After Effects Of Nt_kernel Error 1256

I have followed a few of the threads already posted on the kernel error 1256. I had all the same symptoms, but now most of them are gone (thx to the much recomended vundofix, and some manual deleting) like the pop up messages, and windows explorer works great. But I need some one-on-one help for some of the residu. The virus seemed to have messed my internet connection. I can't connect to the internet. It tells me the remote modem couldn't be found (error 797). I tried deleting that connetion, and creating a new. But regardless of the fact I TELL it to creat a broadband connection, it makes it a dial up... which doesn't work. I called aliant, and they think some settings have been changed.


Oh, and my C drive still is a big red X.


Anyway I really need someone to walk me thru how to get rid of all this stuff.


So far I've gotten rid of everything vundofix has found (even the ones it couldn't delete), got rid of the pos temps in C. I couldn't get combofix to work though. Even in safe mode thru comand prompt. It tells me it's not a valid win32 program.


And it would be nice if someone could explain to me how to find my highjack log... I see everyone posting it, I have no idea how to find it, that is, if it helps you fix my problem.


THX!

«1

Comments

  • I got combofix to work, I just tryed downloading it a a different site. Here's the log:


    ComboFix 08-02.01.6 - Owner 2008-02-01 21:36:25.1 - NTFSx86


    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1435 [GMT -4:00]


    Running from: C:\ComboFix.exe


    * Created a new restore point


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat


    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat


    C:\WINDOWS\system32\ffaqfgpf.ini


    C:\WINDOWS\system32\gkuxwomq.dll


    C:\WINDOWS\system32\jlnmp.ini


    C:\WINDOWS\system32\jlnmp.ini2


    C:\WINDOWS\system32\mcrh.tmp


    C:\WINDOWS\system32\wixsoqbc.ini


    D:\Autorun.inf


    ----- BITS: Possible infected sites -----


    hxxp://au.download.windowsupdate.com


    .


    ((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))


    .


    2008-02-01 21:27 . 2008-02-01 21:19 1,592,659 --a------ C:\ComboFix.exe


    2008-01-31 16:24 . 2008-01-31 20:57 <DIR> d-------- C:\VundoFix Backups


    2008-01-30 15:40 . 2008-01-30 15:40 294 ---hs---- C:\WINDOWS\system32\dpwvhatg.ini


    2008-01-23 22:05 . 2008-01-23 22:05 <DIR> d-------- C:\Documents and Settings\Owner.CHIASSON\Application Data\Yahoo!


    2008-01-23 22:05 . 2008-01-23 22:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion


    2008-01-23 16:30 . 2008-01-23 16:30 <DIR> d-------- C:\Documents and Settings\Owner.CHIASSON\Application Data\ACD Systems


    2008-01-23 16:29 . 2008-01-23 16:29 <DIR> d-------- C:\Program Files\Yahoo!


    2008-01-23 16:28 . 2008-01-23 16:36 <DIR> d-------- C:\Program Files\Common Files\ACD Systems


    2008-01-23 16:23 . 2008-01-23 16:26 35,574,848 --a------ C:\acdsee-10-0-238-en.exe


    2008-01-23 16:22 . 2008-01-23 16:22 <DIR> d-------- C:\Acdsee


    2008-01-22 23:07 . 2008-01-22 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7


    2008-01-22 22:14 . 2008-01-22 22:18 32,981,120 --a------ C:\avg75free_516a1225.exe


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-01-26 16:03 --------- d-----w C:\Program Files\BigFix


    2008-01-23 19:15 --------- d-----w C:\Program Files\Ares Lite Edition


    2008-01-23 19:03 --------- d-----w C:\Documents and Settings\Owner.CHIASSON\Application Data\ZoomBrowser EX


    2008-01-23 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser


    2007-12-24 21:18 --------- d-----w C:\Documents and Settings\Owner.CHIASSON\Application Data\LimeWire


