Still having problems after I did all of READ THis FIRST

Make sure that you have system restore disable and keep it disable until all problems are fix.

Download Pocket KillBox but do not run. Now print or save these instructions locally because you must exist ALL browsers now and stay disconnected until I have you reboot.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

After clicking Fix, exit HJT.

Run Pocket Killbox. Select the following options to Delete on Reboot and End Explorer Shell While Killing File.

Now, Copy and Paste C:\Documents and Settings/repclient1/Start Menu/Programs/Startup/netdb.exe into the box.Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No


Now, Copy and Paste C:\windows\system32\netda.exe into the box.Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No

Now, Copy and Paste C:\windows\prntsvr.dll into the box.Check the Unregister .dll Before Deleting option. (Note: you may not find this file or have a problem with this dll option not being active, just ignore and continue.) Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No

Now, Copy and Paste C:\windows\system32\netdc.exe into the box.Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click Yes and allow your machine to reboot Normally. Tell me if you get any error messages on reboot and tell me the exact messages.

Now run Internet Explorer and select Tools, Internet Options, and then the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now exit Internet Explorer and get a new HJT log. And then reconnect back here and post your new HJT log.

 

Did you have this PC connected to the Internet overnight?

We have to ignore the HSA problem until we fix the other problems.
Follow my previous steps again, but this time when you click Yes to reboot, if you get the "Pending File Rename Operations Registry Data....." message again. Just ignore it and then reboot the PC yourself and when it comes back up continue my instructions except getting the HJT log will get a new one after the below steps.

After reboot see if you can find the below file or not: C:\WINDOWS\System32\netdc.exe

Then run HJT and put checks on the following lines but do not click Fix until you exit all browsers (including the one you are reading in right now):
O4 - HKLM\..\Run: [5.tmp] C:\DOCUME~1\Libby\LOCALS~1\Temp\5.tmp.exe 5 10001
O15 - Trusted IP range: 206.161.125.149 (HKLM)

After clicking fix, reboot in safe mode and use Windows Explorer to delete:
C:\Documents and Settings\Libby\Local Settings\Temp <--- delete all files and subfolders in thise folder (some may not be deleteable - tell me which ones)

Now reboot normal mode, and post a new HJT log and answer all questions.

 

Run Windows Explorer. Can you see this file: C:\WINDOWS\System32\netdc.exe


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} (CounterX Class) - http://t058.com/cabtest/counter.cab
O21 - SSODL: MSTskMgr32 - {61DF24BA-7CA9-4A0A-B4EC-82E263AC959F} - C:\WINDOWS\System32\kbduuery.dll

After clicking Fix, exit HJT.
Run Internet Explorer and click Tool, Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

 

Boot into safe mode and do the below:

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\svchost.exe <--- note: this is not c:\windows\system32\svchost.exe


After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe


After clicking Fix, exit HJT.

Use Windows Explorer to delete:
C:\WINDOWS\svchost.exe
C:\WINDOWS\dltime.dll
:\WINDOWS\st.exe

Open a command prompt Window by clicking Start, Run and enter cmd and click OK.
In the command prompt window enter the following commands each follow by the enter key (tell me the results):
cd c:\windows\system32
attrib -a -r -s -h netd*.exe
dir netd*.exe
del netdc.exe

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Please do the following:

- download Registrar Lite

- Run it, click on the magnifier glass to do a search and then enter the following string to look for netdc (yes without the .exe) and hit Enter

Copy back here all the matches you get.

 

Yes Sygate is good. Did it provide anymore info? Like port # and an application name.

I need you to run RegistarLite again and when it comes up paste the below into the address bar and hit return:

HKEY USERS\S-1-5-21-276092-7193-759139758-765018439-1011\Software\Microsoft\Internet Explorer\Explorer Bars
That should bring you right to the reg key in question. Now right click on the Explorer Bars and then select Export. Save it to a file called exp-bar.reg where you can locate it. By default it will have a .reg extension after saving. You now need to go and chang the filename to exp-bar.txt .

Now upload the exp-bar.txt file back here as an attachment.

 

Read what I said again. I said rename it to exp-bar.txt not exp-bar.txt.reg

 

That is not what I was looking for! You need to export the registry key. It will have the full registry key path info in it and all the data and parameters under it. Did you not export this properly? I have attached an example of what this could look like. Obviously yours should have something include the netdc.exe stuff.


If you had to do what jarcher stated in message # 27, then you never did step 3 of the Getting Prepared section in the READ ME. We assume that our directions have been followed while making various procedures up for you to try. If that was why you could not save the file with the proper extension type then you see why following directions is important. If that was not the problem you were having, what was the problem.

 

OK! That's more like it.

The first thing I want you to do is download this: Erunt
Install it, and use it to create a registry backup. After doing that continue with the below:

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixshell.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the fixshell.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

After doing the above, exit browsers, and get a new HJT log. Then come back here and post that log.

Then reboot your system, and when it comes back up, get another HJT log. Then come back here and post that log.

Make sure you tell me which of the two logs is which.

 

That's good so far. At least concerning netdc.exe.

But where did these come from all of a sudden.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=204
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll

Where have you been surfing? And do you have all the protections mentioned in How to Protect yourself from malware! in place.

Those two lines need to be fixed (with browsers closed) and the C:\WINDOWS\System32\MTC.dll should be delete in safe mode.

 

It came back! Okay! Here is what I want you to do. Repeat the step where you merged in the registry patches. Take a quick look at your HJT log yourself to verify it is not in the log (like last time).

Now do not reboot via normal methods. Physically pull the power plug that goes into your PC (yes that's what I said). Now wait a minute and power up in safe mode.

See if you can locate the netdc.exe file and delete it. (let me know the results).

EDIT to add this step: click Start, Run and enter notepad c:\windows\system.ini and then click OK. Look for a line that has the netdc.exe stuff on it and delete it. Then save the file and exit notepad.

Get a HJT log in safe mode (call it hjtsafe.log).

Now reboot in normal mode and get a new HJT log (call it HJTnormal.log)

Post your logs and tell me results from the steps.