winantiviruspro2006

Status
Not open for further replies.

mskiermd

Hi!

My son somehow managed to get my computer infected despite an up-to-date Norton AV.

Every so often (but usually after I launch IE and it asks me if I want to 'connect' (also something new)), a window pops up warning that I am not protected from viruses, and then no matter what I click I get directed to a site that tries to install winantiviruspro2006. After that, Norton pops up and detects winantiviruspro2006freeinstall[1].cab (no options given).

Prior to this I was getting Norton popups about various dialer.generic threats (bgates.exe, svrhjk.exe and other things), but I ran Ewido in safe mode and I don't seem to get those now.

BTW now I can't seem to get the computer to boot fully into safe mode. It stops before the desktop comes up. I can get the task manager up and restart from there. This used to happen intermittently, but now it seems persistent.

I'm enclosing my HijackThis log and a few of my Ewido logs.

Help!
 
Well, since I initially posted, a bunch more popups for different products showed up. So I'm posting a new HijackThis log.
 
Adware.

You're infected with adware (possibly some spyware too). Norton does not do spyware/adware removal.

Get Ad-aware and Spybot S&D. Update to newest definitions and do a full system scan.
 
Wow, these are getting more creative. Now I'm getting popups for drivecleaner.com and when I click cancel, it tries to install anyway, but the browser is blocking the automatic install.

I hate these people.
 
Hello and welcome to Techspot.

Go HERE and follow the instructions exactly.

Post a fresh HJT log into this thread, only after doing the above.

Regards Howard :wave: :wave:
 
OK, I did all that, although, as I said before, my computer isn't fully booting into safe mode. I get no desktop, just the black screen. So I was able to run this stuff with the task manager.

Spybot found some registry keys related to winantivirus2006 and supposedly deleted them. I can't find a log file for this.
 
Well done, your HJT log is almost clean.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with (if there)

Winantivirus

Close control panel.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Documents and Settings\Rafi\My Documents\Save Flash\SaveFlash.dll (file missing)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxoramunrising/sis/mjolauncher.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

winantivirus or anything to do with that name.

Reboot into normal mode and turn system restore back on.

Other than the above entries, your HJT log is clean.

Regards Howard :)
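The post above hands the reader a list of HJT entries to tick, all of them either "(file missing)" orphans or O16 (DPF) ActiveX downloads. The script below is an added example, not part of the thread or of HijackThis itself: it parses HJT O-lines into records and flags the two classes a reviewer looks at first, orphaned entries and DPF downloads from hosts outside an allowlist. The sample log embeds the seven entries from the post verbatim plus one constructed O16 line with a made-up CLSID so the allowlist has a hit; the allowlist itself is an assumption, and a flag means "review this", not "malicious" (the poster later confirms both O16 controls were legitimate).

```python
"""Triage a HijackThis (HJT) log: parse O-lines and flag orphaned entries and
ActiveX (O16/DPF) downloads from hosts not on an allowlist.
Added example for the thread above; it is not code from HijackThis or TechSpot."""
import re
from urllib.parse import urlparse

# Constructed sample: the seven entries Howard asked to be fixed, copied from
# the post, plus one CONSTRUCTED benign O16 line (fake all-zero CLSID, made-up
# URL) so that the trusted-domain check has something to pass.
SAMPLE_LOG = r"""
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Documents and Settings\Rafi\My Documents\Save Flash\SaveFlash.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxoramunrising/sis/mjolauncher.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Example Class) - http://download.microsoft.com/example/example.cab
"""

HJT_LINE = re.compile(r"^(O\d+) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_MISSING = "(file missing)"


def parse_hjt(text):
    """Return one dict per O-line: section, description, clsid, target, file_missing.

    HJT separates fields with ' - '; the last field is the file path or URL and
    HJT appends '(file missing)' when the path does not exist on disk."""
    records = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # headers, blank lines and non-O lines are ignored
        section, rest = m.groups()
        fields = [f.strip() for f in rest.split(" - ")]
        target = fields[-1]
        missing = target.endswith(FILE_MISSING)
        if missing:
            target = target[: -len(FILE_MISSING)].rstrip()
        clsid = CLSID_RE.search(rest)
        records.append({
            "section": section,
            "description": fields[0],
            "clsid": clsid.group(0).upper() if clsid else None,
            "target": target,
            "file_missing": missing,
        })
    return records


def triage(records, trusted_dpf_domains=("microsoft.com",)):
    """Return (section, subject, reason) tuples for entries worth a reviewer's eye.

    Orphaned entries (file missing) are dead registry pointers and safe to fix.
    O16 entries are ActiveX downloads; any host outside the allowlist is flagged
    for review. The default allowlist is an assumption for this example."""
    findings = []
    for r in records:
        if r["file_missing"]:
            findings.append((r["section"], r["target"], "orphaned: referenced file is missing"))
            continue
        if r["section"] == "O16":
            host = (urlparse(r["target"]).hostname or "").lower()
            trusted = any(host == d or host.endswith("." + d) for d in trusted_dpf_domains)
            if not trusted:
                findings.append((r["section"], host, "ActiveX download from host not on allowlist"))
    return findings


if __name__ == "__main__":
    for section, subject, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}: {subject}")
```

Run against a real log, every "file missing" line comes out as a fix candidate and every O16 line outside the allowlist comes out as a question for the user, which is exactly the conversation the next few posts have about the Shockwave game and the Fujifilm uploader.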
 
Well, I wasn't able to do that from safe mode, because I am still not able to get the desktop to load in safe mode. It gets as far as the dialog that says "you are starting in safe mode" etc., then the dialog suddenly disappears and I am left with the black screen and the words 'safe mode' in the corners. However I can ctrl alt del into the task manager, but I don't think it's loading everything.

So I did what you said in normal mode. I'm enclosing the HijackThis log.

I did not find any directories or files with winantivirus other than the cookie from the site.
 
I was able to start up safe mode, but the desktop and explorer never load. The only way to run programs in safe mode is to open the task manager and click "new task" and use the run dialogue to find the program to run. So I can't do a search for nasties in safe mode. I also can't turn on or off system restore in safe mode.

Also, when I look at the running processes in my safe mode window, there are quite a few less than usual. I wonder if all the normal processes are really loading? Maybe that's why the desktop never loads?

Would that make a difference in the various scans and tools that I've been using?

So other than not doing a file search in safe mode, I did do the HijackThis fix.
 
Here's something interesting (don't know if it means anything):

I booted back into safe mode and of course, no desktop, because explorer.exe wasn't running in the task manager. So I manually loaded it using the run dialogue, and the desktop loaded.

And then it "blinked" off. And explorer vanished from the task manager. I did this several times with the same results. On one occasion, I noticed that wmiprvse.exe loaded right before explorer blinked out, and then both of them blinked out.

Clue?

BTW the same winantiviruspro popup just loaded. The log files I posted before were run in normal mode. Whatever is doing this, it's not showing up.
 
Right.

Here ya go.

The mjolauncher is related to a shockwave game my wife paid for and downloaded.

the fujifilm thing is from me uploading my pictures to be printed.

Both of these have been on the computer for a while. The virus showed up thursday.

BTW what is bbeeg?
 
Your HJT log is as clean as a whistle.

I can't fix what I can't see.

I'm not sure what you mean by "what is bbeeg". Can you please explain?

Is there only one account on the computer? The reason I ask is there's nothing in your HJT log, but you're still getting popups. If there is more than one account on the computer, please post a HJT log from each account. You should also check in add remove programmes for each account and make sure Winantivirus2006pro or whatever it's called isn't there. If it is, uninstall it.

You said the virus was still there on thursday. We're on tuesday now, is it still there?

Regards Howard :)
 
I said the virus showed up thursday. I'm still getting popups.

This took a little while because in the interim, all heck broke loose.

When I switched to the other profiles, I couldn't get "my computer" to open (it would blink all but the wallpaper, and then not load). I think in retrospect the system started to become much more unstable after I ran Look2me destroyer (on your list of things to run) so I just reloaded a registry from 8/12 and so far it's more stable.

So here are the 4 profile logs from before the registry reload, and here's the most recent on the main profile channel (listed as just hijack.log).
 
Well, I think this may be it. BTW I downloaded this from your standard link before and ran it twice and got nothing. This one you just sent me to is an updated version. It found and deleted several files--named bbeeg (which is what I asked you about before).

So, what is bbeeg, and do you think it's the culprit?
 

Attachments

  • VundoFix.txt
    1.6 KB
That`s excellent.

Is your system running ok now?

If it is, I think we can say this is solved.

Regards Howard :)

This thread is for the use of mskiermd only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Looks like it's fixed. No popups yesterday, and I was ACTUALLY ABLE TO BOOT INTO SAFE MODE!

This BBEEG thing is NASTY. It was preventing explorer from loading in safe mode.

Thanks for your help.

The Vundofix is what got it (the newer one).
 
That`s good news.

Thanks for letting us know.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)
 
Someone sent me a question asking if I was able to get into safe mode, since he's having the same problem:

Yes, once I got rid of bbeeg and geebb and all its nasty incarnations, safe mode worked normally again. Also the other problem that I was having, of the explorer not loading in other profiles, was gone as well.

In fact, after running all these spyware fixes, the computer is faster than ever!
 