    2007-02-23 00:55 7,936,144 ----a-w C:\Program Files\DX81NTeng.exe


    2007-02-23 00:49 46,297,472 ----a-w C:\Program Files\directx_feb2007_redist.exe


    2007-02-22 21:17 14,705,768 ----a-w C:\Program Files\DivXInstaller.exe


    2007-01-24 19:36 45,305 ----a-w C:\Program Files\dxdllreg_x86.cab


    2007-01-24 19:36 198,275 ----a-w C:\Program Files\FEB2007_XACT_x64.cab


    2007-01-24 19:36 151,583 ----a-w C:\Program Files\FEB2007_XACT_x86.cab


    2007-01-24 19:21 976,020 ------w C:\Program Files\BDAXP.cab


    2007-01-24 19:21 917,318 ------w C:\Program Files\Apr2006_MDX1_x86.cab


    2007-01-24 19:21 91,265 ------w C:\Program Files\OCT2006_xinput_x64.cab


    2007-01-24 19:21 88,102 ------w C:\Program Files\AUG2006_xinput_x64.cab


    2007-01-24 19:21 87,989 ------w C:\Program Files\Apr2006_xinput_x64.cab


    2007-01-24 19:21 86,925 ------w C:\Program Files\Oct2005_xinput_x64.cab


    2007-01-24 19:21 85,235 ----a-w C:\Program Files\dxupdate.cab


    2007-01-24 19:21 77,160 ----a-w C:\Program Files\DSETUP.dll


    2007-01-24 19:21 503,144 ----a-w C:\Program Files\DXSETUP.exe


    2007-01-24 19:21 49,149 ------w C:\Program Files\OCT2006_xinput_x86.cab


    2007-01-24 19:21 47,018 ------w C:\Program Files\AUG2006_xinput_x86.cab


    2007-01-24 19:21 46,898 ------w C:\Program Files\Apr2006_xinput_x86.cab


    2007-01-24 19:21 46,247 ------w C:\Program Files\Oct2005_xinput_x86.cab


    2007-01-24 19:21 4,163,518 ------w C:\Program Files\Apr2006_MDX1_x86_Archive.cab


    2007-01-24 19:21 213,767 ------w C:\Program Files\DEC2006_d3dx10_00_x64.cab


    2007-01-24 19:21 193,435 ------w C:\Program Files\DEC2006_XACT_x64.cab


    2007-01-24 19:21 192,680 ------w C:\Program Files\DEC2006_d3dx10_00_x86.cab


    2007-01-24 19:21 183,863 ------w C:\Program Files\AUG2006_XACT_x64.cab


    2007-01-24 19:21 183,321 ------w C:\Program Files\OCT2006_XACT_x64.cab


    2007-01-24 19:21 181,745 ------w C:\Program Files\JUN2006_XACT_x64.cab


    2007-01-24 19:21 180,021 ------w C:\Program Files\Apr2006_XACT_x64.cab


    2007-01-24 19:21 179,247 ------w C:\Program Files\Feb2006_XACT_x64.cab


    2007-01-24 19:21 146,559 ------w C:\Program Files\DEC2006_XACT_x86.cab


    2007-01-24 19:21 138,977 ------w C:\Program Files\OCT2006_XACT_x86.cab


    2007-01-24 19:21 138,195 ------w C:\Program Files\AUG2006_XACT_x86.cab


    2007-01-24 19:21 134,631 ------w C:\Program Files\JUN2006_XACT_x86.cab


    2007-01-24 19:21 133,991 ------w C:\Program Files\Apr2006_XACT_x86.cab


    2007-01-24 19:21 133,297 ------w C:\Program Files\Feb2006_XACT_x86.cab


    2007-01-24 19:21 13,265,040 ------w C:\Program Files\dxnt.cab


    2007-01-24 19:21 1,673,576 ----a-w C:\Program Files\dsetup32.dll


    2007-01-24 19:21 1,575,336 ------w C:\Program Files\DEC2006_d3dx9_32_x86.cab


    2007-01-24 19:21 1,572,114 ------w C:\Program Files\DEC2006_d3dx9_32_x64.cab


    2007-01-24 19:21 1,413,862 ------w C:\Program Files\OCT2006_d3dx9_31_x64.cab


    2007-01-24 19:21 1,398,718 ------w C:\Program Files\Apr2006_d3dx9_30_x64.cab


    2007-01-24 19:21 1,363,684 ------w C:\Program Files\Feb2006_d3dx9_29_x64.cab


    2007-01-24 19:21 1,358,864 ------w C:\Program Files\Dec2005_d3dx9_28_x64.cab


    2007-01-24 19:21 1,351,430 ------w C:\Program Files\Aug2005_d3dx9_27_x64.cab


    2007-01-24 19:21 1,348,242 ------w C:\Program Files\Apr2005_d3dx9_25_x64.cab


    2007-01-24 19:21 1,336,890 ------w C:\Program Files\Jun2005_d3dx9_26_x64.cab


    2007-01-24 19:21 1,248,387 ------w C:\Program Files\Feb2005_d3dx9_24_x64.cab


    2007-01-24 19:21 1,156,363 ------w C:\Program Files\BDANT.cab


    2007-01-24 19:21 1,128,177 ------w C:\Program Files\OCT2006_d3dx9_31_x86.cab


    2007-01-24 19:21 1,116,109 ------w C:\Program Files\Apr2006_d3dx9_30_x86.cab


    2007-01-24 19:21 1,085,608 ------w C:\Program Files\Feb2006_d3dx9_29_x86.cab


    2007-01-24 19:21 1,080,344 ------w C:\Program Files\Dec2005_d3dx9_28_x86.cab


    2007-01-24 19:21 1,079,850 ------w C:\Program Files\Apr2005_d3dx9_25_x86.cab


    2007-01-24 19:21 1,078,532 ------w C:\Program Files\Aug2005_d3dx9_27_x86.cab


    2007-01-24 19:21 1,065,813 ------w C:\Program Files\Jun2005_d3dx9_26_x86.cab


    2007-01-24 19:21 1,014,113 ------w C:\Program Files\Feb2005_d3dx9_24_x86.cab


    2006-08-05 02:33 5,118,736 ----a-w C:\Program Files\Firefox Setup 1.5.0.6.exe


    2006-08-13 17:00 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F303C95-540F-4FEC-A4CB-00D497AAEEAC}]


    C:\WINDOWS\system32\pmnlj.dll


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]


    "WhenUSave"="C:\Program Files\Save\Save.exe" [ ]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]


    "nwiz"="nwiz.exe" [2005-09-18 10:32 1519616 C:\WINDOWS\system32\nwiz.exe]


    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]


    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 17:54 241664]


    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]


    "AtariBanner"="c:\darcy and clayton zone\atari\Volume 2\Banner.exe" [2001-05-22 17:17 49152]


    "SoundMan"="SOUNDMAN.EXE" [2006-08-03 04:12 577536 C:\WINDOWS\soundman.exe]


    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]


    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16 1121792]


    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00 94208]


    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]


    "Creative Fatal1ty 1010 Mouse"="C:\Program Files\Creative\Fatal1ty 1010 Mouse\CTPoint.exe" [2005-03-15 13:18 221184]


    "CreativeMS2020"="C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe" [2006-05-09 12:58 143360]


    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]


    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064]


    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 10:32 7204864]


    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]


    "Power2GoExpress"="NA" []


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 02:06:36 53248]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]


    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles


    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]


    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk


    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]


    --a------ 2001-05-22 17:13 55296 c:\darcy and clayton zone\atari\Volume 2\Atari icon.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]


    --------- 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe


    R3 ctms2020;Creative HID USB Filter Driver1;C:\WINDOWS\system32\DRIVERS\ctms2020.Sys [2006-05-09 13:12]


    S3 CtUsbMs;Creative HID USB Filter Driver;C:\WINDOWS\system32\DRIVERS\CtUsbMs.Sys [2005-10-26 17:30]


    S3 Stedman Service;Stedman Service;"C:\Program Files\Common Files\Primal Pictures Shared\Service\Stedman Service File.exe" [2006-10-31 18:13]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41668f21-ea88-11da-885b-806d6172696f}]


    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


    .


    Contents of the 'Scheduled Tasks' folder


    "2008-01-28 12:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"


    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe


    "2008-02-02 00:00:00 C:\WINDOWS\Tasks\B6C53AB1846AAC19.job"


    - c:\docume~1\owner~1.chi\applic~1\doesgr~1\AXISSETUPMEOW.exe


    "2008-02-01 06:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"


    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-01 21:41:18


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    ------------------------ Other Running Processes ------------------------


    .


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\WINDOWS\system32\CTsvcCDA.exe


    C:\WINDOWS\eHome\ehRecvr.exe


    C:\WINDOWS\eHome\ehSched.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\WINDOWS\system32\HPZipm12.exe


    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


    C:\WINDOWS\ehome\mcrdsvc.exe


    C:\Program Files\Canon\CAL\CALMAIN.exe


    C:\WINDOWS\system32\dllhost.exe


    C:\Program Files\Digital Media Reader\readericon45G.exe


    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe


    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


    C:\WINDOWS\SOUNDMAN.EXE


    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe


    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE


    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe


    C:\Program Files\Creative\Fatal1ty 1010 Mouse\CTPoint.exe


    C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe


    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe


    C:\Program Files\iTunes\iTunesHelper.exe


    C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\CTFaMicetra.exe


    C:\Program Files\Messenger\msmsgs.exe


    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe


    C:\Program Files\iPod\bin\iPodService.exe


    .


    **************************************************************************


    .


    Completion time: 2008-02-01 21:44:41 - machine was rebooted [Owner]


    ComboFix-quarantined-files.txt 2008-02-02 01:44:37


    .


    2008-01-09 17:03:12 --- E O F ---


    So there we go, see if you can help me get my computer back like before please.


    thx

  • farbar
    farbar
    edited February 2008

    Hi,

    1. First of all the Vundo is still alive and breathing, it is not gone.


      I see no Hijackthis installed on your computer.

    2. You can download a Hijackthis installer from here:


      http://www.trendsecure.com/portal/en-US/to...is/download


    3. Install it to its default directory, run it and click Do a system scan and save a logfile. It scans and opens up a log. The logfile is also saved in hijackthis folder: C:\program files\Trend Micro\Hijachackthis.
    4. Read the following thread on removal of this malware and follow the instructions on prepration before removal: http://forum.bitdefender.com/index.php?showtopic=3998
    5. Post a hijackthis log.
  • Thank you, I'm about to download hijackthis, and transfer it to my computer.


    And, renv log is pretty much empty, I'll send you one along with my highjack this log anyway. RenV was one of the first things I did. But I'll follow your intructions, and do it again, thx so much for being so helpful.

  • Ok, here is the hijack log.


    I unziped hijack right on the C. (C:\hijackthis) it didn't give me that default you messioned (the link you gave me seemed to be broken, so I googled it)... doesn't matter but just if you kneeded to know.


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 10:16:13 AM, on 02/02/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Digital Media Reader\readericon45G.exe


    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe


    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


    C:\WINDOWS\SOUNDMAN.EXE


    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe


    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE


    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe


    C:\Program Files\Creative\Fatal1ty 1010 Mouse\CTPoint.exe


    C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe


    C:\Program Files\iTunes\iTunesHelper.exe


    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    C:\Program Files\Messenger\msmsgs.exe


    C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\CTFaMicetra.exe


    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe


    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\WINDOWS\system32\CTsvcCDA.exe


    C:\WINDOWS\eHome\ehRecvr.exe


    C:\WINDOWS\eHome\ehSched.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\WINDOWS\system32\HPZipm12.exe


    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\Program Files\Canon\CAL\CALMAIN.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\Program Files\iPod\bin\iPodService.exe


    C:\WINDOWS\system32\dllhost.exe


    C:\HiJackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5082H


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5082H


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5082H


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll


    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll


    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O2 - BHO: (no name) - {8F303C95-540F-4FEC-A4CB-00D497AAEEAC} - C:\WINDOWS\system32\pmnlj.dll (file missing)


    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll


    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll


    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe


    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install


    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE


    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"


    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


    O4 - HKLM\..\Run: [AtariBanner] "c:\darcy and clayton zone\atari\Volume 2\Banner.exe" /0


    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE


    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey


    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall


    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE


    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"


    O4 - HKLM\..\Run: [Creative Fatal1ty 1010 Mouse] C:\Program Files\Creative\Fatal1ty 1010 Mouse\CTPoint.exe


    O4 - HKLM\..\Run: [CreativeMS2020] C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [bDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"


    O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')


    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/resources/MsnPUpld.cab


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172525521609


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


    O23 - Service: Stedman Service - Unknown owner - C:\Program Files\Common Files\Primal Pictures Shared\Service\Stedman Service File.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 8614 bytes


    And here is the renv log... is there maybe something wrong with my renv...?


    Ran on 02/02/2008 - 10:17:50.10

    Entries:                0  (0)
    Directories:            0  Files:             0
    Bytes:                  0  Blocks:            0


    Thx again farbar, you rock.

