Hi. I'm going to assume that you have not run any tools yet; we'll fix a few things but then I will want you to post a new log - that one is missing its head...
First off, go into control panel, add/remove pgms, and uninstall Ipwins.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it. First off, make a quick check on your hosts file : go Tools, click Hosts File - in the notepad that opens the default is a hashed example followed by a valid hosts redirection line, 127.0.0.1 localhost
If there are no other such lines in the file then skip the Hoster instruction block below.
=Please download Hoster: http://www.funkytoad.com/download/hoster.zip and Extract it to your Desktop.
=Click the Restore MS Hosts Button and then click OK and exit Hoster.
Close killbox for the mo.
Next, start hijackthis, do a Scan Only and place checkmarks against these entries that still exist, and press Fix Checked.
O4 - HKLM\..\Run: [fnbsxaaa] C:\WINDOWS\System32\fnbsxaaa.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385475FD01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [fnbsxaaa] C:\WINDOWS\System32\fnbsxaaa.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O16 - DPF: {CFD7D0F6-CCAF-4FFA-9D7F-CE9B65F562EC} (AppCaller Control) - http://www.bombndash.com/common/AppCaller.ocx
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
Back into killbox - select "Delete on reboot", click the "all files" button.
>Copy the pathname in the following line into the textbox:-
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-
C:\WINDOWS\System32\fnbsxaaa.exe
C:\WINDOWS\System32\svehost.exe
C:\WINDOWS\System32\clcl3.exe
C:\WINDOWS\updater.exe
C:\WINDOWS\System32\xpkngpis.dll
In killbox, go File menu, choose Paste from clipboard. Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
Fine. Now, if the header of your hijackthis log does NOT contain this line: Logfile of HijackThis v1.99.1 - I want you to do this: download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it in place of your other Hijackthis.exe.
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-Click the Scan and Save a Logfile button. Post the log here.
gerbil
Industrious Poster
4,206 posts since May 2005
Reputation Points: 239
Solved Threads: 300
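The file list pasted into KillBox in the post above corresponds to the O4 autorun entries being fixed. As an added example (not part of the thread and not code from HijackThis or KillBox), this sketch derives such a list from O4 lines and checks for the log header the helper asks about; the function names are hypothetical and the runner1 argument is a shortened, constructed placeholder.

```python
import re

# O4 lines as they appear in the post; the header line is the one the helper
# asks for, and the runner1 argument is a shortened, constructed placeholder.
SAMPLE_LOG = r'''Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [fnbsxaaa] C:\WINDOWS\System32\fnbsxaaa.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 0123ABCD
O4 - HKCU\..\Run: [fnbsxaaa] C:\WINDOWS\System32\fnbsxaaa.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
'''

HEADER_RE = re.compile(r'^Logfile of HijackThis v(\S+)', re.M)
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$', re.M)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?,', re.I)
PROGRAM_RE = re.compile(r'^"?(.+?\.(?:exe|com|bat|scr|pif))"?(?:\s|$)', re.I)

def hijackthis_version(log):
    """Return the version from the log header, or None if the head is missing."""
    m = HEADER_RE.search(log)
    return m.group(1) if m else None

def parse_o4(log):
    """Return (hive, key, value_name, command) for every O4 autorun line."""
    return [m.groups() for m in O4_RE.finditer(log)]

def target_file(command):
    """File on disk that the autorun command actually loads."""
    m = RUNDLL_RE.match(command)      # rundll32 is only the host; the DLL is the target
    if m:
        return m.group(1)
    m = PROGRAM_RE.match(command)     # drop trailing arguments, keep spaces in the path
    return m.group(1) if m else None

def files_to_review(log):
    """Unique target files in first-seen order (HKLM/HKCU duplicates collapse)."""
    seen, out = set(), []
    for _hive, _key, _name, command in parse_o4(log):
        path = target_file(command)
        if path and path.lower() not in seen:
            seen.add(path.lower())
            out.append(path)
    return out

if __name__ == "__main__":
    print("HijackThis version:", hijackthis_version(SAMPLE_LOG))
    for path in files_to_review(SAMPLE_LOG):
        print(path)
```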
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm
I think this one which has persisted after that fix we tried is a vundo beast. Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it, and click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will shutdown your computer - click OK.
Restart your computer and post the contents of C:\vundofix.txt
Rename Hijackthis.exe to bunny.exe and post a new HijackThis log. [dclick bunny.exe to start it...]
gerbil
Meant to add, but forgot: you REALLY SHOULD update your windows to SP2 via the windows update service. It is for your security.... if you have trouble with download speeds then I think M$ will send you a cd for a couple of $....
gerbil
===Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {4959A7E4-149E-4BB2-8DF9-4C44CC39BB51} - C:\WINDOWS\System32\geefe.dll (file missing)
O2 - BHO: Image Helper - {64D712D1-84D9-281C-CE7D-32439D631863} - C:\WINDOWS\system\bpmtcs32.dll
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm
-Now press Config button, Misc Tools tab and then Delete a File on Reboot; in the window which opens paste into the text box the following pathname, press Open and then Yes...
C:\WINDOWS\System32\xpkngpis.dll
===Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
===Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.
gerbil
That soundservice one is playing tough. Okay, we'll direct Vundofix right to it.
Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these two pathnames [one per line]:
C:\WINDOWS\System32\xpkngpis.dll
C:\WINDOWS\System32\sipgnkpx.*
Click the Add Files button, and next the Remove Vundo button.*****
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Check the vundofix log to see if it detected and removed C:\WINDOWS\System32\xpkngpis.dll.
If it did not then:
- in a windows explorer folder > tools>folder options>view, and press Show hidden files and folders
- restart your pc in Safe mode:
[ if you would prefer to use a script to do this next task automatically use the instructions below the line..]
- start regedit, navigate to this key :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- delete the entry in the right pane:
SoundService= "rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm"
- Now inside windows explorer navigate to and delete this file: C:\WINDOWS\System32\xpkngpis.dll.
Go back into normal mode, post the contents of C:\vundofix.txt plus a new HijackThis log run in normal mode.
_______________________________________________________
..save this text below as SSRem.reg in a scratch folder, dclick it and agree to merge it with registry; else if it then just opens in notepad then rclick the filename, select Open with, and Registry editor.
_________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundService"= -
gerbil
I would like to see that vundofix log, please. No matter that you doubled the pasting, but keep in mind that deletion of text is always an option.. :)
Explanation of the SSRem.reg file: This was an "automatic" way for you to remove a registry value, and meant merely to save you entering the registry and doing it manually as I had listed above in that post.
More clearly:
..save the text between the lines as SSRem.reg to a scratch folder [copy the text to a notepad and Save as SSRem.reg - select Save as type "All files"] , dclick it and agree to merge it with registry; else if it then just opens in notepad then rclick the filename, select Open with, and Registry editor.
_________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundService"= -
_________________________________
SSRem.reg is just a name I made up that had some meaning, for SoundService Removal. The .reg extension is recognised as a registry editor file type, meaning that execution will merge that instruction in the text with the registry. Any name will do as long as the extension is .reg - e.g. sosweet.reg
gerbil
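Because merging a .reg file applies whatever it contains, it helps to see the requested changes before double-clicking it. The following is an added example, not part of the thread and not regedit's own parser: a small previewer (hypothetical function names) that lists each change a .reg file asks for, run here on the SSRem.reg text from the post.

```python
import re

# SSRem.reg exactly as written in the post above.
SSREM = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundService"= -
'''

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
# "name" or @ (default value), then '=', then the data; this parser accepts
# spaces around '=' because the post writes the line that way.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def preview_reg(text):
    """List (action, key, value_name) for each change a .reg file requests."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text.lstrip('\ufeff'))  # join hex continuations
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(';')]   # drop blanks, comments
    if not lines or lines[0] not in HEADERS:
        raise ValueError('missing .reg header line')
    ops, key = [], None
    for line in lines[1:]:
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            if key.startswith('-'):                  # [-KEY] removes a whole key
                ops.append(('delete-key', key[1:], None))
                key = None
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError('unrecognised line: ' + line)
        # value names are reported as written in the file (escapes left as-is)
        name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
        action = 'delete-value' if m.group(2) == '-' else 'set-value'
        ops.append((action, key, name))
    return ops

def only_deletes_value(text, key, name):
    """True when the file's single effect is deleting one named value."""
    return preview_reg(text) == [('delete-value', key, name)]

if __name__ == "__main__":
    for op in preview_reg(SSREM):
        print(op)
```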