DMR 152 Wombat At Large Team Colleague

Make sure that Internet Explorer is not running, run HJT again, and have it fix:

O4 - HKLM\..\Run: [windows] iexplore.exe
O4 - HKLM\..\RunServices: [windows] iexplore.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Although your log currently shows no signs of malicious infections, if the IE "Run" entries in HijackThis automagically reappear at some point, I'd start suspecting foul play.

DMR 152 Wombat At Large Team Colleague

Hi jayboy,

The following two entries in your log are responsible for IE starting automatically when Windows starts:

O4 - HKLM\..\Run: [windows] iexplore.exe
O4 - HKLM\..\RunServices: [windows] iexplore.exe

There are also a couple of other things in the log which should be cleaned up, but first:

Your log indicates that you are using an outdated version (1.98.2) of HijackThis. Please download the latest version (1.99.1) using the link in my sig below, install and run the new version, and post the log it generates.

DMR 152 Wombat At Large Team Colleague

Tried the safe mode you said but just got list of drivers etc.

It's normal to see that list of drivers when you're booting into Safe Mode. On some systems however, this phase of the safe mode boot process can take a very long time, causing you to think that the system has frozen. Try it again, but this time just let the system sit and think about things for a longer period of time. Also- watch the hard drive's activity light on the front of the machine and listen for the grumbling sounds of hard drive activity; if you can see or hear even occasional indications of activity, the system may not really be hanging.

DMR 152 Wombat At Large Team Colleague

Found a disk that gives me a virus checker, antispam etc. and installed it.

What exact product was that? Were you able to run any of the checks, or did the system start freezing before you could even do that?

See if the system will run if you boot Windows in Safe Mode. (you get to the safe mode boot option by hitting the F8 key as your computer is starting up). When Windows boots into Safe Mode, it loads only a bare minimum of drivers, processes/programs, etc., but that will at least get you to a place where we can do some initial looking around and troubleshooting.

DMR 152 Wombat At Large Team Colleague

Try this:

- Download and unzip The Pocket Killbox: http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41

- Open the program, click on the folder button to the right of the "Full Path of File to Delete" box, and browse to the msohev.dll file. Highlight the file and then click OK.

- Select "delete on reboot" and put a check in the "unregister dll before deleting" box.

- Click the red button with the "X" in it and then choose Yes in the next two dialog boxes that pop up to reboot and complete the deletion process.

If the killbox is able to do its job, msohev.dll should be gone after the reboot.

DMR 152 Wombat At Large Team Colleague

I hope the Easter Bunny was extra specially nice to you.

Lol.
Unfortunately, the Easter Bunny was extra specially mean to me this Sunday- he had me fixing a client's "blowed up" computer for half the day.
Damn lop-eared, cotton-tailed #$^%&#$@! :mrgreen:


Seriously though- your log is squeaky clean now; glad we could help you get things cleaned up. :)

DMR 152 Wombat At Large Team Colleague

You have morphing/changing "O20 - Winlogon Notify:" entries in your log, which indicate an infection that HJT alone isn't going to be able to fix.

Please do the following:

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

DMR 152 Wombat At Large Team Colleague

You may have some corruption in one of the Automatic Update components or folders. In the second post in the following link there's a list of instructions which might help clear things up:

http://www2.allusenet.org/pages/45426.html

DMR 152 Wombat At Large Team Colleague

Your latest log does look much better, but there are still a couple of things that need to go:

1. O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe

You need to uninstall Security iGuard; it has a dubious reputation at best. Scroll down to the Security iGuard entry under the "Rogue/Suspect Anti-Spyware Products" category at the following page for more information:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

If Security iGuard is listed in your Add/Remove Programs control panel, uninstall from there.


2. Have HJT fix:

O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{FEC9BE58-0FA5-4B00-BE5E-EC7D052E91B6}\SVCHOST.EXE
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\k8440ihqe84e0.dll (file missing)
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\f22mlcf11f2.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\pKutoenr.dll (file missing)


3. Delete the following folder entirely:

C:\WINDOWS\system32\Services\{FEC9BE58-0FA5-4B00-BE5E-EC7D052E91B6}


4. Empty your Recycle Bin and reboot.


Post a new log after doing the above.

DMR 152 Wombat At Large Team Colleague

Are you sure that you posted the full contents of the HJT log?

On an XP system there should be more entries after the "O15 - Trusted Zone:" lines; I'd expect at least some entries beginning with "O16" and "O23".

DMR 152 Wombat At Large Team Colleague

Your HijackThis log is incomplete; you are also running the program from within a Temp folder, which is not advised. Please follow the directions below:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.

-------------------------------------------------------------------------------------------------------------------

Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.

-------------------------------------------------------------------------------------------------------------------

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. Once we analyse the log we can tell you what to do from there.

-------------------------------------------------------------------------------------------------------------------

DMR 152 Wombat At Large Team Colleague

Two things you can try:

1. See if you can delete the file when booted into Safe Mode. You get to the safe mode boot option by hitting the F8 key as your computer is starting up.

2. You may need to unregister the dll before you can delete it:

- Open a DOS box by typing "cmd" (omit the quotes) in the "Run.." option under your Start button menu.

- At the command prompt in the DOS window, type the following command (replace the example path to the msohev.dll file below with the full, correct path to the file's location on your particular system):

regsvr32 /u C:\Program Files\Microsoft Office\Office10\msohev.dll

Close the DOS window after the command completes and see if you can then delete the file (you might have to reboot before you try the deletion).

DMR 152 Wombat At Large Team Colleague

Glad you finally got it sorted. :)

Isn't it a wonderful thing to spend days troubleshooting your network only to find that it was the ISP's fault? I love it when they muck about and make changes without notifying their customers... Grrr!!

DMR 152 Wombat At Large Team Colleague

I have to log off for the night now, but please do check with your ISP in the meantime and see if that yields anything useful.

I do have more questions, but as I said- I really do have to call it quits for the night; I'll be back online at some point tomorrow.

DMR 152 Wombat At Large Team Colleague

As the problem has affected all of your LAN machines at the same time, I would first have a good look at the common elements upstream- the ICS machine, any hardware firewall/router, etc.

Does the ICS machine itself also exhibit the same problems?

DMR 152 Wombat At Large Team Colleague

should I run hijackthis on a client computer or the main one? Will it make any difference?

HijackThis can only interrogate and fix the computer that it is running on (and in the case of multi-boot systems, it only works within the currently-booted environment). Given that, and the fact that you said the problem was network-wide, I'd run HJT on the ICS computer first.

Give us more history on the problem, though:

- When did it start?

- Had you made any software adds/removes/changes at around that time?

- Did all of the machines start exhibiting the problem at the same time, or was it something that seemed to propagate through the network over a period of time?

- What are the steps you've taken so far to try to rectify the problem?


There are a few things that can cause problems with secure sites; not all of them are related to malicious programs, and not all of them will be indicated in a HijackThis log. The threads in the following link have many suggestions and possible fixes for secure-site related problems. Give the suggestions a try and let us know the results:

http://www.daniweb.com/techtalkforums/search.php?searchid=333240

DMR 152 Wombat At Large Team Colleague

Glad we could help you get it sorted out! :)

... But please be careful with that "I love you" stuff- my girlfriend uses this forum sometimes too :o :mrgreen:

DMR 152 Wombat At Large Team Colleague

Why can't I just uninstall and reinstall this dang thing?

That was my first suggestion; try that first if you haven't already. It's just that in a number of reports I read on the issue, even reinstalling didn't correct the glitch.

DMR 152 Wombat At Large Team Colleague

That should do it- thanks. :)

The x10net.dll is a component of the ATI Wonder video card software; it provides functionality for the remote.

- Have you recently added or upgraded that software (or made any other system changes) just prior to receiving the error message? Give us a little more detail on the history of the problem.

Here are a couple of things you can start with:

1. Completely uninstall the ATI software (and possibly the hardware as well) and then reinstall it from scratch.

2. There are many reports of a bug in the software which will produce the exact error you are seeing. The fix involves editing the Windows Registry, though; you need to be very careful if you attempt it, and making a backup of the Registry before doing so is definitely advised. Explanations of the problem and instructions for the fix(es) can be found in the following links:

http://forums.tweaktown.com/showthread.php?p=222255#post222255
http://www.driverheaven.net/archive/index.php/t-16097.html

And the official word from ATI is as follows:

Regarding Remote Wonder issue:

There are two potential issues that may occur after installing the Remote Wonder drivers. These errors can occur with any version of the driver and affect the x10net.dll file. Both errors appear as Windows loads and occur for different reasons. They appear as follows:

1. 'RUNDLL' error loading c:\progra~1\ATI... The specified module could not be found.

2. Run DLL as an app has encountered a problem and must close.

"AppName: …

DMR 152 Wombat At Large Team Colleague

That error is generated by the rundll32.exe system file, which is responsible for managing numerous other components. To give us a better idea of which exact program/module rundll32 is having trouble with, please click on the "More info" button in the error message dialog box and post the full and exact text of what you see there.

Alternately, you can look at your system and application logs to see if they contain additional information on the error. To view the logs, open the Event Viewer utility in your Administrative Tools control panel.

DMR 152 Wombat At Large Team Colleague

don't know the difference between the CD-R and CD+R.

All of those "dashes", "pluses", "R"s, and "W"s can get a bit confusing, can't they? :mrgreen:

"+R" and "+RW" are DVD formats only; the recordable (data) CD formats are "-R" and "-RW".

CD-R (CD-Recordable) disks/drives can record data, but only once; you cannot later erase/overwrite the data you've already written to disk.

CD-RW (CD-ReWritable) disks/drives can also record data; the difference being that, like a floppy, you can later erase that data and reuse the disk (many times, even).

DMR 152 Wombat At Large Team Colleague

The USB "flash" drives are definitely handy, and given that they're also relatively inexpensive, you should probably go for the largest capacity that you can afford.

However- keep in mind that if the data you need to back up is important enough to you, you should also archive a redundant backup of the data onto a more permanent/longer-lasting type of media such as a CD. Blank CDs are cheap, so they're a good middle-ground between other storage media like floppies (really cheap, but less than 2M capacity and a very limited reliable "shelf-life") and DVDs (not cheap, but around 4G capacity and a long "shelf-life").

DMR 152 Wombat At Large Team Colleague

Dare I try to defrag in the same way?

Yes, Defrag can suffer from the same problems as ScanDisk in terms of being interrupted by other running programs. When you run Safe Mode, Windows does not load/start most (if not all) of the third-party programs which can interfere with ScanDisk and Defrag.

DMR 152 Wombat At Large Team Colleague

Have we given up?

No- we definitely haven't; please just hang in there Den.

Those of us who volunteer here do so in/from different time-zones, and also have "real-life" circumstances which can keep us from being as "present" here as we would like to be (the flu and other such fun ailments being the case at the moment for at least a few of us).

As dlh6213 asked you to run remv3.zip, please wait for his response; I'm sure he'll get back to you as soon as he can.

Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

I have a question, why do you have a keylogger?

Um... you might just want to leave that one alone, Danny. ;)

DMR 152 Wombat At Large Team Colleague

While I doubt this has anything to do with your toolbar settings problem, the following HijackThis entry indicates that you're infected with a keylogger trojan:

O4 - HKCU\..\Run: [BPK] C:\PROGRAM FILES\PERFECT KEYLOGGER LITE\BPK.EXE


This is not a Good Thing. :mad:
More information on the trojan (including removal instructions) can be found here:

http://securityresponse.symantec.com/avcenter/venc/data/spyware.perfect.b.html

DMR 152 Wombat At Large Team Colleague

The file may have become corrupted; viruses or other "nasties" can do this.

Tell us which version of Windows you're running and we'll tell you how to replace shell.dll with a fresh copy from your installation CD.

DMR 152 Wombat At Large Team Colleague

Corrupted items such as cookies or cached Internet files can often cause browsing problems similar to yours. If you haven't already:

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5
5. Application Data\Mozilla\Firefox\Profiles\profilename\Cache
6. Also delete the Application Data\Mozilla\Firefox\Profiles\profilename\cookies.txt file

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.


- Empty your Recycle Bin.

- Reboot normally.

DMR 152 Wombat At Large Team Colleague

1. In IE or FF, can you reach web sites by their IP (as opposed to their URL)?

In the location/address bar of IE and FF, type the following to see if you can reach (respectively) Yahoo, Google, and this site:

http://66.94.230.34
http://216.239.57.147
http://69.93.117.133

2. Did the original occurrence of the problem coincide in any way with your installing the Ares package?

3. Although this doesn't sound like it applies to your particular problem, do keep in mind that different network/Internet programs use different network communication ports and protocols. In other words, just because an instant messaging program works doesn't necessarily have much to do with a web browsing problem; the two types of programs may be using entirely different "channels of communication".

DMR 152 Wombat At Large Team Colleague

That entry does not come up as a nasty in spywareblaster.

It probably is legit; I just didn't have the time to verify it when I posted. My suggestion to delete it was more of a "better safe than sorry" determination, given the fact that if it was legit, it would just be reinstalled the next time it was needed.

:)

DMR 152 Wombat At Large Team Colleague

Oh, OK. As long as you know where it comes from and why, don't sweat it.

Some general FYI on DPFs: DPFs (Downloaded Program Files) are Active X objects that get downloaded (to your C:\%WINDIR%\Downloaded Program Files folder) when you visit sites that utilize such objects. It's usually OK to have HJT fix DPF entries, as the controls will just be downloaded again the next time you interact with a site which needs/uses them. Most DPFs are legit though, so if you know what they are or know which site installed them, it's safe to leave them installed.

Your log looks clean now. Are you still experiencing any problems, or do the "nasties" seem to be gone?

DMR 152 Wombat At Large Team Colleague

OK - the wowikk file seems to have been deleted in the course of this, which is a Good Thing.

However, you still have the following entry in your log, and I agree with HawkeVIPER that it needs to go:

O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll

Have HJT fix that entry. After doing so, run HJT again and post a fresh log.

DMR 152 Wombat At Large Team Colleague

I am beginning to think the above website is a scam to try and get you to buy their product. I have gone to it on another computer and it said the same thing. Plus I have never not run antivirus software. Let me know what you think.

I think you are correct.

Why?:

A) Variants of the kuang infection have been around for years; any currently-updated anti virus program should be able to at least detect them, if not clean them entirely.

B) After having a look around the webzcan site, I agree with your assessment that they are just trying to entice people to buy their product. For one thing, the exact page that you linked to on that site is just a static web page. In other words, anyone who went to that page would receive the same "warning" message as you; the site has performed no scan of your system whatsoever which resulted in that warning. Trust me- the machines on my network are behind about 8 layers of hardware and software protection, are totally infection-free, and I still got the same "warning" as you.

If the online scans from Panda and TrendMicro, and scans with your McAfee A-V program find no "nasties", your system is most likely "clean".

DMR 152 Wombat At Large Team Colleague

That's OK- it's almost 4 AM in my end of the world; the only thing I should be :o about is the fact that I'm still awake battling HJT logs at this hour :cheesy:

Thanks for the reminder though- the logs are all yours now; I'm logging off and heading for the warm, comfy pillow...

DMR 152 Wombat At Large Team Colleague

An addition to DMR's instructions. Can you first run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload wowikk.exe

;) :o

(In other words- thanks Chris...)

DMR 152 Wombat At Large Team Colleague

Well, the mystery "wowikk.exe" file is still there :(

Try this:

1. Open HijackThis and click the "Open the misc. tools section" button.

2. Click on the "Delete a file on reboot..." button.

3. In the resulting "Enter a file to delete on reboot" window, navigate to C:\WINDOWS\system32\wowikk.exe and select it as the file to be deleted. If you still can't find the file, try manually entering "C:\WINDOWS\system32\wowikk.exe" (omit the quotes) in the "File name:" box.

4. Leave HijackThis open and reboot the system.

DMR 152 Wombat At Large Team Colleague

Very cool; glad we could help :)

DMR 152 Wombat At Large Team Colleague

Here's the official blurb from Microsoft on that error:

http://support.microsoft.com/?kbid=269075

And some of the links in this Google search have more information on possible causes and fixes:

http://www.google.com/search?hl=en&q=SYSTEMced&btnG=Google+Search

DMR 152 Wombat At Large Team Colleague

OK- let us know if Ad Aware is able to detect/remove the nasty.

Also, in terms of this:

I couldn't locate the file. I don't think it is there anymore.

Did you have Windows Explorer's view options set to show hidden files/folders when you searched for "wowikk.exe"? If not, adjust the view options as follows and look for the file again:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

DMR 152 Wombat At Large Team Colleague

Your log still shows the signs of the about:blank infection. Please download About:Buster from the following link; install it and run it according to the directions given in the link:

http://www.majorgeeks.com/download4289.html

Post a new HJT log after doing so.

DMR 152 Wombat At Large Team Colleague

clkoptimizer is definitely adware, but current reference files for Ad Aware SE are supposed to detect it. Are you positive that you are running the latest version of Ad Aware, with the most current reference file installed? If Ad Aware actually does detect it, but can't clean it, try running Ad Aware in safe mode.

Also: the following entry in your HijackThis logs indicates that you've had at least 1 instance of Internet Explorer running when you've been running HJT:

C:\Program Files\Internet Explorer\iexplore.exe

HijackThis cannot fully perform all of its fixes unless all instances of your web browser are closed.
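Putting the thread's manual log-reading rules into a small triage script: the O4/O20/O9/O16 entries flagged in the posts above, the "don't run HJT from a Temp folder" warning, and the open-browser check here. This is an added example, not code from the thread or from HijackThis; the log text it parses is constructed from entries quoted in the thread, and the "random-looking DLL name" rule is my own heuristic.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example; this is not code from the thread or from HijackThis.
It automates the checks the thread applies by hand: a browser started
from a Run key, an autostart living in a GUID-named folder, orphaned
Winlogon Notify or extra-button entries, DPF (ActiveX) downloads that
are safe to re-fetch, a browser still running during the scan, and HJT
itself running out of a Temp folder.
"""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 payload shape: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^(HK(?:LM|CU))\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# O20 payload shape: Winlogon Notify: subkey - path [ (file missing)]
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*?)( \(file missing\))?$")
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\\", re.I)
# Browser executables to watch for (assumption: the names on the thread's systems).
BROWSERS = ("iexplore.exe", "firefox.exe", "mozilla.exe", "netscp.exe")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _random_looking(path: str) -> bool:
    """Heuristic (mine, not HJT's): a DLL stem such as k8440ihqe84e0 alternates
    letter and digit runs many times; legit names like crypt32 do not."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(re.findall(r"[a-z]+|\d+", stem, re.I)) >= 4


def triage_line(raw: str) -> Finding:
    f = Finding(raw.strip())
    m = ENTRY_RE.match(f.line)
    if not m:
        # Everything that is not an Oxx entry is treated as a running-process path.
        low = f.line.lower()
        if low.endswith(BROWSERS):
            f.reasons.append("browser running during the scan; close it before fixing")
        if "hijackthis" in low and "\\temp\\" in low:
            f.reasons.append("HJT running from a Temp folder; move it to a permanent folder")
        return f
    kind, rest = m.groups()
    if kind == "O4":
        rm = RUN_RE.match(rest)
        if rm:
            hive, key, _name, cmd = rm.groups()
            if cmd.lower().endswith(BROWSERS):
                f.reasons.append(f"browser auto-started from {hive}\\..\\{key}")
            if GUID_DIR_RE.search(cmd):
                f.reasons.append("autostart points into a GUID-named folder")
    elif kind == "O20":
        nm = NOTIFY_RE.match(rest)
        if nm:
            subkey, dll, missing = nm.groups()
            if missing:
                f.reasons.append(f"orphaned Winlogon Notify handler '{subkey}'")
            if _random_looking(dll):
                f.reasons.append("random-looking Winlogon Notify DLL name")
    elif kind == "O9" and rest.endswith("(no file)"):
        f.reasons.append("orphaned extra-button entry")
    elif kind == "O16":
        f.reasons.append("DPF/ActiveX control; safe to fix, re-downloaded when needed")
    return f


def triage_log(text: str) -> list:
    """Return only the lines that triggered at least one reason."""
    return [f for f in map(triage_line, text.splitlines()) if f.reasons]


# Constructed sample log built from entries quoted in the thread, plus one
# legitimate Winlogon Notify line (crypt32chain) that must not be flagged.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\USER\LOCALS~1\Temp\HijackThis.exe
O4 - HKLM\..\Run: [windows] iexplore.exe
O4 - HKLM\..\RunServices: [windows] iexplore.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{FEC9BE58-0FA5-4B00-BE5E-EC7D052E91B6}\SVCHOST.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\k8440ihqe84e0.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\pKutoenr.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```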

DMR 152 Wombat At Large Team Colleague

Glad you got sorted out :)

DMR 152 Wombat At Large Team Colleague

I have had all 3 on at one time and don't see why you are having a problem installing firefox...

Agreed. I can't say where your problem lies either, but I can say that I had Netscape (version 7.1 at the time) installed on one of my computers and then later installed both Firefox and Mozilla without any problem; all three browsers have been working fine on the machine since then. As suggested, a re-download might be worth a try.

DMR 152 Wombat At Large Team Colleague

You're not clean yet, though- a new nasty has appeared in your latest log:

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

Have HJT fix the above entry, reboot into safe mode, and do the following:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Delete the C:\WINDOWS\wupdt.exe file.

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.

Post a fresh HJT log once you've done the above.

DMR 152 Wombat At Large Team Colleague

Good- it looks like you're clean now. According to Microsoft, the fdeploy dll is a valid Windows component:

Fdeploy.dll is an MMC extension to gpedit.dll that provides settings for Folder Redirection Group Policy.

Now that you've gotten rid of the nasties, here are some suggestions to minimize your chances of future infections:

1. Use Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here.


5. Obviously: install a good anti-virus program and enable its "auto-protect", "auto-update", and email-scanning features.

6. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.

DMR 152 Wombat At Large Team Colleague

Overall, that sounds pretty good in the end; test-drive the system for a bit and let us know how it goes.

As far as the fdeploy file goes: it did look suspicious to me, but I could find almost no info on the file whatsoever. The only thing I could find was that a legit file of that name is associated with the "Close Combat" game, but it didn't look like the legit fdeploy.exe should be living in the C:\WINNT\system32\ folder.

On thinking about it further, I take it you don't have Close Combat installed, yes? Even if you did, I highly doubt that the legit fdeploy program would need to add an entry to the Windows Registry to make it start automatically when Windows starts. If the Panda scan wasn't able to disinfect/delete the file, do this so that we can be more sure:

1. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files". Click OK.

2. Go to your C:\WINNT\system32\ folder and locate fdeploy.exe.

3. Right-click on the file, and choose Properties from the context menu that opens.

4. Under the Version tab of the Properties window, look through the Company Name, File Name, etc. listings and tell us what they report. If the file's Properties window offers you no Version tab; tell us that as well. A lack of info in the Version tab …

DMR 152 Wombat At Large Team Colleague

winpack.exe is a trojan which, among other things, performs browser redirects.

1. Have HijackThis fix the " O4 - HKCU\..\Run: [winpack] C:\WINNT\system32\winpack.exe" entry, reboot, delete C:\WINNT\system32\winpack.exe, and empty your Recycle Bin.

2. Make sure you have the most current virus definitions for AVG and run a full system scan.

3. Go to the following two sites and run their free online virus scans:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://housecall.trendmicro.com/

4. Get back to us with the results.

DMR 152 Wombat At Large Team Colleague

You are infected with the latest VX2 variant, which is extremely nasty and persistent. As crunchie already mentioned- do not do anything that we don't suggest, and do what we do suggest exactly, and in the exact order given! As you've already found out, the infected files will both morph and multiply if you don't follow instructions to the letter.

Do not try to keep throwing Ad Aware and SpyBot at this problem; they are not capable of fixing this particular infection and will only magnify the problem.

As crunchie asked before: why is your %systemroot% directory named "C:\WINNTOLD"?! That is not the normal name of the root system directory for any version of Windows. Can you give us any enlightening info on that?

DMR 152 Wombat At Large Team Colleague

And there was much rejoicing... yay. :mrgreen: