System HiJacked...blank screen...scan logs attached - Help Plz

Discussion in 'Malware Help (A Specialist Will Reply)' started by toclark2, Aug 26, 2005.

  1. toclark2

    toclark2 Private E-2

    I've run the requisite initial scans in safe mode and then, when they were not successful, I ran HijackThis to take a snapshot of what's on my system.

    Symptoms: No explorer/start menu, no wallpaper, all applications going through taskmgr manually.

    Anything you can do is greatly appreciated.

    Edit by chaslang: Unrequested inline log removed. Please do not post any HJT logs unless they are requested. Also do not post both inline and attached forms or the log.
     

    Attached Files:

    Last edited by a moderator: Aug 26, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have multiple antivirus applications installed (KAV and AVG). You must pick the one you prefer and uninstall the other. Do this before continuing.

    Also please install HijackThis properly per our sticky thread instructions. You have it on your desktop:
    C:\Documents and Settings\ToddJune\Desktop\SpyKiller\HijackThis.exe

    Also go to Add/Remove programs and uninstall:
    P2P Networking or P2P Networking
    P2P Networking3
    ViewMgr or Viewpoint or Viewpoint Manager <--- I'm assuming you do not use or need this junk from AOL. Most people do not.

    Do you know what this process is: C:\WINDOWS\System32\CNDNDlg.exe

    There are 2 registry keys that sometimes cause this problem with explorer.exe not loading. We are going to look for and delete these keys (if found).

    Press CTRL-ALT-DEL to bring up Task Manager. And click File, New Task (Run..) and enter regedit and click OK. This will run the registry editor. Now look for the below registry keys (navigate through the registry). Make sure you only look for and delete the exact keys listed below.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe

    After deleting these keys the desktop and explorer.exe may reappear if this is your particular problem. There are many forms of problems with explorer.exe not loading at startup. You may need to reboot after doing this. Let me know the results.

    Have HJT fix the below lines and then post a new HJT log:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
     
    Last edited: Aug 29, 2005
  3. toclark2

    toclark2 Private E-2

    Here is the new HJT log
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please provide answers to all my questions and feedback on the results and where things stand as requested.

    I also still see:
    O4 - HKLM\..\Run: [P2P Networking2] C:\WINDOWS\System32\P2P Networking\P2P Networking2.exe /AUTOSTART
     
  5. toclark2

    toclark2 Private E-2

    AVG Selected

    HJT uninstalled...reinstalled at C:\Program Files\HJT\HijackThis.exe

    Removed all P2P and ViewMgr references in HJT.

    Yes - it is a Canon digital photography software utility file.

    Also removed MS-PhotoDraw lines with HJT.

    Neither .exe file nor anything similar was present in the specified registry location.

    HJT fixed the specified lines in the primary response for help.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ok! So it still looks like explorer.exe is not loading at startup.

    Does c:\windows\explorer.exe exist?

    If you run it from Task Manager's File, New Task (Run...) option, does it run and bring back your Desktop?

    Do you have a c:\windows\i386 or a c:\i386 folder?
     
  7. toclark2

    toclark2 Private E-2

    Yes, I have an explorer.exe

    When I have taskmgr run it - it disappears, I see the cpu take a hit in % used, but then nothing happens.

    No, I have neither folder.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have your original Windows XP cd? If so look on it. There should be an i386 folder on it. In this folder there should be an explorer.ex_ (yes it ends with an underscore. It is a compressed file.)

    See if you can find this file.

    Also see if you can open a command prompt from Task Manager by entering cmd into New Task (Run...)

    Let me know.
     
  9. toclark2

    toclark2 Private E-2

    Found it...folder i386

    Yes I can get the DOS prompt using cmd thru taskmgr
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where did you find i386? On the CD I assume?

    What is the drive letter of your CD drive? I assumed drive D in the steps below.

    In the command prompt Window enter the below commands each followed by the enter key:
    cd c:\Windows
    copy explorer.exe explorer.old
    expand D:\i386\explorer.ex_ explorer.exe

    If you get a message about overwriting an existing file just say OK.

    explorer <---- hopefully this causes your Desktop and icons to come back.


    Let me know.
     
  11. toclark2

    toclark2 Private E-2

    Correct

    No message

    I expanded the file; it seemed to be happy, no error messages. I rebooted and there is nothing changed...I went back to C:\windows to see if the \i386 was there and it's not.

    I might have mis-understood this line. Is this a cmd to execute the explorer while I was at c:\windows location?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There was not supposed to be an i386 folder in c:\windows
    All we did was get a new copy of explorer.exe from your CD into the c:\windows folder.

    Yes that last line was a command to startup explorer. All you need to enter is explorer the .exe extension is not necessary.

    But if you still have a problem after rebooting, running the explorer command would not have helped anyway (at least I doubt it).

    Does the same problem exist in safe mode?

    Do you have other user accounts on this PC? If so, does it happen on those accounts too?

    Check this link out: Taskbar Is Missing When You Log On to Windows
     
  13. toclark2

    toclark2 Private E-2

    I am working my way thru the MS-Clean boot process.

    I have determined that it functioned properly after booting in safe-mode and wiping the msconfig general tabs out...proc sys.ini.

    However, after rechecking the proc win.ini it's stuck on the WinXP Pro loading screen going on 10 mins...I'm trying to make sure it has all the time it needs.

    So whatever the problem its in there...not through reading carefully to see whether MS will take me to the next steps...
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean, after you used Selective Startup and unselected the options for the below:
    Process System.ini File
    Process Win.ini File
    Load Startup Items

    that it booted up OK? What did you do with System Services at this point where it booted okay? And by saying " functioned properly" did you mean your Desktop and icons showed up and thus explorer.exe was running?

    And then you went back and rebooted but this time allowed Win.ini to load and now it will not boot????

    Post as attachments, copies of your win.ini and system.ini files (they are in your c:\windows folder).

    I'm starting to wonder if any of your problems are due to the way this PC got WinXP on it. It looks like you upgraded the PC to WinXP from an older OS. Is that true? This is not always a very graceful thing to do.
     
  15. toclark2

    toclark2 Private E-2

    Yes, I completed the MS-Clean Boot process. The desktop returned after the 1st clean boot and remained through the re-enabling of services one at a time, until I got to start-up and then the desktop disappeared again.

    So went to start-up and I found four files that looked bogus and so I disabled them and rebooted. No luck, still no desktop.
    - Point manager.exe -s
    - msmsgs.exe (MS IM annoying)
    - P2P Networking.exe /autostart
    - P2P Networking2.exe /autostart

    I sent the last note prior to the WIN_XP loading. After each service was enabled the WIN_XP load took 30 mins to complete. I believed WIN_XP to be hung in my last memo, but that was not the case. It loaded after an extremely long time and the desktop was visible. Until I got to the start-up service.

    If I remember I did upgrade to WIN_XP from WIN_2K...

    The upload feature won't let me add a .ini file do you still needed them?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you just let Win.ini, System.Ini and all services run (no Startups), does your Desktop work properly?

    Point Manager could be this: http://securityresponse.symantec.com/avcenter/venc/data/pf/adware.topsearch.html

    You should look for an uninstall in Add/Remove programs and also see what the above link says about removing this.

    If you look back at earlier messages you will see I had you uninstall the P2P Networking stuff and fix lines with HJT. I'm not sure why they would still be showing in Startup since we already removed them.

    You did not post your win.ini and system.ini files as requested.

    Also do the below:

    Generate a StartupList log using HijackThis.
    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the Do you want to continue prompt. Now a Notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.
     
  17. toclark2

    toclark2 Private E-2

    I just rebooted after disabling the start-ups service...still no desktop...I have not gone back and repeated the disable everything and then work forward again as that will (by example last night) take several hours...
    I'm not sure how to evade the geeks site file extension filter. When I attempt to upload the ini's it gets rejected as invalid extension.
    There is no reference in add/remove program to point manager.exe

    I did previously remove the P2P using the HJT app by clicking on the boxes and 'fix'...this is the first I've seen of the P2P since.

    Just to confirm (to answer the obvious question: am I running any P2P apps? no), the only apps I'm running are MS-Office, geek-specified tools/utils & Internet Explorer...so even though I had a P2P solution installed, I've removed it in the preliminary stages of the fix process.

    Startlist log attached.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can make copies of the files in another folder and rename them to have a .txt file extension or you could put both of them into a ZIP file and upload the zip file.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just leave all Startups disabled and all Services disabled. Do you get a Desktop now?

    If not, add to that by disabling System.ini. Do you get a Desktop now?
     
  20. toclark2

    toclark2 Private E-2

    Disabled All - Desktop = Yes (no net)
    Sys.ini - Desktop = Yes (no net)
    Sys + Win.ini - Desktop = Yes (no net)
    Sys + Win.ini + Sys.srv - Desktop = No (connected)
    All enabled - Desktop = No (connected)

    How do I connect manually to the net?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    With your system set to load all, run the below tools and post their logs:


    Download RunKeys and unzip it to your desktop. Then doubleclick to run it. It will generate a text file. Attach the text file to your next message.

    Now download SilentRunners and save it to your desktop. Doubleclick it to run it. You may have to disable script blocking if your antivirus interferes. It will create a text file on your desktop. Also attach this text file into your next message.

    Download GetService.zip from here: Getservice.zip

    Extract the file to a folder where you can find it, then go to the folder and double-click on the getservices.bat file. Notepad will open up. Please post the contents of that Notepad file as an attachment too. Call it service.txt.
     
  22. toclark2

    toclark2 Private E-2

    RunSilent log
    GetServices log
     

    Attached Files:

  23. toclark2

    toclark2 Private E-2

    Startup Program log attached
     

    Attached Files:

  24. toclark2

    toclark2 Private E-2

    MISTAKE...I reread your note and I did not follow the part about resetting all to enabled...sorry
     
  25. toclark2

    toclark2 Private E-2

    K...here are the logs with all services enabled.
     

    Attached Files:

  26. toclark2

    toclark2 Private E-2

    Part II
     
  27. toclark2

    toclark2 Private E-2

    Part IIa (picky uploader)
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Still looks to me like msconfig is limiting something! I see the below in the logs:


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

    This means msconfig is still running and restricting something.

    Let's try this!

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixSU.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixSU.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes
    I'm also seeing the below which was not here before.
    "nod32kui" = "C:\Program Files\Eset\nod32kui.exe /WAITSERVICE" [file not found]

    Did you for some reason install NOD Antivirus?? Why? You already had an AV installed and you must use only one. If you installed this, uninstall it.

    I also still see these:
    "P2P Networking2" = "C:\WINDOWS\System32\P2P Networking\P2P Networking2.exe /AUTOSTART" [file not found]
    "P2P Networking" = "C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART" [file not found]
    "AltnetPointsManager" = "c:\program files\altnet\points manager\points manager.exe -s" [file not found]

    Let's fix these too:

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixAuto.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixAuto.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes
    Now look for the below with Windows Explorer and delete them if found:
    C:\WINDOWS\System32\P2P Networking <-- the whole folder
    c:\program files\altnet\points manager <-- the whole folder


    Now reboot. And then rerun the three tools.
     
    Last edited: Aug 31, 2005
  29. toclark2

    toclark2 Private E-2

    Both reg edits successfully entered

    No, I didn't 'just' install it; it was a trial virus scanner I ran a long time ago...didn't occur to me when I uninstalled the duplicate virus scanner. I just uninstalled it.

    These are clearly part of the issue...I know I've killed these before...

    There are no such folders...however there are a couple of files which are fishy in system32.
    -p2p.dll
    -p2pgasvc.dll
    -p2pGraph.dll
    -p2pnetsh.dll
    -p2psvc.dll

    Funny I located find.exe in the system32 folder and it just flashed on screen and terminated...? Not sure how else to search for the p2p folders if they're not in a top level windows sub-directory...

    Rebooting will post when done in a few...
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay if there is no uninstall for NOD we need to do another registry patch:

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixNOD.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixNOD.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes


    And look for the below folder and delete it if found:
    C:\Program Files\Eset
     
  31. toclark2

    toclark2 Private E-2

    Latest logs...it appears our friends p2p are back...there must be a folder somewhere on my system...
     

    Attached Files:

  32. toclark2

    toclark2 Private E-2

    There's an odd occurence happening when I try to upload the getservice file...

    When I attempt to upload it the Geek app tells me it's already been uploaded and rejects the upload attempt. So what's funny is that I have renamed and resaved it three times, and each time it says it's already been uploaded to the site.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Probably because the contents are exactly the same and it is checking the file by a CRC or similar method.

    Is your System Restore disabled? Double check!
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not see any P2P stuff. What are you referring to?

    It's strange that the below show up! Normally the minus sign causes the keys to be deleted.

    "MSConfig"="-"
    "nod32kui"="-"

    Try the below again. Make sure you copy this one because I changed some spacing in the text
     
  35. toclark2

    toclark2 Private E-2

    The procedure entry point RemoteAssistancePrepareSystemRestore could not be located in the dynamic link library WINSTA.dll
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    For the System Restore message, see: http://support.microsoft.com/?kbid=832323

    Did you do what I requested in my last message?

    Please answer my question about the P2P stuff?
     
  37. toclark2

    toclark2 Private E-2

    Okay, thanks for the sys restore fix link.
    Yes, I edited the registry copying and pasting exactly how you posted it. The registry editor indicated that the registry was successfully updated.

    p2p reference was related to my noticing p2p instances on an iteration of one of the log sequences (I dont remember which) that we've been running after editing the registry. I remember clearly thinking "they're still here"<insert:poltergeist scene/quote> ...and so incorrectly assumed they would still be there after running that last registry edit.

    Specifically, in between the 1:44 and 2:07 log uploads, I ran the process based on your 00:27 post and I saw the alleged p2p instances. Then I noticed your 1:47 update regarding eliminating the NOD32 lines. So rather than upload the logs I had just run, I reran the apps and generated fresh logs and posted them at 2:07.

    I'm not sure what happened to the p2p instances. I don't see them anymore either. It's possible that I had an earlier log still up on my screen (hard to believe with constant reboots) and saw something we had already fixed...
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We have eliminated some items from loading at startup. But for some reason the below two items:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig" = "-"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nod32kui" = "-"

    Just will not go away completely (like the P2P stuff did when we used the same patch). This is not a major concern right now since as the keys appear, they are doing nothing.

    So the question now remains: what mode are you in right now? I assume the mode is that no msconfig is being used and that ALL items are being loaded. But what is the Desktop status? If there is no Desktop, we need to try to identify what Service is causing the Desktop issue because the Desktop problem appeared only when you allowed all services.
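Two points in this thread come down to the same piece of registry syntax: the Image File Execution Options keys that post #2 asks to be deleted (an IFEO subkey named after a program can carry a Debugger value, and Windows then launches that "debugger" instead of the program every time it is started, which is one way an explorer.exe entry there leaves the desktop blank), and the patch lines in posts #34 and #38 that would not go away. In a .reg file `[-HKEY\...]` deletes a key and `"Name"=-` deletes a value, but `"Name"="-"` (dash inside quotes) stores the literal string "-" and deletes nothing, which matches what the logs kept showing. The Python below is an added example, not code from the thread or from any tool named in it: it parses .reg text with those three forms and flags IFEO Debugger entries. The sample registry text is constructed for the example, and the debugger path in it is a placeholder name, not a file from the poster's logs.

```python
"""Parse .reg text and flag Image File Execution Options (IFEO) hijacks.

Added example for this thread (not from any tool mentioned in it). Shows:
  * an IFEO subkey named after a program (explorer.exe here) carrying a
    Debugger value: Windows starts that "debugger" instead of the program;
  * the three dash forms in a .reg patch:
        [-HKEY\...]    deletes the whole key
        "Name"=-       deletes the value named Name
        "Name"="-"     stores the literal string "-" and deletes nothing
"""
import re
from typing import List, NamedTuple, Optional

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a regedit export; the debugger path is a placeholder
# name made up for this example, not a file from the poster's logs.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\System32\\placeholder_hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="-"
"nod32kui"=-
'''

# Constructed fix patch: the leading dash inside the brackets removes the key.
SAMPLE_PATCH = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
'''


class RegOp(NamedTuple):
    action: str           # "set", "delete_value" or "delete_key"
    key: str              # full key path as written in the file
    name: Optional[str]   # value name ("@" = default value); None for key ops
    data: Optional[str]   # decoded REG_SZ text, or raw text for dword:/hex:


_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """.reg string data escapes backslash and double quote with a backslash."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text: str) -> List[RegOp]:
    """Turn .reg text into a flat list of operations, in file order."""
    ops: List[RegOp] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):          # [-KEY] form: delete the key
                ops.append(RegOp("delete_key", body[1:], None, None))
                key = None
            else:
                key = body
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        rhs = m.group(3).strip()
        if rhs == "-":                        # "Name"=- : delete the value
            ops.append(RegOp("delete_value", key, name, None))
        elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            ops.append(RegOp("set", key, name, _unescape(rhs[1:-1])))
        else:                                 # dword:, hex:, ... kept verbatim
            ops.append(RegOp("set", key, name, rhs))
    return ops


def find_ifeo_debuggers(ops: List[RegOp]) -> List[tuple]:
    """(image name, debugger command) for every IFEO subkey that sets Debugger."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for op in ops:
        if (op.action == "set" and op.name and op.name.lower() == "debugger"
                and op.key.lower().startswith(prefix)):
            hits.append((op.key[len(prefix):], op.data))
    return hits


def describe(op: RegOp) -> str:
    """One line per operation; warns when a quoted dash was written by mistake."""
    if op.action == "delete_key":
        return f"delete key   {op.key}"
    if op.action == "delete_value":
        return f"delete value {op.name!r} under {op.key}"
    note = "   <-- quoted dash stores the string '-' and deletes nothing" if op.data == "-" else ""
    return f"set value    {op.name!r} = {op.data!r} under {op.key}{note}"


if __name__ == "__main__":
    export_ops = parse_reg(SAMPLE_EXPORT)
    for image, dbg in find_ifeo_debuggers(export_ops):
        print(f"IFEO hijack: launching {image} actually runs {dbg}")
    for op in export_ops + parse_reg(SAMPLE_PATCH):
        print(describe(op))
```

On a live machine the same check is a matter of exporting the IFEO key with regedit (or `reg export`) and feeding the resulting file to `parse_reg`; a Debugger value under any subkey that is not a debugger you installed yourself deserves a look before the key is removed.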
     
  39. toclark2

    toclark2 Private E-2

    I retried editing the registry copying and pasting the { = "-"} only from the other lines that worked. My thinking was maybe a dash/minus keys were different somehow...no luck they're still in the start-up.

    Confirmed msconfig=normal mode all items are being loaded and no desktop.

    I just rebooted after disabling system restore (apologies...I thought it was off)

    Latest logs attached
     

    Attached Files:

  40. toclark2

    toclark2 Private E-2

    Part 2 will not upload getservice file...? sys restore is off and rebooted since...
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's not what you would want to do with regedit. What you would want to do is delete the
    MSConfig and nod32kui entries.

    Try using msconfig and just go to the Services tab and select Hide all Microsoft Services. Then select Disable All. This will disable all non-MS services. Let's see what effect this has.
     
  42. toclark2

    toclark2 Private E-2

    Last night reran some tools
    - CWShredder - removed CWS.msconfig
    - HSRemove - 8 items removed no log(?)..
    - Kill2Me - removed Look2Me infection
    - McAfee Stinger - all clean
    - AdAware - removed 15 garden variety MRUs

    1) Hid MS-Services, disabled all remaining.
    2) Rebooted Desktop returned.
    3) Uninstalled all non-MS services that were disabled.
    * StopZilla (pop-up blocker)
    * Ewido - Security Guard
    * AVG - Alert Mgr
    * AVG - Update Service
    * Sandra - Data Services
    * Sandra - Service
    4) Set msconfig to normal, rebooted Desktop returned.
    5) Logs run and attached.
     

    Attached Files:

  43. toclark2

    toclark2 Private E-2

    Start-Up Log.

    I only see one now, is the "-" gonna cause problems ??
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you notice all the bad stuff that is back?

    Post a new HJT log?

    What was that Sandra Service for? I wonder if it was a cause for explorer.exe not loading.

    On the other hand, I also wonder if the problem is that your explorer.exe file is actually infected and AVG may have been stopping it from loading. And now that AVG is gone, explorer will run but because it does run, the infections come back.

    You should connect to the below site and use the browse button to locate your explorer.exe file and have this site use a whole bunch of scanners to test your explorer.exe file. Let me know the results.

    http://www.virustotal.com/flash/virustotal_en.html
     
  45. toclark2

    toclark2 Private E-2

    <frown> No, but now I see them...P2P is back..$%^&*(!@#

    attached
    It was an app that I was experimenting with to help with tweaking performance out of this PC..256MB RAM...it's not missed.
    Will do.

    Also just installed ZoneAlarm Firewall, I was told once upon a time if you had a wireless hub that you didn't need a firewall...

    I also re-installed AVG I didn't want to be exposed if I could help it. rebooted with both AVG and ZoneA with desktop coming up.
     
  46. toclark2

    toclark2 Private E-2

    forgot attachment
     

    Attached Files:

  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Is System Restore still disabled? And have you run that scan yet? Also do the below:

    Click Search and the Select "All files and folders"
    Enter explorer in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    Let me know the fullpath to all matches that are found.


    By the way, a software firewall should always be used even if you have a router with a firewall.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: Do not run hsremove anymore (or about:buster if you are) you do not need them.

    Comments/questions (make sure you answer all questions):
    C:\Documents and Settings\Marisa\My Documents\My Webs\_private\aim.exe <--- Why do you have aim here? This is not a normal installation.
    C:\Program Files\Mozilla Firefox\firefox.exe <--- should not be running when using HJT
    C:\WINDOWS\system32\taskmgr.exe <--- should not be running when using HJT. At least not now since your Desktop is ok.


    I thought you said you uninstalled Stopzilla???

    Do you have other user accounts on this PC?
    Have you been using them?

    Goto Add/Remove programs and uninstall if found:
    P2P Networking
    P2P Networking2
    P2P Networking3
    zangoclient or Zango or 180Solutions or N-Case
    SearchUpgrader


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKLM\..\Run: [nod32kui] -
    O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
    O4 - HKLM\..\Run: [mdU2KW6e] C:\WINDOWS\wmyps.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [P2P Networking2] C:\WINDOWS\System32\P2P Networking\P2P Networking2.exe /AUTOSTART
    O4 - HKLM\..\Run: [P2P Networking3] C:\WINDOWS\System32\P2P Networking\P2P Networking3.exe /AUTOSTART
    O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
    O4 - HKLM\..\Run: [zanu] c:\program files\zangoclient\zanu.exe

    Is the below line valid?
    O4 - HKCU\..\Run: [Spanish] C:\Documents and Settings\Marisa\Learn To Speak Japanese Demo V2.9\Study Conversation.exe


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\wmyps.exe
    C:\WINDOWS\System32\P2P Networking <--- the whole folder
    C:\Program Files\Common files\SearchUpgrader <--- the whole folder
    c:\program files\zangoclient <--- the whole folder

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings ( Make sure you use www.majorgeeks.com for now while we are working your problems):
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  49. toclark2

    toclark2 Private E-2

    Confirmed Disabled

    I have 4 accounts on this system. Cameron, Marisa, ToddJune and Quantum. The search turned up around 40-50 lines. I tried to screen capture the search window to paste to a doc and upload, but its 200kb and your site rejected it for being greater than 97kb.

    explorer.exe VirusTotal scan results attached.
     

    Attached Files:

  50. toclark2

    toclark2 Private E-2

    I screwed this up...

    I apologize for not making this any easier on you. I really do appreciate your time on this.

    I was in a hurry-head state (too much going on) and used HJT to pick off the obvious P2P, Zango...stuff. Only then did I get down to your express instructions to do this after killing any browsers.... So I rebooted from there.

    I'm starting again from the top of the page...just in case...I have taken a HJT snapshot of where I am now as a reference point.
     

    Attached Files:

