kaspersky scan said 9 virus's

Welcome to Majorgeeks!

Please read the sticky threads before posting logs. No logs are to be posted inline and you need to run standard cleaning procedures if you are having malware problems. I would just suggest that you boot into safe mode and then delete the below folder:
C:\WINDOWS\bundles

If that does not resolve your problems then please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • 
    [*]runkeys.txt - the log from GetRunKey.bat
    [*]newfiles.txt - the log from ShowNew.bat
  • CounterSpy - ONLY IF you were not able to run Windows Defender
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

If you have run ALL of the READ & RUN ME, yes you can attach ALL of the logs I requested to be sure all malware has been removed.

 

Why are you attaching copies of GetRunKey.zip and ShowNew.zip with different names? We need the logs that they create ( c:\runkeys.txt and c:\newfiles.txt )

 

You also MUST follow the directions in step 7 of the READ ME for installing and renaming HijackThis.exe.

You have it here:
C:\Documents and Settings\cory\My Documents\HijackThis.exe

That is exactly where the directions indicate not to install it and you also did not rename the executable file.

 

I also see you are running:VCOM Fix-It Utilities

Doesn't it contain an antivirus, antispyware, and maybe even a firewall?


Is your copy of ewido anti-spyware 4.0 guard a free version or paid version?

Did you install the below and what is its purpose?

NPDOR File Monitor Service (NFMService)

I consider them to be spyware. I would not give them any info. I quote from their site:

 

Did you see message # 10?

Also the below is not the correct place to install or run ShowNew or GetRunKey from:

C:\Documents and Settings\cory\Local Settings\Temporary Internet Files\Content.IE5\OJWRYKR4\ShowNew[1]

DO NOT USE the TIF folder. It will work but it is a bad idea. When I tell you to clear your cache later or if you run CCleaner, they will all be gone!

 

Please see step 3 of the READ ME. If VCOM has an antivirus and you plan on keeping it, you must uninstall AVG. Why are you using ZoneAlarm instead of VCOM's firewall?

Uninstall NPdor.


YOUR PC IS IN SELECTIVE STARTUP MODE using MSconfig, which we tell you not to use in step 7 of the READ ME.
Did you knowingly install WeatherBug and do you use it?

You need to properly install HJT, GetRunKey and ShowNew. I only need a new log from HJT right now though (after complete the above and other steps).

 

Did you install this PC Pitstop Optomize stuff. Did you purchase it? If not, you should uninstall it to avoid getting the reminders.

 

You will not necessarily see the conflict. They are however conflicting and the are slowing your PC down. They also can make it difficult for each program to properly detect and remove malware. Decide which one you want to keep and uninstall the other. You need to do this before we continue.

I saw it listed in the Uninstall list that appears in the ShowNew log. That does not necessarily mean it will have an uninstall. But we can easily do that ourselves. This is another reason not to use their software. Any program that requires an install and then does not have an uninstall is not reputable. They are purposely trying to force you to keep their software. This is the same as malware.

You now have TWO HijackThis processes running:
C:\hjt\HijackThis.exe
C:\hjt\analyse.exe

Delete the first file above!!!!

The below should not be running when you are using HijackThis:
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE

Did you get out of selective startup mode?

Have you installed GetRunKey and ShowNew properly yet? Attached new logs when you are in normal startup mode and they are installed properly.


You did not answer my question about Ewido from message # 10!!

 

Okay that's better. Now while you are uninstall one of the antivirus programs also uninstall the below:

ewido anti-spyware 4.0
Java 2 Runtime Environment, SE v1.4.2 <--- this is an old version and you already have the new one
Viewpoint Media Player
WildTangent Web Driver


After doing the above (and uninstalling one of the antivirus programs) attach a new HJT log.

 

Would you like to get rid of npdor while we are fixing remaining things?

 

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to NPDOR File Monitor Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

NFMService

If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Make sure viewing of hidden files is enabled (per the tutorial).
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hti] C:\npdor\npdor.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - http://www.peoplepc.com/ppcos/isp60/download/ppcwebi.cab

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\npdor <--- the whole folder
C:\Program Files2\PCPitstop <--- the whole folder if found
C:\WINDOWS\realtime.exe
c:\windows\system32\unPPC.exe
c:\windows\ss3unstl.exe
c:\windows\system32\FLEOK
c:\program files\QuickSearch

Additional step to delete files in the Downloaded Program Files folder :
- Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt windows.
- Enter the following command lines each followed by the enter key
cd C:\WINDOWS\Downloaded Program Files\
attrib -r -h -s dm.inf
del dm.inf
attrib -r -h -s pcpowerscan.EXE
del pcpowerscan.EXE
exit

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

I forgot one more thing I wanted to do!

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Then attach a new log from GetRunKey.

 

The registry patch works just fine for me! You must not be saving it properly. Also the commands from the command prompt should also work but you must enter them correctly with the proper spaces or the will not work or be recognized. So try the registry patch and the stuff to remove files in the Downloaded Program Files folder again.

How is everything working at this point?

 

You highlight the text and copy it to a notepad file and then save that file to your Desktop (or anyplace you like) but you MUST change the Save As Type to All Files and make sure that you name the file with a .reg extension.

It is very possible that these are not due to malware. It is more than likely due to corrupted or missing system files. Yes the problems may have initiated due to malware, but at this point I would say they are not due to any still remaining malware.

 

From a command prompt window, enter the below command:

sfc /scannow

If this finds any system files to be missing or corrupted it will ask you for you Windows XP CD (if it needs it). So be prepared to supply your CD.

How is everything working now?

 

This is not useful to me but a log from Kaspersky could be.

Refesh my memory. What is the exact problem? All I seem to remember is something about kernel32.dll which is not a malware problem.

Let's work thru the below anyway!

Go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

That's not a big problem! Either do a Reset of Web Setting which should delete all those files in the Temp Internet Files folder or you can delete the file yourself.

That NPDORFM.sys is part of that junk you had installed. Remember this NPDOR File Monitor Service

Basically you got 20 bucks from them to allow them to screw up your PC.

My same comment applies to your Trojan remover comments. A log could be more useful. appmgmts.dll is a valid file from Microsoft. It is Software installation Service

You should not be missing this and if you are, I don't understand why sfc /scannow did not detect it. You could just download it from the below link and put it back in your system32 folder:
http://www.dlldump.com/download-dll...es/A/appmgmts.dll/5.1.2600.2180/download.html

 

You're welcome. Surf safely!