Limewire trouble again!!!!

[wormit]

Thank you again for helping me with my earlier problem couple of weeks back.

Well i went and downloaded limewire again and the next thing i know i got trojans on my computer!!!
I ran a scan with avg free anti virus software and it caught Trojan horse IRC/backdoor SDBOT2 and Trojan horse  downloader generic UDR. I seemed to have taken care of these two trojans (avg free deleted those after the scan and when i ran the scan again they were not there); and found another trojan called trojan horse downloader generic UEF!!!!
In the avg free scan the boot sector has changed.

When I ran spybot it had the following in red
1.Windows security center.updatedisablenotify
2.Windows security center.antivirusdisablenotify
3.Windows security center.antivirusoverride
4.Windows security center.firewalldisablenotify
5.Windows security center.firewalloverride
6.Windows security center.sp2update
(the registry keys seemed to have changed)
I selected "fix checked" in spybot but when i run the scan again and again the same six of these appears.
I have zone alarm as my fire wall

What should i do? Shall i uninstall limewire?



 http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'\' />

[birdman]

Wormit,

      My experince with limewire has lead me to belive That its nothing more than a tool used by
crackers and script kiddies to install loads of trojans and other malware on your PC .Its bout time to step up
to the next generation of P2P software called µtorrent.You can download µtorrent here
http://www.utorrent.com/download.php

[wormit]

ok so i uninstalled limewire and downloaded what you said.

But what about the spybot results that i mentioned.... It is something to worry about?

[guestolo]

Hi again Wormit, those entries from Spybot may be nothing too worry about
But can I see a fresh hijackthis log please
Let's make sure it looks clean please

[wormit]

Hi  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'\' />

Here's the HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 6:24:50 AM, on 3/26/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\CAPRPCSK.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\DAP\DAP.EXE
D:\WINDOWS\System32\rundll32.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\services.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\Program Files\MP3Dancer\MP3Dancer.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HJT\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAPON] D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MP3 Dancer.lnk = D:\Program Files\MP3Dancer\MP3Dancer.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - D:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Program Files\Poker.com\poker.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessectio...redlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/ve...n7/DLHelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - D:\WINDOWS\services.exe

[guestolo]

==Download and save rdrivrem.zip
[attachment=486:attachment]
UNZIP the contents to your desktop so you now have a rdrivrem folder on your desktop
Do not run this from within the zip file

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

Once in safe mode
go into the rdrivrem folder and double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder
I'll need to see it later

Reboot back to Normal mode

Post back a fresh hijackthis log and
Post the contents of rdriv.txt in the rdrivRem folder

[wormit]

Logfile of HijackThis v1.99.1
Scan saved at 12:37:24 PM, on 3/26/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\CAPRPCSK.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\DAP\DAP.EXE
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\MP3Dancer\MP3Dancer.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\Program Files\Webshots\WebshotsTray.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAPON] D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MP3 Dancer.lnk = D:\Program Files\MP3Dancer\MP3Dancer.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - D:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Program Files\Poker.com\poker.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessectio...redlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/ve...n7/DLHelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe




             RDrivRem Log 12:30:07.10  Sun 03/26/2006


      ~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

WinRep.exe present!
services.exe present!


      ~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~



I did a scan and found trojan horse downloader generic UEF again. I deleted it through avgfree.

[guestolo]

Looks good

I did a scan and found trojan horse downloader generic UEF again

If you do find it again, let me know the exact location you are finding it at on your computer please

You appear to have multiple installs or updates for sun Java
Access your add/remove programs and remove any old versions of Java or updates
The latest is
J2SE Runtime Environment 5.0 Update 6

You can leave that one alone
but remove any older updates or versions
You can also remove WildTangent GameChannel if not needed and found in add/remove


This service that's running
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe (file missing)
Do you need it running?
Do you compile your own java scripts, I'm not too familiar with it, this is why I'm asking

I can see by your log you enjoy online gaming, can I have you fix some activex controls please
They will be reinstalled if needed, some may be outdated or unrecognized, if you know them to be safe, you can leave them alone

