I don't see anything else in your log, are you still having problems?
Ok, I did that, but how do I know if it worked?
I also DLed HJT b/c when I got a new computer 6 months ago it was lost.
Should I run it & send you the code?
I don't even remember how after all this time LOL
Thanks
Michelle
That would probably help; make sure you have the latest version of HijackThis (1.99.1).
Close any open browser windows, press the Scan and save log button, and then copy the contents of the log that comes up and paste it here.
Glad we could help. Be careful how you use your computer, especially your work computer! You don't need to be getting fired over something stupid like this.
Go to Start, Run, type regedit in the box, and hit Enter.
At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.
Navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{145E6FB1-1256-44ED-A336-8BBA43373BE6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11120607-1001-1111-1000-110199901123}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Connection Update and HomeP KB234087
HKEY_USERS\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System
Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and in the right pane, delete the value: "WindowsFY" = "C:\wp.exe"
Navigate to the subkey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler, and in the right pane, delete the value: "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks, and in the right pane, delete the value: "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}" = ""
Exit the Registry Editor.
Please read this thread:
http://www.daniweb.com/techtalkforums/thread27519.html
In order to view some of the files and folders mentioned here, you will need to set your system to show hidden files and folders. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Reboot into Safe Mode.
Do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any could not be deleted (most likely param32.dll), run Pocket Killbox, paste the full file path of the file in the box, and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Scan with hijackthis, and have it fix this entry:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
Empty your Recycle Bin and reboot normally.
Delete any unwanted icons from your desktop and empty your Recycle Bin.
Close any open browser windows, scan with HijackThis, and post a new log please.
PC seems fine now. HC did the trick - Is their virus software worth buying?
If you're looking for the best antivirus, I would recommend Nod32; I don't think it costs any more than the others. You can do a search here on DaniWeb, or on the net, for other opinions and comparisons.
By the way, I am looking at building a new PC. What motherboard would you recommend for around 100 to 150 euros? And should I go for AMD or Pentium? (I would like at least 2.5 gig)
There will probably be a lot of varying opinions on MBs and CPUs; you may find what you're looking for in the Hardware section (http://www.daniweb.com/techtalkforums/forum7.html). If not, post your own question there. If I were building a PC, I would probably get an ASUS MB and Pentium CPU, but that's just me.
Happy to hear your PC is working properly again :)
Please follow the instructions in this thread:
http://www.daniweb.com/techtalkforums/thread13362.html
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Boot into Safe Mode and do a search for lqfax12n.dll, and delete any instances found.
If any could not be deleted, run Pocket Killbox, paste the full file path in the box, and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\system32\lqfax12n.dll)
Empty your Recycle Bin, reboot normally, and search for the file again to make sure it's gone.
Then, right-click in an open area of your desktop, select New, Folder; give the new folder a name (something like HJT or HijackThis), and drag the hijackthis.exe icon that is on your desktop into the new folder.
Close any open browser windows, scan with HJT, and post a new log please.
Open NotePad (or WordPad), copy the contents of the 'Code' below, and paste it into NotePad:
rem Change to the System32 folder no matter which drive/folder the batch file is started from
cd /d %SystemRoot%\System32
rem Clear the system, read-only and hidden attributes so the file can be deleted
attrib -s -r -h MSplg7.dll
del MSplg7.dll
Go to File, Save As and type the filename as Remove.bat, save it to your Desktop, and then close NotePad.
Reboot into Safe Mode.
Scan with Hijackthis and have it fix the following entry:
O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll
Close any open windows and hit Fix checked.
Double-click on the file Remove.bat, and a DOS-type window should open and close quickly; this is normal. (If the window does not close by itself, you can close it after a few seconds.)
Go to C:\WINDOWS\SYSTEM32 and delete MSplg7.dll.
Do a search for MSplg7.dll and delete any instances found.
Empty your Recycle Bin and reboot normally.
Close any open browser windows, scan with HJT, and post a new log please.
Check this thread:
http://www.daniweb.com/techtalkforums/thread27924.html
Slightly different problem, but the same fixes should be tried. There is also a link to reinstalling IE.
Thanks so much!! But I still can't get rid of A0059569.exe.. It doesn't matter, right? What does this virus do? It will appear during the Ad-Aware scan. Only the exe file. Thanks a lot!!
Did you have A0059569.exe scanned at Jotti? What were the results?
Glad to hear it :D
Happy computing!
thank you so much =) no im not having any more problems! i really appreciate your help! thanks tons! :mrgreen:
Great! Glad to hear it :)
Happy computing!
Your log looks good to me, are you still having any problems? If so, can you give us the details please?
Thanks VERY, VERY much. Things seem clean now.
I haven't had any bad-looking behavior for the last 24 hours - since even before these last couple of fixes - so I THINK things are clean.
Eric
Great! Glad to hear it :)
Let us know if anything else comes up.
Log on to her account, scan with hijackthis, and post the log please.
I would also suggest removing Viewpoint Manager (using Add/Remove Programs), and then go to C:\Program Files and delete the Viewpoint folder.
Hope you don't mind if I cut in...
Why are you trying to remove this? It's the driver for your video card.
You now need to reinstall your video card drivers, either with the CD that came with your computer, the CD that came with the card (if you added it separately), or by downloading them from the manufacturer's (NVIDIA) website.
2. Followed HJT instructions
During FIX, MS AntiSpyware popped up saying CWS was trying to install. MS claims to have blocked and fixed. (Although I ran CW Shredder the other day and IT thought it had fixed everything, too).
Ran MS Scan - clean (but it was this a.m., too, before this)
3. On reboot, McAfee says it is broken and wants me to reinstall - I suspect that's because of one of the HJT removals... was that an error? (Not a big deal, but I probably should reinstall).
A question - I read somewhere that AWS is better behaved these days - is it OK to reinstall or is it still considered spyware?
Download, install, and update CWShredder 2.15 -- http://www.intermute.com/products/cwshredder.html. Run it, and press Fix (not scan). Close any open windows, other than CWS, before hitting the Fix button.
Nothing you fixed with HJT should have hurt McAfee, but it is possible one of the malicious files on your system corrupted it. McAfee may have a 'Repair' option, if it does, try that first. If not, then reinstall it.
I've also heard that the Weatherbug is not much of a pest anymore. Myself, I wouldn't trust it, but if you like it, and can put up with its ads (if it still does that), then go ahead and reinstall it.
Also, you may wish to consider disabling CTHELPER.EXE -- quote from sysinfo:
"CTHELPER is a background task that is …
Go to Add/Remove Programs in your Control Panel and remove WeatherBug (or AWS), if present.
Download LSPfix from http://www.computercops.biz/downloads-file-334.html. On the opening screen, click the I know what I'm doing checkbox. Then click Finish.
Scan with hijackthis and have it fix the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\topMoxie\TEMP\limeshop_script.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'connwsp1.dll' missing
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/201f2d97d5c479...etzip/RdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...iTunesSetup.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared...72/mcinsctl.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
…
Go to Add/Remove Programs in your Control Panel and remove (if present):
180SearchAssistant
Eecpj
Media Gateway
PartyPoker
Viewpoint (may be Viewpoint Manager, ViewMgr, or something similar)
WeatherBug (or AWS)
WildTangent
Scan with hijackthis and have it fix the following entries:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [Hevosxn] C:\Program Files\Eecpj\Qmzwulj.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c8.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JA...loadManager.ocx
Close any open windows, other than hijackthis, before hitting Fix checked.
Go to the following locations and delete the highlighted folders:
C:\program files\180searchassistant
C:\Program Files\AWS
C:\Program Files\Eecpj
C:\Program Files\Media Gateway
C:\Program Files\PartyPoker
C:\Program Files\Viewpoint
C:\Program Files\WildTangent
Empty your Recycle Bin and reboot.
Close any open browser …
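As an added example (not from this thread and not part of HijackThis), here is a small Python triage that applies the thread's own rules of thumb to HJT log lines: entries marked (no file) or (file missing), a missing default URLSearchHook, O16 downloads and paths into the program folders this post removes are marked safe to fix, while a non-default system.ini Shell or an O20 Winlogon Notify DLL is flagged for inspection. The sample log is constructed from entries quoted above; the rule set and the verdict names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99.1 log format, built from entries quoted
# in this thread; not a real log. Backslashes are doubled for Python.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.hotoffers.info/ad0278/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\\program files\\180searchassistant\\salmhook.dll
O4 - HKLM\\..\\Run: [Media Gateway] C:\\Program Files\\Media Gateway\\MediaGateway.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\\Program Files\\AWS\\WeatherBug\\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: f3dsl - C:\\WINDOWS\\SYSTEM32\\MSplg7.dll
"""

# Every HJT entry is "<section code> - <body>"; header lines do not match.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Program folders this thread tells the user to uninstall or delete (lower-case).
JUNK_FOLDERS = ("180searchassistant", "viewpoint", "media gateway",
                "wildtangent", "eecpj", "partypoker", "aws\\weatherbug")


@dataclass
class Finding:
    code: str
    verdict: str   # "fix", "inspect" or "review"
    reason: str
    line: str


def classify(code, body):
    """Apply the thread's rules of thumb to one entry; returns (verdict, reason)."""
    low = body.lower()
    if "(no file)" in low or "(file missing)" in low:
        return "fix", "dangling reference to a file that no longer exists"
    if code == "R3" and "default urlsearchhook is missing" in low:
        return "fix", "default URLSearchHook missing; HJT restores the Microsoft default"
    if code == "F2" and "shell=" in low:
        shell = re.split(r"(?i)shell=", body, maxsplit=1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "inspect", f"system.ini Shell is '{shell}', expected 'Explorer.exe' alone"
        return "review", "Shell line is the default"
    if code == "O20":
        return "inspect", "Winlogon Notify DLL loads at every logon; verify before fixing"
    if code == "O16":
        return "fix", "ActiveX download; a legitimate one is re-offered on the next visit"
    if code in ("O2", "O4", "O9") and any(j in low for j in JUNK_FOLDERS):
        return "fix", "points into a program folder this cleanup removes"
    return "review", "no rule matched; check the path and publisher manually"


def triage(log_text):
    """Parse an HJT log and return one Finding per entry line."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # header, blank lines, "Running processes:" block
        verdict, reason = classify(m["code"], m["body"])
        findings.append(Finding(m["code"], verdict, reason, raw.strip()))
    return findings


def summary(findings):
    """Count findings per verdict so the reader sees the overall picture first."""
    return {v: sum(1 for f in findings if f.verdict == v)
            for v in ("fix", "inspect", "review")}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:7} {f.code:3} {f.reason}")
    print(summary(results))
```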
I don't see anything else, are you still having problems? If so, please give us specific details :)
Your log looks okay to me, are you still having problems?
Hi Helpmerhonda, welcome to DaniWeb :D
I've merged your threads so anyone looking at this will have all the relevant information available. For future reference, instead of starting a new thread, simply making a new post in the existing one will bring the thread back to the top of the forum where it will have a better chance of getting spotted.
Get Ewido from here:
http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1
Boot into Safe Mode, scan with Ewido, allowing it to clean whatever it finds.
Reboot normally, close any open browser windows, scan with hijackthis, and post a new log please.
Hi shmay, welcome to DaniWeb :D
Please follow the suggestions in the following threads:
http://www.daniweb.com/techtalkforums/thread27519.html
http://www.daniweb.com/techtalkforums/thread27570.html
Include Ewido in that list of suggestions, and scan with it in Safe Mode.
Empty your Recycle Bin and reboot normally.
Close any open browser windows, scan with HJT, and post a new log please.
You will need to disconnect from the internet so you may wish to print these instructions.
Go to Add/Remove Programs in your Control Panel and remove WildTangent (or WT), if present.
Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.
Download, install, update, and run these tools:
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html
Disconnect from the net and reboot into Safe Mode.
Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.
Then run a full system scan with Ewido (note: you will be posting the log from this scan in your next reply).
Still in Safe Mode, scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
…
Getting better, just look at all the stuff Ewido cleaned for you :)
You should follow the instructions here (again):
http://www.daniweb.com/techtalkforums/thread27570.html
Update your antivirus program and allow it to fix whatever it finds.
Scan with HJT and have it fix the following entries:
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [xbnsrhy] c:\windows\system32\avaxrc.exe r
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Remember to close any open window before hitting Fix checked.
Go to the following locations and delete the highlighted files:
C:\WINDOWS\wupdt.exe
C:\windows\system32\avaxrc.exe
Do a search for the following files and delete any instances found:
Systb.dll
Winobject.dll
Winserv.exe
Wupdt.exe
If any of files cannot be deleted in normal mode, try Safe Mode.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Empty your Recycle Bin and reboot.
Close any open browser windows, scan with HJT, and post a new log please.
Please follow the recommendations in these threads to help protect and start the cleanup process of your system:
http://www.daniweb.com/techtalkforums/thread27519.html
http://www.daniweb.com/techtalkforums/thread27570.html
Then close any open browser windows, scan with hijackthis, post a new log, and wait for instructions on removing anything else remaining.
When you post your new HJT log, please paste the entire log. Your last one was missing the header info (Operating System, date scanned, etc.).
The recommendations here should resolve the problem with System Volume Information:
http://www.daniweb.com/techtalkforums/thread13362.html
You should have A0059569.exe scanned here:
Yes, you should go ahead and delete it; I doubt if there is anything in that .dll that your system will want :)
Glad to hear it; thanks for letting us know.
You will need to disconnect from the internet so you may wish to print these instructions.
Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install and update it, and then close the program (don't scan yet).
Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.
Remove Newdotnet either from Add/Remove Programs, or by following the instructions here:
http://www.newdotnet.com/removal.html
Also in Add/Remove Programs, remove quickbar, if present.
Download, install, update, and run these tools:
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html
Disconnect from the net and reboot into Safe Mode.
Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.
Then run a full system scan with Ewido (note: you will be posting the log from this scan in your next reply).
Still in Safe Mode, scan with hijackthis and have it fix the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://approvedlinks.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Quick! - {4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C} - C:\PROGRA~1\quickbar\quickbar.dll
O3 - Toolbar: …
I'll let DMR finish this up; I just have a couple of things to throw in here...
There's some info on protecting your computer in this thread:
http://www.daniweb.com/techtalkforums/thread27519.html
And see if this will help with that file you're trying to get rid of:
Download, install, and update CWShredder 2.15 --http://www.intermute.com/products/cwshredder.html. Run it, and press Fix (not scan). Close any open windows, other then CWS, before hitting the Fix button.
First you should have the file scanned here:
If it comes up clean, you can try to get some info on it by going to the file and right-clicking on it. Then go to Properties and get whatever info you can (Company, Version, etc.). After that, right-click on it again and choose Open With...; you may get a warning message, and if you do, click on the Open With... button. Choose Notepad (or Wordpad) to open it with. Most likely you will just see a bunch of gibberish characters, but keep looking through it -- sometimes some tell-tale information is provided.
Let us know what you find out :)
Hi Jessykah, welcome to DaniWeb :D
Yes, it's okay to 'bump' but please wait a bit longer before doing so. I realize you're anxious to get your computer fixed, but there are only a few of us here trying to resolve dozens of users' problems, and we can't be here all the time. I'd say that if you don't get a response within 24 hrs to go ahead and give it a bump to make sure it isn't being overlooked.
Please follow the recommendations in these threads to help protect and start the cleanup process of your system:
http://www.daniweb.com/techtalkforums/thread27519.html
http://www.daniweb.com/techtalkforums/thread27570.html
Then close any open browser windows, scan with hijackthis, post a new log, and wait for instructions on removing the Aurora infection and anything else remaining.
Go to each of these highlighted files and right-click on it; go to properties and give us whatever info you can on them (Company, version, etc.) in your next post:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
Go to Start, Run, type regedit in the box, and hit Enter.
At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.
Then click on Edit, Find; in the box, type or paste SideFind, and then click on Find Next
Right-click on any entries found and click on Delete.
Continue using the Find Next option until you get the Finished searching through registry message.
Close the Registry Editor.
Speaking of which- I know that definitely meant that I was up too late, but does it also mean that you got up at some unholy early hour just to sneak in a few posts here before work? :cheesy:
No, I did it during my lunch break while at work; that's why they were so short -- I saw how far behind we were and wanted to get as many answered as I could.
Before posting a new log, please follow the suggestions in these threads:
Check here first to see if it offers any assistance:
http://forum.grisoft.cz/freeforum/read.php?4,23563,23585
Then follow the recommendations here to help prevent future infections:
http://www.daniweb.com/techtalkforums/thread27519.html
After that, follow the instructions here (this will clean up some of your problems, but not all):
http://www.daniweb.com/techtalkforums/thread27570.html
Close any open browser windows, scan with HJT, and post a new log please.
I can't help with this, just giving it a 'bump' so DMR doesn't overlook it :)
(I know how much he needs more to do)
Dave, I deleted my post because yours had more info included, mine was just links to similar info. :)
I saw your name reviewing this thread just as I hit the Post button.
Follow the suggestions in these threads:
http://www.daniweb.com/techtalkforums/thread27519.html
http://www.daniweb.com/techtalkforums/thread27570.html
Then, right-click in an open area of your desktop, select New, Folder; give the new folder a name (something like HJT or HijackThis), and drag the hijackthis.exe icon that is on your desktop into the new folder.
Close any open browser windows, scan with HJT, and post a new log please.
Norton does create some of the weirdest problems I've ever seen.
That's one of the reasons I suggested replacing it :)
Glad you got it figured out!
You should first follow the recommendations in this thread on the problem computer to help prevent further occurrences:
http://www.daniweb.com/techtalkforums/thread27519.html
Try uninstalling Norton, and then reinstalling it (or consider replacing it :) )
Note: Hijackthis should be in its own folder, like G:\programs\Hijackthis\HijackThis.exe (instead of G:\programs\HijackThis.exe)
Spybot and Adaware come up clean, but I downloaded and ran "Adware Spy" today and it presented me with over 400 registry items, mainly in Local Machine, IE, ActiveX Compatibility, that read like a who's who of every malware signature ever invented. Couldn't use it to fix the issues though, as you have to buy before they do that.. And I was a little suspicious that such a huge number had bypassed the other adware checkers.. Not sure if it's just a sales gimmick?
It is most likely a gimmick; Adware Spy is identified as 'Rogue/suspect antispyware' here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Where you can find this statement regarding Adware Spy (and other products in this 'family'):
"... the dubious distinction of generating the most false positives on a "spyware free" system -- flagging hundreds of items as "spyware," including completely legitimate programs like Nero, Adobe Acrobat, and AdShield, among others."
You might want to give these a try:
CounterSpy (http://www.download.com/3000-8022_4-10337358.html)
Ewido Security Suite (http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1)
And if that doesn't clean it up, download and run Silent Runners.vbs -- http://www.silentrunners.org/.
Post the information from the log it generates in this thread.
Yes, I did a system restore 3 weeks ago as soon as this thing appeared again. The system restore was successful but it made no difference. Do you think that repair would fix it? & if so, why do you think folk do a full format when there is a repair option on the Windows disk that comes with PCs?
Other than that, have you any more ideas?
I don't know if the repair will correct your problem because I don't know what the problem is.
Many people, I believe, do a full format because they don't know the Repair option exists, or they don't know how to use it. Also, as far as I know, the Repair will not remove any malware, it will only fix and replace corrupted and missing Windows files.
I do have one other suggestion, but since I don't know a lot about it, I can only get you started, and then turn this over to one of our other members who is more familiar with it.
Please do the following:
Open the Event Viewer utility in your Administrative Tools control panel.
In the Event Viewer, look through the System and Application logs for entries flagged as Warning or Error; double-clicking on any of those entries will open a "details" window with more information about the error/warning. If you find any entries that seem to relate to program hangs/crashes or anything else related to the problems you're having, post the full …
Glad you posted that other hijackthis log, the first one scared me!
Go to Add/Remove Programs in your Control Panel and remove (if present):
Viewpoint (may be called Viewpoint Manager, ViewMgr or something similar)
Scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Close any open windows and hit Fix checked.
Go to C:\Program Files and delete the Viewpoint folder.
For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5
Delete the entire contents of your C:\Windows\Temp folder.
Delete the entire contents of your C:\Temp folder (if you have one).
Do a search for *.tmp and delete all entries found.
Open Firefox, go to Tools, Options, and click on Privacy (padlock icon on the left); click on the Clear All button.
Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, …
Just wondering, there is a 'repair' option on the Windows disk. Don't know if I choose that after putting it in the drawer or if you go through BIOS & boot up with the Windows disk, but could that solve it? & would we lose all our files & settings using this option?
What you are referring to is an in-place upgrade (aka repair installation); instructions can be found here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;315341&Product=winxp
You shouldn't lose any files or settings but, as always, it's best to have everything backed up just in case. It's possible that could resolve your problem without having to reinstall Windows.
However, before you try that, have you tried using System Restore to return your system to a point prior to when you started having this problem? If you do this, you may need to remove the things we just cleaned off again because they could be a part of your restoration.
Hi Rhonda, welcome to DaniWeb :D
You will need to disconnect from the internet so you may wish to print these instructions.
Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install and update it, and then close the program (don't scan yet).
Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.
Disconnect from the net and reboot into Safe Mode.
Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.
Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).
Still in Safe Mode, scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50249
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50249
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50249
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - …
Thanks DMR, a lot of good info there :)
But unless yikyang mistyped, he doesn't have msdirectx.sys, he has msdiretx.sys; do you know if it's related or if the MS fix will work for it?
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Boot into Safe Mode and do a search for jiorzm.exe and delete any instances found.
If any could not be deleted, run Pocket Killbox, paste the full file path in the box, and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\windows\system32\jiorzm.exe or C:\windows\prefetch\jiorzm.exe)
Reboot (normally), empty your Recycle Bin and search for the file again to make sure it's gone.
O16 entries are safe to be fixed with hijackthis; they will be removed, but any legit ones will be restored the next time you visit the site. It's just easier (and cleans up the log more) if they are all fixed rather than researching each one to separate the good from the bad.
The easiest way to find out about the O17 entry is to contact your ISP and ask if that IP address is theirs.
Post a new log after the Norton scan and fixing the noted HJT entries :)