Hijack This Log help

Hello BigMoneyYea welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Uninstall Microsoft Antispyware - As you have all ready experienced, it's not very good as a form of protection. I recommend you read the following thread that discusses this product being RogueWare:

ViewMgr.exe is an advertising program by Viewpoint. This process monitors your browsing habits and distributes the data back to the author's. We always recommend removal.

==================================================

Downloads
Download
KillBox v2.0.0.175

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Viewpoint
SurfSideKick 3

==============================================

Next, please reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


Locate and delete the following folder(s), if present:

* C:\Program Files\viewpoint
C:\Program Files\ SurfSideKick 3

===============================================


When doing the fix, you shall be viewing these instructions from Wordpad.
Copy the filename(s) listed below.
Select/Highlight all the filenames & then click on Wordpad's 'Edit' menu & select 'copy'

• 
  
  
  LIST OF FILES THAT NEED TO BE KILLBOXED
  
  C:\Windows\system32\repairs.dll
  
  

Launch KillBox.exe

1. Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox
   Click the dropdown-arrow next to the "Full Path of File to Delete" field.
   Verify that the filenames you pasted are found in there.
2. Select/tick the following:
   • Delete on Reboot
     [*] End Explorer Shell While Killing File
     [*] Unregister.dll Before Deleting * if it's not grayed out
3. Click the RED X button.
4. Click Yes at the 'Delete on Reboot' prompt.
5. Click Yes at the 'Pending Operations prompt'.

* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to manually restart Windows.

• If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

===============================================

Reboot in normal mode

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O20 - AppInit_DLLs: repairs.dll


Please remember to close all other windows, including browsers then click Fix checked.

============================================

Then do a fresh online scan at Panda ActiveScan

1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
2. Click On 'Next'
3. Enter your e-mail address & click 'Send' ...begins downloading Panda's ActiveX controls.- 8MB
4. In the next window, & checkmark the following:
   • Disinfect automatically
   • Scan compressed files
   • Scan e-mail files
   • Detect unknown viruses (heuristic)
   • Detect spyware
5. Begin the scan by selecting All My Computer
   * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
6. If it finds any malware, it will offer you a report. Click on see report
7. Then click Save report
8. Post the contents of the report in your next reply

Please do a fresh scan with HJT and save the log


Please post a fresh
Hijack This log,
Panda scan report
so that we can check if your system is clean.

I followed your post step by step as told. The SurfSideKick 3 still will not let me delete the folder as you told me to do so and it doesn't appear on the add/remove program list.

Here is the new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:21:43 PM, on 9/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O20 - AppInit_DLLs: repairs.dll



and here is the panda activescan log:

Incident Status Location
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskCore.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskBho.dll
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\system32\repairs.dll Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\STEVEN\LOCAL SETTINGS\TEMPORARY INTERNET FILES\Ssk.log
Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl Adware:adware/savenow No disinfected Windows Registry Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Steven\Local Settings\Temp\bundlep.exe Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Steven\Local Settings\Temp\i29.tmp
Adware:Adware/DelFinMedia No disinfected C:\Documents and Settings\Steven\Local Settings\Temp\w181609.Stub.exe
Adware:Adware/ExactSearch No disinfected C:\Documents and Settings\Steven\Local Settings\Temporary Internet Files\Content.IE5\4T2FKDMJ\installer_VENDARE[1].cab[installer_VENDARE.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Steven\Local Settings\Temporary Internet Files\Content.IE5\8527ST2N\upexactpop[1].html
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\Ssk.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskBho.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskCore.dll
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\system32\bk.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\system32\repairs.dll
Spyware:Spyware/Altnet No disinfected D:\Documents and Settings\Default User\Local Settings\Temp\asmfiles.cab[asm.exe]
Spyware:Spyware/Altnet No disinfected D:\Documents and Settings\Owner\Local Settings\Temp\asmfiles.cab[asm.exe]
Adware:Adware/SAHAgent No disinfected D:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP695\A0057065.dll
Adware:Adware/SaveNow No disinfected D:\System Volume Information\_restore{BFC56D8C-863A-44A3-B07E-D806F81CEB57}\RP1\A0000028.exe
Adware:Adware/P2PNetworking No disinfected D:\System Volume Information\_restore{BFC56D8C-863A-44A3-B07E-D806F81CEB57}\RP1\A0000033.dll
Adware:Adware/P2PNetworking No disinfected D:\System Volume Information\_restore{BFC56D8C-863A-44A3-B07E-D806F81CEB57}\RP1\A0000034.DLL
Adware:Adware/P2PNetworking No disinfected D:\System Volume Information\_restore{BFC56D8C-863A-44A3-B07E-D806F81CEB57}\RP1\A0000036.cpl

Hi again BigMoneyYea

When you are doing your HJT scan for reposting, are you in safe mode, if so Please do the next one in normal mode.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).


