Mission Statement
WindowsBBS is an online community dedicated to easily accessible technical support for those using Microsoft operating systems and other Windows software.
Our goal is to become the leading resource for computer users who require assistance with their day-to-day computer usage, including full support for networking PCs, virus & malware removal, system upgrades and general support questions.
I've run ad-watch and spybot. Every day a trojan is detected and deleted.
Last time I posted my hijackthis log the administrator locked my note. What am I doing wrong?
Anyway here is my log. What should I delete?
Logfile of HijackThis v1.99.0
Scan saved at 8:40:44 AM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
HijackThis should be downloaded to a folder of its own on the C drive, for example, create a folder C:\HIJACKTHIS and run it from there. Part of the fix is a cleaning out of temp folders, so it can't be in one.
I downloaded hijackthis to its own folder on the c drive
here is a new log
Logfile of HijackThis v1.99.0
Scan saved at 10:47:50 AM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
The red arrow indicates that you're logged on and have posts in the thread. If you hover over it, it also gives you the number of posts that are yours in that thread.
This thread will be moved to the appropriate security section by one of the Mods.
Pipsy - I am fairly good on spyware removal but when I started taking a look at your log, I realized I was way in over my head. You are loaded with bad stuff and some of it is tricky so I was afraid all I would do is make it harder for the pros to find all the stuff that needs dealing with.
I'll flag this thread for some expert attention and you should get instructions within a day or so.
You should print this out and/or save it to text where you can access it in safe mode. It's very important to follow the instructions completely, and in the order given.
Download and install Ad-aware (link in my signature). Open and check for updates. Close for now.
Download CWShredder 2.0 from here. Save it to the desktop. Double click to install.
Go to start>run and type services.msc. Locate Wintools in the list, right click and select properties. Stop the service, then set startup type to disabled, click apply and OK out.
Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.
Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.
Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Log on to your user account.
Open CWShredder from the new shortcut on the desktop, close ALL other windows and click fix.
Open C:\Program Files and delete the folders Admanager Controller, SED and Toolbar.
Open C:\Program Files\Common files and delete the folder WinTools.
Open C:\WINDOWS and delete the files jvxwgpy.exe, lofyz.exe and mmups.exe.
Open C:\WINDOWS\system32 and delete the folders vmss and wsxsvc.
Open C:\Temp if present, select all and delete.
Open C:\Windows\Temp, select all and delete.
Open C:\Windows\Prefetch, select all and delete.
Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
Run Ad-aware in full scan mode. Delete all it finds.
Open LSPFix and place the dolsp.dll in the remove column, check the box I know what I am doing and click finish.
Open RegSeeker. Click find in registry and search the entire registry for WinTools and WTools. Delete all.
Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
Uncheck the /safeboot box in msconfig and ok to reboot.
Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.
Hey, Newt! Thought you said you were calling in an expert??
Who is this "Dave" guy anyway? What does he know about comp security? Last I heard, he was a multi-boot specialist, with every known flavor of Windows...oh, that's right, so he could infect every drive on his comp at once and compare behavior. Newt, I think the guy needs psychiatric help. He asks people to send him infections! He's one guy you should never put on "auto accept"!!
Pipsy, relax, and follow along with Dave. Ask questions if you don't understand something. You are in very good hands.
no Admanager Controller or Toolbar folders
no lofyz.exe in Windows
but found a series of files in Windows all started at the suspicious Jan15 12:16 or 12:17 date:
and when I try to delete Windows/temp it says 'desktop' is a system file and removing it may cause your computer not to work correctly
desktop is in a few of the folders in there
Should I delete them anyway?
Should I delete the other suspicious files?
Pipsi
You can safely remove the desktop.ini files and yes, remove the other files also. Look for folders in Program Files named Internet Optimizer and 180 Solutions and delete if present too.
Ad-aware has 665 quarantined files
Should I delete and how?
System config Utility box opens on reboot
says: on diagnostic or selective start up mode.
options to go back to normal start include going back to previous settings
worried will restore stuff
couldn't run Rav says:
Failed to load ActiveX control!
-- You must have administrative rights on this computer;
you also must have the Internet Explorer security settings to the Medium level.
I have my internet settings on medium level
hijack file:
Logfile of HijackThis v1.99.0
Scan saved at 12:05:55 PM, on 1/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
An entry in the log suggests you have used the startup tab in msconfig to disable some programs. If you know those are OK, leave them, otherwise recheck all entries on the startup tab, reboot and post a new log.
Log looks clean otherwise. If you can get a clean report from an online scan, then do turn system restore back on and create a manual restore point.
Also recommend you open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, click tools button, then IE tweaks and at least lock the HOSTS file.
Then download and install IESpyad.
That will give you some added layers of protection against unwanted parasites.