At the end of my tether - please help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by cowbagger, Oct 9, 2006.

  1. cowbagger

    cowbagger Private E-2

    Hi I'm running XPHome sp2 on home wireless network. Firewall is on router, so disabled on pc. Use Mozilla Firefox, not IE. I have started having lots of popup browser windows e.g. www. winantivirus. com and winantivirus pro 2006, systemdoctor, and some unsavoury ones. Also Winpatrol alerts me constantly to startup programs trying to install e.g. dxc.exe and ixt1.dll. Son has been on some sites he shouldn't, and I was away for 6 weeks so couldn't use system restore as it was too late.
    Have worked through "Read & Run me" which is beyond my comfort zone... but I persevered. I regularly run spybot, SE adaware and have winpatrol and Windows defender running. Used to have Norton but did not renew when it expired and foolishly did not replace with another antivirus so I know it's my own fault.
    Results: Spybot told me I had Smitfraud so first I followed the instructions on chaslang's SpywareStrike post 10/05/05, none of the files mentioned were present. Attached are smitfiles.txt and pandaactivescan.txt.
    Back to read & run:
    Stage 0: I removed Logitech desktop manager and messenger plus. Then downloaded registry booster which told me I had 130 errors but did not remove any of them (and has since plagued me with popups from Uniblue - have tried to remove it...no luck yet).
    Stage 1: Uninstalled Norton as it was out of date. I don't want to renew and will replace with AVG when you advise me it's the right time to do so. Ran ccleaner - removed over 500mb of junk mainly from son's account. Computer started running very fast :) but still popups etc.
    Stage 2 : already done
    Stage 3: see above no anti-virus running to my knowledge
    Stage 4: downloaded all the tools and updated and did settings
    Stage 5: (Even in safe mode, with cable unplugged, had warnings about webpages not being available offline)
    Ran ccleaner again, some files removed.
    Full scan on MSwindows Malicious software removal - "no malicious software detected"
    Spybot: 3 viruses found: smitfraud-c, Microsoft Windows Active Desktop, & Search Toolbar corp toolbar vision. I did the remove and immunize. Could not find the SD helper - please advise. Report attached.
    Windows Defender would not run in safe mode
    Stage 6A: got latest Sunjava in normal mode. When I went into IE I got the following popups: "Spyware Quake", "System alert - Trojan-Spy Win32@mx", and "spyware.cyberlog-x." Ran Bitdefender then Panda Active after downloading the Active X controls. File in next post.
    Stage 6B: Whilst running getrunkey.bat computer completely seized up, mouse & keyboard disabled. Had to reboot and try again. Also ran Windows Defender - it wanted to shut down the system all the time. newfiles and runkeys attached in next post.
    Stage 6C: I went to Special removal procedures, and followed instructions for "Qoologic", "Spywarequake" and "Trojan Vundo". None of the files listed for spyquake were present despite the earlier popup, so by now I'm really nervous as I had pasted the fixquake into the registry. Realised I'm way beyond my limits so called it a day and now desperately need your help and advice please guys.
    Stage 7: Ran HJT and attach log in third post. Winpatrol's warning window re DXC.exe was on the screen at the time - that's the only way I can use the pc, by dragging these windows to the side otherwise they pop up at a rate of 3+ per minute. I really am desperate. Happy to follow clear instructions but have little understanding of the processes I am going through.

    You'll see from the logs that this has taken me 48 hrs elapsed time to complete - I have tried to keep the system stable during that time, except for the deletions I mentioned above. Hence the decision not to install an antivirus yet - I assume that may change all these records and make your job harder? Sorry if this is idiotic, I'm trying my best. I intend to get AVG free version - is that a good idea and if so should I do that now or wait until the system is cleaner?

    Finally, not sure if it's of use to you but the computer is now much slower again than immediately after ccleaner and all I have done since then is your stuff. Also this website logged me out twice during the drafting of this post. Is that normal?

    Apart from Ccleaner, I only ran the other files once, not sure if they would cover all users - there's probably loads of rogue stuff on my son's user area.
     

    Attached Files:

    Last edited by a moderator: Oct 11, 2006
  2. cowbagger

    cowbagger Private E-2

    2nd post - attach 3 files.

    One more to come!
     

    Attached Files:

  3. cowbagger

    cowbagger Private E-2

    final part of my log files. I hope I have followed the instructions Ok and that you can advise me.

    Many thanks - I've learnt a lot already from this process and from the other stuff on your website, and am very grateful that you are here to at least listen! This is a lonely place!
     

    Attached Files:

  4. cowbagger

    cowbagger Private E-2

    Hi, further to my above posts, after a few hours sleep I found these notes which I omitted before. Hope they are of help.

    From the Special procedures lists I looked at the following:
    Malware Wipe removal - I'm not absolutely sure I had this so did not follow the procedure as nervous I'd do more harm than good.

    Vundo - ran vundofix 6.2.1. The scan found lots of files, and removed them. See attached vundofix1.txt
    Could not delete wvuut.dll, so checked "remove on reboot". Rebooted. Ran again - found no files. Ran it again, it found 7 files, removed. Reboot. Ran again in safe mode, found 1 file, reboot. See attached vundofix.txt.

    Qoofix.exe - it found infected files. Checked delete on reboot.

    I did all this before running the HJT log sent previously.

    Current symptoms are lots of popup browser windows, e.g. ripetv.com, debt-solution co.uk, runbox.com - i.e. all junk that I do not want on my computer, and to my knowledge no-one has ever accessed these intentionally on this computer. Also constant warnings from Winpatrol about auto startup programs being detected: dxc.exe twice every minute or so. I read the winpatrol advice on recurring threats, but am not confident enough to know which of the active tasks to select for kill. The only program that does not have a company associated with it is update.exe, which is dated 10 August, which seems to be a crucial date I've spotted with other troublesome files on this computer. The other date my son was messing around was 5th October and it is since then that the computer has been almost unusable and I have been full-time trying to sort out this mess.
    The other thing I did not mention before is that all my spyware applications/defenders etc. are free versions from downloads. I'm careful where I download them from and have not had any problems like this before.

    Please advise, I'm desperate!
     

    Attached Files:

  5. matt.chugg

    matt.chugg MajorGeek

    Using add/remove programs which can be accessed from the control panel, uninstall the following:





    Download and install Sun Java Runtime Environment 5.0 Update 9



    Download

    - Pocket KillBox

    Extract to its own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)


    Run HijackThis. Click the 'Do a system scan only' button.


    Once the scan has completed click Config

    Click Misc Tools

    Click Open Process Manager

    Terminate the following processes by selecting them from the list and clicking Kill Process

    Click back to return to the scan results.

    Place a checkmark in the box next to the following lines:


    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Let me know how things are running now

    REBOOT to Normal Mode.

    Post a fresh HijackThis log, a fresh newfiles log and a fresh activescan log.
     
  6. cowbagger

    cowbagger Private E-2

    Good Morning matt.chugg!

    Many thanks for getting back to me with very clear instructions - scary to contemplate but ok in execution! I have followed your instructions as best I can and these are the results:

    First..... Whilst sitting in panic waiting for a reply, I ran Spybot and adaware and the following were revealed:
    Spybot: Mediaplex, Microsoft.Windows.Active.Desktop, Smitfraud-c. , Smitfraud-c.Toolbar888, and Zlob downloader.
    Adaware: Adware Safety Bar, Win32.Trojanclicker, SpywareQuake, and Win32. Trojan Downloader.

    In both cases I clicked to fix and both programs reported they had but of course they're still there. Looks like I've got the full set, so desperately in need of your continued care please.

    Then, I had an urgent job to do so had to install Lotus Suite to do this, so you'll see this popping up all over the place on the logs. (It's loading up automatically on start which I don't want but don't know how to stop it). Apart from that the system was as it was last log. Sorry if this has made your job harder.

    Following your instructions:
    Add/remove programs from control panel: all fine except ToolBar888 which was not listed. [I noticed that Deluxe communications IS present but did not delete as you didn't tell me to]

    I had previously downloaded the correct sunjava but it was on my desktop so deleted that and then rebooted.

    Downloaded java again from your link and put it somewhere sensible this time (5.0 Update 9), but it's not showing as a new program from Start programs. (?)

    Downloaded killbox

    Printed instructions, copied the file names to notepad on C drive. Reboot in normal, with cable unplugged. Tried to close everything I could find but I don't know what system tray is. I closed everything I could from the taskbar, including Winpatrol, which may have let in some more bad stuff? (DXC is constantly trying to load).

    System scan on HJT. The update.exe file was not there so could not terminate process.
    back to scan results:
    Checked all the files except the O2 wvuut.dll one. It was not there. Selected the "Fix checked" for the others.
    Ran Killbox, pasted each of the files from the notepad one by one, and red cross.
    Reboot to safe mode
    Explorer deletions:
    C:\Program Files\Deluxe Communications - could NOT delete the folder. Had error message "cannot delete Dxc.exe: it is being used by another person or program etc...." This is a surprise as I had not had any popups since reboot. So it's still there.
    Wvuut.dll was not there
    Deleted the two folders with long numeric names
    the U2.........vbs Was not there
    temp file: only one file and deleted it OK despite it being today's date
    online security guide.url not there, nor the remaining 4 files.
    Deleted Prefetch ok
    Reboot to normal and reconnected. PandaActive Scan took 90 minutes to run and I lost internet connection during this time but managed to rescue the report.

    Attach activescan.log, new HJT log and fresh newfiles log. I see from the panda that it's getting worse - more spyware than before. Please let me know what to do next or if it's irretrievable? I'm in despair.

    What's the computer like now?

    Winpatrol is constantly barking at me, warning me about various java programs wanting to start automatically on the computer. I don't know what java is or why I need it - do I tell Winpatrol to allow these files?

    Ditto Lotus suite - I don't want it to load automatically as I only use it for one job, so need to get it off my startup (I don't even know how to do this, sorry)

    As soon as I go in to IE (for Pandascan) I get loads of popup browser windows from Dxc, also virtualexperience.amd.com, plus a game one ending in de. But since I've returned to Firefox no browser popups, just the winpatrol messages re Dxc.exe.

    The computer is extremely slow on startup, returning a black screen for some minutes before XP Login page appears. However have still got internet connection and can use my usual programs - just very concerned about all the viruses/trojans that are turning up. The only other major difference is that 95% of my emails are junk/muck - not sure if this is related to the trojans?

    I am way out of my depth on all this so trying not to do anything in between your instructions, in case I wipe a trail of files you are expecting to see (as above perhaps following my activity in paras 2-4 - really sorry if this has made your job harder but I've been paralysed for nearly a week now and had to do that job).

    Should I be running the CCleaner every day? It seems to work miracles in terms of speed but I don't want to mess up your plan of cleaning my machine. I'm also thinking I should download AVGfree - do I do this now or wait until you have finished your diagnosis?

    Please tell me what I can/should/shouldn't do to the system. Also please tell me if I am giving you too much detail - I don't know the relevance of many of the tasks I am doing so just trying to make sure you can interpret the logs OK.

    Many thanks indeed matt.chugg (I'm a fellow brummie - well Walsall - but don't hold that against me lol). Look forward to the next episode, and very grateful to have your help. Thank you very much.

    Best wishes,
     

    Attached Files:

  7. matt.chugg

    matt.chugg MajorGeek

    Print out these instructions, as you will need to close all browser windows to continue.

    Close all browser windows (Including the one you are reading this in)

    Goto Add/Remove Programs in Control Panel

    Find DeluxeCommunications in the list and double click on it to invoke the uninstaller.


    If there is no Add or Remove Programs entry for this program, Goto Start-->Run, type in
    C:\Program Files\DeluxeCommunications\Dxc.exe /u and hit enter.


    The DeluxeCommunications uninstall program will load and will ask you to enter a security code. Do as instructed and enter the security code it displays and click OK.

    The uninstaller will then Display a dialog saying that all browser windows will be closed if you continue. Click Yes to continue.

    Finally, it will display a dialog asking you if you want to reboot. Click Yes and let your computer boot.

    Boot into Normal Mode

    Download the FixDC.zip attached to this post and save it on your desktop.

    Extract the contents of FixDC.zip to your desktop.

    Run FixDC.reg from your desktop by double clicking on it and click yes to allow it to merge with the registry.

    Now to cleanup some remaining files.

    Click Start and select Search
    Now Select All files and folders
    Enter Dxcknwrd.dll in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    If the search finds the file then delete it by right-clicking on it and selecting Delete

    Repeat the same search and delete procedure for Dxccwrd.dll instead of Dxcknwrd.dll

    You still have other issues but we will get to those next. Once you have completed this please upload a new HJT log.
     

    Attached Files:

  8. cowbagger

    cowbagger Private E-2

    Hi Matt.chugg

    Many thanks for getting back to me - followed the instructions just fine, it was a lot quicker today! Results:

    DXc removed from Add/remove programs, uninstalled fine with security code
    Boot into Normal, added the FixDC.reg to registry.
    Found two copies of Dxcknwrd.dll, searching on C drive, with options ticked as stated. Deleted them fine.
    No copies of Dxccwrd.dll found.
    Did additional search for dxc*.dll - only stuff was in recycles etc. so left them there.
    Ran new HJT, attached.

    Ready for more...........

    The very good news is I haven't had any popups on this (brief) browser session, but computer still very slow to reboot. Also Lotus smartsuite has gone from autostartup too (hooray)... but can't find it on Start programs...

    Many thanks for your continued help, Matt, really appreciated.
     

    Attached Files:

  9. matt.chugg

    matt.chugg MajorGeek

    Please can you upload a new shownew log and a new runkeys log. We still have a couple of infections left but I'd like newer logs before we proceed.
     
  10. cowbagger

    cowbagger Private E-2

    Hi Matt, Great to hear from you again - I thought I'd slipped off the list! Here are the two new logs.
    What's happened since last post: I noticed there were two folders called spybot in the c:\program files folder, but no .exe files amongst them, so I deleted both (could not uninstall as Spybot was not listed in Add/remove programs) then reinstalled Spybot from majorgeeks website. Updated and ran again, it found: Mediaplex, Network Monitor, Win32.small.ddx, and Winsoftware.WinAntiVirusPro2006 (3 copies).
    I clicked Fix, it reported they were deleted but don't know if they have really?

    I ran Adaware, it found 1 tracking cookie (no details) plus Adware.ToolbarDeepdive with a TAC rating of 8.

    I have not had any popups all day yesterday, which is great news. Only obvious concerns now are computer is still slow to boot, plus lots of warnings within Outlook that a program is trying to access my address book - I click no each time but it keeps popping up.

    Have just run getrunkey and shownew as instructed, and enclose logs, plus a new HJT as previous one is now out of date.

    Hope you can help - awaiting your latest advice/instructions. Many thanks
     

    Attached Files:

  11. matt.chugg

    matt.chugg MajorGeek

    Run HijackThis. Click the 'Do a system scan only' button.


    Once the scan has completed click Config

    Click Misc Tools

    Click Open Process Manager

    Terminate the following processes by selecting them from the list and clicking Kill Process (They may not be running but we need to check.)

    close HijackThis.

    Run Pocket Killbox:

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.


    REBOOT to Normal Mode.

    Empty your recycle bin by right clicking on it and selecting empty.

    Let me know how things are running now

    Post a fresh HijackThis log, a fresh newfiles log and a fresh activescan log.
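The "Delete on Reboot" option and the "Pending Operations" message that matt.chugg refers to above both come from the same Windows mechanism: a queue of file moves and deletes that Session Manager carries out at the next boot before anything can lock the files. As an added illustration (not one of the tools used in this thread), here is a Python decoder for that queue. It assumes the documented layout of the REG_MULTI_SZ value `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`: a flat list of (source, destination) pairs, NT-style `\??\` path prefixes, an empty destination meaning "delete", and a leading `!` on the destination meaning "overwrite". The sample value is constructed for the demonstration, not read from a real machine or from the thread's logs.

```python
"""Decode a Windows PendingFileRenameOperations value (added example).

The value lives at
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and is a REG_MULTI_SZ: alternating source and destination strings. Killbox's
"Delete on Reboot" writes a source with an empty destination; a destination
beginning with "!" asks Session Manager to overwrite an existing file.
"""
from typing import Dict, List, Optional

NT_PREFIX = "\\??\\"

# Constructed sample: two queued deletions, as a cleanup tool would write them,
# plus a queued overwrite of a file in system32 that the operator never asked for.
SAMPLE_MULTI_SZ: List[str] = [
    r"\??\C:\Program Files\Common Files\misc002\DXC.exe", "",
    r"\??\C:\WINDOWS\system32\crunner\cproc.exe", "",
    r"\??\C:\WINDOWS\TEMP\~stage.tmp", r"!\??\C:\WINDOWS\system32\update.exe",
]


def strip_nt_prefix(path: str) -> str:
    """Turn '\\??\\C:\\x' into 'C:\\x'; leave any other spelling untouched."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(entries: List[str]) -> List[Dict[str, Optional[str]]]:
    """Return one record per queued operation: action, source, target."""
    if len(entries) % 2 != 0:
        raise ValueError("value must hold (source, destination) pairs")
    ops: List[Dict[str, Optional[str]]] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append({"action": "delete", "source": strip_nt_prefix(src), "target": None})
            continue
        overwrite = dst.startswith("!")
        ops.append({
            "action": "replace" if overwrite else "rename",
            "source": strip_nt_prefix(src),
            "target": strip_nt_prefix(dst[1:] if overwrite else dst),
        })
    return ops


def unexpected_ops(ops: List[Dict[str, Optional[str]]],
                   approved_deletes: List[str]) -> List[Dict[str, Optional[str]]]:
    """Everything that is not a plain delete of a path the operator queued.

    Malware uses the same key to drop or swap files at boot, so any extra
    entry deserves a look before the reboot that will execute it.
    """
    approved = {p.casefold() for p in approved_deletes}
    return [op for op in ops
            if not (op["action"] == "delete" and (op["source"] or "").casefold() in approved)]


if __name__ == "__main__":
    queued = parse_pending_ops(SAMPLE_MULTI_SZ)
    for op in queued:
        print(f"{op['action']:8} {op['source']}" + (f" -> {op['target']}" if op["target"] else ""))
    asked_for = [SAMPLE_MULTI_SZ[0][4:], SAMPLE_MULTI_SZ[2][4:]]
    for op in unexpected_ops(queued, asked_for):
        print("UNEXPECTED:", op)
```

On a live system the list would be read from the registry (for example with `reg query` or the `winreg` module) and fed to `parse_pending_ops`; the point of `unexpected_ops` is the check a defender wants before rebooting: the queue should contain only the deletions that were deliberately requested.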
     
  12. cowbagger

    cowbagger Private E-2

    Hi

    Thanks for getting back on that scan.

    Am now sobbing in frustration.........

    Here's what I did:

    HJT: did everything you said OK, none of the 3 processes were there to be killed.

    Did all the pocket killbox stuff (incidentally it does not ask me to confirm deletion of files, only the reboot yes/no option).

    Into safe mode: the only 3 I could find to delete were the system32\components\ flx 1, 2, 3.

    Sian\local settings\temp: deleted all 36 files one by one, there is an empty folder called VBE left within temp - I left it there - please advise if I should delete this too?

    Deleted Oracle folder

    Did NOT delete Adobe folder - it contains a number of folders, some of which I'm pretty sure I need: Please advise:

    3 empty folders with long random number names
    Acrobat 4 dated 11 Oct 2006
    Acrobat 7 dated 7 Sept 2006
    Photoshop 6 dated August 2003 (v expensive full version of photo editing software - I don't have the original disc any more)
    Photoshop Album Starter Edition dated 29 Sept 2006
    Plus a file called adberdr66_enu_full.exe dated 23 Oct 2003.

    I did have trouble with Acrobat reader in September before all this malware stuff happened & may have reinstalled reader incorrectly - if you could advise me which bits I need to keep, I'm happy to delete the rest & reinstall if necessary.

    Deleted Vundofixbackups folder and contents of Prefetch

    Reboot to normal and ran the scans EXCEPT:

    Pandascan - have spent over 2 hours trying to get this to run. My default browser is Firefox, and when I open the Panda page in this browser, I can see the button to scan the computer, but a window pops up telling me the browser is not supported (which I already knew... but just to let you know I can see the button this way). So back into IE, and the button to scan the computer is not there, only a blank box with a red cross in it. Wherever I click (top right of screen, or where the button should be) I only get the "page not available" screen so cannot run a pandascan. So I tried in safe mode with networking and got the same result, then back to normal mode and downloaded the scan software to desktop and still it won't work as I believe it requires an online connection, so it took me back to the "page not available" screen. I have drawn a blank but have done everything I can do to get this to run, so please, please don't ask me again! Is there anything else I can run that will give you the information you need?

    How is the computer running now?

    Very good news is still no pop-ups, including in IE!!!!!!!!

    Bad news is that computer is still taking ages to boot, hence why it took so long on the abortive Pandascan. The computer just hangs, with blank screen, there are no sounds from hard disc, it's just quiet and still, then all of a sudden just continues to boot. Takes AGES though!

    Also computer just seized up altogether twice during this session, had to switch it off at the plug. (once in Windows Explorer, once when I ran getrunkey) Hence the sobbing.

    Enclosed please find HJT, newfiles, and just in case, getrunkey. Look forward to your next advice and thanks again for sticking with me. Please don't desert me now..........

    BTW, not sure if need to be doing these scans/running the various things you send on all XP profiles or just mine? I'm pretty sure the source of all this malware is my son, so will the bad stuff be lurking on his sign-on/account?
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Matt asked you to attach a new log from Panda Active scan which you did not attach. However before doing that, please follow the steps below:

    Goto Add/Remove Programs and uninstall the below:
    MediaTickets by OIN
    Morpheus 4.9 (remove only) <--- comes bundled with malware
    Safety Bar


    Now Run Pocket Killbox and select File, Cleanup, Delete All Backups!

    Now delete the C:\VundoFix Backups folder if it still exists.

    Now run PandaActiveScan and attach a new log.

    Also attach a new log from ShowNew.
     
  14. cowbagger

    cowbagger Private E-2

    Hi chaslang,

    Many thanks for getting back to me.

    I explained in post#12 that I could not run the Pandascan after 2 hours trying every which way to launch it. Anyway.............

    I removed morpheus fine, with the other 2 I had the error message that it may already have been uninstalled, so I clicked yes to remove from the list anyway.
    Ran Killbox, deleted all backups
    Vundofix I deleted already as per post#12
    This time I DID manage to run pandascan (hurray!) and enclose log, along with shownew, and HJT for luck.

    How's it going since last post? My daughter's sign-on still has Dxc pop-ups, so I searched for dxc* and found 2 entries: Dxc.exe in c:\program files\common files\misc002 and sian @dxcdirect[1].txt in my cookies folder. Can't delete these (cannot read from the source file or disc)

    Ran spybot on 16th - It found 8 entries which it sorted. Enclose report on next post.

    Generally I haven't had any problems with almost constant internet use - no pop-ups on my sign on, just loads of spam emails. Please advise if I should be running scans while logged into the other user accounts on this computer or will that come later?

    Thank you very much for your advice, I do appreciate what you're doing for us all, and await the next set of instructions!
     

    Attached Files:

  15. cowbagger

    cowbagger Private E-2

    ...........and here's the HJT log

    Thanks for your help. Look forward to hearing your advice.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's not worry about the other logins until the one we are working on is clean (which could be soon).

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\misc002\DXC.exe
    C:\WINDOWS\system32\crunner\cproc.exe
    C:\WINDOWS\system32\crunner\cupdater.exe
    C:\WINDOWS\?dobe\spoolsv.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folders and delete if found:
    C:\Program Files\Common Files\misc002
    C:\WINDOWS\system32\crunner
    C:\WINDOWS\?dobe <--- the ? will probably look like an "A" making this folder appear to be Adobe

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
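Two of the manual steps in this thread lend themselves to a small script: the Explorer search for `Dxcknwrd.dll` and `Dxccwrd.dll` with "Search system folders" and "Search hidden files and folders" ticked (matt.chugg's post above), and spotting a folder such as `C:\WINDOWS\?dobe` whose name merely looks like `Adobe` (chaslang's note above). The Python below is an added example, not one of the tools the helpers used. It builds a constructed directory tree in a temporary folder, finds files by name case-insensitively, and flags directory names that pass for a known vendor name only because they contain a non-ASCII character. The confusable-letter table is a constructed, deliberately short subset; Unicode's confusables.txt is the complete reference.

```python
"""Find named files and vendor-lookalike folder names in a tree (added example)."""
import os
import shutil
import tempfile
import unicodedata
from typing import Dict, Iterable, List, Tuple

# Constructed subset of non-Latin letters that render like Latin ones.
CONFUSABLES: Dict[str, str] = {
    "\u0410": "A", "\u0430": "a",  # Cyrillic A/a
    "\u0415": "E", "\u0435": "e",  # Cyrillic E/e
    "\u041e": "O", "\u043e": "o",  # Cyrillic O/o
    "\u0420": "P", "\u0440": "p",  # Cyrillic R (looks like P)
    "\u0421": "C", "\u0441": "c",  # Cyrillic S (looks like C)
    "\u0391": "A", "\u0392": "B", "\u039f": "O",  # Greek Alpha, Beta, Omicron
}


def _rel(path: str, root: str) -> str:
    """Path relative to root with forward slashes, so results sort the same everywhere."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def skeleton(name: str) -> str:
    """Fold known confusables to Latin and drop accents; used for comparison only."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def looks_like(name: str, vendor: str) -> bool:
    """True if name is not the vendor name but would pass for it at a glance.

    After folding confusables the two must have the same length, and every
    position that still differs must be a non-ASCII character (which Explorer
    may render as '?', as in the thread's '?dobe'). A real ASCII difference
    means a genuinely different word, not a lookalike.
    """
    if name.casefold() == vendor.casefold():
        return False
    folded = skeleton(name)
    if len(folded) != len(vendor):
        return False
    for a, b in zip(folded, vendor):
        if a.casefold() != b.casefold() and a.isascii():
            return False
    return True


def find_files(root: str, names: Iterable[str]) -> List[str]:
    """Case-insensitive filename search; os.walk descends into every readable folder."""
    wanted = {n.casefold() for n in names}
    found = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            if f.casefold() in wanted:
                found.append(_rel(os.path.join(dirpath, f), root))
    return sorted(found)


def lookalike_dirs(root: str, vendors: Iterable[str]) -> List[Tuple[str, str]]:
    """(relative dir, vendor) for every folder whose name only looks like a vendor name."""
    vendor_list = list(vendors)
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            for vendor in vendor_list:
                if looks_like(d, vendor):
                    hits.append((_rel(os.path.join(dirpath, d), root), vendor))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed XP-style tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="xp-sample-")
    files = [
        "Program Files/Adobe/Reader/AcroRd32.exe",      # genuine vendor folder
        "Program Files/Common Files/misc002/DXC.exe",   # path named in the thread
        "WINDOWS/system32/crunner/cproc.exe",           # path named in the thread
        "WINDOWS/system32/spoolsv.exe",                 # where the real spooler lives
        "WINDOWS/\u0410dobe/spoolsv.exe",               # Cyrillic A: looks like Adobe
        "WINDOWS/system32/Dxcknwrd.dll",
    ]
    for relpath in files:
        full = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"placeholder")
    return root


def remove_sample_tree(root: str) -> None:
    shutil.rmtree(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    print("files:", find_files(sample, ["Dxcknwrd.dll", "Dxccwrd.dll", "dxc.exe", "spoolsv.exe"]))
    print("lookalike folders:", lookalike_dirs(sample, ["Adobe", "Microsoft", "Common Files"]))
    remove_sample_tree(sample)
```

Run against a real drive root instead of the sample tree, `find_files` needs no "include hidden" switches because `os.walk` does not honour the Windows hidden or system attributes; `lookalike_dirs` is most useful pointed at `C:\WINDOWS` and `C:\Program Files`, where a second `spoolsv.exe` under a lookalike folder is exactly the pattern chaslang describes.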
     
  17. cowbagger

    cowbagger Private E-2

    Hi chaslang,

    Many thanks for the reply and very clear instructions. And thanks for the "do not worry"....I did all the instructions in Normal mode.

    Killbox: all went fine. Did not get the pending prompt, just rebooted fine.
    Deleted the 3 folders fine, and apologies I didn't read your instructions properly first time re Adobe. I expected a telling off for that, so thanks for your patience.

    So here are the 2 new logs.

    How's it going?
    No pop ups, tons of spam email, including suspicious ones that look like they're cloning my address book entries???
    I'm still running spybot and adaware frequently, they found: (on 19th Oct)

    Adaware: Adware.My Toolbar, Virtumonde (x2), Fakealert
    S&D: Win32.small.ddx, Winsoftware.WinantivirusPro2006 (x2)
    So I ran Vundofix v 6.2.1 but it found no files.

    The only other thing to report was when I was browsing other logs in here (in the new posts section) I noticed tribalfusion loading at bottom left of the screen (???). This was in a post which the administrator had identified as spam... so not sure if there's something nasty lurking in there?

    Many thanks again for your help, it is really appreciated. Look forward to next instructions. Shall I download AVG yet?
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Spam is not always due to existing malware problems. It is more frequently due to the fact that you have gotten yourself on the spammers' lists of email addresses and there is not too much you can do about that except change your email address and be more careful where you use it and who you give it to. You could also try a spam blocking tool! I don't have any or recommend any though so you would have to read some reviews or check in the Software Forum for recommendations.

    Tribalfusion is used by MGs for advertisements. It is not a problem; although many tools will trigger on things like this, they are non-issues. Cookies are not problems to be concerned with.

    After you do the below!

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SymWMI Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SymWSC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


    Is your copy of Ewido a free trial or a paid version? If free, uninstall it now.

    Now the final steps for this user account!
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and enable System Restore to create a new clean Restore Point.
    4. After doing the above, you should work thru the below link! Here you will find a link to AVG which you should install now too along with a firewall like ZoneAlarm.
    Then attach a final HJT log for this user account.
     
  19. cowbagger

    cowbagger Private E-2

    Many thanks again chaslang.

    I have downloaded spamfighter as per Major Attitude's thread. Thanks for reassurance on tribalfusion - paranoia rearing up!

    Followed your instructions fine. Service status was already stopped for SymWMI Service. Then in the HJT section, delete an NT service, I had the message "the service you entered is system-critical! It can't be deleted" So I pressed OK. Completed other instructions and then exited HJT and closed all browsers.

    Did the reset web settings, but kept homepage at google, soz. I'm not sure what this was doing but after this my internet links kept opening in IE which I hate but I have now got it back to Firefox.

    Uninstalled ewido free, and also deleted from Program Files afterwards. Did the killbox, the only fix*.reg files I could find were in fixquake, including fixdc.reg. I deleted them. Did the system restore. then worked through "protect from malware", installing both AVG free and Zonealarm.

    Finally I attach new HJT - hope all is in order! From here the computer is running fine now thanks, no pop-ups and not too slow to boot either. I am so grateful for your help. Thank you so much.

    Before we leave this account, can I just clarify 2 things please?
    1. There's lots of debris on my desktop: Qoofix folder, Qoofix.zip, Vundofix.exe, smitrem folder and smitrem.exe, MRT.exe - I don't think I need any of these??? Can I delete them?
    2. Can you just confirm I've got this right in terms of going forward/general maintenance/defence: I've got Winpatrol, Windows Defender (runs daily), AVG, Zonealarm, and spamfighter all running in the background. On top of that I periodically run Adaware and Spybot, and can use Ccleaner too. Is this a good mix/too much/anything missing? I used to have Microsoft Anti Virus Beta and although I have the install on the desktop the icon has gone from tray so assume it has been wiped at some stage of my geeks process? Do I need to reinstall or will it conflict with AVG? I also have Registry mechanic ready on desktop - is this of any use to me or is it for advanced users (which I'm not!). Also can the killbox/HJT be used for anything by me or do they require expert input? If I can't use them on my own then I'll delete them too now? Ditto newfiles and getrunkey?

    I'm just trying to keep the system clear and also make sure I make best use of what you've given & taught me over last few weeks.

    Finally.... what happened to my wallpaper - at what point did that get reset to plain blue and why? (just curious)

    Hopefully now you can give me some advice on the other accounts (the kids) which is where I think most of these problems came from. An advance word of warning though - there is an error in user accounts on this computer and I can't adjust the settings for user accounts, so cannot see my daughter's in safe mode. Hers has a lot of errors on her account set-up, but she muddles through - e.g. she can access internet but not play sims 2. I can't create or change any user accounts.

    I know.......... what a mess. Hopefully you can advise on cleaning up the remaining users so this computer is nice and clean all through.:)
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While you were Resetting Web Settings there is an option on the Programs tab to make IE the default browser. It is checked by default. If you had unchecked it, this would not have happened, but it is a simple thing to correct anyway.


    Yes you could delete all of these but you really should wait to make sure the other user accounts are clean first. You may need to run these tools on them.

    You also have SpywareBlaster installed which is good. Keep all of these and keep them up to date.

    I think you mean Microsoft AntiSpyware Beta. It has been discontinued and replaced with Windows Defender so you can delete anything related to MS AntiSpyware.

    Did you buy it? If not then uninstall it. Inexperienced PC users should use extreme care when doing anything registry related.

    As stated above, we are not done with the other user accounts yet. However I would suggest when we do finish that you keep Killbox and HJT around just in case you ever have future problems. They could prove useful especially if you ever get into a state where you have no internet access to download anything. But you should not do anything with them on your own.


    I'm not sure without looking back thru the whole thread, but you should be able to change it back to whatever you want now.

    Let's continue with your daughter's account. Attach HJT, GetRunKey, and ShowNew logs after logging in as her. Please be specific! When you say "lot of errors" I don't know what you mean or when you mean. Give exact error messages and exactly when they occur. The Sims game may have been broken and may require a reinstall.
     
  21. cowbagger

    cowbagger Private E-2

    Many thanks for all this advice and information. I'm getting a bit hopeful now and not dreading sitting at the computer! Before we leave my account altogether - I have uninstalled registry mechanic, it was a free version. Had an alert that the shared file c:\windows\system32\STKIT432.dll would be deleted but not sure if other programs needed it etc. Nor am I sure, so I have not deleted that file. Should I?

    Second, ZoneAlarm keeps popping up with a security alert that Symantec Netdetect is trying to access the internet. You'll recall I have recently uninstalled a lapsed Norton 2004 antivirus program, and I see from Google that this file is part of Norton. Although I went through add/remove programs, I still have a folder c:\program files\symantec and in this folder is liveupdate. So it looks like the uninstall isn't complete? Advice please? Should I just delete the symantec folder? Or is some more robust action needed?

    Right, over to my daughter's account. She was set up as a user not administrator. I suspect my son tried to upgrade her without success. Symptoms are that her account is not visible at all in safe mode, and when she logs on you get an error message: "Error. Access is denied OK" you get this 10 times each time she logs on, and just click OK. She can access internet and most other stuff she needs but Sims2 needs to be administrator I think so she logs on as her bro or me to play this. (! Yes, I know.......)

    When logged on as me, I go to user accounts and get:
    "Internet Explorer Script Error:
    Line: 76
    Char: 13
    error: Expected ','
    Code: 0
    URL: res://c:\Windows\system 32\nusmgrcpl/nusrmgr.hta
    Do you want to continue running scripts on this page? I click Yes
    A mini-window appears - User Accounts: object expected. I click OK and then just get an empty User accounts window. If I click the back or forwards arrows I get another small error window:
    g-Navigator is undefined.
    And I cannot proceed at all on user accounts so can't create a new one for her or change/delete the damaged one.

    I had a number of errors running the logs for you too - not sure how much you'll see from the logs but what I saw was:

    getrunkey.exe: the DOS window showed:-
    c:\runkeys.txt
    Access is denied (21 times)

    then I got a registry error message -
    Cannot export c:\xrkey01.txt: error opening the file. There may be a disc or system error. OK

    Got same message for xrkey 02,05,06,07,08,10 plus the following files - xmscfg.txt, xmodul, xcupolexp, xlmpolexp, xlmpolsys, xlmbr10, xlmshared, xlmshell, xlmssod1. Then I couldn't save on the C root drive "you do not have permission to save in the C directory. Save in My Documents instead?" so I did. Also errors on HJT. I pasted the HJT error at the bottom of the HJT log under the line - hope this is OK.

    The errors on this account pre-date by many years the malware issues you have helped me with - I assume this is a software problem but my local IT helper guy cannot do anything to mend this. Any suggestions would be very welcome. But if not then hope you can work with what I've sent. But I assume this will restrict what I can access on her account to mend her malware?

    Her symptoms are that she gets the Dxc pop-ups on the internet still. Apart from that she's OK, though undemanding of the computer except for Sims2!

    Hope this is all clear.

    Attached 1 log - I cannot attach the newfiles/runkeys - I get a message from the majorgeeks manage attachments that I have already attached these files to this thread! Have tried renaming the files but no luck. Will try again on next reply and if that fails I will have to open a new thread called "cowbagger" to get them to you. [please advise how to get round this?]

    Look forward to next instalment. Many thanks again for sticking with me through this nightmare.
     

    Attached Files:

  22. cowbagger

    cowbagger Private E-2

    I have tried renaming the logs - both the file names and the file extensions but always get the message from the forum that I have already posted this log on this thread! Please advise, anybody who knows how to get round this problem? Chaslang won't be able to help me unless I get the logs uploaded! They are newfiles.txt and runkeys.txt
    Many thanks
     
  23. cowbagger

    cowbagger Private E-2

    Have just run ccleaner and rebooted and still can't attach the logs. Please advise.
     
  24. cowbagger

    cowbagger Private E-2

    Hooray! Have finally attached the logs within a zip file. Hope all is well with the logs.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The reason you could not attach the logs is because of what I said in my PM. They are old logs (meaning you have already attached them). They are not new logs. Look at the dates of the files.

    GetRunKey is: October 14, 2006 03:43:36 PM
    ShowNew is: October 20, 2006 08:39:59 AM


    Either you did not re-run the tools or perhaps they are not running properly because your daughter's account does not have admin privileges. Watch for error messages in the command prompt window or try opening a command prompt window and running the .bat files from a command prompt so that you can see the error message.
     
    Last edited: Oct 24, 2006
  26. cowbagger

    cowbagger Private E-2

    hi chaslang

    This really has me beat. Apologies - I didn't read or open the previous logs I attached in the zip, but I have now and can see the dates you mention, but in Windows Explorer they were showing as 24th October files, that is why I attached them. I assume that the programs saved the previous logs over the failed new ones. Anyway.......(filed under "stuff I don't understand")

    Have logged in as my daughter again and run a new HJT, attached. I had the following messages: "looks like you're running this from a read-only drive, you must copy to Hard drive first and run from there". I pressed OK, and it produced the attached, I hope. On saving, it said "for some reason your system denied write access to the hosts file....... save the files as "hosts". Pressed OK and saved it with normal name to her documents. Hope it is OK, and a genuine new log.

    Runkeys - I reran this via Start, Run. I had exactly the same errors as detailed 5 posts ago (24 Oct 02:46) So first of all 21 x "access is denied", then the registry error messages starting cannot export c:\xrkey01.txt etc . However I think I may have saved a new log, attached. It says the right date so hopefully it is the one I just ran on her sign on.

    Newfiles - ran this from Start, Run. First of all got 36 x "access is denied", then "scanning please wait", then at least 60 "access is denied". Then got registry error warning: "cannot export c:\xlmuninstall.txt: error opening the file etc. Terminate batch job?" I pressed No, then it showed the newfiles report, but this time I read it and could see it was displaying the same file date as before, ie dated October 20 so I didn't attach this again.

    I have drawn a blank now. Hope you have enough information to begin sorting this one out but I suspect not. Please advise.

    Also please could you advise re the netdetect message on my sign on as per my post of 24th? Many thanks. Look forward to your further advice.
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes they do overwrite the previous files, but only if they run correctly to the end of the program.

    The easiest and fastest solution is that you need to give your daughter's account admin privileges while you work on fixing any problems. Afterwards you can just set it back to a Restricted account. After you do that, you will need to attach new logs from GetRunKey, ShowNew, and HJT. ALSO make sure that you first download the latest version of ShowNew because it has been updated.

    I don't expect that we are going to find much in the way of malware in her account.
     
  28. cowbagger

    cowbagger Private E-2

    Many thanks for your reply.


    I think we've drawn a blank on my daughter's account - as I explained in paras 3 &4 of post # 21, the "user accounts" on this pc is totally knackered, and I can't alter the status of her account or anyone else's. nor add new accounts. Perhaps this is one for the software forum? Is this something they may be able to advise me on? Or will I need to reinstall Windows XP?

    Given your reassurance that there probably isn't much malware on her account, and also my understanding of what she does on the computer I'm relaxed if we leave her account. By far the biggest issues are the ones caused by her user account being "broken". She no longer gets the Dxc popups.

    However, I have used my initiative (! amazing I know!) and turned to my son's account. This is much "busier" and also I suspect the original source of the malware. He is more adventurous in what he does and where he goes........

    One symptom on his account, (not sure if this is malware related) is that browser window is not showing in full on the screen - can't access the up/down arrow to the right, nor see the whole screen. Also lots of graphics are missing - this site appears as plain white with text on it but no graphics.
    Can you help on this or is it a software issue?

    I ran Adaware (nothing found) Spybot (found Advertising.com x3, Advisa, Avenue A.inc, Double Click, Statcounter x2) Fixed these. Then ran ccleaner, removed 65mb.

    I updated newfiles, and attach the 3 logs from my son's account. Please advise on next steps.

    And thank you as always for your time and help.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You downloaded the new version of ShowNew but you did not get the new version of GetRunKey. Please get the new version!

    You may have a problem doing the below if your son's account does not have admin privileges. Give it a try and see what happens!

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete the below (if found):
    C:\Program Files\DeluxeCommunications <--- the whole folder

    Now run Ccleaner.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
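As an added example (mine, not HijackThis's own code and not anything chaslang posted), the Python below parses the kinds of HJT log lines quoted in posts #18 and #29 and attaches the verdict a helper reads off each one: an R0/R1 value that is empty is cosmetic, an R3 search hook marked "(no file)" is an orphaned registration, an O4 entry names the autostart executable to look for on disk, and an O16 entry names the host an ActiveX control was downloaded from. The sample lines are constructed from those two posts; the line layouts are those of HijackThis logs of the period.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample input (not one of the thread's attached logs): the lines
# the helper picked out of the HJT logs in posts #18 and #29, one per line.
SAMPLE_HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
""".strip()

@dataclass
class HjtEntry:
    section: str      # HJT section code, e.g. "R0", "R3", "O4", "O16"
    raw: str          # the original line
    verdict: str      # cosmetic | default-missing | orphaned | startup | activex | review | unknown
    reason: str       # one-line explanation a reader can act on
    fields: dict = field(default_factory=dict)  # parsed pieces: key, value, clsid, cmd, url, ...

# Every HJT entry is "<section code> - <body>"; the codes are R0..R3, F0..F3, N1..N4, O1 onward.
LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# R0/R1 body: "<hive>\<key>,<value name> = <data>" (data may be empty)
R_RE = re.compile(r"^(?P<key>HK[A-Z]+\\[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
# R3 body: "URLSearchHook: <name> - {CLSID} - <file or (no file)>"
R3_RE = re.compile(r"^URLSearchHook:\s*(?P<name>.*?)\s*-\s*(?P<clsid>\{[^}]+\})\s*-\s*(?P<file>.*)$")
# O4 body: "<hive>\..\<Run key>: [<entry name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O16 body: "DPF: {CLSID} (<optional name>) - <download URL>"
O16_RE = re.compile(r"^DPF:\s*(?P<clsid>\{[^}]+\})\s*(?:\((?P<name>[^)]*)\)\s*)?-\s*(?P<url>\S+)$")

def classify(line: str) -> HjtEntry:
    """Parse one HijackThis log line and attach a reviewer's verdict to it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return HjtEntry("??", line, "unknown", "not an HJT entry line")
    section, body = m.group(1), m.group(2)

    if section in ("R0", "R1"):
        r = R_RE.match(body)
        if r:
            f = {"key": r["key"], "value": r["value"], "data": r["data"]}
            # ";<local>" is only the proxy-bypass placeholder, so treat it as empty too.
            hosts = [h for h in r["data"].split(";") if h and h != "<local>"]
            if not hosts:
                return HjtEntry(section, line, "cosmetic",
                                f"{r['value']} is empty; removing the entry is harmless", f)
            return HjtEntry(section, line, "review",
                            f"{r['value']} is set to {r['data']}; confirm you set it", f)

    if section == "R3":
        if body.startswith("Default URLSearchHook is missing"):
            return HjtEntry(section, line, "default-missing",
                            "the stock search hook was removed; fixing restores the default")
        r = R3_RE.match(body)
        if r:
            f = {"name": r["name"], "clsid": r["clsid"], "file": r["file"]}
            if r["file"] == "(no file)":
                return HjtEntry(section, line, "orphaned",
                                f"search hook {r['clsid']} is registered but its DLL is gone", f)
            return HjtEntry(section, line, "review",
                            f"search hook {r['clsid']} loads {r['file']}", f)

    if section == "O4":
        r = O4_RE.match(body)
        if r:
            f = dict(r.groupdict())
            return HjtEntry(section, line, "startup",
                            f"'{r['name']}' autostarts {r['cmd']} via the {r['key']} key", f)

    if section == "O16":
        r = O16_RE.match(body)
        if r:
            f = dict(r.groupdict())
            f["host"] = urlparse(r["url"]).hostname or ""
            return HjtEntry(section, line, "activex",
                            f"ActiveX control {r['clsid']} was downloaded from {f['host']}", f)

    return HjtEntry(section, line, "unknown", "section or layout not handled by this parser")

def parse_hjt(text: str) -> list[HjtEntry]:
    """Classify every non-blank line of an HJT log excerpt, in order."""
    return [classify(ln) for ln in text.splitlines() if ln.strip()]

def summarize(entries: list[HjtEntry]) -> dict[str, int]:
    """Count entries per verdict, e.g. {'cosmetic': 2, 'orphaned': 1, ...}."""
    return dict(Counter(e.verdict for e in entries))

if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT_LINES)
    for e in found:
        print(f"{e.section:<4} {e.verdict:<16} {e.reason}")
    print(summarize(found))
```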
     
  30. cowbagger

    cowbagger Private E-2

    Many thanks for getting back to me. Sadly my son is an administrator so I can do all the stuff you asked! and as per post #21 I can't downgrade him to user so that's where all the problems came from I think.

    I followed all the steps listed, and enclose 3 logs. Only thing was the Deluxe comms folder isn't there, so couldn't delete.

    How's it going? Well his browser is still weird - all pages are just plain white with text, including this one - no colours or logos displayed. Also web pages are too big to fit on screen so can't access up/down arrow to the right and therefore can't navigate properly. The google homepage has thick black lines round the boxes. I have looked at all the tabs/options on display and internet options in control panel and cannot see anything to change. Please advise on this - it is a serious handicap.

    On a quick browse, there were no pop-ups, so it seems like we're nearly there?

    Many thanks for your continued help and patience with this lot. Much appreciated. Look forward to next instalment.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The steps in message # 29 did not work properly. This may be due to Win Patrol and Windows Defender getting in the way of our cleanup. So let's do the below:

    Goto Add/Remove Programs and Uninstall the below:
    Norton WMI Update
    Win Patrol
    Windows Defender


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Now click Start, Run, and enter sfc /scannow. Note this may ask for your Windows CD if it needs it, so hopefully you have a real Windows XP SP2 boot CD for the PC.

    Now rerun ALL of the steps in message # 29 and reattach new logs!

    Any change to all/any of your problems?
     
  32. cowbagger

    cowbagger Private E-2

    Chaslang
    Many thanks for this very detailed reply. It all looks very frightening. So I need to ask a coupla Q's before I start, please:

    1. Presume I do all this logged in as my son?
    2. Am I going to be without Winpatrol and Defender for long? - I've come to rely on these for peace of mind
    3. I do have the original CD but it's not SP2, it dates back before then. What will I have to do exactly? Will I have to download SP2 again from the windows website? Will they let me download it again cos they'll have records I've already downloaded it? Is this a reinstall of Windows entirely? What sort of settings am I going to lose - I'm really shaky on this stuff and it has taken me years to configure it how I want it. Any hints on how to make this part as painless as possible?
    4. Why is the registry fix so long? Is it because there's a lot of malware on son's account?
    5. Will the Windows re-install have any impact on the user accounts problems I listed on post #21?

    Sorry to be a wuss but I'm reliant on this computer and terrified in case I'm left with no access to the world if I can't do the windows thing - have never installed it before - it came already loaded. Needless to say, I'm not questioning your instructions, just doubting my own abilities here! This whole correspondence has been a great adventure into the unknown for me and I think I've just hit my wall.

    So there - I've come clean I'm a total wimp and need my hand held! Please be gentle in your response and sorry to be so irritating.

    Many thanks
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are the answers to 1 thru 5:
    1) Yes!
    2) You can reinstall them after doing the fixes and making sure that everything worked properly. As I said last time the fix from message # 29 did not work. You can verify it yourself this time by simply looking and comparing before and after logs.
    3) If you have any missing or corrupted files and if sfc needs to get them from your old CD because it cannot find local replacements, yes you may need to reinstall SP2. It depends on what files were missing or corrupted (if any). You don't really lose settings unless they were very unique to something only available in SP2. You could just try running sfc without giving it the disk just to see if it even needs it. Then abort if it asks for it. But now at least you will know that you do have problems in your OS file system.
    4) It is long but much of it is just to re-establish defaults in case they have been changed by malware. Your complaint on your son's account sounds like there are problems with IE settings.
    5) You are not doing a Windows re-install. And we are also not running a Windows Repair install. It is just a system file check.
     
  34. cowbagger

    cowbagger Private E-2

    Many thanks Chaslang for clarification and reassurance. I see I need to make more effort to understand these processes myself. I'll get back in the bunker now and do this stuff.
     
  35. cowbagger

    cowbagger Private E-2

    Right I got into trouble here, and couldn't complete the process. Please can you advise?

    I did the three uninstalls OK.
    Copied the black text to a FixME.reg on son's desktop. Then I rebooted.
    Double clicked on the fixME.reg and got the following error message:
    "cannot import c:\Docs& settings.....\desktop\fixme.reg: error accessing the registry".

    Not sure what to try next. (to confirm... son IS an administrator)

    Is the FixME.reg something I could run from my own sign-in? (I don't know if registry changes are specific to users?? - I'm not being deliberately stupid here, I just don't know how these things work)

    2. Looking ahead to the next bit - the CD I have is still sealed in its cellophane and has a green cover: Microsoft Windows XP Home Edition 2002 and on the CD itself it says "MESH computer Recovery CD-ROM - do not open or attempt to use this CD without the specific instruction to do so from MESH tech support dept." Obviously I want to proceed with you guys and don't want to start from scratch with MESH, but just wanted to check that insertion of this CD will be the right thing to do if so prompted? Is it the right CD? The only other system type CD I have is the Microsoft Office XP Small Business, complete with Product key (I don't see one for the Mesh CD - will that be a problem?)

    3. Not sure what this CD contains - but once I've opened it is the repair part of the CD able to help me sort out the user accounts issues I have? (post #29) or is that addressed by your code as well?

    4. Re "look and compare the logs" - sorry I am trying to be intelligent on this especially after your alert that I'd posted old logs before so I do open them now and at least check the dates to make sure they have run. The logs from son's account did have the right date on them - what else do I check? I wasn't aware that they hadn't worked - I can read them OK but they don't mean a lot to me and don't know what I am looking for? Trying my best to make sure I learn from this, please give me some specific things to look for.

    Many thanks. Awaiting your instructions and still very grateful for your patience on this.
     
  36. matt.chugg

    matt.chugg MajorGeek

    Hi, Chas is taking a much deserved vacation right now.

    You need to run the fixme reg from your son's account as Chaslang specified. It contains fixes to HKCU which is specific to the user logged in.

    Have you temporarily given your son's account admin privileges, as Chas suggested for your daughter's account? The problem here is probably just privileges.

    Lets try and get this sorted first and then we will look at the next step.
     
  37. cowbagger

    cowbagger Private E-2

    Hi Matt, nice to see you again - I thought I'd frightened you off with my insanity. I saw chaslang was on hols so thanks for rescuing me.

    To re-cap - we've put daughter's account aside and decided to leave it. Son is and always has been an administrator. I saved the fixme.reg to his desktop but when I clicked on it (whilst signed in as son) I got the following error message:
    "cannot import c:\Docs& settings.....\desktop\fixme.reg: error accessing the registry". So I cant move on at all.

    Please advise.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try booting in safe mode and logging into your son's account. Then try the fixme.reg patch. If it does not work, then tell me if you can do the below (also in safe mode while logged in as your son).

    Click Start, Run, and enter regedit and click OK.

    If the above works the Registry Editor should open. Don't do anything with it! Just close the window if it opens. Then you can reboot into normal mode and come back and tell me what happened.
     
  39. cowbagger

    cowbagger Private E-2

    Hi chaslang, lovely to hear from you again and hope you had a good break!

    I booted into safe mode and logged on as my son, clicked on the fixme.reg and got exactly the same error message - "cannot import c:\Docs& settings\sonsname\desktop\fixme.reg: error accessing the registry".

    I then did start run regedit and the registry fixer window opened - it looked like an explorer window, with My computer at the root and 5 HKEYS folders underneath.

    I closed it and here I am awaiting further instructions. Many thanks for getting back to me.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In Normal Boot mode, log in as your son and do the following:

    1. Click Start.
    2. Click Run. The Run window appears.
    3. In the Open box, type the following, and then click OK:
      regedt32
      The Registry Editor opens.
    4. Right click on the below key:
      HKEY_CLASSES_ROOT
    5. Click Security, and then Permissions. You see the Permissions for Symantec dialog box.
    6. Click Administrators.
    7. Ensure that the Allow box for the Read entry is checked.
    8. Ensure that the Allow box for the Full Control entry is checked.
    9. Click System.
    10. Ensure that the Allow box for the Read entry is checked.
    11. Ensure that the Allow box for the Full Control entry is checked.
    12. Click Apply, and then click OK.
    13. Now repeat steps 4 to 12 for the below keys:
      • HKEY_CURRENT_USER
      • HKEY_LOCAL_MACHINE
      • HKEY_USERS
      • HKEY_CURRENT_CONFIG
    14. Now click File, Import, and then in the next window navigate to the fixme.reg file and select it and click Open. Tell me what message you get. It could be a success or the same failure message. Just let me know. Close the registry editor.
     
  41. cowbagger

    cowbagger Private E-2

    Hi,

    I logged in as my son in normal mode and for both Administrators and System, the Permissions were already set to allow Read and Full Control for all 5 HKEY folders.
    I clicked File Import fixme.reg open and got the same error message, i.e. "cannot import c:\Docs& settings\sonsname\desktop\fixme.reg: error accessing the registry". I closed the registry editor.

    Other stuff I saw which I'm not sure if they are of relevance are:

    under current configuration: there was an "account unknown" (S-1-5-32-547), this, plus "Users" was read only, not Full Control. Don't know what the account unknown is, maybe the faulty daughter's one?

    Under current user, my sons account allows both Read and Full control

    Under local machine and users, "everyone" is read only

    Under Classes root, "users" is read only.

    These may be standard or irrelevant but thought I'd mention it in case it helps.

    Doesn't look good does it? Hope you can suggest something else, please chaslang.

    Many thanks once again for your help.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is starting to look like your user accounts just have too many things wrong with their registry settings to be fixable. I think we may be outside the area of malware problems at this point, but let's check a couple more things first.

    Run this while logged in as your son: Running AVG Anti-Spyware, and attach the requested log.

    Also run this while logged in as your son: Using Sophos Anti-Rootkit, and attach the requested log.
     
  43. cowbagger

    cowbagger Private E-2

    Hi chaslang

    Sorry for delay in getting back to you - as usual I've had a lot of problems following the procedures.

    I've had AVG free installed since last month and run daily. Did the update anyway. However, nowhere could I find the Scanner, settings, recommended actions, quarantine tabs. Believe me I looked everywhere, went to online help etc but can't find where to set the settings - presume I did this on initial installation but can't remember what I selected - it could well have been fix all problems. Please can you tell me how to access these options and settings? I have tried my best. The upshot is that I ran AVG in safe mode, full system scan including all files, the result that I read was that no threats found. I did not get the option to save a report as there was none. Have done a trawl of the computer, but not sure what I am looking for - there's certainly no logs in the AVG progfiles folder. Can only find the attached which I hope includes what you want.

    Rebooted into normal mode, ran the sophos application exactly as instructed and it reported no hidden items. Log attached is empty.

    Whilst browsing I noticed a new folder in the C root drive dated 15th Nov. I have no idea what it is and don't know if it is of relevance - I have done little else on the computer this week except this spyware stuff. The folder is called
    e61d6fd291c0fbcb977be4221bc454 and contains a file called msxml4-KB927978-enu.log. Any ideas on what this is? Don't want to post it as it contains lots of text details about the computer. It is 284kb in size. May be a windows update?

    I suspect you're going to refer me to the software forum at this stage - if so then do I refer them to this post as otherwise not sure what details to give them.

    As for son's account - well there are no pop-ups, he has solved this issue of the window not loading fully - it was to do with a mozilla add-on he had. However what is still wrong is that there are no colours or proper logos on internet pages. We've looked everywhere at all the settings on internet and display but cannot solve this.

    Thanks again for your help
     

    Attached Files:

  44. cowbagger

    cowbagger Private E-2

    Further to my post and logs above, in case it's of help I enclose a new HJT log. Look forward to your advice. Many thanks
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to read my message again! I did not say AVG7 Antivirus. I said AVG Antispyware. You need to follow the directions in that link completely (including downloading and installing the application).
     
  46. cowbagger

    cowbagger Private E-2

    Ok I got this morning's stupid prize! I'm so sorry.:rolleyes:
    Have now put on my reading glasses and done what you asked - it all makes sense now!
    Log attached. Please advise

    Thanks for your patience
     

    Attached Files:

  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that fixed a couple more items from Deluxe Communications.

    At this point you appear to be malware free. Your other problems are more than likely related to issues within your Windows OS. You may have file system or registry problems. You may even need to reinstall to fix these. You should document your exact problems and start a thread in the Software Forum to see if anyone has ideas on them. Make sure you mention this thread and that you have cleaned the PC of malware.
     
  48. cowbagger

    cowbagger Private E-2

    Many thanks Chaslang for your persistence and patience on this long correspondence. I am very grateful. I will post on the software forum and hope the user accounts issues can be sorted out too. However your instructions on removal of the malware have been a great education and I have the greatest of respect for what you do on this forum. Thank you so much. Feel slightly traumatised that this has come to an end - I'll add you to my Christmas card list!

    Before I take my leave, please could you clarify best way forward on keeping the pc protected in future:

    I have adaware, Spybot and SpywareBlaster which I update and run weekly.
    I recently uninstalled Winpatrol and Windows Defender on your instructions - do I reinstall these now?

    Since our correspondence I also have AVG antivirus, Zonealarm, AVG antispyware, spamfighter and ccleaner installed.

    Zonealarm and AVG antispyware run in the background and I just respond to them.
    AVG antivirus is updated and run daily
    CCleaner I run periodically.
    Spamfighter unfortunately has stopped working, just as the free period ended - it just comes up with error messages and I can no longer block new spam addresses - I need to uninstall it - can you recommend a replacement?

    Is this about right - do I need to do or install something else or do I have any conflicts?

    Finally I have the following on my desktop - don't think I'll use these without hand holding from you guys so is it Ok to delete/uninstall them?

    Qoofix, Qoofix.zip, smitrem, smitrem.exe, MRT.exe, Vindofix.exe.

    Many thanks again.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some of your questions will be answered by my final instructions which I will post at the end but I will address a couple others first.

    Yes you can reinstall Winpatrol and Windows Defender now. You need one full realtime blocking antispyware program like Windows Defender. You should however uninstall AVG Antispyware now to avoid excess use of system resources and it does not provide any realtime blocking unless you purchase it. Keeping Spybot & SpywareBlaster installed and updated is definitely a good idea.

    Personally I see no need for them but if you like them, you can check out some of the tools here: http://www.majorgeeks.com/downloads10.html

    FINAL STEPS!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  50. cowbagger

    cowbagger Private E-2

    Many thanks indeed chaslang - have done the final tidy up and everything running fine now. Cannot thank you guys enough for your brilliant advice, clear logical plan of attack, and great patience with a novice over many months. I am so grateful. I will leave you in peace now! Thank you.
     
