Problems Cleaning Home XP PC

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Geolbob, Dec 27, 2005.

  1. Geolbob

    Geolbob Private E-2

    Major Geeks Folk -

    First, Happy Holidays and a safe Happy New Year to you!

    I am new to your website, and although I'm an Army helo pilot, I have spent the past week fighting a war on my home PC with viruses, adware, and malware to no success. My PC is Windows XP Home with a Mediacom cable modem, and I use Norton Antivirus updated frequently. Plan on switching to BitDefender (on my laptop) when the PC is cleaned up. I'm using my laptop with remote connection to avoid more problems on the main PC.

    I have performed the READ ME FIRST AND RUN procedures and series of software, as well as the SpySheriff/Smitfraud/PSGuard procedure and related software. Ended up buying Spy Sweeper as it appeared to find more stuff and had to subscribe for it to clean it all out. I had also installed SpyBot and bought and installed RegRun prior to finding your most wonderful site.

    I continue to have resident (or newly generating) ones, as after running all the procedures, Panda ActiveScan informed me I had 5 viruses and 5 adware. BTW, the free scan no longer provides a remove option, and I didn't buy it. Seems whenever I reconnect the cable modem more stuff gets generated on the PC.

    Can you please provide some further guidance and advice? Attached are the SpySweeper log and most recent HijackThis log.

    Much appreciated, and thanks for the great website - Bob
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download L2MeFix Tool and save it where you will be able to find it.

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing

    Please move the L2MeFix Tool to your Desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your Desktop. Double-click l2mfix.bat and type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until Notepad opens with a log. Save this log. You will need to post this log back here later when you come back.
    Next, double-click l2mfix.bat and type 2 and ENTER to select Option #2 for Run Fix. Then, press any key to reboot your machine.

    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your next message.

    Now open your browser and come back here and post the above two logs as attachments to your message. Also indicate your current status.


    NOTE: Please do not run any other options or files in the l2mfix Folder!
     
  3. Geolbob

    Geolbob Private E-2

    Hello, BJ

    I ran the l2mefix.exe tool as directed, and the logs are attached.

    The computer has a white background, and I tried the two fixes that were posted in another SpySheriff thread for repairing the background. Neither one worked - when trying the "fixadt.reg" file, I got a message that said it "could not be imported, some data was missing". Also that "some keys are open by the system or other processes". When I tried the right click on desktop, properties select, I get a "not available" connection not encrypted, and it lists a URL file://C\WINDOWS\warnhp.html

    Please note all the above was done with the browser off but I had not disabled Norton antivirus, spy sweeper, nor RegRun. Also, I checked and my System Restore was in "monitoring" vs. off. With all the previous activities trying everything, I overlooked that. Would that make a difference, and should I re-run the above with antivirus, etc. off and System Restore off?

    Thanks again for the assist! Bob
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. Geolbob

    Geolbob Private E-2

    Hello again, BJ

    I downloaded and ran Ewido Suites as directed. It found several hundred items, mostly cookies. File is attached. Also ran HijackThis and log is attached.

    Background on my PC is still white with all icons showing; haven't experimented with any other functions yet.

    Please advise if more work is needed. Thank you, and again, have a wonderful and Happy New Year this weekend!

    Bob
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Fixing Locked Desktop
    Right click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.

    Next, please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Spy Sweeper

    (If you bought this, leave it)

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    O2 - BHO: (no name) - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - (no file)

    O4 - HKLM\..\Run: [Userinit] C:\Program Files\Common Files\system\lsass.exe

    O20 - Winlogon Notify: dvd4free - C:\WINDOWS\SYSTEM32\dvd4free.dll
    O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)

    O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - (no file)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Common Files\system\lsass.exe

    C:\WINDOWS\SYSTEM32\dvd4free.dll

    C:\WINDOWS\SYSTEM\blank.htm

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    After you complete the above, REBOOT to Normal Windows and proceed with the below...

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    Now, I would like you to Flush your System Restore Points. Please follow the instructions in this link --->Disable and Re-enable System Restore
    • First, turn OFF System Restore to flush any bad Restore Points.
    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete this fix, reboot and attach a fresh HJT log.
     
  7. Geolbob

    Geolbob Private E-2

    Hi BJ

    I ran the Fix procedures per your last email with these final results, and HijackThis log attached:

    1. When right click on desktop, General tab states "Not Available"...."Protocol" states "file protocol" and "Address" has listed "file://C:\WINDOWS\warnhp.html". So desktop background still white.

    2. All HiJackThis files you listed were found and fixed via HijackThis.

    3. lsass.exe was not in CommonFiles\system nor was blank.htm in \SYSTEM, but dvd4free.dll was present in SYSTEM32. Would not allow delete...."cannot delete dvd4free: access is denied, check disk full or write protected and file not in use". I was able to rename it and did so by adding some underlines and letters and changing the dll extension to txt.

    4. AdawareSE and Spybot found nothing.

    5. Upon reboots at the end, got message "Files not identical"
    Tested: C:\WINDOWS\system32\shdocvw.dll size 1492480
    and date 30.11.2005
    Orig File: C\DOCUM~1\ROBERT~1.LAN\MYDOCU~1\RegRun2\
    Files\Shdocvw.dll size 1483776 date 02.09.2005

    6. Also upon reboots I get Spy Sweeper detect warning box listing this:
    Startup item "Title"
    Registry or folder is HKLM: Run Once
    Location: regrun ii secure start

    7. PC seems to boot up slow, though could be all the antispyware, etc.
    and seems to react slower than I recall before all the problems.

    Please advise between New Year celebrations, and thanks for sticking with me!

    Bob
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT fix the below entry...

    O20 - Winlogon Notify: dvd4free - dvd4free.dll (file missing)

    After you complete the above, navigate to and see if you can find the below file:

    C:\WINDOWS\warnhp.html

    If you find it, delete it and reboot. Let me know if problem remains.
     
  9. Geolbob

    Geolbob Private E-2

    BJ -

    HJT took care of the dvd4free.dll. But desktop still white.

    Could not find C:\WINDOWS\warnhp.html visually or through search, using exact spelling and short versions.

    Does it matter that the message during right click on desktop that lists this has it listed under "Address (URL)" exactly like this: file//C:\WINDOWS\warnhp.html

    Other things to try? Thanks - Bob
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    When you right click on your desktop and go to the WEB tab, I requested you uncheck everything in there. Delete the "file//C:\WINDOWS\warnhp.html" from the web tab and reboot.

    It should be gone, if it is not let me know.
     
  11. Geolbob

    Geolbob Private E-2

    Hi BJ

    My apologies for not explaining the situation better in previous emails. I tried to follow your directions, but when I right clicked on my white desktop, the only options I had available are select all, view source, encoding, print, refresh, and properties. When I select Properties, the only tab shown is "General" with the "Not Available" info and Address(URL) file: //c:\WINDOWS\warnhp.html info. No other options from there.

    I could not find warnhp.html looking in C:\WINDOWS (I do have "show hidden files" selected). I did a search under regedit, and found the subject file under HKEY_CURRENT_USER\software\microsoft\Internet Explorer\desktop\components\0\source with the name "source" of type "REG_SZ" and data "C:\WINDOWS\warnhp.html". I double clicked on "source" and deleted the "C:\WINDOWS\warnhp.html" from the "value data" field. In the same "0" folder there is another REG_SZ type name called "FriendlyName" with the data value of "warning homepage". I deleted that value as well. Then rebooted. This time when I right click on desktop, I got all the options you mentioned and was able to restore my desktop. Good news!

    I also uninstalled Norton and bought BitDefender9 and installed it, plus got Sygate firewall installed. All scans per the fixes show nothing. I think the PC is about clean, however.....

    ONLY TWO ITEMS REMAINING:

    (1) Upon reboots, File Comparison gives me the message "Files not identical"
    Tested: C:\WINDOWS\system32\shdocvw.dll size 1492480
    and date 30.11.2005
    Orig File: C\DOCUM~1\ROBERT~1.LAN\MYDOCU~1\RegRun2\
    Files\Shdocvw.dll size 1483776 date 02.09.2005
    RegRun is a software registry sentry I bought before contacting you folks. Is this something to worry about, and is RegRun worth keeping?

    (2) Also upon reboots I get Spy Sweeper (which I bought) detect warning box listing this:
    Startup item "Title"
    No Product name, Company not provided, and Copyright info not provided
    Registry or startup folder: "HKLM: Run Once Ex"
    Location: "regrun ii secure start"
    Is this anything to worry about? Again, this seems associated with RegRun

    Please let me know on the above two items.

    Thanks again for your patience BJ, and have a very Happy and safe New Year.... Bob
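    The two registry locations this thread kept returning to (the Active Desktop component that pointed the desktop at a local warning page, and the Winlogon Notify packages behind the HJT O20 lines) can be audited read-only with the script below. This is an added example for readers, not something posted in the thread or part of any of the tools mentioned; it only reports, it deletes nothing, and the flagging rule (local Source path, DLL missing from disk) is an assumption based on what was seen in this case.

```powershell
# Added example: read-only audit of the registry spots involved in this thread.
# Nothing here modifies the registry or the file system; review the output and
# decide what to remove yourself (with HijackThis or regedit, as in the thread).
$report = @()

# 1. Active Desktop components. In the thread, ...\Desktop\Components\0 had
#    Source = C:\WINDOWS\warnhp.html and FriendlyName = "warning homepage",
#    which is what produced the white, locked desktop. A Source pointing at a
#    local file (rather than a web URL) is worth a second look.
$compRoot = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
if (Test-Path $compRoot) {
    Get-ChildItem $compRoot | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.Source -match '^(file:|[A-Za-z]:\\)') {
            $report += [pscustomobject]@{
                Check = 'ActiveDesktopComponent'
                Key   = $_.PSChildName
                Value = $p.Source
                Note  = "FriendlyName='$($p.FriendlyName)'; Source is a local file"
            }
        }
    }
}

# 2. Winlogon Notify packages (HJT O20 lines). Each subkey names a DLL that
#    winlogon.exe loads at logon. The thread's dvd4free and ssldr32.dll entries
#    showed up as "(file missing)"; flag any DllName that is not on disk.
#    Relative names resolve against %SystemRoot%\system32, as winlogon does.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyRoot) {
    Get-ChildItem $notifyRoot | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if (-not $dll) { return }
        $full = if ([IO.Path]::IsPathRooted($dll)) { $dll }
                else { Join-Path $env:SystemRoot ("system32\" + $dll) }
        if (-not (Test-Path $full)) {
            $report += [pscustomobject]@{
                Check = 'WinlogonNotify'
                Key   = $_.PSChildName
                Value = $dll
                Note  = "DLL not found at $full"
            }
        }
    }
}

if ($report.Count -eq 0) { 'Nothing flagged in Desktop\Components or Winlogon\Notify.' }
else { $report | Format-Table -AutoSize }
```

    Legitimate Winlogon Notify packages on XP (crypt32chain, Schedule, SensLogn and so on) all point at DLLs that exist in system32, so they produce no output; only entries whose DLL is gone or never existed are listed.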
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in desk.cpl

    When this comes up, can you see the Desktop Tab?

    As far as the Reg program, I haven't ever used it so I can't say if it's worth keeping or not. I use Reg Supreme and sometimes Registry Mechanic and those 2 do a good job.
     
  13. Geolbob

    Geolbob Private E-2

    Hi BJ

    Thanks for the additional info. Yes, when I type "desk.cpl" in RUN I get the desktop properties tab. I don't know if this would have worked before I got rid of the warnhp.html file through the "find" search in RUN: regedit as I mentioned.

    The desktop appears to be back to normal.

    What do you think of the other two issues I mentioned (the "shdocvw.dll" file size issue and the "Title" wanting to add to the startup menu issue)? Are these remaining concerns?

    Is there a thread somewhere that I can use to find out what outgoing/incoming messages are legitimate to allow through Sygate? I am getting requests for various things in and out. Those I recognize I allow (i.e., BitDefender), but there are some I don't know about.

    Thanks again, and Happy New Years this eve day!

    Bob
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The file "shdocvw.dll" is a legit Microsoft file; it should be ignored. The entry being added to startup is from the Registry program you have, so I believe it's ok to allow it, but I wouldn't let it run at startup because it may slow down your boot.

    If something comes up requesting access to the internet, if you know it, allow it; if you don't know it, deny it.

    You should see this article on How to Protect yourself from malware!
     