  • Darcy Chiasson
    edited February 2008

    Oh, and do you want me to rename HiJackThis to something like moon.exe too? And I emptied all my cookies and temps, and defaulted my privacy and security.

  • farbar
    farbar
    edited February 2008

    Sorry for the broken link.

    • Good news is that the vundo dll (pmnlj.dll) which was there when you posted combofix log is now removed.
    • You don't need to rename HJT and your RenV is OK.
    • Please uninstall limewire and any other p2p you have and remove the folder ander program files. You may keep the downloaded files and install the program after we finished the cleaning.
    • please go to add/remove programs and uninstall any program with the name WhenU or WhenUSave or


      Save or DriveCleaner Free in it.

    • Go to this site: http://www.virustotal.com/ upload the following files one by one and let them scan if they are clean just report it if not post the scan result.
      • C:\document and settings\your login name\application data\doesgr~1\AXISSETUPMEOW.exe
      • C:\WINDOWS\system32\nwiz.exe
      • C:\Program Files\DivXInstaller.exe
    • Tell me also about your internet connection, what have you already done? have you checked if your network card is installed with the right driver (start-right click my computer-properties-device manager- network adapters-under network adapters you should see your driver- right click- property). Do you have a modem or also a router?
    • Please report your progress, like you already did.
  • Hey,


    So I'm scanning the things now.... I have to put them on my memory stick and go over to my aunts laptop and scan in there. (obviously cause my internet wont work.


    There is a small consern though, C:\document and settings\your login name\application data\doesgr~1\AXISSETUPMEOW.exe doesn't really appear to exist. Like the right folder is there, and in the properties it says there is a file in it... however I can't see it. And I have the 2 options in 'folder options' adjusted so I can see hidden files.


    As for my internet connection, I havn't done much. I checked the network adaptors like you said. What am I looking for? All adapter properties say they are working properly. I tryed recreating a network, but like I said, it puts it as dial up. And it says divce missing. I only have a modem. And I know the it's not a physical problem, cause I'm running this lap top off the same cable.


    I'll keep you posted and the results of the 3 files


    thx

  • Ok, so the nwix was clean, the Divxdriver was too big, the site said it was past the max acceptable size (it was 14 Megs) and the asixx... wasn't... 'there' I could get to site to scan it, I tryed WRITTING it, instead of browsing... and the site it had 0 Ks.


    I checked for anything with those words in the add\remove... and I couldn't find any.


    Awaiting your istructions.


    And so you know, while I learn fast when it come to computers, my knowledge on internet connection stuff is quite limited, so you may have to be a little step by step when it comes to that.


    thx again!

  • farbar
    farbar
    edited February 2008

    Very good, we will do it step by step, I suggest you do the following (download the tools but use them one by one):

    • Open a notepad (start menu-all programs-accessorie-notepad)
    • Copy and paste the text in the code box below into it.
    file::
    c:\docume~1\owner~1.chi\applic~1\doesgr~1\AXISSETUPMEOW.exe
    C:\WINDOWS\system32\pmnlj.dll
    C:\WINDOWS\system32\pmnlj.*
    C:\WINDOWS\system32\dpwvhatg.ini
    C:\WINDOWS\system32\jmnlp.*
    C:\WINDOWS\system32\jlnmp.*
    C:\WINDOWS\system32\gkuxwomq.*
    C:\WINDOWS\system32\qmowxukg.*


    Folder::
    C:\Program Files\Save

    registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F303C95-540F-4FEC-A4CB-00D497AAEEAC}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WhenUSave"=-

    • * Select save in:desktop


      * Fill in File name: CFScript.txt


      * save as type: All file types (*.*)

    • Drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system.


      It may reboot your system when it finishes. This is normal.

    • Use this URL to download the latest version :http://siri.urz.free.fr/Fix/SmitfraudFix.exe
      • search:
        • Double-click SmitfraudFix.exe
        • Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
    • Clean:
      • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
      • Double-click SmitfraudFix.exe
      • Select 2 and hit Enter to delete infect files.
      • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
      • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
    • Download DTRweb-cureit from here to your desktop.
      • Doubleclick/run the "drweb-cureit.exe" and click "Start" in the prompt window that will open , asking "start the express scan now". It will first make a quick scan of your system, let it clean what it find, and when it says "done"
      • Click on the Options->Change settings.
      • Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select –Rename
      • Click – Apply - OK
      • Click on Scan Tab. Choose Complete Scan. Click on The Green arrow to the right. It will now scan your drive(s), say yes to all
      • After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
      • Save the report to your desktop. The report will be called DrWeb.csv
      • Close Dr.Web Cureit.

      • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • Please post all the 3 logs into your next reply. Meanwhile I am going to attend the Saturday night family gathering and come back tomorrow to go through the recovery of your Internet connection.
  • farbar
    farbar
    edited February 2008

    Try this first and see if the connection problem is fixed, then do the above steps:

    1. Then go to Start > Control Panel. Double click on Network Connections.
    2. Right click on your default connection and select Properties.
    3. Select the General tab.
    4. Double click on Internet Protocol (TCP/IP) under This connection uses the following items:
    5. Select Obtain an IP address automatically and Obtain DNS server address automatically.
    6. Click OK twice to save the settings. Reboot when prompted to.
    7. Go to Start > Run and type in cmd.
    8. Type in the following line one by one and pressing Enter after each line (there is space between the first word an \):


      ipconfig /renew


      ipconfig /flushdns


      exit


  • Darcy Chiasson
    edited February 2008

    I got up to the simitfraud fix. When I run it I get a: Windows cannot find 'C:\comboFix\kmd.exe'. Make sure you typed the name correctly, and then try again, to search for a file click the start button, and then click search. So do you want me to skip this step and do the other things you told me too?


    I did the combofix like you told me (by draging the txt file to it) and it worked, to you want the log?


    ** I did a search on my computer for KMD.exe and I found 2: KMD.EXE-0F38AFBB.pf & KMD.EXE-32C45867.pf They were in C:\windows\prefetch

  • I also have the 2 files virustotal couldn't scan ziped with a password, if you thought you wanted to take a look at them

  • farbar
    farbar
    edited February 2008

    Good work.


    Skip with that and anything to do with combofix. They are the files cleaned by combofix.


    Keep the files you have achieved for the time being, I am just a member of the forum and not a virus researcher, don't know which files they want to take a look at.


    Yes I want to see the logs by all three tools.

  • Darcy Chiasson
    edited February 2008

    OK, I can give you only 2 logs, remember, the smitfraud fix ( a few posts back) didn't work on my computer.


    So I'm doing the dr. web scan now. And he ipconfig /renew didn't didn't work. It says:an error occurred while reneing interface Local Area connection : unable to contact your DHCP server. request has times out.


    And that's all I have to report for now, the dr. web and combofix logs are on their way.

  • OK, I can give you only 2 logs, remember, the smitfraud fix ( a few posts back) didn't work on my computer.


    So I'm doing the dr. web scan now. And he ipconfig /renew didn't didn't work. It says:an error occurred while reneing interface Local Area connection : unable to contact your DHCP server. request has times out.


    And that's all I have to report for now, the dr. web and combofix logs are on their way.


    Ok, if you could manage it do this:

    • uninstall Combofix by going to: Start-Run Type in the box : Combofix /u and click OK. It will remove Combofix.
    • Do the cleaning part of Smitfraudfix in safe mode.
    Do you have just a modem or you have a modem and a router?
  • Darcy Chiasson
    edited February 2008

    OK, I only have a modem. No router.


    I unistalled combofix, but I stll have tha problem when I try using smitfraud: can't find C:\combofix\kmd.exe


    Here's the latest combofix when I used the CFScript.


    ComboFix 08-02.01.6 - Owner 2008-02-02 14:59:37.2 - NTFSx86


    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.966 [GMT -4:00]


    Running from: C:\Documents and Settings\Owner.CHIASSON\Desktop\ComboFix.exe


    Command switches used :: C:\Documents and Settings\Owner.CHIASSON\Desktop\CFScript.txt


    * Created a new restore point


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    FILE


    c:\docume~1\owner~1.chi\applic~1\doesgr~1\AXISSETUPMEOW.exe


    C:\WINDOWS\system32\dpwvhatg.ini


    C:\WINDOWS\system32\pmnlj.dll


    .


    The following files were disabled during the run:


    C:\WINDOWS\system32\sockspy.dll


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat


    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat


    C:\WINDOWS\system32\dpwvhatg.ini


    ----- BITS: Possible infected sites -----


    hxxp://au.download.windowsupdate.com


    .


    ((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))


    .


    2008-02-02 10:15 . 2008-02-02 12:26 <DIR> d-------- C:\HiJackThis


    2008-02-02 10:14 . 2008-02-02 10:13 318,369 --a------ C:\HiJackThis.zip


    2008-02-02 09:39 . 2008-02-02 09:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Bitdefender


    2008-02-02 09:26 . 2008-02-02 09:26 791 --a------ C:\bdmcon.lnk


    2008-02-01 23:23 . 2008-02-01 23:23 <DIR> d-------- C:\Program Files\Common Files\L&H


    2008-02-01 22:09 . 2008-02-02 14:56 81,984 --a------ C:\WINDOWS\system32\bdod.bin


    2008-02-01 22:06 . 2008-02-01 22:06 <DIR> d-------- C:\Documents and Settings\Owner.CHIASSON\Application Data\Bitdefender


    2008-02-01 22:04 . 2008-02-01 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender


    2008-02-01 21:27 . 2008-02-01 21:19 1,592,659 --a------ C:\ComboFix.exe


    2008-01-31 16:24 . 2008-01-31 20:57 <DIR> d-------- C:\VundoFix Backups


    2008-01-23 22:05 . 2008-01-23 22:05 <DIR> d-------- C:\Documents and Settings\Owner.CHIASSON\Application Data\Yahoo!


    2008-01-23 22:05 . 2008-01-23 22:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion


    2008-01-23 16:30 . 2008-01-23 16:30 <DIR> d-------- C:\Documents and Settings\Owner.CHIASSON\Application Data\ACD Systems


    2008-01-23 16:29 . 2008-01-23 16:29 <DIR> d-------- C:\Program Files\Yahoo!


    2008-01-23 16:28 . 2008-01-23 16:36 <DIR> d-------- C:\Program Files\Common Files\ACD Systems


    2008-01-23 16:23 . 2008-01-23 16:26 35,574,848 --a------ C:\acdsee-10-0-238-en.exe


    2008-01-23 16:22 . 2008-02-01 22:09 <DIR> d-------- C:\Acdsee


    2008-01-22 23:07 . 2008-01-22 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7


    2008-01-22 22:14 . 2008-01-22 22:18 32,981,120 --a------ C:\avg75free_516a1225.exe


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-02-02 02:03 --------- d-----w C:\Documents and Settings\Owner.CHIASSON\Application Data\Lavasoft


    2008-01-26 16:03 --------- d-----w C:\Program Files\BigFix


    2008-01-23 19:03 --------- d-----w C:\Documents and Settings\Owner.CHIASSON\Application Data\ZoomBrowser EX


    2008-01-23 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser


    2007-12-24 21:18 --------- d-----w C:\Documents and Settings\Owner.CHIASSON\Application Data\LimeWire


    2007-12-23 23:57 8,464 ----a-w C:\WINDOWS\system32\sporder.dll


    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll


    2007-02-23 00:55 7,936,144 ----a-w C:\Program Files\DX81NTeng.exe


    2007-02-23 00:49 46,297,472 ----a-w C:\Program Files\directx_feb2007_redist.exe


    2007-02-22 21:17 14,705,768 ----a-w C:\Program Files\DivXInstaller.exe


    2007-01-24 19:36 45,305 ----a-w C:\Program Files\dxdllreg_x86.cab


    2007-01-24 19:36 198,275 ----a-w C:\Program Files\FEB2007_XACT_x64.cab


    2007-01-24 19:36 151,583 ----a-w C:\Program Files\FEB2007_XACT_x86.cab


    2007-01-24 19:21 976,020 ------w C:\Program Files\BDAXP.cab


    2007-01-24 19:21 917,318 ------w C:\Program Files\Apr2006_MDX1_x86.cab


    2007-01-24 19:21 91,265 ------w C:\Program Files\OCT2006_xinput_x64.cab


    2007-01-24 19:21 88,102 ------w C:\Program Files\AUG2006_xinput_x64.cab


    2007-01-24 19:21 87,989 ------w C:\Program Files\Apr2006_xinput_x64.cab


    2007-01-24 19:21 86,925 ------w C:\Program Files\Oct2005_xinput_x64.cab


    2007-01-24 19:21 85,235 ----a-w C:\Program Files\dxupdate.cab


    2007-01-24 19:21 77,160 ----a-w C:\Program Files\DSETUP.dll


    2007-01-24 19:21 503,144 ----a-w C:\Program Files\DXSETUP.exe


    2007-01-24 19:21 49,149 ------w C:\Program Files\OCT2006_xinput_x86.cab


    2007-01-24 19:21 47,018 ------w C:\Program Files\AUG2006_xinput_x86.cab


    2007-01-24 19:21 46,898 ------w C:\Program Files\Apr2006_xinput_x86.cab


    2007-01-24 19:21 46,247 ------w C:\Program Files\Oct2005_xinput_x86.cab


    2007-01-24 19:21 4,163,518 ------w C:\Program Files\Apr2006_MDX1_x86_Archive.cab


    2007-01-24 19:21 213,767 ------w C:\Program Files\DEC2006_d3dx10_00_x64.cab


    2007-01-24 19:21 193,435 ------w C:\Program Files\DEC2006_XACT_x64.cab


    2007-01-24 19:21 192,680 ------w C:\Program Files\DEC2006_d3dx10_00_x86.cab


    2007-01-24 19:21 183,863 ------w C:\Program Files\AUG2006_XACT_x64.cab


    2007-01-24 19:21 183,321 ------w C:\Program Files\OCT2006_XACT_x64.cab


    2007-01-24 19:21 181,745 ------w C:\Program Files\JUN2006_XACT_x64.cab


    2007-01-24 19:21 180,021 ------w C:\Program Files\Apr2006_XACT_x64.cab


    2007-01-24 19:21 179,247 ------w C:\Program Files\Feb2006_XACT_x64.cab


    2007-01-24 19:21 146,559 ------w C:\Program Files\DEC2006_XACT_x86.cab


    2007-01-24 19:21 138,977 ------w C:\Program Files\OCT2006_XACT_x86.cab


    2007-01-24 19:21 138,195 ------w C:\Program Files\AUG2006_XACT_x86.cab


    2007-01-24 19:21 134,631 ------w C:\Program Files\JUN2006_XACT_x86.cab


    2007-01-24 19:21 133,991 ------w C:\Program Files\Apr2006_XACT_x86.cab


    2007-01-24 19:21 133,297 ------w C:\Program Files\Feb2006_XACT_x86.cab


    2007-01-24 19:21 13,265,040 ------w C:\Program Files\dxnt.cab


    2007-01-24 19:21 1,673,576 ----a-w C:\Program Files\dsetup32.dll


    2007-01-24 19:21 1,575,336 ------w C:\Program Files\DEC2006_d3dx9_32_x86.cab


    2007-01-24 19:21 1,572,114 ------w C:\Program Files\DEC2006_d3dx9_32_x64.cab


    2007-01-24 19:21 1,413,862 ------w C:\Program Files\OCT2006_d3dx9_31_x64.cab


    2007-01-24 19:21 1,398,718 ------w C:\Program Files\Apr2006_d3dx9_30_x64.cab


    2007-01-24 19:21 1,363,684 ------w C:\Program Files\Feb2006_d3dx9_29_x64.cab


    2007-01-24 19:21 1,358,864 ------w C:\Program Files\Dec2005_d3dx9_28_x64.cab


    2007-01-24 19:21 1,351,430 ------w C:\Program Files\Aug2005_d3dx9_27_x64.cab


    2007-01-24 19:21 1,348,242 ------w C:\Program Files\Apr2005_d3dx9_25_x64.cab


    2007-01-24 19:21 1,336,890 ------w C:\Program Files\Jun2005_d3dx9_26_x64.cab


    2007-01-24 19:21 1,248,387 ------w C:\Program Files\Feb2005_d3dx9_24_x64.cab


    2007-01-24 19:21 1,156,363 ------w C:\Program Files\BDANT.cab


    2007-01-24 19:21 1,128,177 ------w C:\Program Files\OCT2006_d3dx9_31_x86.cab


    2007-01-24 19:21 1,116,109 ------w C:\Program Files\Apr2006_d3dx9_30_x86.cab


    2007-01-24 19:21 1,085,608 ------w C:\Program Files\Feb2006_d3dx9_29_x86.cab


    2007-01-24 19:21 1,080,344 ------w C:\Program Files\Dec2005_d3dx9_28_x86.cab


    2007-01-24 19:21 1,079,850 ------w C:\Program Files\Apr2005_d3dx9_25_x86.cab


    2007-01-24 19:21 1,078,532 ------w C:\Program Files\Aug2005_d3dx9_27_x86.cab


    2007-01-24 19:21 1,065,813 ------w C:\Program Files\Jun2005_d3dx9_26_x86.cab


    2007-01-24 19:21 1,014,113 ------w C:\Program Files\Feb2005_d3dx9_24_x86.cab


    2006-08-05 02:33 5,118,736 ----a-w C:\Program Files\Firefox Setup 1.5.0.6.exe


    2006-05-23 17:32 189 ----a-w C:\Program Files\audio.log


    2006-08-13 17:00 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F303C95-540F-4FEC-A4CB-00D497AAEEAC}]


