To make a restore point: Start > programs > accessories > system tools > system restore and follow instructions there.
[[the quick way in is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]
No prob with having done #38, just follow on. And nobody you know has a cd you can borrow? no nerdy kids nearby? Tell me about your puter, was it loaded with XP SP2 when you got it? If so, there is a chance that the necessary system repair files are in a hidden partition on it...
gerbil 216 Industrious Poster
I gotta get a rubber stamp made up.....
Welcome, Slappey...oops, Growler...:).. let's start -
Either: go Control panel > folder options OR: in an explorer window > tools>folder options; - then view tab, and press
Show hidden files and folders.
==Download fixwareout from http://www.bleepingcomputer.com/file...Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
Next check some settings....In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:
O17 - HKLM\System\CCS\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: NameServer = 85.255.116.104,85.255.112.229
gerbil 216 Industrious Poster
Welcome, Slappey... let's start -
Either: go Control panel > folder options OR: in an explorer window > tools>folder options; - then view tab, and press
Show hidden files and folders.
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
Next check some settings....In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:
O17 - HKLM\System\CCS\Services\Tcpip\..\{48A8E314-92AE-4E60-A158-2B78F584F05C}: NameServer = 85.255.116.84,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D5C8730-793B-4838-9E9B-E51A852300EE}: NameServer = 85.255.116.84,
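The O17 entries above are the part of a HijackThis log that shows which DNS servers each network adapter has been pointed at. As an added example (not from the post, and not part of HijackThis), here is a small Python checker that parses O17 lines from a log and reports every nameserver that is not on a list of resolvers the machine is expected to use. The sample log lines are constructed from the entries quoted in this thread; the allow-list and the CS1 adapter line are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample HijackThis lines, modelled on the O17 entries quoted in
# the post above (the 85.255.x.x servers are the thread's own values; the
# 192.168.1.1 line is an assumed healthy adapter for contrast).
SAMPLE_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{48A8E314-92AE-4E60-A158-2B78F584F05C}: NameServer = 85.255.116.84,85.255.112.137",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{5D5C8730-793B-4838-9E9B-E51A852300EE}: NameServer = 85.255.116.84,",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{5D5C8730-793B-4838-9E9B-E51A852300EE}: NameServer = 192.168.1.1",
])

# Hypothetical allow-list: the resolvers this machine is supposed to use
# (the ISP's servers or the home router). Assumption for the example.
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.*)$")


def parse_o17(line):
    """Return (registry key, [server, ...]) for an O17 line, or None for any other line."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return m.group("key"), servers


def unexpected_nameservers(log_text, expected=EXPECTED_RESOLVERS):
    """Collect every nameserver from O17 lines that is not on the allow-list.

    Returns {server: [adapter keys]} so the reader can see how many adapter
    keys point at the same unexpected resolver.
    """
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if not parsed:
            continue
        key, servers = parsed
        for s in servers:
            try:
                ip = str(ipaddress.ip_address(s))
            except ValueError:
                ip = s  # keep malformed values visible rather than silently dropping them
            if ip in expected:
                continue
            findings.setdefault(ip, []).append(key)
    return findings


if __name__ == "__main__":
    for ip, keys in unexpected_nameservers(SAMPLE_LOG).items():
        print(f"{ip}: set on {len(keys)} adapter key(s)")
```

Each unexpected resolver is reported once with the list of adapter keys that use it, which is the same grouping an analyst does by eye when several O17 lines name the same address; the trailing comma on the second sample line is tolerated because the split drops empty fields.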
gerbil 216 Industrious Poster
Ha! you got the rubbish version of firefox. Use what you have to get the REAL thing from Mozilla.com and uninstall the firefox you have.
gerbil 216 Industrious Poster
disconnect from the net.. still high? while off the net shutdown f-secure... still high? get process explorer from sysinternals [winternals..?]
gerbil 216 Industrious Poster
OS self-protects: it will not let you format the systemdrive. Get a third party format software on a floppy, or just do it when you enter Windows Setup to reinstall... if that is what you are putting in.
gerbil 216 Industrious Poster
windows OS is damaged, poss the registry. Grab an installation cd of the same update level, eg SP2, and it can be either a M$ version or an OEM one, and change your emergency boot order to CDRom first [my BIOS tells me to hit F11 to get that menu...], run Windows Setup and do a Repair [go past Recovery Console in setup - you do not want that].
gerbil 216 Industrious Poster
Do these things in this order.. if you wish download all three apps before you run them; post the results in a new thread in Viruses n Nasties forum
===Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
Now run Ccleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
[For future quick temp file cleaning select the options you wish to use. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option.]
===GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file.
HiJackThis
===download hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.
-in that folder …
gerbil 216 Industrious Poster
you have a smitfraud - i don't think Smitfraudfix will detect it tho - feel free to get the latest version and run it to check, but only run Option 1 and post the result. [don't run option 2 without a positive detection, cos SMF is keen to bust something, and it sets onto your desktop n does that in instead..].. :)Otherwise you could just use HT to fix [in SAFE mode]:
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll
...and then still in safe mode search for:
C:\WINDOWS\system32\msnhlp32.dll
....and delete it. Try SMF...
gerbil 216 Industrious Poster
What is with all the creative formatting? when posting you should turn wordwrap OFF. Anyway.. this to go on with:
===Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
Now run Ccleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
[For future quick temp file cleaning select the options you wish to use. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option.]
===GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file.
gerbil 216 Industrious Poster
nick, are you still interested in help? cos you have some trouble there..
Oh, here, just in case, to get you started.
Either: go Control panel > folder options OR: in an explorer window > tools>folder options; - then view tab, and press
Show hidden files and folders.
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
Next check some settings....In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
===To restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced …
gerbil 216 Industrious Poster
..and here is a more complete list of files to paste into Avenger:
Files to delete:
C:\windows\.protected
C:\symlcsv1.exe
C:\WINDOWS\system32\ogycsrw.exe
C:\WINDOWS\system32\hzhkhdet.exe
C:\WINDOWS\IFinst27.exe
C:\3b10545d3d62bb28bf60f37c
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE
C:\WINDOWS\system32\drivers\oryeobyk.sys
C:\WINDOWS\system32\drivers\ovygriae.sys
C:\WINDOWS\system32\drivers\fakofips.sys
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\ttvwa.ini2
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\ttvwa.bak2
When that completes, please UPDATE AVG AS, make sure that Recommended action is set to Quarantine [instructions in earlier post]; then run CCleaner, and lastly scan with AVG.
Post all those logs.
gerbil 216 Industrious Poster
Kristy, it is not important but you can skip my last post #38 to you re avenger - a more complete version follows this.
Please make a restore point before you do the next step..... I need you to run this batch file - it will list several registry keys to a text file in your C:\ root folder, C:\krquery.txt, and then remove them from the registry. To run the batchfile simply copy all the text between the stars below to a notepad [turn OFF wordwrap!!], name it bugremv.bat and save it [as All files] to your desktop. Then just dclick the icon to run it. Post me the txt file please.
******************************************************************
REM file to test if all entries exist and then delete them
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run" /v wskveucd >c:\krquery.txt
reg query "HKEY_USERS\.default\software\microsoft\windows\currentversion\run" /v Nqnzqv >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll" >> c:\krquery.txt
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run" /v wskveucd /f
reg delete "HKEY_USERS\.default\software\microsoft\windows\currentversion\run" /v Nqnzqv /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg" /va /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron" /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load" /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run" /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll" /f
******************************************************************
Now, do you have a task scheduled such as a regular backup? I can see Apple, CA, McAfee and RegistrySmart, but there is another …
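The batch file above queries each key before it deletes it, so C:\krquery.txt is the record of what was actually present on the machine. As an added example (not from the post), here is a Python parser for that file that splits reg.exe's concatenated output into one record per query and then says, for each target the batch file names, whether it was present or absent before the deletes ran. It assumes the reg.exe 3.0 output layout on XP: a `! REG.EXE VERSION` banner per query, then either the key line followed by indented value lines, or an `Error:` line when the key or value does not exist. The sample file contents are constructed; the value data shown for wskveucd and Gqxowron is invented for the example.

```python
import re

REG_HEADER = "! REG.EXE VERSION"

# Constructed krquery.txt contents, modelled on reg.exe 3.0 output for three of
# the queries in the batch file above. The value data is invented.
SAMPLE_KRQUERY = "\n".join([
    "! REG.EXE VERSION 3.0",
    "",
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run",
    "    wskveucd\tREG_SZ\tC:\\WINDOWS\\system32\\wskveucd.exe",
    "",
    "! REG.EXE VERSION 3.0",
    "",
    "Error:  The system was unable to find the specified registry key or value",
    "",
    "! REG.EXE VERSION 3.0",
    "",
    r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron",
    "    key\tREG_SZ\tSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "    item\tREG_SZ\tGqxowron",
    "",
])

# The (key, value) pairs the batch file queries, in the same order; None means
# the whole key was queried rather than a single value.
TARGETS = [
    (r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run", "wskveucd"),
    (r"HKEY_USERS\.default\software\microsoft\windows\currentversion\run", "Nqnzqv"),
    (r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron", None),
]


def parse_reg_query_output(text):
    """Split concatenated reg.exe output into one record per query.

    Each record is {"key": str|None, "values": {name: (type, data)}, "error": str|None}.
    """
    records, current = [], None
    for line in text.splitlines():
        if line.startswith(REG_HEADER):
            current = {"key": None, "values": {}, "error": None}
            records.append(current)
            continue
        if current is None or not line.strip():
            continue
        if line.startswith("Error"):
            current["error"] = line.split(":", 1)[1].strip()
        elif line.startswith("HKEY_"):
            current["key"] = line.strip()
        elif line[0] in " \t":
            # value lines are indented; fields are tab- or multi-space-separated
            parts = re.split(r"\t+|\s{2,}", line.strip())
            if len(parts) >= 2:
                data = parts[2] if len(parts) > 2 else ""
                current["values"][parts[0]] = (parts[1], data)
    return records


def check_targets(records, targets):
    """Map each (key, value) target to 'present' or 'absent' using the query records.

    Registry key and value names are case-insensitive, so comparisons are lowered.
    """
    by_key = {r["key"].lower(): r for r in records if r["key"]}
    result = {}
    for key, value in targets:
        rec = by_key.get(key.lower())
        if rec is None:
            result[(key, value)] = "absent"
        elif value is None:
            result[(key, value)] = "present"
        else:
            names = {v.lower() for v in rec["values"]}
            result[(key, value)] = "present" if value.lower() in names else "absent"
    return result


if __name__ == "__main__":
    for (key, value), status in check_targets(parse_reg_query_output(SAMPLE_KRQUERY), TARGETS).items():
        print(f"{status:8} {key}" + (f" /v {value}" if value else ""))
```

Keeping the query log separate from the delete step is what lets the helper later confirm which entries were really there; the parser tolerates the empty lines and banners reg.exe writes between queries, and an `Error:` record simply yields a record with no key, which check_targets reports as absent.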
gerbil 216 Industrious Poster
I'm not sure we should encourage self-help..tsk... we'll be outta business. Nice work... :). Now get this combofix n run it also...
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
gerbil 216 Industrious Poster
Kristy, do you have, or can you borrow, a windows installation CD? cos I think to get explorer working better you need to run system file checker. That is, start, run, type sfc /scannow -and Enter. That would/should fix any errors that some components may have.
Checking those logs you provided now...
Meanwhile, could you pls run Avenger again with this script to be pasted in?
Files to delete:
C:\windows\.protected
C:\symlcsv1.exe
C:\WINDOWS\IFinst27.exe
C:\3b10545d3d62bb28bf60f37c
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE
gerbil 216 Industrious Poster
Does XP have a list of allowable file extensions? Is there a way to add do the list?
A] yes, and it's in explorer: tools, folder options, file types. Quite a list there, and its length depends upon your loaded applications [they add to it automatically any file types they may wish to use]
B] yes. See the New button? best to stick to standard types of extensions though. See midi's web.
There is quite a bit you can do with that window -eg you can use it to add items to the Rclick context menu, set certain file types to open an app of your choice.... it takes you to dima's window also...
gerbil 216 Industrious Poster
Actually, before you post a new hijackthis log please do these things:
===GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 -the link is almost at the bottom of the page, avgas 7.5.0.50. Install it and UPDATE it.
Start AVG A-S 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file. Post the log file.
Combofix
===Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Your firewall had a lot of strange entries in it which enabled them to contact the net, but i see no trace of a firewall in use now. Are you relying upon window' firewall? It is a great thing right up until the moment you get infected, and then it is just false security. Get a good one - Zonealarm free, or Kerio. Now.
Please uninstall Soulseek and delete its folder from program files. It may be valid but i don't trust it with the spelling error in its parameter.
gerbil 216 Industrious Poster
Yes, i would not ask otherwise - some malware detect hijackthis initialising and stop so as to hide from it. Please do and repost.
gerbil 216 Industrious Poster
That soundservice one is playing tough. Okay, we'll direct Vundofix right to it.
Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Add more files? line, paste into the new window these two pathnames [one per line]:
C:\WINDOWS\System32\xpkngpis.dll
C:\WINDOWS\System32\sipgnkpx.*
Click the Add Files button, and next the Remove Vundo button.*****
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Check the vundofix log to see if it detected and removed C:\WINDOWS\System32\xpkngpis.dll.
If it did not then:
- in a windows explorer folder > tools>folder options>view, and press Show hidden files and folders
- restart your pc in Safe mode:
[ if you would prefer to use a script to do this next task automatically use the instructions below the line..]
- start regedit, navigate to this key :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- delete the entry …
gerbil 216 Industrious Poster
One other thing, i asked earlier for you to remove Norton/Symantec from your sys - I then assumed that this file detected by combofix was a relic from that AV - it is likely a problem file, it IS in the wrong area, and you don't want it. Please paste these two lines into the Avenger text box:
Files to delete:
C:\symlcsv1.exe
If Avenger still is not working for you, then we can try this manual way: download Unlocker 1.8.5 from http://ccollomb.free.fr/unlocker/ -install it.
You will then have to navigate to every single one of those files and rclick them and select Delete. All 23 of them. :|
Run ComboFix again and post its log.
gerbil 216 Industrious Poster
Kristy, re Avenger... did you enter the whole block including the files to delete label? I can enter it into avenger on my machine and it is quite happy about it.
Try this online scanner... we'll have to give up on panda for the while. : http://www.kaspersky.com/virusscanner post the results.
Perhaps you can try Avenger on this file- paste in this block:
Files to delete:
C:\windows\.protected
Did you manage to run f-secure's blacklight?
gerbil 216 Industrious Poster
Kristy, my apologies, I missed an important line with my cut and paste.... I have corrected the instruction, and taken the opp to add more files:
-you must be in an Administrator-privileged account to run this procedure...
Start Avenger; select “Input script manually” and then click the magnifying glass icon. Paste into the box these lines as one block:-
Files to delete:
C:\WINDOWS\system32\ogycsrw.exe
C:\WINDOWS\system32\hzhkhdet.exe
C:\WINDOWS\IFinst27.exe
C:\3b10545d3d62bb28bf60f37c
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\ycbeg.ini2
C:\WINDOWS\system32\ycbeg.bak2
C:\WINDOWS\system32\ycbeg.bak1
C:\WINDOWS\system32\mlkkj.bak2
C:\WINDOWS\system32\mlkkj.ini2
C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\f3pssavr.scr
C:\DOCUME~1\Kristy\APPLIC~1\bbbconfig.dat
C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE
C:\WINDOWS\WSYS049.SYS
C:\WINDOWS\system\tnebli.tmp
C:\WINDOWS\system32\ihhkj.tmp
C:\WINDOWS\system32\mlkkj.tmp
C:\WINDOWS\system32\ttvwa.tmp
C:\WINDOWS\system32\ycbeg.tmp
...and click Done, and finally the green light.
Follow prompts to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt
===I want you to do a manual search for this file ; if you find it, delete it:
w03a1090.dll
Next do a Scan Only with hijackthis and check these two entries for fixing, and press Fix Checked:
O4 - Startup: .protected
O4 - Global Startup: .protected
See how you go..
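The Avenger blocks in this thread (the one above and the earlier one addressed to Kristy) are plain text pasted by hand, and the posts show the two ways that goes wrong: a path pasted with doubled backslashes, and the same file listed twice. As an added example (not from the posts, and not part of Avenger), here is a Python linter that normalises a "Files to delete:" block before it is pasted: it collapses doubled backslashes, drops blank and duplicate lines (case-insensitively, since NTFS paths are case-insensitive), and reports any line that is not an absolute drive path. The sample block is constructed from paths quoted in the thread.

```python
import re

DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample block using paths quoted in the thread, with one
# duplicate entry and one path carrying doubled backslashes.
SAMPLE_SCRIPT = "\n".join([
    "Files to delete:",
    r"C:\WINDOWS\system32\pmbvkxh_nav.dat",
    r"C:\WINDOWS\system32\linkprd.exe",
    r"C:\WINDOWS\system32\pmbvkxh_nav.dat",
    r"C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE",
    "",
])


def lint_avenger_script(script):
    """Return (cleaned_block, problems) for a 'Files to delete:' block.

    cleaned_block keeps the header and one copy of each path, in order;
    problems is a list of human-readable notes about what was changed or
    looks suspicious. Raises ValueError if the header is missing, because
    Avenger needs it to know how to treat the lines that follow.
    """
    lines = [l.strip() for l in script.splitlines()]
    if not lines or lines[0].lower() != "files to delete:":
        raise ValueError("block must start with 'Files to delete:'")
    seen, cleaned, problems = set(), ["Files to delete:"], []
    for raw in lines[1:]:
        if not raw:
            continue
        # C:\\DOCUME~1\\... -> C:\DOCUME~1\... (a copy/paste artifact, not a real path)
        path = re.sub(r"\\\\+", r"\\", raw)
        if path != raw:
            problems.append(f"collapsed doubled backslashes: {raw}")
        if not DRIVE_PATH_RE.match(path):
            problems.append(f"not an absolute drive path, kept as-is: {path}")
        key = path.lower()
        if key in seen:
            problems.append(f"duplicate dropped: {path}")
            continue
        seen.add(key)
        cleaned.append(path)
    return "\n".join(cleaned), problems


if __name__ == "__main__":
    block, notes = lint_avenger_script(SAMPLE_SCRIPT)
    print(block)
    for note in notes:
        print("note:", note)
```

The linter only rewrites what it can justify from the text itself; a line that is not an absolute drive path is reported but left in place, so the person pasting the block still decides what to do with it.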
gerbil 216 Industrious Poster
Pleased you're pleased, ghg, but save some thanks for the people who write the tools we use, who ferret out every known variation of some pest and update their work.
Everything looks ok from here, esp if it's working for you.
Cheers, g.
gerbil 216 Industrious Poster
Nice, Easy, glad you're happy.. If the ppl who generated that guid, have made such a rare bird of an application that i can't find it out there, then James, imo there is a great chance it is dodgy. But it could well have been sonic's work; I spose it could be their way of encoding his machine info for their updater? I dunno; it would be fixable by reinstallation of their sware if it came to that..
gerbil 216 Industrious Poster
Ha. Garn. Would i hurt your sys? I had played with Unlocker, liked its capabilities, but didn't have any tough files to delete. Which is nice, I guess.
So, just a couple of things to fix: the startup entry for Ipwins, and one I missed from before.
Fix these:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
Is everything okay now? No popups, and cmd.exe is free?
There is one entry in the log that bothers me : C:\Program Files\Common Files\{F0889D5B-088C-2057-0720-05012306002c}\Update.exe
- I have no idea where that could have come from, you may know or can find from its properties, but I can see no harm in renaming its extension to .xbak [the x is to remind you that it is a .exe, should some valid pgm protest.]
gerbil 216 Industrious Poster
Go to add/remove pgms and remove a program with a name like MyWay [searchbar, whatever..]; delete the folder from Program Files.
Either: go Control panel > folder options OR: in an explorer window > tools>folder options; - then view tab, and press
Show hidden files and folders.
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
Next check some settings....In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
==Download Lspfix.exe from http://cexx.org/lspfix.htm -start it by dclicking the .exe, and press Finish.
==Start Hijackthis, do a Scan Only and place checkmarks against all of …
gerbil 216 Industrious Poster
Spyware Doctor? Oh, yes you do have it, I can see it - just go to add/remove pgms if you wish to uninstall it.
Use HT to fix this one - it should have gone after your first startup after you installed windows:
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
CCleaner
===Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
Now run Ccleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
[For future quick temp file cleaning select the options you wish to use. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is a furphy, much loved on some websites, but cleaning it is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
Now rename hijackthis.exe …
gerbil 216 Industrious Poster
Ripper... a guinea pig at last.. :)
Please get Unlocker from here: http://ccollomb.free.fr/unlocker/
Install it, uncheck the update option during installation if you wish; navigate to ipwins.exe [C:\Program Files\Ipwindows\ipwins.exe] and rclick it - a small window should open -select Delete and Ok. Please tell me if it works... and if so, delete the whole folder.
Do not worry about dll.host - its Global startup entry was fixed successfully.
You mentioned ipwins.dll -was this correct, or did you mean ipwins.exe?
gerbil 216 Industrious Poster
Ok, I'll format those posts, meanwhile run Smitfraudfix to clean:
- Go into safe mode.
- Start Smitfraudfix as before and press 2, Enter.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
Reboot into normal Windows and post here the text file which will appear on your screen, along with a new HT log.
You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.
And we can also do a bit of file removal, plus a rootkit check or two...
Please read thru the instructions on this page and then dl and run RootkitRevealer [link is at foot of page..]:
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
And another:
F-Secure Blacklight Beta
===Download the latest trial version of Blacklight beta from http://www.f-secure.com/blacklight/
Dclick the .exe [they change the name occasionally when they update it so I am not giving it here...], click Run, …
gerbil 216 Industrious Poster
Use cmd.exe. Go run, type cmd and Enter, and then navigate to the folder using chdir, and then type del this sucker. Do it in safe mode.. not to be any safer but cos no processes would be using it there - no handles to it. Or go get Unlocker.
What does the drwatson log show? \windows\drwatson\drwtsn32.log - drag it into a blank notepad.
gerbil 216 Industrious Poster
Uninstall pgm IpWindows.
C:\Program Files\Ipwindows\ipwins.exe -delete this file and the folder.
==Either: go Control panel > folder options OR: in an explorer window > tools>folder options;
-then view tab, press Show hidden files and folders, Apply and Ok.
===To restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode with Command Prompt and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
==Start hijackthis, do a Scan Only, and place checkmarks against all of the following, and press Fix Checked:
O2 - BHO: (no name) - {3DBAF53B-2576-4993-B270-411256569E8C} - (no file)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - (no file)
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\aejetnss.dll",setvm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: dllhost.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
-Now press Config button, Misc Tools tab and then Delete a File on Reboot; in the window which opens paste into the text box the following …
gerbil 216 Industrious Poster
And I have found a smitfraud file...
===Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:.. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
gerbil 216 Industrious Poster
Pls try vundofix, sdfix and panda again. I think vundofix may need to run a few times... the reason I say this is that i can SEE the vundo files in your ComboFix log...
gerbil 216 Industrious Poster
Kristy, just wait a mo while I check something, meanwhile please locate these and uninstall them; if they are not available in add/remove pgms then do a search and delete all their files/folders:
Funwebproducts or similar name
Messengerskinner
VirtualVillagers - the cracks are infected.
Gilbert Goodmate - infected
Family Feud - infected
Panda scan only runs in Internet Explorer.... when you hit the Scan my PC button a new window should open immediately to request a few pers details....
gerbil 216 Industrious Poster
I'm sorry that this work is coming thru in bits and pieces, but it's not easy, and I'm just looking at things in snatches.... please as a matter of urgency choose just one resident AV product and uninstall any other[s]. Since you have the CA suite, dump the others. I can see CA, mcafee and Norton products in that mix... Online scanners do not matter in this regard.
You must use only ONE firewall, also. They should auto-detect each other and switch them off, but....
Ignore the missing system files atm - they are only backups for a system recovery, and then are just for 16-bit apps.
gerbil 216 Industrious Poster
Kristy, run this one before you do the actions in my previous post #12....
Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.
gerbil 216 Industrious Poster
Kristy, did you set the AVG action to Quarantine as i wrote in my earlier post on running AVG A-S? It found heaps but did nothing about them..!!?? If it was not, then please set it correctly and re-run AVG AS.
Pls run this because there are virus traces in those logs:
Panda Online Scan:-
http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
This next should get a couple of files that ComboFix pointed out:
===Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
=Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will …
gerbil 216 Industrious Poster
My fault... del this one: C:\Program Files\Ipwindows\ipwins.exe
gerbil 216 Industrious Poster
I don't know what discs you have with your machine, but first you need to change the boot order - early on in POST hit F10, or maybe Del, and change the order so that CD boot is first...[if HD boot is first your sys will not search any further]. Now you need Recovery Console; when in that run:
chkdsk /p
No go still? Then run:
bootcfg /rebuild
in the console. A search will be made for any OS's on your machine, when they are found you will be queried about adding them to the boot.ini file.
gerbil 216 Industrious Poster
Good-oh, Kristy, but do that system state backup only after you are clean! [otherwise your reg backup may contain some dud entries..]
Do those cleanup steps first, in the order I wrote them.
Actually, you can just get those 2 files from your install cd. This is from M$:
1. Insert the CD into the CD drive or DVD drive.
2. Click Start, and then click Run.
3. In the Open box, type cmd, and then click OK.
4. At the command prompt, type the following commands, pressing ENTER after each command:
expand CD-ROM Drive Letter:\i386\config.nt_ c:\windows\system32\config.nt
expand CD-ROM Drive Letter:\i386\autoexec.nt_ c:\windows\system32\autoexec.nt
Simple! The full article is here:
http://support.microsoft.com/kb/324767
gerbil 216 Industrious Poster
config.sys is NOT config\system, and the msg was about the latter. config has system, sam, software, security and default - they are all used for startup in XP.
Safety?: well yes, there are excellent levels of protection - just once in a while do a system state backup [like no-one ever does....] to update the files in %systemroot%\repair, [or put the backups into another folder eg repairnew ] in which case the restoration of your sys' health is straightforward; but those five files are also backed up in every system restore point......
The trick is to get at them - recovery console cannot access them inside the System Volume Information folder, and if you restart your sys using an earlier-created set of files then System Restore will not know they exist! .... so you restart your sys using any old set from \repair, then access SVI and copy out the five files from a restore point just previous to the crash to a C: root temp folder, and finally use recovery console to copy em in to where they belong, in system32\config. And restart - your sys is now at the state it was in just before the crash.
Which pretty much goes to prove - do not ever let your sys crash. Ok, it sounds involved, but it's just one step after another on a logical pathway.
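The "get at them" part of the post above is the fiddly bit: picking the right restore point and pulling the five hives out of it with the right names. Here is an added example, not from the original posts, that does the selection and staging step on a copy of the System Volume Information tree (for instance with the drive hung off another machine, since the Recovery Console cannot read it in place). It assumes the XP restore-point layout of RPnnn\snapshot folders holding files named _REGISTRY_MACHINE_SYSTEM, _REGISTRY_MACHINE_SOFTWARE, _REGISTRY_MACHINE_SAM, _REGISTRY_MACHINE_SECURITY and _REGISTRY_USER_.DEFAULT, and it uses a constructed throw-away directory tree standing in for the real _restore{GUID} folder; the crash time is supplied as a number you get from the event log or the file dates.

```python
"""Stage the five registry hives from the newest XP restore point that predates
a crash.  Added example for this thread, not the original poster's code or any
tool mentioned in it; the snapshot layout is the documented XP one, and the
directory tree used for the demo is constructed here rather than read from a
real System Volume Information folder."""
import os
import re
import shutil
import tempfile

# Hive name as it lives in %systemroot%\system32\config -> name of the copy
# that System Restore keeps inside RPnnn\snapshot.
HIVE_SNAPSHOTS = {
    "system":   "_REGISTRY_MACHINE_SYSTEM",
    "software": "_REGISTRY_MACHINE_SOFTWARE",
    "sam":      "_REGISTRY_MACHINE_SAM",
    "security": "_REGISTRY_MACHINE_SECURITY",
    "default":  "_REGISTRY_USER_.DEFAULT",
}
RP_DIR = re.compile(r"^RP(\d+)$")


def list_restore_points(restore_root):
    """(number, snapshot path, mtime) for every RPnnn folder holding all five hives.
    Partial snapshots are skipped: restoring four hives from one point and one
    from another gives an inconsistent registry."""
    points = []
    for name in os.listdir(restore_root):
        m = RP_DIR.match(name)
        if not m:
            continue
        snap = os.path.join(restore_root, name, "snapshot")
        if all(os.path.isfile(os.path.join(snap, f)) for f in HIVE_SNAPSHOTS.values()):
            points.append((int(m.group(1)), snap, os.path.getmtime(snap)))
    return sorted(points)


def pick_restore_point(restore_root, before):
    """Newest complete restore point whose snapshot is older than `before`
    (epoch seconds).  A point taken after the crash may already carry the damage."""
    candidates = [p for p in list_restore_points(restore_root) if p[2] < before]
    if not candidates:
        raise FileNotFoundError("no complete restore point older than the crash time")
    return candidates[-1]


def stage_hives(restore_root, before, staging_dir):
    """Copy the five hives out of the chosen point into staging_dir, renamed to the
    plain names (system, software, ...) that the Recovery Console copy step expects."""
    number, snap, _ = pick_restore_point(restore_root, before)
    os.makedirs(staging_dir, exist_ok=True)
    staged = {}
    for hive, snapshot_name in HIVE_SNAPSHOTS.items():
        dst = os.path.join(staging_dir, hive)
        shutil.copy2(os.path.join(snap, snapshot_name), dst)
        staged[hive] = dst
    return number, staged


def build_demo_tree():
    """Constructed stand-in for _restore{GUID}: RP1 and RP2 are complete (older and
    newer), RP3 is missing the SAM hive and must be ignored."""
    root = tempfile.mkdtemp(prefix="_restore_demo_")
    for n, t in ((1, 1000), (2, 2000), (3, 3000)):
        snap = os.path.join(root, f"RP{n}", "snapshot")
        os.makedirs(snap)
        for hive, name in HIVE_SNAPSHOTS.items():
            if n == 3 and hive == "sam":
                continue
            with open(os.path.join(snap, name), "wb") as f:
                f.write(f"RP{n}:{name}".encode())
        os.utime(snap, (t, t))          # set after the files so the mtime sticks
    return root


def demo(crash_time=2500):
    """Run the whole thing on the constructed tree; returns what was staged."""
    root = build_demo_tree()
    number, staged = stage_hives(root, crash_time, os.path.join(root, "staged"))
    with open(staged["system"], "rb") as f:
        system_bytes = f.read()
    return number, sorted(staged), system_bytes


if __name__ == "__main__":
    number, hives, _ = demo()
    print(f"staged {hives} from RP{number}")
```

On a real disk point restore_root at C:\System Volume Information\_restore{GUID} (after taking ownership of the folder, or from another OS that ignores the NTFS ACLs), and point staging_dir at a folder in the C: root; the final copy into system32\config is still the Recovery Console step from the post, done with the machine booted from the old \repair set.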
gerbil 216 Industrious Poster
Kristy, when this cleanup is over you should do a backup of your system state cos a couple of files are missing [google for how...], note that this is not the same as a system restore!!
More work: go to add/remove pgms and remove this pgm, then into C:\program files and delete its folder:
IpWins
Good, now please fix these with hijackthis in normal mode:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe"
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [SetupVentureAfrica.exe] C:\DOCUME~1\Kristy\Desktop\SETUPV~1.EXE /r
O4 - Startup: .protected
O4 - Global Startup: .protected
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {FFC0A381-8145-4CFD-A768-A2259776C179} (PTV xVectorMap Plugin 3.1) - http://xvectormap.ptv.de/xvectormap/PTVxVectorMap31.cab
Now please do these runs in this order:
Combofix
Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
..or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if …
gerbil 216 Industrious Poster
Then check page 1 of this thread for my advice.... there is a difference between Windows Update and Microsoft Update [are you sure it was Windows update that caused the hang?]. The state of the former is checked by your security centre, it does not check the latter. If you have them both turned on the updates come down the one pipe.
gerbil 216 Industrious Poster
===Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O2 - BHO: (no name) - {4959A7E4-149E-4BB2-8DF9-4C44CC39BB51} - C:\WINDOWS\System32\geefe.dll (file missing)
O2 - BHO: Image Helper - {64D712D1-84D9-281C-CE7D-32439D631863} - C:\WINDOWS\system\bpmtcs32.dll
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm
-Now press Config button, Misc Tools tab and then Delete a File on Reboot; in the window which opens paste into the text box the following pathname, press Open and then Yes...
C:\WINDOWS\System32\xpkngpis.dll
===Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
===Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
===Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load …
gerbil 216 Industrious Poster
Ok, that is prob a bit harsh, cos it is very likely not your fault, but you owe me a beer for struggling a bit of the way into that log - my eyes died trying..... Do this:
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Either: go Control panel > folder options OR: in an explorer window > tools>folder options;
- then view tab, press Show hidden files and folders, Apply and Ok.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish.
After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
Next check some settings....In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
HiJackThis - get a fresh copy, remove the …
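The HijackThis entries gerbil picks out across these posts follow a few repeatable patterns: a nameless or file-missing BHO, a rundll32 line calling an export of a DLL, autoruns launched from a user's Desktop or temp folder, startup items called .protected, remote ActiveX cabs (DPF), and a NameServer value that nobody set on purpose (the thing the Fixwareout and "Obtain DNS servers automatically" steps undo). The script below is an added example, not part of the thread or of HijackThis itself; it applies those checks to a constructed sample log whose lines are modelled on the ones quoted in the posts, with documentation-range IP addresses standing in for hijacked resolvers. The list of expected resolvers is an assumption (home-router and private ranges) and would be adjusted to the ISP's servers.

```python
"""Triage a HijackThis log for the entry patterns this thread fixes.
Added example: not the original poster's code and not part of HijackThis.
SAMPLE_LOG is constructed (CLSIDs and paths modelled on the thread, DNS
addresses from the documentation ranges)."""
import ipaddress
import re

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
FILE_MISSING = "(file missing)"

# Assumption: resolvers we expect to see are a LAN router or private-range
# addresses handed out by DHCP.  Anything else in an O17 line gets flagged.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Locations a legitimate autorun rarely points at.
USER_PROFILE_HINTS = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\", "\\desktop\\")

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4959A7E4-149E-4BB2-8DF9-4C44CC39BB51} - C:\WINDOWS\System32\geefe.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpkngpis.dll",setvm
O4 - HKCU\..\Run: [SetupVentureAfrica.exe] C:\DOCUME~1\Kristy\Desktop\SETUPV~1.EXE /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: .protected
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O16 - DPF: {FFC0A381-8145-4CFD-A768-A2259776C179} (PTV xVectorMap Plugin 3.1) - http://xvectormap.ptv.de/xvectormap/PTVxVectorMap31.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20689ED6-9A8C-480D-8D42-438F6CEA161D}: NameServer = 192.0.2.53,198.51.100.53
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A0A0A0A-0000-0000-0000-000000000001}: NameServer = 10.0.0.1
"""


def triage_line(line):
    """Return the reasons an HJT line is suspicious; an empty list means leave it."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    low = body.lower()
    reasons = []
    if FILE_MISSING in low:
        reasons.append("points at a file that no longer exists")
    if section == "O2" and low.startswith("bho: (no name)"):
        reasons.append("nameless BHO")
    if section == "O4":
        if "rundll32.exe" in low and '.dll",' in low:
            reasons.append("rundll32 loader calling an export of a DLL")
        if any(h in low for h in USER_PROFILE_HINTS):
            reasons.append("autorun launched from a user profile or temp location")
        if body.split(": ", 1)[-1].strip() == ".protected":
            reasons.append("startup entry named .protected")
    if section == "O16":
        reasons.append("downloaded ActiveX control (DPF): check where the cab came from")
    if section == "O17" and "NameServer =" in body:
        for raw in body.split("NameServer =", 1)[1].split(","):
            try:
                addr = ipaddress.ip_address(raw.strip())
            except ValueError:
                reasons.append(f"unparseable DNS server value {raw.strip()!r}")
                continue
            if not any(addr in net for net in EXPECTED_RESOLVERS):
                reasons.append(f"DNS server {addr} is outside the expected resolvers")
    return reasons


def triage_log(text):
    """Map each flagged line to its list of reasons."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for line, why in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in why:
            print("   ->", r)
```

Run it against a saved hijackthis.log instead of SAMPLE_LOG to get a shortlist for Fix Checked. Note what it deliberately does not flag: the QuickTime and Adobe entries are merely unnecessary, which is why gerbil clears them for tidiness rather than as malware, and the 10.0.0.1 resolver is left alone because it sits in an expected range.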
gerbil 216 Industrious Poster
Kristy.... you have to help us help you... check the log posts in a couple of other threads - yours does not look like them. Please format it correctly and repost. A start would be to turn off wordwrap in notepad, but I think you may have to do some manual work as well - I dunno. Sorry.
gerbil 216 Industrious Poster
Ha. It beats me why your firefox cookies are not being removed by ATF Cleaner. Here is another cleaner, the one I use myself.... I just gave you ATF cos it is easily configured for a quick clean during a spyware removal job. CCleaner is more comprehensive; I suggest you get it and have a play....
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
[For future quick temp file cleaning select the options you wish to use. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is a furphy, much loved on some websites, but cleaning it is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.]
…
gerbil 216 Industrious Poster
I was interested in the log Avenger made when it removed this file: C:\WINNT\system32\ggoyadys.dll
Any log remaining would be at C:\avenger.txt, but it may have been overwritten. The error msg comes up cos the file is gone - I didn't mean you to run it again but to retrieve the log for me from the earlier run. There is no need to re-run AVG [all those cookies should have been taken out by ATF cleaner before that last AVG run] - it came up clean already.
Do you have any problems still?
gerbil 216 Industrious Poster
Wow.... a great collection of malware. Are you serious that Adaware did not remove some of this??? Ri-ight...
Don't try a Repair with all this bad gear, you will face certain disappointment. In fact, a reinstall is called for.... but it is fixable without that if you wish to try - I look on it as an exercise for me... A reinstall will destroy any files you have in the same folder as the OS.
gerbil 216 Industrious Poster
I was just being silly about the HP file... anyway, I have gone as far as I can with advising you on this one - I just do not know 98. You do seem to have a fair load of scanners on the machine; my advice would be to keep the Kaspersky AV, stop the teatimer, and uninstall all the others. You can run Spybot on demand.