I was recently infected with a virus which I suspect came from an E-mail. For the last two days I have attempted to find a cure by surfing around and purging my system. Alas, only little lambs eat ivy. The virus seems to rewrite itself on reboot and start flinging ads if I maintain an Internet connection and boot normally.

Previous to infection I was running a hardware firewall on my router but little in the way of security when it came to software. Since, I have updated my Spybot to 1.4 and also maintain the most recent version of Ewido. Spybot was clear on the last safe boot scan but Ewido found some malware which I thought had been taken care of. After quarantining, removing fully, and rebooting to normal I start getting ads and so I come here. I'll attempt to post my HJT log in the next one. Timely help is very much, very much, very much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 4:25:13 PM, on 6/20/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\QWFyb24gTC4gVHVja2Vy\command.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ipconfig.exe
C:\Documents and Settings\Aaron\Application Data\??pPatch\r?ndll.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rqjgw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dmqkipd.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Rces] "C:\PROGRA~1\RACLE~1\dllhost.exe" -vt mt
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Cxvwhnv] C:\DOCUME~1\Aaron\APPLIC~1\PPATCH~1\RNDLL~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{844448B7-0F10-403D-840D-455BE67224E9}: NameServer = 64.105.172.26,64.105.163.106
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\System32\x3cqp0.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\dllhost.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWFyb24gTC4gVHVja2Vy\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

Sorry about all that craziness. I wasn't able to post the Ewido report. This is after running HJT earlier today and about 12 hours idle time. It doesn't seem to throw up so many ads but it looks pretty bad from the reports. . .


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:55:16 AM 6/21/2006

+ Scan result:



C:\WINDOWS\QWFyb24gTC4gVHVja2Vy\__delete_on_reboot__a_s_a_p_p_s_r_v_._d_l_l_ -> Adware.CommAd : No action taken.
C:\WINDOWS\QWFyb24gTC4gVHVja2Vy\__delete_on_reboot__c_o_m_m_a_n_d_._e_x_e_ -> Adware.CommAd : No action taken.
[1128] C:\WINDOWS\QWFyb24gTC4gVHVja2Vy\asappsrv.dll -> Adware.CommAd : No action taken.
[1132] C:\WINDOWS\QWFyb24gTC4gVHVja2Vy\asappsrv.dll -> Adware.CommAd : No action taken.
[1308] C:\WINDOWS\QWFyb24gTC4gVHVja2Vy\asappsrv.dll -> Adware.CommAd : No action taken.
[724] C:\WINDOWS\QWFyb24gTC4gVHVja2Vy\asappsrv.dll -> Adware.CommAd : No action taken.
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\J7MF01LE\mediaview[1].cab/amm06.ocx -> Adware.MediaMotor : No action taken.
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\SPU301IB\876057[1].exe -> Adware.Mirar : No action taken.
C:\WINDOWS\system32\__delete_on_reboot__d_l_l_h_o_s_t_._d_l_l_ -> Adware.PurityScan : No action taken.
HKLM\SOFTWARE\ClickSpring -> Adware.PurityScan : No action taken.
C:\Program Files\oatp\__delete_on_reboot__i_m_s_u_._e_x_e_ -> Downloader.PurityScan.be : No action taken.
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\54I303TR\!update-3895[1].0000 -> Downloader.PurityScan.co : No action taken.
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\J7MF01LE\installer_2512[1].exe -> Downloader.Qoologic.at : No action taken.
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\J7MF01LE\idlemg[1].exe -> Downloader.Small.buy : No action taken.
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D09M0706NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : No action taken.
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\54I303TR\thiselt[1].exe -> Trojan.Popuper : No action taken.
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : No action taken.


::Report end

I'd like to copy and paste the Spybot report along with all this stuff but I don't know how. The scan ran concurrently with Ewido earlier today and found all sorts of little goodies nestled among my system files and registry. They are hailed by such names as "ABetterInternet.Aurora", "Network Monitor", "Smitfraud-C.", "SurfSideKick", "Web-Nexus", and one of my personal favorites (after deleting it from my registry in safe mode and rebooting only to find it back) "Command Service". I can write up the directories by hand if you need me to. Please tell that doesn't have to happen. Please! MAKE IT ALL STOP AAAAAAGH!

As you can tell, this is really freaking me out.

Hey, I almost forgot. Do you need my system specifications??

Hello.
It appears you have not read the pinned topics in this forum:


Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
See:
You and Windows, a joint effort (http://forums.spybot.info/showpost.php?p=25290&postcount=4)

Also:
BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)


If you have waited FOUR days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

This is a busy forum with many people waiting for assistance, sorry for the wait.

Regards. :)

I was really hoping that this wouldn't become an issue. I stopped taking MS updates a while back because it requested that I put the installation CD in the drive; the very same CD the whereabouts of which were lost to me some years ago. They may be in Alaska where I was living a few years ago but I'm about two thousand miles from there right now. I did read and understand several of the stickies heading the forum and I was hoping that a fix wouldn't require me to update my OS. Thanks for your time.

