heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

[amateur]

Hi,

You can go ahead and delete fixreg.reg from your desktop now.

Please make sure that the TeaTimer is still disabled as per my previous instructions. Then, scan with HijackThis and place a checkmark against the following entries.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

Close all browsers and windows other than HijackThis and click on 'fix checked'.

=================================

Restart the computer for the changes to take effect.

=================================

Spyeraser is reported to be a lesser quality anti-spyware program, as you can see it yourself here:

http://www.pcmag.com/article2/0,2817,2091004,00.asp

Quote:

SpyEraser is a danger to itself and to others. It's poor at removing existing spyware, sometimes killing innocent processes, and it's even worse at keeping systems from getting infected in the first place. Look elsewhere for spyware protection.

I would recommend that you remove it via Add or Remove Programs and then delete its folder too. There are better alternatives.

C:\Program Files\Uniblue\SpyEraser

===================================

Quote:

Machine seems to run fine now .

Glad to hear that the machine is running fine now. You are all set with SP3 and recovery console installed. The logs are clean.

===================================

• Click Start then Run
• Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /
  
  
  
  This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

===================================

A colleague of ours has excellent information and tips on the prevention of malware here for your future reference.

Please respond to this thread one more time so we can mark this thread as resolved.

Good luck with your next project.
Happy Surfing!

[Roc 65]

OK,

Deleted Fixreg
Spyeraser is gone.
HJT instructions followed

One last problem -

I seemed to have uninstalled combfix, however I still get the comboFix related error on bootup: "Windows cannot find 'c:\combo-fix\combofix.bat'...."

During the run of combofix /u I had an error:

cannot remove combofix.....

but it seems to be gone

I also had AVG catch a (PUP) potentially harmful program called hidexec.ev: c:327882r2fwjfw\hidec.exe - probably not related to the problem above, they just happened at the same time. I had AVG move the PUP to the vault.

By the way, how often do I empty the vault?

Would you help me get rid of this error before we end this post? I have searched for and deleted any file "combo*.* and deleted any remnants.
I have restarted a couple times and still get the error?

Thanks
Almost done!

[amateur]

Hi,

Quote:

I seemed to have uninstalled combfix, however I still get the comboFix related error on bootup: "Windows cannot find 'c:\combo-fix\combofix.bat'...."

It sounds like an old registry entry that may be causing it but I cannot see it in your logs. Are there any other user accounts?

Quote:

During the run of combofix /u I had an error:

cannot remove combofix.....

but it seems to be gone

Do you remember the end of that sentence? What was the reason it gave for not being able to remove combofix?

Also, an old copy of combofix may not have been properly uninstalled. C:\327882R2FWJFW belongs to Combofix, not a harmful item but AVG cannot differentiate the good use of hidec.exe from the bad use. The AVG report indicates that Combofix was not perhaps properly uninstalled, not necessarily now, perhaps at an earlier time. I suspected that and that's why I was asking if you had an older copy still installed.

Delete the Combofix and Combo-fix from your desktop if still present. Create a fresh Restore point (instructions below) just to be on the safe side, and then delete C:\327882R2FWJFW. Also delete these folders, if present: c:\combo-fix and C:\Combofix

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it ( something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

==============================

Restart the computer and if you're still getting the Combofix.bat error, post a fresh HijackThis log from every user account in the system.

[Roc 65]

Hi,

Quote:

It sounds like an old registry entry that may be causing it but I cannot see it in your logs. Are there any other user accounts?

We only have one user account.

Quote:

Do you remember the end of that sentence? What was the reason it gave for not being able to remove combofix?

Unfortunately I only remember that it had something to do with hidec.exe

Quote:

Delete the Combofix and Combo-fix from your desktop if still present. Create a fresh Restore point (instructions below) just to be on the safe side, and then delete C:\327882R2FWJFW. Also delete these folders, if present: c:\combo-fix and C:\Combofix

Restore point created. All Combofix files were already gone and the C:\327882R2FWJFW was gone as well. Rebooted and still have the error. Would it do any good to re-install ComboFix, re-run it and maybe it will overwrite the reg or hidec?

HJT -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:49 AM, on 9/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093930840796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124160269328
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/...ws-i586-jc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Engine.exe
O23 - Service: PD91VMDefrag - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6054 bytes

[amateur]

Quote:

Would it do any good to re-install ComboFix, re-run it and maybe it will overwrite the reg or hidec?

Yes, it's well worth a try.