Do a "System scan only" with Hijackthis and put a check next to these entries:

O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessectio...redlauncher.cab

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll

O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/ve...n7/DLHelper.cab

O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab


After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

*Install  SpywareBlaster 3.5.1 by JavaCool[/url]  

*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

using Internet Explorer (not Firefox or any other browser as they won't work)
Go to this link>>>Click HERE
    * Click on Windows Validation Assistant
    * Click on the Validate Now button.
    * Be patient while the ActiveX loads, do not click on any links.
    * Read the instructions on this page while it's loading. You will be prompted to install - click YES.
    * Enter your product key then click continue
    * When it says "Validation Complete" please click Continue to return to your previous activity
    * Copy what it says and paste it here.

[wormit]

The following message came up on the page you wanted me to enter the windows validation key:

Validation Failure: Product Key Failed Validation[0x80080220]  

  Why did my machine fail validation?

The product key found on your computer is from a Volume License Key (VLK), which has been blocked. A VLK is typically licensed to organizations who want to use multiple copies of Windows. However, if a VLK is reported as stolen or leaked, it is then blocked from passing through validation.


If you received a computer with a VLK, and you do not have a Volume License Agreement with Microsoft, then you may be a victim of software piracy. If this has happened to you, please see below for the steps you can take.


If you do have a Volume License Agreement with Microsoft, you believe you are using the appropriate VLK assigned to your organization, and your VLK has not been reported as stolen or lost, please contact your system administrator, Large Account Reseller (LAR), or Enterprise Software Advisor (ESA) to report the problem
 


I removed the older versions of java and WildTangent GameChannel.

[guestolo]

Your copy of Windows is probably not legit, I think I asked you this before
Also, I'm sure I told you this before, without the security patches that the updates supply
Your system will always be vulnerable to attacks

*If everything is running better
Final Cleanup
We should clear all your restore points to ensure you don't restore any nasties that may be sitting idle

Go to START>>RUN>>In the open field
Type in

msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
[/list]                          
Back in Windows, Go back and take the check out of "Turn off system restore"
This will reenable the System Restore feature and creates a new restore point
Then go back to Internet Options in Control panel and Reset Web Settings again

                 [indent][color=\"#CC0000\"]Protect this computer against Future Attacks[/color][/i][/b][/indent]

"Check for updates every couple of weeks" with SpywareBlaster
after every update just simply click the "enable protection on all unprotected items"
                   
*Make sure your Anti-Virus software is always kept up to date and actively running in the background

*Check for updates with your anti-spyware programs and run a scan on a regular basis
In addition>>Open Spybot 1.4
Click the Immunize button on the left
OK>>Immunize at the top green cross
Please use the Immunize feature in Spybot after every update

*Make sure your Firewall is enabled and running
A Firewall is very important
This provides a line of defense against someone who might try to access your computer without your permission
This is especially true on an unpatched machine

Did you see this before

This service that's running
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe (file missing)
Do you need it running?

[wormit]

i did a scan with avg free and the trojan horse downloader generic uef was there. The path was
C:\System volume information\_restore{34fcc7e2-024d-43a8-8903-42de892ddbeb}\rp235\ao448017.exe

I didnt do the cleanup yet.

Dont think im using the java web server.

[guestolo]

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- JavaWebServer

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Can you do the same for the next 2 services as well
Messenger
This is not MSN Messenger
and also
Alerter

Then run the final cleanup steps
That file
C:\System volume information\_restore{34fcc7e2-024d-43a8-8903-42de892ddbeb}\rp235\ao448017.exe
Is in your system restore folders, clearing them as I posted earlier will remove it

[wormit]

I ran a scan again and it didnt find any viruses  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'\' /> (but the boot sector and hosts were changed as before)

So I guess my computer is back to normal... Thank you again http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'\' />

[bobloblaw]

be careful these days... seems like there is spyware in most files.

[wormit]

lol

[guestolo]

As your problems appear resolved, I'll lock this topic
Take care  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'\' />