i.e. not responding

With regards to: C:\WINDOWS\System32\netdc.exe
What do you mean you do not know where to find it? That tells you where to find it.
Is your problem that you do not know how to use Windows Explorer to locate and delete files? Or maybe you do not know what Windows Explorer is?

Right click on the Start button and select Explore. Then select your drive C and navigate thru the folders to c:\windows\system32. Scroll down until you locate netdc.exe, right click on it and select delete.


As far as this line I gave you:
Click Start\Run\All Programs\Startup if you see it in there, right click on it an delete it.

The 'Run' should not have been in there. Should have been:
Click Start\All Programs\Startup if you see it in there, right click on it and delete it


Note, in the list of process you gave me in message #49 you wrote isass. Are you sure it was isass and not lsass (the first begins with lower case i the second with lower case l (as in log). There is a big difference. isass.exe is a virus and lsass.exe is a windows process.

 

Okay this line apparently never got fixed:

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

Fix it with HJT this and then reboot and post a new log. Then maybe we can start to work on the other remaining problems.

 

Did you enable viewing of hidden file and folders?

 

I have to run out for an hour or so. I'll be back later. Just to keep you busy before I get back, I still need you to run this (I gave this to you in message #48):


Go here and download FindnFix.exe.
Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system (C:\FINDnFIX, do not move this folder or any files in it). Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information, so let it run until the information is collected and a log file is generated. Post the contents of Log.txt in this thread as a .txt file attachment.

 

Okay! It does take a while in some cases to run based on how many files on your system and the speed of your computer. Also, I should have mentioned but forgot, it is best to be completely disconnected from the internet when running it.

So if it does not complete its log. Reboot your PC and remain physically disconnected from the internet (for cable or ADSL that means unplug your ethernet cable from your PC) while running it.

 

OK! I may not make it that late tonight. I've been up since 5am and got to bed last night at 2 am. I'm running out of steam!

 

System Restore must be left off until you clean all these problems up. You are only going to be safing information for system configs that are full of problems. And you may have been adding to the difficulty in removing this. I don't think having system restore enable impacted FindNFix. I don't understand that problem at all. It has always worked before with no problems. I just tested it on my system and it ran in under a minute. What is the size the FindNFix.exe file that you downloaded?

Please post a new HJT log attachment and do not shutdown or reboot your PC after doing that. It is okay to disconnect from the Internet for security reasons but no reboots!

Also do the following:

1) go here and download Registrar lite and install it: http://www.majorgeeks.com/download469.html
2) Run it, copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
3) Click the "go" tab
4) Find: "AppInit_Dlls" value on the right side panel.
5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field:

 

You said "c:\windows|system32|ctlbfdm.dll "

I hope you meant "c:\windows\system32\ctlbfdm.dll" ??

 

Make sure you have downloaded about:Buster

I want you to Run Registrar lite again but this time do the following:
- copy the following into the address bar or expand the same key by hand:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

- Rename the Folder Windows to NotWindows highlighted as a light blue (some people call it light purple) folder in the left hand pane of reglite.

- Double Click "AppInit_DLLs" again and clear the data value:
c:\windows\system32\ctlbfdm.dll < delete this line , 'Apply' and 'ok' to set.

- Rename the NotWindows folder back to its original name Windows
- This should make the file visible.
- Restart computer in safe mode (WITH NO NETWORKING SUPPORT) so print the below instructions or save them locally before continuing.
- Look for c:\windows\system32\ctlbfdm.dll using Windows Explorer and when you find it right click on it and choose rename. Rename it to c:\windows\system32\ctlbfdm.bad.
Tell me how all that goes!

- Now run Ad-aware SE and click Scan Now, the choose the Scan volume for ADS. The click the underlined word 'Select'. Choose you harddisk drive (C) and then click Proceed. The click Next. If it finds anything tell me what it finds. And have it fix everything.
- Run about:Buster and save the log to ABlog1.txt
- Run HijackThis and have it fix the following lines
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRYANS~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRYANS~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRYANS~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\BRYANS~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRYANS~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRYANS~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {3705638D-0B54-4374-8F0A-833D3054CB21} - C:\WINDOWS\System32\gpd.dll
O18 - Filter: text/html - {CAFAF079-FE3F-4C62-AB85-81B6ED6636C1} - C:\WINDOWS\System32\gpd.dll
O18 - Filter: text/plain - {CAFAF079-FE3F-4C62-AB85-81B6ED6636C1} - C:\WINDOWS\System32\gpd.dll

I have know idea what this next line is. Do you? If not, fix it too. Let me know what you do.
O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\5tcogm1pc98.exe

- Delete this file if found: C:\WINDOWS\System32\gpd.dll
- If you fixed the O4 line above then rename this file C:\WINDOWS\System32\5tcogm1pc98.exe to 5tcogm1pc98.bad
- Check one more time for C:\WINDOWS\System32\netdc.exe and delete if found.
- Reboot in normal mode
- Create a new HijackThis log and post it as an attachment.