[Roc 65]

Well, I tried, no luck. It couldn't find hedec.exe and aborted once it recognized that the recovery console was already installed.

Any ideas?

[amateur]

Hi,

Sorry for the late reply. I was coming back from an overseas trip and didn't have any access to internet for a couple of days.

The recovery console installation is a one-time process. If you're trying to drag and drop the Microsoft package again, it's normal for Combofix to abort the process saying that it's already installed.To run Combofix, just double-click on Combofix.exe. However, you don't need to run it anymore. Simply use the instructions to remove it.

• Click Start then Run
• Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /
  
  
  
  This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

[Roc 65]

Hi,

Sorry for the delay. I have to travel for the next few days, so I'll get back to you when I return.

Thanks for your patience.

[amateur]

No problem. That's fine. Once you uninstall Combofix, if the shortcut is still present on the desktop after uninstalling it, please delete it.

[Roc 65]

Hi,

It's been a while since I could focus on this one. I ran Combofix /u and it seemed to remove the program, unfortunately I still get the error message on boot-up:
"Windows cannot find 'c:\combo-fix\combofix.bat'. Make sure you typed it correctly and try again. To search for the file click start then click search."

The uninstall removewd the shortcut from my desktop

I guess I am at a loss for what to do next? Is there any way to find the start-up script that searches for a combofix executable and delete it?

[amateur]

Hi,

It has been a while and I don't remember if I asked for this.

Open HijackThis and go into the Config option when you start HijackThis, and then click on the Misc Tools button at the top. You will then click on the button labeled "Generate StartupList Log". Once you click that button, the program will automatically open up a notepad filled with the Startup items from your computer. Copy and paste the list here please.

[Roc 65]

Hi,

You have but it's been a while. Here it is:

StartupList report, 9/22/2008, 7:19:05 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\******\****** Partition Manager Personal 1.6.4\epm0.exe
C:\Program Files\******\****** Partition Manager Personal 1.6.4\epm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

PS2 = C:\WINDOWS\system32\ps2.exe
AGRSMMSG = AGRSMMSG.exe
HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

[1428]
rdghixrd = "C:\Combo-Fix\Combobatch.bat"

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=avgrsstx.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
Uniblue SpyEraser Nag.job
Uniblue SpyEraser.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[ActiveScan 2.0 Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\as2stubie.dll
CODEBASE = http://acs.pandasoftware.com/actives.../as2stubie.cab

[Snapfish Activia]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx
CODEBASE = http://photos.walmart.com/WalmartActivia.cab

[get_atlcom Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEGetPlugin.ocx
CODEBASE = http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx

[OnlineScanner Control]
InProcServer32 = C:\WINDOWS\system32\ONLINE~1.OCX
CODEBASE = http://www.eset.eu/buxus/docs/OnlineScanner.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.co...?1093930840796

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsof...?1124160269328

[Java Plug-in 1.6.0_07]
InProcServer32 = C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 8,565 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

[amateur]

Hi,

Open notepad. It must be notepad, not wordpad.
Copy and paste the text inside the code box below into notepad, including the blank line at the end. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.
Choose file save as and set file type to all files.
Type fixreg.reg in the file name and save it to your desktop. It should look like this:

Code:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\1428]

Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fixreg.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer yes.

Reboot your computer and let me know if you're still getting that error.

[amateur]

Hi,

There's a fair chance that the above fix will not work. If that's the case, please try the following.

Please download The Avenger to your Desktop.

• Click on Avenger.zip to open the file
• Extract avenger.exe to your desktop

Open the program. Check the 'Input script manually' option.

In the box that opens, copy/paste the text inside the code box:

Code:

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\1428\  | rdghixrd

Uncheck 'Scan for Rootkits'.
and click 'Execute'

Reboot if prompted. It will produce a log on reboot. Please post the contents of it.

[Roc 65]

You are right, the 1st action did not work -

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\1428|rdghixrd" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[amateur]

How about the second one? It should have worked, but did it?

[Roc 65]

It did!!!!

Can we close this monster thread?

If so, I truly appreciate your help!

[amateur]

Hi,

Hurrayy... Yes, we can close it now. Please delete the fixreg.reg Avenger.exe and Avenger.zip files from your desktop. Avenger is an extremely powerful tool and we wouldn't want it lying around and cause any mishaps. Also delete its folder please:

C:\Avenger

Enjoy your surfing and stay safe!

[Roc 65]

Outstanding support, Thank you amateur!

[amateur]

You're very welcome. Glad we were able to help.

Take care!