Please help!! All "Read Me First" Instructions Followed!!:)

Discussion in 'Malware Help (A Specialist Will Reply)' started by PrincessAlayna, Dec 9, 2006.

  1. PrincessAlayna

    PrincessAlayna Private E-2

    Hey guys!!:)

    I've been having a horrible time with my laptop computer lately. It started out as some minor little "quirks", but over the past month, everything seems to be breaking down. Here's a list of the "symptoms" my computer's been exhibiting, starting with the earliest noticed:

    - Free space issues. I have a small hard drive, so I'd routinely delete programs, and free up space, only to find it somehow magically disappeared again a week later.
    - CPU usage. Somehow, the computer really slowed down, and I saw the CPU usage was always at 100%...prior to that, it had been running between 35%-65%.
    - No Scan Disk. It won't allow me to scan the drive and free up space the way it used to. It gets stuck on "Compress Old Files".
    - No defragmenting. After I noticed the above issue, I tried to defragment the drive, but it just won't work.
    - No sound. This was the breaking point for me with this computer. Last week, suddenly, the sound stopped working. Nothing is muted, and the sound card is installed and functioning.

    Please help!! I am at my wits' end with this computer, and don't know enough about the internal workings to attempt to fix it on my own. I followed the instructions (which took hours and was quite tedious!) listed in the ReadMeFirst file, but am still having problems. The only thing I could not do was run the PandaScan. I attempted it twice, and both times, it froze..while attempting to scan the same file. (the problematic file is listed as c:/drivez.log, which is suspicious looking in itself...nothing good is spelled with a z at the end. ;P)

    I've attached the results of all my scans, and am hoping you guys may be of help!!:)

    Thanks ever so, in advance....

    *Hugs*,
    *~ Alayna
     


  2. PrincessAlayna

    PrincessAlayna Private E-2

    Post, Part 2.....

    I've posted part 2 just so I could include the other attachments.

    Thanks again!!

    *Hugs*,
    *~ Alayna
     


  3. PrincessAlayna

    PrincessAlayna Private E-2

    Re: Post, Part 2.....

    *frustrated sigh*

    I posted a Part 1 of this, as well....where did it go?:(
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Re: Post, Part 2.....

    Spam filter caught it, I validated the post.
     
  5. PrincessAlayna

    PrincessAlayna Private E-2

    Re: Post, Part 2.....

    Thanks! I see it now!!:)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MajorGeeks!

    It does not sound to me like you are having malware problems. It sounds more like your problems are due to running an outdated operating system on an old PC with insufficient resources (memory and hard disk space) to properly run the OS.

    Questions:
    1. How large is your hard disk? And how much free space is there?
    2. What is using most of your hard disk space?
    3. How much RAM do you have?
    4. What is your processor speed and type (AMD, Intel )?
    You have a few things to fix and I have added some other general comments about your security status.

    Your Windows version is way out of date and represents a major security risk to you. After we fix any malware issues, you MUST get updated ASAP.

    Also why are you running this PC with no protection software? You have no antivirus and no firewall and probably had no antispyware application at all until running the READ ME. This is like swimming with sharks without using a cage.


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
    O20 - AppInit_DLLs:


    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    If you are low on disk space, you should not keep stuff like below:
    C:\Documents and Settings\IBM\Desktop\ftpsurfer107.exe
    C:\Documents and Settings\IBM\Desktop\FullTiltSetup.exe

    You should also delete the below folders for software that is no longer installed.
    C:\Documents and Settings\IBM\Application Data\Kazaa Lite
    C:\Documents and Settings\IBM\Local Settings\Application Data\Symantec
    C:\Documents and Settings\All Users\Application Data\Symantec

    Now run Ccleaner .

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. HJT


    Make sure you tell me how things are working now!
     
  7. PrincessAlayna

    PrincessAlayna Private E-2

    Thanks...I'll run those steps and see what happens!:)

    I had a question...I noticed that the trojan-infected file which BitDefender told me could not be deleted/disinfected is listed in the HijackThis log and also under the running applications. Is this bad?

    Also, why isn't my sound card working anymore, if it's an old-system problem?

    This PC was given to me by a friend after my laptop was stolen, as a temporary "make-do" system. It's only a 4GB hard drive. That's why I haven't bothered to update Windows or install a firewall. (I do have Ad-Aware on here.) I basically use it for e-mail, work stuff, and iTunes. :)

    Thanks!!:)

    *~ Alayna
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you referring to the processes running from this folder: C:\WINDOWS\MWW32

    If so, they are for your IBM Thinkpad and they are just probably installed incorrectly which may be why BitDefender thinks they are malware.

    That is a Hardware or Software/Driver issue which is not a topic for this forum. Try the Hardware or Software forum. You may need to download and install new drivers for the built in sound card.

    A 4 gig drive is too small to be useful. You did not answer my questions about how much RAM and what processor speed. It could also be that you are running Windows XP on a system that cannot adequately support it.


    Based on your ShowNew log, you only have 167,153,664 bytes free on your hard disk! Windows (especially Win XP) cannot run with only that much free space available.
     
  9. PrincessAlayna

    PrincessAlayna Private E-2

    *sighs* Unfortunately, I recently had to travel home for the holidays, where I have very limited computer access, so even attempting to fix these problems is a difficulty.

    The computer has 160 MB of RAM. I don't know where to find the information regarding the processor/processor speed..where is that located?

    I understand what you're saying about the system simply being old and outdated. The thing that confuses me is, the computer has worked fine for about 6 months, even with the limited amount of hard drive space and RAM. I didn't have a single problem until about a month ago. It's only been recently that one by one, everything has started breaking down. :( Something odd is going on, and I don't get it...:( If it's not a virus, why does it seem like the problems are spreading from one area to another? This never happened before. :(

    Now, the latest problem is that I'm constantly getting red X messages that tells me the system needs to shut down and restart. The curious thing is that all the problems seem to come from the "windows/system32" directory. Every file in this directory seems to be randomly breaking down somehow. I also keep getting messages from CounterSpy about "svchost.exe" in the same directory trying to initialise, asking me if I want to block it.

    In any case, I will go back and run the steps suggested above, and check in shortly!:)

    *Hugs*,
    *~ A.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just right click on My Computer and select Properties. This should give you the info and will also include the RAM.

    The longer you use Windows and the more times you have booted, the more disk space will be used up because Win XP is creating System Restore points. Thus you are running out of free disk space and this will affect ALL Windows system performance. In addition, since you have a very small amount of RAM, Windows needs to use disk space for Virtual Memory, but you don't have much disk space.....thus another problem.

    I'm not sure exactly what you mean. You would have to give us the exact error message but again it could just be due to the low disk space. This could also be another hardware problem like overheating or a hard disk going bad.

    Again I have no idea what this means. You have not provided any supporting information. But again I doubt whatever you are referring to is related to malware.

    C:\windows\system32\svchost.exe is a valid and required Windows process that will be seen running multiple times (4 to 8 times is typical) and you MUST not be blocking it.


    Complete the other directions I gave you and attach the new HJT log, but don't expect it to improve your problems. Your PC problems are physical in nature.
     
  11. PrincessAlayna

    PrincessAlayna Private E-2

    Alright...I've completed the other steps you gave me, and have attached the new HJT log to this post.

    "Are you referring to the processes running from this folder: C:\WINDOWS\MWW32

    If so, they are for your IBM Thinkpad and they are just probably installed incorrectly which may be why BitDefender thinks they are malware."

    Yes!! That's what I'm trying to explain.

    BitDefender found a virus attached to file c://windows/mww32/manager/mwrewind.exe. It said it could not remove this virus. When I looked at the registry, I noticed this infected file was one that was running. So, I wondered if this infected file running on my computer could be part of the problem.

    Last night, I downloaded AVG FreeEdition. It also told me I had a virus attached to this file and the backups called Trojan Horse.Downloader.Agent GVC that could not be healed. It also detected a virus in c://windows/system/winlogon.exe and c://windows/system32/x.exe called Trojan Horse IRC/Backdoor .SDBot2.MLT that could not be healed. I wondered if this could be accounting from my problems coming from that folder. What, if anything, do I need to do regarding the viruses AVG detected?

    I am sorry to be such a pain and so insistent about this..if there's nothing I can do to improve the status of my system, I understand that. It just seemed odd that I was having all of these problems all at once, all of the sudden. I understand your point about the more times you boot, the more resources are used..but, I've disabled System Restore due to the limited resources on the computer.

    Thanks so much,
    *~ Alayna
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said, it is a file for your Thinkpad. Do you see other files in that folder with names like:
    MWMDMSVC.EXE
    MWSSW32.EXE

    These are required files for your modem.

    What is "it" that I highlighted above in your quoted text? And also what is "this file" and also what is "the backups"?

    Do you actually see the below files you mentioned:
    c:\windows\system\winlogon.exe <--- this is bad but don't confuse it with c:\windows\system32\winlogon.exe which is valid
    c:\windows\system32\x.exe

    If you see those two EXACT files, delete them. Use safe boot mode if necessary. THIS IS NEW MALWARE THAT SHOWED UP. You did not have this previously. I will give you a fix for your new problems in my next message.


    Then you have just used up all the space that your drive has by installing and running programs and storing various things. Also Windows still requires a lot of temporary disk space for normal everyday operations. The lower the amount of free disk space when you startup, the slower your PC will run. And some operations will require more space than others. With such limited disk space, you should be careful running multiple applications at once and even be careful opening multiple browser windows.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are going to have a hard time keeping this PC clean with the Windows XP version you are running being so out of date and without using other protection tools that you still need (like a firewall, antispyware). But each will require more disk space and more RAM. Your PC is very susceptible to a whole range of malware problems (some of which you just picked up). It is good that you have now installed an antivirus.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Windows NT Logon Application
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste WINLOGON into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O4 - HKLM\..\Run: [Intec Services Driverrs] winrvc.exe
    O4 - HKCU\..\Run: [Intec Services Driverrs] winrvc.exe
    O4 - HKCU\..\RunServices: [Intec Services Driverrs] winrvc.exe
    O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system\winlogon.exe
    c:\windows\system32\winrvc.exe
    c:\windows\system32\x.exe

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
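The triage chaslang does by eye across posts 6, 10, 12 and 13 (a core binary such as winlogon.exe or svchost.exe is only legitimate under system32; an O23 service whose file is missing should be deleted; bare-filename autoruns planted in both HKLM and HKCU, and in the Win9x-era RunServices key, are a persistence pattern; an unexpected ProxyServer value should be cleared) can be applied mechanically to a HijackThis log. The script below is an added example, not code from the thread or from HijackThis. Its sample log is constructed from the lines quoted in the thread plus one made-up legitimate svchost service line for contrast, and the rules are this editor's heuristics, not HJT's own logic.

```python
import ntpath
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the HJT lines quoted in this thread plus one made-up
# legitimate service line (wuauserv) so a correct system32 svchost is present.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Intec Services Driverrs] winrvc.exe
O4 - HKCU\..\Run: [Intec Services Driverrs] winrvc.exe
O4 - HKCU\..\RunServices: [Intec Services Driverrs] winrvc.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe -k netsvcs
"""

# Core Windows binaries that a genuine XP install runs only from %SystemRoot%\system32.
# The same name anywhere else (C:\WINDOWS\system\winlogon.exe in this thread) is suspect.
SYSTEM32_ONLY = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
R1_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.*)$")
EXE_RE = re.compile(r'"?([^"]*?\.exe)"?', re.IGNORECASE)


def _exe_path(cmd: str) -> str:
    """Executable portion of an autorun/service command line (quotes and arguments dropped)."""
    m = EXE_RE.search(cmd)
    return m.group(1) if m else cmd.strip().split()[0]


def _in_system32(path: str) -> bool:
    # ntpath so the Windows path logic also runs on a non-Windows analysis box
    return ntpath.dirname(path).lower().rstrip("\\").endswith("\\system32")


def misplaced_core_binary(path: str) -> bool:
    """True when a system32-only binary name appears outside system32."""
    return ntpath.basename(path).lower() in SYSTEM32_ONLY and not _in_system32(path)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries worth fixing or deleting."""
    findings: List[Tuple[str, str]] = []
    autorun_hives: Dict[str, Set[str]] = {}   # autorun name -> hives it was planted in
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R1_RE.match(line)
        if m and m.group("proxy").strip():
            findings.append((line, f"ProxyServer set to {m.group('proxy').strip()!r}; clear it unless you configured a proxy"))
            continue
        m = O4_RE.match(line)
        if m:
            path = _exe_path(m.group("cmd"))
            if m.group("key").lower() == "runservices":
                findings.append((line, "RunServices is a Win9x key ignored by XP but commonly written by malware"))
            if ntpath.dirname(path) == "" and not path.startswith("%"):
                findings.append((line, f"autorun launches bare filename {path!r} with no vendor path"))
            if misplaced_core_binary(path):
                findings.append((line, f"{ntpath.basename(path)} running outside system32"))
            autorun_hives.setdefault(m.group("name"), set()).add(m.group("hive"))
            continue
        m = O23_RE.match(line)
        if m:
            path = _exe_path(m.group("path"))
            if misplaced_core_binary(path):
                findings.append((line, f"{ntpath.basename(path)} running from {ntpath.dirname(path)} instead of system32"))
            if m.group("missing"):
                findings.append((line, "service binary is missing; delete the service entry"))
            if m.group("short").lower() + ".exe" in SYSTEM32_ONLY:
                findings.append((line, f"service name {m.group('short')!r} impersonates a core Windows process, which is not a service"))
    for name, hives in autorun_hives.items():
        if len(hives) > 1:
            findings.append((f"[{name}]", f"same autorun entry in {sorted(hives)}; worm-style persistence"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Run as-is it reports nine findings for the constructed sample and stays silent on the two legitimate lines (KernelFaultCheck under %systemroot%\system32 and the system32 svchost service), which is the distinction post 10 draws: svchost.exe itself must not be blocked, only a copy of a core name living somewhere other than system32 is a problem. The remaining manual steps in post 13 (stopping and deleting the WINLOGON service, then removing the files in safe mode) follow directly from the "file missing" and "instead of system32" findings.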
     
