HiJack log - Please Help

There's nothing wrong with running it from there. In fact this is where we prefer it to be.

One of your problems (you have a few) is that your explorer.exe shell is not loading at startup. That is why you have no desktop. There are 2 registry keys that sometimes cause this problem. We are going to look for and delete these keys (if found).

Press CTRL-ALT-DEL to bring up Task Manager. And click File, New Task (Run..) and enter regedit and click OK. This will run the registry editor. Now look for the below registry keys (navigate thru the registry). Make sure you only look for and delete the exact keys listed below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe

After deleting this keys the desktop and explorer.exe should reappear. You may need to reboot after doing this. Let me know the results. After getting this problem fixed will will look at your remaining problems so post a new HJT log at this point.

 

Re: HiJack log - Please Help Again

Well you still have something preventing explorer.exe from loading.

First look in Control Panel, Add/Remove programs for AntivirusGold and uninstall if found.

Did you have the below items running when you ran HijackThis?
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe

I can understand having Task Manager running because of your problem getting explorer.exe to run. But why do you have regedit and iexplore running?

Have you tried just running explorer.exe from Task Manager.


Download Pocket Killbox and save it to its own folder where you can find it. Do not run it yet. Will will use it later in my next message.

 

Re: HiJack log - Please Help Again

Print the below steps or save them locally. Stay disconnected from the internet while doing them.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

If taskmgr.exe, regedit.exe, and iexplore.exe were not being run by you, use the below step to kill those processese. If you were running them, you must end them before continuing to use HijackThis below.

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\uvzuuu.exe reg_run
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKCU\..\Run: [lmrt] C:\WINDOWS\System32\lmrt.exe
O4 - Global Startup: rnar.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\AntivirusGold <--- the whole folder
C:\WINDOWS\System32\lmrt.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Killbox by double clicking on the killbox.exe file.

Check the following boxes:

Standard File Kill
End Explorer Shell While Killing file

Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box (note some of these may not exist on your PC)
C:\WINDOWS\icont.exe
C:\WINDOWS\toolbar.exe
C:\WINDOWS\system32\andpd.dll
C:\WINDOWS\system32\nrimin.exe
C:\WINDOWS\system32\vqwbw.dat
C:\WINDOWS\system32\winup2date.dll
C:\WINDOWS\system32\wmconfig.cpl
C:\WINDOWS\System32\uvzuuu.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rnar.exe

With the full path to the file name in the Full Path of File to Delete textbox. The filename will appear under the box in a blue color to indicate it was found. Now Click the Red X and for the confirmation message that will appear, you will need to click Yes. If the file is successfully delete you will get a message of confirmation. Just click OK!
Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

Now for any files not deleted properly above (the ones you wrote down), do the below (if all of them deleted, skip these steps):
- in Killbox select the option to Delete on Reboot
- uncheck the option to End Explorer Shell While Killing file

Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet).

When you do enter the last file name that needs to be deleted, click Yes on the last file.
Note: Killbox will let you know if the file does not exist.

Okay so now your PC should be reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

After reboot continue doing the below before you do anything else.
Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot one more time in normal mode and get a new HJT log.
Now reconnect to the internet and come back and post your new log. And tell us how things are working.

Do not reboot or power down at this point because if you are still infected it can mutate making any steps I would post a waste of time.

 

Re: HiJack log - Please Help Again

You did not get the below fixed:

O4 - HKCU\..\Run: [lmrt] C:\WINDOWS\System32\lmrt.exe

Repeat the procedure and follow all steps related to it.

If you still have problems with hal.dll, see this: http://www.kellys-korner-xp.com/xp_haldll_missing.htm

Or possibly download the file from: http://www.dll-files.com/dllindex/dll-files.shtml?hal

But you may not need the file. It could be just a problem with your boot.ini file.

 

Re: HiJack log - Please Help Again

After doing what is in my previous message, follow the steps below:

1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files form RKFiles Tool to its own folder - C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


You did not answer whether you can run explorer.exe from Task Manager.

Just in case you don't know how.

