Toseeka won't go away

Discussion in 'Malware Help (A Specialist Will Reply)' started by ugean, Dec 28, 2009.

  1. ugean

    ugean Private First Class

Please help. I have run the READ & RUN ME FIRST. Malware Removal Guide the best that I can. I was very thorough and tried every detail. Most went smooth until the end. Every time I run the MGTools it locks up at:
    Zipping hijackthis.log
    updating: hijackthis.log (208 bytes security) (deflated 68%)

    (let go overnight still no change)

I am running XP on C:\ and this is my primary operating system that is in trouble. Every time I open my browser (Firefox or IE) I get a pop up 4 tabs long. Any and all search engines are completely useless. Every time I select a link I get taken to one of the virus sites. Generally the scans come back clean, however when I finally had time yesterday to run all of the scans and steps in order Malwarebytes did find one and occasionally AVG will come up with a threat. This has been going on for about a month as I have not had time to run all of the steps in READ & RUN ME FIRST. Malware Removal Guide. Each scan takes about 2-2.5 hours.

On F:\ I am running Vista but rarely used it until lately. It is not infected but hardly any of my software or programs are installed or work on it. None of the scans in the attached logs were run from Vista.

    I also have a couple of Networked computers that I have run all of the scans from. They are not infected and do not find anything on this one. I would like to add W7 pro but want to ensure XP is clean first.

I have had this virus once before and nothing seemed to work for the longest time, then all of a sudden it was gone. I had upgraded Firefox and IE and that still didn't work before.

Also I cannot update AVG to 9.0 as I keep getting an error. Windows update for: Microsoft .NET Framework 3.5 Family Update KB959209 x86 does not install. As I just copied that from the little box I realized there was another update and I have just installed that. (Sometimes I miss them because I have to ignore the other one.)

    Please help me you guys are the Greatest
     

    Attached Files:

  2. ugean

    ugean Private First Class

    Here are the MGlogs that I do have
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O1 - Hosts: 91.212.127.226 osguard-pro.com
    O1 - Hosts: 91.212.127.226 www.osguard-pro.com
    O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Documents and Settings\Stephen\Application Data\FlashGetBHO\FlashGetBHO3.dll (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. ugean

    ugean Private First Class

    I did what you asked but MGtools still locked up at the same point (only 67% this time). Attached are the logs and my browser is still infected.

    note: Combo fix updated when I ran it.

    thank you for your help
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not a message that it is locking up. That message tells you that it already finished compressing the HijackThis log and that it compressed it by 67%. It is somewhere after this that the process is not able to finish.

I can see from your MGlogs.zip file that some of the logs are not getting updated due to this. Some logs are still from 8/11/2009 since your previous thread was never completed. This may be due to the same thing I mentioned to you last time, which was about various required Windows Services not running properly (not a malware problem). It is due to your Windows installation being messed up. Your system thinks some of your Windows OS files are to be found on drive D. You must have installed a second copy of Windows at some point onto a new drive to cause this. You can see the below two services referring to drive D:

    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - D:\WINDOWS\system32\mnmsrvc.exe (file missing)
    O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - D:\WINDOWS\system32\sessmgr.exe (file missing)



    And I believe you have other services like WMI doing the same and this may be why the MGtools scans cannot complete. Again this is not a malware problem, it is your Windows installation.

    There is a required system file missing that we will replace now, and I will also have ComboFix delete the current MGlogs.zip file so that old information is removed.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
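The check chaslang did by eye on the O1 hosts lines (post 3) and the O23 service lines above can be automated. The following is an added example, not code from the thread or from the MGtools package: it audits constructed HijackThis-style log lines and flags hosts entries that resolve a name to something other than loopback, BHOs whose DLL is missing, and services whose binary lives on a drive other than the assumed system drive C:. The sample lines are built from the entries quoted in this thread; the winmgmt line is constructed as a healthy control.

```python
import re
from typing import List, Tuple

# Assumption: the XP install under repair is on C:, as stated in this thread.
SYSTEM_DRIVE = "C:"
# Hosts entries pointing here are normal; anything else is a redirect worth a look.
LOCAL_HOSTS_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9a-fA-F-]+\}) - (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) \((\S+)\) - (.+?) - (.+)$")
DRIVE_RE = re.compile(r'^"?([A-Za-z]:)\\')

# Constructed sample, modelled on the HijackThis lines quoted in posts 3 and 5.
SAMPLE_LOG = r"""O1 - Hosts: 91.212.127.226 osguard-pro.com
O1 - Hosts: 91.212.127.226 www.osguard-pro.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Documents and Settings\Stephen\Application Data\FlashGetBHO\FlashGetBHO3.dll (file missing)
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - D:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - D:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe -k netsvcs
"""

Finding = Tuple[str, str, str]  # (category, identifier, detail)


def audit_hijackthis(log_text: str, system_drive: str = SYSTEM_DRIVE) -> List[Finding]:
    """Return a list of findings for the O1, O2 and O23 entries in a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOCAL_HOSTS_IPS:
                findings.append(("hosts-redirect", host, f"resolves to {ip}"))
            continue
        m = BHO_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            if path.endswith("(file missing)"):
                findings.append(("dangling-bho", clsid, f"{name}: {path}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _display, short_name, _owner, path = m.groups()
            drive = DRIVE_RE.match(path)
            if drive and drive.group(1).upper() != system_drive.upper():
                # Binary registered on another drive: the broken-install symptom in this thread.
                findings.append(("service-wrong-drive", short_name, path))
            elif path.endswith("(file missing)"):
                findings.append(("service-file-missing", short_name, path))
    return findings


if __name__ == "__main__":
    for category, ident, detail in audit_hijackthis(SAMPLE_LOG):
        print(f"{category:22} {ident:40} {detail}")
```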
     
  6. ugean

    ugean Private First Class

    I did everything you said and let MGtools run over night. Same thing. Combo fix did update when I ran it. Here are the new logs. I know it did something because when I downloaded the new mgtools i noticed that combo fix did delete the old mglogs.zip
    Thanks
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and run the below special version of MGtools. This new version is named MGtoolsSF.exe

    MGtoolsSF

    After running it, attach the new C:\MGlogs.zip file. Let me know if you still notice a hang after the HijackThis log is deflated.
     
  8. ugean

    ugean Private First Class

    Happy New Year! Sorry for the delay in getting back to you. It locked up at the same place again, but this time after tdsslog.txt it gave me an error message:

    There was an error accessing Windows Management Instrumentation. Please verify that it is installed on you system

    Once I clicked ok it went on to userid something...

    I did not see any log files with SF at the end but this MGtools was updated today.

    Thanks
     

    Attached Files:

  9. ugean

    ugean Private First Class

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Happy NY!

See what I said at the beginning of message # 5. This is one of the services I mentioned that is messed up in your Windows installation. This is not a malware problem but it is part of all your troubles. Toseeka does not appear to be your problem, but since some of the scans cannot run properly due to your Windows installation being broken, we cannot see everything we need to see.

    Please do the following.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to NetMeeting Remote Desktop Sharing
    • Then right click the entry, select Properties
    • On the next form you will see the Path to executable: setting set to D:\Windows\System32\mnmsrvc.exe change this so that it says C:\WINDOWS\System32\mnmsrvc.exe
    • Make sure Start-up Type is Disabled
    • Make sure Service status: is Stopped
    • Now click Apply and OK to get back to the list of Services
    • Scroll down to Remote Desktop Help Session Manager
    • Then right click the entry, select Properties
    • On the next form you will see the Path to executable: setting set to D:\WINDOWS\system32\sessmgr.exe change this so that it says C:\WINDOWS\system32\sessmgr.exe
    • Make sure Start-up Type is Manual
    • Make sure Service status: is Stopped
    • Now click Apply and OK to get back to the list of Services
    • Scroll down to Windows Management Instrumentation
    • Then right click the entry, select Properties
    • On the next form you will see the Path to executable: setting. I'm not sure what it is currently set to but make sure it is set to the C:\WINDOWS\system32\svchost.exe -k netsvcs
    • Make sure Start-up Type is Automatic
    • Make sure Service status: is Started
    • Now click Apply and OK to get back to the list of Services
    • Click OK until you get back to Windows.
    There could be other services that are also messed up and set to drive D or to the wrong state. That was part of the reason for giving you the new MGtoolsSF which was trying to list services for me. But since you have too many things broken, it would not run. Let's see if the above helps and find out exactly what happens.

    Click Start, Run, and enter cmd and click OK. This will open a command prompt. In the command prompt Window enter the below black bold print commands. The purple text is only comments to help you follow what should be happening. Observe the spaces in the commands.

    cd C:\MGtools <<-- if this works, the prompt should change to C:\MGtools>
    processdll << if this runs, a list of process should scroll by and a file name procdll.txt should appear on your Desktop. I expect you may get an error. Tell me exactly what happens.
    ServiceFilter.vbs << if this runs, the prompt will quickly return to just C:\MGtools but a few log files should be created. I expect you may get an error. Tell me exactly what happens.
    GetLogs.bat <<-- should run a full scan of all MGtools. Tell me exactly what happens and what error messages you get if/when it hangs.


Attach the new C:\MGlogs.zip file, along with a description of what happened.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

No, since I'm not sure at this point this is your problem, and you have major issues in your Windows installation that you need to fix.
     
  12. ugean

    ugean Private First Class

    "On the next form you will see the Path to executable: setting set to D:\Windows\System32\mnmsrvc.exe change this so that it says C:\WINDOWS\System32\mnmsrvc.exe"

    I was not able to change this on any of them. I could highlight sections but I could not change anything about it.

    "Make sure Start-up Type is Disabled" (I don't know how to do that cool quote thing you do)

    I changed this from Manual to Disabled and it seemed to work.

    "Make sure Service status: is Started"

Windows Management Instrumentation was Stopped. I clicked the Start button and got the message:

    The windows Management Instrumentation service on local computer started and then Stopped. Some services stop automatically if they have no work to do, for example, the performance logs and alerts Service.

    "cd C:\MGtools <<-- if this works, the prompt should change to C:\MGtools>"
    Worked fine

    "processdll << if this runs, a list of process should scroll by and a file name procdll.txt should appear on your Desktop. I expect you may get an error. Tell me exactly what happens."

The cursor just moved to the next line. I let it go for a while to see if it would do anything and nothing. I could not type anything else so I closed it. Then I reopened cmd and wasn't sure if it should be "process.dll" so I tried that and it did not recognize the command.

    "ServiceFilter.vbs << if this runs, the prompt will quickly return to just C:\MGtools but a few log files should be created. I expect you may get an error. Tell me exactly what happens."

    "the prompt will quickly return to just C:\MGtools" this is what it did. I do not know about any log files. Are they in MGlogs.zip?

    "GetLogs.bat <<-- should run a full scan of all MGtools. Tell me exactly what happens and what error messages you get if/when it hangs."

    I got the error:

    There was an error accessing Windows Management Instrumentation. Please verify that it is installed on you system

Three times. Once just after the scan started and twice just after tdsslog.txt.

    Then the scan froze up at the same point it has been.

    Thank you for taking the time with a Rookie who has been building new systems with old parts over the years.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I suggest that you reboot into safe mode and repeat my previous instructions. Also, if it still does not allow you to change the D: into a C:, then stop and then disable the service first. Then retry the change to the Path. Then set the Startup Type and Status back to the proper states. You need to get these problems with your Windows services fixed. This is not a malware problem. If you cannot fix it, you may need to do a Windows repair or a reinstall, as this is the cause of many of your problems.
     
  14. ugean

    ugean Private First Class

I cannot access XP safe mode with Vista installed, only Vista Safe Mode (or at least I don't know how to). I have the OEM XP install disk if needed. I just do not want to lose any programs that are installed or any files, as I do not have enough disk space to copy everything over. Although you may be helpful in getting my wife to approve another HD purchase. I can tell you that Windows (with that disk) has been completely reinstalled since it was on a D:\ drive (at least once).

    I went in under Vista and Windows Management Instrumentation was the only one listed and it was on the F drive like Vista.

Just tell me what to do. A clean sweep of XP definitely wouldn't be the worst thing; I'm just nervous about losing too much data.

P.S. I do not mind losing Vista, just the other files on that drive too. I am going to replace Vista with W7.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can use MSconfig to select safe boot mode for the Win XP setup. I'm not too positive on thinking this will work. Make sure you have no browsers or other processes open when you repeat those steps. If this does not work, then I suggest you figure out how to back up what you need (CD/DVD, flashdrive...etc) and then reinstall XP if you need it.

    Not something I can help you with.

Why do you need a new HD? Windows reported the below in your logs: 261,361,229,824 bytes free

    Okay since you are saying you had Windows installed on drive D at one time that may have something to do with the messed up services. How it got like this would mean someone installed/reinstalled incorrectly.
     
  16. ugean

    ugean Private First Class

I was beginning to wonder if you ever took a day off... Thanks for your help! I have lots of free space spread out across my drives. If I had to clear my C, the backup file would not fit on my F drive. (I tried.) I have too many media files that I don't want to lose. If I'm going to end up on W7 maybe it is time I rebuild XP. If I delete Vista it will work, but it is starting to grow on me since I got this virus. I will have to think it over and see what I can do. Thank you!
     
  17. ugean

    ugean Private First Class

    Is there a section of your site or can you refer me to somewhere that can assist me with the rebuild of my system when I am ready to do it? I want to avoid having these problems in the future if I do decide to wipe the slate clean. Thanks
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You could ask specific questions in the Software Forum.
     
