#1 - 07-10-2005 - ladygreenwitch (HR Director, Bay Area California)
[Resolved]HijackThis cannot permanently delete unidentified BHOs and DPF files

Hi,
I have been trying to fix a host of problems on my computer for weeks. I figured out that there was some kind of Malware/Spyware/Hijacker causing all kinds of problems, so I used AdAware SE, Spybot S&D, and HijackThis, but a lot of the problems persisted. So I got Adware Spy and Spyware Doctor, which showed a whole lot more infections; as I was running the unregistered version of each of these they would not "clean" the files, so I manually deleted them, only to discover that Adware Spy is a notorious rogue which returns false positives in an attempt to scare people into buying the product. It appears that I removed only part of a malware infection because I am left with two problems.

1. HijackThis and Spybot show two unidentified BHOs and a slew of unidentified Active X (DPF files) which cannot be deleted in Spybot, and when I delete them in HijackThis they come right back, even without rebooting.

and

2. Every time I reboot my computer I lose internet connectivity. The computer redirects the startpage to http://www.microsoft.com/isapi/redir...r=6&ar=msnhome, which should be a legitimate site but returns with a "Page could not be found" error. The network connections show that an IP has been assigned, but it won't work. To fix it I have to run WinsockxpFix, which releases the IP, and then I get a pop up which takes me to the LAC status, where I have to run the repair, then NOT restart as WinsockxpFix wants. Then I get connection again. VERY FRUSTRATING

Any help would be appreciated. I found HijackThis.de and ran the analysis; it coincided with the same files I have been trying to delete. So I am including the analysis file as an attachment. Thanks ahead of time.

Teresa


#2 - 07-10-2005 - joe5 (Elite Member, Netherlands)
Re: HijackThis cannot permanently delete unidentified BHOs and DPF files

Hi there Teresa.

Have you also tried to scan and remove in safe mode? Restart your comp, hit F8 when booting up and select safe mode (without networking).
Disable system restore (if you use it) and delete the old restore points, then delete all your temp files and the content of the windows/prefetch folder.
Then scan your comp with all the apps you have and fix all the bad stuff again, then reboot and scan your comp with some AV; see a link for free online scans below, and also have a look at the "tools" link and see if there is something there you haven't tried yet.

After that can you post a new "full" hijackthis log?


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#3 - 07-11-2005 - ladygreenwitch (HR Director, Bay Area California)
Re: HijackThis cannot permanently delete unidentified BHOs and DPF files

Hi,

Thanks for the ideas. I had tried scanning in safe mode to no avail, but I had not tried deleting the prefetch files and disabling System Restore (it never works anyway); unfortunately, that didn't help either. I still have the exact same problem. However, HijackThis did find a couple of things that were different in Safe Mode. I am going to try to attach both the safe mode version and the version after reboot. If the system won't take two at a time, I will reply again with the reboot report (71105 4)

Thank you so much for trying to help me.

Sincerely,

Teresa


#4 - 07-11-2005 - ladygreenwitch (HR Director, Bay Area California)
Re: HijackThis cannot permanently delete unidentified BHOs and DPF files

Hi,

Well, I found out two things: first, the system will not take two files, and second, the second file replaces the first. So here is the HijackThis log from Safe Mode (71105 3)

T.


#5 - 07-11-2005 - joe5 (Elite Member, Netherlands)
Re: HijackThis cannot permanently delete unidentified BHOs and DPF files

The only prob seems to be a lot of "obsolete" entries, nothing that points to a real prob, but still there is something strange going on...


First scan and fix in normal mode and fix these:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\Conversions Plus\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
And all the O16 can be fixed EXCEPT these: KEEP these and fix all the rest:

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co.../client/wuweb_ site.cab?1117758433813
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

Then boot in safe mode and clean up everything (temp/prefetch etc.) again and run HijackThis again and see which entries from the list above are still there and fix them again.


Then see if you can find this entry in HijackThis and fix it, and then go to your system32 folder and remove, don't delete, "tscupgrd.exe" and paste it to a temp folder on your desktop:

O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

Then reboot and see if they stay gone.



PS: you know that there is a VPN client running on your comp?

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

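The triage joe5 does by hand on the log above can be written down as a small rule set. The script below is an added example for this page; it is not code from the thread and not part of HijackThis. It parses the entry formats joe5 quotes (O2 BHO, O16 DPF, O4 RunOnce, O23 Service, R3) and encodes the reasoning behind his verdicts: an O2 BHO whose path reads "(no file)" is an orphaned registry entry with no DLL behind it, an O23 service with "(file missing)" likewise, an O16 DPF entry is an ActiveX control fetched from the listed .cab URL so the host is what decides, and an O4 RunOnce value runs at the next logon and then removes itself, which is one reason such an entry can show up in one scan and not the next. The trusted-host list is derived from his KEEP list and is an assumption of this example, not a general allowlist. The sample log is constructed: the lines with the all-ones and all-zeros CLSIDs, the "Example Helper" path and the example.invalid host are made up for the demonstration, the rest are entries quoted in the thread. The script only reads the log; it cannot tell what writes the entries back after a reboot, which is what the rest of the thread is chasing.

```python
"""Triage HijackThis-style log lines the way the thread does by hand.

Added example, not code from the thread or from HijackThis itself.
"""
import re
from urllib.parse import urlparse

# Hosts behind the O16 entries joe5 says to KEEP. Assumption for this example:
# a DPF (downloaded ActiveX) entry whose .cab host is not under one of these
# suffixes is treated as something to fix, so an unknown host never slips through.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "msn.com", "zonelabs.com", "pandasoftware.com")

CLSID = r"(\{[0-9A-Fa-f-]+\})"
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - " + CLSID + r" - (.*)$")
DPF_RE = re.compile(r"^O16 - DPF: " + CLSID + r" \((.*?)\) - (\S+)")
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run\w*): \[(.*?)\] (.*)$")
SVC_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

# Constructed sample log. Lines 4 (Example Helper) and 8 (Example Loader) are
# made up; the others are entries quoted in the thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Loader) - http://dpf.example.invalid/loader.cab
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\Conversions Plus\FORMATM.EXE" /SERVICE (file missing)
""".strip()


def host_is_trusted(url):
    """True when the URL's host is a trusted suffix or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES)


def triage_line(line):
    """Classify one log line as (verdict, detail).

    verdict is 'fix', 'keep', 'review' or 'ignore' (line type not handled here).
    """
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        name, clsid, path = m.groups()
        if path.strip() == "(no file)":
            return "fix", f"orphaned BHO {clsid}: registry entry with no DLL behind it"
        return "review", f"BHO {name} {clsid} -> {path}"
    m = DPF_RE.match(line)
    if m:
        clsid, name, url = m.groups()
        host = urlparse(url).hostname
        if host_is_trusted(url):
            return "keep", f"DPF {name} from trusted host {host}"
        return "fix", f"DPF {name} {clsid} fetched from untrusted host {host}"
    m = RUN_RE.match(line)
    if m:
        key, name, cmd = m.groups()
        # RunOnce values execute at the next logon and then delete themselves,
        # so an entry like this can be present in one scan and gone in the next.
        return "review", f"{key} [{name}] -> {cmd}"
    m = SVC_RE.match(line)
    if m:
        name, owner, cmd = m.groups()
        if "(file missing)" in cmd:
            return "fix", f"service {name}: binary missing, owner {owner}"
        return "review", f"service {name} ({owner}) -> {cmd}"
    if line.startswith("R3 - ") and "missing" in line:
        return "fix", line[len("R3 - "):]
    return "ignore", line


def triage_log(text):
    """Triage every line of a log, dropping lines the rules do not cover."""
    results = []
    for raw in text.splitlines():
        verdict, detail = triage_line(raw)
        if verdict != "ignore":
            results.append((verdict, detail))
    return results


def verdict_counts(text):
    """Count verdicts per category, handy for a quick before/after comparison."""
    counts = {}
    for verdict, _ in triage_log(text):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for verdict, detail in triage_log(SAMPLE_LOG):
        print(f"{verdict:6} {detail}")
```

Running a log from normal mode and one from safe mode through `verdict_counts` and diffing the two gives the comparison the thread is making across posts #5 and #6: if the "fix" entries vanish in safe mode and come back after a reboot, something that runs at normal startup is rewriting them, and the log parser has done all it can.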
#6 - 07-11-2005 - ladygreenwitch (HR Director, Bay Area California)
Re: HijackThis cannot permanently delete unidentified BHOs and DPF files

:cry: Hi Joe,

Thanks for trying to help. I really thought we had it that time; the HijackThis log in safe mode showed everything GONE!!! But as soon as I rebooted everything was back, and same ol' same ol' with the internet connection. This is so goofy; all I can think of is that there is a dll or something trying to reestablish the malware/spyware/hijacker. I'm going to try the whole thing again, only this time I am going to check the RunOnce locations in regedit in safe mode. Maybe something sneaky will show its ugly face.

Any other ideas of where to look, the answer is obviously not in HijackThis. I've deleted the same files about 50 times. :x

Wish me luck and put your thinking caps on; thanks again for helping me. Here's the hijack log from safe mode; the other one is the same as the others. By the by, the tscupdate.exe line wasn't in hijack, but I moved it from system32 and stored it on the desktop anyway. And, yes, I know that I have Cisco VPN on my machine; I have no idea why, and it won't let me delete or uninstall it, so I disabled it. Thanks again.

Teresa


#7 - 07-11-2005 - joe5 (Elite Member, Netherlands)
Re: HijackThis cannot permanently delete unidentified BHOs and DPF files

I think if you can get rid of "tscupgrd.exe" in your reg and do a manual search for copies of the file and delete those (also search hidden and system files), and get rid of that VPN client, that your machine should be clean. If you didn't install it then it must be used for something nasty, I would think. It could be that that is what's being used to reinfect you; that is like an open door to ...?? who or whatever is in control at the other end.

It isn't in Add and Remove Programs? There should be a (hidden) folder in your Program Files folder called "cisco systems" at least.

O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

To see if the re-infection comes from the net, pull the network cable out of your comp (when it's off) and then remove everything again and reboot without internet access and see what happens.




__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

