i.e. not responding

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by smokinbls, Aug 13, 2004.

  1. smokinbls

    smokinbls the title thing is overrated

    OK, here is the problem. Whenever I try to search in I.E. it takes a long time for web pages to open, and when they do open and I try to click on a link or a topic nothing happens for about 2 to 3 min. When I try to close the window it says "not responding"; the pages also seem to be frozen. After 2 or 3 mins. I can close the window or try to click the link again. I still will not get redirected though.

    I do use Mozilla Firefox, but some of the web sites that I like to look at I can only find through I.E.

    FIREFOX works great, very fast, and I always get redirected.
    Any help would be great.
    I have run Ad-aware and Spybot, CCleaner and About:Buster, just to let you know.

    TO THE MODERATOR: please remove my thread in the Lounge (off topic); it is the same post as this one.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I deleted your other thread in the Lounge!

    First please do the remaining steps as requested here: http://forums.majorgeeks.com/showthread.php?t=35407

    You indicated you already have some of these and have run them, but I still want you to click on the links in the above thread to double check your version to make sure you have the latest one and that you have any/all updates for the programs. This is very important.

    Questions:
    1) Are you saying that both FireFox and Internet Explorer are always redirected?
    2) What OS are we talking about?
     
  3. smokinbls

    smokinbls the title thing is overrated

    thanks for removing the thread. :)
    I have read the link you sent me to also and done it step by step a couple of times.
    I might add that I do not have any anti-virus software on my computer, though I am going to download AVG anti-virus tonight.

    Firefox works fine, no problems at all, always redirects me.

    The problem is only with I.E.
    I use Windows XP Home.
    This all started after I installed Firefox. Could that be the problem?

    Also, I just remembered that sometimes I have to try 3 or 4 times to connect to the web (dial up). It gets to 38% connected and nothing more.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You keep saying the wrong thing. Saying "redirects me" sounds like you are being hijacked and sent to an incorrect location. You should have said FireFox works okay. Or FireFox does not get hijacked or FireFox is NOT redirected.

    Perhaps you simply meant to say FireFox always connects me.

    So you have done all the steps in that thread? The online scans too? You ran every single tool including About:Buster and HSremove? There were no problems?
     
  5. smokinbls

    smokinbls the title thing is overrated

    I am going to run everything again later today, so I will let you know what happens.
    Thanks for the help so far.
    And yes, Firefox works just fine.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Tell us what you find while working thru those steps. We need feedback.
     
  7. smokinbls

    smokinbls the title thing is overrated

    Hey chas.
    Sorry I have not gotten back to you.
    My mom went into the hospital and I have had no time to run through the stuff.
    I hope tonight or at least tomorrow I will be able to do the things you asked me to do.
    I HOPE YOU ARE STILL WILLING TO HELP ME OUT. :) :)
    THANKS
    BRIAN
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem Brian! Hope your mom is okay!
     
  9. smokinbls

    smokinbls the title thing is overrated

    chaslang i am on line

    Hey chas.
    You were helping me with a problem with I.E. not responding...
    This is what I have found and done. I ran CCleaner, Ad-aware with VX2 plug-in & Spybot, and CWShredder.
    This is what I found.


    Ad-aware: there were 8 registry values identified and 1 file id'd. This is what they said..
    vendor windows
    comment shell possibly compromised

    vendor possible browser hijack attempt ( 7 of them )
    comment possible browser hijack attempt

    vendor spyware nuker
    no comment



    SPYBOT
    PROBLEM

    SHOW BEHIND
    I.E. SEARCH URL
    I.E. SEARCH BAR
    I.E. SEARCH PAGE
    I.E. SEARCH URL.......

    PROBLEM

    COOLWWWSEARCH
    I.E. SEARCH URL
    I.E. SEARCH URL

    CWSHREDDER
    REMOVED 3 INFECTED I.E. REGISTRY VALUES.


    I HAVE ALSO NOTICED THAT IN WINDOWS TASK MANAGER
    I HAVE TO END 4 THINGS TO GET MY COMPUTER RUNNING A LITTLE FASTER
    AND THEY ARE ( YOU MIGHT HAVE TO DELETE THESE, I DO NOT KNOW IF I CAN POST THEM )

    HCM.EXE
    TTKI.EXE
    RNRO.EXE
    DIRECTCD.EXE

    I HAVE A LOT OF .EXEs IN TASK MANAGER BUT THESE 4 SEEM TO BE THE BAD ONES. MY COMPUTER RUNS MUCH BETTER WHEN I CLOSE THEM

    I ALSO AM CHECKING FOR WINDOWS UPDATES.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: chaslang i am on line

    Welcome back. It would have been better if you just continued in your old thread. Let me see if I can merge this into the old thread.

    Here is some info on two of those processes you were killing:

    hcm.exe - Browser search enhancer from NetZero or affiliates. (United Online includes NetZero, BlueLight and similar ISPs.) Not sure what it does though. May be their toolbar.

    directcd.exe - is for Easy CD Creator (used to be Adaptec, now it's Roxio). It is packet writing software to allow you to write directly to CD-R/W drives. Do you ever want to use this capability? You can most likely not have it load at startup and run it by hand if and when you need it.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: chaslang i am on line

    Got it! I merged your new thread into the old thread so we can pick up where we left off.

    I think it is time you posted a HijackThis log (as an attachment). Make sure you have the current HijackThis (ver 1.98.2). Also you should probably update your Ad-aware. It is now Ad-aware SE. Read this:


    NOTE: You should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >. Do not post a HijackThis log until we ask you to, and when we do it must be a text document attachment to your message.

    Update! Due to Hijack This logs destroying search engine and web site searches, we now ask that you do not post your Hijack This log file unless requested by us. It is for advanced users, so if you do not understand how to use it, you do not need it....yet. Instead, please tell us in your post what symptoms you are experiencing so we can try and resolve it that way. When, and if, we ask you to post your log file, please attach it as a file. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT
     
  12. smokinbls

    smokinbls the title thing is overrated

    I looked for my last thread on this topic, but I must have overlooked it.
    Any idea on what ttki.exe and rnro.exe are? Where did you go to look for this stuff? (This computer came to me from a friend who looked at a lot of porn.)
    Also, just to let you know that I will be installing Avast anti-virus soon and doing all Windows updates. I have like 12 updates to do.
    I will do all the updates and the anti-virus first, then rerun all the stuff that I did today. I will let you know when that is done. (It will take a while to do. I have dial up.)
    Thanks for the help and for sticking around while I dealt with my mom. :) She is doing much better now. She had a minor stroke and she broke her hip.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Happy to hear your mom is doing better! :)

    Not sure what ttki.exe and rnro.exe are. That is why I asked for a HijackThis log.

    DirectCD has been around for ages. That was a no brainer. You can look up stuff like this many places. Many times you can just go to google or excite and do a search. There are Startup Lists out there too like (to name only a few):

    http://www.answersthatwork.com/
    http://sysinfo.org/startuplist.php


    The first thing you need to do is get a virus scan application installed.
     
  14. smokinbls

    smokinbls the title thing is overrated

    Tonight I will run "panda software". I think that is what you were talking about when you said a virus scan.
    I also decided to use AVG instead of Avast. Going to install it now.
    Also, I will go through the HijackThis.
    Once updates are loaded I'll let you know what is happening.
    I might need help with the log file and how to post it.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When saving your HijackThis log just change the Save as type to All files (*.*) and then in the File name box change the default name from hijackthis.log to hijackthis.txt (or anything with .txt on the end).

    Then when posting your message Go Advanced mode and then click Manage attachments. In the window that comes up, click Browse and locate the hijackthis.txt file on your PC. Select it and then click upload. Then close the Manage attachments window and save your message.

    The PandaSoftware link we gave you is an online scanner. It is not a virus scan application that you need to install.
     
  16. BeerMonkey

    BeerMonkey Master Sergeant

    Yes, I am forced to do this as well.
    Some sites include: File Planet and Game Spy.
     
  17. smokinbls

    smokinbls the title thing is overrated

    Can you link me to a virus scan application to install?
    I am not sure what you mean. :rolleyes:
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you do not already have a virus scan application, try Avast: http://www.majorgeeks.com/download1968.html

    Online scanners are tools we use that look for a variety of things but they are scanners that work after the fact. A full blown virus scan application like Avast, AVG, McAfee, Norton, etc can scan but they also prevent (block) viruses.
     
  19. smokinbls

    smokinbls the title thing is overrated

    I have a new problem now: I am unable to connect to the internet (dial up),
    so this might get a little more tricky.

    virus scan application = anti virus
    Understood, thanks.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you try to connect, what happens? Give exact error message of page displayed.

    I really need to see that HijackThis log I have been asking for.
     
  21. smokinbls

    smokinbls the title thing is overrated

    When I try to connect this is what happens:

    I click on the Net Zero icon.
    Then when the Net Zero thing opens I hit connect.
    It then disappears for about 5 seconds, then the second part of the log in comes up, and b-4 I get connected that disappears and never comes back.
    I then can click on the Net Zero icon again and try it again. Usually it would say that "zeport is already" running but in this case it does not.

    I hope you can understand this.

    I am trying to get the log file for you.
    I am trying to use my other computer to get all the software off the internet, and burn it to a disc.
    Then run it on my messed up puter.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know anything about netzero or their login process. But perhaps you need to un-install and then re-install that software.
     
  23. smokinbls

    smokinbls the title thing is overrated

    i hope this worked
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, you have a bunch of issues, one of which can sometimes be a real pain to resolve (that one is super-spider.com); another is searchpage.html, another is a wmplayer.exe hijack. You also have a trojan keylogger. I think we need to try this in a few stages.

    But first you need to get HijackThis off your desktop and into its own directory where backups can be saved more safely. Right now you have it here:
    C:\Documents and Settings\bryan stadler\Desktop\software\HijackThis.exe

    Try putting it here:
    c:\Program Files\HJT\HijackThis.exe

    Then bring up Task Manager using CTRL-ALT-DEL and click Processes. If you see any of the following, end them:
    netdc.exe
    wmplayer.exe
    matrixhere.exe
    95610.exe
    cymy531v43r.exe

    Then run these online scans and tell me their results (what they find, delete/fix, what they cannot fix):
    http://housecall.trendmicro.com/housecall/start_corp.asp <-- select Auto Clean
    http://www.ravantivirus.com/scan/ <-- select Auto Clean then click Scan My PC
    http://www.bitdefender.com/scan/license.php
    http://www.windowsecurity.com/trojanscan/

    And along with those results post a new HJT log attachment.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have done the stuff in my previous message and then do the below.

    Now since I do not know the results of the scans I asked you to run yet, I'm going to proceed like nothing changed in your log. So let's do the following:
    1) Click Start, Run, and in the open box enter sysedit
    then click OK
    2) In the System Configuration Window that comes up, click on the WIN.INI window and look for a line that has run=C:\WINDOWS\System32\services\wmplayer.exe on it. If you find it delete it (highlight the line and hit the delete key).
    3) Now click on the SYSTEM.INI window and look for a line with Shell=explorer.exe C:\WINDOWS\System32\netdc.exe on it. If you find it, delete it.
    4) Now click File and Save. And then Exit.
    5) Make sure you have enabled viewing of hidden files and folders:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select: Show hidden files and folders.
    Uncheck the Hide extensions for known file types.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply
    Click OK.
    Now close that Window.
    6) Make sure you know how to boot in safe mode (because in the next step all browsers will be closed and must stay closed). Here is how to boot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    7) Disable system restore: http://forums.majorgeeks.com/showthread.php?t=31668
    But do not reboot when prompted to. We will do that in step 9 (but into safe mode).
    9) Now print or save the below information locally because you MUST SHUT DOWN (EXIT) all browsers (Internet Explorer, FireFox, etc) and do not run any again until I tell you to reconnect back here.
    10) Boot in safe mode now.
    11) Run HijackThis (called HJT from now on), select the below lines and click Fix (be sure no browsers are running)!!!
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1503
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/greg/sp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1503
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1503
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1503
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/greg/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/greg/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/greg/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1503
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1503
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    F3 - REG:win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\2uvjsp5d9eg1b.dll
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\95610.exe
    O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\cymy531v43r.exe
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file)
    O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)
    O13 - Home Prefix: c:\searchpage.html?page=
    O13 - Mosaic Prefix: c:\searchpage.html?page=

    12) Now click Start > Run, and enter cmd and click OK. You should see a command prompt window.
    At the prompt type and enter: cd c:\windows\system32
    Now enter the following commands and keep track of the results for each step and let me know exactly what happens:
    attrib -h -r -s BRIDGE.DLL
    ren BRIDGE.DLL BRIDGE.BAD
    attrib -h -r -s D2KPAX.DLL
    ren D2KPAX.DLL D2KPAX.BAD
    attrib -h -r -s JAC.DLL
    ren JAC.DLL JAC.BAD
    attrib -h -r -s MSXSLAB.DLL
    ren MSXSLAB.DLL MSXSLAB.BAD
    attrib -h -r -s SYSTEM32.DLL
    ren SYSTEM32.DLL SYSTEM32.BAD
    attrib -h -r -s 2uvjsp5d9eg1b.dll
    ren 2uvjsp5d9eg1b.dll 2uvjsp5d9eg1b.bad

    If any of these will not rename look for them in your Process list and end them and then attempt to rename.

    13) Now reboot in normal mode and create a new HJT log.
    14) Come back here and post your results and the HJT log as an attachment.
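
The fix list in the post above is a set of HijackThis log lines, each starting with a section code (R0/R1, F2, F3, O2, O3, O4, O9, O13). As an added example (not part of the thread and not HijackThis's own logic), this Python sketch parses such lines and applies a few simple review rules; the rules and the names `parse_log` and `triage` are assumptions made for illustration, and two sample lines are constructed.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail")

# Sample input: lines quoted from the fix list in the post above, except the
# R0 line, which is constructed so that one harmless entry is exercised too.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1503
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\2uvjsp5d9eg1b.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O13 - Home Prefix: c:\searchpage.html?page=
"""

LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
EXE_RE = re.compile(r"([\w.-]+\.(?:exe|dll))", re.I)


def parse_log(text):
    """Split a log into (section, detail) entries, skipping other lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def review(entry):
    """Return reasons an entry deserves a closer look (illustrative rules)."""
    s, d = entry.section, entry.detail
    reasons = []
    if s in ("R0", "R1"):
        value = d.split(" = ", 1)[1].strip() if " = " in d else ""
        if re.match(r"^[a-z]:\\", value, re.I):
            reasons.append("IE page setting points at a local file")
    elif s == "F2":
        m = re.search(r"Shell=(.*)$", d, re.I)
        if m and m.group(1).strip().lower() != "explorer.exe":
            reasons.append("Shell= launches more than explorer.exe")
    elif s == "F3":
        m = re.search(r"\b(run|load)=(.*)$", d, re.I)
        if m and m.group(2).strip():
            reasons.append("win.ini %s= autostarts a program" % m.group(1).lower())
    elif s in ("O2", "O3", "O9"):
        if "(no name)" in d:
            reasons.append("component has no display name")
        if "(no file)" in d:
            reasons.append("registration points at a missing file")
    elif s == "O13":
        value = d.split(":", 1)[1].strip() if ":" in d else ""
        if not value.lower().startswith("http://"):
            reasons.append("URL prefix is not http://")
    return reasons


def triage(text):
    """Return (flagged, lookups).

    flagged: (section, reason) pairs from review().
    lookups: (run name, executable) pairs from O4 autostart lines, which
    cannot be judged by shape alone and need checking against a startup list.
    """
    flagged, lookups = [], []
    for entry in parse_log(text):
        for reason in review(entry):
            flagged.append((entry.section, reason))
        if entry.section == "O4":
            name = re.search(r"\[(.+?)\]", entry.detail)
            exe = EXE_RE.search(entry.detail)
            if exe:
                lookups.append((name.group(1) if name else "", exe.group(1).lower()))
    return flagged, lookups


if __name__ == "__main__":
    flagged, lookups = triage(SAMPLE_LOG)
    for section, reason in flagged:
        print(section, "-", reason)
    for name, exe in lookups:
        print("look up:", name, exe)
```
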
     
  26. smokinbls

    smokinbls the title thing is overrated

    I will start doing everything tonight.
    Also, I was able to connect to the internet with my "bad" computer.
    I just uninstalled then reinstalled like you said and that seemed to work :)
    Thanks for the help on that one.

    I am not looking forward to this hijack problem.....
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cool! One problem solved! A bunch to go!
     
  28. smokinbls

    smokinbls the title thing is overrated

    B-4 I leave for the day:
    should I just do what you said to do in post # 24, and wait to run through post # 25? Or is it alright to do # 24 then do # 25, then post my new log file after both of them are done?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just do them in order #24 then #25. But don't bother giving me a HJT log after #24 and also after completing #24, reboot before starting #25. After you complete #25 come back with the info requested at that point.
     
  30. smokinbls

    smokinbls the title thing is overrated

    Hey chas, I think I missed something. I could not find any type of auto clean in either housecall or ravantivirus.
    Bit Defender did not work either.


    windows security said
    ERROR: It appears that your system does not meet the requirements needed to run this test:

    * Windows 2000, XP, .NET Server, NT 4, ME or 98 How to check your OS
    * Internet Explorer 5.0 or later with ActiveX enabled How to check/set your IE settings


    I have Windows XP and I.E. 6.0, wtf.
    Should I skip this one and go on to the next one?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to work your way thru the housecall windows to get to that point. For example: you first select your location and then click go. Then a Security Warning certificate pops up, click ok. Then they download some items required to your PC to do the scanning. Now select Auto Clean and then the drive you want to scan. Then click the scan button.

    Similar ideas on RAV. Sometimes you just have to work your way thru the windows. It is a bit much for us to write this out all the time. Plus these websites do change and if we wrote out exact steps they would become incorrect.

    I don't know why you are having a problem with the TrojanScan. Could be part of your problems.

    What do you mean Bit Defender did not work? What did you get?
     
  32. smokinbls

    smokinbls the title thing is overrated

    Sorry, here is what BitDefender said:

    The BitDefender ScanOnLine Service currently supports only the ActiveX enabled browsers.

    This makes it unavailable for the Netscape family browsers.


    Is there a place to download this, or is it on my puter already, but just turned off maybe?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This could be your problem with Trojanscan too. Do you have ActiveX disabled?
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you don't know how to do this:

    Internet Explorer 6.X
    1. Open Internet Explorer.
    2. Select Internet Options from the Tools menu.
    3. In Internet Options dialog box select the Security tab.
    4. Click Custom level button at bottom. The Security settings dialog box will pop up.
    5. Under Scripting category enable Active Scripting, Allow paste options via script and Scripting of Java applets
    6. Click OK twice to close out.
    7. Hit Refresh.
     
  35. smokinbls

    smokinbls the title thing is overrated

    Good question, I am looking now.

    I can get it from Trend.



    HouseCall
    Download

    Trend Micro HouseCall Browser Plug-In button provides you with direct access to Trend Micro FREE on-line scanning services right on your browser. No popups are served by this plug-in. The button can be removed at any time.

    Add the Housecall Button to your Internet Explorer. Please note that this service will install an activeX .dll on your system.

    Install Trend Micro HouseCall Browser Plug-In:



    Other than that I cannot find it. Should I go ahead and download?
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That should not be necessary. Do what I said below. I did not want you to download anything from Housecall other than their security certificate and the items needed for the online scan.
     
  37. smokinbls

    smokinbls the title thing is overrated

    Forget the last post.....................


    I have enabled everything you said.
    1 more try, then I gots to get to bed.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Me too! It's 3:00 am here.
     
  39. smokinbls

    smokinbls the title thing is overrated

    Alright, I am stupid.
    I was trying to do the tests through Firefox, not I.E. Stupid stupid :rolleyes: :rolleyes: :rolleyes:

    RAV antivirus is now updating so I should b able to do a scan soon.
    Thanks for your patience :)

    I will let you know what happens tomorrow.
    Goodnight
     
  40. smokinbls

    smokinbls the title thing is overrated

    Should I just copy and paste what RAV found?
     
    Last edited: Sep 5, 2004
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, it would be good to see the outputs of each scan if possible but only if they find anything. Otherwise just say that it did not find anything. Also, don't paste here, use an attachment.
     
  42. smokinbls

    smokinbls the title thing is overrated

    RAV found 25 trojans, wow.
    That seems like a lot.

    Where the hell is my attachment?
     
  43. smokinbls

    smokinbls the title thing is overrated

    First scan, more to come. This is the RAV antivirus scan.
    25, wow.
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just complete all the scans before posting. And try to post the logs as .txt file rather than .doc files.
    You have a bunch of scans to go and then that procedure I gave you in step 25 too.
     
  45. smokinbls

    smokinbls the title thing is overrated

    Hey chase.
    Well, 6-12 hour days is too long to do anything else.
    Anyways, I have done 3 scans but I cannot do 1 of them. When I open the page to the links the page just freezes up and does nothing for at least 15 minutes. Then I just close the page. It is the Trend Micro scan. The other ones at least update my puter b-4 I start the scan.
    Should I just move on to the other post # 25?
    I will try 1 more time ( 4th time tonight ).

    Log files so far.
    The other log file is in an earlier post of mine.
     

    Attached Files:

  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, move on to post #25 steps and complete those steps. As I said back in #24, you have a bunch of problems (as you can see from the scans).
     
  47. smokinbls

    smokinbls the title thing is overrated

    Alright, did everything you said.
    As for the last part in post #25 ( number 12 ), I think I did it right. I typed in everything you said to type. This is what they all said:
    either
    is not recognized or external command, operable program or batch file
    or
    the system cannot find the file specified.
    DID I DO SOMETHING WRONG?

    HERE IS AN UPDATED HJT LOG FILE

    Would it be alright to install Service Pack 2 now or should I wait till this is all done?
     

    Attached Files:

    Last edited: Sep 13, 2004
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, do not install SP2 until we have gotten all issues fixed.

    Okay! We have taken care of quite a few problems (trojans, super-spider hijack, searchpage hijack etc) but you still have other problems that now show their ugly heads. You have the about:blank hijack and a winlogin.exe W32.Randex.E trojan (note this is not winlogon.exe which is valid). See this link for more info on this:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.e.html

    Before fixing any more problems you need to put HijackThis in its own directory and stop running it from the ZIP file as per the HijackThis tutorial I referred you to. Extract it from the ZIP into its own directory. You are not getting any backups the way you are running it.

    First let's fix the winlogin.exe problem.
    Shut down all windows (especially browsers) and run HijackThis and have it fix this line:
    O4 - Global Startup: winlogin.exe

    Then use Windows Explorer to go to the below path and delete the winlogin.exe file:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

    (make sure that you have the correct filename and filepath as winlogin.exe sounds very much like winlogon.exe which is a valid system file).

    Tell me the results of all this. I need to know whether you find this file and were able to delete it.
    If you find it, but could not delete it, try using Task Manager (CTRL-ALT-DEL) processes to locate winlogin.exe (note the exact filename) and end it. Then try deleting the file. If still having a problem, try deleting after booting into safe mode.

    After that file has been successfully deleted and the line is gone from a HijackThis log, do the following:

    Go here and download FindnFix.exe.
    Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system (C:\FINDnFIX, do not move this folder or any files in it). Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information, so let it run until the information is collected and a log file is generated. Post the contents of Log.txt in this thread as a .txt file attachment.

    Also post a new HijackThis log attachment.
     
    Last edited: Sep 13, 2004
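
The post above turns on a one-letter difference: winlogin.exe in the All Users Startup folder versus the valid winlogon.exe. As an added example (not from the thread), this Python sketch flags file names that are one edit away from a well-known Windows system process, and known names found outside their usual folder; the `EXPECTED_DIR` table assumes the default Windows XP layout used in the thread's paths, and `classify` is a hypothetical helper.

```python
import ntpath

# Assumption: default Windows XP install under C:\WINDOWS, matching the
# paths quoted in the thread. Names are standard XP system processes.
EXPECTED_DIR = {
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "alg.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(path):
    """Classify a Windows path or bare file name.

    Returns (verdict, system_name) where verdict is one of:
      "expected"     known system name in its usual folder
      "wrong-folder" known system name somewhere else
      "no-path"      known system name given without a folder
      "lookalike"    one edit away from a known system name
      "unknown"      nothing to say; look it up in a startup list
    """
    name = ntpath.basename(path).lower()
    folder = ntpath.normcase(ntpath.dirname(path)).rstrip("\\")
    if name in EXPECTED_DIR:
        if not folder:
            return ("no-path", name)
        if folder == EXPECTED_DIR[name]:
            return ("expected", name)
        return ("wrong-folder", name)
    for known in sorted(EXPECTED_DIR):
        if edit_distance(name, known) == 1:
            return ("lookalike", known)
    return ("unknown", None)


if __name__ == "__main__":
    samples = [
        # Path quoted in the post above.
        r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe",
        # Constructed paths for comparison.
        r"C:\WINDOWS\System32\winlogon.exe",
        r"C:\WINDOWS\Temp\svchost.exe",
        r"C:\Program Files\Example\directcd.exe",
    ]
    for p in samples:
        print(classify(p), p)
```
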
  49. smokinbls

    smokinbls the title thing is overrated

    I could not fix 04-Global Startup: winlogin.exe
    It was not in task mgr.
    Safe mode did not work either.
    The message I got was:

    unable to delete the file
    04-Global Startup: winlogin.exe


    the file may be in use. use the task mgr to shut down the program and run HJT again to delete the file.


    Also, how do I do this when the other part is done:

    Then use Windows Explorer to goto the below path and delete the winlogin.exe file:


    task mgr screen ( when online )

    msmsgs
    directcd
    netdc
    explorer
    alg
    spoolsv
    svchost
    svchost
    svchost
    svchost
    isass
    services
    winlogon
    csrss
    firefox
    smss
    taskmgr
    exec
    exec
    system
    system idol process

    I don't see it anywhere.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, there is another problem in your log we need to fix first! But first make sure you have enabled viewing of hidden files and folders: http://forums.majorgeeks.com/showthread.php?t=37650

    Run HijackThis and have it fix the following line:
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

    Then immediately reboot into safe mode and delete:
    C:\WINDOWS\System32\netdc.exe

    Also in safe mode you must remove a hidden startup entry for 'netdc.exe'.
    Click Start\Run\All Programs\Startup. If you see it in there, right click on it and delete it.
    Tell me if you find this.

    Reboot normal and tell me how this worked and post a new HJT log attachment. We will need to go back and try to get rid of the winlogin.exe problem next.
     
