PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » [FIXED] Problems with Safe Mode, System Restore, and malware

#1
09-17-2005
marielle
Bronze Member
Join Date: Sep 2005
Posts: 11
[FIXED] Problems with Safe Mode, System Restore, and malware

I appreciate any help you can offer. I'm pretty sure my system's been hijacked by WinAntiSpyWare and another program. I've read some great advice and have been trying to take the steps.

What I have found is that I do not seem to be able to boot in Safe Mode. All I get is a blank screen that says "safe mode" in the four corners, but no icons, or any way for me to access programs.

(I then ran AVG, Norton Antivirus, Adaware, Spybot, and CCleaner without being in safe mode. All were updated before I ran them, and I disconnected from the internet before running AVG and Norton.) I also downloaded and ran ewido. I changed to Mozilla for my web browser, but no doubt the bad stuff in IE is still on my computer.

I thought perhaps I forgot to put System Restore back on, and when I checked it today, it is "suspended". I ran the Disk Cleaner, but it is still suspended.

After I get these things resolved, I will rerun all the antivirus, etc. stuff in safe mode, and return for some desperately needed help to get rid of the malware problem. (I anticipate having to get HijackThis! and will definitely need some hand-holding to get me through that.)

Thank you in advance --- you guys are great!

Mary


#2
09-17-2005
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044
Re: Problems with Safe Mode, System Restore, and malware


Hi Mary, welcome to PCHF.

Can you post a HijackThis log? Maybe after removing the malware the other problems are gone too.

Please attach it as a txt file to your post.



PS: have a look at this for your System Restore problem:

Why is System Restore suspended on my machine although I have enough free space on my system drive? Answer: This can occur when the following conditions are true:

- A drive that is not a system drive that has System Restore enabled on it has reached less than 50 MB of free disk space.

- A copy, delete, or modify operation was made to a file that is monitored by System Restore on such a drive.

This will cause System Restore to suspend across the system. To resolve this issue please visit:
http://support.microsoft.com/default...b;EN-US;299904.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#3
09-17-2005
marielle
Bronze Member
Join Date: Sep 2005
Posts: 11
Re: Problems with Safe Mode, System Restore, and malware

Hi there--

Here's the file from HJT. Good luck!


#4
09-17-2005
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044
Re: Problems with Safe Mode, System Restore, and malware

Before using HijackThis, can you please do this for me:

Show hidden files and folders:

For XP:

1. On the Tools menu in Windows Explorer, click Folder Options.
2. Click the View tab.
3. Under Hidden files and folders, click Show hidden files and folders.
4. If you see a warning message, click Yes.
5. Click Apply.
6. Click OK.

Then disable System Restore to prevent re-infection.
(if you have/use it.)
(you can turn it back on when your PC is clean).


How to disable system restore:

WinXP.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.




Please download Process Explorer by Sysinternals from HERE

And download CCleaner from here.

Also download KillBox by Option^Explicit from HERE

Download swap.zip from here.



Unpack the swap.zip.

Double-click swap.bat.
This can take a while to run.
Don't worry, your computer will reboot by itself, so let it finish the job.

After that, boot up in SAFE MODE and stay in safe mode until the entire fix is done (hit F8 when booting up).



Unzip Process Explorer and double-click on procexp.exe

In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of accdvd.dll once and then click the Kill button.

After you have killed all of the accdvd.dll's under winlogon click OK.

Next, in the top section of the Process Explorer screen again, double-click on explorer.exe and again click once on each instance of accdvd.dll then click the Kill button.

Once you have done that click OK again.

Next, run HijackThis and place a check beside each of the following.


O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\accdvd.dll
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O20 - AppInit_DLLs: ibg3z3wjzhwnzxdll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O20 - Winlogon Notify: accdvd - C:\WINDOWS\repair\accdvd.dll




And it looks like these are already uninstalled; you can fix these too if you don't want/use them any more:




O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {0D072730-7C33-4843-A716-FE301E7E2E08} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0D072730-7C33-4843-A716-FE301E7E2E08} - (no file) (HKCU)

Now click Fix checked and close HijackThis, and run CCleaner now to clean up.

Please copy the text in the quote below, and paste it into a blank Notepad window.
Save it as vundo.reg and in the Save as type box choose All files.

Once you have saved it, double-click it and allow it to merge with the registry.



REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]




Double-click on Killbox.exe and then check the Delete on reboot button.

Enter the following file path and file name into the Full path of file to delete box:


C:\WINDOWS\repair\accdvd.dll


Click the red circle with the white x and allow your computer to reboot.



After your computer has rebooted please run Hijackthis again and post a new HijackThis log.





PS: I would recommend installing at least SP1, but better is to install SP2 to make sure you're better protected.



__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#5
09-18-2005
marielle
Bronze Member
Join Date: Sep 2005
Posts: 11
Re: Problems with Safe Mode, System Restore, and malware

Hi--

Here's the scoop:

1. Process Explorer

I had no problem with the winlogon.exe properties. However, I did not have an "explorer.exe" line. I did investigate all the lines, and could find no evidence of accdvd.dll though, other than what was on winlogon.


2. Hijack This

I did not have this line:

O20 - AppInit_DLLs: ibg3z3wjzhwnzxdll.dll.dll........dll

I did check and fix the line:
O20 - Winlogon Notify: accdvd - C:\WINDOWS\repair\accdvd.dll

but it kept coming back. I believe it is still there.


3. Killbox.exe

I did as instructed. I got the following message:


"PendingFileRenameOperations Registry Data has been Removed by External Process!"

It did not reboot itself, so I did it manually.


4. The start menu does not appear when booting in Safe Mode about 75% of the time. It does not appear on my screen in regular mode about 30% of the time.


Thanks so much for your help so far and I will wait for a response. I attached my most recent Hijack This log.

Mary


#6
09-18-2005
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044
Re: Problems with Safe Mode, System Restore, and malware





Originally Posted by marielle
2. Hijack This

I did not have this line:

O20 - AppInit_DLLs: ibg3z3wjzhwnzxdll.dll.dll........dll

That is correct, the "swap.zip" has taken care of that infection.



Originally Posted by marielle
1. Process Explorer

I had no problem with the winlogon.exe properties. However, I did not have an "explorer.exe" line. I did investigate all the lines, and could find no evidence of accdvd.dll though, other than what was on winlogon.

I did check and fix the line
O20 - Winlogon Notify: accdvd - C:\WINDOWS\repair\accdvd.dll

but it kept coming back. I believe it is still there.

3. Killbox.exe

I did as instructed. I got the following message:

"PendingFileRenameOperations Registry Data has been Removed by External Process!"

It did not reboot itself, so I did it manually.

There must also be an explorer.exe line there, and because the accdvd.dll wasn't stopped there you had all those following problems and it has come back.
Apart from that everything else is gone.

Let's try again; the explorer.exe line has to be a little below the winlogon.exe line (you may have to scroll down a bit).






Please download Process Explorer by Sysinternals from HERE

Also download KillBox by Option^Explicit from HERE

Then boot up in SAFE MODE and stay in safe mode until the entire fix is done (hit F8 when booting up).



Unzip Process Explorer and double-click on procexp.exe

In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of accdvd.dll once and then click the Kill button.

After you have killed all of the accdvd.dll's under winlogon click OK.

Next, in the top section of the Process Explorer screen again, double-click on explorer.exe and again click once on each instance of accdvd.dll then click the Kill button.

Once you have done that click OK again.

Next, run HijackThis and place a check beside each of the following.


O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\accdvd.dll
O20 - Winlogon Notify: accdvd - C:\WINDOWS\repair\accdvd.dll

Now click Fix checked and close HijackThis.

Please copy the text in the quote below, and paste it into a blank Notepad window.
Save it as vundo.reg and in the Save as type box choose All files.

Once you have saved it, double-click it and allow it to merge with the registry.



REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]




Double-click on Killbox.exe and then check the Delete on reboot button.

Enter the following file path and file name into the Full path of file to delete box:


C:\WINDOWS\repair\accdvd.dll


Click the red circle with the white x and allow your computer to reboot.



After your computer has rebooted please run Hijackthis again and post a new HijackThis log.




__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
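As an added example (not code from this thread, from HijackThis or from the PCHF team), a small Python scanner that applies the judgement joe5 used in posts #4 and #6 to the log lines quoted there: a DLL registered as a BHO (O2) or Winlogon Notify handler (O20) outside the usual system directories, any AppInit_DLLs value at all, and an ActiveX (O16) object sourced from the local disk are flagged, while entries whose target is already gone are reported as low priority. The trusted-directory list, the severities and the sample log are my own assumptions.

```python
import re

# Constructed sample built from the HijackThis entries quoted in posts #4 and #6.
SAMPLE_LOG = """\
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\\WINDOWS\\repair\\accdvd.dll
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\\Recycled\\Q678340.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O20 - AppInit_DLLs: ibg3z3wjzhwnzxdll.dll.dll.dll.dll
O20 - Winlogon Notify: accdvd - C:\\WINDOWS\\repair\\accdvd.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\\Program Files\\PartyPoker\\PartyPoker.exe (file missing)
"""

# Assumption: a legitimately registered BHO or Winlogon Notify DLL lives under one of these.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
DLL_PATH_RE = re.compile(r"([a-z]:\\\S+?\.dll)", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def classify(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group(1), m.group(2)
    if "(file missing)" in body or "(no file)" in body:
        return ("low", "dangling entry: target no longer exists")
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        # Any value here is loaded into every process that maps user32.dll.
        return ("high", "AppInit_DLLs injection: " + body.split(":", 1)[1].strip())
    if code == "O2" or (code == "O20" and body.startswith("Winlogon Notify:")):
        path = DLL_PATH_RE.search(body)
        if path and not path.group(1).lower().startswith(TRUSTED_DIRS):
            return ("high", "DLL loaded into explorer/winlogon from unusual directory: " + path.group(1))
    if code == "O16" and ("file://" in body.lower() or re.search(r"- [a-z]:\\", body, re.I)):
        return ("high", "ActiveX object sourced from the local disk rather than a web site")
    return None


def scan(log_text):
    """Scan a whole log; returns [(code, severity, reason, line), ...] for flagged entries."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits.append((line.split(" ", 1)[0], result[0], result[1], line))
    return hits


if __name__ == "__main__":
    for code, sev, reason, line in scan(SAMPLE_LOG):
        print(f"[{sev}] {code}: {reason}\n    {line}")
```

Run against the sample it reports the two accdvd.dll entries, the AppInit_DLLs entry and the file:// DPF entry as high, the PartyPoker leftover as low, and leaves the Shockwave download alone.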