==================================================

Please download one of the following AntiVirus programmes, Update the virus definitions
We will use this later

AVG Anti-Virus
Avast Home Edition
BitDefender Free Edition v7


The Temp folders must be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download Cleanup! (Alternate Link) if the main link does not work and install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

Download
RegLite

==================================================

Reboot into Safe Mode

Open Reglite and Copy&Paste the bold text below into the Address Bar and hit Enter

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

In the smaller left hand pane-> Right Click the Windows folder(Highlighted in Blue)

Select Rename-> Rename it to Windoz-> Hit Enter

Now look in the larger right hand pane-> locate and double click AppInit_DLLs

Under Value-> Remove(Delete)-> repairs.dll

Locate and delete the following files,

C:\WINDOWS\system32\ repairs.dll
C:\WINDOWS\system32\bk.exe

Reboot and Open Reglite again-> go back to the folder you renamed to Windoz and Rename it again, back to Windows.

======================================================

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs.dll


Please remember to close all other windows, including browsers then click Fix checked.

Locate and delete the following folder(s), if present:

* C:\Program Files\ SurfSideKick 3
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl


Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Uncheck the following :

• Scan local drives for temporary files

Click OK, Press the CleanUp! button to start the program and reboot when prompted.

Run the antivirus programme scanner, you downloaded earlier and tell us what it finds if anything

Run another Panda scan.

Please post a fresh
Hijack This log,
Antivrus scan log,
Panda scan report
so that we can check if your system is clean.

regards

alba :smile:

What did you do?

I followed the previous reply to a "T". And what I have to say is...

WHAT DID YOU DO TO MY COMPUTER?

Again side kick wouldn't let me delete when you told me to, but after rebooting and everything it finally showed up in the add/remove programs list and after removing it, I could finally delete the folder.

The good note is, the SideKick 3 is gone and so are the popups and the slowness. However, my main problems now are:

1) My recycle bin is gone and nowhere to be found
2) I can't use the search feature, A "Search Companion" window comes up with the message: "Unexpected error. Search could not be completed.
And the windows installer window comes up asking for a cd rom or something to install whatever
3)I cannot access the "All Programs" tab from the Start menu. It refuses to do anything when I click on the All programs arrow.

So can you please help me fix these things now?

Here is a fresh hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:32:27 PM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVASTA~1\ashDisp.exe
C:\Program Files\Avast Antivirus\aswUpdSv.exe
C:\Program Files\Avast Antivirus\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast Antivirus\ashMaiSv.exe
C:\Program Files\Avast Antivirus\ashWebSv.exe
C:\Program Files\Avast Antivirus\ashSimpl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast Antivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast Antivirus\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

The Avast! antivirus didn't have a log that I could copy and paste.
And the panda scan didn't work properly as you explained it on the previous log.

Hi BigMoneyYea

Sorry about what happened, unfortunately the removal of the virus affected the windows components in the registry.

what do you mean?

And the panda scan didn't work properly as you explained it on the previous log

Click to expand...

What happened?

Please carry out the fixes first and then we will fix the Windows settings.
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)

Please remember to close all other windows, including browsers then click Fix checked.


Please carry out the following instructions to restore your settings

1. From start menu click Run
enter "sfc /scannow" (no quotes)
Click OK

The command "sfc /scannow" tells Windows to perform a complete Windows file check and replace any missing or corrupt OS files to original Microsoft specifications. Note that you'll need the Windows XP CD to complete this task.

If your recycle bin hasn't returned, please do the following;

2. Restore reycycle bin
Download the recycbin-2.reg file and save it to your hard drive (you may want to right click and use Save Target As).
Double-click the recycbin-2.reg file. You will be prompted to enter the information into the Registry. Answer Yes. REG files can be viewed in Notepad or any text editor, as to the specific Registry keys and values that are updated. After the REG file has been imported, right click on the Desktop and select Refresh

I'm sure you will let us know how you got on

warm regards

alba

HI BigMoneyYea,

I can see your problem, I think it is a disgrace that when you buy a new pc, with the cost of xp built into the price that you don't get the disc with it.

