Please Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by faceless_doll, Dec 7, 2005.

  1. faceless_doll

    faceless_doll Private E-2

    Hi. I read the guide on removing spyware and I followed your instructions. Spybot "fixed" these problems but I've found them again:

    Windows Security Center.AntivirusDisableNotify
    Windows Security Center.AntivirusOverride
    Windows Security Center.FirewallDisableNotify
    Windows Security Center.FirewallOverride
    Windows Security Center.SP2Update
    Windows Security Center.UpdateDisableNotify

    I just installed the SP2 and I cannot use the firewall and I'm assuming this has something to do with it. Before I ran all the programs that were suggested I was having problems with my computer just turning itself off and being slow. That seems to have gone away but like I said, Spybot is still finding those problems even after I click "fix," and I cannot use the firewall. AVG found some Trojan horse downloaders Istbar.GK Istbar.FB Istbar.EM Istbar9.D and Dyfica.3.AK but they are all in the vault now. I'm not sure if they are still a problem...I usually can fix my computer when this kind of thing happens but now I'm not so lucky. I apologize if I'm leaving out any information and I appreciate any help any of you can give me. I attached a HijackThis log just in case you needed it...Thanks again.
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It is just telling you that you disabled the built in check for Windows XP SP2. The Windows Security Center checks for AV's and a firewall.

    Just have Spybot ignore these. See Spybot's Ignore Products settings and the Security tab.

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Common Files\TEKNUM~1 ←–– Delete this whole folder if it exists!

    C:\WINDOWS\taskmgr.exe


    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After you complete the above, reboot and attach a fresh HJT log.
     
    Last edited: Dec 7, 2005
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    I believe this too has been accused of being malware:

    O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That one flew by me ;) Thanks!
     
  5. faceless_doll

    faceless_doll Private E-2

    I was just getting back on to say I rebooted in safe mode and enabled the view of hidden files and I CANNOT find the file

    C:\WINDOWS\taskmgr.exe

    I even searched and it cannot find it either :/
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I made modifications to my previous post (post #2) so if you will go back and go thru the fix.
     
  7. faceless_doll

    faceless_doll Private E-2

    Okay I did what you said and I STILL couldn't find the C:\WINDOWS\taskmgr.exe file, I did find a C:\WINDOWS\TASKMAN.EXE file (but I didn't do anything with it cuz I wasn't sure if that was bad). I deleted the TEKNUM file however. Adaware and Spybot found nothing. I attached a HijackThis file...thanks for all the help...
     

    Attached Files:

  8. faceless_doll

    faceless_doll Private E-2

    There is still something wrong with my computer. I don't know if anyone checked the latest HijackThis log but that stupid file I can't find is still showing up. I did a search online for the file name that I cannot locate and this is what I came up with http://sophos.com/virusinfo/analyses/w32wormexa.html. I didn't want to follow their instructions for recovery because I wasn't sure that is what we are dealing with. I'm soooo confused. I know my computer is not right because I CANNOT enable my firewall; both choices are "greyed out" and off is selected. If someone can please help I would be so grateful. OH I reattached that HijackThis log...
     
  9. faceless_doll

    faceless_doll Private E-2

    I just did that Kaspersky online scan (it wouldn't work earlier) and this is what it found (see attachment)
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox to a location of your choice. Now find the file you downloaded and extract the contents of the zip file.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)


    Now, Copy and Paste C:\WINDOWS\system32\cmsuartz.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\loavemsp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\taskmgr.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, reboot and attach a fresh HJT log and let me know how things are running.
     
  11. faceless_doll

    faceless_doll Private E-2

    Okay I did that. My computer is running a bit faster now, however I still cannot turn on my firewall, it's still "greyed out." (Is this unrelated, am I just crazy?) Attached is the recent HijackThis scan; that one file is still on there but it now says (file missing) after it. Thanks so much for coming back to this problem!
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type services.msc and Click OK

    Locate Microsoft Update Service and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Now scan with HijackThis and Check the Boxes for the following:

    O23 - Service: Microsoft Update Service - Unknown owner - C:\WINDOWS\taskmgr.exe (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    After you complete the above, see the below thread on how to install and run Spy Sweeper.

    Running Spy Sweeper...
     
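    The O4 entry in post #2 and the O23 entry in post #12 are the two HijackThis line types this thread turns on. The script below is an added example (not from the thread and not part of HijackThis) that triages such lines: it flags a Windows system binary run from outside system32, a service with no registered owner or a missing file, and an autostart whose label borrows Microsoft wording while its executable sits outside the Windows folder. The sample log is constructed from the entries quoted in the thread plus two benign lines.

```python
import re

# Windows binaries that live only in system32 on XP; a copy elsewhere (the
# C:\WINDOWS\taskmgr.exe named in this thread, for example) merits a look.
SYSTEM32_ONLY = {"taskmgr.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "winlogon.exe", "services.exe", "ctfmon.exe"}
# Words that launch entries borrow to pass as Microsoft components; a
# heuristic, so a hit is a reason to look, not a verdict.
LURE_WORDS = ("microsoft", "windows", "update", "service", "security")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<label>[^\]]*)\] (?P<path>.+?\.exe)", re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?\.exe)(?P<rest>.*)$", re.I)

# Constructed sample: the two entries quoted in this thread plus two benign
# lines (also constructed) so the triage has something to leave alone.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Microsoft Update Service - Unknown owner - C:\WINDOWS\taskmgr.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
"""

def triage(line):
    """Return the reasons an O4/O23 line deserves attention ([] if none)."""
    reasons = []
    m = O4_RE.match(line) or O23_RE.match(line)
    if not m:
        return reasons
    path = m.group("path")
    folder, _, exe = path.rpartition("\\")
    if exe.lower() in SYSTEM32_ONLY and not folder.lower().endswith("system32"):
        reasons.append(f"{exe} outside system32: {path}")
    if line.startswith("O4"):
        label = m.group("label")
        if any(w in label.lower() for w in LURE_WORDS) and "\\windows\\" not in path.lower():
            reasons.append(f"Microsoft-sounding label '{label}' launches {path}")
    else:
        if m.group("owner").lower() == "unknown owner":
            reasons.append(f"service '{m.group('name')}' has no registered owner")
        if "(file missing)" in m.group("rest").lower():
            reasons.append(f"service '{m.group('name')}' points at a missing file")
    return reasons

def triage_log(text):
    """Map each suspicious line of an HJT log to its list of reasons."""
    return {line: triage(line) for line in text.splitlines() if triage(line)}
```

    Run against a saved HJT log, the two quoted entries come back flagged (the service on three counts) and the two benign lines are left alone.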
  13. faceless_doll

    faceless_doll Private E-2

    Okay I haven't run Spy Sweeper yet because after I disabled the Update Service thing, that file you told me to fix with HijackThis no longer shows up in HijackThis. If I reset it to automatic it shows back up in the HijackThis scan, then when I disable it it disappears again...I didn't know what I should do...
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You do exactly as my post says, set it to DISABLED and leave it here. This service is bad and should not be running.
     
  15. faceless_doll

    faceless_doll Private E-2

    Sorry I thought it was supposed to show up in HijackThis even after I disabled it...I'll run that Spy Sweeper now...thanks for your patience
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, it does not need to show anywhere, it is a bad service. I understand what you're saying though. Trust me, this service you don't want to see ;)
     
  17. faceless_doll

    faceless_doll Private E-2

    I just thought I'd update you, I ran that Spysweeper like you said and it found 2 Items and 994 Traces something about Potentially rootkit-masked files. I clicked next and made sure everything was checked then clicked next again but my computer froze so I'm going to have to do this process all over again. I don't know how late you'll be on so I was warning you that since I have to do this all over again its going to be about another hour and a half or so...*sigh* Thanks though for all your help...OH here is the attached file from the scan that didn't quite finish...
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    After you complete the Spy Sweeper scan, attach the log to your next post.
     
  19. faceless_doll

    faceless_doll Private E-2

    Okay...I ran Spy Sweeper again and this time it found 1017 traces and 2 items. It said it couldn't delete some until I restarted my computer so I did that and a screen came up where it was just running a huge list of files and saying removed. Then I ran the HijackThis so you could get the report. I still cannot enable my firewall - it's still greyed out...
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Blacklight to its own folder...

    F-Secure Blacklight

    After download is complete, double click to run the program. Click "Accept" to proceed. Then click SCAN to begin scanning your system.

    Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post along with a fresh HJT log.
     
  21. faceless_doll

    faceless_doll Private E-2

    that blacklight thing didn't find anything...here are the requested logs...*sigh*
     

    Attached Files:

  22. faceless_doll

    faceless_doll Private E-2

    The requested stuff is in the post below, I don't know when you are going to be back on but I have some stuff to do today. My friend said I'm going to have to reformat but I'm hoping at all costs not to have to! I'll be back on later.
     
  23. faceless_doll

    faceless_doll Private E-2

    I still haven't done anything with my computer because I was waiting to see what will be recommended; the logs requested are now a couple posts below. I still cannot enable my firewall, it says "for your security, some settings are controlled by group policy". I have no clue what the heck group policy even is...I'll check back later to see if anyone has a clue what I should do...thanks in advance
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Sorry, been really busy at work past few days. Your friend is wrong, you do not need to format.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment along with a fresh HJT log.
     
  25. faceless_doll

    faceless_doll Private E-2

    Hiya again and you don't have anything to be sorry for you've been great, believe me! Okay I did what you said, extracted it to C: and ran it, it only scanned for like 10 minutes and then was done. Attached is the requested logs. Thanks.
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Reboot into Safe Mode and delete the files below:

    C:\WINDOWS\psYrc <-- whole folder!

    C:\WINDOWS\Tasks\SA.DAT

    C:\WINDOWS\system32\9C7DFA8A05.sys


    After you complete the above, run CCleaner and reboot into normal mode. Let me know how things are running and what problems remain.
     
  27. faceless_doll

    faceless_doll Private E-2

    Okay, I did the fix.reg thing and added it to my registry. Then I rebooted in safe mode and went hunting for those files...sigh...there was no psYrc folder only a file named that so I deleted it. In the C:\WINDOWS\Tasks folder I couldn't find a file named SA.DAT, the only thing in there was "Add Scheduled Task" thing. Then I looked in the system32 folder and couldn't find the file you asked me to delete. I did a search for all of these things too and couldn't find them. I have it set up to show hidden files/folders and when I had it searched I told it to search in them too just in case I screwed up. I'm not sure now what to do...
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you still having malware problems?
     
  29. faceless_doll

    faceless_doll Private E-2

    I still cannot turn on my firewall, it's still greyed out and says "for your security, some settings are controlled by group policy"
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, what firewall is it?
     
  31. faceless_doll

    faceless_doll Private E-2

    sorry, the firewall that came with the service pack 2 for windows xp home edition. I tried to turn it on under start -->control panel-->windows firewall.
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ahhh...the Windows firewall isn't good enough for protection so I would personally recommend ZoneAlarm Firewall.

    See this article on How to Protect yourself from malware!
     
  33. faceless_doll

    faceless_doll Private E-2

    Okay cool, so is my computer okay even though it's greyed out and I can't access it?
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Does the account you're logged in under have Admin rights?
     
  35. faceless_doll

    faceless_doll Private E-2

    Yeah, it's my personal computer and no one else uses it
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's probably just the XP firewall acting stupid, I would just install ZoneAlarm and follow the article on How To Protect and you should be ok.

    If you want the XP firewall instead of ZoneAlarm, which I don't recommend, you can post this in the Software Forum and those guys could help you a bit more.
     
  37. faceless_doll

    faceless_doll Private E-2

    okay, well THANK YOU SO MUCH for all of your help!! Have a good holiday season.
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Same to you, hope you have a great holiday season! Stay Safe! :)
     