    C:\WINDOWS\system32\pmnlj.dll


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]


    "nwiz"="nwiz.exe" [2005-09-18 10:32 1519616 C:\WINDOWS\system32\nwiz.exe]


    "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]


    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 17:54 241664]


    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]


    "AtariBanner"="c:\darcy and clayton zone\atari\Volume 2\Banner.exe" [2001-05-22 17:17 49152]


    "SoundMan"="SOUNDMAN.EXE" [2006-08-03 04:12 577536 C:\WINDOWS\soundman.exe]


    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]


    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16 1121792]


    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00 94208]


    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]


    "Creative Fatal1ty 1010 Mouse"="C:\Program Files\Creative\Fatal1ty 1010 Mouse\CTPoint.exe" [2005-03-15 13:18 221184]


    "CreativeMS2020"="C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe" [2006-05-09 12:58 143360]


    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]


    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064]


    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 10:32 7204864]


    "BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 16:48 290816]


    "BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]


    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]


    "Power2GoExpress"="NA" []


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 02:06:36 53248]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]


    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles


    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]


    "AppInit_DLLs"=sockspy.dll


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]


    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk


    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]


    --a------ 2001-05-22 17:13 55296 c:\darcy and clayton zone\atari\Volume 2\Atari icon.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]


    --------- 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe


    R3 ctms2020;Creative HID USB Filter Driver1;C:\WINDOWS\system32\DRIVERS\ctms2020.Sys [2006-05-09 13:12]


    S3 CtUsbMs;Creative HID USB Filter Driver;C:\WINDOWS\system32\DRIVERS\CtUsbMs.Sys [2005-10-26 17:30]


    S3 Stedman Service;Stedman Service;"C:\Program Files\Common Files\Primal Pictures Shared\Service\Stedman Service File.exe" [2006-10-31 18:13]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41668f21-ea88-11da-885b-806d6172696f}]


    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


    *Newly Created Service* - ENTDRV51


    .


    Contents of the 'Scheduled Tasks' folder


    "2008-01-28 12:06:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"


    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe


    "2008-02-02 19:00:00 C:\WINDOWS\Tasks\B6C53AB1846AAC19.job"


    - c:\docume~1\owner~1.chi\applic~1\doesgr~1\AXISSETUPMEOW.exe


    "2008-02-02 06:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"


    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-02 15:00:57


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    Completion time: 2008-02-02 15:01:33


    ComboFix-quarantined-files.txt 2008-02-02 19:01:25


    ComboFix2.txt 2008-02-02 01:44:41


    .


    2008-01-09 17:03:12 --- E O F ---


    And this is the Dr.Web


    miditest.htm C:\Darcy and Clayton Zone\Anvil studio\html Modification of BAT.Mtr.1429 Moved.


    Process.exe C:\Documents and Settings\Owner.CHIASSON\Desktop\SmitfraudFix Tool.Prockill Renamed.


    restart.exe C:\Documents and Settings\Owner.CHIASSON\Desktop\SmitfraudFix Tool.ShutDown.11 Renamed.


    B09F12BEd01 C:\Documents and Settings\Owner.CHIASSON\Local Settings\Application Data\Mozilla\Firefox\Profiles\ezzxc4al.default\Cache(2) Trojan.Winfixer Deleted.


    Process.exe C:\SmitfraudFix Tool.Prockill Renamed.


    restart.exe C:\SmitfraudFix Tool.ShutDown.11 Renamed.


    A0022505.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP511 Adware.NewDotNet Renamed.


    A0023578.exe C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP513 Adware.NewDotNet Renamed.


    A0025707.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP519 Trojan.Virtumod.267 Deleted.


    A0025739.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP520 Trojan.Virtumod.265 Deleted.


    A0025740.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP520 Trojan.Virtumod.265 Deleted.


    A0025791.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP521 Trojan.Virtumod.263 Deleted.


    A0025820.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP521 Trojan.Virtumod.263 Deleted.


    A0025848.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP521 Trojan.Virtumod.263 Deleted.


    A0025900.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP522 Trojan.Virtumod.263 Deleted.


    A0025921.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP522 Trojan.Virtumod.263 Deleted.


    A0025949.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP522 Trojan.Virtumod.263 Deleted.


    A0026005.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP523 Trojan.Virtumod.263 Deleted.


    A0026026.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP523 Trojan.Virtumod.263 Deleted.


    A0026053.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP523 Trojan.Virtumod.263 Deleted.


    A0026091.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP524 Trojan.Virtumod.263 Deleted.


    A0026107.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP524 Trojan.Virtumod.265 Deleted.


    A0026108.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP524 Trojan.Virtumod.265 Deleted.


    A0026157.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP525 Trojan.Virtumod.263 Deleted.


    A0026182.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP525 Trojan.Virtumod.267 Deleted.


    A0026198.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP526 Trojan.Virtumod.263 Deleted.


    A0026241.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP526 Trojan.Virtumod.265 Deleted.


    A0026257.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP526 Trojan.Virtumod.263 Deleted.


    A0026417.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP528 Trojan.Virtumod.265 Deleted.


    A0026458.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP529 Trojan.Virtumod.263 Deleted.


    A0026545.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP530 Trojan.Virtumod.263 Deleted.


    A0026620.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP531 Trojan.Virtumod.263 Deleted.


    A0026726.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP531 Trojan.Virtumod.265 Deleted.


    A0026781.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP532 Trojan.Virtumod.263 Deleted.


    A0026904.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP533 Trojan.Virtumod.263 Deleted.


    A0027016.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP534 Trojan.Virtumod.263 Deleted.


    A0027136.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP535 Trojan.Virtumod.263 Deleted.


    A0028235.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP535 Trojan.Juan.29 Deleted.


    A0028236.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP535 Trojan.Virtumod.260 Deleted.


    A0028240.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP535 Trojan.Virtumod.263 Deleted.


    A0028241.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP535 Trojan.Virtumod.266 Deleted.


    A0028242.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP535 Trojan.Virtumod.263 Deleted.


    A0028263.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP535 Trojan.Virtumod.260 Deleted.


    A0028493.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP536 Trojan.Virtumod.240 Deleted.


    A0028537.bat C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP536 Probably BATCH.Virus


    A0028575.bat C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP536 Probably BATCH.Virus


    A0028657.dll C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP538 Trojan.Virtumod.265 Deleted.


    A0028664.bat C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP538 Probably BATCH.Virus


    A0028718.exe C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP539 Adware.NewDotNet Renamed.


    A0028719.exe C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP539 Adware.SaveNow Renamed.


    A0028800.bat C:\System Volume Information\_restore{B15A192A-0024-42A2-975A-EEF66F271A43}\RP540 Probably BATCH.Virus


    dgvjvvhb.dll.bad C:\VundoFix Backups Trojan.Juan.29 Deleted.


    fcqnwftt.dll.bad C:\VundoFix Backups Trojan.Virtumod.260 Deleted.


    pcbptrxh.dll.bad C:\VundoFix Backups Trojan.Virtumod.263 Deleted.


    pjcnkfwu.dll.bad C:\VundoFix Backups Trojan.Virtumod.260 Deleted.


    pmnlj.dll.bad C:\VundoFix Backups Trojan.Virtumod.266 Deleted.


    rjitcfgt.dll.bad C:\VundoFix Backups Trojan.Virtumod.263 Deleted.


    urqrpqq.dll.bad C:\VundoFix Backups Trojan.Virtumod.240 Deleted.


    Process.exe K:\SmitfraudFix Tool.Prockill Renamed.


    restart.exe K:\SmitfraudFix Tool.ShutDown.11 Renamed.