Hi

Is your windows legit ? if not and you cannot update, even if we cleaned it up completly it will most definately JUst get infected again probably within days

I realize that there's a fair chance I could B reinfected in short order and I sincerely hope I'm not wasting your time here. It won't allow me to upgrade unless I have a CD and, as I've explained, I don't have that.

I plan to maintain updated versions of Spybot, Ewido, and AVG from here on out and simply hope that those three layers will keep me safe. The reason I ended UP in this pickle was a complete lack of any software protection.

Run one at a time SpyBot 1.4,ewido then avg while the pc is in safe mode
reboot back to normal afterwards save a new hijackthis log and post that.

And done.


Logfile of HijackThis v1.99.1
Scan saved at 3:26:20 AM, on 6/22/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\DOCUME~1\Aaron\APPLIC~1\PPATCH~1\RNDLL~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rqjgw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dmqkipd.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Rces] "C:\PROGRA~1\RACLE~1\dllhost.exe" -vt mt
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Cxvwhnv] C:\DOCUME~1\Aaron\APPLIC~1\PPATCH~1\RNDLL~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{844448B7-0F10-403D-840D-455BE67224E9}: NameServer = 64.105.172.26,64.105.163.106
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\System32\x3cqp0.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\dllhost.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

Please disable SpybotSD TeaTimer for now
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon and Uncheck the box next to Teatimer.
"resident tea timer"protection of all-over system settings) active"
Close SpyBot.
We will remind you to turn it on later
Start Hijackthis and place a check next to these items If there.
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKCU\..\Run: [Rces] "C:\PROGRA~1\RACLE~1\dllhost.exe" -vt mt
O4 - HKCU\..\Run: [Cxvwhnv] C:\DOCUME~1\Aaron\APPLIC~1\PPATCH~1\RNDLL~1.EXE
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\System32\x3cqp0.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\
====================================
Hit fix checked
scan once again place check next to
O20 - AppInit_DLLs: C:\WINDOWS\System32\dllhost.dll
hit fix check, disregard the error.
Close Hijackthis.

Download and run Look2Me-Destroyer: http://www.atribune.org/content/view/28/

Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your C:\
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
Download qoofix.bat (http://downloads.subratam.org/Lon/qooFix.bat) (rightclick on this link and choose save as)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.

Ewido popped up before I could do the second scan with S&D - it reported that it had found the adware "MediaMotor". I cleaned it and proceeded as directed.

Look2Me-Destroyer did not find anything in its scan but clicking on the second button caused my computer to reboot.

That's what happened. Here's the log:


Logfile of HijackThis v1.99.1
Scan saved at 4:05:02 PM, on 6/22/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{844448B7-0F10-403D-840D-455BE67224E9}: NameServer = 64.105.172.26,64.105.163.106
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/22/2006 3:29:02 PM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

"Restoring SeDebugPrivilege for Administrators - Succeeded"

Thats why i suggested the look2me tool

Any problems now ?
What happens exactly step by step when you visit windows update ?
If its not an authentication problem we might be able to help

Isn't this where U remind me to turn S&D Resident back on??

I went to the Windows Update site and after loading for like five years it asked me to validate the software by clicking on a button. Doing that, it said, "You have encountered an unknown error. Please contact your local product support team for further assistance with this issue." HOW CAN I FIND MY LOCAL PRODUCT SUPPORT TEAM?!?! AAAAAGH!



So, am I clean for the moment??

Hi

Yes you should turn SpyBots Tea Timer back on,

Lets try to solve this update problem
Try the diagnostics tool mentioned here
http://forums.microsoft.com/Genuine/ShowPost.aspx?PostID=485803&SiteID=25
write down any error codes you see
also >
http://www.microsoft.com/genuine/diag/

I activated the S&D Resident and it immediately tells me about a "System Startup user entry". Change: "Value deleted". Entry: "Rces". Old data: "'C:\PROGRA`1\RACLE`1\dllhost.exe' -vt mt". WHAT'S TO B DONE?!

S&D presents this box to me but the bottom option - "Remember this decision?" - obscures what my choices actually R. My system doesn't seem to B feeding me ads any more but I don't know what will happen if I should choose the left or right button or even the upper-right 1 ("X")!!!

Ok do this please

Turn off Tea Timer (right-click its icon in the tray area near the windows clock and choose exit)
If it is not in the tray area open SpyBot > mode > Advanced > tools >
resident page and uncheck Tea Timer
Close SpyBot if open.
Download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
To your desktop, run ResetTeaTimer.bat.
Since it will not be needed again delete ResetTeaTimer.bat.
Turn Tea timer back on again via SpyBots tools resident page.

I need to take care of this box before I can do that stuff.

When I started using my computer today to check the news, it brought up Look2Me-Destroyer without action on my part and when I opened the task manager it was displayed as a system task. Is that usual??

