Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

computer crashing

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby andorusan » October 30th, 2007, 5:49 pm

Interesting,

The first can't be found while the second opens no problem.

Also opens with just "notepad" as you'd expect.

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm
Advertisement
Register to Remove

Unread postby beynac » October 30th, 2007, 6:11 pm

It looks as if your notepad file has been deleted (the one in the System32 folder). We need to copy the other one to that folder.
  • Click on Start then My Computer
  • Navigate to the folder C:\Windows
  • Scroll down and find Notepad.exe
  • Select the file (single click) and then right-click and select Copy
  • Scroll up and open the System32 folder
  • Right-click in the right hand pane and select Paste
Close the window and then try to open a text file. Does Notepad open? If it does, please try running HijackThis.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby andorusan » October 30th, 2007, 9:50 pm

Ha!!!

I was able to fix notepad. I copied notepad into system32 but it didn't work. I could, however, open notepad directly from within system 32.
When I took a look at the properties of notepad in the start menu it showed something strange:

C:\WINDOWS\system32\actmovie.exe

So I renamed actmovie.exe as notepad.exe and it works perfectly.

But no luck with HLT - still gives the same error message

Thanks as always,

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm

Unread postby beynac » October 31st, 2007, 7:10 am

Good morning Andrew.

That is very strange. :? I need to get this straight in my mind. If you click My Computer, navigate to C:\Windows\System32\notepad.exe and then double-click on the file , it opens. If you try to open the same file using the Run command, it says that it can't be found. Your shortcut on the Start Menu was pointing to actmovie.exe. You amended this to notepad.exe and can now open Notepad using the shortcut. Is this correct?

Let's try restoring the default shortcut behaviour. Download this file to your desktop: http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip. Extract the contents to your desktop and then double-click on the file (linkfile_fix.reg) to run it. Reboot the computer.

I haven't had any response to my request for help yet but, in the meantime, I'd like you to run another scan. As you can see, this will attempt to run HijackThis. If it doesn't work, just post whatever reports it produces.

--------------------------------------------

Deckard's System Scanner (DSS)

Download Deckard's System Scanner (DSS) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Please post the contents of main.txt and the extra.txt in your next reply.
Note: Apart from producing the reports, the scanner will also:
  • create a new System Restore point in Windows XP
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • run HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


------------------------------------------

Please post:
  • The answer to my question about Notepad.
  • The Deckard reports (main.txt and extra.txt)
How is the computer running now? Apart from not being able to run HiajckThis, are there any other problems? Is it still crashing?
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby andorusan » October 31st, 2007, 10:34 am

Hi beynac,

When I copied notepad into system 32 (from which it was absent) I could open it by clicking on it directly. I could also open it using run just by entering notepad.

When I added a desktop icon from system32 and tried the desktop it wouldn't open. That's when I noticed the strange extension and changed both the desktop and menu names to wordpad.

Believe it or not - since I have XP pro - when I sign in I always sign in as user. I only have the option to sign in as Administrator when I'm in Safe Mode. I'm not even sure what will happen if I try to sign in as administrator. Maybe it will ask for a password I don't have :shock:

I'll try later tonight.

The computer is running much better - not crashing anymore and running faster. The new eccentricities continue, however. Everytime I boot up I get an error message saying some program can't find it's way to the dynamic link library kernel32. Also, I can't run videopiggy.

I really appreciate all the work you've done.

Thank you,

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm

Unread postby beynac » October 31st, 2007, 11:26 am

Hi Andrew.
When I copied notepad into system 32 (from which it was absent) I could open it by clicking on it directly. I could also open it using run just by entering notepad.

When I added a desktop icon from system32 and tried the desktop it wouldn't open. That's when I noticed the strange extension and changed both the desktop and menu names to wordpad.

Aha - that explains it! :) It looks like that issue is sorted out, but we still don't know what deleted it. We'll leave that on the back-burner for the moment.

Believe it or not - since I have XP pro - when I sign in I always sign in as user. I only have the option to sign in as Administrator when I'm in Safe Mode. I'm not even sure what will happen if I try to sign in as administrator. Maybe it will ask for a password I don't have :shock:

The Administrator you see when you use Safe Mode is, as you say, not available in Normal Mode. You always sign in as "User". Is this the only option you have? If so, then "User" must have administrator status. My understanding is that you must have one user account with administrator status. Windows will not allow otherwise. I have just checked this on my own computer. I have one user account ("David") with the type "Computer administrator". I have just booted into Safe Mode and logged on as "Administrator". Windows will not let me change the status of the "David" user account to the "Limited" type. It says that I must have at least one user account with administrator status.

To check this, click on Start > Control Panel then double-click on User Accounts. You should see two users: "User" and "Guest". Check that "User" has "Computer administrator" under it.

