gableacorns 0 Newbie Poster

Look, that is exactly what you were supposed to get and see. That file isn't supposed to be there and you should have clicked Finish.
I guess just uninstall it and note that this thread is closed.
Since you don't wish to run any programs given to fix I honestly cannot offer any more help.

Okay I clicked 'Finish' and it removed it.

gableacorns 0 Newbie Poster

Wondered if that would happen.
Download LSP-Fix
Follow the instructions given HERE on the running of the program.

Well my computer really doesn't want to cooperate with anything. When I loaded LSP-Fix, I got this.

I didn't move anything into the remove box; that was already there. I exited without making changes, but should I press 'finish' to make corrections?

This LSP-Fix won't screw over my computer, will it? I don't "enjoy reinstalling my operating system". =(

gableacorns 0 Newbie Poster

When I clicked "Fix It" after checking the two, I got this message. I rebooted and did the HJT log anyway:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:29 PM, on 1/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uptimer4.exe
C:\Program Files\Wiley\Webster's New World\HKML_SRV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - …

gableacorns 0 Newbie Poster

Okay, I deleted the temp files. Any further instructions? By the way, thanks very much for helping me through this all day and night.

gableacorns 0 Newbie Poster

Yes, I disabled Superantispyware. The ComboFix folder had 2 files in it: hidec and NirCmd. I've deleted the ComboFix folder.

Yes, I added Stumble Upon as a trusted site.

One more thing: I think Comodo is flagging these files. Were they created by ComboFix? If so, I gather I should delete them?

gableacorns 0 Newbie Poster

I disabled the antivirus & firewall and tried to run combofix one more time but still to no avail. I found the combofix folder, but there was no log in it.

Also here is a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:15 AM, on 1/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uptimer4.exe
C:\Program Files\Wiley\Webster's New World\HKML_SRV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} …

gableacorns 0 Newbie Poster

Disregard my previous post. The search found no meqkmk.dll! That's good, right?

gableacorns 0 Newbie Poster

The installation CD IS the Recovery CD and is what you would have needed if there had been a problem with the use of combofix. I have never experienced that, but that is not to say it couldn't happen.

Anyway,

Follow my instructions for uninstalling combofix.

I was having you run combofix to try to see if a specific file was actually still on the computer and its location and then have it remove it. But you can do it manually.
You will have to begin with a file search for this file meqkmk.dll
Go to Start, Search, All Files and folders.
Be sure to choose the Advanced Search option and be sure that Search System Folders, Search Hidden Files and Folders and Search Sub folders are checked.
You will need to search in "C" drive.
I need to know the location of this file. You probably will have to remove it manually rather than use combofix and possibly edit the registry to remove it if it is on the computer.

I'm running a scan now, so far it hasn't been found.

I just got a Comodo virus alert saying it detected viruses in the ComboFix folder:

Located at C:\ComboFix\

What's going on with it? I haven't deleted ComboFix yet, but I'm not trying to run it either. Also, should I ignore these if they're ComboFix?

gableacorns 0 Newbie Poster

Since you cannot run combofix you will have to uninstall it.
Go to Start > Run
Type in box

combofix /u

Note: the space between the X and the /u
When shown the disclaimer, Select "2"

Even then it didn't prompt me. I copy pasted the uninstall line you gave me into run, and again I got the small loading screen for ComboFix, and it again did nothing afterward. Would it be safe to just right-click delete it since it never really gets installed?

gableacorns 0 Newbie Poster

It is not IN combofix, combofix would have installed it on the computer. So you have no windows cd? Did you receive one with the computer? If not, then the recovery partition was very likely already installed on the machine.

I don't know if it came with a recovery disk; I checked in the box and there was nothing. Of course, it came with the Windows installation CD, but I can't find that either. If it means anything, I have what would be considered a "mini laptop" (10.6" screen - Averatec brand), and sometimes these mini-computers don't come with all the stuff a regular computer comes with.

gableacorns 0 Newbie Poster

I downloaded it from the Microsoft website:

http://support.microsoft.com/kb/310994

And I chose the correct version and service pack. It loaded into ComboFix, but that's all.

gableacorns 0 Newbie Poster

No, I didn't receive a prompt.

gableacorns 0 Newbie Poster

I downloaded ComboFix and dragged the Windows Recovery file into it (since I needed to download it). After it loads into ComboFix... nothing happens. I double clicked on ComboFix and it gave me the loading screen, and then nothing. I closed all windows and disabled Comodo, so I'm not sure why nothing is happening.

Also, I've read that ComboFix may cause problems if you don't know what you're doing (which is me in a nutshell). Is it safe for me to run it? This laptop has all my info on it and I don't have it backed up on a separate drive...

gableacorns 0 Newbie Poster

Alright, I rebooted. However, this time I heard an error tone when it was done rebooting, but no message box appeared. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:10 PM, on 1/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uptimer4.exe
C:\Program Files\Wiley\Webster's New World\HKML_SRV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In …

gableacorns 0 Newbie Poster

Ok, I did as you said and deselected "Accept 3rd party cookies" and uninstalled ClamWin so that only Comodo is running.

It's running a lot smoother and hasn't had any more suspicious pop ups compared to yesterday when I was first infected. From the HJT log, does my computer seem clean? If not, are there other recommended scans I should do? I won't rest until my comp is uncontaminated!

gableacorns 0 Newbie Poster

Alright, I scanned with ESET, and it didn't find any infections. Here's the log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3733 (20090102)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=d500403c28a2df48853eb36da7308088
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2009-01-03 09:20:59
# local_time=2009-01-03 04:20:59 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=352359
# found=0
# scan_time=5767


And here's the subsequent HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:07 PM, on 1/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uptimer4.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Wiley\Webster's New World\HKML_SRV.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe

gableacorns 0 Newbie Poster

Let me just start with how I believe I got the crudload of viruses. I use Comodo, and often times it'll pop up the "allow or block" box when I encounter something benign. I'm so used to clicking allow that yesterday I stupidly allowed in something that screwed with my comp big time.

Comodo stopped working, my internet connection cut off, my comp kept trying to download something from rapidshare (didn't do it though), and I kept getting pop ups from sagipsul or something.

I scanned it with malwarebytes and this was the result:
___________________________________
Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 2

1/2/2009 4:29:11 PM
mbam-log-2009-01-02 (16-29-11).txt

Scan type: Quick Scan
Objects scanned: 55143
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 15
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\efcAPIBS.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fcunxyli.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMfeBRH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ddcBRifC.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f287042a-b2d3-474b-b8f0-2bed84ac5c7b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f287042a-b2d3-474b-b8f0-2bed84ac5c7b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qomfebrh (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f287042a-b2d3-474b-b8f0-2bed84ac5c7b} (Trojan.Vundo.H) -> Quarantined …