Master Chaslang, I need your help again.

Discussion in 'Malware Help (A Specialist Will Reply)' started by griggi63, Jun 8, 2006.

  1. griggi63

    griggi63 Private First Class

    I am trying to repair one of my wife's friends' computers. This was in bad shape. I found no antivirus on it. To the best of my ability I have already done the "Read This First" part of the advice (except for the online scans, because I don't have this PC online).
    Problem 1 that is left now: I kept getting a recurring VISUAL C++ RUNTIME LIBRARY ERROR --- C:\WINDOWS\SYSTEM32\TYPWPHK.EXE.

    I had installed my Norton 2004 and ran it, and it only found one baddie. I tried to install the update file from MG after burning it to a CD from my PC, but it would not let me upload the file, saying it was not signed. I then uninstalled Norton (also used the removal tool from MG) and then loaded AVG Free with the updated defs. It found a bunch of baddies and cleaned them all out, except one. It comes up as C:\windows\system32\twpR32.dll, and it will not let me delete it, quarantine it or anything. I tried to do a search for the file and came up empty. Any advice to get rid of this? So far the Visual C++ error has stopped popping up.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That file is: http://castlecops.com/o20list-172.html

    Download: HSFix.zip

    Extract the tool from the ZIP File to a folder you can easily find (preferably in its own folder - like C:\HSFix).

    Now please boot to Safe Mode and DoubleClick hsfix.bat to run the tool.

    Allow it as long as it takes to run, then Reboot to Normal Windows and look for a log at C:\hslog.txt . Please attach that log when you come back.

    Now please download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the Blacklight log file here.


    How much of the READ ME have you actually been able to run? See if you can run more now after doing the above. I would like to see the online scans run and then get a HijackThis log.
     
  3. griggi63

    griggi63 Private First Class

    OK, problem number one: after downloading to CD and installing HSFix on the infected PC, it starts to run and stops at number 5 and does nothing more. So I rebooted into normal mode and installed the blbeta. I ran this; it found 177 things and dropped the text on the desktop. I went to send this file to a CD so I could send it to you, but for some reason the CD Writing Wizard is telling me there is no blank CD in the drive to write to, no matter how many times and different CDs I use. I'm totally lost at the moment.

    Oh yeah, the Visual C++ error is intermittent now, but AVG is picking up the twpr32.dll error stating "trojan horse backdoor.generic2.rox". I can't do anything to this, and now another was popping up but I didn't get a good look at it.

    Got the 2nd one: C:\windows\system32\twpR64.sys
    trojan horse backdoor generic2.RLI

    #3
    c:\windows\system32\2q.dll
    trojan horse backdoor generic2.ROX
     
    Last edited: Jun 9, 2006
  4. griggi63

    griggi63 Private First Class

    Got part of it to work; here is the log.
     

    Attached Files:

  5. griggi63

    griggi63 Private First Class

    Right now I am in the middle of installing Service Pack 2 for XP. Some things I wanted to make you aware of: there is no sound and no little speaker in the lower system tray. It has huge icons on the desktop and you cannot change the resolution or screen size; it also only has one option for color (16-bit). I did manage to get online with dial-up, painfully slow to begin with, but it seemed abnormally slower than dial-up usually is. I was going to wait until XP SP2 installs, then redo the whole "Read and Run Me First" and go from there. Good idea or no?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    VERY BAD IDEA! Installing SP2 while infected can be worse than the malware itself. I realize that you just want to get your PC running, but if you do not follow only our directions and nothing else, it will be impossible to help you. We said nothing about installing SP2.

    Your Blacklight log showed you are still infected with Haxdoor. I have no idea where things will stand now after trying to install SP2 but I would expect that you are going to have problems with the SP2 install and that will not be a topic for this forum.

    Since I don't know your current status anymore, I'm not sure what to tell you to do.

    I would recommend you do the below and attach the log.

    AproposMedia Fix

    Also see if you can delete the below folder in safe mode:

    c:\Program Files\Onlngent
     
    Last edited: Jun 10, 2006
  7. griggi63

    griggi63 Private First Class

    You are absolutely right and I apologize for jumping the gun. When I did get it onto a dial-up connection, it was trying to automatically update. I did get SP2 installed, but it knocked out a bunch of drivers. I had the resource CD and got sound and video drivers reinstalled, and have 2 settings of resolution instead of the gigantic one that was there before. Again I apologize and will not jump the gun again. I am going to run the program you have just previously mentioned and will post the results and will wait for further help.
     
  8. griggi63

    griggi63 Private First Class

    OK, here are the files. I will do nothing till I hear from you. I do want you to know that for some reason now the Visual C++ errors have stopped and AVG hasn't popped up with the 3 virus detections like before... not sure why.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Because of the AproposFix I had you run. It removed a bunch of problems. See for yourself in the log.

    Did you delete the c:\Program Files\Onlngent folder? (I'm not sure if AproposFix removed it.)

    Now rerun Blacklight as a double check.
     
  10. griggi63

    griggi63 Private First Class

    I could not locate that folder anywhere. Am running the BLB now.
     
  11. griggi63

    griggi63 Private First Class

    OK, here is the log.
     

    Attached Files:

  12. griggi63

    griggi63 Private First Class

    OK, things seem to be running OK; I was getting ready to put it back on the net. I found the original Dell CD that came with the PC to install Norton 2003; I was going to take the AVG off and put this back on. I needed to know if there was anything else for me to do first. The AVG Resident Shield popped up again while I was just leaving the PC run, but I couldn't get to it fast enough to see what the virus that it had detected said, other than something like c:\window\system\volume... something or other. I popped open AVG and opened the Resident Shield, and it is set for scanning all files instead of just "infectible files". Do you think it would be OK to uninstall the AVG and put back on the Norton that came with the PC? Or do you think it better to leave it AVG?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would not reinstall a Norton 2003. It is out of date and a resource hog anyway. Do you actually have a paid license that still allows you to get updates for it?

    At any rate, we were not done! Your final steps are below:

    It is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  14. griggi63

    griggi63 Private First Class

    OK, as per your instructions, I have not reinstalled the Norton because I do not know if the owner has the subscription update, and will leave it with AVG.

    I have created a new clean restore point.

    When going through the (How to Protect Yourself from Malware)... I downloaded ZoneAlarm to a disc to install on that PC. When I went to the Control Panel of the PC to turn off the Windows Firewall in the Security Center, the Security Center window opened displaying this...

    SECURITY ESSENTIALS
    The Security Center is currently unavailable because the "Security Center" service has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service), and then open the Security Center again.

    I restarted the PC and got the same message.

    On the 3 icons that appear below, I can open the Automatic Updates and the Internet Options, but when trying to open the Windows Firewall it states: "Due to an unidentified problem, Windows cannot display Windows Firewall settings."

    I have not yet installed the ZoneAlarm firewall; waiting for your instructions.
     
  15. griggi63

    griggi63 Private First Class

    OK, the owner is on their way to pick up this PC; anything else I should do? I am about to install ZoneAlarm even with the security problem.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just install ZoneAlarm. It will be your firewall! You do not want or need the Windows firewall. ZoneAlarm would more than likely have disabled your Windows firewall during the install anyway.
     
  17. griggi63

    griggi63 Private First Class

    I tried, but it does not work. I tried to uninstall it to see if I could reinstall it, but now it gives me an error that it cannot find some file. I tried manually through Add/Remove Programs, and had problems there too. I did an explore to find anything ZoneAlarm and tried to get rid of it manually; it didn't help.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps you still have some malware problems! Attach a new HJT log and let's see.
     
  19. griggi63

    griggi63 Private First Class

    I am actually using the PC I am trying to fix; I have it on a dial-up connection. Here is the log.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay looks like there is a Qoologic infection and some items from Haxdoor are still present.

    Download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished.
    FindQool is not a removal procedure. It is a scan that helps us to locate hidden files and registry keys so we can work up a fix for the Qoologic infection.
     
  21. griggi63

    griggi63 Private First Class

    OK, here is the log. I'm really sorry for all this trouble; I thought I did it right, but that XP SP2 screw-up...
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    FindQool did not run because you have another problem with your OS installation.

    Run one of the below (choose the one that is correct for your OS):

    For Windows XP Pro: download and run XPproFix
    For Windows XP Home: download and run XPHomeFix

    Now run the FindQool steps again and attach a new log from it.
     
  23. griggi63

    griggi63 Private First Class

    OK, got the XPHomeFix and unzipped it. I tried to burn the results to a CD, but I'm getting that error from the CD Writing Wizard saying either there is something wrong with the CD or there is no CD in the drive, no matter which CD I use. So I tried to get online; I got the connection, but it would not let me access a web page; it kept saying server not found.

    So here are the results. I hope I don't make any mistakes typing this.

    Report.txt notepad

    Mon 06/12/2006
    Running from: c:\findqool\FindQool
    Please note: legit filess might be listed. if you are unsure of what is listed leave them alone

    known file names

    MD5 check....

    files found with locate com.
    re-check using dir /a:-d
    d:\documents and settings\all users\start menu\programs\startup
    ...

    HKEY_Local machine\software\classes\folder\shellex\columnhandlers\{ce3q44d8-bc88-4d62-a890-42d9625f8d6}

    ...
    runs, listed here as doublecheck for locate com results
    HKLM
    HKCU
    ...

    files in winlogo shell and userinit
    listed here as doublecheck for locate com results
    shell REG_SZ explorer.exe, c:\windows\system32\klyph.exe
    suereinit REG_SZ c:\windows\system32\userinit.exe, vggtrni.exe

    ...
    SWReg utility...
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\System32\klyph.exe
    C:\WINDOWS\SYSTEM32\vggtrni.exe
    C:\WINDOWS\SYSTEM32\twpR32.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\klyph.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vggtrni.exe
    O20 - Winlogon Notify: twpR32 - C:\WINDOWS\SYSTEM32\twpR32.dll

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\WINDOWS\System32\klyph.exe
    C:\WINDOWS\SYSTEM32\vggtrni.exe
    C:\WINDOWS\SYSTEM32\twpR32.dll

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log

    Also tell me how things are working!
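The Shell, UserInit and Winlogon Notify entries that keep surfacing in this thread (the FindQool report typed out in post 23 and the F2/O20 lines chaslang lists above) are the three Winlogon load points the log tools are checking. The following Python script is an added example for readers, not a MajorGeeks, HijackThis or FindQool tool and not part of the original thread: it reads HijackThis-style F2 and O20 lines and flags any Shell or UserInit value that carries an executable beyond the expected one, and any Winlogon Notify package whose DLL is not on a small allow-list. The expected defaults, the allow-list of XP Notify DLLs, and the sample log lines are all assumptions constructed for the example; compare the allow-list against a known-clean machine of the same build before relying on it.

```python
import re
from typing import Dict, List

# Assumed defaults for the two Winlogon values on a clean XP install.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}

# Assumed allow-list of Winlogon Notify DLLs shipped with XP. Anything not
# listed here is worth a second look; verify against a clean reference box.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll",
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$", re.I)

# Constructed sample log modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINDOWS\\System32\\klyph.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,vggtrni.exe
O20 - Winlogon Notify: twpR32 - C:\\WINDOWS\\SYSTEM32\\twpR32.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def find_winlogon_anomalies(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per F2/O20 line that carries something unexpected."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = F2_RE.match(line)
        if m:
            value_name, raw_value = m.group(1).lower(), m.group(2)
            # Values are comma-separated; a trailing comma is normal for UserInit.
            entries = [e.strip() for e in raw_value.split(",") if e.strip()]
            suspect = [e for e in entries if basename(e) not in EXPECTED[value_name]]
            if suspect:
                findings.append({"kind": value_name, "line": line, "suspect": suspect})
            continue
        m = O20_RE.match(line)
        if m:
            dll = m.group(2).strip()
            if basename(dll) not in KNOWN_NOTIFY_DLLS:
                findings.append({"kind": "winlogon_notify", "line": line, "suspect": [dll]})
    return findings


if __name__ == "__main__":
    for finding in find_winlogon_anomalies(SAMPLE_LOG):
        print(f"[{finding['kind']}] {finding['line']}")
        print(f"    unexpected: {', '.join(finding['suspect'])}")
```

Matching is by file name only, so a DLL with an allow-listed name sitting in an unusual directory would pass; treat the output as a triage aid and confirm the full path, signature and timestamp of anything it does not flag before trusting the entry.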
     
  25. griggi63

    griggi63 Private First Class

    Here are the 2 logs. I still can't get a web page to open; I just get the "The page cannot be displayed" warning no matter which website I try to go to.

    When I right-click to send a file to somewhere, for some reason it is coming up with 2 CD drives with the same letter: one says "Direct CD drive (D)" and the other says "CD-RW drive (D)".

    It won't let me burn anything to a CD, no matter which of the 2 I pick.

    Still can't get into the Windows Firewall to see if it is on or off, and can't install or uninstall ZoneAlarm.

    But at least it is running a lot faster than before.

    Waiting for your next instructions... or do I shoot it?
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This may all be a losing cause. The upgrade to SP2 may have caused all kinds of problems that cannot be addressed in this forum.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to TrueVector Internet Monitor ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    vsmon

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.

    After reboot delete the below:
    C:\WINDOWS\system32\ZoneLabs <--- the whole folder
    C:\Program Files\ZoneLabs <--- the whole folder or C:\Program Files\Zone Labs

    Now try to install the below firewall:
    Outpost Firewall Free
     
  27. griggi63

    griggi63 Private First Class

    OK, before I go any further: when I went to services.msc and found the TRUEVECTOR INTERNET MONITOR and right-clicked Properties, the process is already stopped. Should I hit Start and see if I can connect to a web page before doing anything else?
     
  28. griggi63

    griggi63 Private First Class

    Ignore that last statement. When I change the startup type to Disabled and try to hit OK or Apply, it says access denied; I think the only way out of that window is to hit Cancel. Do you still want me to do the rest?


    And actually I'm not really sure that the SP2 has anything to do with it; I have had it online after that whole melee occurred, and the CD-RW was writing yesterday.
     
  29. griggi63

    griggi63 Private First Class

    I can't seem to get this ZoneAlarm out. Everything I do is "access denied" or is being used by another program.
     
  30. griggi63

    griggi63 Private First Class

    OK, just wanted to let you know, I got the TrueVector to stop. I had to do it in Safe Mode, then took out the vsmon (I think I did that in Safe Mode too). There are still a bunch of ZoneAlarm files on there that it won't let me take out. Their website was totally no help at all. While trying to take a lot of them out, I kept getting a message that the files were in use, possibly by another user? That confuses me a bit. Well, the internet is up and functional. Not sure about Outlook Express; not sure if it was set up before I got the PC. There was so much damage when it was brought to me that there were no programs responding too well, and I never checked Outlook. I still can't seem to get the CD-RW to write. It reads fine; it just won't write. I went into Device Manager and uninstalled it, and rebooted to have it pick it up again, hoping maybe it was just a driver issue that would resolve itself, but same thing. Like I said before, if I right-click on a file to "send to" a location, the option brings me up 2 (D) drives: one says CD direct drive, and the other CD-RW drive. Weird, huh. I might try taking a CD-RW out of one of my other PCs just to see if it will write. (Well, I guess I shouldn't say it won't write; it tells me that the CD I'm using is no good, or full, or something to that effect.) I'm a little nervous about installing that other firewall... do you think I should still try it?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    None of your remaining issues are topics for this forum. You will have to discuss them in the Software Forum.

    You need a firewall or you are extremely susceptible to new infections. You need to complete ALL steps in the below since you also have no antispyware blocking tools installed.

    How to Protect yourself from malware!
     
  32. griggi63

    griggi63 Private First Class

    Just wanted to let you know how things are.

    1. I tried to install the other firewall; it gave me a huge warning not to continue with the installation because ZA was installed and could create serious conflicts and possibly cause the PC not even to be able to boot. I took this warning seriously and decided not to do it as yet.

    2. I uninstalled XP SP2 and all is fine with the CD-RW now. The drivers stayed, so there was nothing I had to reload (that kind of shocked me).

    3. Back to the firewall problem. I did some research on the web on how to get rid of the ZoneAlarm. I had to go into the registry and delete the vsdatant folder... I have the specific location at home; I can post it if you need it. Anyway, after I removed that folder, I was able to delete all the ZoneAlarm files except for vsmon.exe. But it was still enough to install the other firewall.

    So with that, all problems are fixed. I wanted to thank you for all your help and patience. I have one recurring warning from the firewall about a "dedicated.hideout.net" from the svchost and what to do with it. When I blocked it the first time, after that it would not let me load a web page; it would keep saying "This page cannot be displayed". So I went back into the control panel of the firewall and removed it from the blocked list, and I could access web pages again. I went to Windows Update to get all the updates for the XP that is running on that machine, and while it was downloading, the window popped up again asking me what to do with "dedicated.hideout.net". I didn't do anything; I just let the window stay there while the update was running. Do you have any idea what that is or how to stop it if it is dangerous?
     
  33. griggi63

    griggi63 Private First Class

    Correction: dedicated.thehideout.net
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It sounds like something you are connecting to. If you block it and then cannot connect, then you are the one going there. What website are you actually going to when you run into a problem?
     
  35. griggi63

    griggi63 Private First Class

    That is the weird part. The first time, I had just opened IE and the homepage is set to Yahoo. After a minute or so, the firewall window opened up and asked about "dedicated.thehideout.net" and what I wanted to do with it. I had it block it because I didn't know what it was. Then when I went to go from Yahoo to MG, it came up with the "page not found" screen, and I looked down and the little monitors that indicate internet activity were not blinking anymore. I still had a connection, but nothing could come or go. I actually rebooted to see if maybe something had just fouled up for a second. The connection went through, but it still could not access a web page. I opened up the firewall and looked to see what was blocked. It didn't say "dedicated.thehideout.net"; it said svchost was blocked. So I removed that from the list and proceeded to open up a web page, and it opened fine.

    Later when I was on Windows Update, it did it again, only I just let the window hang there until I was finished letting Windows do its thing.

    Then just a little bit ago, I was back on Windows Update, finishing up the rest of the downloads (there were 48 critical ones that the system needed, or so it said), and a window popped up with an IP address this time. Well, I let it hang there until Windows Update was done, and rebooted. It wouldn't let me on the web page again; I opened the firewall, and sure enough, svchost was on the block list again. Not sure what is going on... oh yeah, I tracked the IP address and it came back as "Sandy.thehidout.net", located somewhere in Washington state, or lower Alaska; it couldn't pinpoint it.

    Any clues?

    Is it possible I have the firewall settings wrong? I left it at the default settings so far.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    svchost is a valid process and requires internet access.

    What IP address was in the window? I don't see any match for Sandy.thehideout.net but I did see the below for the other you mentioned. Does Hurricane Electric mean anything to you?


    Let's get an installed programs list from HijackThis!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
     
    Last edited: Jun 15, 2006
  37. griggi63

    griggi63 Private First Class

    Hurricane Electric means nothing; I have never seen anything like that on the PC. I don't have the IP address anymore.


    I ran all the Windows updates, installed SpywareBlaster as the spy catcher, and rebooted. I did some surfing to see what would happen and I did not receive anything from the firewall after that.

    I had the girl come get her PC last night before I received your latest message. If needed, I can go and get the info you need if you think that it is necessary. I gave her a quick rundown on the programs installed for security, gave her the info to your website, and told her to quit downloading junk (she is a big BearShare and LimeWire fan).

    Like I said, if you think it's necessary, I can get the info that you request if you do not feel the system is completely clean.

    Let me know.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessary as long as everything is running properly.
     
  39. griggi63

    griggi63 Private First Class

    Well, not totally properly; there seems to be some kind of glitch with the Outpost. It seems that after you have been on the web and shut down the PC, the next time you restart the PC and go to surf, you cannot get on a web page. You have to open up the firewall and remove the svchost from the blocked applications list. Any clue as to why this would happen? Other than having to go in and unblock it, it seems to be running fine.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds to me like you are not configuring the firewall properly to always allow svchost.exe to have access. This is not a malware problem but rather a user configuration issue.
     
  41. griggi63

    griggi63 Private First Class

    I kind of figured it was me. Will get it taken care of. As always, you guys are the greatest. Thank you for your time, patience, and may God bless you every day.

    Sincerely, a grateful follower of MG

    Gino


    PS. I gave her explicit instructions to visit the forums, especially the malware one, and if she has any problems to come to you. Have a great day, and a wonderful life.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Gino! And I wish the same for you!
     