 

Damn cut & paste! I left out some info. I fixed it. Go back and see if it makes sense now.

 

Yes! At least go back and check. Sometimes if you erase that file name before renaming it just come back.

Gotta sleep now! We'll Talk later!

 

Okay! Hopefully it makes sense now. Let me know what happens. These hijackers can be really tough to remove. But we like challenges! Right!

 

You tell me! With Windows Explorer, go to c:\windows\system32 and look for ctlbfdm.dll .
Is it there? If so rename as stated but also right click on it and get properties info, version, company etc.

 

You're saying that when you do this:

- Run Registrar Lite, copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
- Click the "go" tab

You get no matches in the right hand side?

Did you inadvertantly delete have AppInit_DLLs selected and hit delete?
You did not want to Delete anything, you just wanted to just Erase the value field for AppInit_DLLs.

Make sure you start out by clicking at the top of the registry. In the left window scroll to the top and click on the very top item that says "Registry"

 

If you did delete the AppInit_DLLs entry, don't worry we should be able to fix it. Just let me know.

Did you complete those other steps?

 

Why are you using About:Buster 2.0? You are way out of date! Are all of your other applications up to date? Please check by all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal > and check the links given.

Also you need to answer messages #81 & #82

 

Did you do the steps in the wrong order? Why is this still in your HJT log?
O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\system32\5tcogm1pc98.exe

You said you renamed it?

 

Where did this come from all of a sudden?
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\system32\cymy531v43r.exe

 

Okay let's catch up! Answer 85, & 86!

 

I think you are doing this wrong!

Let's try this a little differently! Follow these steps exactly!

1) Disconnect from the Internet & close all browsers
2) Run Registrar lite again
3) Copy the following into the address bar or expand the same key by hand:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

4) Rename the Folder Windows to NotWindows highlighted as a light blue (some people call it light purple) folder in the left hand pane of reglite.

5) Exit Registrar Lite (leaving that registry key named NotWindows)
6) Reboot into safe mode
7) First check to see if you can find that file (c:\windows\system32\ctlbfdm.dll) , if so, rename as I asked before. Tell me what happens here and skip to step 13. If you do not find it or cannot rename it goto step 8.
8) Run Registrar lite again
9) Copy the following into the address bar or expand the same key by hand (notice the name change 'NotWindows'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows\\AppInit_DLLs
10) Double Click "AppInit_DLLs" again and tell me what the data value is now
11) If it is still c:\windows\system32\ctlbfdm.dll, clear that data value. Click 'Apply' and 'ok' to set.
12) Now see if you can find and rename the file
13) If you have now succeded in finding and renaming the file, use Registrar Lite to change that NotWindows key back to Windows . If you have not succeded in finding and renaming the file, do not change the NotWindows key back to Windows
14) Now reboot normal and tell me the results of all this.

 

Fix these three lines using HijackThis:
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\system32\cymy531v43r.exe
O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\system32\5tcogm1pc98.exe

Reboot in safe mode and delete:
C:\WINDOWS\system32\cymy531v43r.exe
C:\WINDOWS\system32\5tcogm1pc98.exe which has been renamed to 5tcogm1pc98.bad
just double check to make sure you don't have both the 5tcogm1pc98.exe and 5tcogm1pc98.bad. If so, delete both.

Reboot normal tell me results of deleting files and post new HJT log!

 

No! Still here but leaving immediately after this.
So you finally found it an renamed it. What a pain this one was!!

See if you can do the stuff in my last post before this one too. Then run AB and then post a new log.

Good night or should I say good morning!

 

Okay so we are making some more progress! That's good.

Did you do the stuff I requested in message #92 yet?

 

Looks like about:blank is showing again. Also about:Buster keeps showing an error with a file called system32.dll and also you hosts file always seems to be infected. See if you can actually find this system32.dll file on your computer.

See if you can get the procedure I gave you a while back with FindNFix to work now.

Do you know how to copy files from one directory to another (not move, I mean copy)?