# my laptop has a virus and i need help 2 fix



## i like pie (Sep 14, 2006)

I have my aunt's laptop.
It's got a bad virus. I tried cleaning the registry like I did for mine but it didn't work.
When it starts up it says cannot find the file "bootini.exe" or any of its components. That's about all I know. Please help.


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

If you have taken anything out of startups via msconfig please go to *Start* > *Run*, type in *msconfig*, click OK and click on the Startup tab. Click on *Enable All* then *Apply* and OK. Then please do the following:

*Click here* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## i like pie (Sep 14, 2006)

I don't have that file.


----------



## i like pie (Sep 14, 2006)

msconfig. It says it can't find it or any of its components.


----------



## Cookiegal (Aug 27, 2003)

Please post the HijackThis log.


----------



## i like pie (Sep 14, 2006)

I will run the scan tonight.
It takes forever.


----------



## Cookiegal (Aug 27, 2003)

:up:


----------



## i like pie (Sep 14, 2006)

I tried running HijackThis but every time I opened the file the comp closed it.


----------



## i like pie (Sep 14, 2006)

I'm not using the laptop when I'm posting these so please make it so I can put it on a memory card if you're giving me a program.


----------



## Cookiegal (Aug 27, 2003)

Download *The Hoster* from *here*. Unzip the file, press "Restore Original Hosts" and press "OK". Exit the program.

Then try to open HijackThis and scan again.


----------



## i like pie (Sep 14, 2006)

Please also keep in mind that I'm doing all this in safe mode because it's way way way too slow in normal.


----------



## i like pie (Sep 14, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 7:31:39 PM, on 9/19/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Home\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe bootini.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,bootini.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O4 - HKLM\..\Run: [owjyvxoA] C:\WINDOWS\owjyvxoA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\Kztyx\Rkhx.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://start.shaw.ca
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157722614147
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9tZQ\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Microsoft Windows HDA Service - Unknown owner - C:\WINDOWS\System32\dllcache\svhda.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\owjyvxo.exe
O23 - Service: Microsoft Windows Spooler Services (Windows Spooler Services) - Unknown owner - C:\WINDOWS\wfbmgr.exe


----------



## Cookiegal (Aug 27, 2003)

Please download *Brute Force Uninstaller* to your desktop.
Right click the BFU folder on your desktop, and choose *Extract All*
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" (or whatever your primary drive is)
Click "Make New Folder"
Type in *BFU*
Click "Next", and *Un*check the "Show Extracted Files" box and then click "Finish".
*RIGHT-CLICK HERE* and choose "Save As" (in IE it's "Save Target As") in order to download Alcra *PLUS* Remover. 
*Save it in the same folder you made earlier (c:\BFU)*.

Do not do anything with this yet!

*Reboot your computer into Safe Mode.* You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking *BFU.exe*
Behind the *scriptline to execute* field click the folder icon and select *alcanshorty.bfu*
Press *Execute* and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the *complete script execution* box to pop up and press OK.
Press *exit* to terminate the BFU program.
Reboot into normal windows.

*Reboot and post a new HijackThis log please. See if you can get one taken from normal mode this time.*


----------



## i like pie (Sep 14, 2006)

My laptop can't connect to the internet so I can't do any of that, and I can't boot it up in normal
mode, so none of this helps.


----------



## Cookiegal (Aug 27, 2003)

Click Start - Run - and type in:

*services.msc*

Click OK.

In the services window find *Command Service*.
Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

*Note:* You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Repeat the above for all of these services:

*Microsoft Windows HDA Service*
*Network Monitor*
*Windows Overlay Components*
*Microsoft Windows Spooler Services*

*Click Here* and download Killbox and save it to your desktop but don't run it yet. Try installing it on the infected computer from a floppy.

Go to Control Panel - Add/Remove programs and remove these, if there:

*Internet Optimizer
TheSearchAccelerator* 
Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe bootini.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,bootini.exe
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O4 - HKLM\..\Run: [owjyvxoA] C:\WINDOWS\owjyvxoA.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\Kztyx\Rkhx.exe
O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9tZQ\command.exe
O23 - Service: Microsoft Windows HDA Service - Unknown owner - C:\WINDOWS\System32\dllcache\svhda.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\owjyvxo.exe
O23 - Service: Microsoft Windows Spooler Services (Windows Spooler Services) - Unknown owner - C:\WINDOWS\wfbmgr.exe

Then boot to safe mode:

*How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

C:\Program Files\Deskbar
C:\Program Files\TheSearchAccelerator
C:\WINDOWS\System32\lssas.exe
C:\WINDOWS\System32\bootini.exe
C:\WINDOWS\System32\logon.exe
C:\WINDOWS\owjyvxoA.exe
C:\Program Files\Internet Optimizer
C:\Program Files\Kztyx
C:\WINDOWS\SG9tZQ\command.exe
C:\WINDOWS\System32\dllcache\svhda.exe
C:\Program Files\Network Monitor
C:\WINDOWS\owjyvxo.exe
C:\WINDOWS\wfbmgr.exe

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Boot back to Windows normally and post another HijackThis log please. Let me know if you can connect to the Internet after doing the above.


----------
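The HijackThis log posted earlier and the fix list in the reply above show how a helper reads such a log: the F2 system.ini values should name only Explorer.exe and the genuine userinit.exe, and a program appended there (bootini.exe in this thread) is then traced through the O4 Run keys and the O23 services HijackThis could not attribute to a vendor. The Python below is an editor's added example, not a TSG or HijackThis tool; its sample input is constructed from lines of the log above, and the "clean" Shell= and UserInit= values it compares against are the Windows 2000/XP defaults.

```python
import re

# Constructed excerpt of the HijackThis v1.99.1 log posted above; the lines are
# copied from that log and add no indicators that are not already on the page.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe bootini.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,bootini.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9tZQ\command.exe
"""

# Clean Windows 2000/XP values: Shell= is exactly Explorer.exe and UserInit= is the
# genuine userinit.exe alone (the trailing comma HijackThis prints is normal).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

def triage(log_text):
    """Return the logon-time persistence points a helper checks first in an HJT log."""
    findings = {"shell_extra": [], "userinit_extra": [],
                "run_loading_hijacker": [], "unknown_owner_services": []}
    o4_entries = []
    for line in log_text.splitlines():
        if m := F2_RE.match(line):
            key, value = m.groups()
            if key == "Shell":  # anything after Explorer.exe is a second shell run at logon
                findings["shell_extra"] += [t for t in value.split() if t.lower() != EXPECTED_SHELL]
            else:  # extra comma-separated entries run alongside userinit.exe
                findings["userinit_extra"] += [e for e in value.split(",") if e and e.lower() != EXPECTED_USERINIT]
        elif m := O4_RE.match(line):
            o4_entries.append(m.groups())
        elif m := O23_RE.match(line):
            name, owner, _path = m.groups()
            if owner == "Unknown owner":  # HJT could not attribute the service binary
                findings["unknown_owner_services"].append(name)
    # Run keys that reload the same binaries found in Shell=/UserInit=.
    hijackers = {h.lower() for h in findings["shell_extra"] + findings["userinit_extra"]}
    for hive, label, command in o4_entries:
        if any(h in command.lower() for h in hijackers):
            findings["run_loading_hijacker"].append(f"{hive} [{label}] {command}")
    return findings

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

Running it on the excerpt reports bootini.exe under both F2 keys, the two Run entries that reload it, and the one service with no identifiable owner; a clean log yields empty lists.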



## Cookiegal (Aug 27, 2003)

Also, do you recognize this entry? It doesn't look like you're running Sygate Firewall and it's not in the proper location to be related to that program.

*O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe*


----------

