper? I said yes and scan started. I happen to be in Normal Mode w/ Cable modem attached and didn't want to kill it once it started. I hope this is ok.

    Took about an hour to run. Then when I went to remove everything the progress bar had about 6 bars and hung. I thought it would take a while to run so I went to bed. In the morning it was in the same spot. "Virtumonde" was displayed. Control Alt Delete brought up the Task Manager but couldn't do anything. Couldn't click on anything, couldn't do Control Alt Delete again. I had to manually Reboot back into Normal Mode.


    Thanks again for all of your help with this. I can not thank you enough. You guys are great.

    rsd0562
     


  30. rsd0562

    rsd0562 Private E-2

    BJ,

    two more logs.

    thanks again,

    rsd0562
     


  31. rsd0562

    rsd0562 Private E-2

    BJ,

    Also, could not remove User ASPNET. I tried to set the password and log in as ASPNET but got Message: "the local policy of this system does not permit you to log on interactively"?

    thanks,

    rsd0562
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This fix is for hijackthis-ib-1.log!


    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)

    O4 - HKCU\..\Run: [Ghkde] C:\WINNT\system32\??ool32.exe
    O4 - HKCU\..\Run: [Orha] C:\Documents and Settings\tearlesscry\Application Data\sswb.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\system32\??ool32.exe ←–– Manually search for this file, it will most likely be at the bottom of the list because of the ? which indicates an unprintable character! After you find it, delete it!

    C:\Documents and Settings\tearlesscry\Application Data\sswb.exe

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This fix is for hijackthis-kd1.log !


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    w?crtupd.exe

    sswb.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html

    R3 - Default URLSearchHook is missing

    O4 - HKCU\..\Run: [Seqcndv] C:\WINNT\system32\w?crtupd.exe
    O4 - HKCU\..\Run: [Orha] "C:\Program Files\esue\sswb.exe" -vt ndrv

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\esue ←–– Delete this whole folder if it exists!

    C:\WINNT\system32\w?crtupd.exe ←–– Manually search for this file and delete when found!

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The hijackthis-admin-1.log one is clean!

    Do you want the Big Fish software? If not, look in Add/Remove programs and uninstall.

    After you complete ALL of the fixes, reboot and let me know how things are running overall and if any problems remain.
     
  35. rsd0562

    rsd0562 Private E-2

    BJ,

    Finally got back to the computer and followed your instructions.
    I forgot to attach one of the User logs last time, so I included it this time.

    Attached please find 4 logs.

    I couldn't find some of the things to delete.

    Below were NOT found for User kd.
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html

    C:\WINNT\system32\w?crtupd.exe

    Below were NOT found for User ib.
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html

    C:\WINNT\system32\??ool32.exe

    C:\Documents and Settings\tearlesscry\Application Data\sswb.exe


    Thanks again for your help.

    rsd0562
     


  36. rsd0562

    rsd0562 Private E-2

    BJ,

    Attached please find other 2 logs.

    Thank you for all of your help. I appreciate it very much.

    Finally, no more Trojan.virus pop-up.

    thanks again,

    rsd0562
     


  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean, are you having any further problems?
     
  38. rsd0562

    rsd0562 Private E-2

    BJ,

    Thank you for all of your help. Everything seems to be running fine.
    Should I reinstall the Aol spyware protection?
    Also, what do you recommend to Block Pop-ups?

    The only thing I'm still getting on reboot is a "Windows File Protection" error: "Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability Windows must restore the original versions of these files. Insert your Windows 2000 Professional CD now."
    When I insert the cd it still does not correct the problem?

    I'm also getting a rtvscan memory error. I can't find where I wrote down the exact error and it doesn't happen all the time??

    I don't know if these are spyware related or not??
    If you can direct me to the correct forum, I will post these errors there.

    thanks again for all of your help,

    rsd0562
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    For antispy protection you should see this article on How to Protect yourself from malware!

    For the other errors/problems I would post those in the Software Forum. Those guys will get you fixed up.

    Good Luck!:)
     