Could you borrow a XP disc from a friend, any XP disc would do, if so try doing this again;
Please carry out the following instructions to restore your settings

1. From start menu click Run
enter "sfc /scannow"(no quotes)
Click OK

The command "sfc /scannow" tells Windows to perform a complete Windows file check and replace any missing or corrupt OS files to original Microsoft specifications. Note that you'll need the Windows XP CD to complete this task.

Please do the following
Delete the following files in red and Folder in Blue

C:\DOCUMENTS AND SETTINGS\STEVEN\FAVORITES\SHOPPING\Best Buy.url

C:\DOCUMENTS AND SETTINGS\STEVEN\APPLICATION DATA\Sskcwrd.dll

C:\DOCUMENTS AND SETTINGS\STEVEN\START MENU\PROGRAMS\WhenU


Now please run HJT and save the log do not fix anything.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
• Save it to your desktop.
• Double-click the new icon on your desktop (tmas-web-scan.exe)
• It will say "Loading TrendMicro definitions".
• Once the definitions are loaded, the program will appear to close then re-open.
• Click "Start Scan"
• After it's done scanning, click "Scan Results"
• Make sure all items found have a check next to them, then click "Clean Threats Now".
• Click Exit.
Reboot your computer.
In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

Then do a fresh online scan at Kaspersky

Make sure that you choose the "fix" or "clean" option when available
Please Take note of any files that were uncleanable and post the filenames here in your next reply




Please post a fresh
Hijack This log,
Antispyware.log
kaspersky scan report



regards
alba

I just don't know...

OKAY. So after waiting for a few days to get the cd from across the country it doesn't fix the problems because the CD is actually a Microsoft Office XP Standard cd. But why doesn't this fix my word so I can at least open and write papers. I'm a student.

Is there any other way I can get ahold of something to fix my computer?

In response to your last entry:
1) the trend micro website doesn't work, go try it (and why should I download more things that have done nothing but take away parts of my computer that can't restore?)
2) I don't know what the Kapersky does other than disappear
3)here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:53:12 PM, on 9/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVASTA~1\ashDisp.exe
C:\Program Files\Save\Save.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avast Antivirus\aswUpdSv.exe
C:\Program Files\Avast Antivirus\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast Antivirus\ashMaiSv.exe
C:\Program Files\Avast Antivirus\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast Antivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast Antivirus\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

So lets see:
1) can't open documents or make new ones on word, excel, etc (I AM A STUDENT!)
2) Can't use the search function for anything
3)can't browse 'all programs' from start menu
4)don't have media player all music and movies have been affected or can't be seen
5)can't change power settings for my screensaver and my monitor just shuts off now quickly
6)has deleted my creative mediasource player for my mp3 player and even the disc for that won't correctly install it back onto my comp, says it is missing a file, even after downloading it from the website, error message appears when trying to open the application saying can't find the folder even though it is friggin in it

So this has been a boatload of good since god knows what thing i downloaded and ran as told by you deleted god knows what in my comp. Any ideas that don't involve deleting other stuff that is imperative to a normal functioning computer?

I AM A STUDENT, I NEED MY COMPUTER, I AM TIRED OF THE SAME 30 SONGS ON MY MP3 PLAYER AND CAN'T CHANGE THEM WITHOUT THAT STUPID MEDIASOURCE THING

AND HOW DO I GET AN XP CD THAT I NEVER WAS GIVEN??

Quote:
Reboot and Open Reglite again-> go back to the folder you renamed to Windoz and Rename it again, back to Windows.

I did rename that folder back to Windows. However, when Alba told me to originally rename it, he didn't specify which folder to rename Windoz and there was 2 different folders under that name. I believe I renamed the wrong one at first because it won't let me change it back, it says error renaming. In order to change the other one to Windoz, i made that folder Windowss and that is how it is now. Perhaps that is causing the problem.

This is what comes up when the Windowss folder is highlighted:'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windowss\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windowss\Help
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windowss\HTML Help
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windowss\ITStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windowss\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windowss\\(default)

As opposed to the folder that was Windoz, but is back to Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\(default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\DeviceNotSelectedTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\GDIProcessHandleQuota
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Spooler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\swapdisk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\TransmissionRetryTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\USERProcessHandleQuota

When I run sfc /scannow nothign comes up so I assume there are no missing or corupt files. I don't know anyone with a cd, so where would the backup location be of the "recovery partition"?