    I've been try that smitfraud, and it just wont even let me start it, it keeps looking for that kmd thing.


    And.... that's about it. I tryed looking in those properties of my default connection. But remember, I deleted the old one (cause I was making a new one) and the new one is considered dial - up, and there is nothing in the General tab. I did the same to my Local area connection, and the 2 options were selected.


    thx


    By the way, I'm on -4h time zone, what are you?

  • Darcy Chiasson
    edited February 2008

    WOW, ok smitifraud is working! I restarted the computer after that dr.web... and I could use it. results comming your way! (so the order was different than you told me to do: combofix then dr.web then smitfraud)


    SmitFraudFix v2.278


    Scan done at 19:34:47.87, 02/02/2008


    Run from K:\SmitfraudFix


    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT


    The filesystem type is NTFS


    Fix run in safe mode


    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix


    !!!Attention, following keys are not inevitably infected!!!


    SrchSTS.exe by S!Ri


    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix


    VACFix


    Credits: Malware Analysis & Diagnostic


    Code: S!Ri


    C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll deleted.


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix


    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix


    IEDFix.exe by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System


    !!!Attention, following keys are not inevitably infected!!!


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


    Registry Cleaning done.


    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix


    !!!Attention, following keys are not inevitably infected!!!


    SrchSTS.exe by S!Ri


    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End


    Alright, fun stuff! I really need my internet back, so what next?

  • Good work. I want to get the connection back as badly as you want it. We have made progress but something is still holding us back. We move in two directions (malware removal+repair) and hopefully converge at the next step.


    • Do you know this service:


      O23 - Service: Stedman Service - Unknown owner - C:\Program Files\Common Files\Primal Pictures Shared\Service\Stedman Service File.exe


      I have not been able to find anything official or nonofficial on it. If you don't know it, I am going to remove it (you can't fix this with HJT) and then go on fixing the connection.

    • Do you have a firewall?
    • Run Hijackthis "do system scan only", check the following entry, close all open windows, and press fix checked (this program don't need to run at startup, you can always recover the startup via backup made by HJT): O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    • Reboot and make a fresh HJT log.
    • BTW my time zone is GMT+1 (West European)
  • Hey,


    That fie you asked me about : Stedman is my medical dictionary, (college) but I never ever used it, if you're at all supicious about it being infected, we can delete it. But so you know, it's not a adware program or something.


    Here is my hijackthis Log:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 11:31:39 PM, on 02/02/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\WINDOWS\system32\CTsvcCDA.exe


    C:\WINDOWS\eHome\ehRecvr.exe


    C:\WINDOWS\eHome\ehSched.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\WINDOWS\system32\HPZipm12.exe


    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\Program Files\Canon\CAL\CALMAIN.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Digital Media Reader\readericon45G.exe


    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe


    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


    C:\WINDOWS\SOUNDMAN.EXE


    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe


    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE


    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe


    C:\Program Files\Creative\Fatal1ty 1010 Mouse\CTPoint.exe


    C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe


    C:\Program Files\iTunes\iTunesHelper.exe


    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    C:\Program Files\Messenger\msmsgs.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\CTFaMicetra.exe


    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe


    C:\WINDOWS\system32\dllhost.exe


    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\iPod\bin\iPodService.exe


    C:\HiJackThis\HiJackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5082H


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)


    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O2 - BHO: (no name) - {8F303C95-540F-4FEC-A4CB-00D497AAEEAC} - C:\WINDOWS\system32\pmnlj.dll (file missing)


    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll


    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)


    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe


    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE


    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"


    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe


    O4 - HKLM\..\Run: [AtariBanner] "c:\darcy and clayton zone\atari\Volume 2\Banner.exe" /0


    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE


    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey


    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall


    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE


    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"


    O4 - HKLM\..\Run: [Creative Fatal1ty 1010 Mouse] C:\Program Files\Creative\Fatal1ty 1010 Mouse\CTPoint.exe


    O4 - HKLM\..\Run: [CreativeMS2020] C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [bDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')


    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/resources/MsnPUpld.cab


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1172525521609


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe


    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


    O23 - Service: P###ec (P###ESVC) - Sysinternals - C:\WINDOWS\P###ESVC.EXE


    O23 - Service: Stedman Service - Unknown owner - C:\Program Files\Common Files\Primal Pictures Shared\Service\Stedman Service File.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 8298 bytes


    No, I don't have a firewall. Expept for windows firewall. My virus and spyware programs are McAfee, and spybot S&D, (I'm sure you probobly see that with my log) I used to have ad-aware but got rid of it when I got this virus, cause it wasn't working.


    Thx, I may not be as fast responding from now on, my aunt is taking her lap top back with her, so I'mm only be able to get to the internet like 3 times a day.


    Ok, thx.

  • farbar
    farbar
    edited February 2008

    Nowadays connecting to Internet without a firewall is a dangerous adventure. If you can't afford to by a decent AV with a firewall you can at least install a free firewall.


    Step 1.


    Fix this item with Hijackthis:


    O2 - BHO: (no name) - {8F303C95-540F-4FEC-A4CB-00D497AAEEAC} - C:\WINDOWS\system32\pmnlj.dll (file missing)


    Step 2.


    1.Empty your Temp folder, to do this:


    Reboot. Then go directly after reboot to start-run- type "%temp%" (without "), click OK it opens temp folder.


    select one of the files inside it in the right panel, then Ctrl+A to select all the contents and then Shift+delete to empty your Temp folder bypassing Recycle Bin. Click Ok to confirm. If you could not empty the folder because the files are in use go to start-control panel- folder options-view- and check show hidden files and folders. Then return to Temp folder and empty as much as you can.


    2. While your Internet explorer is closed go to start-control panel- Internet options- General- click delete- delete all- check 'Also delete files and settings stored by add-ons'. Click YES . Check if your privacy setting is lowered and reset if needed (please give me feedback on this).


    3. Go to start-run- type "cleanmgr.exe" (without "), click OK it shows C drive to be cleaned, click OK, check all the items but compress old files or at least Temporary Internet files, Temporary files and Recycle Bin. Click Ok to confirm.


    4. Reboot and check if your computer is running fine. Then empty your restore volume to get rid of recreation of infection by windows recovery. To do that: go to start-control panel- system- system restore- check turn off system restore on all drives. Click apply. By doing this you loose all your (often infected) restore points. Reboot and uncheck "turn off system restore on all drives' to create a clean restore point.


    Step 3.


    Run hijackthis and check if the item is with missing pmnlj.dll is returned. Then search with the search box if the pmnlj.dll is still there.


    To search for file:


    Go to start-search-click all files and folders - click more advanced options and check: search system folders, search hidden files and folders and search subfolders- click on search. Type the name of the file without extension up in the upper box.


    Step 4


    start-right click my computer-properties-device manager- network adapters-under network adapters you should see your driver- double click on the network driver- under general tab in the lower box should be: Use this device (enable)


    Step 5


    Go to start-control panel-network connections-remove the failed connection you have made before. On the left panel select create a new connection click on the New Connection Wizard- next- select connect to Internet- next- select the option- set up my connection manually- next- select Connect using a broadband connection that is always on –next-click finished.


    Step 6


    Restart and see if you get connected to Internet. If not follow the steps I suggested in my previous post:


    1. Then go to Start > Control Panel. Double click on Network Connections.


    2. Right click on your default connection and select Properties.


    3. Select the General tab.


    4. Double click on Internet Protocol (TCP/IP) under This connection uses the following items:


    5. Select Obtain an IP address automatically and Obtain DNS server address automatically.


    6. Click OK twice to save the settings. Reboot when prompted to.


    7. Go to Start > Run and type in cmd.


    8. Type in the following line one by one and pressing Enter after each line (there is space between the first word an \):


    ipconfig /renew


    ipconfig /flushdns


    exit


    9- Reboot

  • OK. thx. I followed the steps.


    1. Got rid of it.


    2. Temp folder deleted, all but one file.


    In my internet options, the format was a little different than you said. I couldn't find "delete all", I looked in all the tabs including general. But there was: "delete cookies" and "delete files". So I did those. And when I first had the virus, I saw in your thread with ancholess to change the privacy and security settings, so I defaulted them. But when I looked just now, the settings where 'low" again. So I defaulted them all again. (BTW I used firefox mostly, I did use IE for hotmail though, don't know if that helps you any)


    Did system clean up. All but compress old files.


