PLS HELP! The Spyware Infection Warning Doesn't Wanna Go Away Frm My D-top Background

Discussion in 'Malware Help (A Specialist Will Reply)' started by geek33, Apr 11, 2005.

  1. geek33

    geek33 Private E-2

    I had a lot of spyware infections a while ago, and before realizing about this, I was warned by a banner that filled and hacked my desktop background that says "Your system is infected by spywares, it could damage your system, bla bla bla......".
    Then I did a big maintenance for this, cleaning up and everything. So everything is back to normal again now. But the problem is that "banner, saying your system is infected with spyware, etc", is still showing up as my desktop background. I have tried to get rid of it by changing my display setting, but it still won't go away. If anyone knows how to get rid of this so I could bring my desktop background to whatever it was originally again, I'd greatly appreciate it!
    Thanks so much before!

    Jer-
    anderson_xl@yahoo.com
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I have been dealing with this problem a LOT lately.


    • Download HijackThis 1.99.1

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    • Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    • Run HijackThis and save your log file.

    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    • Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. geek33

    geek33 Private E-2

    Hi Garrick,
    Thanx so much for your help, I really appreciated it.
    And here I enclose the attachment for my log file as the scan result as u told me.

    Hopefully, we can solve this problem even further, Thanks again n' I'll ttyl again soon.

    Jer
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The first thing I notice is that your Operating System is WAY outdated. After we get your system clean you need to surf in to Windows Updates and get updated. To prevent future problems you need to install Service Pack 2.

    First:
    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Second:
    Please look in Add or Remove Programs for the following and Uninstall them if found:

    SuperBar

    Invisible Browsing



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    acftp.exe

    tskmgr32.exe
    (Not to be confused with taskmgr.exe)

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat
    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\cvsrc.dat

    O3 - Toolbar: SuperBar - {92AB84BA-6674-47E0-A36D-039FA7FE5FF4} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)
    O3 - Toolbar: (no name) - {07531599-F255-4050-B96E-ECE5AA2E63A5} - (no file)

    O4 - HKLM\..\Run: [TaskMgr] C:\PROGRA~1\INTERN~1\tskmgr32.exe
    O4 - HKLM\..\Run: [Sound Drive] C:\WINNT\SYSTEM32\Explorer5.vbs
    O4 - HKLM\..\Run: [odbccom] C:\WINNT\Drivers\BIOS\odbccom.exe
    O4 - HKLM\..\Run: [nkhyv] C:\WINNT\nkhyv.exe
    O4 - HKLM\..\Run: [*odbccom] C:\WINNT\Drivers\BIOS\odbccom.exe
    O4 - HKLM\..\Run: [*vbrun] C:\WINNT\addins\vbrun.exe
    O4 - HKLM\..\Run: [*utilw] C:\WINNT\AppPatch\utilw.exe
    O4 - HKLM\..\Run: [InvisibleBrowsing] C:\Program Files\Invisible Browsing\InvisibleBrowsing.exe
    O4 - HKLM\..\Run: [*adsvc] C:\WINNT\Registration\adsvc.exe
    O4 - HKLM\..\Run: [*infotask] C:\WINNT\Config\infotask.exe
    O4 - HKLM\..\Run: [*wtcp] C:\WINNT\Fonts\wtcp.exe
    O4 - HKLM\..\Run: [*taskabr] C:\WINNT\addins\taskabr.exe
    O4 - HKLM\..\Run: [*inetwms] C:\WINNT\Tasks\inetwms.exe
    O4 - HKLM\..\Run: [*vssav] C:\WINNT\Cursors\vssav.exe
    O4 - HKLM\..\RunOnce: [*acftp] C:\WINNT\inf\acftp.exe rerun
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [ALCHEM.EXE] C:\WINNT\TEMPORARY\ALCHEM.EXE
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

    O9 - Extra button: Microsoft AntiSpyware helper - {246D2212-67B3-4C43-AF7D-7E254E35B695} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {246D2212-67B3-4C43-AF7D-7E254E35B695} - (no file) (HKCU)

    O20 - Winlogon Notify: acftp - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Download Pocket KillBox

    Now, Copy and Paste C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\cvsrc.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\PROGRA~1\INTERN~1\tskmgr32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\SuperBar ←–– Delete this whole folder if it exists!

    C:\Program Files\Invisible Browsing ←–– Delete this whole folder if it exists!

    C:\WINNT\inf\acftp.exe

    C:\WINNT\SYSTEM32\Explorer5.vbs

    C:\WINNT\Drivers\BIOS\odbccom.exe

    C:\WINNT\nkhyv.exe

    C:\WINNT\Drivers\BIOS\odbccom.exe

    C:\WINNT\addins\vbrun.exe

    C:\WINNT\AppPatch\utilw.exe

    C:\WINNT\Registration\adsvc.exe

    C:\WINNT\Config\infotask.exe

    C:\WINNT\Fonts\wtcp.exe

    C:\WINNT\addins\taskabr.exe

    C:\WINNT\Tasks\inetwms.exe

    C:\WINNT\Cursors\vssav.exe

    C:\WINNT\inf\acftp.exe

    C:\WINNT\System32\spoolsrv32.exe

    C:\WINNT\TEMPORARY\ALCHEM.EXE

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    NEXT:
    Please run these online virus scans:

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    LAST STEP:
    Scan with HijackThis and attach the new log. Also, let me know exactly what problems you still have so I will know what to post next.
     
  5. geek33

    geek33 Private E-2

    Aite,
    Did all of that, but it still hasn't changed anything yet.
    ps: i include the attachment of the last log as u asked.

    Thanx for your help...... and still looking forward to solve this completely =)
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you download and run HOSTER as I requested?
     
  7. PhilliePhan

    PhilliePhan Guest

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Thanks PP! I noticed this last night when someone couldn't download it. Thanks for the new link.
     
  9. geek33

    geek33 Private E-2

    Yup, has just done it just now cuz it wouldn't download. Thanx to PP!
    Then, what else should i do?
     
  10. geek33

    geek33 Private E-2

    Ooh, sorry almost forgot to provide you with the latest log again, if it's still necessary. Thanx!
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you run HOSTER? Those entries are not going away. Run HOSTER again and select Restore Original Host. Then click make Host file Read-Only.

    Then post a fresh HJT log.
     
  12. geek33

    geek33 Private E-2

    Hi,
    Now here it is:
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    acftp.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat

    O4 - HKLM\..\RunOnce: [*acftp] C:\WINNT\inf\acftp.exe rerun

    O20 - Winlogon Notify: acftp - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\inf\acftp.exe

    C:\Documents and Settings\SONYVA~1\Local Settings\Temp ←–– Delete everything in this folder!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  14. geek33

    geek33 Private E-2

    Hi there,
    I had got to this step:

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\inf\acftp.exe

    C:\Documents and Settings\SONYVA~1\Local Settings\Temp ←–– Delete everything in this folder!

    But the problem was that for some reason these files could not be deleted. When I tried to delete them, it gave me an error pop-up window saying the file is being used by another person or program, which didn't make sense to me, because when I opened the Task Manager these files weren't even there, so what's up with them being used or running??
    Or maybe there are some other ways to find out whether they're really running/being used or not, besides checking from the Windows Task Manager, aren't there?? Please let me know if you know other ways to end the running processes of these files besides via the Task Manager, so that I could continue with the deleting process, then continue with the rest of the instructions.
    Thanks!

    sincerely,
    Jer
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just proceed and we will see what remains in the new log.
     
  16. geek33

    geek33 Private E-2

    Hi again,

    Ok then, so below is an attachment for the freshest log.

    And, I have not encountered any problems so far yet since I've followed your instructions from the beginning, and things have also been running great since then, except for the One Problem that's still bothering me: That white warning Banner is still sticking good in my desktop background, and it hasn't seemed to go off.

    I'll still be looking forward to get further instructions on how to get rid of this thingy.

    Thanks very much for your help and the progress we've made so far, and I'll talk to u again soon. :)

    Jer-
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the viewing of hidden files and folders enabled per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat

    O4 - HKLM\..\RunOnce: [*acftp] C:\WINNT\inf\acftp.exe rerun

    O20 - Winlogon Notify: acftp - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINNT\inf\acftp.exe

    NEXT:
    Run CCleaner
    (Do NOT skip this step)

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
  18. geek33

    geek33 Private E-2

    Hi there,
    Okay, below's the freshest log.
    That acftp.exe file still would not delete though, and still with the same problem as when I tried before, that it kept saying the file is used by another person or program after I click delete. I hope you know what the problem is that's preventing it from being deleted.

    Thanks again, and I'll catch you again later!
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not notice anywhere in this thread anyone mentioning the fact that you have a Trojan Vundo problem. Try the new removal tool (we may need the old tool but let's try the new one first):

    Trojan.Vundo.B Removal Tool
     
  20. geek33

    geek33 Private E-2

    Nope, just scanned it with that tool you provided, and no vundo was found.
    I'm pretty sure my computer is quite clean now, only that banner still won't go off.

    And below's the freshest log again.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you are not clean! You still have a Trojan Vundo problem. The below lines all indicate the Vundo Trojan:
    O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat
    O4 - HKLM\..\RunOnce: [*acftp] C:\WINNT\inf\acftp.exe rerun
    O20 - Winlogon Notify: acftp - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat



    Try running the old version of the tool: Symantec Trojan.Vundo Removal Tool

    If that does not work, BJ will have to work with you on manual removal steps.
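    The three entries chaslang points at share traits a reviewer can check mechanically: an in-process BHO loaded from a Temp folder with a .dat extension, a RunOnce value whose name starts with "*", and a Winlogon Notify handler that lives outside system32 (Notify handlers are loaded into winlogon.exe itself, which is why the file cannot be deleted while Windows is running). The Python script below is an added example, not code from this thread, from HijackThis or from any tool mentioned here. It parses O2/O3/O4/O20 lines, using entries quoted earlier in this thread as sample input plus one constructed benign ctfmon.exe line as a control, and reports why each entry looks suspicious. The folder list and reason wording are the example's own heuristics, not HijackThis output.

```python
import re

# Constructed sample: HijackThis entries quoted in this thread, plus one
# benign control line (ctfmon.exe, constructed) that must not be flagged.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat",
    r"O3 - Toolbar: SuperBar - {92AB84BA-6674-47E0-A36D-039FA7FE5FF4} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)",
    r"O4 - HKLM\..\Run: [*wtcp] C:\WINNT\Fonts\wtcp.exe",
    r"O4 - HKLM\..\Run: [Sound Drive] C:\WINNT\SYSTEM32\Explorer5.vbs",
    r"O4 - HKLM\..\RunOnce: [*acftp] C:\WINNT\inf\acftp.exe rerun",
    r"O20 - Winlogon Notify: acftp - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe",
]

# Line shapes of the four HijackThis sections this example understands.
RE_O4 = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RE_OBJ = re.compile(r"^O(?P<sec>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - \{[^}]*\} - (?P<path>.+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# Splits "C:\WINNT\inf\acftp.exe rerun" into the image path and its arguments.
RE_IMAGE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|vbs|dat|com|bat|scr))(?:\s+(?P<args>.*))?$", re.I)

RE_TEMP = re.compile(r"\\(temp|temporary)\\", re.I)
# Windows subfolders that hold no programs on a normal install (heuristic list
# drawn from the paths in this thread's log; extend it for your own baseline).
RE_ODD_WINDIR = re.compile(
    r"^[a-z]:\\(winnt|windows)\\(fonts|cursors|tasks|inf|addins|apppatch|config|registration|drivers\\bios)\\",
    re.I,
)
RE_SYSTEM32 = re.compile(r"\\system32\\", re.I)

REASONS = {
    "ORPHAN": "registry entry points at a file that no longer exists",
    "TEMP_DIR": "component lives in a temp folder",
    "NON_DLL_EXT": "in-process component with a non-DLL extension",
    "STAR_PREFIX": "value name starts with '*' (the RunOnce prefix that requests execution even in Safe Mode)",
    "ODD_WINDIR": "executable parked in a Windows subfolder that normally holds no programs",
    "SCRIPT": "logon entry launches a script rather than a program",
    "NOTIFY_OUTSIDE_SYSTEM32": "Winlogon Notify handler loaded from outside system32 (it runs inside winlogon.exe)",
    "MATCHES_NOTIFY_NAME": "shares its name with a Winlogon Notify handler in the same log",
}


def _split_image(cmd):
    """Split an O4 command line into (image path, arguments); arguments may be ''."""
    m = RE_IMAGE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m.group("path"), (m.group("args") or "")


def triage(lines):
    """Return {line: tuple of reason codes} for every O2/O3/O4/O20 line parsed."""
    notify_names = {m.group("name").lower() for m in map(RE_O20.match, lines) if m}
    result = {}
    for line in lines:
        codes = []
        if (m := RE_O4.match(line)):
            path, _args = _split_image(m.group("cmd"))
            name = m.group("name")
            if name.startswith("*"):
                codes.append("STAR_PREFIX")
            if RE_TEMP.search(path):
                codes.append("TEMP_DIR")
            if RE_ODD_WINDIR.match(path):
                codes.append("ODD_WINDIR")
            if path.lower().endswith((".vbs", ".bat")):
                codes.append("SCRIPT")
            if name.lstrip("*!").lower() in notify_names:
                codes.append("MATCHES_NOTIFY_NAME")
        elif (m := RE_OBJ.match(line)):
            path = m.group("path")
            if path.endswith(("(no file)", "(file missing)")):
                codes.append("ORPHAN")
            else:
                if RE_TEMP.search(path):
                    codes.append("TEMP_DIR")
                if not path.lower().endswith(".dll"):
                    codes.append("NON_DLL_EXT")
        elif (m := RE_O20.match(line)):
            path = m.group("path")
            if not RE_SYSTEM32.search(path):
                codes.append("NOTIFY_OUTSIDE_SYSTEM32")
            if RE_TEMP.search(path):
                codes.append("TEMP_DIR")
        else:
            continue  # other HJT sections are outside this example's scope
        result[line] = tuple(codes)
    return result


def suspicious(lines):
    """Only the lines that earned at least one reason, with readable explanations."""
    return {line: [REASONS[c] for c in codes] for line, codes in triage(lines).items() if codes}


if __name__ == "__main__":
    for line, why in suspicious(SAMPLE_HJT_LINES).items():
        print(line)
        for w in why:
            print("    -", w)
```

    Note that the RunOnce entry and the Winlogon Notify entry are tied together by the shared name acftp; that correlation is what tells a reviewer the two lines belong to one persistence mechanism rather than two unrelated leftovers.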
     
  22. geek33

    geek33 Private E-2

    Yea, I've been trying to delete that acftp.exe file from my hard drive, but for some reason it won't delete, because this file will always be running as long as my computer is on, so I still cannot figure out how to delete it.
    I knew if that was the source of that banner virus.
    And you're probably right, that I might have to do some manual removal for this.

    But yes, I'll try using that older version of symantec first, then I'll post another fresh log on the next reply.
    Thank you!
     
  23. geek33

    geek33 Private E-2

    Hi,
    Sorry, but that older version still did not help either.
    I guess I needed to just do it manually. So then I tried with the KillBox, then proceeded with HijackThis, but still.... those files wouldn't go away.
    So, I guess I'll be waiting for your or BJ's other way/solution on how to remove and destroy these viruses manually then.

    Thanks much!
     
  24. geek33

    geek33 Private E-2

    Hi,
    I've just been waiting for the further help/s, that's all.
    Thanks!
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have you run BOTH Vundo Removal tools in Safe Mode?
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First download: - ProcessExplorer for Win NT/2K/XP

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ptfca.dat & acftp.exe once and then click the kill button. After you have killed all of the ptfca.dat & acftp.exe instances under winlogon click ok.

    Next double click on explorer.exe and again click once on each instance of ptfca.dat & acftp.exe then click the kill button. Once you have done that click ok again.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat

    O4 - HKLM\..\RunOnce: [*acftp] C:\WINNT\inf\acftp.exe rerun

    O20 - Winlogon Notify: acftp - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat


    Copy the bold text below to notepad. Save it as fix1.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.
    In Killbox - put a check next to "Delete on Reboot"
    Copy & paste the following line in bold into the "Full Path of File To Delete" box:

    C:\WINNT\inf\acftp.exe
    (Click NO when it prompts to reboot, you will reboot after the next one)

    C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat

    Then click the red button with the X and allow Killbox to reboot then post a new HijackThis log.
     
  27. geek33

    geek33 Private E-2

    Yes I have. And no trojan vundo was found.
     
  28. geek33

    geek33 Private E-2

    Hi BJ,
    Did all of these, but still the same thing. That banner still running on my desktop. I don't know what else I can do besides rehabilitating everything from the start again by installing the recovery xp program from the xp recovery cd which I don't have anymore.
    So I hope you can still find a way to solve this problem without having to involve the xp recovery cd.

    I also attach the newest log below, hope you see any progress on it.


     

    Attached Files:

  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    geek33,

    Go thru post 26 again and follow every step word for word. You must do everything as is for this to work.
     
  30. geek33

    geek33 Private E-2

    Yes, I did it every step and word for word. Please tell me what I've missed if u think I did miss some thing/s. But really.... I did it every single step as directed there.
     
  31. geek33

    geek33 Private E-2

    and another thing,
    After I did that, now every time I open my desktop quick launch, a small window keeps showing up (it's a window that says: "Backup Utility"); it was never shown before until after I did all of that (# 26). Could you help me getting rid of this window thingy?
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a current HJT log and we will go from there with a new fix.
     
  33. geek33

    geek33 Private E-2

    Aite, here it is:
     

    Attached Files:

  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First download: - ProcessExplorer for Win NT/2K/XP

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ptfca.dat once and then click the kill button. After you have killed all of the ptfca.dat's under winlogon click ok.

    Next double click on explorer.exe and again click once on each instance of ptfca.dat then click the kill button. Once you have done that click ok again.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat
    O20 - Winlogon Notify: acftp - C:\WINNT\TEMP\ptfca.dat

    Copy the bold text below to notepad. Save it as fix.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.
    In Killbox - put a check next to "Delete on Reboot"
    Copy & paste the following line in bold into the "Full Path of File To Delete" box:

    C:\WINNT\TEMP\ptfca.dat

    Then click the red button with the X and allow Killbox to reboot your computer.

    During the reboot, BOOT INTO SAFE MODE!

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\RunOnce: [*acftp] C:\WINNT\inf\acftp.exe rerun

    Make sure All Browser Windows are Closed when you Click FIX.

    Locate PocketKillbox

    Now, Copy and Paste C:\WINNT\inf\acftp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now allow Killbox to reboot your computer, after you have rebooted this time attach a fresh HJT log.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    Virtumundo can sometimes hide some other files that may not even show in a HJT log. Have the user look to see if any of the below exist. I would not delete them but rather rename them to start (just to be safe). The ones I colored in red are frequently found.

    bkinst.exe
    hostx.exe
    acxml.exe
    asras.exe
    avmsvc.exe
    cabmfc.exe
    dvdcat.exe
    hardcab.exe
    keybas.exe
    keyiis.exe
    oledisk.exe
    pctcp.exe
    srvwin.exe
    svcsys.exe
    tapinet.exe
    vbcab.exe

    One other note! Registry keys with MSEvents.MSEvents do not relate to this form of Virtumundo. You need to be looking for items like the below:
    Quoted from: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42097
     
    Last edited: May 21, 2005
  36. geek33

    geek33 Private E-2

    Yo BJ,
    Okay, I did all of the directions on the post #34, except.....
    When I got to this part:
    " Locate PocketKillbox

    Now, Copy and Paste C:\WINNT\inf\acftp.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now allow Killbox to reboot your computer "

    The Killbox did not reboot for me because it gave me an error pop up saying:

    "Pending File Rename Operations, Registry Data has been Removed by External Process!"

    So then I had to reboot it by myself.

    Do you think that must've affected the killing result??

    And below is the freshest HJT log:
     

    Attached Files:

  37. PhilliePhan

    PhilliePhan Guest

    Hi Geek33,

    I'm going to add a suggestion (if Chas and BJ don't mind ;) - I've had some success removing this baddie).

    You'll need to follow these steps thoroughly and carefully. You might even have to try them a couple of times . . . .



    And, off we go:

    Look in this folder C:\WINNT\inf for all occurrences of acftp and ptfca (.ini, .exe, .dat, .bak, etc...) and delete what you can.

    You should also run a search of your machine for acftp and ptfca and see where else they may be hiding out (Prefetch folder, etc...) and try to remove them. May as well delete ALL items in the Prefetch Folder.


    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixmundo.reg


    REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acftp]




    Leave it for now.


    NEXT:
    Make sure you are completely disconnected from the Internet.

    Then, run CCleaner.


    NOW:
    DoubleClick on the fixmundo.reg file you made and follow the prompts to allow it to merge the registry entries into the registry.



    NOW:
    Please boot to Safe Mode.

    THEN:
    Open a command prompt by clicking Start, Run, and enter cmd and click OK.
    Please enter the following lines in the command prompt window and follow each with the enter key (at any prompts you get just answer yes! Make sure you enter the commands correctly, don't miss the spaces):

    cacls C:\WINNT\inf\acftp.exe /g Everyone:f
    cd C:\WINNT\inf
    attrib -r -h -s acftp.exe
    del acftp.exe
    exit


    NEXT:
    Empty your Recycle Bin


    THEN:
    Scan with HijackThis and fix the following lines:

    O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat
    O4 - HKLM\..\RunOnce: [*acftp] C:\WINNT\inf\acftp.exe rerun
    O20 - Winlogon Notify: acftp - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat


    FINALLY:
    Reboot to normal windows and tell me how you fared. If you received any error messages along the way, let me (or BJ & Chas) know! As I mentioned, you may have to try this process a couple of times. Always be sure to do a thorough and complete search for all components of this baddie at the beginning of the steps!

    Best luck :)
    PP
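    The fixmundo.reg above relies on one feature of the .reg file syntax: a section header written as [-KEY] deletes that key when the file is merged, which here removes the Winlogon\Notify\acftp key that loads ptfca.dat into winlogon.exe at every logon. Because a merge is silent and irreversible, it is worth listing what a .reg file will do before double-clicking it. The Python parser below is an added example, not code from this thread or from any tool it mentions; it is not limited to the page's single deletion and also handles value creation, value deletion ("name"=-) and the default value (@=). The sample text is PhilliePhan's fixmundo.reg extended with a constructed RunOnce section so those forms are exercised; multi-line hex(...) values with backslash continuations are out of scope.

```python
import re

# Constructed sample: the fixmundo.reg from this thread, extended with a
# constructed second section (RunOnce key, value removal, default value).
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acftp]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*acftp"=-
"Example"="C:\\Example\\example.exe"
@=dword:00000001
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# [KEY] creates/opens a key; [-KEY] deletes it and everything beneath it.
RE_KEY = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
# "name"=data sets a value, "name"=- deletes it, @=data sets the default value.
RE_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Return the actions a .reg file performs as (action, key, value_name, data) tuples."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT header")
    actions, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):   # blank lines and comments
            continue
        if (m := RE_KEY.match(line)):
            current = m.group("key")
            kind = "delete_key" if m.group("minus") else "create_key"
            actions.append((kind, current, None, None))
            continue
        m = RE_VALUE.match(line)
        if not m or current is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        name = "" if m.group("default") else m.group("name")
        data = m.group("data")
        if data == "-":
            actions.append(("delete_value", current, name, None))
        else:
            actions.append(("set_value", current, name, data))
    return actions


def deletions(text):
    """Just the removals a merge would perform, as 'KEY' or 'KEY\\name' strings."""
    out = []
    for action, key, name, _data in parse_reg(text):
        if action == "delete_key":
            out.append(key)
        elif action == "delete_value":
            out.append(key + "\\" + name)
    return out


def describe(text):
    """One readable line per action, deletions marked so they stand out in review."""
    labels = {"delete_key": "DELETE KEY  ", "delete_value": "DELETE VALUE",
              "create_key": "key         ", "set_value": "set         "}
    rows = []
    for action, key, name, data in parse_reg(text):
        target = key if name is None else key + "\\" + (name or "(Default)")
        rows.append(f"{labels[action]} {target}" + (f" = {data}" if data is not None else ""))
    return rows


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_REG)))
```

    Run against the real fixmundo.reg, describe() prints exactly one line, the deletion of the Notify\acftp key, which is what you want to confirm before merging a file someone else wrote.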
     
  38. geek33

    geek33 Private E-2

    Hi fillie fan,
    Much thanks for your effort to help!
    I did as you direct, though I faced some problems in the process:
    - only 2 or 3 .exe and .bak files were deleted
    - when I got to the command page, this is what the result looked like:

    Microsoft Windows XP [Version 5.1.2600]
    <C> Copyright 1985-2001 Microsoft Corp.

    C:\>cacls C:\WINNT\inf\acftp.exe /g Everyone:f
    Are you sure <Y/N>?y
    processed file: C:\WINNT\inf\acftp.exe

    C:\>cd C:\WINNT\inf

    C:\WINNT\inf>attrib -r -h -s acftp.exe

    C:\WINNT\inf>del acftp.exe
    C:\WINNT\inf\acftp.exe
    The process cannot access the file because it is being used by another process.

    C:\WINNT\inf>

    So, I suppose the command did not succeed in deleting that acftp file completely, did it?

    I had no idea why it kept saying it's being used though. It also says that every time I try deleting it manually.

    Thanks for your help, and maybe there's still something you can think of =), while BJ and Chaslang still thinking about some other possible way/s as well.

    And here's the freshest log:
     

    Attached Files:

  39. PhilliePhan

    PhilliePhan Guest

    -- Were you able to do the fixvundo registry merge successfully?

    -- Did you do the commands in Safe Mode?

    I have had success with this procedure in the past, but a lot is tied to you finding all the backups, etc. . . on your machine. Did you try the procedure a couple of times?

    I am not around this forum too much these days, but perhaps Chaslang or BJ can expand upon the steps I posted . . . .

    Best luck to you!

    PP :)
     
  40. geek33

    geek33 Private E-2

    Hi,

    Yes, the Fixvundo merged successfully.
    And I did it a couple of times and in the safe mode as well.

    Can you tell what's still infecting my system by looking at that log file?
     
