coolwwwsearch.searchtoolbar cannot be removed
Spiderman
2006-07-21, 21:16
Hello, I am having a problem with 'coolwwwsearch.searchtoolbar', which I cannot remove. When Spybot (1.4 and updated) finds it and fixes it, it asks me to allow it to run on startup to be able to remove it, but on startup it finds 'coolwwwsearch.searchtoolbar' again and says the same thing. I also made a scan with the free updated Ad-Aware SE Personal build 1.06r1, which does not find anything; its add-on vx2cleaner also does not find anything.
Here is my HijackThis log. I should be grateful if you can help:
Logfile of HijackThis v1.99.1
Scan saved at 12:54:22, on 2006-07-21
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\antispyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.polymtl.ca/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.biblio.polymtl.ca:8080/biblio
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/094c80af0f7d19f01815/netzip/RdxIE601_fr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Here is the log from Pandaonline scan:
Cannot paste it as the message becomes too long, pls see attachments.
Thanking you in advance
Spiderman
2006-07-21, 22:27
I forgot to add:
I use AVG free updated daily automatically.
Windows XP SP1, all updated except for SP2.
Sorry I was not able to add to the original posting.
Thanks again
Hello and sorry for the wait.
If you are still in need of assistance please go here and post a link back to this topic to flag a helper.
If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)
Please read the first post in the thread and don't post any logs there. ;)
Cheers.
Spiderman
2006-07-24, 16:22
Hello and sorry for the wait.
If you are still in need of assistance please go here and post a link back to this topic to flag a helper.
If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)
Please read the first post in the thread and don't post any logs there. ;)
Cheers.
Pls note that I cannot reboot in safe mode (I do not know why; at the start I succeeded, but I believe as I installed more and more applications it just doesn't go there). I should be grateful if you help in accordance.
Thanks beforehand
LonnyRJones
2006-07-25, 02:16
Hi
Could I see a SpyBot results report?
Run SpyBot check for problems; when it's finished, right click and choose copy results to clipboard
and paste that back here please.
Spiderman
2006-07-25, 02:38
I cannot paste it, it's too long. Pls find it in the attached file.
LonnyRJones
2006-07-25, 02:55
CoolWWWSearch.SearchToolbar: Configuration file (File, nothing done) C:\WINDOWS\rdt.ini
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
Spiderman
2006-07-25, 05:00
Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.166.98/users/conrad/web/ipdnssec6.gif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.166.98/users/conrad/web/fixiemapi.gif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.166.98/users/conrad/web/dmsadmins.gif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.166.98/users/conrad/web/qwinnta.gif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.166.98/users/conrad/web/sesmgr.gif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.166.98/users/conrad/web/dumpsprep.gif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.166.98/users/conrad/web/mqspbkup.gif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.166.98/users/conrad/web/mptsgsvc.gif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\http://69.50.166.98/users/conrad/web/cithlper.gif
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate
»»»»» Search by size and names...
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32
And here is for Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 21:53:40, on 2006-07-24
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\IEXPLORE.EXE
C:\antispyware\HijackThis.exe
C:\Program Files\internet explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.polymtl.ca/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.biblio.polymtl.ca:8080/biblio
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/094c80af0f7d19f01815/netzip/RdxIE601_fr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
One question in the meantime also pls:
I have the following installed in the add/remove applications:
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
Can I/Should I remove the last two, or which one can I remove? It's not hurting me in any kind, but I read in the forum that old version of Java has loopholes.
Thank You for your help and understanding
LonnyRJones
2006-07-25, 10:07
Hi
c:\messanger.ini < delete
D:\For_PC\shareaza\EvID4226Patch211a-en.zip < delete that and what it installed. Frankly, if it was my PC, anything downloaded with a P2P program would be uninstalled, and the P2P programs too.
D:\Kasaa_My Shared Folder\ < do you have Kazaa?
Once you install J2SE Runtime Environment 5.0 Update 7
these can and should be uninstalled >
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
"Java Runtime Environment (JRE) 5.0 Update 7" http://java.sun.com/j2se/1.5.0/download.jsp
Let us know of any problems over the next few days.
Spiderman
2006-07-25, 17:07
Thank you Jones.
In fact I did not install 'D:\For_PC\shareaza\EvID4226Patch211a-en.zip' but tried it once; I did not install it after I got a problem with my safe mode and reinstalled everything. Neither do I have Kazaa; these are some files which have remained after I uninstalled it.
I did what you said for the J2SE.
I thank you for everything. All seems to be fine now. I have some questions however. What does Fixwareout fix/do? Is it virus or spyware/malware? I suppose it's Wareout, which I found to be present in Spybot's updates, so how come it could not be removed? Is it a new type?
Finally, I have got Spywareblaster, Spybot, AVG, Ad-Aware SE (with which I scan every day) and IEspyad, which I use and update regularly. Do I need another software to prevent any infection of this type in the future? For instance, is Spyware Terminator OK, or do you have any other suggestions, or will Spybot be updated shortly to take care of it?
Thank You very much again, waiting for your reply.
Spiderman
2006-07-25, 17:09
One more thing, I forgot: can you propose me a site where I can fix my problem with the safe mode, which I can't go to? Thanks
Spiderman
2006-07-25, 17:42
I have presently Google toolbar with pop-up blocking.
I should like to know which is better to install, Google or Yahoo toolbar.
Thanks
LonnyRJones
2006-07-25, 19:52
Fixwareout is for a rootkit type infection, although I don't think the infection was present in your case, that's why SpyBot and other anti-spyware and virus scanners have problems with it.
Google or Yahoo toolbar: I suggest getting SP2 and using its built-in popup blocker
Spywareblaster, Spybot, AVG, AD-adware SE, IEspyad, Ewido
Great :)
Do you have a firewall and do you use a hosts file ?
http://www.mvps.org/winhelp2002/hosts.htm
Turn off Spybot's tea timer
Start HijackThis and place a check next to these items if there.
F2 - REG:system.ini: UserInit=userinit.exe
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in) -
O18 - Protocol: vskype - (no CLSID) - (no file)
====================================
Hit fix checked and close HijackThis.
When you next reboot, tea timer should alert to those changes; click allow, do not tick the box "remember decision".
Also: Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the I accept button near the bottom of that page.
Download and run Blacklight, click > scan then > next, next again, then exit
There will be a new txt near Blacklight. Post it please.
Important: If any files show, do not rename them YET. Legitimate files can be listed.
Spiderman
2006-07-25, 21:12
I should also be grateful if you give me your opinion if I can safely remove the following with hijackthis:
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/094c80af...dxIE601_fr.cab
and also if I can safely manually delete the following:
c:\windows\help\CHMRedir.chm
c:\messanger.ini
c:\program files\net2phone commcenter\CC_Versn.dll
c:\windows\rdt.ini
C:/Documents and Settings/PropriTtaire/Application Data/Mozilla/Firefox/Profiles/z2o7kw9o.default
C:\WINDOWS\inetdata\1.02.05.dll
Report from Blacklight beta
07/25/06 13:35:57 [Info]: BlackLight Engine 1.0.42 initialized
07/25/06 13:35:57 [Info]: OS: 5.1 build 2600 (Service Pack 1)
07/25/06 13:35:57 [Note]: 7019 4
07/25/06 13:35:57 [Note]: 7005 0
07/25/06 13:36:16 [Note]: 7006 0
07/25/06 13:36:16 [Note]: 7011 1312
07/25/06 13:36:16 [Note]: 7026 0
07/25/06 13:36:17 [Note]: 7026 0
07/25/06 13:36:26 [Note]: FSRAW library version 1.7.1019
07/25/06 13:55:24 [Note]: 7007 0
New hijacklog:
Logfile of HijackThis v1.99.1
Scan saved at 14:11:45, on 2006-07-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\antispyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.polymtl.ca/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.biblio.polymtl.ca:8080/biblio
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/094c80af0f7d19f01815/netzip/RdxIE601_fr.cab
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Thank you beforehand
Spiderman
2006-07-25, 21:34
I should greatly appreciate your advice as to if I can safely remove the following:
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/094c80af...dxIE601_fr.cab
and manually delete the following files:
c:\windows\help\CHMRedir.chm
c:\messanger.ini
c:\program files\net2phone commcenter\CC_Versn.dll
c:\windows\rdt.ini
C:/Documents and Settings/PropriTtaire/Application Data/Mozilla/Firefox/Profiles/z2o7kw9o.default
C:\WINDOWS\inetdata\1.02.05.dll
As you suggested I installed the Host file but do not know if it did, as I just clicked on the mvps.bat file. And here is the log for:
Log file of BlackLight
07/25/06 13:35:57 [Info]: BlackLight Engine 1.0.42 initialized
07/25/06 13:35:57 [Info]: OS: 5.1 build 2600 (Service Pack 1)
07/25/06 13:35:57 [Note]: 7019 4
07/25/06 13:35:57 [Note]: 7005 0
07/25/06 13:36:16 [Note]: 7006 0
07/25/06 13:36:16 [Note]: 7011 1312
07/25/06 13:36:16 [Note]: 7026 0
07/25/06 13:36:17 [Note]: 7026 0
07/25/06 13:36:26 [Note]: FSRAW library version 1.7.1019
07/25/06 13:55:24 [Note]: 7007 0
Logfile of HijackThis v1.99.1
Scan saved at 14:11:45, on 2006-07-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\antispyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.polymtl.ca/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.biblio.polymtl.ca:8080/biblio
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/094c80af0f7d19f01815/netzip/RdxIE601_fr.cab
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Thank you beforehand
LonnyRJones
2006-07-25, 22:23
O4 TkBellExe < either uninstall Real Player or that O4 can be fixed but
If you keep the program ensure it is the latest version, visit their website.
If you fixed TkBellExe restart your PC and rename
C:\Program Files\Common Files\Real\Update_OB\realsched.exe to realsched.OLD
O4 SunJavaUpdateSched, go into the Windows control panel > Java and set it to not auto update, it's buggy
Update Sun's Java manually
Sun Java V1.5.0_07 is Available:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Afterwards it's important to uninstall the old versions.
Leave the other items you mentioned
c:\windows\help\CHMRedir.chm
c:\windows\rdt.ini
those shouldn't be present any longer ?
c:\messanger.ini < I did say delete that
c:\program files\net2phone commcenter\CC_Versn.dll
If you delete that the program might not work
C:/Documents and Settings/PropriTtaire/Application Data/Mozilla/Firefox/Profiles/z2o7kw9o.default
I'm unsure of this one
C:\WINDOWS\inetdata < delete this folder
Spiderman
2006-07-25, 23:44
:bigthumb: O4 TkBellExe < either uninstall Real Player or that O4 can be fixed but
If you keep the program ensure it is the latest version, visit their website.
If you fixed TkBellExe restart your PC and rename
C:\Program Files\Common Files\Real\Update_OB\realsched.exe to realsched.OLD
I have made an update of Real and deleted the TkBellExe (Hope I did right!)
O4 SunJavaUpdateSched, go into the Windows control panel > Java and set it to not auto update, it's buggy
Update Sun's Java manually
Sun Java V1.5.0_07 is Available:
http://forums.spybot.info/showpost.p...80&postcount=2
Afterwards it's important to uninstall the old versions.
Already done
Leave the other items you mentioned
c:\windows\help\CHMRedir.chm deleted
c:\windows\rdt.ini not present
those shouldn't be present any longer ?
c:\messanger.ini < I did say delete that
Already deleted Sir
c:\program files\net2phone commcenter\CC_Versn.dll
If you delete that the program might not work
Did not delete
C:/Documents and Settings/PropriTtaire/Application Data/Mozilla/Firefox/Profiles/z2o7kw9o.default
I'm unsure of this one
Did not delete
C:\WINDOWS\inetdata < delete this folder
deleted
Do we finally know what the problem was, since no rootkit was present?
Thanks again
Here is the new log:
Logfile of HijackThis v1.99.1
Scan saved at 16:28:51, on 2006-07-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Terminator\SpywareTerminator.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\WinClamAVShield\sp_clam.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\internet explorer\IEXPLORE.EXE
C:\antispyware\HijackThis.exe
C:\Program Files\internet explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.polymtl.ca/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.biblio.polymtl.ca:8080/biblio
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/094c80af0f7d19f01815/netzip/RdxIE601_fr.cab
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
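Comparing the 14:11 and 16:28 scans entry by entry shows which autostart items the fixes actually removed and whether anything new appeared at a persistence point. This is an added example, not part of the original thread; the sample lines are abridged from the two HijackThis logs above, and the function names are this example's own.

```python
"""Diff two HijackThis v1.99.1 logs entry by entry (added example)."""
import re

# "R0 - ...", "O4 - ...", "O23 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
# O4 Run-key form: hive, Run key, [value name], command line.
RUN_RE = re.compile(
    r"^(?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$"
)
# "name = value" form (R0/R1 settings, startup-folder shortcuts); value may be empty.
ASSIGN_RE = re.compile(r"^(?P<name>.*?)\s=(?:\s+(?P<value>.*))?$")

# Sections that load code at boot, logon or browser start.
PERSISTENCE = {"O2", "O3", "O4", "O20", "O23"}

# Abridged from the 14:11:45 scan on this page.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.polymtl.ca/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

# Abridged from the 16:28:51 scan on this page.
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.polymtl.ca/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""


def parse_log(text):
    """Return {(section, key): value}; header and process list are skipped."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        run = RUN_RE.match(body)
        assign = ASSIGN_RE.match(body)
        if section == "O4" and run:
            # Key on hive + value name so a changed command line shows as "changed".
            key = "{hive}\\{key} [{name}]".format(**run.groupdict())
            value = run.group("cmd")
        elif assign:
            key, value = assign.group("name"), assign.group("value") or ""
        else:
            key, value = body, ""
        entries[(section, key)] = value
    return entries


def diff_logs(before, after):
    """Compare two logs; keys are (section, key), changed items add old and new value."""
    old, new = parse_log(before), parse_log(after)
    return {
        "removed": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
        "changed": sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k]),
    }


def persistence_changes(diff):
    """Filter a diff down to sections that load code automatically."""
    return {
        "removed": [k for k in diff["removed"] if k[0] in PERSISTENCE],
        "added": [k for k in diff["added"] if k[0] in PERSISTENCE],
        "changed": [c for c in diff["changed"] if c[0][0] in PERSISTENCE],
    }


if __name__ == "__main__":
    result = persistence_changes(diff_logs(BEFORE, AFTER))
    for kind in ("removed", "added", "changed"):
        for item in result[kind]:
            print(kind, item)
```

An empty "added" list in the persistence sections is the part worth checking after any cleanup: it means no new autostart entry appeared between the two scans.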
LonnyRJones
2006-07-26, 04:52
SpywareTerminator was once on the rogue list
http://www.spywarewarrior.com/rogue_anti-spyware.htm#spyterm_note
If you decide to keep it you should turn off its resident shield or Spybot's TeaTimer.
"Do we finally know what the problem was, since no rootkit was present?"
I'm not sure, if the CHMRedir.chm or rdt.ini files return let us know.
Spiderman
2006-07-26, 05:27
Thanks, I have turned off the real-time protection in the Spyware Terminator; it seems that it was slowing the PC anyway.
I will check them; if the CHMRedir.chm or rdt.ini files return I sure will post again.
Thank you for all and please let me know, if you are aware of a good site/forum (like here) where I can ask for help to solve the problem of not being able to go to the safe mode.
Thanks
LonnyRJones
2006-07-26, 05:56
Thanks for reminding me
What happens exactly when you try getting into safe mode? Have you tried logging in as administrator?
Spiderman
2006-07-26, 16:41
Hello Jones, unfortunately it's me again.
I am now having some problems on startup. Each time I start the PC, the Spybot resident asks me to allow or deny the following:
Value deleted:
TKBellExe
SunJavaUpdateSched
SpywareTerminator
Value changed:
UserInit C:\Windows\system32\userinit.exe
Spiderman
2006-07-26, 16:58
When I go to safe mode (with F8) and select safe mode, here is what it gives me (I translated it myself from French, so it could be that it's not exactly the same), then it goes to normal mode:
Windows n'a pas demarré correctement. Un nouveau logiciel ou materiel peut etre responsable de ce probleme.
Si votre ordinateur ne repond plus, a redemarre de facon inattendue ou a ete arreté automatiquement
pour proteger vos fichiers ou vos dossiers, choissiser l'option Derniere bonne configuration connue
pour revenir aux dernieres parametres fonctionnant correctement.
Si une tentative de démarrage precedente a ete interrompue en raison d'une défaillance d'alimentation ou car
le bouton d'alimentation ou de reinitialisation a ete activée, ou si vous ne connaissez pas la raison de ce
probleme choissiser Demarer Windows normalement
Mode sans echec
Mode sans echec avec prises en charge reseau
Invité de commande en mode sans echec
Derniere bonne configuration connue <vos derniers parametres fonctionels>
Demarer Windows normalement
Utiliser les fleches Haut et Bas pour mettre votre choix en surbrillance.
English Translation:
Windows did not start up properly. A new software or material may be responsible for this.
If your PC is not responding, has not started in a normal way or has been started automatically to
protect your files or folders, choose the option Last Known good configuration to revert to the last
parameters working correctly.
If a previous startup has been interrupted due to a power failure or because the power button or the
reinitialisation button has been pushed, or if you do not know the reason of this problem choose
Start windows normally.
Safe Mode (I suppose)
Safe Mode with online support.
Command line in safe mode
Last known good configuration <your last functioning parameters>
Start Windows normally
Use the arrows UP and down to make your choice.
LonnyRJones
2006-07-26, 19:56
"Safe Mode (I suppose)"
And what happens if you choose safe mode ?
Rightclick on Tea timers icon in the windows clock area on your taskbar and choose exit then restart Tea timer by running TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Spiderman
2006-07-26, 21:31
It shows a black screen and a blinking cursor on the top right and after some 30 seconds it returns back to the same screen. All three options to go to safe mode do the same thing: they return back to the same screen which I translated before.
Other question not related to safe mode:
When Windows loads up it shows me a blue background screen waiting for you to choose between the two possibilities to log in (I think). One is called 'Proprietaire' and the other 'UserXp'. Can I configure somewhere to go directly to 'Proprietaire' and skip this part? Or is this the problem with safe mode?
Pb with TeaTimer seemed OK. Thanks
LonnyRJones
2006-07-27, 00:02
How long have you had problems with safe mode ?
Try setting Windows to log in automatically
Windows control panel user accounts
change the way users log on, set to use welcome screen
Click on the Owner (Proprietaire) account and set it to not use a password.
Let me know if that helped.
Spiderman
2006-07-27, 00:19
The problem has existed since long ago, maybe two years or more.
At the start when I just bought the PC there were not many applications running and I remember I had access to safe mode, but as I put on more and more applications (I don't know if it depends on this however) I was no longer able to.
Both Welcome screen and 'rapid change of utiliser' were already checked.
I never used a password to log in, it had no password set. (We are not many to use the PC).
Thanks
LonnyRJones
2006-07-27, 05:16
Try setting it to not use the welcome screen
Copy the contents of the quote box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
(@echo off
echo Running from %CD%
Echo.
Echo Checking HKEY_LOCAL_MACHINE\SYSTEM\Select
reg query HKEY_LOCAL_MACHINE\SYSTEM\Select /v "Current"|find "Current"
Echo .
Echo Checking CurrentControlSet-Minimal
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal 1>nul
Echo ..
Echo Checking ControlSet001-Minimal
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal 1>nul
Echo ...
Echo Checking ControlSet002-Minimal
reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal 1>nul
Echo ....
)>>logit.txt 2>&1
Run check.bat
Spiderman
2006-07-27, 07:18
When I removed the welcome screen and pressed F8 to go to safe mode, it does not even go to the screen I translated before but continues to boot normally (I tried several times without success; I do not know if the settings/delay when starting is the same or not when you boot in each mode, with/without welcome screen. I did not change anything.).
So I reverted back to the welcome screen. I made two logs, one with the welcome screen and the other without. Here they are:
Log with welcome screen:
Running from C:\Documents and Settings\Propriétaire\Bureau
Checking HKEY_LOCAL_MACHINE\SYSTEM\Select
Current REG_DWORD 0x1
.
Checking CurrentControlSet-Minimal
..
Checking ControlSet001-Minimal
...
Checking ControlSet002-Minimal
....
Log without welcome screen:
Running from C:\Documents and Settings\Propriétaire\Bureau
Checking HKEY_LOCAL_MACHINE\SYSTEM\Select
Current REG_DWORD 0x1
.
Checking CurrentControlSet-Minimal
..
Checking ControlSet001-Minimal
...
Checking ControlSet002-Minimal
....
Hope you will find something repairable, thanks.
LonnyRJones
2006-07-28, 20:00
Hi
Are you familiar with msconfig?
It has an option to restart to safe mode (safeboot) BUT don't use that, that would cause the PC to get stuck in a repeating cycle.
There is an option called /bootlog that might help
Start > Run, type msconfig, press Enter > BOOT.INI tab and tick the box next to [X] /bootlog, click Apply, Close and choose restart Windows. Now press F8 again and try to get into safe mode (you'll have the same problem), so let Windows start up in normal mode.
c:\windows\Ntbtlog.txt now either attach or send me this file
Send it to submitlonnyATsubratam.org
Replace AT with @
Don't zip and attach, those are not working.
Spiderman
2006-07-28, 23:39
I sent the file to the said address saying, I quote:
Here is the log file to response to 'coolwwwsearch.searchtoolbar cannot be removed'.
Now the PC is giving me a configuration message each time I start even if I unchecked the bootlog option in boot.ini section in msconfig.
Thank You
LonnyRJones
2006-07-29, 02:59
Hi
There's a box on that configuration message you can check to not show it again.
That log didn't help as I thought it would
Perhaps uninstalling any un-needed or unused program will help
Also go Start > Run > type in cmd
At the command prompt type in chkdsk C: /r or whichever drive you want to check > Enter
Accept the message that chkdsk will run at the next reboot.
Restart your PC
Then run Disk Defragmenter
Start > Programs > Accessories > System Tools >Disk Defragmenter
Spiderman
2006-07-29, 06:48
I checked the box to not show the message again at the start and I noticed that in msconfig the 'use modified boot.ini file' is selected. I believe this is normal, can you please confirm. Selective startup is selected and all in this part is selected except for 'use original boot.ini file'.
As u suggested I defragmented C, which is about 80% empty, but I still cannot go to safe mode.
The part of the file not defragmented is not in use any more; if u believe it's necessary to delete it to defragment completely, I can redo it again.
Thank You
PS: Do I need to defragment all drives, because I did it only for C where Windows is installed?
LonnyRJones
2006-07-29, 07:53
Yes, it's normal for [x] use modified boot.ini to be checked.
I'm asking around about the safe mode problem, that might take some time.
Spiderman
2006-07-29, 16:07
No problem.
Thanking you for ur kind effort.
LonnyRJones
2006-07-30, 08:26
In control panel user accounts make a new account with administrator privileges, shut down the PC, wait a few minutes then start, try F8 (selective startup) and safe mode again, please.
Spiderman
2006-07-30, 17:31
Hi,
I did add another account named 'Check_SM_Jones' as you suggested, with administrator login privileges, and I shut down and started up again, but the problem is the same. It does the same thing as I described before.
I deleted the account afterwards.
Thanks
LonnyRJones
2006-08-03, 09:21
In order to get more exposure, post here; mention the safe mode problems, that you have a topic here at SpyBotinfo and are malware free.
Let me know when you have posted so I can track the thread.
SWI Forums - PC Troubleshooting:
http://forums.spywareinfo.com/index.php?showforum=28
Spiderman
2006-08-03, 18:19
I posted it in the forum as Spidermaninfo.
http://forums.spywareinfo.com/index.php?showtopic=81942
Thank you
Spiderman
2006-08-06, 02:56
:confused:
Hello,
I have caught yet one more problem. I should be grateful if you can advise. It's not malware/virus (I believe). I was trying Azureus and copied and pasted a directory from Shareaza to the Azureus directory. But now I can neither access nor delete this directory. It's giving me the following messages even after closing Shareaza, rebooting and trying to delete it with Killbox (with delete, delete on reboot and replace on reboot: none works). I tried to uninstall Azureus (from Windows Install/Uninstall) and tried to install it again but it gives me an error message.
The message it gives me when I want to delete the directory is as follows:
Impossible de suprimer le dossier Fanaa 2006-MP3-VBR-320kps[DJLUV]:Access refusé
Verifier que le disque n'est pas plein ou protegé en ecriture, et que le fichier n'est pas utilisé actuellement.
Translation:
Impossible to delete the directory Fanaa 2006-MP3-VBR-320kps[DJLUV]:Access Denied
Verify that the disk is not full or write-protected, and that the file is not actually in use.
I also tried to remove the read-only property of the directory but it returns back to partially write-protected again and does not delete.
Can you please help me delete/fix this problem.
Thank You beforehand for your help.
LonnyRJones
2006-08-06, 04:32
Post the full locations of the folders you need to delete
and tell me if there are any files inside them
Spiderman
2006-08-06, 06:02
C:\Program Files\Azureus_Old\Shared\Fanaa 2006-MP3-VBR-320Kbps[DJLUV]
The folder 'Fanaa 2006-MP3-VBR-320Kbps[DJLUV]' contains audio files in it but not important files.
It would be easier to consider eliminating C:\Program Files\Azureus_Old\Shared\*.*
As the 'shared' directory contains only the directory 'Fanaa 2006-MP3-VBR-320Kbps[DJLUV]' which contains the files.
PS: When I tried with Killbox and delete on reboot it gave me an error saying there is a program not letting it do it on startup, so I turned off TeaTimer and tried again. I hope I did right. But it still did not succeed.
Thank You
LonnyRJones
2006-08-06, 08:46
OK
Manually delete all the files and subfolders within the shared folder
then give me a list of what's left.
Spiderman
2006-08-06, 17:39
'shared' directory contains only the directory 'Fanaa 2006-MP3-VBR-320Kbps[DJLUV]' which contains the files.
But I cannot get into the folder 'Fanaa 2006-MP3-VBR-320Kbps[DJLUV]' . Access is denied.
Thank You.
LonnyRJones
2006-08-06, 23:04
Open notepad go edit and turn off wordwrap
Copy the contents of the quote box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
rem Paths are quoted because %ProgramFiles% and the folder name contain spaces
cacls "%ProgramFiles%\Azureus_Old\Shared" /T /E /C /G System:F Administrators:F
cacls "%ProgramFiles%\Azureus_Old\Shared\Fanaa 2006-MP3-VBR-320Kbps[DJLUV]\*.*" /T /E /C /G System:F Administrators:F
cacls "%ProgramFiles%\Azureus_Old\Shared\Fanaa 2006-MP3-VBR-320Kbps[DJLUV]" /T /E /C /G System:F Administrators:F
Run check.bat then try deleting the contents of Fanaa 2006-MP3-VBR-320Kbps[DJLUV] then the folder itself
Spiderman
2006-08-07, 04:39
:confused: Hello,
I did exactly as suggested but it does not work. The problem is the same, I am still not having access to the folder to see the files or to delete.
Thanking you beforehand for further suggestions.
LonnyRJones
2006-08-07, 06:03
Try this batch file, make it the same way.
(@echo off
cd %ProgramFiles%
move "Azureus_Old\Shared\Fanaa 2006-MP3-VBR-320Kbps[DJLUV]" %temp%\
)>>logit.txt 2>&1
then post contents of (your desktop) logit.txt
Spiderman
2006-08-07, 06:18
Accès refusé.
//My comments Translation : 'Denied Access' (I suppose.)
LonnyRJones
2006-08-07, 06:37
One more try, although I do not like helping with anything related to filesharing.
Download xcaclsIT.zip to your desktop
http://downloads.subratam.org/Beta/xcaclsIT.zip
Extract the files inside to c:\
that will create a folder called c:\xcaclsIT
open that folder open badfiles.txt copy then paste in (including the quotes)
"c:\program files\Azureus_Old\Shared\Fanaa 2006-MP3-VBR-320Kbps[DJLUV]"
save then exit notepad and run xcaclsIT.bat.
It will download and install a Microsoft tool, when it is finished follow the prompts to reboot your PC.
Open the c:\xcaclsIT folder again and run afterreboot.bat
Spiderman
2006-08-07, 07:10
Running from C:\xcaclsIT
Le type du système de fichiers est NTFS.
C: est intègre.
Files proccessed and moved to C:\xcaclsIT\!backups
Le fichier spécifié est introuvable.
//My translation: The specified file cannot be found
No matches found.
// I appreciate your help. It did not lead me to reboot, so I made a reboot manually and ran the afterreboot.bat. The report it gave is posted above but the folder is still there. :confused: It is still not accessible
Thanks again. Please help
Spiderman
2006-08-07, 17:14
Hello,
I noticed one thing which I do not know if it may help. I noticed that by right clicking to the properties of the folder it says 0 octets, 0 files and 0 folders. But I do not know at which stage it became like that (I remember having seen it with files at the start but I am not so sure).
But it's still not accessible: Access Denied.
Thank u
LonnyRJones
2006-08-07, 20:57
Sounds like the folder is corrupt, since it is causing no harm and what we have tried hasn't worked I suggest we just leave it be.
Spiderman
2006-08-07, 21:21
Ok, but if you do come across another solution, please post it. Please do not forget to do the same for the safe mode problem. Maybe if I succeed in going into safe mode it could be deleted from there. Does it do any harm to leave the icaclsIt and resource kit on the PC?
Thanks
LonnyRJones
2006-08-11, 11:18
You can delete the c:\icaclsIt folder but leaving it and that MS file won't cause any harm.
Another helper I know suggested this tool for that folder that won't delete.
http://www.jrtwine.com/Products/DelFXPFiles/
Spiderman
2006-08-11, 17:37
It says:
Recursive folder deletion is not available in the non-registered version of Delete FXP files
It did not delete the folder.
Thank you.
LonnyRJones
2006-08-17, 11:28
Hi
What version of Nero's InCD is it you have? Apparently some versions are known to cause safe mode problems.
http://ww2.nero.com/nero6/us/InCD_4_Release_Notes_prev.html
Version Number: 4.3.0.5
Release Date: 09-10-2004
Bug Fixes
The problem of not being able to boot in safe mode after installing InCD is fixed
Spiderman
2006-08-22, 06:51
I do not know where to find it on my PC. But when I look in c:\Program Files\Ahead\InCD\InCD.exe it says version 4.3.0.3, do u think that's the problem? I hope so. But when I click on InCD.exe nothing happens.
Thank You
Spiderman
2006-08-22, 16:12
You are right I uninstalled the old Nero and replaced it with a more recent one. And I effectively could go to safe mode with F8.
But I was not able to delete the folder from there. I logged on in safe mode with both 'Proprietaire' and 'administrateur' (the only two available) but was not able to delete the folder it denies me access.
Thank you very very very much.:bigthumb:
please let me know also if you find something to delete the folder.
LonnyRJones
2006-08-22, 18:20
I'm not worried about the folder.
Good you can get into safe mode now.
You're good to go.
Surf safe
Spiderman
2006-08-22, 18:44
Thanks again, in fact the folder is causing no harm but if u come about something pls let me know.
LonnyRJones
2006-08-23, 05:50
Since the problems are solved I'm going to close the topic now, this keeps others with similar problems from posting their logs/questions here, they should start a new topic.
If you should need to post another log for the same PC let one of us know via a PM (personal message).