If you press CTRL-SHIFT-ESC to bring up Task Manager and then click File and select New Task (Run ...) and enter c:\windows\explorer.exe , what happens? Does your Desktop come back?


You may want to check the below registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell

and see if the values for Shell is explorer.exe

To do that , use Task Manager again (like you did above) and enter regedit and click OK!

Then navigate your way to and select Winlogon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

then find the Shell in the right window pane and see what the Data entry is.

 

Re: HiJack log - Please Help--Logs x3

You must remember to exit browsers ( C:\Program Files\Internet Explorer\iexplore.exe ) before running HijackThis.

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\hookdump.exe <--- if found! You may not find this running! Just continue to next steps.

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

After clicking Fix, exit HJT.

Run Killbox by double clicking on the killbox.exe file.

Check the following boxes:

Standard File Kill
End Explorer Shell While Killing file

Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box (note some of these may not exist on your PC)
C:\WINDOWS\System32\OPMOO.DLL
C:\WINDOWS\System32\OZXOOON.DLL
C:\WINDOWS\System32\SUPDATE.DLL
C:\WINDOWS\System32\DBADDDX.EXE
C:\WINDOWS\System32\REDIT.CPL
C:\WINDOWS\System32\WI0499.EXE
C:\WINDOWS\System32\1803.DLL
C:\WINDOWS\System32\DELFIN.DLL
C:\WINDOWS\SYSTEM32\goldnew2b.dll
C:\WINDOWS\BUDDY.EXE
C:\WINDOWS\62lyuzb1jr.exe
C:\WINDOWS\del.tmp
C:\WINDOWS\System32\hookdump.exe

With the full path to the file name in the Full Path of File to Delete textbox. The filename will appear under the box in a blue color to indicate it was found. Now Click the Red X and for the confirmation message that will appear, you will need to click Yes. If the file is successfully delete you will get a message of confirmation. Just click OK!
Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

Now for any files not deleted properly above (the ones you wrote down), do the below (if all of them deleted, skip these steps):
- in Killbox select the option to Delete on Reboot
- uncheck the option to End Explorer Shell While Killing file

Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet).

When you do enter the last file name that needs to be deleted, click Yes on the last file.
Note: Killbox will let you know if the file does not exist.

Okay so now your PC should be reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

After reboot continue with the below.

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixgold.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixgold.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

Now reconnect to the internet and come back and post a new HJT log. And tell us how things are working.

Do not reboot or power down at this point because if you are still infected it can mutate making any steps I would post a waste of time.

 

Re: HiJack log - Please Help - Fixgold

Are you sure you saved it to a filename that ends with .reg

Try this:

Click Start, Run, and enter regedit then click OK. This will open the registry editor.
Now in regedit, click File, Import . Now navigate to the fixgold.reg file you saved to your desktop and select it. Tell me if that works.

 

Re: HiJack log - Please Help - Fixgold

Okay you're log is clean. Are you still have problems that you cannot attach files? Have you looked for the Go Advanced button and clicked it and then scrolled down to Manage Attachments?

How are things working now?

 

What do you mean additional options? Do you mean you clicked the Go Advanced button?

Do you see the below?

Code:

 
Attach Files
Valid file extensions: bmp doc gif jpe jpeg jpg log pdf png psd txt zip

But right below the Valid file extensions text you do not see a Manage Attachments button? Move your mouse there and click anyway. Any luck?

Are you logged in with Administrator priviledges?
Can you see IE, Tools, Internet Options, Advance tab stuff if you boot in safe mode and log into the Administrator account.

 

Re: HiJack log - Please Help - again

If you scroll down to the very bottom of this page (the one you are reading right now), there should be a box titled as below with the options shown. What are yours set to (you can see my settings in bold).

Posting Rules
You may post new threads
You may post replies
You may post attachments
You may edit your posts
vB code is On
Smilies are On
[/url] code is [b]On[/b]
HTML code is [b]Off[/b]

 

I'm not sure what is causing this. I'll keep thinking about it. But since your log is clean, you need to follow the steps in the below thread. Step 8 mentions using Mozilla Firefox. When you get to that step, install FireFox and import your favorites from IE. Then try to make an attachment using FireFox.