The computer is running much better - not crashing anymore and running faster.

I'm glad that the computer's running better but there is still obviously a problem we need to find and solve. :)

. The new eccentricities continue, however. Every time I boot up I get an error message saying some program can't find it's way to the dynamic link library kernel32. Also, I can't run videopiggy.

I know that you get this problem with HijackThis and VideoPiggy, but what other programs do you get it with? (I am aware that we still need to sort out the SmartBridge error!)

I look forward to hearing how you get on with the Deckard Scan.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby andorusan » October 31st, 2007, 10:52 pm

Howdy,

Small family crisis kept me from the computer.

I think I was able to restore the default shortcut behaviour - but I don't know how to tell. I can't see that my computer is any differenet.

DSS caused my computer to crash twice before I gave up. :cry:

Thanks,

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm

Unread postby beynac » November 1st, 2007, 5:09 am

Hi.
Small family crisis kept me from the computer.

I hope that everything's OK now.

I think I was able to restore the default shortcut behaviour - but I don't know how to tell. I can't see that my computer is any differenet.

This was done to make sure that there wasn't a problem with the shortcuts. If they're working, that's fine.

DSS caused my computer to crash twice before I gave up.

I can't say that I'm surprised. :( However, it's one more bit of information about your problem. I'll continue my research.

. The new eccentricities continue, however. Every time I boot up I get an error message saying some program can't find it's way to the dynamic link library kernel32. Also, I can't run videopiggy.

I know that you get this problem with HijackThis and VideoPiggy, but what other programs do you get it with?

Could you please let me know the answer to this.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby beynac » November 1st, 2007, 2:06 pm

Good evening Andrew.

I would like the answer to the question in my previous post but I think that it would be a good idea to clear up some of the other issues we have with the computer.

-----------------------------------------------

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 3.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6 Update 3
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation, Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer
--------------------------------------------

Motive SmartBridge is a process which allows a user to submit files to the Internet for support. This is a non-essential process. Disabling or enabling it is down to user preference. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. As you are having problems with it, I suggest that we stop it running at startup. If you disagree, please ignore that step, but please let me know.
  • Open WinPatrol
  • Click on the Startup Programs tab
  • Select Motive SmartBridge and click the Disable button
  • Select RebateNation0 and the click on the Remove button
  • Click the Close button
Click on Start then My Computer, find the following folder (highlighted in red) and delete it, if present : C:\Program Files\Rebate_Nation

-----------------------------------------------

In an earlier post you said:
I downloaded microsoft updates but for some reason service pck 3? couldn't install properly.

There is no official SP3 for XP yet. Was this a non-Microsoft update or was it the SP3 for Microsoft Office? Could you please give me as much information as possible. Also, of course, let me know which other programs are giving you the startup message (or were you referring to Motive SmartBridge).
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby andorusan » November 1st, 2007, 6:24 pm

Howdy,

Did Java but a little scary. I couldn't remove:

J2SE Runtime Environment 5.0 Update 1

Error 1696. Could not access network location
$USERPROFILE%\My Documants\My Pictures

Then I didn't have access to the internet nor could I turn off or reboot the computer. After a couple of hard reboots things seem to be back to normal .

I disabled Motive SmartBridge and removed rebate nation. I'm not sure what I stand to lose by doing so but the simpler this computer runs the better I like it.
(Not since the days of 5.25" floppies when DOS had to be loaded from a disk to boot up have I felt in control of a computer's operating system)

I've checked many different programs and the only other program that dosn't work is SpywareBlaster. It gives me that same error message as HJT but I get it twice and then it gives me

Cannot find import; DLL may be missing, corrupt, or wrong version
File "MSVBVM60.DLL", error 127

When I start the computer I get the smartBridge Error for something called:

GetProcessImageFileName

As for the SP3 - there is one for XP office - my computer is always asking me to download it and I ignore the request since it has failed in the past.
It looks legit... heres what I found
XP Service Pack 3

http://www.microsoft.com/downloads/deta ... laylang=en

Size: 52.3 MB

Office XP Service Pack 3 (SP3) provides the latest updates to Microsoft Office XP. SP3 contains significant security enhancements, as well as stability and performance improvements. This service pack applies to any level of Office XP. It contains all updates included in SP1 and SP2, in addition to updates released after SP2. SP3 applies to the following Office XP products: Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, Access 2002, FrontPage 2002, Publisher 2002, and Office XP Web Components.

More information for this update can be found at http://www.microsoft.com/downloads/deta ... laylang=en

Thanks as always and I hoped this helps.

