Now delete your Smitfraudfix version and get the latest, 2.242, otherwise Crunchie will do his nut. And of course, present a new log.
gerbil 216 Industrious Poster
DeOnna, try option 2 again with just these two:
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
gerbil 216 Industrious Poster
Be nice to see your vundofix logs...
Nothing shows there. Maybe you have infected [sys] files...
dl this file from http://noahdfear.geekstogo.com/FindAWF.exe -to your desktop, perhaps.
-option 1: dclick the .exe to start the program, select option 1 to start the process. Please post the contents of the notepad that opens, else you may wish to continue the process yourself by successively selecting each and all options.
gerbil 216 Industrious Poster
Well, the sys is obviously still pretty filthy, a repair would have fixed damaged sys files but not affect any malware that had their own files.... you've got 30 days to activate, why not run Panda now that you are online with it?
Use CCleaner first. http://www.ccleaner.com/
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Numerous costly pgms but no disks? I won't ask.....
gerbil 216 Industrious Poster
Hello, coach....[are only americans nicknamed coach?] - for a start, if you clicked a link [fine] and an activeX control immediately started downloading [not fine] you have your IE security settings WAY too low. Try medium as a minimum, that way you will be prompted for signed [owned] controls, and unsigned ones just won't be downloaded. Firefox or Opera won't accept them at all because they do not use them.
"too many problems to fix"? ... this from your security software?
Routers have firewalls; what you invite, they allow past. That's it.
Put these downloads on your thumbdrive, run them, suck out the files [logs] we need and post them. You can put the downloads all at once onto the thumbdrive, then install as required or copy in to the bad sys.
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it …
gerbil 216 Industrious Poster
DeOnna, for some reason [not your fault, it's the trojan...] that operation did not fully work, so please repeat option 2 with the same block of entries [repeated below]
[We are trying to copy the original files back into their proper locations, overwriting the affected files.]
So:
-option 2, FindAWF: dclick the .exe to start the program, select to restore files, into the text file that opens paste all the text between the lines:
_____________________________________________________________
"C:\Program Files\HP DigitalMedia Archive\bak\DMAScheduler.exe"
"C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
"C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Snapfish\Snapfish PhotoShow\data\Xtras\bak\mssysmgr.exe"
_____________________________________________________________
-close the text file and click Yes. Please post the contents of the notepad that opens.
deonnanicole commented: Great help, with easy to read instructions...thanks so much!! :)
gerbil 216 Industrious Poster
Lo, lofti..
....you have a vundo infection, or traces of one, so please rename hijackthis.exe to imabunny.exe - this is important.
May I ask, had you already fixed some entries in your hijackthis log? I ask because some things I was expecting to see in the tools' logs are not there....?
==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
==Please start hijackthis, -select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [580eaae6] rundll32.exe "C:\WINDOWS\system32\vdwrcaiu.dll",b
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\ondsrngo.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
O20 - AppInit_DLLs: 22.dll
Good.
Dclick killbox to start it.
>Highlight the pathnames in the following lines as one block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-
C:\WINDOWS\system32\vdwrcaiu.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
C:\WINDOWS\SYSTEM32\ondsrngo.exe
C:\WINDOWS\SYSTEM32\22.dll
>In killbox, go File menu, choose Paste from clipboard.
Select "Delete on reboot", "Unregister dll before deleting" if available, click the "all files" button.
Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
If your computer does not reboot please restart it manually.
=Okay, …
gerbil 216 Industrious Poster
Okay, deonna... you have no AVG AS log for me?
Firstly I want you to go to CP, add/remove pgms and uninstall all old versions of java [keep only 1.6.0.2], then go to C:\Program Files and delete all these folders and their contents if they exist:
C:\Program Files\Java\jre1.5.0_06
C:\Program Files\Java\jre1.5.0_10
C:\Program Files\Java\jre1.5.0_09
C:\Program Files\Java\jre1.5.0_11
C:\Program Files\Java\jre1.6.0_01
Okay, next:
-option 2, FindAWF: dclick the .exe to start the program, select to restore files, into the text file that opens paste all the text between the lines:
_____________________________________________________________
"C:\Program Files\HP DigitalMedia Archive\bak\DMAScheduler.exe"
"C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe"
"C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Snapfish\Snapfish PhotoShow\data\Xtras\bak\mssysmgr.exe"
_____________________________________________________________
-close the text file and click Yes. Please post the contents of the notepad that opens.
gerbil 216 Industrious Poster
Hello, lofti...
as Suspishio pointed out your sys is loaded, he has identified the culprits, more are hidden. I understand your trepidation - we can automate the removals if you wish....
Open a windows explorer folder, > tools > folder options > view, and
-press Show hidden files and folders
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]
It appears that you have …
gerbil 216 Industrious Poster
Aw, heck.. :o
Crunchie, give deonnanicole an elephant stamp for posting the first installer log... and then delete it, maybe?
Deonna, there is no CCleaner log that I am interested in, you just run it to clean [if you use FF be sure to visit Applications tab and ensure Mozilla cookies box is checked]..... but I would have liked to see the AVG AS log.....
If you have not already run it, please run it now.
You have a trojan downloader that has replaced many of your system files with infected copies, so next...
==Please dl this file from http://noahdfear.geekstogo.com/FindAWF.exe -to your desktop, perhaps.
-option 1: dclick the .exe to start the program, select option 1 to start the process. Please post the contents of the notepad that opens.
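The two FindAWF steps gerbil uses in this thread (option 2, copy the originals out of each `bak` folder back over the swapped binaries; option 3, delete the emptied `bak` folders) can be reproduced and checked without the tool. The script below is an added example, not FindAWF's own code; it builds a constructed Program Files-style tree in a temp directory with one shadowed autorun binary (PicasaMediaDetector.exe, a name from the lists in this thread) and one empty `bak` folder, then finds the shadows by hash comparison, quarantines the live (suspect) file instead of deleting it, restores the `bak` original, and removes the emptied folders. The file contents are placeholders, and the quarantine path is this example's choice.

```python
"""Detect and undo AWF-style 'bak' shadowing as described in the thread.

Added example, not FindAWF's code. Assumed layout (from the thread): the
dropper copies an autorun executable into a sibling 'bak' folder, then
replaces the original with its own binary. Everything below is built in a
temp directory; DEMO_ORIGINAL / DEMO_DROPPER are constructed placeholders.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample contents: the vendor build and the dropper that shadows it.
DEMO_ORIGINAL = b"MZ...legitimate PicasaMediaDetector build (constructed)"
DEMO_DROPPER = b"MZ...dropper body that also launches the bak copy (constructed)"


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_demo_tree(base: Path) -> Path:
    """Create a Program Files-like tree: one shadowed executable plus one
    empty bak folder (an empty one turned up in the sreddy posts too)."""
    picasa = base / "Program Files" / "Picasa2"
    (picasa / "bak").mkdir(parents=True)
    (picasa / "bak" / "PicasaMediaDetector.exe").write_bytes(DEMO_ORIGINAL)
    (picasa / "PicasaMediaDetector.exe").write_bytes(DEMO_DROPPER)
    (base / "Program Files" / "IBM" / "MyHelp" / "plugins" / "bak").mkdir(parents=True)
    return base


def find_bak_shadows(root: Path) -> list[tuple[Path, Path]]:
    """Return (live_file, bak_copy) pairs: a file inside a 'bak' folder whose
    name also exists one level up. Pairs with identical hashes are skipped,
    since nothing was swapped there."""
    shadows = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if Path(dirpath).name.lower() != "bak":
            continue
        parent = Path(dirpath).parent
        for name in filenames:
            live, bak = parent / name, Path(dirpath) / name
            if live.is_file() and sha256(live) != sha256(bak):
                shadows.append((live, bak))
    return shadows


def restore_shadows(shadows, quarantine: Path) -> list[Path]:
    """Like FindAWF option 2: move the live (suspect) file into quarantine
    and copy the bak original back into place. Returns restored paths."""
    quarantine.mkdir(parents=True, exist_ok=True)
    restored = []
    for live, bak in shadows:
        dest = quarantine / f"{live.parent.name}__{live.name}"
        shutil.move(str(live), str(dest))   # keep the suspect for analysis
        shutil.copy2(str(bak), str(live))
        restored.append(live)
    return restored


def remove_empty_bak_dirs(root: Path) -> list[Path]:
    """Like FindAWF option 3: delete bak folders that are now empty."""
    removed = []
    for dirpath, _dirnames, _filenames in os.walk(root, topdown=False):
        d = Path(dirpath)
        if d.name.lower() == "bak" and not any(d.iterdir()):
            d.rmdir()
            removed.append(d)
    return removed


def run_demo() -> dict:
    """End-to-end run on the constructed tree; returns a summary to check."""
    base = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    build_demo_tree(base)
    shadows = find_bak_shadows(base)
    restored = restore_shadows(shadows, base / "quarantine")
    # Only now is the bak copy redundant: never delete it before restoring.
    for _, bak in shadows:
        bak.unlink()
    removed = remove_empty_bak_dirs(base)
    live = base / "Program Files" / "Picasa2" / "PicasaMediaDetector.exe"
    return {
        "shadows": len(shadows),
        "restored": len(restored),
        "restored_ok": live.read_bytes() == DEMO_ORIGINAL,
        "quarantined": sorted(p.name for p in (base / "quarantine").iterdir()),
        "bak_dirs_removed": len(removed),
    }


if __name__ == "__main__":
    print(run_demo())
```

The order matters in the same way gerbil sequences the options: restore first, delete `bak` folders last, and keep the swapped-in binary somewhere rather than shredding it, so you can check what it actually was.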
gerbil 216 Industrious Poster
Not sure ul get a reply from mattpas, nomee, thread is well old. You run a windows Repair from the installation media.... it is a part of Setup that searches for and repairs an old installation thereby saving your data. No formatting is involved.
Mmm.... I see now that you are also in another thread that was also not started by you, with crunchie... follow his advice.
gerbil 216 Industrious Poster
Ripper!. I am pleased for you..
Cheers, g.
gerbil 216 Industrious Poster
G'day, h8, you can access explorer via taskmanager, file, new task, enter explorer.exe.
Use hijackthis to fix these entries:
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2
Delete this file also:
C:\WINDOWS\system32\AquaReal.ocx
Now run this file: http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip
Say what transpires.
gerbil 216 Industrious Poster
Ok, but note that ComboFix now has a datestamp - if your version times out it will not run, and i think the time is something like 2 weeks [not sure on that].
gerbil 216 Industrious Poster
Looks good.
One last step, sreddy.... option 4. This will reset your restricted and trusted sites in IE, tools, internet options, security. Importantly, examine the list of trusted sites - if there are entries here that you did not add use Option 4 [for an extra level of security I keep the https box checked here]. I think this option is up to your judgement, but if you have added only a couple of trusted sites [which you would have to re-enter afterward], use option 4!!
If you use SpywareBlaster, IE-SpyAd, Spybot etc you will need to re-enable their restrictions afterwards.
Cheers.
gerbil 216 Industrious Poster
D'you see that? D'you see that?!! It actually went through! Wheee...!
But it popped up a new bak folder, albeit an empty one so let's delete that one and hope it finds no more:
Option 3 again, with this lonely entry to paste in:
C:\PROGRA~1\IBM\MYHELP~1\PLUGINS\BAK
And finally for neatness sake you can fix this entry with hijackthis:
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
And that should almost do it, sreddy.... this time post only the notepad produced by FindAwf, please.
gerbil 216 Industrious Poster
"...print out a copy of..." Urk. TIF are the webpages you've visited, pages you've downloaded... some ppl leave the folder size setting as determined by windows setup, you could be talking 100+ MB of data. And most webpages for ease of editing/rebuilding are built up from 100's of individual items.. an individual TIF may just be a gif image of a yellow line, or a silly little pattern of dots or... to get the idea just open your TIF folder, dclick on a few image files and you will see what I mean.
Please don't print them out, cos I love trees.
Note that word in their name: Temporary.
gerbil 216 Industrious Poster
Blank popups combined with that error? Obviously the host malware is scripted poorly.
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
gerbil 216 Industrious Poster
Call it malware tools then.
Don't build up a comprehensive collection of tools though apart from those which [auto-]update only the detection files - a lot of the tools we use are updated from week to week or more generally as required by developments, superseded versions may well be useless, and worse give a false sense of security. Many of these tools are single file types which are replaced wholly.
..now there was an old virus... nah, no virus could be that crude... do an online scan at Panda after running a cleaner such as CCleaner [check its configuration if you use FF]
gerbil 216 Industrious Poster
Whoops!! Use this set, NOT the previous one, sreddy, that one is bound to fail....
Sigh.
C:\Program Files\C4ebreg\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\VideoraiPodConverter\bak
C:\Program Files\Analog Devices\Core\bak
C:\Program Files\ATI Technologies\ATI.ACE\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Google\Google Talk\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\IBM\Personal Communications\bak
C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\ThinkPad\ConnectUtilities\bak
C:\Program Files\ThinkPad\Utilities\bak
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak
C:\Program Files\Common Files\Lenovo\Scheduler\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\IBM\SQLLIB\BIN\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Lenovo\PkgMgr\HOTKEY\bak
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\bak
gerbil 216 Industrious Poster
Hello baffula, please delete your copy of hijackthis and get this one, install it in its place:
==download hijackthis: http://www.majorgeeks.com/download5554.html
..... and then rename hijackthis.exe to imabunny.exe because you have what appears to be a vundo infection.
Before you post a fresh log please fix these entries with hijackthis:
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKCU\..\Run: [License Manager] "C:\Program Files\License_Manager\license_manager.exe " /silent
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm035YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O20 - Winlogon Notify: jkkljhf - jkkljhf.dll (file missing)
Next go to your program files directory and delete these folders and their contents:
FunWebProducts
License_Manager
Good. Now please make a fresh scan, post the log.
gerbil 216 Industrious Poster
Hi, sreddy, that log is clean, so was the AVG scan.. [do you actually own IBM?.. cos you've got all their software there.. :)]
Ok, give option 3 one more shot with this set of folders to delete; if it fails then sorry, but it will come down to manual deletion. Automating it for you with a script would probably take just as long for me to write as for you to do them by hand...
C:\Program Files\C4ebreg\bak\c4ebreg.exe
C:\Program Files\C4ebreg\bak\isamtray.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\QuickTime\bak\QTTask.exe
C:\Program Files\VideoraiPodConverter\bak\VideoraiPodConverter.exe
C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\bak\CLIStart.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\Google\Google Talk\bak\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Talk\bak\googletalk.exe
C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\IBM\Personal Communications\bak\tpam.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak\VPTray.exe
C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
C:\Program Files\ThinkPad\ConnectUtilities\bak\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\bak\ACWLIcon.exe
C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe
C:\Program Files\Common Files\Lenovo\Scheduler\bak\scheduler_proxy.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\IBM\SQLLIB\BIN\bak\db2systray.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\bak\TPHKMGR.exe
C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\bak\delayStart.exe
Good luck.
gerbil 216 Industrious Poster
Good day, buoy, would rather you had posted into a fresh thread, your post has nothing to do with the previous user's problem.
Anyway, use hijackthis to fix these entries and see how you get on:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.serial99.com/?a
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O13 - WWW Prefix: http://www.serial99.com/?
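Several posts in this thread (the lofti Vundo list, baffula's FunWebProducts entries, buoy's hosts-file and start-page entries, the O15 Trusted Zone entry) hand the poster a set of HijackThis lines to fix. The script below is an added example, not HijackThis code: HijackThis only lists entries and never judges them, so the rules here are this example's own heuristics, generalised from the entries quoted in the thread. The sample log is assembled from those quoted lines; the start-page allowlist is an assumption for the demo.

```python
"""Triage HijackThis log lines like the ones fixed in this thread.

Added example, not HijackThis itself. SAMPLE_LOG is assembled from entries
quoted in the thread; RULES are this example's heuristics, not a vendor
signature set. Verdicts: 'fix' (matches a rule), 'orphan' (points at a
missing file; fixing only removes the dead reference), 'unflagged' (no rule
matched; review by hand, as gerbil does with the RunOnce entries).
"""
from __future__ import annotations

import re
from collections import Counter

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.serial99.com/?a
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [580eaae6] rundll32.exe "C:\WINDOWS\system32\vdwrcaiu.dll",b
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
O20 - AppInit_DLLs: 22.dll
O20 - Winlogon Notify: jkkljhf - jkkljhf.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$")

# (section, regex on the entry body, reason). Assumed allowlist for R0: the
# two start pages the demo treats as benign; adjust for the machine in hand.
RULES = [
    ("R0", r"Start Page = (?!http://www\.(google|msn)\.com)",
     "start page points at a host outside the allowlist"),
    ("O1", r"Hosts: \d+\.\d+\.\d+\.\d+ \S*(search|update|antivirus)",
     "hosts file pins a search/update host to a fixed IP"),
    ("O4", r'rundll32\.exe "?[A-Za-z]:\\WINDOWS\\system32\\[a-z]{8}\.dll"?,',
     "rundll32 loads an 8-letter lowercase DLL from system32 (Vundo pattern)"),
    ("O4", r"\\RunServices: ",
     "RunServices is a Win9x leftover; on XP anything here was added by malware"),
    ("O15", r"Trusted Zone: ",
     "site added to the IE Trusted zone runs with lowered security"),
    ("O16", r"DPF: .* - http://.*\.cab$",
     "ActiveX control download (DPF); remove unless you know the host"),
    ("O20", r"AppInit_DLLs: \S",
     "AppInit_DLLs is injected into every process that loads user32"),
]


def triage(log: str) -> list[dict]:
    """Parse each 'Xn - body' line and attach a verdict and reason."""
    results = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        verdict, reason = "unflagged", ""
        if ORPHAN_RE.search(body):
            verdict = "orphan"
            reason = "references a file that no longer exists; fixing removes the dead entry"
        else:
            for section, pattern, why in RULES:
                if code == section and re.search(pattern, body):
                    verdict, reason = "fix", why
                    break
        results.append({"code": code, "entry": body, "verdict": verdict, "reason": reason})
    return results


def summarize(results: list[dict]) -> Counter:
    return Counter(r["verdict"] for r in results)


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(f"{r['verdict']:9} {r['code']:4} {r['entry'][:70]}")
    print(dict(summarize(rows)))
```

The `unflagged` bucket is deliberate: the `*Restore` RunOnce line is legitimate Windows (gerbil only suggests fixing it for tidiness), and a rule set that marks everything unknown as malicious is how users end up deleting their own drivers.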
gerbil 216 Industrious Poster
A damsel in distress.... okay.
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Restart your computer in Safe Mode.
- Open the SmitfraudFix folder and double-click SmitfraudFix.cmd, select option #2 - Clean [type 2 and Enter]
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\
Restart in normal Windows. Please post C:\rapport.txt
[You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.]
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and …
gerbil 216 Industrious Poster
That looks good to me, doc, how are things to you now?
If you are still having problems try this cleaner and scan:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
gerbil 216 Industrious Poster
Thank you for that, sreddy. Some of the google etc files have no bak files but are represented in the AWF scan. There may be something interfering with the cleanup. Run ATF cleaner again [instructions given again] and then use AVG AS - it will clean any AWF files it finds.
Please fix this entry with hijackthis:
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file with a fresh hijackthis scan log please..
gerbil 216 Industrious Poster
Hello, sreddy, it appears that FindAWF is having problems.
It looks like you uninstalled the Google tools etc, and iTunes, but after the trojan had copied out some files...? To simplify the copying of the backed up files it would be good if you were to delete files and folders which you have uninstalled or deleted since the trojan copied them out of their normal directories. So...
Did you uninstall all of Google toolbar, Video Player, Google Talk?
Did you uninstall iTunes, Quicktime?
[what I am trying to say is that it appears that some trojan bak directories are for files that no longer exist, which is not a problem, but means that we could simplify the process. Of course all those bak files in the last list I gave could be deleted manually, it would be tedious though.]
gerbil 216 Industrious Poster
sreddy, that last option 3 run barely worked; only a couple of folders were deleted. Could you try it again with this list please?
"C:\Program Files\C4ebreg\bak"
"C:\Program Files\C4ebreg\bak"
"C:\Program Files\iTunes\bak"
"C:\Program Files\QuickTime\bak"
"C:\Program Files\VideoraiPodConverter\bak"
"C:\Program Files\Analog Devices\Core\bak"
"C:\Program Files\ATI Technologies\ATI.ACE\bak"
"C:\Program Files\Common Files\Symantec Shared\bak"
"C:\Program Files\Google\GoogleToolbarNotifier\bak"
"C:\Program Files\Google\Google Talk\bak"
"C:\Program Files\Google\GoogleToolbarNotifier\bak"
"C:\Program Files\HP\HP Software Update\bak"
"C:\Program Files\IBM\Personal Communications\bak"
"C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak"
"C:\Program Files\Synaptics\SynTP\bak"
"C:\Program Files\Synaptics\SynTP\bak"
"C:\Program Files\ThinkPad\ConnectUtilities\bak"
"C:\Program Files\ThinkPad\ConnectUtilities\bak"
"C:\Program Files\ThinkPad\Utilities\bak"
"C:\WINDOWS\ime\IMJP8_1\bak"
"C:\WINDOWS\system32\dla\bak"
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak"
"C:\Program Files\Common Files\Lenovo\Scheduler\bak"
"C:\Program Files\Common Files\Real\Update_OB\bak"
"C:\Program Files\IBM\SQLLIB\BIN\bak"
"C:\Program Files\Java\jre1.6.0_02\bin\bak"
"C:\Program Files\Lenovo\PkgMgr\HOTKEY\bak"
"C:\WINDOWS\system32\IME\TINTLGNT\bak"
"C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\bak"
gerbil 216 Industrious Poster
It seemed to copy all the files back. Now this:
-option 3: start the program again, select to remove bak folders, into the text file that opens paste all the text between the lines:
_____________________________________________________________
"C:\sdwork\bak"
"C:\sdwork\bak"
"C:\Program Files\C4ebreg\bak"
"C:\Program Files\C4ebreg\bak"
"C:\Program Files\iTunes\bak"
"C:\Program Files\QuickTime\bak"
"C:\Program Files\VideoraiPodConverter\bak"
"C:\WINDOWS\system32\bak"
"C:\Program Files\Analog Devices\Core\bak"
"C:\Program Files\ATI Technologies\ATI.ACE\bak"
"C:\Program Files\Common Files\Symantec Shared\bak"
"C:\Program Files\Google\Google Talk\bak"
"C:\Program Files\Google\GoogleToolbarNotifier\bak"
"C:\Program Files\Google\Google Talk\bak"
"C:\Program Files\Google\GoogleToolbarNotifier\bak"
"C:\Program Files\HP\HP Software Update\bak"
"C:\Program Files\IBM\Personal Communications\bak"
"C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak"
"C:\Program Files\Synaptics\SynTP\bak"
"C:\Program Files\Synaptics\SynTP\bak"
"C:\Program Files\ThinkPad\ConnectUtilities\bak"
"C:\Program Files\ThinkPad\ConnectUtilities\bak"
"C:\Program Files\ThinkPad\Utilities\bak"
"C:\WINDOWS\ime\IMJP8_1\bak"
"C:\WINDOWS\system32\dla\bak"
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak"
"C:\Program Files\Common Files\Lenovo\Scheduler\bak"
"C:\Program Files\Common Files\Real\Update_OB\bak"
"C:\Program Files\IBM\SQLLIB\BIN\bak"
"C:\Program Files\Java\jre1.6.0_02\bin\bak"
"C:\Program Files\Lenovo\PkgMgr\HOTKEY\bak"
"C:\WINDOWS\system32\IME\TINTLGNT\bak"
"C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\bak\"
_____________________________________________________________
-close the text file and click Yes. Please post the contents of the notepad that opens.
gerbil 216 Industrious Poster
Actually, fix all three incl the restore one.
Did you do a reinstallation recently?
gerbil 216 Industrious Poster
Yep, you did, sometimes we're just way too slack here. I put it down to there being other, more fun or demanding things to do...
You have one too many resident AV services, uninstall one and restart. They spend a lot of your CPU time checking each other out....
Use hijackthis to fix these three log entries [the first two have done their job by now, which was a simple cleanup task and something to do with mediaplayer...][don't fix the last one if you REALLY do wish to run system restore at every startup]:
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\GOBLIN~1\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [WMC_0] C:\WINDOWS\system32\cmd.exe /c """""C:\WINDOWS\inf\unregmp2.exe"" /ShowWMP"""
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
There! How are things now?
gerbil 216 Industrious Poster
You still have a beta for IE!? Gee.... my halfpenworth? [bit like a cent, just older] worth of advice would be to stick with IE6, unless you desire a shoddy, bloated attempt to emulate FF, in which case get IE7 and find some sites still do not support it.
Use old java versions if you really want to get knocked down by malware hunting for them...
Common virus stuff? Your resident AV should pretty much cope? But obviously it does not... if you are getting repeat problems perhaps you don't have SP2, or did not clean completely [perhaps you still have an active downloader portion of the infection remnant..]
Toss us a hijackthis scan log [see top sticky].
gerbil 216 Industrious Poster
The toolbar will have a file that it runs from, and a reg key to start it. Remove them. Then follow up with a cleaner and online scan, Kaspersky or Panda.
gerbil 216 Industrious Poster
Hi. Uninstall Google Desktop. Make sure the O4, O20 and O23 entries are removed. Restart. Does stuff work now?
No? Then repair the links: http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip
Let me know what works [or not... ]
gerbil 216 Industrious Poster
I'm sorry, but I don't think I can help you any further, pacian... it looks like a registry setting is blocking your account from using AIM, but I would have thought a reinstallation would have cleared that. There is obviously a setting outside of AIM that affects you; I have no ideas on that. It would have been nice if you could have managed a Panda scan as per below, but I don't think that would solve your current problem, anyway.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here...
Cheers. I hope someone else knows what could be the block.
gerbil 216 Industrious Poster
FindAWF -option 2:dclick the .exe to start the program, select to restore files, into the text file that opens paste in all the text between the lines:
_____________________________________________________________
"C:\sdwork\bak\issimsvc.exe"
"C:\sdwork\bak\w32main2.exe"
"C:\Program Files\C4ebreg\bak\c4ebreg.exe"
"C:\Program Files\C4ebreg\bak\isamtray.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\Program Files\VideoraiPodConverter\bak\VideoraiPodConverter.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
"C:\Program Files\ATI Technologies\ATI.ACE\bak\CLIStart.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Google\Google Talk\bak\googletalk.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Google\Google Talk\bak\googletalk.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\IBM\Personal Communications\bak\tpam.exe"
"C:\Program Files\Symantec Client Security\Symantec AntiVirus\bak\VPTray.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\ThinkPad\ConnectUtilities\bak\ACTray.exe"
"C:\Program Files\ThinkPad\ConnectUtilities\bak\ACWLIcon.exe"
"C:\Program Files\ThinkPad\Utilities\bak\TpKmapAp.exe"
"C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe"
"C:\Program Files\Common Files\Lenovo\Scheduler\bak\scheduler_proxy.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\IBM\SQLLIB\BIN\bak\db2systray.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Lenovo\PkgMgr\HOTKEY\bak\TPHKMGR.exe"
"C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"
"C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\bak\delayStart.exe"
_____________________________________________________________
-close the text file and click Yes. Please post the contents of the notepad that opens.
=Please uninstall via CP all old versions of Java.
gerbil 216 Industrious Poster
Okay, CCleaner would not be the culprit.. your sys shows a total of seven RR runs that I have seen. Somewhere I remember seeing a reference to an AIM virus or trojan that strangely included a copy of sysinternals rootkit revealer... I am wondering if it runs RR when you try to start the infected AIM pgm.
Naturally I cannot at the moment find that reference.... sigh...
gerbil 216 Industrious Poster
Heh! Please don't question me too closely on Norton - I have not used it in ages!
If you cannot find any settings to control its startup options I think you are facing reinstalling it over itself, and then updating from the website.
I use AVG AV - it gives settings to enable/disable its various components but there is no option to set it to start or not at sys startup. In msconfig and other startup control applications there is the option to select whether it does start, but there is no way to write that option in if it is missing.... apart from reinstalling it, of course.
I suggest you go Start, run msconfig, startup tab and see if Norton is represented there...
gerbil 216 Industrious Poster
Please use hijackthis to fix this entry:
O15 - Trusted Zone: *.doginhispen.com
You have a trojan downloader that has replaced many of your system files with infected copies, so next...
==Please dl this file from http://noahdfear.geekstogo.com/FindAWF.exe
-dclick the .exe to start the program, type 1 and enter to start the process. Please post the contents of the notepad that opens.
gerbil 216 Industrious Poster
Ok, thanks for that domain info. Did you run Superantispyware; did it clear a vundo infection for you?
=This next removes registry traces; the first 3 are for a quite new bit of malware ntde1ect.com, the last is for that virus that Panda cleaned....
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as delkey.bat, as type "all files", to your desktop; dclick it to run.
__________________________________________________________
reg delete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\AutoRun\command" /va /f
reg delete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\explore\Command" /va /f
reg delete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\open\Command" /va /f
reg delete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef15fcc-6aa2-11dc-b1ee-001641b8e844}\Shell\AutoRun\command" /va /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{19081054-F27C-28E3-0207-030202010102}" /va /f
__________________________________________________________
=Use msconfig to remove an old startup entry for Google Web accelerator. [go Start, run msconfig, startup tab...]
..and that is about it, but for your re-establishing startup entries for Symantec. Do let me know how that goes.
gerbil 216 Industrious Poster
...and this?: Those O17 entries have meaning for you, I assume? - DomainName = corp.du.ae?
Do you know that domain? I ask only because it is a bit rare.....
Just a couple of things to tidy up, but first a query of your sys:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}" /s >C:\showkey.txt
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef15fcc-6aa2-11dc-b1ee-001641b8e844}" /s >> C:\showkey.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{19081054-F27C-28E3-0207-030202010102}" /s >> C:\showkey.txt
start C:\showkey.txt
__________________________________________________________
Re Norton/Symantec, all the startup entries have disappeared... you will have to start it manually and reset the default options - I am not familiar with its interface now so you will need to explore it, but just ensure that settings for autostart with windows are selected [it may require reinstallation to achieve this?]
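Added here as an example (not code from the thread or from any tool it mentions): a small reader for the showkey.txt format that the batch file above produces, which lists whether the queried MountPoints2 keys still carry a Shell\...\command launch value and whether the Active Setup component still has a StubPath. The sample output, GUIDs and paths are constructed placeholders, and the function names are my own.

```python
import re

# Constructed sample of `reg query ... /s` output (placeholder GUIDs and paths,
# not captured from a real machine). XP's reg.exe prints the default value as
# <NO NAME>; later versions print (Default); both are handled below.
SAMPLE_SHOWKEY = r"""
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000001}
    BaseClass    REG_SZ    Drive

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000001}\Shell
    <NO NAME>    REG_SZ    AutoRun

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000001}\Shell\AutoRun\command
    <NO NAME>    REG_SZ    E:\placeholder_autorun.exe

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{00000000-0000-0000-0000-0000000000AA}
    StubPath    REG_SZ    C:\placeholder\stub.exe
"""

def parse_reg_query(text):
    """Parse reg query /s output into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith((" ", "\t")):      # unindented line = key path
            current = raw.strip()
            keys[current] = {}
            continue
        parts = re.split(r"\s{2,}|\t+", raw.strip(), maxsplit=2)
        if current is not None and len(parts) == 3:
            name, vtype, data = parts
            if name in ("<NO NAME>", "(Default)"):
                name = "(Default)"
            keys[current][name] = (vtype, data)
    return keys

def find_launch_points(keys):
    """Return (key, data) for values that launch a program when the drive or
    Active Setup component is touched: Shell\\*\\command defaults under
    MountPoints2 and StubPath under Installed Components."""
    hits = []
    for key, values in keys.items():
        low = key.lower()
        if "\\mountpoints2\\" in low and "\\shell\\" in low and low.endswith("\\command"):
            if "(Default)" in values:
                hits.append((key, values["(Default)"][1]))
        if "\\active setup\\installed components\\" in low and "StubPath" in values:
            hits.append((key, values["StubPath"][1]))
    return hits

if __name__ == "__main__":
    for key, data in find_launch_points(parse_reg_query(SAMPLE_SHOWKEY)):
        print(f"{key}\n    launches: {data}")
```

Feed it the real C:\showkey.txt instead of the sample to see which of the three keys the delete batch targeted are still live.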
gerbil 216 Industrious Poster
Great....
Those O17 entries have meaning for you, I assume? - DomainName = corp.du.ae?
==Check the properties of this one- C:\WINDOWS\system32\actskn45.ocx -if it is not one you want then we shall delete it below.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Flash Module - {F0CBF6F9-4471-4257-ABC4-BCE4EF2ED5ED} - btasv.dll (file missing)
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [{9B-BD-DF-F9-ZN}] C:\windows\system32\kndsregq.exe OLI001
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\BESTSE~1\ugcw.exe" -start
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
- …
gerbil 216 Industrious Poster
Oh, you betcha. See if there is a copy in cache [system32\dllcache - you must show protected files and folders to see dllcache\..], but there may also be a copy in downloaded M$ files directory from a windows update...?, but that should be the same as the copy in cache.
Got one?... uh-oh... cos it should have been automatically replaced into system32\ from cache copy by windows...
Not got one?.. then get it from windows updates.
I really don't know how it could go missing.... possibly from a glitch during an update session?
You could use hijackthis to fix these two entries:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
-apart from that your log is clean.
...but I warn - I know Vista like I know the back of my head.
gerbil 216 Industrious Poster
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here with a hijackthis scan log..
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
gerbil 216 Industrious Poster
Interesting, Liz. Not one instance of svchost.exe running. I am not used to that. But then this is a Vista machine and I don't know too much about them.
C:\Windows\System32\svchost.exe
It may be an incompatibility with your version of hijackthis.... which is out of date/superseded.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and delete your old desktop copy. Make a fresh log for us.
gerbil 216 Industrious Poster
Hello, doc... if you still require a bit of help then this may be it.
Please remove one of your two resident AV scanning services - they will conflict and disrupt your system.
These entries are for repairs that have been done previously but not fully implemented by whatever tools you ran. Please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - (no file)
O2 - BHO: (no name) - {36B37709-CEF0-4387-923E-51E22D5AD1B4} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O20 - Winlogon Notify: rceky - C:\WINDOWS\java\Packages\rceky.dll (file missing)
Good. Now please rename Hijackthis_v2.exe to imabunny.exe and run another hijackthis scan, and post the log.
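Added here as an example (not from the thread or from HijackThis itself): a triage pass over HijackThis-style log lines of the kinds quoted in this thread, flagging orphaned entries marked (no file) or (file missing), a system.ini Shell= line that names anything beyond Explorer.exe, Trusted Zone additions and Winlogon Notify DLLs. The sample lines are constructed, and the function names are my own.

```python
import re

# Constructed sample modelled on the entry types quoted in the thread
# (not a real HijackThis log; the O15 domain is a placeholder).
SAMPLE_LOG = """\
R3 - URLSearchHook: Example Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Config\\lsass.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Flash Module - {F0CBF6F9-4471-4257-ABC4-BCE4EF2ED5ED} - btasv.dll (file missing)
O4 - HKLM\\..\\Run: [ctfmon] C:\\WINDOWS\\system32\\ctfmon.exe
O15 - Trusted Zone: *.example.test
O20 - Winlogon Notify: rceky - C:\\WINDOWS\\java\\Packages\\rceky.dll (file missing)
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")

def classify(line):
    """Return the reasons one log entry deserves attention, or [] if none."""
    reasons = []
    m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
    if not m:
        return reasons
    kind, body = m.groups()
    if any(marker in body for marker in ORPHAN_MARKERS):
        reasons.append("orphaned entry: referenced file is gone")
    if kind == "F2" and body.startswith("REG:system.ini: Shell="):
        shell = body.split("Shell=", 1)[1].strip()
        # The only expected value is Explorer.exe; anything appended is a
        # second program started as part of the shell.
        if shell.lower() != "explorer.exe":
            reasons.append("extra program in system.ini Shell=")
    if kind == "O15":
        reasons.append("site added to the Trusted Zone; confirm it is wanted")
    if kind == "O20":
        reasons.append("Winlogon Notify DLL loads at logon; verify it")
    return reasons

def triage(log_text):
    """Map each flagged log line to its list of reasons."""
    flagged = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            flagged[line] = reasons
    return flagged

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    -", reason)
```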
gerbil 216 Industrious Poster
Hello, Sreddy, if you still need help could you start off with this, please?
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
And post a fresh hijackthis scan log also...
gerbil 216 Industrious Poster
Pacian, I need to ask - did you run Rootkit Revealer even before I asked? Because there are 4 traces of separate runs in your first hijackthis log.... then, after I got you to delete them [post #16 above] there are now in your last hijackthis log 3 new runs of that service showing?!! Did you actually run Rootkit Revealer 3 times since you posted the previous hijackthis log?
gerbil 216 Industrious Poster
I don't know. What is the situation? If AIM is still not working I would simply reinstall it.