I'm in a fix, I can't run any clean up programs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by danu_moonfire, Jul 28, 2005.

  1. danu_moonfire

    danu_moonfire Private E-2

    I'm new on these forums, and I have tried to follow the tips given in the posts here. Here is my problem. First off, I'm running Windows 2000 Pro. Last night I ran Ad-Aware and it found some spyware. Today I scanned for viruses with McAfee antivirus; 59 things were found (malware and trojans) and everything was cleaned up, or so I thought. When I rebooted the computer and tried to click any program I get an error, "such and such has generated an error and will be shut down by Windows", therefore I can't run any program that you recommend to try and clean further. It won't even let me use the restore CD that came with the computer; I get the same error message. I'm lucky I can even post here. Help please if you can. Thanks, Danu
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Danu,

    Can you do anything in Safe Mode?

    Can you run Panda ActiveScan?
    If so, please run that and save the log and attach it.

    PP :)
     
  3. danu_moonfire

    danu_moonfire Private E-2

    I scanned with Panda and it says the file is too big to attach. I tried to open Word but it gives an error and closes the program. There is lots of spyware remaining, SurfSideKick and CashBack; I can't remove these manually, I tried.
     
  4. PhilliePhan

    PhilliePhan Guest

    Can you Copy and Paste the log into a post? Try that.

    Also, try this:
    Download and Install Ewido Security Suite

    DoubleClick the Ewido Icon on your desktop and allow it to update to the latest malware definitions (Click Update > Start). Then, exit Ewido and boot to Safe Mode.
    When in Safe Mode, open Ewido and click Scanner. Be sure the following boxes are checked (Binder - Crypter – Archives) and then Start Scan.

    Allow Ewido to fix what it finds and click on Save Report. Save the log to where it can be easily found and attach it for me.


    Also, try to send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it along with the Ewido Log when you post back.

    I will try to check back as time permits.

    Best luck :)
    PP
     
  5. danu_moonfire

    danu_moonfire Private E-2

    Copying and pasting does not work; Notepad shuts off before I can do anything. Can't I do System Restore? I can't find where that is located on Windows 2000 Pro. I would run the disk but it won't stay open long enough without an error message. How do I run in Safe Mode? Thanks
     
  6. PhilliePhan

    PhilliePhan Guest

    Windows 2K doesn't have System Restore capability like XP or ME....

    How To Boot To Safe Mode

    Can you ZIP the Log and then attach it?

    PP :)
     
  7. danu_moonfire

    danu_moonfire Private E-2

    WinZip gives the error message "winzip.exe has generated errors and will be shut down by windows. You will have to restart the program." Any program installed on this computer gives the same error message; I can only get on IE for email and browsing.
     
  8. PhilliePhan

    PhilliePhan Guest

    Are you able to do anything in Safe Mode?
     
  9. danu_moonfire

    danu_moonfire Private E-2

    This log is from after I ran McAfee, Search and Destroy, and Ewido (spelling?).
     

    Attached Files:

  10. PhilliePhan

    PhilliePhan Guest

    Hi Danu,

    Let's give this a go, shall we? Note that there are a couple entries that I did not recognize. If you don't know them either, then perhaps it would be best to remove them.

    I'm not sure how much of this your machine will allow you to complete, but do what you can and post back with the results.

    And off we go . . . .

    Please print out or save these instructions locally so that you can Disconnect from the Internet and operate with All Browser Windows CLOSED.
    Please make sure the Viewing of Hidden Files is Enabled.

    Look in Add/Remove Programs for the following and try to Uninstall them if found:

    SurfSideKick 3
    ETB
    Elite ToolBar
    Virtual Bouncer
    VBouncer
    Media Access
    CashBack
    NaviSearch

    + note other suspicious entries


    Now scan with HijackThis and Check the Boxes for the following, if they remain:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)

    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [mscin] C:\WINNT\SYSTEM32\m190309.EXE
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

    O4 - HKLM\..\Run: [lanbrup] C:\WINNT\system32\lanbrup.exe --> I do not know what this is, do you?

    O4 - HKLM\..\Run: [SystemService] C:\WINNT\etb\pokapoka62.exe
    O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka62.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKCU\..\Run: [Jjvsm] C:\WINNT\system32\w?nlogon.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [Brct] C:\Program Files\atce\trdb.exe

    O4 - Global Startup: palstart.exe --> Another one I don't recognize

    O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer2005ScannerInstall.cab

    O20 - Winlogon Notify: Guardian - C:\WINNT\system32\msg117.dll (file missing)
    O20 - Winlogon Notify: URL - C:\WINNT\system32\huzcon07.dll (file missing)

    O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\fklisvc.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\cfgmgr52.dll
    E6F1873B.DLL --> Locate this with Windows Explorer
    C:\WINNT\SYSTEM32\m190309.EXE
    C:\Program Files\Media Access ---> The Folder
    C:\WINNT\system32\lanbrup.exe --> Again, I don't know this one . . .
    C:\WINNT\etb ---> The Folder
    C:\Program Files\NaviSearch ---> The Folder
    C:\Program Files\CashBack ---> The Folder
    C:\WINNT\system32\exp.exe
    C:\PROGRA~1\VBOUNCER ---> The Folder
    C:\WINNT\system32\w?nlogon.exe --> Note ? in spelling
    C:\Program Files\SurfSideKick 3 ---> The Folder
    C:\Program Files\atce ---> The Folder
    palstart.exe --> If you choose to remove this, you will need to hunt it down with Windows Explorer
    C:\WINNT\system32\msg117.dll
    C:\WINNT\system32\huzcon07.dll
    C:\WINNT\fklisvc.exe

    NEXT:
    Run CCleaner and Spybot S&D (from the READ ME FIRST Sticky Post ) and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
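The fix list above is typical HijackThis triage: the helper reads each R1/R3/O4/O16/O20/O23 line, works out what file or URL it points at, and flags the patterns PhilliePhan was reacting to (orphaned "(file missing)" entries, a service with an unknown owner, a DLL that rundll32 loads by bare name, a file name that imitates a system binary, a binary dropped straight into the Windows directory). This is an added example written for this page, not a tool from the thread or from HijackThis; the sample lines are copied from the log excerpts in the post, and the flagging heuristics are my own choices, not anything the thread specifies.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Parses the entry types quoted in the post and attaches review flags to each one,
so a long log can be sorted into "needs a look" and "probably fine" quickly.
The heuristics are the author of this example's own and are deliberately simple.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: entries copied from the HJT log quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKCU\..\Run: [Jjvsm] C:\WINNT\system32\w?nlogon.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer2005ScannerInstall.cab
O20 - Winlogon Notify: Guardian - C:\WINNT\system32\msg117.dll (file missing)
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINNT\fklisvc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")          # "O4 - <body>"
URL_RE = re.compile(r"https?://\S+")
RUNDLL_RE = re.compile(r"(?i)\brundll32(?:\.exe)?\s+([^,]+)")  # DLL argument up to the ",Export"
PATH_RE = re.compile(r"(?i)(?:[a-z]:\\|\\\\)[^,\"]*?\.(?:exe|dll|cab|scr|com|bat|ocx)")
HEXNAME_RE = re.compile(r"(?i)^[0-9a-f]{8,}\.(?:exe|dll)$")   # e.g. E6F1873B.DLL
WINDOWS_DIRS = (r"c:\winnt", r"c:\windows")                  # Win2000 and later defaults


@dataclass
class Entry:
    section: str            # HJT section tag, e.g. "O4"
    raw: str                # the original log line
    target: str = ""        # file path, DLL name or URL the entry points at
    flags: list = field(default_factory=list)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def extract_target(body):
    """Return the URL, rundll32-loaded DLL, or file path an entry refers to ('' if none)."""
    m = URL_RE.search(body)
    if m:
        return m.group(0)
    m = RUNDLL_RE.search(body)
    if m:
        return m.group(1).strip()
    m = PATH_RE.search(body)
    return m.group(0) if m else ""


def assess(entry):
    """Attach review flags to an Entry; returns the same object for chaining."""
    low = entry.raw.lower()
    t = entry.target
    name = basename(t).lower()
    if "(file missing)" in low:
        entry.flags.append("orphaned entry: referenced file is missing")
    if entry.section == "O23" and "unknown owner" in low:
        entry.flags.append("service with unknown owner")
    if t.startswith(("http://", "https://")):
        entry.flags.append("points at host " + (urlsplit(t).hostname or "?"))
    elif t:
        if "?" in name or any(ord(c) > 126 for c in name):
            entry.flags.append("look-alike file name (unexpected character)")
        if HEXNAME_RE.match(name):
            entry.flags.append("hex-looking file name")
        if RUNDLL_RE.search(entry.raw) and not re.match(r"(?i)[a-z]:\\", t):
            entry.flags.append("rundll32 loads DLL by bare name (found via search path)")
        parent = t.lower().rsplit("\\", 1)[0] if "\\" in t else ""
        if parent in WINDOWS_DIRS:
            entry.flags.append("file sits directly in the Windows directory")
    return entry


def parse_log(text):
    """Parse every recognised HJT line in `text` into an assessed Entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, body = m.groups()
            entries.append(assess(Entry(section, line.strip(), extract_target(body))))
    return entries


def flagged(entries):
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.section:4} {e.target or '-'}")
        for f in e.flags:
            print("      !", f)
```

Run stand-alone it prints one line per entry with its flags indented beneath; the VBouncer line comes out clean, which is the point: a heuristic pass like this narrows the list, and the analyst (here PhilliePhan recognising the VBouncer name) still makes the call.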
     
  11. danu_moonfire

    danu_moonfire Private E-2

    I ran CC and Search and Destroy after deleting all that I found from the list. Search and Destroy only found one thing, and deleted it. I'm still getting pop-ups when I logged on to this site, from yieldmanager and winfix. Attached is the HijackThis log.
    Thanks, Danu
     

    Attached Files:

  12. PhilliePhan

    PhilliePhan Guest

    This Winfixer is a real pain to track down. I do not see it in your latest HJT Log.

    Try looking in Add or Remove Programs for Winfixer or anything by WinSoftware, Ltd and try to uninstall if you find it.

    ALSO:

    Scan with HJT and fix these entries:
    O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINNT\system32\upjvzkbv.dll
    O2 - BHO: (no name) - {CA3FC612-7BAC-3476-D8E9-7D82CF6B29C2} - C:\WINNT\system32\emey.dll

    O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\aim.exe (file missing)


    Then, boot to Safe Mode and delete these, if they remain:
    C:\WINNT\system32\upjvzkbv.dll
    C:\WINNT\system32\emey.dll
    C:\WINNT\system32\exp.exe



    NEXT:
    If you cannot find Winfixer in Add/Remove Programs, please do the following . . .

    Download Silent Runners and save it to your Desktop.
    DoubleClick on Silent Runners and allow it to run. If your AV prevents the script from being run, you will have to allow it.

    It will create a log - Please attach that for me and let's see what it has to say.

    PP :)
     
  13. danu_moonfire

    danu_moonfire Private E-2

    I did not find WinFixer in Add and Remove Programs. When I rebooted in Safe Mode it just stops at the second page of the white writing; I waited several minutes and nothing. I rebooted in normal mode and didn't find any of the DLL files. Attached is the log. Thanks very much for all your help, Danu
     

    Attached Files:

  14. PhilliePhan

    PhilliePhan Guest

    Happy to try to help! :) I've still got a couple tricks up my sleeve . . . Hopefully they will be enough!

    FIRST:
    Do you know what this is? --> C:\Program Files\CMAPP\Client\cmappclient.exe
    It doesn't look like a baddie, but I don't recognize it . . .


    NEXT:
    Please unzip Pocket KillBox to its own folder.

    NOW, please open Pocket KillBox.

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” and “End Explorer Shell While Killing File” Options. Enter or Copy&Paste each of the following into the box one by one, making sure Delete on Reboot and End Explorer Shell While Killing File are Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be Rebooted until both have been entered:

    C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe

    C:\Program Files\atce


    After both have been entered, ALLOW KillBox to reboot your machine. If it fails to do so, please do it manually.

    Let me know how you fare with the above - If it doesn't work, we'll move on to "Plan B."

    Best Luck :)
    PP
     
  15. danu_moonfire

    danu_moonfire Private E-2

    Both files were removed with KillBox. I don't know what C:\Program Files\CMAPP\Client\cmappclient.exe is, but it keeps trying to access my computer when I reboot. My firewall is catching it. Should I remove that one too? I also downloaded several programs from the How to protect yourself from malware thread: Ad-Aware, SpywareBlaster, CWShredder, firewall, Kill2Me, About:Buster and HSRemove. Thanks, Danu
     
  16. PhilliePhan

    PhilliePhan Guest

    It doesn't really look like malware to me, but it wouldn't be the first time a baddie looked legit!

    Try navigating to C:\Program Files\CMAPP and see if you can tell what it does. RightClick the files in that folder and see if you can find the Property and Version info for them.

    -- So, KillBox was able to find C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe??

    -- How are things running now? Please attach a fresh HijackThis log.

    PP :)
     
  17. danu_moonfire

    danu_moonfire Private E-2

    Yes, KillBox deleted 2 files. I went to C:\Program Files\CMAPP; there are 6 files in the folder, 3 of them are text files with only 1 line. Here is what they say:

    1st one:
    [Hyperlinker]
    book|<a href='http://67.15.154.58/cmapp/zx-hclick.php?hid=1' target='_blank'>book</a>
    the|<a href='http://67.15.154.58/cmapp/zx-hclick.php?hid=2' target='_blank'>the</a>

    2nd one:
    search.yahoo.com/search=p=yahoo.com
    search.msn.com=q=msn.com
    www.google

    3rd one:
    800florals.com*|http://www.adsprve1.com/r.php?id=985
    *800florals.com*|http://www.adsprve1.com/r.php?id=985
    *lowermybills.com*|http://www.adsprve1.com/r.php?id=987
    *800florals.com*|http://www.adsprve1.com/r.php?id=985
    *peoplepc.com*|http://www.adsprve1.com/r.php?id=991

    and there is an uninstall button.
    It is running a whole lot better than it was. I'll attach the HijackThis log. Thanks, Danu
     

    Attached Files:
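The CMAPP files Danu pasted are adware configuration, and configuration like this is useful to a defender because it names the infrastructure the program talks to. The example below is added for this page (it is not from the thread and not part of CMAPP); its reading of the format is my inference from the pasted contents, which the thread does not document: the [Hyperlinker] file maps page words to injected affiliate anchors, and the third file maps domain wildcards to redirect URLs. The code turns both into a list of hosts to watch for in proxy or DNS logs and shows which visited sites a given rule file would redirect. The sample strings are constructed from the two files as posted; the search-engine file (the "2nd one") uses a different layout and is left out.

```python
"""Extract detection indicators from the CMAPP rule files quoted in the thread.

Added example, not from the thread or from CMAPP. Assumptions (mine): rule lines
are "pattern|payload"; the payload is either an HTML anchor whose href is the
affiliate URL, or a bare redirect URL; patterns use shell-style * wildcards.
"""
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample: contents of the "1st one" and "3rd one" files as posted.
HYPERLINKER = """[Hyperlinker]
book|<a href='http://67.15.154.58/cmapp/zx-hclick.php?hid=1' target='_blank'>book</a>
the|<a href='http://67.15.154.58/cmapp/zx-hclick.php?hid=2' target='_blank'>the</a>
"""
REDIRECTS = """800florals.com*|http://www.adsprve1.com/r.php?id=985
*800florals.com*|http://www.adsprve1.com/r.php?id=985
*lowermybills.com*|http://www.adsprve1.com/r.php?id=987
*800florals.com*|http://www.adsprve1.com/r.php?id=985
*peoplepc.com*|http://www.adsprve1.com/r.php?id=991
"""

HREF_RE = re.compile(r"href='([^']+)'")


def parse_rules(text):
    """Yield (pattern, url) pairs; skips blank lines and [section] headers."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "|" not in line:
            continue
        pattern, payload = line.split("|", 1)
        m = HREF_RE.search(payload)          # anchor payload: pull out the href
        yield pattern, (m.group(1) if m else payload.strip())


def indicators(*texts):
    """Return (sorted hosts contacted, sorted trigger words/domains) across rule files."""
    hosts, triggers = set(), set()
    for text in texts:
        for pattern, url in parse_rules(text):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host)
            triggers.add(pattern.strip("*"))
    return sorted(hosts), sorted(triggers)


def redirect_for(hostname, rules_text):
    """First redirect URL whose wildcard pattern matches the visited host, else None."""
    for pattern, url in parse_rules(rules_text):
        if fnmatchcase(hostname.lower(), pattern.lower()):
            return url
    return None


if __name__ == "__main__":
    hosts, triggers = indicators(HYPERLINKER, REDIRECTS)
    print("hosts to watch:", hosts)
    print("hijacked words/domains:", triggers)
    print("www.800florals.com ->", redirect_for("www.800florals.com", REDIRECTS))
```

Note that the first rule, "800florals.com*" without a leading wildcard, never matches a "www." host; the duplicated "*800florals.com*" rule is what actually fires, which is the kind of detail that tells an analyst how the redirect behaves in practice.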

  18. PhilliePhan

    PhilliePhan Guest

    That's odd - Looks like that atce folder returned. As for the CMAPP, that looks like it should go as well.

    -- Is the WinFixer gone?

    Fix these two entries with HJT:
    O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
    O4 - HKCU\..\Run: [Brct] C:\Program Files\atce\trdb.exe

    Try looking in Add/Remove Programs to uninstall them first . . .
    If that can't be done, just delete those folders manually.

    C:\Program Files\CMAPP
    C:\Program Files\atce

    PP :)
     
  19. danu_moonfire

    danu_moonfire Private E-2

    WinFixer appears to have gone. I ran HJT and removed
    O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
    O4 - HKCU\..\Run: [Brct] C:\Program Files\atce\trdb.exe
    then manually removed those folders in Programs. I also ran several of the scans afterwards and only one thing came up with Spybot, WildTangent. It has been so much better. Thanks for all your help. Danu
     
  20. PhilliePhan

    PhilliePhan Guest

    Great! Happy to help!

    Don't forget to check out Chaslang's Recommendations

    Happy Computing :)
    PP
     
