gerbil 216 Industrious Poster

Open that C:\WINDOWS\web\related.htm file in notepad [just drag it onto a fresh notepad], and edit it thus for the time being:
from: RelatedServiceURL="http://related.msn.com/related.asp?url="
to: RelatedServiceURL="http://127.0.0.1"
OR [to use google as your std search engine...]
to: RelatedServiceURL="http://www.google.com/search?q=related:"
The first to: option just stops the file sending you off to the Alexa site via MSN, the second to: puts you straight to Google.
If that works then you might run this also:
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
-it will reset your hosts file and check some other settings are correct.

gerbil 216 Industrious Poster

In Security settings for IE you want:
prompt for signed AX,
disable for unsigned AX,
disable for init and script AX not marked safe,
enable to run, and
enable to script safe AX.

gerbil 216 Industrious Poster

Okay... well, a couple of points.
You have Alexa.... it sends you off to MSN to run the Alexa search engine when you do searches... read about it here: http://www.imilly.com/alexa.htm
If you wish to get rid of it, get Adaware:
==Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up top, if you are comfortable with that... you won't hurt anything, but for the present please keep the default settings]. Put an icon on your desktop for regular use.
Run Adaware, doing a full system scan and finally remove all that it finds [rclick in the scan results window and select all, go next..]. If Adaware finds anything apart from cookies or your MRU list then, after removing those items you should repeat the scan [and removal] and so on until it comes up clean.
Let it remove it for you.
Updates. Go to CP, security centre, Manage settings for auto updates.... and choose. [ I use notify... cos sometimes a big dl is inconvenient at a time MS chooses, and some you may not need, but most you do]
But that log is clean, how could it not be?
Get an AV and a firewall... while in Security Centre turn ON windows firewall until you get set with a proper one.. do that NOW. When you install Xp and before you go on …

gerbil 216 Industrious Poster

That's it? All of it? No AV service? No firewall? And you have not kept up with windows updates [your IE6 is old..].

gerbil 216 Industrious Poster

Post that HT log too....

gerbil 216 Industrious Poster

I have a feeling I may regret this, but...
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER either alongside your program files or on your desktop.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

=start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

Further, this AS service will remove Think-Adz for you...
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and then Save the log file; post the log file.

gerbil 216 Industrious Poster

Sure, use this tool:
==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Remove/fix the hijackthis entries that exist as I listed before:
O4 - HKLM\..\Run: [{6A-AA-A8-87-ZN}] C:\WINDOWS\system32\kpdsrngl.exe MSM002
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinqldq.exe MSM002
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kpdsrngl.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinqldq.exe
Dclick killbox to start it.
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\system32\kpdsrngl.exe
C:\WINDOWS\system32\swinqldq.exe

>In killbox, go File menu, choose Paste from clipboard.
Select "Delete on reboot", click the "all files" button.
Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
If your computer does not reboot please restart it manually.

And if you do have trouble still, try deleting them in safe mode....

gerbil 216 Industrious Poster

Hiya, let's see what this does for you...
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKLM\..\Run: [{6A-AA-A8-87-ZN}] C:\WINDOWS\system32\kpdsrngl.exe MSM002
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinqldq.exe MSM002
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kpdsrngl.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinqldq.exe
O21 - SSODL: mssms - {C6F57800-110D-4959-AEAE-6F541A9E9AAD} - (no file)
O23 - Service: svchost - Unknown owner - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe

Delete these files:
C:\WINDOWS\system32\kpdsrngl.exe
C:\WINDOWS\system32\swinqldq.exe

Now to remove that dud O23 service...
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service [svchost], rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....

System Restore Points Clearance:
==You SHOULD clear all your system restore points because some have been infected..... So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools …

gerbil 216 Industrious Poster

Hello, and okay, yes, they do find stuff, but with two AV services onboard they are mostly finding each other. AVs interfere badly and unpredictably... You must make a choice and remove one. Now. If Symantec is to go you may require the removal tool from their site.
Good, done? Then download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {60E2746A-9C2E-45A2-85CE-7E1A8A890961} - C:\WINDOWS\system32\cbxxwuu.dll (file missing)
O2 - BHO: (no name) - {995DB826-EEC0-4E6E-AD33-BD91AFF3A079} - C:\WINDOWS\system32\mllml.dll (file missing)
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\wjkyjeyf.dll (file missing)
O2 - BHO: (no name) - {DAA14BEE-A8FA-4606-9912-7730089D77E5} - C:\WINDOWS\system32\vtstq.dll (file missing)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvrax.dll,startup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\kerxuulr.dll",forkonce
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\frmsorts.dll",sitypnow
O20 - Winlogon Notify: cbxxwuu - cbxxwuu.dll (file missing)
O20 - Winlogon Notify: mllml - C:\WINDOWS\system32\mllml.dll (file missing)
O20 - Winlogon Notify: winzlo32 - C:\WINDOWS\SYSTEM32\winzlo32.dll

Dclick killbox to start it.
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-

C:\WINDOWS\system32\drvrax.dll
C:\WINDOWS\system32\kerxuulr.dll
C:\WINDOWS\system32\frmsorts.dll
C:\WINDOWS\SYSTEM32\winzlo32.dll

>In killbox, go File menu, choose Paste from clipboard.
Select "Delete on reboot", "Unregister dll before deleting" if available, click the "all files" button.
Click the red and white …

gerbil 216 Industrious Poster

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Microsoft] servicess.exe
O4 - HKLM\..\RunServices: [Microsoft] servicess.exe
O4 - HKCU\..\Run: [Microsoft] servicess.exe

Delete this file:
C:\WINDOWS\system32\servicess.exe
Say how you get on...

gerbil 216 Industrious Poster

See the backups tab in Scan Registry? Hit it, select the backup made for the 5000 job and Restore those entries.
Registry cleaning does have its place.. just where, I am not sure. 5000 sounds like a lot, some of those would be removed in the course of time because they are merely "last used" pointers to files etc that many pgms incl Windows keep a record of...., some, yes, are the remnants of slack pgm uninstallers.
Think of the registry as a lawn the size of a tennis court - you took the scissors to a few square inches of that lawn.... if you must clean then do first review the items your cleaner is going to remove. Here is a free one:
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
[Note …

gerbil 216 Industrious Poster

..else your CD is less-bootable than you think it is...? Is it genuine or a copy of a genuine? It may be missing a couple of important loader files.

gerbil 216 Industrious Poster

What, about 2 mins before the BIOS screen appears? Then may I suggest that your power supply is dying or merely borderline capable? When your PS completes its self-checks and detects that its voltage outputs are respectable [it takes a couple hundred milliseconds...] it sends a Power Good signal to the motherboard which then allows the processor to run; no PG signal, nothing happens. Bolt in a replacement.
This is unrelated, but...Java update!!! This is for security reasons. Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.3 is current....

gerbil 216 Industrious Poster

Ah, a brother to cnbjmo.dll : you will have some fun removing this one [dgsetu.dll]. Try this as a first step on it and its mates with similar names to dgsetu.dll...
==This one is a general purpose deleter, Unlocker : http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.

gerbil 216 Industrious Poster

Delete the file and fix the key in Safe Mode.
You will not survive long out there with a naked XP - get SP2.

gerbil 216 Industrious Poster

Fix these two:
O9 - Extra button: BINGOOO - {613A924A-A883-45FB-A11D-2D8D72EB135E} - C:\Program Files\BINGOOO\BINGOOO.exe (file missing)
O18 - Filter hijack: text/html - (no CLSID) - (no file)
...and you should be okay.

gerbil 216 Industrious Poster

==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:

O2 - BHO: 0 - {3F8E60AA-BFE7-4DE3-0E9C-6165A537892A} - C:\Program Files\Movie Maker\quhac.dll (file missing)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
O2 - BHO: Plugin - {C318CD44-E327-4377-A28E-6EC16A921AE8} - C:\Program Files\Web Buying\v1.6.8\webbuying.dll (file missing)
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
O18 - Filter hijack: text/html - (no CLSID) - (no file)

Uninstall Wingames, delete it from pgm files, C:\PROGRA~1\IWINGA~1\.
Okay, please run HT again and repost with the fixwareout log.

gerbil 216 Industrious Poster

Keep working at it; your sys is filthy. I'd help, but I don't have the time.... I'm just peering at a few posts.

gerbil 216 Industrious Poster

Looks okay to me, rabbott.
Personally, I would not have file sharing pgms as startup entries, rather I would start them on demand. As they are it means your connection capability can be eaten up by ppl uploading silently from you, and you may or may not appreciate that... if not, fix these two:
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
Do all those elements of your active desktop still work? Fix the ones that do not [O24 entries].
And that is all. Good luck out there.

rabbott commented: Very diligent help with HJT logs. Thanks +1
gerbil 216 Industrious Poster

That's okay, rabbott, they are empty directories, so you can delete them manually.
C:\PROGRA~1\BEARSH~1\BAK
C:\PROGRA~1\BLUBSTER\BAK
C:\PROGRA~1\MSNMES~1\BAK
C:\PROGRA~1\HPPHOT~1\HPHINS~1\UNIPATCH\BAK
Then ...go ahead and run option 4 next -this will reset your restricted and trusted sites in IE, tools, internet options, security. If you have added trusted sites you will have to re-enter them afterward [for an extra level of security I keep the https box checked here]. That is up to your judgement.
Your domains are removed, so if you have the following programs:
SpywareBlaster protection must be re-enabled.
Spybot Immunize must be set again.
IE-SpyAd must be re-installed.

Post another hijackthis log afterwards...

gerbil 216 Industrious Poster

I know that you have Panda AV, but it may pay to try one of these. Theory is that it is possible that your resident AV could be affected by any malware, whereas an online scan will not be. First clean:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Just in case:
==AVG AntiRootkit from http://free.grisoft.com/doc/5390/lng/us/tpl/v5
One of these two:
==Pandasoftware ActiveScan using IE only from http://www.pandasoftware.com/products/activescan? - just follow through the pages, supply a "valid" email address... To reduce the number of detections run either CCleaner or ATF cleaner first [to remove cookies].
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
Sorry I cannot help further.

gerbil 216 Industrious Poster

Mmm... as a first step I would reinstall my burner software. But I am not the one to ask, I still get pretty excited when I do a fault-free load and burn.
You know, you have a fairly uninteresting set of home pages. If you don't like them clear those R0 and R1 entries, and choose a homepage that you actually use a lot, or to save wasting downloads just use about:blank [you set that via internet options, general, Use Blank]..

gerbil 216 Industrious Poster

marci, delete this folder and these two files:
C:\SystemRoot
C:\Documents and Settings\greg\x.dat
C:\Documents and Settings\greg\z.dat
How are things running now?

gerbil 216 Industrious Poster

Heather, a windows Repair replaces windows files and restores its registry settings; third party software files and reg entries are not affected, so I think the problem may lie in that direction....
Because you mention Trillian it may be worth searching for and deleting these two WildTangent files which may have been installed along with Trillian [bundled "spyware"]:
wtcpl.dll and wtcpl.cpl
May work, may not. The Repair was worth a try, at least it pointed the search in another direction.
Does going Start, run, typing control and pressing Enter work?

gerbil 216 Industrious Poster

Ah, a common misinterpretation of Microsoft's options, Heather - you entered Recovery Console, and you don't want that.
At that point in the process instead of typing R press Enter to start Windows Setup [Repair is a mini version of installation]
=> To setup Windows XP now, press Enter.
Next comes the license agreement, you will then be presented with a list of installations to choose from to repair [usually just the one installation...]. Select your installation and type R. If Repair is not shown as an option then exit Setup, DO NOT "continue to install a fresh copy without repairing" or you will lose data and applications.
Setup will copy files etc and then reboot your computer. Don't boot again from the CD by pressing any key when the message appears, just wait a moment and your machine will restart.
Enable your firewall [ or windows firewall is sufficient at this time] and validate your XP.
Say how you get on.

gerbil 216 Industrious Poster

Hello again, Marci.
It appears that you have a vundo infection, or traces of one.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

==What files are in this folder: C:\SystemRoot ?

==Please move Combofix from where it is to either your desktop or a new folder.
==Copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________
File::
C:\WINDOWS\system32\lkbewbtb.ini
C:\WINDOWS\system32\stpgqvlf.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\qbdxdgri.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\gjllm.ini
C:\Documents and Settings\marci\x.dat
C:\Documents and Settings\marci\z.dat
C:\n.bat
C:\z.dat
C:\x.dat
C:\WINDOWS\Fonts\svchost.exe

gerbil 216 Industrious Poster

For a one-off restart into Safe Mode go Start, run, enter msconfig; under Boot.ini tab check /Safeboot, Apply, Close, select Restart.
You could run this to give us a look at recent files and a few other settings..
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Other than that it appears that some registrations have been corrupted; I would try a Repair of Windows via the Setup on your installation CD.

gerbil 216 Industrious Poster

SMF must be run in Safe Mode.
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]

gerbil 216 Industrious Poster

Hi, mom,
would you please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: {ff58c7ee-4a23-ebaa-ede4-6729d6ba4500} - {0054ab6d-9276-4ede-aabe-32a4ee7c85ff} - C:\WINDOWS\system32\kcicddhl.dll (file missing)
O2 - BHO: (no name) - {0240CB11-AA5B-46C3-9FFC-684D4D489AC2} - (no file)
O2 - BHO: (no name) - {AAB76CC5-7767-458C-A3BF-D7F36F08AEA2} - (no file)
O2 - BHO: (no name) - {DEB27EE4-F5C0-4C9C-81A0-77D9285651D5} - (no file)
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [38d88512] rundll32.exe "C:\WINDOWS\system32\btbwebkl.dll",b
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm098NCUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
O20 - Winlogon Notify: hggefec - hggefec.dll (file missing)
O20 - Winlogon Notify: vqwmqfqj - vqwmqfqj.dll (file missing)

Good. Now we remove this service:
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ubckcong.exe (file missing)
Delete this folder:
C:\program files\MyWebSearch
Delete these files:
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\btbwebkl.dll

==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service, rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be …

gerbil 216 Industrious Poster

Here is a good cleaning tool:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]

And do you currently have any problems? I see none. If you want us to look a little deeper you could run this next, but if there are no visible problems it is not necessary.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Syl, your log is fine. Short, and that is nice - most folks ignore the instructions on running hijackthis and leave a bunch of apps running. My own log is short like yours, shorter, even.
Rundll will show all the time it is handling a process from a dll, the more threads it is handling the more memory it uses, but it should only ever use a percent or two of your CPU time, mostly in TM it should show zero time. And it will come up under your name if it is handling a dll launched by your profile.
I'd read your combofix log but you attach or whatever instead of pasting in plain text - it makes reading tedious..
See these two entries?
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
-they are why Rundll is running all the time. Mine does not cos I don't have entries like that in my startup. I can observe rundll in TM by starting timedate.cpl from the taskbar clock.

gerbil 216 Industrious Poster

Mary, that is an outdated version of VundoFix and it seems to have only partially run, although the files it should have picked up are now gone; those files you mention, system32\pmnlijg.dll and system32\mljjk.dll are more vundo files.
Please delete your copy of Vundofix.exe and C:\vundofix.txt and dl a new copy from the link above. Post the log.

gerbil 216 Industrious Poster

.

gerbil 216 Industrious Poster

Hello, Emily... ;), a false positive is a detection of a file or part thereof as being a threat whereas it is actually a part of a valid program. It's just a fact that some programs have genuine and good uses but can also be used with malintent. Like a knife.
I do not know Trojanhunter, I see that it is not free... but I would have thought it would have produced some sort of log with which to impress you..? Anyway, try to whittle down your list of running antispyware tools -Spybot should suffice. AVG AS will timeout after a month unless you buy it. It is good, but I use the on demand service which is free.

gerbil 216 Industrious Poster

It appears that you have a vundo infection, or traces of one so as a first step...
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!

Good. Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ugoawqyt.dll (file missing)
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [5d9f7909] rundll32.exe "C:\WINDOWS\system32\cublwkkf.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c008A73D.dat

Now we remove this service:
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\lifvavvb.exe (file missing)
=Go Start, run, type services.msc -and press Enter. Maximise the window and at foot …
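The same few HijackThis patterns come up in these posts again and again: hooks that point at files which no longer exist, autostarts and services living in Fonts or RECYCLER, O17 NameServer values pointing at outside addresses, and an AppInit_DLLs entry that is not even a DLL. As an added example (not gerbil's own or HijackThis's code; the rules and severity levels are my own assumptions), here is a small Python triage script that flags those patterns in a pasted log, with lines copied from the posts above as constructed input:

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis lines copied from the posts on this page
# (one clean NVIDIA entry is included to show that it is not flagged).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {60E2746A-9C2E-45A2-85CE-7E1A8A890961} - C:\WINDOWS\system32\cbxxwuu.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [38d88512] rundll32.exe "C:\WINDOWS\system32\btbwebkl.dll",b
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinqldq.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c008A73D.dat
O23 - Service: svchost - Unknown owner - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    severity: str  # "high", "medium" or "low" (my own assumed scale)
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# Directories that no legitimate autostart or service runs from (lower-case, backslash-delimited)
ODD_DIRS = ("\\fonts\\", "\\recycler\\", "\\temp\\")


def first_path(body: str) -> Optional[str]:
    """Return the first drive-letter path in a log body, quoted or not."""
    m = re.search(r'"([A-Za-z]:\\[^"]*)"', body) or re.search(r'([A-Za-z]:\\[^",\s]*)', body)
    return m.group(1) if m else None


def is_public(ip: str) -> bool:
    """True for a routable address; malformed strings count as not public."""
    try:
        return not ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def check_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one log line; None means nothing stood out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    path = first_path(body)
    plow = path.lower() if path else ""

    # 1. A hook whose target is gone: the usual leftover after a partial clean.
    if "(file missing)" in low or "(no file)" in low:
        sev = "medium" if sec in ("O18", "O20", "O23") else "low"
        return Finding(sec, sev, "entry points at a missing file or CLSID; fix the entry", line)
    # 2. DNS servers hard-coded into Tcpip\Parameters (O17); a public address here
    #    deserves a check against what the ISP or router actually hands out.
    if sec == "O17" and "nameserver" in low:
        ips = re.findall(r"\d+\.\d+\.\d+\.\d+", body)
        public = [ip for ip in ips if is_public(ip)]
        if public:
            return Finding(sec, "high", "NameServer set to public address(es) " + " ".join(public), line)
        return None
    # 3. AppInit_DLLs is loaded into every process; a non-.dll there is a red flag.
    if sec == "O20" and "appinit_dlls" in low and path and not plow.endswith(".dll"):
        return Finding(sec, "high", "AppInit_DLLs loads a non-DLL file", line)
    # 4. Programs launched from Fonts, RECYCLER or Temp.
    if path and any(d in plow for d in ODD_DIRS):
        sev = "high" if sec in ("O4", "O23") else "medium"
        return Finding(sec, sev, "program runs from an unusual directory", line)
    # 5. Run items whose name is eight hex digits, as generated names tend to be.
    if sec == "O4":
        name = re.search(r"\[([^\]]+)\]", body)
        if name and re.fullmatch(r"[0-9a-f]{8}", name.group(1)):
            return Finding(sec, "medium", "Run item has a machine-generated name", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every line of a pasted log through check_line, keeping the hits in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


def severity_counts(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:<6} {f.section:<4} {f.reason}")
        print(f"       {f.line}")
```

Lines it leaves alone still need a look, as the Think-Adz startup entry in the sample shows; the heuristics only order the reading.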

gerbil 216 Industrious Poster

Ok, I'll bite. What exactly did your Trojanhunter remove? The logs appear identical apart from the appearance of that pgm and the loss of AVG AV.
I see no problems in either log, malware problems, that is. I do see what appears to me to be far too many protection services running; they must bog your system terribly. Now I have no idea where you surf, what you download etc, but just as a guide I run AVG AV, Spywareblaster and Zonealarm firewall. That's it. Possibly 6 months ago AVG detected and jumped on a virus from a site I entered. I have AVG AS and Adaware to use on demand for spyware scanning , I am sorry to say that AVG AS has ever only once found a pest, a minor one. My sys is not loaded with realtime scanners.
It all depends upon where you go, what you click on, I guess... Yes, I do get a few false positives because of the tools I play with.... currently AVG AV is detecting and blocking Icesword which is annoying the tripes outta me...

gerbil 216 Industrious Poster

:).. if you open Applications tab in CCleaner, you will see a Mozilla/FF section for cleaning files there...

gerbil 216 Industrious Poster

Rabbott, I am sorry, that was unbelievably slack of me. I think it's time I took a break from this stuff.... but let's finish this first. Okay, option 3 again, but with this corrected text:
= FindAWF, option 3: start the program again, select to remove bak folders, into the text file that opens paste all the text between the lines:
_____________________________________________________________
C:\hp\KBD\bak
C:\Program Files\iTunes\bak
C:\Program Files\Microsoft ActiveSync\bak
C:\Program Files\Picasa2\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system\bak
C:\WINDOWS\system32\bak
C:\hp\drivers\hplsbwatcher\bak
C:\Program Files\eBay\eBay Toolbar2\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Google\Google Desktop Search\bak
C:\Program Files\GRISOFT\AVG7\bak
C:\Program Files\HP\HP Share-to-Web\bak
C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\ScanSoft\OmniPageSE\bak
C:\Program Files\Trend Micro\Internet Security 2006\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.6.0_01\bin\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
_____________________________________________________________

-close the text file and click Yes. Please post the contents of the notepad that opens.
Then, if and only if these two sections of the report are empty...:

bak folders found
~~~~~~~~~~~
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

...go ahead and run option 4 next -this will reset your restricted and trusted sites in IE, tools, internet options, security. If you have added trusted sites you will have to re-enter them afterward [for an extra level of security I keep the https box checked here]. That is up to your judgement.
-this removes your domains, so if you have the following programs:
SpywareBlaster protection must be …

gerbil 216 Industrious Poster

Some Spyware tools modify those settings, Kyle, when you run them.

gerbil 216 Industrious Poster

G'day, Kyle. Sorry but I forgot to post this:
ComboFix appears to be down for an indeterminate period - it's all up to the writer.
C:\WINDOWS\system32\cemetrix.dll - a problem file. Delete it.
This is a game file: HGStart9USA.exe - it got "disinfected", so your game may not work... a Far Eastern one?
I'd delete your hijackthis backups to get rid of warnings.
To get rid of this pair: Adware:adware/popper Not disinfected Windows Registry, Adware:adware/commad Not disinfected Windows Registry you will need to run either Adaware or AVG AS:
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.

gerbil 216 Industrious Poster

Hello, Christina, please do all that your system will allow of these:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new folder either alongside your program files or on your desktop.
-in that folder start HijackThis by double-clicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
If you can get access to that AVG AS report I would like to see it also.

gerbil 216 Industrious Poster

Yes, I am afraid so - you have restored to a point before Photoshop created its registry entries, the registry files you loaded in the restore point don't know about Photoshop. Just reinstall over the top of the old installation.

gerbil 216 Industrious Poster

Looks like Combofix has a bug in the date check... just have to wait for it to be fixed.
I tested it, tried my earlier copy and it uninstalled itself, downloaded the latest [with FF] and it uninstalled itself okay [it should not have done that...] with no effect on FF.

gerbil 216 Industrious Poster

Fun times, Kyle. Guess you could try this scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
..And this [it shows some useful stuff]:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Hello, Ken, please start HijackThis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - C:\WINDOWS\system32\wvusssq.dll (file missing)
O2 - BHO: 0 - {3844D88F-F2C2-4409-B9A1-9322676A141D} - C:\Program Files\Internet Explorer\qukadotal859.dll (file missing)
O2 - BHO: (no name) - {3A844AB4-970A-4381-9713-784F20C27F3D} - C:\WINDOWS\system32\hgdbc.dll (file missing)
O2 - BHO: (no name) - {57024DD0-8931-4F3C-BC8F-B210A6BC916E} - C:\Program Files\Windows NT\mexokas83122.dll (file missing)
O2 - BHO: (no name) - {96ACAB33-32F9-3C5F-DA58-4FE607F10ECD} - C:\WINDOWS\system32\kzyaaje.dll (file missing)
O2 - BHO: {69a1b6e2-db4d-0368-ff34-563bee4165f9} - {9f5614ee-b365-43ff-8630-d4bd2e6b1a96} - C:\WINDOWS\system32\xslwcsfy.dll (file missing)
O2 - BHO: (no name) - {B0FAEA97-5490-4284-AE4D-63E808E01806} - C:\Program Files\Windows NT\mexokas4444.dll (file missing)
O4 - HKCU\..\Run: [Jinodyd] "C:\Documents and Settings\ken\My Documents\?racle\?ti2evxx.exe"
O20 - Winlogon Notify: wvusssq - wvusssq.dll (file missing)
O24 - Desktop Component 0: (no name) - about:Home

Good.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post with that log another Hijackthis log, please.
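The list Ken is asked to fix above is typical HijackThis output: O2 browser helper objects, an O4 Run key, an O20 Winlogon Notify entry and an O24 desktop component. Below is an added example, not part of this thread and not HijackThis's own code, that parses such lines into fields (section, name, CLSID or key, path, whether the log says "(file missing)") and applies a few triage rules of my own: a registered module that no longer exists on disk, a BHO with no descriptive name, and a path containing "?" (my assumption: characters the log could not render, which no legitimate Run entry should have). The first five sample lines are copied from the post; the last one is a constructed benign-looking BHO with a placeholder CLSID and path, included so the rules have something they must not flag.

```python
import re
from dataclasses import dataclass

# Constructed sample: five lines from the post above plus one made-up benign BHO
# (placeholder CLSID and path) that the triage should leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F5D64B74EAF6} - C:\WINDOWS\system32\wvusssq.dll (file missing)
O2 - BHO: 0 - {3844D88F-F2C2-4409-B9A1-9322676A141D} - C:\Program Files\Internet Explorer\qukadotal859.dll (file missing)
O2 - BHO: {69a1b6e2-db4d-0368-ff34-563bee4165f9} - {9f5614ee-b365-43ff-8630-d4bd2e6b1a96} - C:\WINDOWS\system32\xslwcsfy.dll (file missing)
O4 - HKCU\..\Run: [Jinodyd] "C:\Documents and Settings\ken\My Documents\?racle\?ti2evxx.exe"
O20 - Winlogon Notify: wvusssq - wvusssq.dll (file missing)
O24 - Desktop Component 0: (no name) - about:Home
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
MISSING = r"(?P<missing> \(file missing\))?$"   # HijackThis appends this when the module is gone

# One pattern per section handled here; other sections (O1, O23, ...) are skipped.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<ident>" + GUID + r") - (?P<path>.*?)" + MISSING),
    "O4": re.compile(r"^O4 - (?P<ident>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)" + MISSING),
    "O24": re.compile(r"^O24 - Desktop Component (?P<ident>\d+): (?P<name>.*?) - (?P<path>.*)$"),
}


@dataclass
class Entry:
    section: str       # O2, O4, O20 or O24
    name: str          # display name as HijackThis prints it
    ident: str         # CLSID (O2), registry key (O4), component index (O24), name (O20)
    path: str          # module path, command line or target, quotes stripped
    file_missing: bool
    raw: str


def parse_hjt(text: str) -> list:
    """Turn HijackThis log lines into Entry records; unknown sections are ignored."""
    entries = []
    for raw in text.strip().splitlines():
        section = raw.split(" ", 1)[0]
        pat = PATTERNS.get(section)
        m = pat.match(raw) if pat else None
        if not m:
            continue
        g = m.groupdict()
        entries.append(Entry(section, g["name"], g.get("ident") or g["name"],
                             g["path"].strip('"'), bool(g.get("missing")), raw))
    return entries


def triage(entries) -> list:
    """Return (raw line, reason) pairs. These rules are mine, not HijackThis's."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append((e.raw, "module no longer on disk: orphaned registration, fix it"))
        if e.section == "O2" and (e.name == "(no name)" or e.name.isdigit()
                                  or re.fullmatch(GUID, e.name)):
            findings.append((e.raw, "BHO without a descriptive name"))
        if "?" in e.path:
            # Assumption: '?' stands for characters the log could not render.
            findings.append((e.raw, "'?' in path: unrenderable characters, not a normal Run entry"))
    return findings


if __name__ == "__main__":
    for raw, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}\n    {raw}")
```

The parser keeps the raw line so a finding can be quoted back verbatim, which is what you need when telling someone which boxes to tick in Fix Checked. Note that "(file missing)" on its own only says the registry entry is orphaned; it does not say whether the file was removed by a scanner or by the malware updating itself, so a fresh log after the fix is still needed.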

gerbil 216 Industrious Poster

That worked well, Rabbott, but please now uninstall your old versions of Java via Add/Remove Programs; version 1.6.0_3 is current.
Okay -option 3, FindAWF: start the program again, select to remove bak folders, into the text file that opens paste all the text between the lines:
_____________________________________________________________

C:\hp\KBD\bak\KBD.EXE
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\bak\wcescomm.ex
C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\SMINST\bak\RECGUARD.EXE
C:\WINDOWS\system\bak\hpsysdrv.DAT
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\hphmon04.exe
C:\WINDOWS\system32\bak\hphmon06.exe
C:\WINDOWS\system32\bak\ps2.exe
C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
C:\Program Files\eBay\eBay Toolbar2\bak\eBayTBDaemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe
C:\Program Files\GRISOFT\AVG7\bak\avgcc.exe
C:\Program Files\HP\HP Share-to-Web\bak\hpgs2wnd.exe
C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe
C:\Program Files\ScanSoft\OmniPageSE\bak\opware32.exe
C:\Program Files\Trend Micro\Internet Security 2006\bak\pccguide.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe
_____________________________________________________________

-close the text file and click Yes. Please post the contents of the notepad that opens.
Then, if and only if these two sections of the report are empty...:

bak folders found
~~~~~~~~~~~
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

...go ahead and run option 4 next -this will reset your restricted and trusted sites in IE, tools, internet options, security. If you have added trusted sites you will have to re-enter them afterward [for an extra level of security I keep the https box checked here]. That is up to your judgement.
-this removes your domains, so if you have the following programs:
SpywareBlaster protection must be …
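Both FindAWF posts in this thread (the one above and the corrected one earlier) hand the tool a list of `...\bak\<program>.exe` paths and then ask for the "bak folders found" and "Duplicate files of bak directory contents" sections to be empty. The added example below, written for this page and not FindAWF's own code, does the underlying check by hand: for every `<dir>\bak\<name>` it looks for `<dir>\<name>`, hashes both, and reports whether the live copy is identical to the bak copy, differs from it, or is missing. My assumption, not stated in the thread, is that the bak folder holds the original executable and the live copy may be a substitute; the suggested actions in `ACTIONS` follow from that and are mine. The sample tree is constructed under a temporary directory with forward-slash paths so it runs anywhere; on a real machine you would pass the `C:\...` paths from the post.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Suggested follow-up per outcome. These are my actions, not FindAWF's.
ACTIONS = {
    "differs": "live copy is not the bak original: restore the bak copy over it, then remove bak",
    "identical": "live copy already matches the original: just remove bak",
    "live-missing": "nothing sits in the original's place: move the bak copy back, then remove bak",
    "no-bak": "bak copy absent: nothing to restore, verify the live file another way",
    "not-a-bak-path": "path does not end in \\bak\\<file>: skipped",
}


def audit_bak_entries(bak_files) -> dict:
    """Map each bak path to one of the ACTIONS keys by comparing it with <dir>/<name>."""
    report = {}
    for bak in map(Path, bak_files):
        if bak.parent.name.lower() != "bak":
            report[str(bak)] = "not-a-bak-path"
            continue
        live = bak.parent.parent / bak.name
        if not bak.is_file():
            status = "no-bak"
        elif not live.is_file():
            status = "live-missing"
        elif sha256_of(bak) == sha256_of(live):
            status = "identical"
        else:
            status = "differs"
        report[str(bak)] = status
    return report


def build_sample_tree(root: Path) -> list:
    """Constructed fixture: four of the post's paths, one per outcome.
    (name, bytes in bak copy or None, bytes in live copy or None)."""
    cases = {
        "Program Files/QuickTime": ("qttask.exe", b"ORIGINAL", b"SUBSTITUTE"),
        "WINDOWS/system32": ("ctfmon.exe", b"ORIGINAL", b"ORIGINAL"),
        "Program Files/iTunes": ("iTunesHelper.exe", b"ORIGINAL", None),
        "Program Files/Picasa2": ("PicasaMediaDetector.exe", None, b"ORIGINAL"),
    }
    paths = []
    for rel, (name, bak_bytes, live_bytes) in cases.items():
        bak_dir = root / rel / "bak"
        bak_dir.mkdir(parents=True)
        if bak_bytes is not None:
            (bak_dir / name).write_bytes(bak_bytes)
        if live_bytes is not None:
            (bak_dir.parent / name).write_bytes(live_bytes)
        paths.append(str(bak_dir / name))
    # A deliberately malformed entry (no bak component) to show it is rejected.
    paths.append(str(root / "WINDOWS" / "system32" / "hkcmd.exe"))
    return paths


def run_demo() -> dict:
    """Build the fixture in a temp dir and return {file name: status}."""
    root = Path(tempfile.mkdtemp(prefix="findawf-"))
    report = audit_bak_entries(build_sample_tree(root))
    return {Path(p).name: status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:28s} {status:15s} {ACTIONS[status]}")
```

A hash match between bak and live only proves the two copies are the same bytes, not that either is what the vendor shipped; where a known-good hash is available (a clean machine with the same software, or the vendor's installer) compare against that instead. That is also why the post asks for the tool's report before running option 4: anything left under "Duplicate files of bak directory contents" means the restore is not finished.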

gerbil 216 Industrious Poster

Yeah, they do that sometimes. Log is clean, anyway.

gerbil 216 Industrious Poster

Ah... I see now what I missed... I gave you some extra work because of it - sorry about that, chuc.
I missed that the last Combofix run deleted ssttr.dll, but it did leave its run keys. The first Vundofix run removed those keys but because the file was gone did not report that it had done so...
The second Vundofix run was unnecessary. Your HT is a clean log. Almost polished, really.
Cheers, and thankyou.

gerbil 216 Industrious Poster

There are bad files there; try running Vundofix this way:
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes right-click inside the white text box, left-click the Add more files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\rttss.*

Click the Add Files button, and next the Remove Vundo button.******

You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log.