How to Protect yourself from malware!

 

Do you have any of the below folders on your PC:
c:\i386
c:\windows\i386
c:\windows\Driver Cache\i386


If so, look in them for a copy of explorer.exe and copy it to c:\windows and overwrite the explorer.exe file that is in c:\windows.

 

That copy is a compressed version. You need to uncompress it.

Click Start, Run, and enter cmd and click OK. This will open a command prompt window. In the command prompt window enter the following commands each followed by the enter key:

cd c:\i386
expand explorer.ex_ explorer.exe
exit

Now you should have a copy of explore.exe in i386. Before copying it to c:\windows and overwriting one that may be there, let's rename the c:\windows\explorer.exe file to explorer.sav

Then copy the c:\i386\explorer.exe file to c:\windows

Now reboot your PC and tell me if there is any change.

 

You should only do this if it is running the same version of Windows XP.
Your PC had Windows XP SP1 (WinNT 5.01.2600).

We have tried a variety of typical procedures to get explorer.exe to load again. I'm not sure right now what else we can try.

You could also try running sfc /scannow from a command prompt window. Not sure if that will fix the problem.

I think you are going to have to discuss this issue further in the Software Forum. It looks like you may have some other issues with your Windows OS installation. A boot to recovery console (from your WinXP CD) may be necessary to repair your installation.

 

Well we can try another item my friend Matacumbie pointed out. It adds a few more registry patches to some of the ones already tried. Perhaps we will have better luck with this one.


Download this VB script and save it to the root folder of your C drive.

http://www.kellys-korner-xp.com/regs_edits/xp_taskbar_desktop_fixall.vbs

Then with TaskManager running (and do not close TaskManager) click File, New Task(Run....) and in the open box type xp_taskbar_desktop_fixall.vbs and click OK. When it prompts you to run the fix click Yes.

Once the edit is merged, in Task Manager's Process list look for explorer.exe to be running. If it is, right click it and select End Process.

Leave the Task Manager open. click File, New Task(Run....) and in the open box type: explorer.exe

Does your Desktop come back, do icons appear, does explorer.exe remain running?

Check after a reboot too?

 

Re: HiJack log - Please Help -=VBS File

Save the below quoted text to a file somewhere that you can find it. Name it fixvbs.reg
Press CTRL-ALT-DEL to bring up Task Manager. And click File, New Task (Run..) and enter regedit and click OK. This will run the registry editor. Now in regedit click File and select Import. Locat the fixvbs.reg file and select it. Answer yes about to any prompts about adding it to your registry.

Now try to run that VBS script.

 

That's what we have been trying to fix since message number 5.

Where did you save the VBS file to? If you saved it to the root of drive C try using the below in Task Manager's run box:

C:\xp_taskbar_desktop_fixall.vbs

 

Did the registry merge from message 32 work? Were you able to save it to a file without any problems and merge it into the registry? Did you get any error messages? Try it again.

 

Can you see the c:\xp_taskbar_desktop_fixall.vbs file from Task Manager's browser. Make sure you select All Files for the Files of type selection box. Is it actually named correctly? Make sure it is not named xp_taskbar_desktop_fixall.vbs.txt

You may want to open a command prompt window and type:

cd c:\
dir

and look to see what the file is actually named.

 

Goto back to task managed and try running the following command

c:\windows\system32\cscript C:\xp_taskbar_desktop_fixall.vbs

Tell me if that works. cscript is the program that should be getting called inorder to run the VBS script. It seems you may have lost a bunch of your Windows file associations.

 

Okay perhaps it actually worked. Have you rebooted and checked to see if there is any change in your Desktop? Can you run explorer.exe now?

 

Did you ever try what I posted in message # 29?

 

Re: Solved!!!!

You're welcome. Make sure you complete the steps in the below thread ASAP to help protect you from future problems. You have to make sure you check for Windows Updates. It is step 1.

How to Protect yourself from malware!