I closed the S&D Resident window about "Rces" and then it threw up another 1. Category: "System Startup user entry". Change: "Value deleted". Entry: "Cxvwhnv". Old data: "C:\DOCUME`1\Aaron\APPLIC`1\PPATCH`1\RNDLL`1.EXE". Again, my choices R obscured by "Remember this decision?" What's supposed to happen?? I find the black and white lists for Resident to B very confusing!

I closed the S&D Resident window about "Rces" and then it threw up another 1. Category: "System Startup user entry". Change: "Value deleted". Entry: "Cxvwhnv". Old data: "C:\DOCUME`1\Aaron\APPLIC`1\PPATCH`1\RNDLL`1.EXE". Again, my choices R obscured by "Remember this decision?" What's supposed to happen?? I find the black and white lists for Resident to B very confusing!

My connect burped when I sent the 1st 1 and I wasn't sure if it made it. . .

Please fallow my last instructions
Tell me how that went and post a new hiajckthis log

It automatically denied the other Resident deal. I reset TeaTimer. Here R the goods:


Logfile of HijackThis v1.99.1
Scan saved at 4:21:07 PM, on 6/23/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Rces] "C:\PROGRA~1\RACLE~1\dllhost.exe" -vt mt
O4 - HKCU\..\Run: [Cxvwhnv] C:\DOCUME~1\Aaron\APPLIC~1\PPATCH~1\RNDLL~1.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} -
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{844448B7-0F10-403D-840D-455BE67224E9}: NameServer = 64.105.172.26,64.105.163.106
O20 - Winlogon Notify: Run - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

OK do this in the order written

Turn Off Tea timer

Start Hijackthis and place a check next to these items If there.
O4 - HKCU\..\Run: [Cxvwhnv] C:\DOCUME~1\Aaron\APPLIC~1\PPATCH~1\RNDLL~1.EXE
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} -
O20 - Winlogon Notify: Run - C:\WINDOWS\
====================================
Hit fix checked and close Hijackthis.

Run resetteatimer.bat then turn Tea timer back on.
In the furture do not tick the box remember this desision
There are several fix's mentioned in this thread for tea timers gui problem
http://forums.spybot.info/showthread.php?t=122

I followed your instructions. When I ran ResetTeaTimer.bat it threw up a DOS window and then quickly closed it. It looked like there were about five lines of text saying that it couldn't find various files but it went by 2 quickly to B sure. I clicked the .bat many more times in order to get a better look at that text but it's a little 2 quick for me. I'm going to reboot and run another HJT log for the next post.

Logfile of HijackThis v1.99.1
Scan saved at 5:04:47 PM, on 6/23/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Rces] "C:\PROGRA~1\RACLE~1\dllhost.exe" -vt mt
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{844448B7-0F10-403D-840D-455BE67224E9}: NameServer = 64.105.172.26,64.105.163.106
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

Post 17
http://forums.spybot.info/showpost.php?p=30205&postcount=17

The diagnostic tool had a lot of mumbo-jumbo for me. It also tried to change my registry (which I denied) before bringing up the diagnostic window. "Blocked VLK" showed up in red on the first line and there were many other letters and numbers under a handful of tabs which I could relate to U if U'd like.

If your not willing to try troubleshooting windows update we are finished.

good luck

I've been doing the things that U ask me to! My last post was to report what happened. What am I supposed to do??

Try the diagnostics tool mentioned here
http://forums.microsoft.com/Genuine/ShowPost.aspx?PostID=485803&SiteID=25 (http://forums.microsoft.com/Genuine/ShowPost.aspx?PostID=485803&SiteID=25)
write down any error codes you see

dirrect download link http://go.microsoft.com/fwlink/?linkid=52012

I ran the diagnostic tool. I explored both of your links and nothing that Liu said seemed applicable to me. As I said before, the first line of MGADiag.exe ("Genuine Validation Status") reads "Blocked VLK" in red text. Further down, "Download Center code" says "Expired Code." WGA Version = Registered, 1.5.530.0. Signature Type = Microsoft.

I'm happy to relate to U any other relevant information found by running MGADiag.exe but U have to B specific. U may have picked up from my speech patterns, grammar, and spelling that I have some degree of intelligence. I'm not that savvy when it comes to computers. It's important that U R specific in your instructions to me; that way, there is less time wasted in this back-and-forth banter.

We learn through repetition. Specificity is key.

I'm not that savvy when it comes to computers.

I suggest you take that computer to a repair shop and then get Windows updated and patched.

Good luck. :)

Thanks a lot for helping clean my computer. The pop-ups have stopped and it's only every few days that 1 of my progs finds a new bit of ware to obliterate. I learned quite a lot about viruses and proper security and most of it is thanks to your direction both in this thread and others. Here's my personal log:

:confused: :mad: :confused: :( :confused: :sick: :blush: ;) :bigthumb: :)

Have a good 1.

Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.