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm

Unread postby beynac » November 1st, 2007, 7:16 pm

Eureka! (maybe). One of the files that HijackThis needs is Msvbvm60.dll. It looks as if there could be a problem with this file. It could be missing or corrupted. Download the Visual Basic Runtime files from here and save the file ("VB6.0-KB290887-X86.exe") to your desktop. Don't run or install it yet.

-------------------------------------------------------

Show hidden System Files
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View tab
  • Advanced Settings:
    • Under Hidden files and folders, select Show hidden files and folders
    • Uncheck Hide extensions for known file types
    • Uncheck Hide protected operating system files (Recommended)
  • Click Apply
  • Click Apply to All Folders
  • Click Yes to confirm
  • Click OK
------------------------------------------------

Click on Start > My Computer and navigate to C:\Windows\System32\ and look for Msvbvm60.dll. If it's there, rename it to Msvbvm60.old. If not, don't worry. Close the window. Double-click on VB6.0-KB290887-X86.exe on your desktop. When prompted, run the file, accept the licence agreement and the Browse and select Desktop (you will probably have to scroll up). Click OK. There should now be a file called vbrun60.exe on your desktop. Double-click on that file to install the VB Runtime files. Once this is complete, delete the two installation files from your desktop.

Reboot and try running HijackThis. If successful, post the log.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby andorusan » November 1st, 2007, 8:11 pm

:D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D :D

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:05 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?032242654a15478386af5974d99b9dbf
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?032242654a15478386af5974d99b9dbf
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9905 bytes
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm

Unread postby beynac » November 2nd, 2007, 10:37 am

:wav:

That's great news, Andrew! :D

We now know what was causing the problem with HijackThis. The thing that worries me, is that some files seem to have been deleted or corrupted (e.g. notepad.exe and Msvbvm60.dll). The problem with SmartBridge could be caused by the same situation with the file 'psapi.dll'. The error uninstalling Java looks like it could be a registry problem. We will try to find out more about the Java problem and then I would like you to run an online scan. If you have any problems with either of these steps, please give me details but do complete the other one.

You have the Symantec Security Center running as a service. I will take the opportunity to get rid of this while running the batch file. We'll have a look at the Office XP SP3 issue later.

-----------------------------------------------------

First, I would like to see a couple of your registry entries.

Open Notepad (Click on Start then Run. Type notepad into the textbox and click OK.) Select the contents of the Quote Box below, right-click and copy it, then paste into Notepad.
@echo off
sc stop "SymWSC"
sc delete "SymWSC"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" >> beynac.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" >> beynac.txt


Still in Notepad, go to Format (upper menu bar) and untick Word Wrap
Go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: regcheck.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

On the Desktop, double-click on regcheck.bat. This should create a text file (beynac.txt) on your desktop. Please post the contents of this as a reply to this post.

-----------------------------------------------------

Kaspersky Online Scanner

Be aware that downloading the definition files and scanning the computer may take an hour or more. Please be patient and let it run.

Using Internet Explorer, go to: http://www.kaspersky.com/virusscanner
  • Click on Kaspersky Online Scanner
  • Click the Accept button (see the note below if using IE7)
  • Follow the prompts to download and install the ActiveX component(s) and other software
    • If a yellow information bar appears at the top of the browser window, click on it and select Install ActiveX Control
    • If a message box appears, click on OK or Run as appropriate
  • Click Accept again (see the note below if using IE7)
  • When a message box appears, click on Install to allow the installation
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click 'Next'.
  • Now click on 'Scan Settings'
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
    • Scan Options: 'Scan Archives' and 'Scan Mail Bases'
  • Click 'OK'
  • Now under 'Select a target to scan' select 'My Computer'
  • The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as... button:
  • Save the report to your desktop (N.B. Save as type: Text document (txt))
Note: You may get a window without the Accept/Decline buttons. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

----------------------------------------------------

Please post the following:
  • The contents of beynac.txt
  • The Kaspersky report (you may need several posts. If it's ridiculously long, let me know but please post the first part of it - say two posts)
  • A new HijackThis log
Are you still getting the error message about SmartBridge? This should have stopped when you disabled the startup.
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby andorusan » November 2nd, 2007, 12:34 pm

Just came home for lunch - I have a meeting in 15 minutes and then I'm out of town until Saturday night. I will take card of everything then.

Feeling goooood about this progress. :D

Also feeling a touch of emoticon envy ;)

Thanks

Andrew
andorusan
Regular Member
 
Posts: 29
Joined: October 22nd, 2007, 8:17 pm

Unread postby beynac » November 2nd, 2007, 12:41 pm

I'm out of town until Saturday night. I will take card of everything then.

Thanks for letting me know.

Feeling goooood about this progress.

So am I. :D

Also feeling a touch of emoticon envy

:lol:

I look forward to hearing from you at the weekend. Have a good trip!
User avatar
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 273 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware