#1 |
|
Member (11 bit)
Premium Member
Join Date: Dec 2003
Location: Boston, MA
Posts: 1,616
|
HP Pavilion Reformatting....help!
Hi guys. I could really use some help here. My little sisters have an HP desktop, and somehow loaded it up with more adware than I've ever seen before. You open IE and you get 6 popups right off the bat. Anyway, how the computer is set up is that the recovery files are on a partition on the hard drive. You can't reformat without it saving user settings and not getting rid of the problems I need to get out of the computer. I've run Spybot, AdAware, and two anti-virus programs but I can't find these ads. Even when I get all the scans to come out clean the system is still a mess. How do I do a full wipe on an HP and get it back to the way it came out of the box? Thanks. I'm almost to the point where I'll just have to go into command line and do an fdisk, but I'm afraid that I won't get drivers back and it would just cause a bigger mess.
__________________
Laptop HP DM4t / i5-560M / 14.1 WXGA Widescreen / 1GB Radeon Mobility 6370 / 4GB RAM / 320 GB 7200rpm HD / DVD-RW / 802.11n & BT wireless
First Build Abit IC7-G Max II Motherboard / 2.8C 800mhz P4 / 1024 DDR 3200 (2x 512 in Dual Channel) / Sapphire Radeon 9800 Pro 128 / Samsung 120 GB SATA HD / Lite-On 16x DVD-ROM / NEC DVD-RW
#2 |
|
PCMech: Saving Lives
Join Date: Apr 2004
Location: England, the United Kingdom
Posts: 1,839
|
Have you tried the new Microsoft Antispyware program? (If your version of Windows is supported.) Try posting a HijackThis log (sticky about it at the top of this forum) to see if the problem shows up there.
Hopefully you can sort out the problem without losing everything.
#3 |
|
Member (11 bit)
Premium Member
Join Date: Dec 2003
Location: Boston, MA
Posts: 1,616
|
No I hadn't thought about the new Microsoft program. I'll give that a shot, and then see if Hijack This! shows anything. Thanks.
#4 |
|
Member (11 bit)
Premium Member
Join Date: Dec 2003
Location: Boston, MA
Posts: 1,616
|
Nope, no good. I can't even download the program because by the time I get to the Microsoft page for the program there are so many ads the system locks up and I have to do a forced end task to get IE to close. This isn't a bad system hardware-wise. 2.0 P4, 512 PC2700 RAM, Win XP Home. My little brother has an exact copy of the system the girls have and his works fine so it has to be all the junk. I've tried reformatting it via the HP wizard a few times but it always saves the user settings so the problem is back in a few days. I don't even know how they caused this much of a problem. Google Toolbar was installed to begin with so the average everyday popups didn't get in, and Norton was always active, but then they come asking me a few months ago why their computer is so slow and I don't sit down for a minute before I see CoolWebSearch, 3 different junk toolbars sitting in IE, Gator, Zongo, WeatherBug, and about 100 other things Spybot found. They say they haven't gone anywhere on-line, but they have to have downloaded a ton of crap to get all this.
Please, anyone with one of the newer HPs, I need to know how to do a full reformat without it saving settings.
#5 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
Download the tools you need on your computer and burn them to a CD for installation on her machine.
#6 |
|
Member (8 bit)
Join Date: Sep 2003
Posts: 141
|
Usually there is a key (possibly F10) option on boot up to enter a boot menu. This should give you instructions on how to format/reinstall.
I don't know the model you have, but it should be similar to this: HP Recovery
Hope that helps
#7 |
|
Member (11 bit)
Premium Member
Join Date: Dec 2003
Location: Boston, MA
Posts: 1,616
|
Thanks again for the help everyone. I got Microsoft Anti-Spyware on her computer. Didn't fix everything, but at least it's now under control. I get a nice little allow / block box over 8+ IE windows. Though I'm now getting a warning saying the computer can't find Wild Tangent. I assume that can be removed in the registry somewhere, and that Hijack This will probably catch it. Could someone look at this log please? It was run after I ran Anti-Spyware for the second time.
Logfile of HijackThis v1.99.1
Scan saved at 6:47:58 PM, on 3/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\Tfnngi.exe
C:\Program Files\zwvliu0s\zwvliu0s.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\cvtg\gmuh.exe
C:\WINDOWS\System32\gusguyb\srvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\lpvvvb\pfpod.exe
C:\WINDOWS\System32\hhktq\yrqmnf.exe
C:\WINDOWS\SysCheckBop32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system\lelluigp.exe
C:\WINDOWS\System32\pruttct.exe
C:\WINDOWS\System32\pruttct.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\WINDOWS\System32\d?dplay.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {04A339CE-1DB8-4391-8E2C-77AA4351177B} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {07B3CC27-0ECB-49FF-981C-19A5A5EA743A} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {18A7FDEC-6034-4F94-B3F6-89E02B3AE8E7} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {213A7CF7-3BAD-466B-8BB9-07BA03460AFE} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {323BF2A5-5AC7-46F0-AE67-242AACAB7B4A} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: (no name) - {57A96123-E12D-4D37-9ADC-0F638386B2E3} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {608CC423-9029-42D3-B24D-F8823C6DDF86} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {654477C7-1C21-45DE-A316-384D0393AEAB} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {6C4E22C5-AFF7-4C9F-9A4D-C57DBA7F80DD} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {6F9C2F8E-4D2E-4F13-BEE1-6A2DD0049B83} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {712439BB-025E-4489-AB81-95D2DE76CB33} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {7F62A71C-36A1-4800-D2A9-16349654B4C4} - C:\WINDOWS\System32\wanf.dll
O2 - BHO: (no name) - {ABEA8FEA-D5F0-4435-A32D-28E0B50659AB} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {ABF15026-3DAB-4AD6-AA11-4E4D39072EB2} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {B59108F1-E321-43F0-9FA7-56102DF5FC6B} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {B70F1744-5E0E-4F17-85A2-4B2D1D38A1D1} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {BCE4C846-0D97-460D-85BD-CE0718C2A3EF} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {BFB08FD8-B779-4352-8246-E3EB8E0A9FA2} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {CBBF9C8D-7F11-4119-994D-0B3ADE46A4C2} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {D7298FC4-8FD9-4A76-BBAC-20F2DACE0117} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {EA68F295-AFAB-4FCE-BACF-1CF271487958} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {FBC027CC-C53C-4FD6-9015-07028FA23B99} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {FE7F5B1D-336C-410E-AF3F-AAC57187CA65} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {C109664B-CEB1-420b-B353-D55A561536DD} - (no file)
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Tfnngi.exe
O4 - HKLM\..\Run: [C:\WINDOWS\jwrb.exe] C:\WINDOWS\jwrb.exe
O4 - HKLM\..\Run: [zwvliu0s] C:\Program Files\zwvliu0s\zwvliu0s.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [gmuh] C:\WINDOWS\System32\cvtg\gmuh.exe
O4 - HKLM\..\Run: [srvc] C:\WINDOWS\System32\gusguyb\srvc.exe
O4 - HKLM\..\Run: [pfpod] C:\WINDOWS\System32\lpvvvb\pfpod.exe
O4 - HKLM\..\Run: [yrqmnf] C:\WINDOWS\System32\hhktq\yrqmnf.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - HKCU\..\Run: [Zppiew] C:\WINDOWS\System32\d?dplay.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [pruttct] C:\WINDOWS\System32\pruttct.exe
O4 - HKCU\..\RunOnce: [pruttct] C:\WINDOWS\System32\pruttct.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1105817805609
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.3.1/ttinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#8 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
This is AFTER running virus and spyware apps? Yikes. This is a nuke and pave candidate.
HP will send you restore CDs for a nominal charge.
#9 | |
|
Member (11 bit)
Premium Member
Join Date: Dec 2003
Location: Boston, MA
Posts: 1,616
|
Quote:
#10 |
|
Member (1 bit)
Join Date: Mar 2005
Posts: 1
|
I have that pruttct.exe running as well.
My system is usually locked down pretty well, but someone in my house played with IE security settings and lowered them all to the lowest settings...
I had a lot of adware and spyware running..... Through Safe Mode I ran a combo of Norton Antivirus 2004, then Adaware personal (from lavasoft.de) and then the Microsoft antispyware.... I was able to remove almost everything but that Pruttct.exe. I have never noticed it myself before as a normal running process.... For a time it was using 50% of my resources. I would then manually shut it down and used msconfig to remove it from startup. But it keeps respawning the moment I shut it down..... Other than that I'm fine..... If anyone has any info on this, it would be a great help..... And hopefully running in safe mode with those apps will help you out...
#11 | |
|
Member (1 bit)
Join Date: Mar 2005
Posts: 1
|
Quote:
I followed the advice of renaming the pruttct.exe file (see http://www.computing.net/windows95/w...um/164394.html) and then ran Ad-Aware again. This time it found quite a few problems all relating to "e2give" and "Prutect". Hopefully I'm rid of this now . . . Good luck!
#12 |
|
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
|
Hi Staren

Do this if you haven't formatted yet. Looks like you got quite an infection there.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Please download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants. Also make sure to Customize the settings in Adaware for better scan results. Do not run it yet.

Download Spybot 1.3 from this site: Spybot 1.3. Install the program, update the definitions file. Do not run it yet.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run them yet.

---------------------------------------------------------------------------------------------------------------

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Viewpoint Manager
WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

pfpod.exe
SysCheckBop32.exe
yrqmnf.exe
lelluigp.exe
pruttct.exe
wtta.exe
d?dplay.exe

Run HijackThis, put a check next to these, close all browsers and hit fix. Make sure not to miss one; don't worry if they are not there.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
O2 - BHO: (no name) - {04A339CE-1DB8-4391-8E2C-77AA4351177B} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {07B3CC27-0ECB-49FF-981C-19A5A5EA743A} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {18A7FDEC-6034-4F94-B3F6-89E02B3AE8E7} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {213A7CF7-3BAD-466B-8BB9-07BA03460AFE} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {323BF2A5-5AC7-46F0-AE67-242AACAB7B4A} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: (no name) - {57A96123-E12D-4D37-9ADC-0F638386B2E3} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {608CC423-9029-42D3-B24D-F8823C6DDF86} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {654477C7-1C21-45DE-A316-384D0393AEAB} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {6C4E22C5-AFF7-4C9F-9A4D-C57DBA7F80DD} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {6F9C2F8E-4D2E-4F13-BEE1-6A2DD0049B83} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {712439BB-025E-4489-AB81-95D2DE76CB33} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {7F62A71C-36A1-4800-D2A9-16349654B4C4} - C:\WINDOWS\System32\wanf.dll
O2 - BHO: (no name) - {ABEA8FEA-D5F0-4435-A32D-28E0B50659AB} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {ABF15026-3DAB-4AD6-AA11-4E4D39072EB2} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {B59108F1-E321-43F0-9FA7-56102DF5FC6B} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {B70F1744-5E0E-4F17-85A2-4B2D1D38A1D1} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {BCE4C846-0D97-460D-85BD-CE0718C2A3EF} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {BFB08FD8-B779-4352-8246-E3EB8E0A9FA2} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {CBBF9C8D-7F11-4119-994D-0B3ADE46A4C2} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {D7298FC4-8FD9-4A76-BBAC-20F2DACE0117} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {EA68F295-AFAB-4FCE-BACF-1CF271487958} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {FBC027CC-C53C-4FD6-9015-07028FA23B99} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {FE7F5B1D-336C-410E-AF3F-AAC57187CA65} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {C109664B-CEB1-420b-B353-D55A561536DD} - (no file)
O3 - Toolbar: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Tfnngi.exe
O4 - HKLM\..\Run: [C:\WINDOWS\jwrb.exe] C:\WINDOWS\jwrb.exe
O4 - HKLM\..\Run: [zwvliu0s] C:\Program Files\zwvliu0s\zwvliu0s.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [gmuh] C:\WINDOWS\System32\cvtg\gmuh.exe
O4 - HKLM\..\Run: [srvc] C:\WINDOWS\System32\gusguyb\srvc.exe
O4 - HKLM\..\Run: [pfpod] C:\WINDOWS\System32\lpvvvb\pfpod.exe
O4 - HKLM\..\Run: [yrqmnf] C:\WINDOWS\System32\hhktq\yrqmnf.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - HKCU\..\Run: [Zppiew] C:\WINDOWS\System32\d?dplay.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [pruttct] C:\WINDOWS\System32\pruttct.exe
O4 - HKCU\..\RunOnce: [pruttct] C:\WINDOWS\System32\pruttct.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.3.1/ttinst.cab

---------------------------------------------------------------------------------------------------------------

Delete:

C:\Program Files\zwvliu0s\ << This folder
C:\WINDOWS\System32\pruttct.exe << This file
C:\WINDOWS\System32\pruttct.exe << This file
C:\Program Files\sf\sf.exe << This file
C:\WINDOWS\System32\d?dplay.exe << This file
C:\Documents and Settings\Owner\Application Data\wtta.exe << This file
C:\ << This file
C:\WINDOWS\System32\hhktq\yrqmnf.exe << This file
C:\WINDOWS\System32\lpvvvb\pfpod.exe << This file
C:\WINDOWS\System32\gusguyb\srvc.exe << This file
C:\WINDOWS\System32\cvtg\gmuh.exe << This file
C:\WINDOWS\System32\netsync.exe << This file
C:\Program Files\zwvliu0s\zwvliu0s.exe << This file
C:\WINDOWS\jwrb.exe << This file
C:\WINDOWS\System32\Tfnngi.exe << This file
C:\Program Files\Viewpoint << This folder
C:\Program Files\WildTangent << This folder

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Empty your recycle bin.
Reboot to normal.
Run Adaware, Spybot, and CleanUp once again. Make sure to reboot between each one.
Come back, post another log and let me know how your computer's running.

Lobos

Last edited by Lobos; 03-07-2005 at 08:52 AM.
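Added example (not part of Lobos's post and not HijackThis's own logic): a small Python triage pass over a HijackThis log that surfaces the kinds of entries selected for fixing above. The sample lines are copied from the log posted earlier in this thread; the heuristics and the names `parse_log`, `triage` and `KNOWN_SYS32_DIRS` are assumptions made for illustration.

```python
import re
from collections import Counter

# Entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O23) and " - ".
LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*)$")
# URL whose host is a dotted-quad address rather than a name.
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?=[/:]|$)")
# An .exe in a directory directly below System32 (System32, one folder, file).
SYS32_SUBDIR_RE = re.compile(r"\\system32\\([^\\]+)\\[^\\]+\.exe\b", re.I)
# Assumed allow-list of stock directories below System32 (illustrative only).
KNOWN_SYS32_DIRS = {"wbem", "dllcache"}
# O4 registry autorun body: "<key>: [value name] command line".
O4_RE = re.compile(r"^.*?: \[(.*?)\] (.*)$")

# Lines copied from the log in this thread, one entry per line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.42.87.219/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
O2 - BHO: (no name) - {04A339CE-1DB8-4391-8E2C-77AA4351177B} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: (no name) - {07B3CC27-0ECB-49FF-981C-19A5A5EA743A} - C:\Program Files\zwvliu0s\zwvliu0s.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [C:\WINDOWS\jwrb.exe] C:\WINDOWS\jwrb.exe
O4 - HKLM\..\Run: [gmuh] C:\WINDOWS\System32\cvtg\gmuh.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def parse_log(text):
    """Return (section, body) pairs for every entry line; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (reason, detail) findings in log order, then cross-entry findings."""
    findings = []
    bho_dlls = Counter()
    for section, body in entries:
        if section == "O2":
            parts = body.split(" - ", 2)  # "BHO: name", "{CLSID}", "path"
            if len(parts) == 3:
                bho_dlls[parts[2].lower()] += 1
                if "(no name)" in parts[0]:
                    findings.append(("unnamed BHO", body))
        elif section == "O3":
            if "(no file)" in body or "(file missing)" in body:
                findings.append(("toolbar without file", body))
        elif section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # startup-folder shortcuts use a different layout
            name, command = m.groups()
            sub = SYS32_SUBDIR_RE.search(command)
            if sub and sub.group(1).lower() not in KNOWN_SYS32_DIRS:
                findings.append(("autorun from unusual System32 subdirectory", body))
            elif re.match(r"[A-Za-z]:\\", name):
                findings.append(("autorun value named after a path", body))
        elif section in ("R0", "R1") and IP_URL_RE.search(body):
            findings.append(("IE setting points at a bare IP address", body))
    # One DLL registered under several CLSIDs, as zwvliu0s.dll is in this log.
    for dll, count in bho_dlls.items():
        if count > 1:
            findings.append(("one DLL registered as %d BHOs" % count, dll))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {detail}")
```

The heuristics only produce candidates for review: a named entry such as the E2G BHO passes them and still has to be looked up by name or CLSID, as was done by hand in the fix list above.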
#13 |
|
Member (8 bit)
|
Prutect showed up on one of our computers at work, I did a web search and came up with this thread. The exe file has been renamed to mp4xoc.exe and shows up in task manager twice (Win98SE). You can not end the task by ctrl alt del, it keeps coming back. I tried to delete in safe mode and it was not allowed. I located the file in C:\windows\system32 and started up with the command prompt. I first renamed this file and then ran ad-aware, I was now able to delete all instances of prutect which had now grown to 25, it was 15 when it was first discovered. There seemed to be no more problems with the computer and it appeared to be running better. I then deleted mp4xoc.exe with no apparent ill effects.
Dave
#14 |
|
brewer, mostly...
Join Date: Jun 2004
Location: Laying on the floor, in the brewery
Posts: 1,315
|
This new thread just started addresses prutect:
http://forum.pcmech.com/showthread.php?t=150991
Isn't it funny how the most-infected computers always seem to be running Norton anti-virus?
-Kev
__________________
Symantec-free zone. To stay malware free: AVG antivirus/antispyware, Malwarebytes anti malware, Comodo Pro free firewall, ccleaner, Windows updates. or.... just install Linux
Too many computers in this house to list. They are all my builds, some AMD some Intel...