Reposting to give you a zipped file... more manageable. Do you think this shonky site would let me edit the previous post to add an attachment? No way would that button work [and I was inside the time limit..]
Pinki, that driver list you are seeing is the boot-level drivers only, you need the rest of them. Now this list of drivers/driver groups is taken from my SP2 machine... I'm on a slowish connection so have not gotten around to dling that 60+MB SP3 file yet.
If you load these they may do the job, if they don't then nothing will be broken, you will still be able to start in normal mode cos the safeboot key is not read for a normal load. At worst, you'll get a bluescreen. You would then have to find the correct key from someone with an SP3 machine. I've done a bit of a web search and can not find a reference file or key list, not even a whinge that there is a difference.
This file will add these keys to those that you have there already. Note that your AV service will not have been started...
==Unzip the attached .reg file, dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
And give it a shot.
Pinki, that driver list you are seeing is the boot-level drivers only, you need the rest of them. Now this list of drivers/driver groups is taken from my SP2 machine... I'm on a slowish connection so have not gotten around to dling that 60+MB SP3 file yet.
If you load these they may do the job, if they don't then nothing will be broken - at worst, you'll get a bluescreen. You will still be able to start in normal mode cos the safeboot key is not read for a normal load. You would then have to find the correct key from someone with an SP3 machine. I've done a bit of a web search and can not find a reference file or key list, not even a whinge that there is a difference.
This file will add these keys to those that you have there already.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP …
Timing of the F8 press can be important... you should wait until BIOS lists your hard drives; its action is then to simulate the addition of /safeboot to the load instruction in your boot.ini. Pressing F8 too early will start the drive boot order menu, at least on my machine.
Heya, pinki.... starting with the silly stuff first.... just ensure that your Function keys are activated at boot and not the alternates on the keys. Do you not even get to the screen with the several Mode choices?
Thinking of slapping me cos you're not that silly? Okay, just check these two keys in your registry [in normal mode]:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal] ... should have almost 15 CLSIDs and maybe 30 other subkeys like File System, Primary Disk..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network] ... should have close to 20 CLSIDs and 60 - 70 other subkeys.
All these subkeys have only a Default value; they tell the kernel which drivers and driver groups to load [the scrolling list on the black background]. Some malwares delete them for a bit of fun.
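As an added example (not part of the thread, and not anything the poster ran), here is a Python check that does the inspection described in the post above without clicking through regedit: export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal safeboot.reg`, feed the text to `audit_safeboot()`, and it counts the CLSID subkeys, counts the named subkeys, lists any subkey that carries more than a Default value or whose Default is not one of Driver / Driver Group / Service, and reports which of the driver-group subkeys from the fixkey.reg posted earlier are missing. The export text below is constructed for the demonstration (deliberately short, with one extra value and several groups missing); the function names and the `REQUIRED_MINIMAL` set are this example's own assumptions, the latter taken from the fix file quoted above.

```python
import re
from typing import Dict

# Constructed sample: a trimmed-down "reg export" of SafeBoot\Minimal, not taken from a real machine.
# (reg.exe writes exports as UTF-16LE; open the file with encoding="utf-16" before passing the text in.)
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\extra.sys]
@="Driver"
"Start"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
EXPECTED_TYPES = {"Driver", "Driver Group", "Service"}
# Driver-group / service subkeys taken from the fixkey.reg posted above (assumed minimum set).
REQUIRED_MINIMAL = {"Base", "Boot Bus Extender", "Boot file system", "File system",
                    "Filter", "PCI Configuration", "PlugPlay", "EventLog"}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: raw data}}; '@' becomes '(Default)'.
    Only single-line values are handled (hex(...) continuation lines are not needed here)."""
    tree: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            tree[current]["(Default)" if name == "@" else name.strip('"')] = m.group("data")
    return tree


def audit_safeboot(tree: Dict[str, Dict[str, str]],
                   base: str = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal") -> Dict:
    """Count CLSID and named subkeys directly under `base`, flag anything beyond a Default value,
    flag Defaults that are not Driver/Driver Group/Service, and list missing required groups."""
    prefix = base.lower() + "\\"
    clsids, named, problems = 0, set(), []
    for key, values in tree.items():
        if not key.lower().startswith(prefix):
            continue
        sub = key[len(prefix):]
        if "\\" in sub:
            problems.append(f"unexpected nested key: {sub}")
            continue
        extras = sorted(n for n in values if n != "(Default)")
        if extras:
            problems.append(f"{sub}: extra values {extras}")
        if CLSID_RE.match(sub):          # device-class GUIDs carry a description as Default
            clsids += 1
            continue
        named.add(sub)
        default = values.get("(Default)")
        if default is None:
            problems.append(f"{sub}: no Default value")
        elif default.strip('"') not in EXPECTED_TYPES:
            problems.append(f"{sub}: Default is {default}, not Driver/Driver Group/Service")
    return {"clsids": clsids, "named": len(named),
            "missing": sorted(REQUIRED_MINIMAL - named), "problems": problems}


if __name__ == "__main__":
    for k, v in audit_safeboot(parse_reg(SAMPLE_EXPORT)).items():
        print(f"{k}: {v}")
```

On a healthy SP2 machine the counts should land near the "almost 15 CLSIDs / maybe 30 other subkeys" figure the post gives; an empty `missing` list and an empty `problems` list is what you want to see, and any subkey reported with extra values deserves a look since the genuine ones carry nothing but a Default.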
You're doing fine. This should solve the redirection problem:
Use hijackthis to fix these two entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
Delete this file:
C:\WINDOWS\privacy_danger\index.htm
To make things a bit easier, instead of using explorer [it is only a UI] use Task Manager instead.... even without your explorer running you can start it with Ctrl-Alt-Del. Then go Files > New Task[Run] and paste in:
H:\Help\HiJackThis.exe
To delete that file, run instead:
cmd
..and paste into the cmd window:
del /f C:\WINDOWS\privacy_danger\index.htm
Now try with a freshly dl'd copy of MBAM [or Run from the dl site]. Only if that will not work then do this:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-Important! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
I understand, weasel, so let's work for the moment with what you have: please start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O3 - Toolbar: fdkowvbp - {88E2C28F-80C8-49BA-94A3-A5D4930B4A23} - C:\WINDOWS\fdkowvbp.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: WIKI.DLL
O21 - SSODL: kvxqmtre - {36124790-EB2B-4710-A22A-1A3E2E8AF093} - C:\WINDOWS\kvxqmtre.dll
O21 - SSODL: evgratsm - {AD7737B1-286C-46CE-A38C-EDF32F66B1EB} - C:\WINDOWS\evgratsm.dll
O21 - SSODL: wnslvxtf - {79AA8769-D93B-4E62-9EC1-B4BBF684385E} - C:\WINDOWS\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {42957140-5665-4E2D-9D2D-A59910D26B86} - C:\WINDOWS\eqvwamkl.dll
Now delete these files... if they put up a fight I can give you a tool to do it with, else you can delete them from Safe Mode.
C:\WINDOWS\qndsfmao.dll
C:\WINDOWS\fdkowvbp.dll
C:\WINDOWS\kvxqmtre.dll
C:\WINDOWS\evgratsm.dll
C:\WINDOWS\wnslvxtf.dll
C:\WINDOWS\eqvwamkl.dll
C:\WINDOWS\system32\WIKI.DLL -this one may be in the windows folder if not here.
The deleter...Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Once those files are gone try again to run MBAM and the new version of hijackthis. If they still cannot run from the dl'd files, Run them from the dl site instead [Hijackthis will give you a warning about running from a temp folder, but proceed anyway].
Good luck.
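Added example, not code from the thread or from HijackThis itself: a small parser for the log format the posts above are reading, with the triage rules that made those particular lines stand out (toolbar and SSODL DLLs sitting in the Windows root with eight-letter generated names, an AppInit_DLLs entry, IE restriction and DisableRegedit policies, an orphaned O9 with "(file missing)", an O24 Active Desktop component pointing at a local file). The sample log is constructed from the lines quoted in this thread plus one benign O4 line; the function names and the heuristics are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample log. The flagged lines are the ones quoted in the posts above; the O4 line is
# benign padding (ctfmon.exe is a normal XP entry) added so the triage has something to leave alone.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed excerpt)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O20 - AppInit_DLLs: WIKI.DLL
O21 - SSODL: kvxqmtre - {36124790-EB2B-4710-A22A-1A3E2E8AF093} - C:\WINDOWS\kvxqmtre.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
PATH_RE = re.compile(r"[A-Z]:\\\S+", re.I)
WINROOT_DLL_RE = re.compile(r"^[A-Z]:\\WINDOWS\\([^\\]+)\.dll$", re.I)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")   # the qndsfmao / kvxqmtre naming pattern


def parse_hjt(text: str) -> List[Dict]:
    """Split a HijackThis log into entries: section code, body, CLSID and file path if present."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # banner, blank or wrapped lines
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append({"code": m.group("code"), "body": body,
                        "clsid": clsid.group(0).upper() if clsid else None,
                        "path": path.group(0) if path else None})
    return entries


def triage(entries: List[Dict]) -> List[Dict]:
    """Attach a reason to every entry that matches a hijack pattern; entries with no reason are dropped."""
    flagged = []
    for e in entries:
        reasons = []
        code, body, path = e["code"], e["body"], e["path"]
        if path and (m := WINROOT_DLL_RE.match(path)):
            reasons.append("DLL in the Windows root folder, not system32")
            if RANDOM_STEM_RE.match(m.group(1)):
                reasons.append("eight random lowercase letters: generated name")
        if code == "O20":
            reasons.append("AppInit_DLLs set: injected into every process that loads user32.dll")
        if code in ("O6", "O7"):
            reasons.append("policy lockout (IE restrictions / DisableRegedit)")
        if "(file missing)" in body:
            reasons.append("orphaned entry, target file missing")
        if code == "O24" and "file:///" in body:
            reasons.append("Active Desktop component pointing at a local HTML file")
        if code.startswith("R") and "http" in body:
            reasons.append("browser start/search page set; verify the URL")
        if reasons:
            flagged.append({"code": code, "path": path, "clsid": e["clsid"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f["code"], f["path"] or f["clsid"] or "", "->", "; ".join(f["reasons"]))
```

The paths collected in `path` are the ones you would then hand to `del /f` from Task Manager's Run box, or to Unlocker if they resist, exactly as the post describes; the O20 entry has no path because AppInit_DLLs only names the file, so WIKI.DLL still has to be hunted down in system32 or the Windows folder by hand.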
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application, then ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything found is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Post also a fresh hijackthis [your version is obsolete!!] log with your comments:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
A note... if you dl MBAM to somewhere easy to find you can start it from Task Manager > File > New Task >... Enter mbam-setup.exe
Dangerous? Simply that it has capabilities that enable you to delete partition tables; change disk geometry, partition types... which are things you certainly do not want to do. You are making me uncomfortable.. so may I suggest that you ignore the TestDisk part and use the PhotoRec section instead?
"TestDisk doesn't need to be installed, you only need to extract the full windows subdirectory and run win\photorec_win.exe"
For the helpfile, which you should read, run doc\testdisk.html
Because doing that often is unwieldy I use batch commands of the form:
@ECHO OFF
Start /D"E:\Disk & System Tools\Disk Tools\testdisk-6.9\doc" testdisk.html
-saved as, say, 00TestdiskHelp.cmd. You would naturally replace my path E:\Disk & System Tools\Disk Tools with yours...
Another:
@ECHO OFF
Start /D"E:\Disk & System Tools\Disk Tools\testdisk-6.9\win" photorec_win.exe
-saved as, say, 00PhotoRec.cmd
Hello, shane... for a start I think you need a better Firewall. If you check the nod32 log entries you posted you will see that svchost.exe was contacting dangerous websites. Comodo Firewall Pro [free] would have alerted you to the fact that it was attempting to make web connections before any connection was made.
The hijackthis log shows as clean, but you could use it to fix these two orphaned entries:
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
Something must be there, though, to cause svchost to open connections, so to check a little further would you please:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will …
Heya, Polop, good stuff. But re your hurt, I was referring to file deletion; not sure I said or meant lost forever: "But not if they have been overwritten.... nothing can help then."
There is a great difference between deletion and erasure... deletion simply involves removing a file table entry and freeing up the file space on the disk; all the file still exists [until some other file is written into the freed space], it just does not have a pointer to it. The tool I suggested is pretty thorough, another good and quick one is Restoration.exe which has a distinct advantage in that it will dl to and run from a removable drive like a floppy with no installation required. Which means that there is less risk of new files overwriting deleted file space.
I was surprised when I first ran TestDisk for another task - it found a couple of partitions and some of their files that I had long since deleted or moved the boundaries thereof. A good tool just a bit dangerous, is all. Try it.
Regarding a backup program... it's not very helpful of me if I don't suggest one... after sorting through a selection this is the one I use [the freeware version].
http://www.2brightsparks.com/syncback/
Very easy to setup... and then it just works. Can't ask for more than that.
Its interface makes it easy to choose files, folders, to backup and also to remove unwanted backed-up material, schedule backups etc.
Hello, polop... I'm not going to take the time to examine each of the pests and their usual actions. I know of malwares which deliberately search for and delete jpg and vid files. Damage is done. I can give you another forensic tool [free] which will scan your disk thoroughly and find files [if they exist] even in deleted partitions. But not if they have been overwritten.... nothing can help then.
By the way... and I know that you have heard this advice before, but now there is a hammer behind it to drive it home... BACKUP!!! It's not as if it's a chore.... once you set it up it is automatic, in the background, no finger lifting required.
First thing to do when stuff vanishes is to check with cmd.exe's dir command, just in case it is a simple case of changed attributes.
Get TestDisk 6.9 ... It's not a simple tool to learn and run, but it works. If it doesn't find your missing files, then just accept that some lessons are hard. Beware!! that pgm can destroy your installation if you misuse it. So think before you press buttons... it does not ask for confirmations.
In case your redirection problem is a simple set of alterations to your Hosts File you might try this as a first step:
==download HostsXpert from http://www.funkytoad.com/content/view/13/31/
-click the top button Make Writable if it is available
-click Restore MS Hosts File button.
If instead you would like to clear your hosts file manually [C:\Windows\system32\drivers\etc\hosts] then apart from the helpful guff from M$ which may or may not exist in your hosts file, this should be the only [or bare minimum!!] entry:
127.0.0.1 localhost
Drag Hosts into an empty notepad, edit it and Save.
You may find that you are not able to save the changed/corrected file. This is because some security applications, possibly also various malware, will lock your Hosts file [make it read-only] as a protection. Lock/Unlock hosts exists in Zonealarm and Spybot S&D.
ZoneAlarm : look under firewall, advanced;
Spybot : click Tools, Hosts File, uncheck "Lock Hosts file read-only as protection against hijackers"
Or just...[but a Spybot setting may over-ride this command....] do this:
Go Start, run, type cmd ...and press Enter. Paste this line into the window at the prompt, press Enter, close the window and try to save the file again.
attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS
Now try to get MBAM.
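Added example, not something from the post or from HostsXpert: a Python audit of the Hosts file that applies the rule stated above, namely that `127.0.0.1 localhost` is the only line that belongs there. It parses the file the way the resolver does (comments after `#` ignored, first token the address, the rest hostnames), reports every hostname that is blackholed to loopback or pointed at some other address, and `clean_hosts()` rebuilds the file keeping only the Microsoft comment header and the loopback line, which is what the manual edit in the post amounts to. The sample file is constructed (the `203.0.113.9` address is from the documentation range, and `av-updates.example` is a reserved example name); the function names are this example's own. Run it against `%SystemRoot%\system32\drivers\etc\hosts` after the `attrib -r -h -s` step if you want to write the result back.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file: the usual Microsoft header comments, the one legitimate line,
# and three entries of the kind a hijacker adds (two blackholed to loopback, one redirected).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.microsoft.com      # update site made unreachable
127.0.0.1       av-updates.example
203.0.113.9     www.google.com            # search engine redirected elsewhere
"""

# The post says this is the only entry that should exist; ::1 localhost is accepted as well.
LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, address, [hostnames]) for every entry; '#' comments are stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or an address with no name
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def audit_hosts(text: str) -> List[Dict]:
    """Flag every hostname that is not the loopback/localhost pair."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append({"line": lineno, "name": " ".join(names),
                             "reason": f"unparseable address {addr!r}"})
            continue
        for name in names:
            if ip.is_loopback and name.lower() in LOOPBACK_NAMES:
                continue  # the one line that belongs here
            reason = ("blackholed to loopback: site silently unreachable" if ip.is_loopback
                      else f"redirected to {ip}")
            findings.append({"line": lineno, "name": name, "reason": reason})
    return findings


def clean_hosts(text: str) -> str:
    """Rebuild the file with the comment header intact and 127.0.0.1 localhost as the only entry."""
    kept = [raw for raw in text.splitlines() if raw.lstrip().startswith("#")]
    kept.append("127.0.0.1 localhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['reason']}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Anything reported as "blackholed to loopback" is the classic pattern that stops MBAM and vendor update sites from downloading, which is why the post suggests checking Hosts before anything else.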
Oops! I meant, of course, MBRWiz [or MBRWhiskey]... but you'd have found it.
Sorry...
http://red.boot-land.net/index.html
This dl contains both tools, the latest versions.
The commandline tool is straightfwd, as I said earlier... just save it [may have to unzip first], open cmd, cd to the path and then type..
mbrwiz -to see the parameter helplist.
So basically:
mbrwiz /list
mbrwiz /disk= yours, counts from zero
mbrwiz /part= yours, counts from zero
So: mbrwiz /disk= the one /part=the one /type=07
07 is ntfs...
0c is FAT32...
I am not sure a Repair will do it, bob.. Repair would want to format the drive [partition]. I think all that this virus/pest has done is alter the piece of code in the boot sector which defines partition encoding type... ie changed it from NTFS or FAT32 to RAW . And it would only have to alter the code in the boot partition [usually C:] That code can be directly edited to whatever it was using [free] 3rd party tools. I have not done it, though. May have a scout around.
I'm looking for tools which you can boot with as well; I have a couple of tools which can directly edit partition type from a running XP.. so Sparkax would have to slave the drive to use them... but there is no problem there. Both are straightfwd to use, both can do EXTREME damage [it is their nature].
Testdisk-6.9
MBRWhiz [command line tool] [or MBRWhiskey for a GUI version] - the latter is simpler to use.
Anyway, both will allow you to edit the file structure type. They don't ask for confirmation... eg. if you set them to delete a partition, they just do it. BANG.
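Added example (not from the posts, and nothing mbrwiz or TestDisk ships): a Python decoder for the structure the `mbrwiz /type=07` and `/type=0c` commands above are editing. `parse_mbr()` reads the four 16-byte entries at offset 0x1BE of the first sector and the 0x55AA signature; `set_type()` rewrites one entry's type byte on a copy, which is what `/type=` does; and `audit_disk()` cross-checks each type byte against the filesystem signature in the partition's own boot sector (the "NTFS    " OEM ID at offset 3, or the "FAT32   " / "FAT16   " type strings), because a volume shows as RAW when that boot sector is not recognised, regardless of the type byte. The disk image is constructed in memory; the example assumes 512-byte sectors and a classic MBR, not GPT, and the function names are its own.

```python
import struct
from typing import Dict, List

SECTOR = 512
# Partition type codes mentioned above plus a few common ones (assumed table, not exhaustive).
TYPE_NAMES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32 (CHS)",
              0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(mbr: bytes) -> List[Dict]:
    """Decode the four primary entries of a classic MBR (offset 0x1BE, 16 bytes each)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    entries = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, 0x1BE + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "type_name": TYPE_NAMES.get(ptype, f"unknown 0x{ptype:02X}"),
                        "lba_start": lba_start, "sectors": count})
    return entries


def set_type(mbr: bytes, index: int, new_type: int) -> bytes:
    """Return a copy of the sector with one entry's type byte changed (what mbrwiz /type= does)."""
    buf = bytearray(mbr)
    buf[0x1BE + 16 * index + 4] = new_type
    return bytes(buf)


def vbr_filesystem(vbr: bytes) -> str:
    """Identify the filesystem from a partition's first sector; anything unrecognised reads as RAW."""
    if vbr[510:512] != b"\x55\xAA":
        return "RAW (no boot signature)"
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    if vbr[82:90] == b"FAT32   ":
        return "FAT32"
    if vbr[54:62] in (b"FAT12   ", b"FAT16   "):
        return vbr[54:59].decode()
    return "RAW (unrecognised)"


def audit_disk(image: bytes) -> List[Dict]:
    """For every used entry, compare the MBR type byte with what the boot sector actually holds."""
    report = []
    for e in parse_mbr(image[:SECTOR]):
        if e["type"] == 0:
            continue
        start = e["lba_start"] * SECTOR
        fs = vbr_filesystem(image[start:start + SECTOR])
        expected = {"NTFS": {0x07}, "FAT32": {0x0B, 0x0C}}.get(fs, set())
        e["filesystem"] = fs
        e["consistent"] = e["type"] in expected
        report.append(e)
    return report


def _entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba_start, sectors)


def build_sample_image() -> bytes:
    """Constructed 2 MiB image: bootable NTFS partition at LBA 63, FAT32 at LBA 2048."""
    mbr = (bytes(446) + _entry(True, 0x07, 63, 1985) + _entry(False, 0x0C, 2048, 2048)
           + bytes(32) + b"\x55\xAA")
    ntfs_vbr = bytearray(SECTOR)
    ntfs_vbr[3:11] = b"NTFS    "
    ntfs_vbr[510:512] = b"\x55\xAA"
    fat_vbr = bytearray(SECTOR)
    fat_vbr[82:90] = b"FAT32   "
    fat_vbr[510:512] = b"\x55\xAA"
    image = bytearray(4096 * SECTOR)
    image[0:SECTOR] = mbr
    image[63 * SECTOR:64 * SECTOR] = ntfs_vbr
    image[2048 * SECTOR:2049 * SECTOR] = fat_vbr
    return bytes(image)


if __name__ == "__main__":
    image = build_sample_image()
    for e in audit_disk(set_type(image, 0, 0x0C)):   # simulate a wrong type byte on partition 0
        print(e["index"], e["type_name"], "boot sector says", e["filesystem"],
              "OK" if e["consistent"] else "MISMATCH")
```

Reading a real disk means `open(r"\\.\PhysicalDrive0", "rb")` as an administrator and feeding the first sector plus each partition's first sector to these functions; the point of the cross-check is that if the boot sector still says NTFS, `/type=07` is the whole fix, but if the boot sector itself reads as RAW, changing the type byte alone will not bring the volume back and a TestDisk-style boot sector repair is the next step.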
I can live with that solution. Cheers.
Can YOU find all your jpg etc files? With explorer? Then your file system is okay. When you click on a drive the first thing Explorer does is actually go to the hd and physically read that partition's file table [watch the drive activity lamp; it reads the first level of directories and files, and so on in as you click deeper directories... these are physical reads], nothing to do with registry at all. All the registry knows, or thinks it knows, is your drive letters. So if Picasa is lost then try blaming Picasa. Reinstall it. Picasa may use a sort of MRU entry in registry to hold a list of accessed or known files, I do not know. Just remember that it is a google product.
"A few days" ... like 30 or more? So windows has locked you out. Curse Bill Gates for being so suspicious, then do the Repair as in Bob's post. That will reset the clock.. then do what the lil popup beseeches, and go online to activate. Heck, all you have to do is click the popup. And if you've had Windows [a valid copy] for more than a year validation will be granted no matter what hardware you change. Even M$ understands that technology progresses... well, other ppl's tech, anyway.
If you don't actually have an installation cd, borrow a like one... eg if you had XP Home SP2, get one of those cd's.
I aint finished yet! When you visit the Windows Update site it uses an ActiveX to detect this key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired].
Try deleting the RebootRequired key itself.
I just did and it seems to work. Without a reboot I could not use the update site to check for more updates... I deleted that RebootRequired key and it allowed me in without a restart. I took another dl and it regenerated that key.
I do not have your problem... so if I did a restart to get the new registry values read it would just automatically negate the restart prompt situation for me! So I killed explorer and restarted it, which forces a registry reread. No yellow security icon yet.
Yeah.. it is a shame - I tested it on an update which I had previously refused as not wanted... and it is prompting me to restart. So... the drawing board revisited.... Here is another key that lists dwords for updates for which a reboot is required:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired]
-export that key, then delete the dwords, not just set their value to zero.
I'm testing it now...
Bob, this M$ knowledge article may sort it for you: http://support.microsoft.com/default.aspx?kbid=832475
Run your eye down the article until you come to the 3 flag settings. Try putting the Flag = 0 into your key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile
Actually you may have another UpdateExeVolatile key there with a long hex number appended. Okay, so play safe and export the key, then set both flags to zero.
Say how it goes.
And because you saw this msg :
"No boot sector on hard disk - No bootable devices - press F1 to retry, F2 to go to options" - you were not actually booting from the cd. DBAN obviously wiped the disk but left the MBR intact, so the code from that has been loaded, but then it cannot locate the boot sector on the hdd... cos you wiped it. Anyway.. that is wot it is telling you. Reset your boot order using the F8 key at startup [F2?, or whatever key combo BIOS tells you to use] to set your cd as first boot device.
You have rundll32.exe in the wrong location. Please move it to C:\Windows\system32.
Then to do a quick check on rundll32.exe's functionality, rclick on your time in the task bar, select Adjust Date n Time. If that opens to show the clockface, then close it immediately - it means rundll32.exe is working. If you get the same error msg then please say so.
Thinking more on what you said and playing a little with files and saving, I am not at all sure how you got that double extension .reg.txt, or that Win32 message. It may have come about because of the way you have set things with the assoc command, and I am not at all keen to emulate that on my machine. So if you cannot run the fixkey.reg file by rclicking it, choosing Open With... and Registry Editor, then because I see you told jim laver that you had the cmd prompt available in normal mode you could enter these commands:
Go Start, Run, and enter cmd
Then in the command window enter:
assoc .exe=exefile
assoc .cmd=cmdfile
-and see how that helps.
Rayo, slow down, take a deep breath... then read the instructions I gave you in post #14, and follow them to the letter.
"fixkey.reg.txt" is NOT how that text should be saved, you MUST save it as "fixkey.reg".ie it MUST be a .reg file. See the bit about "all files"? When you use "Save as" you have the option of using the suggested file extension [in this case it is .txt because you are using notepad] or choosing from a list [in this case the only other option is "all files", meaning that the extension you set in "File name" will be the actual extension].
Another point, make sure there is a blank line after the last line of code in the notepad.
So re-read my instructions, follow them, and your sys should be okay. Actually you could simply rename the file you have already saved as fixkey.reg.txt to fixkey.reg, and then rclick it, and so on.
The advice you got from that other person was a wrong turn..:).
And that is not a usage for ping cmd. You can do this:
ping yahoo.com
or:
ping login.yahoo.com
But you cannot use it to enter email addresses or passwords ie, you cannot use ping to submit parameters to the target.
Rayo, you totally mistook what I was posting to you... By this: [key is an export from my machine] I meant that the key in the code box was a copy of that particular key from my machine, which is correct and working! Naturally, typing [key is an export from my machine] into the Run window would not work! I shall rewrite my post for clarification, and include a fix for another error you made that I query below.
Are you saying that this is what you actually did when the problem first appeared?:
"okay like the last thing i remember before my laptop got ruined was this
open cmd prompt
type: assoc .exe=.txt
press enter
type:assoc .cmd=.txt
press enter
...etc"
Why would you associate a file with a .exe extension with a file-type .txt [which is not a real file-type, by the way]?
Basically you are telling your sys to open .exe files with an application group called .txt, which I bet does not exist. Anywhere.
And.... you are telling your sys to open .cmd files with the same application.
A real association might look like:
assoc .rar=WINRAR
So ..
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
Hi. For the moment I will just assume that it is a problem only with an exe file link. Run this [key is an export from my machine]:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
Modification for your situation: you can copy that file to a floppy or thumbdrive and run it from there....
I could point out that if you can use the Administrator account to log in [because you did not password it also...] then to save coming back to this website from safe mode, just copy the post above as a txt file onto a floppy and copy/paste the URLs from that... should work.
And if you do not have an administrator account without a password... then most likely you can't do any of that. I don't want to suggest that you slave that drive into another sys cos you might infect that one also.. but do you have a spare hard drive lying around that you could temporarily load an OS onto [disconnect your main, infected drive first; use a drive letter that is NOT on your old drive, and no need to register the OS with microsoft], then add the infected drive and instead of those things above do this scan:
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java.
Please ATTACH to your post the log it produces.
A few ideas, darkfly.. so let's play, see just what we can do without the keyboard.
I assume you have at least one account without a password, like the Administrator? If you are able, restart your sys in Safe Mode with Networking.
Go Start, and paste this into the Run window:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
...and this is what you do with that download:
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Still in Safe Mode, paste this into the Run window:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also …
Brianan, mostly I don't hop forums.. atm I am playing in the other one, but chased you over here.... you would be able to delete that file from Safe Mode, unless they were very cunning.... but in any event this is a very handy tool:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
You cannot expect pestware writers to do the best job with their uninstallers.. this file may need removing, also:
C:\WINDOWS\SYSTEM32\mysidesearch_sidebar_uninstall.exe
This, enrish...
a Repair is almost the only option, well, the simplest one. However if you have a virus or some other piece of malware that is able to crash AVG8 in Safe Mode, then I fear it will junk your Repair job also. But try it. Your first priority should then be to clean the sys - if you are able to enter Safe Mode with Networking:
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/homeuse...s/activescan/?
-for the free online virus scan select the link Scan your PC, then Register [otherwise there will be no disinfection, merely detection] with a valid email and follow through.
Please ATTACH to your post the log it produces.
Note. Do not format your machine until your data is safe by either one of two ways: repair or file copy. If a Repair and AV scan won't do the job, the next thing is to copy off your vital files, and a format would make that tougher. If you cannot get your sys clean, but are able to copy your files safely, then you can do a format [which deletes your File Allocation Tables, and so the malware files also get lost], and a clean installation.
Before I started that I would reinstall the firewall that you had, else load the installer file for , say, Zonealarm or other firewall that you like, onto a pen drive, Repair, start up or install …
Good on yer, caper.
Enrish, any computer repairman will have a bucket full of burnt disks. M$ may not like it, but unless they break the door down there is absolutely no way they can find out. You are permitted to make one copy, anyway....
Your sys sounds really messed up. So you cannot get into Safe Mode, with Networking? Just a blue screen on each attempt? Okay, a few points....
For a start... I have seen those "temp" files on the net, and they are fine but hardly comprehensive. A better way is to get CCleaner - out of the box it does a fine job, but is also customisable.
Disk Cleanup recommended and then dld software? - that must be some other third party disk cleanup, not the one in Windows [rclick a drive, eg C: and you will see it, also Defrag].
Install only ONE resident AV [such as AVG8] -they fight, and it can be bare knuckle stuff. But it does not matter how many online AV scans [they usually combine an AS scan also] you run, they will not conflict with your resident AV.
AVG8 is a combo AV and AS, and a bit of a drag on your sys, but it is good. I use Avast [also a combo] but it is lighter on resources.
AdAware is not as good as it used to be [my personal opinion only...].
But your immediate problem is none of that - if you cannot get into Safe Mode then a Repair is almost the only option, well, the simplest one. However if you have a virus or some other piece of malware that is able to crash AVG8 in Safe Mode, then I fear it will …
Enrish, all you require to do a Windows Repair is an OEM installation cd of the same update status as your sys, eg XP SP2 Home, and you can just borrow one. Input your own Product Key though. Being an OEM machine, that will be on the sticker on the side of your box.
If you cannot borrow a disk from a mate or neighbour, nip down to your local puter shop and they should be able to burn you one for a couple of dollars.
A Repair will not cause you to lose any files, but it may break some of your third party software.
Nothing... it's working. :)
Just think, if you didn't have a firewall, were running XP with no updates.. some of those might have gotten thru.
I updated on 9th July, it has clocked 12,000 attempts. The web is loaded with systems which patrol constantly looking for unguarded, open ports.
ComboFix does operations that are in general terms similar to other anti-malware tools. Briefly, I would not dream of attempting to emulate it manually. Check its bat file for some of its operations.
I see the point of your infection - a USB device.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera. Repeat in other User profiles.
Close ATF.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/homeusers/solutions/activescan/?
-for the free online virus scan select the link Scan your PC, then Register [otherwise there will be no disinfection, merely detection] with a valid email and follow through.
Please ATTACH to your post the log it produces.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
Ripper! Glad it worked for you...
Cheers.
This one, again: "Start hijackthis, open the Misc Tools section, choose the Open ADS Spy button, then uncheck Quick Scan box, and finally press Scan."
Good work. Okay, navigate to this directory:
C:\DOCUMENTS & SETTINGS\Owner\LOCAL SETTINGS\Temp\_ISTMP1.DIR\
Delete these 3 files, and then the directory _ISTMP1.DIR :
_INS5576._MP
ZDataI51.dll
_WUTL951.DLL
Only if the files prove difficult to find or delete, use this Killbox deletion tool:
==Download killbox from here:- http://www.downloads.subratam.org/KillBox.zip -unzip it onto your desktop.
Dclick killbox to start it.
>Highlight the pathnames in the following block and copy them into clipboard [press Ctrl+C] [ or rclick, copy...]:-
C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\_INS5576._MP
C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\ZDataI51.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\_WUTL951.DLL
C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR
-in killbox, go File menu, choose Paste from clipboard.
Select "Delete on reboot", "Unregister dll before deleting" if available, click the "all files" button.
Click the red and white X button, click Yes on the reboot prompt, click OK if a pendingfilerenameoperation box opens. [do not be concerned if it says it cannot find a file...]
If your computer does not reboot please restart it manually.
Good. Now run the ADS scan again and place checkmarks against these four for deletion:
C:\Documents and Settings\All Users\Application Data\TEMP : 05EE1EEF (498 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (98 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : 05EE1EEF (498 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : DFC5A2B2 (98 bytes)
Repeat the ADS scan to see that they, or similarly named files, do not re-occur. And then please say how things are, now.
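The ADS re-check above can also be done from a shell. This is an added example, not code from the thread or from HijackThis: it lists every NTFS alternate data stream under a folder, including streams attached to the folder itself, in the same "path : stream (size)" form ADS Spy reports. It assumes Windows PowerShell 3.0 or later (for the -Stream parameter), and the folder path at the bottom is a placeholder.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams (ADS)
# the way HijackThis' ADS Spy does, so a folder can be re-checked after a cleanup.
# Assumes Windows PowerShell 3.0 or later; the folder at the bottom is a placeholder.
function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    # Check the folder itself as well as its contents: an ADS can hang off a directory,
    # which is exactly what the "...\TEMP : 05EE1EEF (498 bytes)" lines above show.
    $items = (@(Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue) +
              @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)) |
             Where-Object { $_ }

    foreach ($item in $items) {
        # ':$DATA' is the ordinary unnamed stream of a file; anything else is an ADS.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }
}

function Remove-AlternateStream {
    # Drops one named stream and leaves the host file or folder in place,
    # the equivalent of ticking an entry in ADS Spy and deleting it.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Stream)
    Remove-Item -LiteralPath $Path -Stream $Stream
}

# Placeholder folder; on the XP box in the thread the equivalent is
# C:\Documents and Settings\All Users\Application Data\TEMP
Get-AlternateStreams -Path 'C:\ProgramData\TEMP' | Format-Table -AutoSize
```

Run it once before and once after deleting the streams: an empty second listing is the "do not re-occur" check asked for above.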
Ah, that was a nice cleanup.
Navigate to and drag this file into an open notepad:
C:\WINDOWS\_delis32.ini
- attach that notepad to your next post.
Delete these files:
C:\aa0019f0269a2bb7fa4d45
C:\WINDOWS\system32\msexcr.ini
C:\WINDOWS\_delis32.ini
Start hijackthis, open the Misc Tools section, choose the Open ADS Spy button, then uncheck Quick Scan box, and finally press Scan.
Please save and post the log file.
**When this is done with, go to the Symantec site, find the tool suited to the removal of your version of their AV, dl and run it.
I'm guessing that you have some malware in your sys. Maybe you could give us a glimpse of some things...
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
A couple of points... did you get BIOS to see your IDE CD/DVD drive as IDE finally, and not SATA ?!! It showed up in My Computer with the disk in it recognised! Beats me....
The other point is... this is an upgrade Vista disk, so it will require an XP OS preinstalled on the hdd.
That error comes because your disk is formatted.. you cannot boot from it. So install XP and go from there.
...and if you rclick the Start button, > Start Menu tab, customize button, Advanced tab, scroll down and check that box... what happens?
I see that SDFix detected no malware. Please run this scan to see what it turns up:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Okay..... seen the pics... so you have one Sata hdd and the IDE CDRom. Connections, jumper are fine. A couple of things... because you have only one hdd you won't be using RAID at least for the time being... and choosing AHCI does not get you out of the jam [with Intel AHCI is included in the RAID setting] because there is still a need for a driver file to be loaded by floppy. Of course, there are ways around this when no floppy drive is fitted:
-temporarily add a floppy drive just for installation..
-slipstream the required file onto your installation cd..
-change the Sata configuration in BIOS to IDE emulation, ignore the F6 prompt during Setup, and after installation of the OS add the required driver file and change a couple of settings, then switch to RAID or AHCI mode. [pieceacake, done it with Intel chipsets]
...the second thing is: why is BIOS reporting your PATA cdrom [ok, IDE cdrom] as Sata cdrom? Can you flash that BIOS with a thumbdrive [or floppy] from in the BIOS?
And yep, that is an upgrade cd.. for upgrading XP to Vista. I don't know why M$ do that. But you load it from inside XP, not as a new installation from the cd. So if you have an installation cd for XP and do not mind losing the contents of the hdd [all your data, pics etc.] just load that XP cd, boot from it, …
Symantec/S32ENIL.dll .. is there any chance you typed that incorrectly, arthas? It should be the name of a dll that exists in that Symantec S32 directory under Program Files. Anyway, I notice that you are running Avast from Alwil Software, so that Symantec error is a leftover from an incomplete uninstallation of Symantec. To fix that you should go to Symantec's website for the removal tool for the edition of their AV that you were using. For your immediate problem you can do this....
==Navigate to this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
-in the right pane rclick VDD and delete it.
-in the Edit menu point to New and then select Multi-string Value.
-type VDD in the Value Name box, press ENTER.
-exit Regedit.
The Symantec tool will clear out all ? remnants though....
[with Avast installed I am surprised you do not have this entry for VDD at that key:
C:\Program Files\Alwil Software\Avast4\aswMonVd.dll ... but anyway..]
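Before deleting the VDD value outright, it helps to see what is actually registered in it. This is an added example, not code from the thread: it reads the VDD multi-string at the key above and flags entries whose DLL no longer exists on disk, which is the kind of Symantec leftover described. It assumes PowerShell 3.0 or later, treats a leading "\??\" prefix on an entry as an NT path prefix to drop (an assumption about how entries are written), and changes nothing.

```powershell
# Added example (not from the thread): list the DLLs registered in the VDD value and flag
# any that are no longer on disk. NTVDM reads this value when a 16-bit program starts, so a
# stale entry there produces the "Symantec/S32ENIL.dll" style error. Read-only; run elevated.
function Get-VddEntries {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers'
    $vdd = (Get-ItemProperty -LiteralPath $key -Name VDD -ErrorAction SilentlyContinue).VDD

    foreach ($entry in @($vdd)) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }   # an empty VDD is the normal state

        # Entries are taken as written, with environment variables expanded and a leading
        # NT-style "\??\" prefix dropped (assumption: that is how such entries are stored).
        $path = [Environment]::ExpandEnvironmentVariables($entry) -replace '^\\\?\?\\', ''

        [pscustomobject]@{
            Entry  = $entry
            Exists = [IO.Path]::IsPathRooted($path) -and (Test-Path -LiteralPath $path -PathType Leaf)
        }
    }
}

# Entries with Exists = False are the leftovers; the fix in the post (delete VDD and
# recreate it as an empty multi-string) clears every entry, good and stale alike.
Get-VddEntries | Where-Object { -not $_.Exists }
```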
That is an incomplete SDFix log. Try running it again.
Pieceacake... :)
Well, that got rid of the D:\autorun.inf for you, one other file deleted was a remnant of some adware, the other is as yet unclassified. I see nothing else, so I suspect your sys is now clean, and you should be able to also open D:?