
Thread: Spybot S+D would not start

  1. #1
    Junior Member
    Join Date
    Nov 2006
    Posts
    17

    Default Spybot S+D would not start

    I am posting here on the advice of Zenobia.
    Any help is greatly appreciated.
    For background on this issue, please refer to:
    http://forums.spybot.info/showthread...light=diowrite
    A lot of people have read this thread already. Perhaps many others are having similar problems with Spybot.
    Maybe there is some nasty in my system but I will wait for advice from a Helper.
    Thank you again.
    Regards,
    diowrite

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Please go here and attach Winsock32.exe
    http://www.thespykiller.co.uk/forum/index.php?board=1.0

    http://forums.spybot.info/showthread.php?t=288
    Post A Hijackthis log and an online scan report here in this thread.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  3. #3
    Junior Member
    Join Date
    Nov 2006
    Posts
    17

    Default HJT log and online scan

    Logfile of HijackThis v1.99.1
    Scan saved at 01:24, on 12/1/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Filseclab\xfilter\xfilter.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\FDF\FAST2.EXE
    C:\Program Files\Common Files\Filseclab\FilMsg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\T\Desktop\HiJack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray
    O4 - Global Startup: Filseclab Messenger.lnk = C:\Program Files\Common Files\Filseclab\FilMsg.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O15 - Trusted Zone: *.amazon.com
    O15 - Trusted Zone: *.americansingles.com
    O15 - Trusted Zone: *.half.ebay.com
    O15 - Trusted Zone: *.scgi.ebay.com
    O15 - Trusted Zone: *.signin.ebay.com
    O15 - Trusted Zone: *.hotmail.com
    O15 - Trusted Zone: *.msn.com
    O15 - Trusted Zone: *.mypoints.com
    O15 - Trusted Zone: *.passport.com
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...lscbase969.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - https://media.pineconeresearch.com/A...oadcontrol.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E47C5FC5-E607-4D55-925B-E68F9F81E808}: NameServer = 71.243.0.12 68.237.161.12
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: RunOnce - C:\WINDOWS\
    O20 - Winlogon Notify: scsiusr4 - scsiusr4.dll (file missing)
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: General Network Service - Unknown owner - c:\windows\winsocks32.exe (file missing)
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
    O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe



    ONLINE SCAN:
    (sorry, could not get wordwrap to switch off)
    Incident Status Location

    Virus:Trj/Sfc.A.mod Disinfected Operating system
    Adware:adware/savenow Not disinfected Windows Registry
    Adware:adware/ncase Not disinfected Windows Registry
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\T\Cookies\t@go[2].txt
    Possible Virus. Not disinfected C:\fixwareout\FindT\swreg.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\smitRem\Process.exe
    Possible Virus. Not disinfected C:\Program Files\smitRem\swreg.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\smitRem.exe[smitRem/Process.exe]
    Possible Virus. Not disinfected C:\Program Files\smitRem.exe[smitRem/swreg.exe]
    Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@ccbill[1].txt
    Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@searchportal.information[1].txt
    Spyware:Cookie/Buydomains Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@www47.buydomains[1].txt
    Spyware:Cookie/Seeq Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@www48.seeq[1].txt

    Thanks,
    diowrite

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Delete these tools
    C:\Program Files\smitRem
    C:\fixwareout
    They should only be used when instructed.

    Download SDFix
    Important: save it to c:\ or to the root of whatever drive Windows is installed on.
    Double click SDFix.exe and choose Install to extract it to. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    • Open the extracted c:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  5. #5
    Junior Member
    Join Date
    Nov 2006
    Posts
    17

    Default Done as asked

    Thank you sincerely LonnyR.
    I followed your instructions and post below the results.
    (Note: At the end of SDFix, I got the message: The System was unable to find the specified registry key or value: checkstart.txt) (I think it was checkstart?)

    SDFix: Version 1.44
    ********************

    Fri 12/01/2006 - 12:48:46.89

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Stage One - Safe Mode
    Checking Services...

    Service Name:

    General Network Service
    winsock32.exe

    File Path:

    c:\windows\winsocks32.exe
    "C:\WINDOWS\winsock32.exe"

    General Network Service Service Deleted...
    winsock32.exe Service Deleted...

    Starting Registry Repairs...

    Restoring Default Hosts File...

    Stage One Complete

    Rebooting...

    Stage Two - Normal Mode

    Checking For Malware:
    --------------------

    C:\WINDOWS\system32\ldinfo.ldr
    C:\WINDOWS\tcb.pmw
    C:\WINDOWS\winSock32.exe

    Backing Up and Removing any Files Found...

    Final Check:

    Services:
    ---------


    Authorized Applications Export:


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
    FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\Program Files\Internet Explorer\IEXPLORE.EXE REG_SZ C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer

    Files:
    ------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking for files with Hidden Attributes:

    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\uninst.dll
    C:\WINDOWS\system32\cdplayer.exe.manifest
    C:\WINDOWS\system32\logonui.exe.manifest
    C:\IO.SYS
    C:\MSDOS.SYS
    C:\pagefile.sys
    C:\WINDOWS\uccspecb.sys
    C:\WINDOWS\LastGood.Tmp\INF\oem38.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem38.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem39.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem39.PNF

    FINISHED!


    Logfile of HijackThis v1.99.1
    Scan saved at 01:04, on 12/1/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Filseclab\xfilter\xfilter.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\FDF\FAST2.EXE
    C:\Program Files\Common Files\Filseclab\FilMsg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\T\Desktop\HiJack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray
    O4 - Global Startup: Filseclab Messenger.lnk = C:\Program Files\Common Files\Filseclab\FilMsg.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O15 - Trusted Zone: *.amazon.com
    O15 - Trusted Zone: *.americansingles.com
    O15 - Trusted Zone: *.half.ebay.com
    O15 - Trusted Zone: *.scgi.ebay.com
    O15 - Trusted Zone: *.signin.ebay.com
    O15 - Trusted Zone: *.hotmail.com
    O15 - Trusted Zone: *.msn.com
    O15 - Trusted Zone: *.mypoints.com
    O15 - Trusted Zone: *.passport.com
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...lscbase969.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - https://media.pineconeresearch.com/A...oadcontrol.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E47C5FC5-E607-4D55-925B-E68F9F81E808}: NameServer = 71.243.0.12 68.237.161.12
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: RunOnce - C:\WINDOWS\
    O20 - Winlogon Notify: scsiusr4 - scsiusr4.dll (file missing)
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

    Thanks for any help.
    Regards,
    diowrite
    Last edited by LonnyRJones; 2006-12-02 at 08:41. Reason: edited for width
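Added example, not part of the original thread or of any tool used in it: a small Python script that compares two HijackThis logs to confirm which entries a cleanup removed and lists the remaining entries worth a manual look. The sample lines are excerpts of the two logs posted above; the function names and the two review rules ("file missing" and "Unknown owner" services) are assumptions chosen for illustration.

```python
import re

# HijackThis entry lines start with a section code (R0, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

# Excerpts of the two logs posted in this thread (before and after SDFix).
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\services.exe
O20 - Winlogon Notify: scsiusr4 - scsiusr4.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: General Network Service - Unknown owner - c:\windows\winsocks32.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe
"""

AFTER = r"""
Running processes:
C:\WINDOWS\system32\services.exe
O20 - Winlogon Notify: scsiusr4 - scsiusr4.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
"""


def parse_entries(log_text):
    """Return (section, detail) tuples; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def removed_entries(before, after):
    """Entries present in the first log and absent from the second, in log order."""
    remaining = set(parse_entries(after))
    removed = []
    for entry in parse_entries(before):
        if entry not in remaining and entry not in removed:
            removed.append(entry)
    return removed


def review_reasons(section, detail):
    """Reasons an entry deserves a manual look; an empty list means none."""
    reasons = []
    if detail.lower().endswith("(file missing)"):
        reasons.append("file missing")
    if section == "O23" and " - unknown owner - " in detail.lower():
        reasons.append("service with unknown owner")
    return reasons


def triage(log_text):
    """Return (section, detail, reasons) for every entry with at least one reason."""
    flagged = []
    for section, detail in parse_entries(log_text):
        reasons = review_reasons(section, detail)
        if reasons:
            flagged.append((section, detail, reasons))
    return flagged


if __name__ == "__main__":
    for section, detail in removed_entries(BEFORE, AFTER):
        print("removed:", section, "-", detail)
    for section, detail, reasons in triage(AFTER):
        print("review :", section, "-", detail, "->", ", ".join(reasons))
```

A flag is a prompt for review, not a verdict: the UMWdf service is flagged in both logs, and the helper in this thread did not ask for it to be fixed.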

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi
    "I think it was checkstart?"
    I would need to know exactly which; there are several check....txt texts.

    Start Hijackthis and place a check next to these items if there.

    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: RunOnce - C:\WINDOWS\
    O20 - Winlogon Notify: scsiusr4 - scsiusr4.dll (file missing)
    ====================================
    Hit fix checked and close Hijackthis. (not to worry about the Hijackthis backup error)

    To fix this

    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    Download this registry file to your desktop and double click, answer yes to the prompt.
    You should see a succeed message; if so, it can be deleted.
    http://downloads.subratam.org/Fix-Pr...nes-ranges.reg



    Although the infections don't look active, you should run both
    Haxfix and Look2Me-Destroyer.
    Please download Look2Me-Destroyer.exe to the root drive, eg: Local Disk C: or partition where your operating system is installed.
    http://www.atribune.org/content/view/28/
    Close all windows before continuing.
    Double-click Look2Me-Destroyer.exe to run it.
    Put a check next to Run this program as a task.
    You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 to five minutes. Click OK.
    When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    Once it's done scanning, click the Remove L2M button.
    You will receive a Done Scanning message, click OK.
    When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    Your computer will then shutdown.
    Wait about four minutes, then turn your computer back on.
    Please post the contents of Look2Me-Destroyer.txt

    Download haxfix.exe. http://users.telenet.be/marcvn/tools/haxfix.exe
    Save it to your desktop.
    Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    Checkmark "Create a desktop icon".
    Click "Next".
    When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
    Click "Finish".
    A red "dos window" (dos box) will open.
    Select option 1. Make logfile by typing 1 and then pressing Enter.
    Haxfix will start scanning the computer. When it is finished a logfile will open.
    Copy the contents of that logfile and paste it into this thread.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  7. #7
    Junior Member
    Join Date
    Nov 2006
    Posts
    17

    Default Thanks

    Thanks LonnyR, for all that you do to help.
    I am going to do what you suggested. I just haven't had a chance yet.
    By the way, what wiped out all my Bearshare downloads?
    Regards,
    diowrite

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    P2P is probably what brought in the nasties; it might be a good idea to uninstall your P2P programs and delete the downloaded programs.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    diowrite Post back
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  10. #10
    Junior Member
    Join Date
    Nov 2006
    Posts
    17

    Default sorry

    Hi LonnyR.
    I have been so busy I just did not complete my assignment from you.
    Will do it today.
    Thanks,
    diowrite
