There's my sign! But I need help

Please follow the steps below exactly:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

You HJT log does not indicate that RAVantivirus was run. Are you sure it ran?

Post the BitDefender log so I can see what was found and not removed.

You HJT log shows no real major problems. Just the below minor items can be fixed.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0947a60179396111f720/netzip/RdxIE601.cab

After clicking Fix, exit HJT.

Can you explain in more detail the exact problems you are having? When do they occur? Is it all the time or only sometimes? Do they also occur if you boot in safe mode?

 

First a note: you have no reason to be running HSremove (or about:buster if you have been). You do not have any HSA hijacker issues. HSremove has a bug and always reports 8 items found.

RAV should leave a foot print in your HJT log and I did not see one.

Are you sure your regedit.exe file exists? Use Windows Explorer to look for c:\windows\regedit.exe

There are not problems in your log but you can fix the below (left over from running HSremove):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

Open a command prompt by clicking Start, Run and enter cmd and click OK. Then enter the below command and tell me what happens.

sfc /scannow

This will scan your PC for missing/corrupted system files and attempt to replace them. You may need your Windows XP CD.

 

Try it this way:

Start, Run and enter sfc /scannow and click OK.

Now what happens!

 

That's what it may do if it find no problems or if it finds then and can immediately fix them without needing a CD. Is there any change to your problems?

You did not answer my question from message # 6 about regedit.exe.

 

Well that's why you cannot run regedit from the Star, Run box. You need to replace this. Either search your harddisk for another copy or get it from your CD. Itmay be named regedit.ex_ because it is a compressed file. When you find a copy we can put it back in c:\windows. If it is the compressed form, we will have to expand it to regedit.exe.


Let's see if we can find and cleanup any other hidden baddies.

Let's see if we can cleanup some more hidden baddies.

- First run CCleaner before doing the below.

- Download this trial version of Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is to Update. Click the Update button.and then Start the Update. The update will start and a progress bar will show the updates being installed.
• After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally because I want you do have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

Open up Ewido and do the following:

• Click on Scanner
• Then click Settings
• Under What to Scan? Select Scan every file
• Then click OK
• Click on Complete System Scan and the scan will start.
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop or anyplace you will be able to find it to upload here.

Reboot into normal mode and reconnect to the internet.

Come back here and post the Ewido Scan Report. And tell me if you are still having any problems. This log could get quite large and you may need to compress it into a ZIP file to upload it.

Post this Ewido log.

 

You did not follow step 3 of the READ ME FIRST. Please go back and follow it exactly.

You do have regedit.exe exactly where it is supposed to be.

 

Try this registry patch to fix your regedit problem.

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file enableRE.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the enableRE.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

 

Does regedit work now?

Did you run the Ewido scan? Post the log!

 

Do you have Administrator priviledges?

At this point I would say your problem is not related to malware and you may have to work this in the Sotware Forum.

But try it this way:

Start, Run and enter msconfig and click OK.

Does msconfig come up and stay up!

How about this one:

Start, Run and enter services.msc and click OK.

Does the Services windows open and stay open.

 

But neither regedit or cmd will open and stay open? Correct?

Are there any others like that?

Also you said you can run regedit.exe from Windows Explorer....right?

What about c:\windows\system32\cmd.exe

 

Not normally. It may exist if a person like me had suggested that you make a copy of cmd.exe and call it cmd.com (or even if you renamed the original to cmd.com and that put a new copy of cmd.exe in place. sfc may have even done this.)

Are they both the same size and do they have the same file dates?

Rename cmd.com to cmd.old

Does cmd.exe execute from Explorer?

Will it now run from the Start, Run box?

 

Did you try running cmd from the Start, Run box now? It probably works now.

I have a feeling that you have the same problem with regedit.exe. You probably have a regedit.com file. If so, rename it to regedit.old.

Let me know what you find and what happens with the above.

 

Don't forget according to your snapshot taken awhile back, you also had a regedit in c:\windows\system32. You did not have extensions showing but it could be a .com file and it does not belong there.

 

See my message posted just before you posted yours.

Are you having anymore problems? Are you unhappy with PC Cillin or was it just a trial.

See: How to Protect yourself from malware!

 

Only the one that you just renamed that was in c:\windows\system32 not any others. And do not touch REGEDT32.EXE either.

 

Did you uninstall all of PC Cillin yet? This could be part of the reason your PC is slow. You had two firewalls running. The one from PC Cillin and Zonealarm. Only one software firewall should be used.

 

Not according to your HJT log:

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

The firewall service is still actuall running!

 

That's good! Is it running any better now?

Did you leave the below on your system on purpose?
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

 

Not sure what the conflict is! I have never heard of it. Unless you installed the version of Avast with a firewall??

You should not lose any new files just because the computer restarted. If it restarted before the files were saved, then you could lose them.

We can remove the Symantec Service is you want! Just say the word!

 

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
On the page that opens, scroll down to SymWMI Service (or if not found look for SymWSC) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, go back to HJT and select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

SymWMI Service

If that does not work try entering the short name: SymWSC

Now exit HJT but and reboot. Post a new HJT log.

 

It worked anyway. The Symantec program is gone.

Is the problem with updating Avast still occurring?

Lines like:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

occur when you have had some kind of Windows system error. They create memory dumps used for debugging purposes. You can disable these by:
- right clicking on My Computer, selecting Properties and then the Advanced tab.
- Click on the Settings button in 'Startup and Recovery'.
- In the bottom pane under 'Write debugging information', click on the down arrow and then select 'None'
- OK your way out of these screens.

 

What Symantec file? It's gone!

Check to make sure it has permission thru your firewall (you can even disable the firewall - only temporary....do not leave it disabled after checking for updates to Avast).

 

Yes! That way it will always automatically update. Autoupdates for your AV are a good idea.