Unless mistaken, you should have these keys in your Registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows > > > > contains few entries

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windowsss > > > > contains many entries


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

IF THE ABOVE IS INCORRECT, STOP & INFORM ME NOW

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

If the above is correct, I want you to do this...

Open Reglite and Copy&Paste the bold text below into the Address Bar and hit Enter

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

In the smaller left hand pane-> Left-click once on the Windows folder

**Look at the Address bar & confirm that the location remains the same

Right-click & select Rename-> Rename it from Windows to Windows2 -> Hit Enter



After you have done that, Copy&Paste the bold text below into the Address Bar and hit Enter

HKEY_CURRENT_USER\Software\Microsoft\Windowsss

In the smaller left hand pane-> Left-click once on the Windowsss folder

**Look at the Address bar & confirm that the location remains the same

Right-click & select Rename-> Rename it from Windowsss to Windows -> Hit Enter

Exit Registrar Lite & reboot your computer

Disclaimer:

Ask me not for a gurantee because I offer none.
I have tried this on another computer & it has worked.

Click to expand...

I attempted what was told in the last entry with naming the other folder windows2 and trying to name the windowss back to windows. There is still an error when trying to rename the windowss folder.

Furthermore, now that I have named the other folder Windows2, I cannot name it back to Windows. There is an error renaming window that comes up for that now as well.

In response to the entry before that:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windowss <--why did you rename this? This folder isn't even in the fix.

You were supposed to rename the windows folder under this key...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

There should be only 1 windows folder under each KEY. Did you try a system restore??"

I renamed that folder because it was the first windows folder I saw and wasn't directed which one I was supposed to do. I now know it wasn't in the fix but Alba didn't specify. How do I try a system restore???

Alba posted...

Open Reglite and Copy&Paste the bold text below into the Address Bar and hit Enter

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

In the smaller left hand pane-> Right Click the Windows folder(Highlighted in Blue)

Select Rename-> Rename it to Windoz-> Hit Enter

Now look in the larger right hand pane-> locate and double click AppInit_DLLs

Under Value-> Remove(Delete)-> repairs.dll

Locate and delete the following files,

C:\WINDOWS\system32\ repairs.dll
C:\WINDOWS\system32\bk.exe

Reboot and Open Reglite again-> go back to the folder you renamed to Windoz and Rename it again, back to Windows

Click to expand...

So he sent you to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows but you renamed the one located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

So it's not really his fault as he did specify the folder and location. Anyway..let's try to address your issue. First lets try to rename the Windows folder again..

Reboot into safe mode and make sure you are logged in as the administrator of the PC.

Open Reglite again and navigate to this folder....

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

*Note* The orginal windows folder is the one we are after so navigate to whatever you named it. It should have 5 sub keys in it. Highlight the folder...click properties. Then click 'Permissions' and make sure your user has FULL access to it. Then click "Take OwnerShip" of the folder.

You should then be able to rename it back to Windows. There should be ONLY 1 folder named Windows in this key..HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft The others will be WindowsNT, Windows Media...ect

If that doesn't work..then try system restore...

To start system restore click Start>>>All Programs>>>Accessories>>>System Tools>>>>System Restore.

If you can not launch it by that method...reboot into safe mode and select "Command Prompt Only" Then type in the following command and hit enter.

%systemroot%\system32\restore\rstrui.exe

Both those will open the restore wizard. Choose a date prior to when this issue occured and restore your PC back to that date. We can then start over and address your issues.

Okay.. I'm running out of ideas here. No idea why my last fix didnt work. :4-dontkno

Let's try one last time.

READ THIS OVER CAREFULLY BEFORE PROCEEDING


Open Reglite and Navigate to these keys: (they are all located near each other)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windowsss

Click on the [+] sign next to each folder to expand each folder till you get something that looks like this..





From the Windows2 folder, copy CurrentVersion & paste it into the Windows folder

Microsoft\Windows2\CurrentVersion --->> Microsoft\Windows

From the Windowsss folder, do the same .. (all of it goes to the Windows folder)

• CurrentVersion --> Windows
  Help --> Windows
  Html Help --> Windows
  ITStorage --> Windows
  Shell --> Windows

The end result looks like this



Close reglite & reboot your computer