Can't get rid of three

Discussion in 'Malware Help (A Specialist Will Reply)' started by hazza07, Dec 30, 2004.

  1. hazza07

    hazza07 Private E-2

    I did all of the scans and cleaned everything apart from three. With the Spybot scan I cleaned a lot, but three couldn't be deleted. I restarted several times and it scans on startup, but it just keeps giving the same message (restart and try again). Should I use another program or what? The viruses/spyware/Trojans that aren't deleting are DyFuCA.Internet optimizer, Istbar.Slotch and Powerscan. Thanks
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. hazza07

    hazza07 Private E-2

    Yeah, sorry, I've done all of the steps and upgraded everything.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!


    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  5. hazza07

    hazza07 Private E-2

    I've got a log file here... one small problem... I have HijackThis v1.98 on my old computer. My laptop (the one with the virus) won't load the site with v1.99, so I just scanned it with v1.98 to see what happens. If this is useless then I'll just have to keep trying tomorrow to load the new version!
     

    Attached Files:

  6. hazza07

    hazza07 Private E-2

    Actually, I got it this morning! I got it through Google. Um, yeah, here's the scan for v1.99.
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Hey, you have a few bad things. Let's start by deleting the bad files.

    1) Boot into "Safe Mode"

    2) Go into C:\temp\ and delete the file salm.exe

    3) Go into C:\Program Files and delete the folder C:\Program Files\Windows ServeAd

    4) Also in C:\Program Files delete the folder ISTsvc

    5) Go into C:\WINDOWS\System32 and delete the file msa.exe

    6) Also in C:\WINDOWS\System32 delete the file ssmr.exe

    7) We also need to delete the following items:

    C:\PROGRA~1\COMMON~1\tsa\ts2.exe
    C:\PROGRA~1\COMMON~1\tsa\tsm2.exe


    8) After removing the files listed above, run HJT again and post a new log so that we can fix other problems. Thanks!
     
  8. PhilliePhan

    PhilliePhan Guest

    You guys should delete the entire tsa folder.

    Carry on :)

    PP
     
  9. hazza07

    hazza07 Private E-2

    Thanks, I managed to delete all but two. I couldn't find msa.exe or ssmr.exe. They didn't appear to be there; I also did a search in system32 but they weren't there? Here's the new log file. I also deleted the whole tsa folder.
     

    Attached Files:

  10. hazza07

    hazza07 Private E-2

    I think there is still a problem though, because the laptop still runs a bit slow... I guess the log file will tell us that.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do this,

    1) Download SpySweeper

    2) Update definitions by clicking options, update definitions.

    3) Reboot in "Safe Mode" and do a full scan

    4) Post me the log as an attachment. Thanks!
     
  12. PhilliePhan

    PhilliePhan Guest

    Hi Hazza07,

    Let's go ahead and just knock this out!

    FIRST: O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au ---> Is this Legitimate and wanted?


    NOTE: Some of the items you will be removing look very similar to legitimate and needed processes - - Please pay close attention to spelling!!

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Spyware Cleaner
    WinAd
    Windows ServeAd
    ISTBar
    Admilli Service
    ISTsvc
    EliteToolBar


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them if possible:

    wuaruclt.exe ---> Not to be confused with wuauclt.exe
    crsss.exe ---> not to be confused with csrss.exe
    syvgmofy.exe
    AdmilliServ.exe
    msa.exe
    AdmilliKeep.exe
    ssmr.exe ---> Not to be confused with smss.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll

    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll

    O4 - HKLM\..\Run: [start uploading] crsss.exe
    O4 - HKLM\..\Run: [S3wC] C:\WINDOWS\syvgmofy.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
    O4 - HKLM\..\Run: [¢‰¸u0–4C}ïÁz î[ 8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\syvgmofy.exe
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
    O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
    O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁÐ]*ú" ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\syvgmofy.exe
    O4 - HKLM\..\Run: [Windows Media Player] msa.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [WinSecured32] ssmr.exe
    O4 - HKLM\..\RunServices: [start uploading] crsss.exe
    O4 - HKLM\..\RunServices: [*windows update] wuaruclt.exe
    O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
    O4 - HKLM\..\RunServices: [WinSecured32] ssmr.exe
    O4 - HKCU\..\Run: [start uploading] crsss.exe
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - HKCU\..\Run: [*windows update] wuaruclt.exe
    O4 - HKCU\..\Run: [Windows Media Player] msa.exe
    O4 - HKCU\..\RunServices: [start uploading] crsss.exe

    O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://advnt01.com/dialer/internazionale_ver4.CAB


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\wuaruclt.exe ---> Not to be confused with wuauclt.exe
    C:\WINDOWS\System32\crsss.exe --> Not to be confused with csrss.exe
    C:\Program Files\ISTsvc ---> The Folder
    C:\WINDOWS\syvgmofy.exe
    C:\Program Files\Windows ServeAd ---> The Folder
    C:\Program Files\Admilli Service ---> The Folder
    C:\WINDOWS\System32\msa.exe
    C:\WINDOWS\System32\ssmr.exe ---> Not to be confused with smss.exe
    C:\PROGRAM FILES\COMMON FILES\tsa ---> The Folder
    C:\WINDOWS\EliteToolBar ---> The Folder
    c:\temp\salm.exe
    C:\Program Files\Spyware Cleaner ---> The Folder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let us know of any problems you may have encountered with the above instructions and how your computer is running now. BJ or I will check back as time permits.

    Best luck :)
    PP
     
  13. hazza07

    hazza07 Private E-2

    Okay thanks, I probably won't be able to reply before tomorrow afternoon (Australian afternoon). At the moment I'm doing the SpySweeper scan. I'll send you the log file for that. And then tomorrow I'll do the rest of the instructions. Thanks heaps.
     
  14. hazza07

    hazza07 Private E-2

    Okay, I've got a serious problem. My laptop won't start up now. It says there's some sort of error, but the blue screen doesn't stay for long enough to read what it says. The last thing I did was the Spy Sweeper scan and I deleted everything that it found, but I think there's something seriously wrong with my laptop, I can't get into Windows. Safe mode doesn't work either. What can I/should I do? Can I pause the screen to see what it says?
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try and get anything from the blue screen if possible, also what does it say when you try safe mode?
     
  16. hazza07

    hazza07 Private E-2

    Well, it says the same thing in safe mode, but it only stays there for about half a second before restarting and doing it all over again. I guess I'll have to start at the top and work my way down, yeah? It comes up just after the Windows Home Edition loads.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you can give me the STOP: error message, as in numbers and message, I can find out what's causing this.

    See the image I attached; if you can get the information that I have in the box I can find out what's causing it. Thanks!
     

    Attached Files:

  18. hazza07

    hazza07 Private E-2

    Well... I wrote down what it says word by word and here it is.

    Stop: C0000218{Registry file failure}
    The registry cannot load the (File):
    /systemroot/system32/config/SECURITY
    or its log or alternative
    it is corrupt, absent or not writable
    beginning dump of physical memory
    physical memory dump complete

    Contact your system administrator or technical support group for further assistance.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate your Operating System disk, if you have not set your BIOS to boot from CD-ROM please do so.

    1) Boot from CD-ROM (Press any key to boot from CD...)

    2) After setup loads files and comes to the first screen, press R to boot into the Recovery Console.

    3) Type the # for the installation you wish to do this on. Usually it's 1 C:\WINDOWS. Type in the administrator password.

    4) Now type each line as it is below:

    md tmp

    copy C:\windows\system32\config\system C:\windows\tmp\system.bak
    copy C:\windows\system32\config\software C:\windows\tmp\software.bak
    copy C:\windows\system32\config\sam C:\windows\tmp\sam.bak
    copy C:\windows\system32\config\security C:\windows\tmp\security.bak
    copy C:\windows\system32\config\default C:\windows\tmp\default.bak

    delete C:\windows\system32\config\system
    delete C:\windows\system32\config\software
    delete C:\windows\system32\config\Sam
    delete C:\windows\system32\config\security
    delete C:\windows\system32\config\default

    copy C:\windows\repair\system C:\windows\system32\config\system
    copy C:\windows\repair\software C:\windows\system32\config\software
    copy C:\windows\repair\sam C:\windows\system32\config\sam
    copy C:\windows\repair\security C:\windows\system32\config\security
    copy C:\windows\repair\default C:\windows\system32\config\default


    Note: The Security hive alone may be enough for the moment, but the other hives bring the registry back to its post-installation state.

    5) Exit Recovery Console and see if WinXP loads. If not, please let me know ASAP so we can proceed. Thanks!
     
  20. hazza07

    hazza07 Private E-2

    Okay, two problems. It said that this file could not be copied: copy C:\windows\system32\config\security C:\windows\tmp\security.bak, and for this one, copy C:\windows\repair\system C:\windows\system32\config\system, it said that the system cannot find the file specified. For this reason my computer won't start up... I think. Well, when I start up it asks me how to boot and I select normal, but it says that it cannot start because \windows\system32\config\system is missing or corrupt. It says I can attempt to repair it etc.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, you're going to have to do a reinstallation repair to repair your current install of WinXP. Do you know how to do this or do you need my step-by-step instructions?
     
  22. hazza07

    hazza07 Private E-2

    Sorry to be annoying, but yeah, I'll need instructions because I don't really have any idea what that is. Thanks
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    To start the "Reinstallation Repair" follow below:

    1) Boot from CD-ROM Drive (Press any key to boot from CD...)

    2) Wait for setup to load files, when the first screen comes up press "ENTER" to continue with setup.

    3) Press F8 to continue (EULA Agreement)

    4) Now select the installation you wish to do the repair on, usually it will be "C:\WINDOWS "Microsoft Windows XP Home Edition"

    5) Press "R" to begin the Repair on this installation.

    6) Setup will then check drive c:\ and then delete system files, after this it will then copy the new files and begin setup.

    7) During setup you will be prompted to enter certain information. As this is a "Repair" you shouldn't have to enter a product key.

    8) After setup is complete, reboot and see how things work.

    NOTE: After setup is complete you will have to reinstall Service Pack 2 if it's installed now, and most important, when setup is complete it may ask you to create user accounts. SKIP this step so it will not remove the accounts you currently have.

    Let me know if you have any problems with the repair.

    Thanks!
     
  24. hazza07

    hazza07 Private E-2

    I had a look at the setup on my laptop and I wasn't sure where it was going. I am doing this with the operating disc in, aren't I? And how many pages come up between step 4 and 5?
    1. Yeah, first it loads files and then it says welcome to setup and I press enter...
    2. Then I get the licensing agreement (F8)
    3. And then I get asked about installing Windows XP on the selected item (C: partition1 (NTFS) 28608 MB (16460 MB free))... so I press enter for install
    4. And then it asks me whether I'm sure that I want to install XP on a partition that contains another operating system.

    I might be being a little bit too cautious, but I do continue, don't I? Am I doing the right thing? It's just that nothing about repair has come up yet. Oh well. Thanks
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    DO NOT PRESS ENTER HERE, THIS IS WHERE YOU PRESS R FOR REPAIR OF THIS INSTALLATION, PRESSING ENTER HERE WILL REPLACE YOUR OPERATING SYSTEM AND ALL USER ACCOUNTS

    After this step, you will get this:
    When you get this, do you see "R" for repair at the bottom?
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Sorry I got confused, running 2 installs here. Follow me below:

    1) Boot from CD-ROM Drive (Press any key to boot from CD...)

    2) Wait for setup to load files, when the first screen comes up press "ENTER" to continue with setup.

    3) Press F8 to continue (EULA Agreement)
    NOTE: Setup will now search for previous versions of Windows XP

    4) Now select the installation you wish to do the repair on, usually it will be "C:\WINDOWS "Microsoft Windows XP Home Edition"

    THIS IS WHERE YOU WILL PRESS R FOR REPAIR

    5) Now just wait for setup to delete old system files and copy the new ones, after this your computer will restart and setup will begin.

    If you have any more problems let me know. Thanks!

    NOTE: If you get stumped on anything do not continue until you ask, this is to protect your data on the drive. Thanks!
     
  27. hazza07

    hazza07 Private E-2

    No, it doesn't ask me to repair on this screen. It says
    * To set up windows xp on the selected item, press enter
    * To create a partition in the unpartitioned space, press c
    * To delete the selected partition, press D.

    The only time I get asked to repair is straight after the setup loads the files...

    I am running this with the operating system disc in the CD-ROM....
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, not good... the first R is for the Recovery Console. Looks like the only thing you can do is press "Enter" and reinstall.

    NOTE: Doing this will remove user accounts. Will most likely have to reinstall programs. Let me know what you want to do.
     
  29. hazza07

    hazza07 Private E-2

    Well, I guess if there's nothing else to do then I guess I will... will this get rid of the viruses?
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    There may be other ways to fix this, let me do some research and I will get back with you in a few. Thanks!
     
  31. hazza07

    hazza07 Private E-2

    I'm using the quick restore discs that HP gave me instead. They may give me drivers for some hardware... oh, don't worry about it, I've already started... I don't have much on my laptop anyway to worry about too much.
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ok, If you have any further questions and/or problems just let me know. Thanks!

    Please see this sticky thread on How to Protect yourself from malware to prevent future infections. Good Luck and Browse Safely!
     
  33. hazza07

    hazza07 Private E-2

    Re: new problem

    Okay, thanks for all of your help.
    Guess what, I've got a new problem. Okay, so I restored my laptop and then I wanted to get it protected as quickly as possible, so I went to Windows Update and updated it, then I came to the prevention of malware site (the one below) and my Norton Antivirus detected a file called bloodhound.w32.EP (which I can't gain access to and then can't clean). Then a box from the Messenger service came up which said that my computer may have serious errors in the registry and the file system and tells me to go to errorfixer.com. Note: This is exactly how my last virus(es) started. I have also noticed that when I start my laptop up I get a message in a black box saying C:\windows\system32\defragfat34.exe
    I don't know what this is. Is there a fast way to get rid of this bloodhound, because I think it was the one that started the whole episode last time. By the way, I did the errorfixer.com last time and all it was was a scan which said I had viruses and then asked for money... but how the hell does that load from nothing? I was in no sites when it came up. Oh well, help again would be greatly appreciated, thanks.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: new problem

    When doing new installs, it is best to always have as many of your updates and scanning/protection programs (like firewall, spyware blocker, antivirus) in place before connecting to the internet. Then get the rest of your updates.

    Did you do a clean install, meaning an fdisk and a format?

    Post a HijackThis log.
     
  35. hazza07

    hazza07 Private E-2

    I did a system recovery, so my laptop was back to where I bought it from... so I didn't have any programs apart from Norton before I connected to the internet. I was trying to get those sort of protection things as quickly as possible, but the viruses got me first. I'll quickly connect and get HijackThis and then post a log. Thanks
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is a catch-22 situation: you need to be updated before connecting, but you cannot get updated without connecting. The key is to have copies (like on a CD) of as many updates for your OS & other software titles as you can. Also, all of the other items I mentioned like firewall, spyware blocker, antivirus etc. should be on that CD. Then when you do a system recovery or re-install from scratch, before connecting to the internet you install all the patches and software. Now when you connect to the internet you are more protected and you would immediately get the rest of your updates.
     
  37. hazza07

    hazza07 Private E-2

    Here's a HijackThis log. I got it off a disc so I didn't have to use the net.
     

    Attached Files:

  38. hazza07

    hazza07 Private E-2

    By the way, it's only v1.98. I don't know how much difference that makes?
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A big difference. I'll look at it, but try to get 1.99 from another PC (maybe onto a floppy).
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a load of your original problems back!

    Question: Are the URL and settings in the below 6 lines all expected by you? Do you use a proxy server?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozemail.com.au
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/e-center-p
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.ozemail.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ozemail.com.au;aust.com;192.168.100.1;<local>
    O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au

    Now give this a run to try to fix the EliteToolBar problem: EliteToolbar Remover 1.0

    I'm still leaving fixes for EliteToolbar below in the cleanup steps just in case the above does not work. Please let me know if this tool appears to work.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
    Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\smsss.exe
    C:\WINDOWS\System32\msa.exe


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
    O4 - HKLM\..\Run: [start uploading] smsss.exe
    O4 - HKLM\..\Run: [Windows Media Player] msa.exe
    O4 - HKLM\..\RunServices: [start uploading] smsss.exe
    O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
    O4 - HKCU\..\Run: [start uploading] smsss.exe
    O4 - HKCU\..\Run: [Windows Media Player] msa.exe
    O4 - HKCU\..\RunServices: [start uploading] smsss.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\smsss.exe
    C:\WINDOWS\System32\msa.exe
    C:\WINDOWS\EliteToolBar <--- the whole folder
    C:\WINDOWS\system32\defragfat34.exe
    C:\WINDOWS\web\related.htm

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    Last edited: Jan 4, 2005
  41. hazza07

    hazza07 Private E-2

    Okay chaslang, I've just downloaded v1.99. I'll give you a look. I tried the Elite toolbar remover; I'm not sure if it did anything. What is meant by a proxy server? I'm not really sure if those sites are expected by me. I don't see why anzwers is there. ozemail is my server, I have a HP laptop... yeah. So I don't really know. Okay, here's the v1.99 log. If it's similar then just tell me to do the previous steps.
     

    Attached Files:

  42. hazza07

    hazza07 Private E-2

    Okay, I've done all of the steps, but none of the files/programs were there in Windows Explorer. I guess this means that HijackThis worked? I've put on Internet Connection Firewall. What are the first things I should do/install when I go on the internet for protection? I think everything is running fine, but I don't want to go on the internet before I know I've got as little chance as possible of being attacked. Thanks for your help
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not look like you followed the steps that I gave you. The items are still there. Also you did not answer my question about whether this URL is valid for you:
    http://www.anzwers.com.au/ie4/search.html

    So I'm going to assume it is not. Let's try this again. Make sure you follow these steps exactly and tell me if you have any problems at all doing these.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
    Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\smsss.exe <---- note the spelling: only kill smsss.exe if found.
    C:\WINDOWS\System32\msa.exe


    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll (file missing)
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll (file missing)
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
    O4 - HKLM\..\Run: [start uploading] smsss.exe
    O4 - HKLM\..\Run: [Windows Media Player] msa.exe
    O4 - HKLM\..\RunServices: [start uploading] smsss.exe
    O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
    O4 - HKCU\..\Run: [start uploading] smsss.exe
    O4 - HKCU\..\Run: [Windows Media Player] msa.exe
    O4 - HKCU\..\RunServices: [start uploading] smsss.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\smsss.exe
    C:\WINDOWS\System32\msa.exe
    C:\WINDOWS\EliteToolBar <--- the whole folder if found
    C:\WINDOWS\system32\defragfat34.exe
    C:\WINDOWS\web\related.htm

    Tell me if you have problems deleting or finding any of these.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
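    As an added example (not code from this thread, from MajorGeeks or from HijackThis), the look-alike warning in PhilliePhan's and chaslang's posts above can be turned into a small check over HJT O4 lines: it extracts the launched executable, tests its name against a constructed whitelist of real Windows binaries with an edit-distance rule, and also flags programs run from a temp folder or by a bare name with no path. The whitelist, thresholds and sample log lines are assumptions built for the example; it generalizes beyond this thread to any O4 Run/RunServices line.

```python
"""Classify HijackThis O4 (Run/RunServices) entries for look-alike and
suspicious launch targets.

Added example, not code from the thread or from HijackThis. The helpers warn
that several malware files (crsss.exe, wuaruclt.exe, smsss.exe) are spelled
to resemble real Windows binaries (csrss.exe, wuauclt.exe, smss.exe). The
whitelist and the sample log below are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Assumed whitelist: legitimate Windows binaries the thread's malware imitated.
KNOWN_SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wuauclt.exe",
                         "svchost.exe", "lsass.exe", "explorer.exe"}

# Constructed sample: O4 lines copied from the HJT logs quoted in the thread,
# plus one legitimate wuauclt.exe entry as a control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [start uploading] crsss.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [*windows update] wuaruclt.exe
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\Run: [WinSecured32] ssmr.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfat34.exe
O4 - HKLM\..\Run: [Legit] C:\WINDOWS\system32\wuauclt.exe
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_from_command(cmd: str) -> str:
    """Return the program part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def classify(path: str) -> Tuple[str, str]:
    """Return (verdict, detail) for one launched executable path."""
    lowered = path.lower()
    directory, _, basename = lowered.rpartition("\\")  # directory is '' for bare names
    if basename in KNOWN_SYSTEM_BINARIES:
        if directory == "" or directory.endswith("\\system32"):
            return "ok", f"whitelisted system binary {basename}"
        return "suspicious", f"whitelisted name {basename} launched from {directory}"
    nearest = min(KNOWN_SYSTEM_BINARIES, key=lambda k: levenshtein(basename, k))
    dist = levenshtein(basename, nearest)
    stem = basename.rsplit(".", 1)[0]
    # Look-alike rule: at most 2 edits, and fewer than half the stem length,
    # so a 3-letter name like msa.exe is not matched to smss.exe by accident.
    if dist <= 2 and dist * 2 < len(stem):
        return "lookalike", f"{basename} resembles {nearest}"
    wrapped = f"\\{directory}\\"
    if "\\temp\\" in wrapped or "\\tmp\\" in wrapped:
        return "suspicious", f"{basename} launched from temp folder {directory}"
    if directory == "":
        return "suspicious", f"bare name {basename} resolved via PATH, not whitelisted"
    return "unknown", f"{path} not in whitelist"


def scan_o4_lines(log_text: str) -> List[Dict[str, str]]:
    """Parse every O4 line in an HJT log and classify its launch target."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_from_command(m.group("cmd"))
        verdict, detail = classify(exe)
        findings.append({"hive": m.group("hive"), "key": m.group("key"),
                         "name": m.group("name"), "exe": exe,
                         "verdict": verdict, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan_o4_lines(SAMPLE_LOG):
        print(f"{f['verdict']:<10} {f['hive']}\\..\\{f['key']} [{f['name']}] -> {f['detail']}")
```

    Note that ssmr.exe is not close enough to smss.exe by edit distance and is caught by the bare-name rule instead, which is why the helpers' spelling warnings still matter when reading a log by eye.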
     
  44. hazza07

    hazza07 Private E-2

    No, sorry, that log that I gave you was before I did all of those steps that you gave me. No, I don't think the anzwers site is valid for me because I don't use it. Here's the log after the first steps you gave me; tell me if you want me to fix the anzwers one as well. I deleted C:\WINDOWS\web\related.htm
    C:\WINDOWS\system32\defragfat34.exe
    (with Explorer)

    but I couldn't find any of the others. Sorry, in the previous message I got a little confused. So here's the new log minus
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/sea
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now you are clean other than:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.anzwers.com.au/ie4/search.html


    If you do not use it for doing Searches, then you should have HJT fix that line too.
     
  46. hazza07

    hazza07 Private E-2

    Done. So now how well will the Internet Connection Firewall protect me? Which other programs should I try getting first?
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you planning on upgrading to XP SP2?

    You should see this to help you avoid additional problems:

    How to Protect yourself from malware!
     
  48. hazza07

    hazza07 Private E-2

    I don't know. I've done something that the HP site told me I can do: I went to Network Connections, right-clicked on Local Area Connection and selected Properties, went to the Advanced tab and checked a box which "protects my computer and network by limiting or preventing access to this computer from the Internet", and above this in blue it has Internet Connection Firewall.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Disable that and install one of the free ones I listed in the How to protect thread I gave you. They are much better than that. Do the rest of the stuff in that thread. But note, if and when you update to XP SP2, it has a built-in firewall which is enabled by default. You will have to disable it to keep using the others. Having more than one software firewall running is problematic.
     
    Last edited: Jan 9, 2005
  50. hazza07

    hazza07 Private E-2

    Yeah, okay, thanks for all of your help. Should I update to XP SP2? I've got Sygate on my other computer, it seems to be doing a fine job. Should I allow Microsoft QMgr? It comes up constantly but I don't know what it is.
     