    Created new restore points. (I think one WAS infected, when I first had my symptoms, I tried a system restore to the time prior to my infection... and it couldn't do it)


    3.Pmnlj is gone.


    4. There's several network adapters, I'm not sure which one is my internet connection,(I'm ok with computers, but not drivers, connection stuff ) but I checked, and there were all enabled.


    5. Created a new internet connection.


    6. I didn't connect to the internet still. I checked, the 2 items where already selected. When you say my default connection, do you mean my LAN?


    The ip renew thing gave me an error (like before), the other one worked.


    I was wondering, in my device manager, under "ports". Should I have one showing my internet connection. Cause the only thing under "ports (com&LPT)" is my printer. (there's no communication ports there, but I've seen them on other computers)


    And... as for my network adapters, do you want me to list them off to you? I don't have them here, I fergot to write them down, and I'm at college using the internet.


    So.... I think that's it so far, thank you for your help, I'll try to get back to a computer with internet as soon as I can.

  • farbar
    farbar
    edited February 2008

    First of all I am impressed both by the way you do the steps and the way you report back.


    That the dll is gone is excellent news as we are at the finish line in malware removal department.


    I am surprised you don't have the delete all option as it is a Windows XP SP2 option. If your windows is not updated it may effects the steps we are doing as they are specially written for this version.


    We don't have to know which network adapter you have and I don't think that is the issue. When you used some tools to remove the malware by removing the malware without doing the repair part you lost the connection because the malware had placed itself between your Internet browser and the system. Using HJT prevent this type of shooting in the dark.


    Lets try the repair part and hope the damage is to repair without a repair install of windows:


    Step 1.


    Make sure that the firewall is not enabled on your local area connection (start-control panel-double click windows firewall- advance- the option Local Area Connection schould be checked.


    Click Start, click Run, type cmd, and then press ENTER


    At the command prompt, type netsh int ip reset resetlog.txt, and then press ENTER to reset the TCP/IP network protocol.


    At the command prompt, type ipconfig /renew, and then press ENTER.


    If you get an error please make a note. And go on to step 2. Otherwise check the connection and then if needed go to second part.


    Step 2.


    1. Log on to the Microsoft Windows XP workstation as an administrator.


    2. Click Start, click Run, type cmd, and then click OK.


    3. At the command prompt, type and enter: netsh Winsock reset


    When the program is finished, you will receive the following message:


    Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset.


    If you receive this message, go to step 4.


    If you are not logged in as an administrator, you will receive the following error message:


    Unable to reset the Winsock Catalog. Access is denied.


    If you receive this message, log off the computer, and then log back on by using an account with Administrator access. Typically, the first user account that was created has Administrator access. Then, repeat 2 and 3 .


    4. Restart your computer and check the connection. If it failed go on to next step.


    Step 3.


    Download LSP-Fix.exe from the following link and save it on your desktop. The download link is:


    LSP-Fix.exe download link


    Double-click on the LSPFix.exe icon and the program will launch.


    Make a screenshot of the open window ( to do that press Print Screen/SysRq on the keyboard-then go to start-all programma-accessories-paint- then press cltr+alt+V – you can then save it under file menu.) Please post the screenshot into your replay.

  • farbar
    farbar
    edited February 2008
    Double-click on the LSPFix.exe icon and the program will launch.


    Make a screenshot of the open window ( to do that press Print Screen/SysRq on the keyboard-then go to start-all programma-accessories-paint- then press cltr+alt+V – you can then save it under file menu.) Please post the screenshot into your replay.


    Eddit:

    • Don't fix anything. After making the screenshot just close LSPFix.
    • After opening paint press Ctrl+V (not clrl+alt+v)
  • Will do, I'll copy the thread and download the program in my stick, go home, and try to get to a computer with internet as soon as I can. Thank you.

  • If you get to a computer with Internet download IEFix from Majorgeeks .


    You can unzip the download and use the utility. Google IEFix if you needed information on that but roughly speaking it reregisters IE files and rests all the settings to original ones.

  • Check this also to make sure:


    Internet options-connections-LAN settings- all 3 options should be unchecked (specially "use a proxy server for your LAN").


    If you want you can wait with IEFix until we have tried LSPfix. But download it to have it ready.


    Here is information on how to use IEFix: http://windowsxp.mvps.org/IEFIX.htm


    The old versions of IEFix runs a system file checker. If this version doesn't have the option you may do it self before running IEFix. To do that: Go to the Run box on the Start Menu and type in:


    sfc /scannow


    It checks the integrity of system files and replaces them if needed. If the backup files are also corrupted it asks you to insert your Windows XP Install CD.

  • Check this also to make sure:


    Internet options-connections-LAN settings- all 3 options should be unchecked (specially "use a proxy server for your LAN").


    If you want you can wait with IEFix until we have tried LSPfix. But download it to have it ready.


    Here is information on how to use IEFix: http://windowsxp.mvps.org/IEFIX.htm


    The old versions of IEFix runs a system file checker. If this version doesn't have the option you may do it self before running IEFix. To do that: Go to the Run box on the Start Menu and type in:


    sfc /scannow


    It checks the integrity of system files and replaces them if needed. If the backup files are also corrupted it asks you to insert your Windows XP Install CD.


    One more thing: Just to experiment set your Internet options-security to lowest. Close IE, open and check the connection. In any case you have to set your security setting again to default.

  • Hey,


    Well I did everything you told in the post of feb 4th.


    I believe I have service pack 2. Though I have "windows XP media centre" so it may be a little different.


    Step 1: I disabled the fire wall. A typed those 2 things in comand prompt. The first one worked, but the second (renew) still said: An error occured while renewing interface local area connection: unable to contact your DHCP server. Request has timed out.


    Step 2: I sucsessfuly reseted the winsock. But hear this: when I reboot my computer, I had 2 connections under highspeed. My LAC and a new one: 1394connection. They were both enabled. And remember how I used to create a new connection, but it made it dial up? Well for the first time, it made a BROADBAND connection. So you seemed to have struck a good cord somewhere in step 1 or 2. (my internet still won't work though)


    Step 3: I ran it. And have the screen shot attatched.


    I think that's all you wanted, I'm sorta in a hurry right now, (I have a test in lest than an hour) so I'll get back to you on those other posts.

    /applications/core/interface/file/attachment.php?id=1438" data-fileid="1438" rel="">Winsock_2.bmp

  • farbar
    farbar
    edited February 2008

    Hi,

    • The members can't download attachments to prevent them from infecting. The virus researchers and the moderators can do that. So if you use the insert image right above the reply window you can post the screenshot.
    • About the option 'delete all' it is available on IE 7 and you have IE 6. So there is no problem with your SP2.
    • The winsock repair was needed anyway and you have noticed it sharply.
    • You don't have to and should not disable the firewall as this is the only firewall you have. Just allowing your LAN will do. If you are just experimenting it then O.K.
    • Do you have desktop or a laptop? I try to understand the two connections you have and the error you get like you use alternative servers (home and DHCP for example at the University).
  • Ok, I'll try to attatch the pic. When I clicked "insert image" it asks me for the URL. ... And I don't have the pic on the internet. Should I just type the path?


    Yes I reenables the firewall, I just disabled it when I created the connection this time.


    And I use a desktop. And it was a brand new computer, never used anywhere else, or for anything else than home.


    Well I gotta run!

  • O.K. Just report the items in the left panel (keep) and eventually in the right window (remove).

  • OK


    So it says their's no problems found.


    Keep: (discription in ())


    mswsock.dll (Tcpip)


    winrnr.dll (NTDS)


    rsvpcp.dll ((protocol handler))


    There we are. thx

  • OK


    So it says their's no problems found.


    Keep: (discription in ())


    mswsock.dll (Tcpip)


    winrnr.dll (NTDS)


    rsvpcp.dll ((protocol handler))


    There we are. thx


    The third one you meant rsvpsp.dll ?


    And you clicked finished.


    Just to make sure there is physical connection:Start-control panel-Internet connections-Local Area Connection-right click -properties-general-check show icon in notification area when connected. See if the icon in the notification area shows connection or not. If not there is no physical connection.


    Please check the LAN settings in Internet options as I said in my post


    This time try first ipconfig /release then ipconfig /renew check if this works.


    please go through my post about experimenting with security settings, doing sfc /scannow, and finally IEFix.


    Another option is to uninstall and reinstall your network driver.


    I am beginning to run out of options as my knowledge is limited in this area.


