RunTime error in Explorer and IExplorer

How did you run the READ ME FIRST it iexplore always terminates? Or did you use a different browser?

Make sure the below guidelines for installing and running HijackThis are followed and post your log as an attachment:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

You really need to evaluate where you are spending your time surfing. You are badly infested. This is going to take some time. And we will have to do this in stages. I'm trying to look at your log now.

In the meantime, look in Add/Remove programs for any of the below and uninstall if found. Tell me if you find any of them:
Windows
kalvsys
Internet Optimizer
AutoLoaderAproposClient

The below items have long been on a rogue tools list at: http://www.spywarewarrior.com/rogue_anti-spyware.htm They should be removed too.
SPYWATCH
POPUPWATCH

 

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Local Security Authority Service or lsass

Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Now repeat the above for the below two services:
NTLOAD
NTSVCMGR

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Local Security Authority Service

If that does not work, use the short name: lsass

Now repeat the above steps with HJT to delete the below two services:
NTLOAD
NTSVCMGR

You may be told to reboot at this point. Do not reboot just exit HijackThis when finished and post the results of doing this. Any problems? Then move on too the next message.

 

Did you see my message before the one you just post?

 

Hopefully my previous message took care of the three bad services but I'm leaving them in the steps below just incase.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\system32\mui\721w\cache\srunner.exe
C:\WINDOWS\system32\mui\721w\cache\srunner.exe

After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

You should consider changing user names and passwords. The below RFA.dll is PWSteal.Bankash.F It is a Trojan horse program that attempts to steal user names and passwords. Make sure you fix this.
O2 - BHO: ReadFile Class - {811ABD55-9D94-4892-AB46-11D7DA29B8AE} - C:\WINDOWS\system32\RFA.dll

O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [yncnqrov] C:\WINDOWS\yncnqrov.exe
O4 - HKLM\..\Run: [u35X3sX] nvrci.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [nvsvca32] C:\WINDOWS\nvsvca32.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvewz32.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\temp\CXTPLS~1.EXE" /PC=CP.CDT3 /ShowLegalNote=nonbranded /ForSupportedBrowsers
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\Spyware Remover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\Spyware Remover\PupupWatch\PopUpWatch.exe /STARTUP
O4 - HKCU\..\Run: [f0u7Rib8V] nvmelper.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Local Security Authority Service (lsass) - Unknown owner - C:\WINDOWS\system32\mui\721w\cache\srunner.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe


After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\Windows AdStatus <--- the whole folder
C:\Program Files\Internet Optimizer <--- the whole folder
C:\Program Files\Spyware Remover <--- the whole folder
C:\temp <--- delete all files in this folder unless you know you saved something here you need but anything you need should not be in a temp folder.
C:\WINDOWS\system32\mui\721w\cache\srunner.exe
C:\WINDOWS\yncnqrov.exe
C:\WINDOWS\msexploren.exe
C:\WINDOWS\nvsvca32.exe
C:\WINDOWS\system32\RFA.dll
C:\windows\system32\nvrci.exe
C:\windows\system32\kalvewz32.exe
C:\WINDOWS\system32\ap9h4qmo.exe
C:\WINDOWS\system32\nvmelper.exe


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.


Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

You're welcome. One of the items we were trying to fix still remains.

O23 - Service: Microsoft Printer Spooler Service (ssv) - Unknown owner - C:\WINDOWS\system32\mui\721w\cache\srunner.exe (file missing)

First just try to simple fix this entry using HijackThis. If that does not work, use the steps from message # 6 again (using services.msc and HJT to delete the NT service).

 

You're welcome. Now to help keep you clean, you should see the steps in the below link:

How to Protect yourself from malware!

 

Your HJT log is clean.

I'm not sure that Spybot is correct about that being a problem. Do you have a program like Radmin installed. See: http://www.majorgeeks.com/download1927.html

 

I'm back!

I still do not believe there are any problems. The last thing mentioned was a Haxdoor-H problem found using Spybot. The below registry was given:

HKEY_LOCAL_MACHINE\System\RAdmin\v2.0\Server\Parameters\DisableTrayIcon!=B=0


I think this is a valid registry key for RAdmin. The program must either be installed on the system or it previously had been installed. It is not malware. If we delete that registry key and you have this program installed, we will break the program. You must be sure that the program is not actually install and never has been installed on this PC by any user.