i.e. not responding

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by smokinbls, Aug 13, 2004.

  1. smokinbls

    smokinbls the title thing is overrated

    no


    .

    yes i found system32.dll what should i do with it?

    i am posting this.
    then i will try findnfix again
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where was the system32.dll file and see if you can right click on it and get properties information. I want company info and version etc. For an example of what I mean on a file that will give you this info.
    Goto c:\windows\system32 and right click on wsock32.dll and select Properties, then the version tab. Look at each of the items in the box labeled Item name:

    You can use Windows Explorer to copy files. Just run it and go to c:\windows find notepad.exe and right click on it and select 'Copy'. Now with Windows Explorer highlight (select) the c:\windows\system32 directory and then in the right window right click the mouse and select paste. This will copy notepad.exe into your c:\windows\system32 folder. Now right click on this copy of notepad.exe and select 'Rename' and change the name to netdc.exe. Tell me if this rename works. If not, tell me the exact error message.
     
  3. smokinbls

    smokinbls the title thing is overrated

    ok here is the log from findnfix
    re downloaded it again ( 3rd time )
     

    Attached Files:

    • log.txt
      File size:
      13.3 KB
      Views:
      9
  4. smokinbls

    smokinbls the title thing is overrated

    c:\windows\system32


    there is no value tab


    i did know how to do this

    cannot rename notepad.exe a file with the name already exists specify a different file name

    i checked for it and did not find it. the only thing that i found that looks like it is
    net1.exe
    net.exe
    i did not do anything to them i.e. click them or open them
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Configure Windows XP Search properly. Click Start, Search, All files and folders, enter c:\windows\system32\ctlbfdm.dll in the file name box provided, then click More advanced options and make sure you have checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Then click the Search button. Tell me if you find any matches at all and where they are.

    Then I want you to Run Registrar lite again but this time do the following:
    - copy the following into the address bar or expand the same key by hand:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    - Rename the Folder Windows to NotWindows (in the left hand pane of reglite)
    - Double Click "AppInit_DLLs" again and clear the data value:
    c:\windows\system32\ctlbfdm.dll < delete this line , 'Apply' and 'ok' to set.
    - Rename the NotWindows folder back to its original name Windows
    - Restart computer in safe mode
    - This should make the file visible if we could not find it before. So run that Search for c:\windows\system32\ctlbfdm.dll I gave you above again and see what you get now.
    - Also while in safe mode. Run HijackThis again and have it fix:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\BRYANS~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\BRYANS~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    O18 - Filter: text/html - {48F64383-91E5-4BBA-B06B-93813F5C39B9} - C:\WINDOWS\System32\eppaeja.dll
    O18 - Filter: text/plain - {48F64383-91E5-4BBA-B06B-93813F5C39B9} - C:\WINDOWS\System32\eppaeja.dll

    C:\Documents and Settings\bryan stadler\Local Settings\Temp\sp.html
    c:\windows\system32\ctlbfdm.dll
    C:\WINDOWS\System32\eppaeja.dll
    C:\WINDOWS\system32\aekpn.dll
    C:\WINDOWS\system32\pjb.dll

    Now click Start > Run, and enter cmd so you should see a command prompt.

    At the prompt type and enter: cd c:\windows\system32

    Now enter the following commands and keep track of the results for each step and let me know exactly what happens (you had a problem doing this back in message #47, we need to get this to work. Make sure you type lines properly and if you get an error, tell me what line you just typed and the exact error message.)
    attrib -h -r -s BRIDGE.DLL
    ren BRIDGE.DLL BRIDGE.BAD
    attrib -h -r -s D2KPAX.DLL
    ren D2KPAX.DLL D2KPAX.BAD
    attrib -h -r -s MSXSLAB.DLL
    ren MSXSLAB.DLL MSXSLAB.BAD
    attrib -h -r -s SYSTEM32.DLL
    ren SYSTEM32.DLL SYSTEM32.BAD

    Reboot normal

    Also let me know the results of all the above steps.
    Also post another HijackThis attachment.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And by the way,

    net1.exe
    net.exe

    are okay. They are part of Windows.
     
  7. smokinbls

    smokinbls the title thing is overrated

    found nothing
    look at post 93 and 95 we took care of it there

    this was not there ( i opened up Registrar lite and pasted the line but the value was blank )


    more to come need to reboot in safe mode
     
    Last edited: Sep 20, 2004
  8. smokinbls

    smokinbls the title thing is overrated

    should be for c:\windows\system32\ctlbfdm.dll
    i could not reedit
     
  9. smokinbls

    smokinbls the title thing is overrated

    done

    was i supposed to look this up?

    did this again and got the exact same thing.
    new HJT log
    also netdc.exe is in my task mgr only while on-line, and i looked everywhere in EXPLORER and did not find it.
     

    Attached Files:

    Last edited: Sep 20, 2004
  10. smokinbls

    smokinbls the title thing is overrated

    forget about the other HJT log file this is a new one
    f2 is back it always comes back
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to the log from FINDnFix in message #103. Take a look in there and you will see references to ctlbfdm.dll in the area with AppInit_DLLs.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! I left out a line. The below were to be deleted in safe mode.

    C:\Documents and Settings\bryan stadler\Local Settings\Temp\sp.html
    c:\windows\system32\ctlbfdm.dll
    C:\WINDOWS\System32\eppaeja.dll
    C:\WINDOWS\system32\aekpn.dll
    C:\WINDOWS\system32\pjb.dll
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you must be doing something wrong. These also show in FINDnFIX's log.

    Are you sure you are entering the commands exactly as I gave, with spaces as given? Try using cut and paste. Were you able to do this command correctly:
    cd c:\windows\system32

    Did your prompt now show that you are in the c:\windows\system32 directory?
     
  14. smokinbls

    smokinbls the title thing is overrated

    deleted

    C:\WINDOWS\System32\eppaeja.dll -----i could not find this one




    did this again.
    here is a cmd.log file
    did you get my PM?
     

    Attached Files:

    • cmd.txt
      File size:
      919 bytes
      Views:
      3
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete c:\windows\system32\ctlbfdm.bad

    For the command prompt stuff, you are not getting the error message you told me before. You are getting:
    The system cannot find the file specified.

    And you only received this error for the bridge.dll file which was probably due to the fact that it was already renamed to bridge.bad previously.

    Where is this confusion coming from? The commands worked okay. Why did you say they did not?

    Yes, I saw your PM. I'll take a look at that link when I can.
     
  16. smokinbls

    smokinbls the title thing is overrated

    this is gone


    i should have looked back to see what i said :rolleyes:
    sorry
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, so now let's use Registrar Lite to search your registry for netdc (without the .exe). Tell me what matches you get.
     
  18. smokinbls

    smokinbls the title thing is overrated

    i did not find anything with netdc with registrar lite

    however i found where regedit said netdc.exe was
    here is the path
    HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\VIDEO\{81A1BF3D-7E46-43DB-9529-66D227F4F539}\0000\Mon80861000
    when i clicked on it this is what was on the right side
    HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\VIDEO\{81A1BF3D-7E46-43DB-9529-66D227F4F539}\0000\Mon80861000\\(default)
    HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\VIDEO\{81A1BF3D-7E46-43DB-9529-66D227F4F539}\0000\Mon80861000\\DefaultSettings.BitsPerPel
    HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\VIDEO\{81A1BF3D-7E46-43DB-9529-66D227F4F539}\0000\Mon80861000\\DefaultSettings.FixedOutput
    HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\VIDEO\{81A1BF3D-7E46-43DB-9529-66D227F4F539}\0000\Mon80861000\\DefaultSettings.Flags
    HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\VIDEO\{81A1BF3D-7E46-43DB-9529-66D227F4F539}\0000\Mon80861000\\DefaultSettings.Orientation
    HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\VIDEO\{81A1BF3D-7E46-43DB-9529-66D227F4F539}\0000\Mon80861000\\DefaultSettings.VRefresh
    HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\VIDEO\{81A1BF3D-7E46-43DB-9529-66D227F4F539}\0000\Mon80861000\\DefaultSettings.XPanning
    HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\VIDEO\{81A1BF3D-7E46-43DB-9529-66D227F4F539}\0000\Mon80861000\\DefaultSettings.XResolution
    HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\VIDEO\{81A1BF3D-7E46-43DB-9529-66D227F4F539}\0000\Mon80861000\\DefaultSettings.YPanning
    HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\VIDEO\{81A1BF3D-7E46-43DB-9529-66D227F4F539}\0000\Mon80861000\\DefaultSettings.YResolution

    I AM SURE THAT THIS IS NOT WHAT YOU WANTED
    THAT IS ALL I CAN GIVE YOU.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing in that registry key that shows netdc.exe and that is why Registrar Lite showed no matches. I don't know why regedit would show a match because there isn't any according to what you posted.
     
  20. smokinbls

    smokinbls the title thing is overrated

    well i tried to find netdc on my own.
    so now i need help.
    what would be the path
    ( i.e.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\netdc )
    that i type in to have registrar find it.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's the same basic place I had you look for AppInit_DLLs.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    If you double click on netdc what kind of info do you see for value.
     
  22. smokinbls

    smokinbls the title thing is overrated

    that was a example. netdc is not there. i have no idea where it is.
    i started to look in every folder in registrar lite but after about 200 folders i gave up.
    so that is why i asked if you had any idea where it might be..
    or what i should type into registrar lite to find it.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! I misunderstood you. You don't need to look in the folders yourself. You need to use the search function built into Registrar Lite and let it look for matches. But before doing that make sure when Registrar Lite first opens that you click in the left window to put the cursor on the top of the registry where the two little computer appear next to the word Registry.

    But I thought you already did this in message # 118
     
  24. smokinbls

    smokinbls the title thing is overrated

    sorry it did not search the first time.....
    IT FOUND SOME THINGS.
    DO YOU WANT ME TO COPY AND PASTE OR USE A LOG FILE..?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post it the fastest and easiest way you can. Unless it is exactly the same as what you gave before with regedit.
     
  26. smokinbls

    smokinbls the title thing is overrated

    sorry i had to type it out

    this is how it looked

    KEY...............VALUE.........DATA

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curent Version\Winlogon..........shell..........explorer.exe :C\WINDOWS\System32\netdc.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curent Version\Winlogon..........shell..........explorer.exe :C\WINDOWS\System32\netdc.exe

    HKEY_USERS\S-1-5-21-484763869-436374069-854245398-1004\Sortware\microsoft\Search assistant\ACMru\5603..........001.............netdc.exe


    HKEY_USERS\S-1-5-21-484763869-436374069-854245398-1004\Sortware\microsoft\Windows\Current Version\Explorer\RunMRU...........e.............C:\windows\systen32\netdc.exe\1


    HKEY_USERS\S-1-5-21-484763869-436374069-854245398-1004\Sortware\microsoft\Windows\Current Version\Explorer\RunMRU............f.........netdc.exe\1
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't you mean (my changes in bold):
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon.......shell..........explorer.exe ;C\WINDOWS\System32\netdc.exe

    And it does not make sense to have two listings at the same registry key of:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\Current Version\Winlogon

    Are you sure one of them wasn't really
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\WindowsNT\Current Version\Winlogon

    At any rate the Value data for HKLM should just be Explorer.exe
    and for HKCU there should not even be a Winlogon entry.

    You should also take a look at
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\Current Version\IniFileMapping\system.ini\boot//shell
    to see what it has for Value. It should be SYS:Microsoft\Windows NT\CurrentVersion\Winlogon

    The same goes for:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\Current Version\IniFileMapping\win.ini//winlogon

    The MRU and ACMRU entries with netdc.exe should just delete the netdc.exe entry.
     
  28. smokinbls

    smokinbls the title thing is overrated

    one like this ( with NT )
    and one without NT


    NO THEY ALL ARE
    HKEY_USER

    YES THE VALUE IS SYS:Microsoft\Windows NT\CurrentVersion\Winlogon

    SO DO I DELETE THIS
     
  29. smokinbls

    smokinbls the title thing is overrated

    ok i recopied registrar this is exactly how it looks

    look at post 128 also
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! First let's backup your registry. You can use Erunt to do this. Get it here: http://www.majorgeeks.com/download1267.html

    Then what I want you to do is this:

    Delete this next registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Winlogon

    Before doing this next step make sure that in the c:\windows directory there is a file named Explorer.exe and it should be approximately 981k in size and under the Properties, Version information the Company must be Microsoft Corporation.

    Edit this next registry key so the Data just says "Explorer.exe":
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\Currentversion\Winlogon ( VALUE ) Shell (Data) C:\WINDOWS\System32\netdc.exe

    Also edit this next registry key so the Data just says "explorer.exe":
    HKEY_USERS\S-1-5-21-484763869-436374069-854245398-1004\Software\Microsoft\SearchAssistant\ACMru5603 (VALUE) 001 (DATA) netdc.exe
     
  31. smokinbls

    smokinbls the title thing is overrated

    done

    deleted

    found 973 kb

    done ( i did this using Registrar i hope that is correct )

    done ( i did this using Registrar i hope that is correct )
     
  32. smokinbls

    smokinbls the title thing is overrated

    also a new HJT LOG FILE
    just in case you want it....
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like we finally got rid of this piece of crud. Hopefully it has not come back after some reboots. Let me know. One other item I noticed in your log now is that the helper DLL for SpyBot S&D is now missing. You should uninstall and then reinstall SpyBot S&D to fix this. The line I'm referring to is:
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing).

    Alternately you can go here and get the DLL: http://www.spywareinfo.com/~merijn/winfiles.html
    Scroll down to the bottom. It will tell you where to copy the file to.

    Other than that your log looks good. How is everything running?
     
  34. smokinbls

    smokinbls the title thing is overrated

    *&^%$#@#%^*( it is back ( netdc) that thing is a pain
    i rebooted 2 times then ran HJT to check, and f2 is back


    log file
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have your Windows XP CD? I want to try booting off the Windows CD into recovery console.

    -You should get a "press any key to boot from CD" message, so do that.
    -It will load a bunch of files and eventually give you a menu where you can select the "Recovery Console" by pressing R
    -You'll see your Windows Installation like "C:\Windows", type the number 1 and press enter.
    -Administrator password is next: is probably blank so just press enter, unless you set one in which case enter it.
    -With all that done you'll end up with a C:\Windows>

    I need to know the results of each step below:
    - Type cd c:\windows\system32 and hit enter
    - Type attrib -r -s -h netdc.exe and hit enter
    - Type dir netdc.exe and hit enter
    - Type ren netdc.exe netdc.bad and hit enter
    - Type copy c:\windows\explorer.exe netdc.exe and hit enter
    - Type attrib +r +h +s netdc.exe and hit enter

    Take out the cd and reboot. Normal.
    Then run HijackThis and have it fix the F2 line. Scan again and make sure it actually fixed it.
    Reboot and check to see if it comes back.
     
  36. smokinbls

    smokinbls the title thing is overrated

    no i do not,

    i have been trying to figure out how to copy windows xp to a disc
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We don't discuss those things here. You should have your own official MS Windows XP CD.

    The only alternative is to repeat those last steps we did where you located the registry entries with Registrar Lite and then delete the appropriate entries and change the others to be explorer.exe rather than netdc.exe. But this time when you get to the point where the HJT log was clear for the moment, locate and delete netdc.exe from your PC. Making sure c:\windows\Prefetch does not have a copy and also empty the Recycle bin. You need to look for any files similar to netdc.exe. Like netdc.dll, netdc.dat. And also find things like netda.exe and netdb.exe.

    Look for things similar to these:
    C:\windows\prefetch\NETDC.EXE-00DA8B70.pf
    C:\windows\prefetch\NETDB.EXE-006fa9bb.pf
    C:\windows\prefetch\NETDC.EXE-00da8870.pf
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdcF01200
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdbq_52cf307_q
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_netdbq_80411e_q
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\-net6559200
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\-net65596
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Netda.exe
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Netdb.exe
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Netdc.exe
    C:\Windows\pss\netda.exestartup
    C:\Windows\pss\netdb.exestartup
    C:\Windows\pss\netdc.exestartup

    Look in your Startup Directory
    Any file in C:\WINDOWS\Start Menu\Programs\StartUp will start when windows is booted.

    Look thru your Registry

    There are many registry entries that can be used to automatically invoke a program when the machine boots. These include:


    Type 1
    Here are the most common autostart keys:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

    Type 2
    If keys below don't have the "\"%1\" %*" value as shown, and are changed to something like "\"netdc.exe %1\" %*" then they are automatically invoking netdc.exe (or any other specified file).

    [HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
    [HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
    [HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
    [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
    [HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
    [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"


    Type 3
    Additional autostart methods. The first two are used by SubSeven 2.2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User shell folders
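
Added example, not part of the original thread or any poster's own code: a Python check over a regedit-style export that flags the two deviations described in the posts above (a Winlogon Shell value that is not just Explorer.exe, and an exefile/comfile/batfile/piffile open command that is not "%1" %*) and lists Run-key entries for manual review. The sample export and all function names are constructed for illustration.

```python
import re

# Expected data, as stated in the thread.
EXPECTED_SHELL = "explorer.exe"      # Winlogon Shell should just be Explorer.exe
EXPECTED_OPEN_CMD = '"%1" %*'        # default open command for exe/com/bat/pif

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once|services|servicesonce)?$")
OPEN_CMD_KEY = re.compile(r"\\(exe|com|bat|pif)file\\shell\\open\\command$")

# A string value line in a .reg export: "Name"="data" or @="data" (default value).
VALUE_LINE = re.compile(
    r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

# Constructed sample export, modelled on the values discussed in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\System32\\netdc.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"netdc.exe %1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Flags"=dword:00000001
'''


def unescape(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export.

    Non-string values (dword:, hex:) are skipped; the default value is
    reported with an empty name.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = VALUE_LINE.match(line)
            if m:
                name = "" if line.startswith("@") else unescape(m.group("name"))
                yield key, name, unescape(m.group("data"))


def audit(text):
    """Return a list of (kind, key, value_name, data) findings.

    SHELL    - Winlogon Shell is anything other than Explorer.exe
    OPEN_CMD - an executable file type's open command was changed
    REVIEW   - a Run/RunOnce/RunServices entry, listed for a human to judge
    """
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k == WINLOGON and name.lower() == "shell":
            if data.strip().lower() != EXPECTED_SHELL:
                findings.append(("SHELL", key, name, data))
        elif OPEN_CMD_KEY.search(k) and name == "":
            if data != EXPECTED_OPEN_CMD:
                findings.append(("OPEN_CMD", key, "(default)", data))
        elif RUN_KEY.search(k):
            findings.append(("REVIEW", key, name, data))
    return findings


if __name__ == "__main__":
    for kind, key, name, data in audit(SAMPLE_REG):
        print(f"{kind:8} {key} :: {name} = {data}")
```
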
     
  38. smokinbls

    smokinbls the title thing is overrated

    sorry

    i did call microsoft and talked to a lady who said that i should run this
    McAfee AVERT Stinger...i think i downloaded it from here ( MG ), but what the heck i will try the link they gave to me.......
    the link
    http://vil.nai.com/vil/stinger/

    i will also do what you said to do in your last post.....
    P.S. i will call the guy i bought my computer from and see if he has the windows cd ( i think he took it from me after i installed it on my computer )
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There will be no difference between Stinger downloaded here or from McAfee since we keep current versions. And it will not fix this anyway. This is not one of the types of problems that Stinger is designed to look for.

    A while ago I asked you to do this,

    "Before doing this next step make sure that in the c:\windows directory there is a file named Explorer.exe and it should be approximately 981k in size and under the Properties, Version information the Company must be Microsoft Corporation."

    You only told me the size. You need to get all of the Properties info. I want you to get the info for each of the below items:
    On the General tab:
    Size: in KB and in bytes

    On the Version tab:
    Company:
    File Version:
    Internal Name:
    Language:
    Original File Name:
    Product Name:
    Product Version:
     
  40. smokinbls

    smokinbls the title thing is overrated

    Company-----Microsoft Corporation
    File Version-------6.00.2800.1221 (xpsp2.030511-1403)
    Internal Name------explorer
    Language------English
    Original File Name-----EXPLORER.EXE
    Product Name------Microsoft Windows Operating System
    Product Version------6.00.2800.1221

    size 973 KB (996,352 bytes )
    Size on disc 976KB (999,424 bytes)

    is this all

    also i am doing what you said to do 2 posts ago...........
     
  41. smokinbls

    smokinbls the title thing is overrated

    ok i found some things
    first....
    HKEY_LOCAL_MACHINE\SOFTWARE\Malcosoft\Params\Netdb.exe ( NOTE THE NAME MELCOSOFT )
    DELETED THIS ONE

    ALSO I WAS ABLE TO FIND
    HKEY_LOCAL_MACHINE\SOFTWARE\WindowsNT\Current Version\Winlogon\\Shell
    found a netdc.exe and when i deleted it and checked HJT log
    looked like this
    F2 - REG:system.ini: Shell=
    it was missing the location
    BUT when i reboot it comes back after deleting it..

    also YOU ASKED ABOUT THIS
    THIS LINE
    [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"

    SAID
    WINDOWS\SYSTEM32\MSHTA.EXE\"%!"%
    I LEFT IT ALONE

    EVERYTHING ELSE YOU HAD ASKED ABOUT I FOUND NOTHING...


    IT MUST BE HIDING SOMEWHERE
     
  42. smokinbls

    smokinbls the title thing is overrated

    i forgot to tell you that spybot found this

    Executable c:\windows\29.exe

    it could not fix it..

    info on it
    29.exe
    company--- Melcosoft corp.
    File version--- 1.0.0.1
    size--- 92.5 kb
    if you say to i will delete it manually.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Probably need to do it in safe mode. Also check for those netdc.exe and netdb.exe etc files and delete any found. Have HJT fix that line again too.
     
  44. smokinbls

    smokinbls the title thing is overrated

    as per your PM here is something to do with my desktop not showing...

    i was able to access my documents through task mgr i typed in explorer in file open task ( run ) ( the icons are still not there )
    i am right now doing all the basic spyware removal stuff again

    the question i have is since system restore is turned off is there any way to return to an earlier point lets say last friday. without system restore.

    later tonight i am going to try trend micro system again scan for viruses
    thanks for your help on that problem..
    i am starting to HATE spyware and worms and viruses...
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This problem with no icons is on the same PC where you have been having this netdc.exe problem that would not go away? Right?

    If so, I wonder if that is the problem. See if you can locate the netdc.exe program on the PC. It was actually set to be your shell before. Tell me if you can find it and where it is. Also, make a copy of c:\windows\explorer.exe called netdc.exe (you can do this by right clicking on explorer.exe and select copy. Now get into another directory with Windows Explorer (like c:\) and right click and select paste. Now right click on the new copy of explorer.exe and select rename. Change it to netdc.exe. Now double click on this fake netdc.exe. Tell me what happens.


    With System Restore off, you are out of luck for going backwards to before the problem began.
     
  46. smokinbls

    smokinbls the title thing is overrated

    good news i was able to run trend micro scan and it found and deleted all malware and trojans.........
    my messed up computer now show the desktop :) :)
    i rebooted 1 time so far and everything worked.......
    i ran a HJT log.
    and the f2 line is gone :) :)
    i will reboot a few more times to make sure it is ok.
    then rerun the HJT..
    and then post another log file for you to check.. if it is ok then i will turn on system restore and install anti virus and a good firewall...
    so here is a HJT log file...
    i think it is all gone..
     

    Attached Files:

  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks clean but you need to uninstall and reinstall SpyBot. One of its DLL's got removed by one of your problems. (usually a form of CWS). See this line:
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
     
  48. smokinbls

    smokinbls the title thing is overrated

    ok will do

    i am going to use my computer for a couple days then post another HJT log for you to check to make sure it is clean.
    I WILL POST IT ON FRIDAY, PLEASE CHECK IT WHEN YOU HAVE TIME.


    THANK YOU VERY VERY MUCH FOR YOUR TIME AND PATIENCE.
    brian
    watch your pm box next week for a pm from me
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Talk to you later!
     
  50. smokinbls

    smokinbls the title thing is overrated

    it does not look like anything has changed.
    i am going to re download spybot
    thanks again.
    here is the HJT log
     

    Attached Files:

    • HJT.txt
      File size:
      3.2 KB
      Views:
      2