    After doing this all you may consider to contact a technical forum or to do a repair reinstall. In that case you don't loose anything, just repair reinstall and updating the OS.

  • Here is another idea:


    1.Disable 1394connection:


    • Go to network connections, right click the 1394connection, select disable.


      Repeat those release and renew commands mentioned to get connected.

    • If that did not worked. Go on with the next step.


    2. Set a static ip to do that:

    • Use the laptop of your aunt, and get connected at your home.
    • In the run box type ipconfig /all
    • Note the ip address, subnet mask, default gatway, (and DNS server in case you wanted to try this one too)
    • connect your PC.
    • Go to network connections, right click LAC, higlight Internet Protocol (TCP/IP), properties, general, check use the following address: fill in the three mentioned values but in case of ip address add 1 to the last number of IP address (192.******.******.101 becomes 192.******.******.102). click ok and reboot. Check the connection.
  • Darcy Chiasson
    edited February 2008

    All right.


    So yes, it was rsvpsp.dll. And, yes I did clicked finish, but that was my bad, I wasn't wanting to fix anything or anything.


    Thx alot for your help, I'll take a look at the few options you gave, then tell you if anything interesting happened. Just so you know, my father has my windows XP CD (or he hid it somewhere) and he's in mexico, so have no idea. So I can't do any repair with the CD until he's back (tuesday). Or I may just take it to a techy. Anyway, I'll keep you posted on if your last steps work.


    I'm pretty sure there is physical connection. I remember when I plug in my calbe, my LAN pops up in my notification area.


    Oh, and my C: is still a big red X.


    Well that's it for now, thanks for you help.

  • OH my! I just noticed I didn't do the IEFix. Man, I'm slipping. SO i'll keep you posted on that too.

  • farbar
    farbar
    edited February 2008
    OH my! I just noticed I didn't do the IEFix. Man, I'm slipping. SO i'll keep you posted on that too.


    Before doing IEFix you may run the sfc /scannow command, It may also help the redx.It checks and repairs the system files using the backups on your system. If the backup is corrupted too it asks you to insert your install CD. Then you can skip that and wait until your father comes back.


    BTW when you used LSPFix before clicking finish did you check I know what I am doing...? If not You have to run the tool again, check I know what I am doing... and click press.


    Thanks for keeping me posted.

  • And about that redx, try this:


    Empty the explorer cache: Open task manger (Ctrl+Alt+Del), processes, select explorer.exe, click end process. By doing this you get a blank screen but the task manger remains, go to file-new task- type explorer confirm.

  • K, thx, I'll try those.


    I really wish I could have my windows CD.


    Anyway, I was wondering, WHY is there a big red X. If the vundo created it, why didn't it go away with all the other symptoms (ecxept the internet). Or is it a change it made to the computer, regardless of it you get rid of kernel error or not?

  • K, thx, I'll try those.


    I really wish I could have my windows CD.


    Anyway, I was wondering, WHY is there a big red X. If the vundo created it, why didn't it go away with all the other symptoms (ecxept the internet). Or is it a change it made to the computer, regardless of it you get rid of kernel error or not?


    The vundo created it by changing some system files or adding registry items. The vundo is gone and can't create any of those but but the changes it made should be addressed. That is why I asked you to emptpy the explorer cache. And that is why you created a clean restore point.

  • The vundo created it by changing some system files or adding registry items. The vundo is gone and can't create any of those but but the changes it made should be addressed. That is why I asked you to emptpy the explorer cache. And that is why you created a clean restore point.


    First you should be connected, the rest is not difficult to Handel.

  • Darcy Chiasson
    edited February 2008

    I ran the scanow command, and the IEfix. Both need my XP disx to finish. By the looks of things, that windows scanow thing wanted to fix alot of files, (it poped up multiple times asking me to put in my windows CD, I just clicked ingore, for now) I have to pick up my father at the airport tonight, and he'll know where the CD is, then I run those things, and tell what it's it like... probobly wensday.


    thank you.


    BTW, on my LSPfix, you told me to check the "I know what I'm doing" but didn't really finish your sentence. Do you want me just to click finish, should I put some things in the 'remove' box?

  • BTW, on my LSPfix, you told me to check the "I know what I'm doing" but didn't really finish your sentence. Do you want me just to click finish, should I put some things in the 'remove' box?


    You just check the "I know what I am doing, etc" and click finish, you should not put anything in the remove box as they are the legit files.


    Remember to repeat those command (released and renew) again if needed.

  • Hey,


    So when I do the SFC scannow thing, it asks me to put in my windows XP proffessional CD2. ... I don't have one (my father is back). All I have is a backup disc we did about a year ago. But... we don't have a WINDOWS XP CD... it just came on the computer when we bought it, and were told to make a recovery CD. I tryed putting THAT in, and it didn't work. Do I need to buy windows XP now? Or would any windows XP professional CD do?

  • Hey,


    So when I do the SFC scannow thing, it asks me to put in my windows XP proffessional CD2. ... I don't have one (my father is back). All I have is a backup disc we did about a year ago. But... we don't have a WINDOWS XP CD... it just came on the computer when we bought it, and were told to make a recovery CD. I tryed putting THAT in, and it didn't work. Do I need to buy windows XP now? Or would any windows XP professional CD do?


    You can try it, insert a windows XP install CD and show the path to i386 folder. It should be possible because this is not a new installation.

  • Darcy Chiasson
    edited February 2008

    I got the IE fix to work, I could find the i386 file and all. But the scannow still doesn't work. I'm going to try a system recovery, can I chose what to recover, so I don't wipe out all my computer?

  • I'm not sure if i should do that right now. I got a hold of a installation cd. But there was only 1 CD, and it asks me to put in CD2. And what else is weird, is that I have windows xp media centre edition, but it tells me to put in a proffesional edition CD.


    Is there something I could download to replace my files?

  • farbar
    farbar
    edited February 2008
    I'm not sure if i should do that right now. I got a hold of a installation cd. But there was only 1 CD, and it asks me to put in CD2. And what else is weird, is that I have windows xp media centre edition, but it tells me to put in a proffesional edition CD.


    Is there something I could download to replace my files?


    Right now I have no idea what to do to with scannow because the files are in i386. When you found the folder to do the IE fix you should be able to do this also.


    But I am not sure if and how you have done the suggestions in my last posts. So I put it again together:


    Step 1.


    Just to make sure there is physical connection: Start-control panel-Internet connections-Local Area Connection-right click -properties-general-check show icon in notification area when connected. See if the icon in the notification area shows connection or not. If not there is no physical connection.


    Step 2.


    Double-click on the LSPFix.exe icon and the program will launch.


    Ceck the "I know what I am doing, else etc" and click finish


    Step 3.


    Go to control panel -network connections, right click the 1394connection, select disable.


    Step 4.


    Go to Start > Run and type in cmd


    Type in the following line one by one and pressing Enter after each line:


    netsh int ip reset resetlog.txt


    ipconfig /release


    ipconfig /renew


    ipconfig /flushdns


    Reboot. If it did not recover the Internet connection try step 5.


    Step 5.


    Set a static ip to do that:

    • Use the laptop of your aunt, and get it connected at your home.
    • In the run box type ipconfig /all
    • Note the ip address, subnet mask, default gatway, (and DNS server in case you wanted to try this one too)
    • connect your PC.
    • Go to network connections, right click LAC, higlight Internet Protocol (TCP/IP), properties, general, check use the following address: fill in the three mentioned values but in case of ip address add 1 to the last number of IP address (192.******.******.101 becomes 192.******.******.102). click ok and reboot. Check the connection.
  • K, thx, I'll try those.


    Anyway, I was wondering, WHY is there a big red X. If the vundo created it, why didn't it go away with all the other symptoms (ecxept the internet). Or is it a change it made to the computer, regardless of it you get rid of kernel error or not?


    I know it is not much of concern right now but you can fix it by doing the following:


    Open a notepad (start menu-all programs-accessories-notepad)


    Copy and paste the text in the code box below into it.


    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon]


    Save the file to the desktop as driveicons.reg and make sure the "Save as type" field says "All files". Locate driveicons.reg on the Desktop and double-click on it and confirm.

  • farbar
    farbar
    edited February 2008

    I edited the step 4 of the above post:



    Step 4.


    Go to Start > Run and type in cmd


    Type in the following line one by one and pressing Enter after each line:


    cmd /c netsh winsock reset catalog


    ipconfig /release


    ipconfig /renew


    ipconfig /flushdns


    Reboot. If it did not recover the Internet connection try step 5.