1. castamayor

    castamayor Private E-2

    I would appreciate any help I can get with this.

I'm having a problem with getting taken to the winfixer2005 page and other random pages. I also notice that the automatic updates on Microsoft AntiSpyware are always turned off, even though I turn them on. I've scanned with the Microsoft product (the product Microsoft bought from Giant Software) and with the free version of Spy Sweeper. I've also used the online Panda software scan. I've scanned for viruses with F-Prot. Nothing is found, except some cookies. I delete the cookies and after a while, the same thing occurs.

    Is it possible to pick up a cookie when browsing that hijacks the browser until the cookie is deleted?

    I looked at the hijackthis log and didn't notice anything. I used the automatic parser online and read the FAQ - all seems ok.

    I'd like to find the people who put out winfixer and punch them in the face.

    Thanks.
     
  2. castamayor

    castamayor Private E-2

Just a follow-up - I see pscr.dll and can't find a use for it. I also can't delete it, even in safe mode. It's viewable in Windows, but in DOS safe mode, it becomes hidden. I changed the attribute to -h but still could not delete it because it was in use. Could this be the problem?

    Thanks
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I doubt it. Automatic parsers are far from perfect. We can get this fixed up for you, but first some standard cleaning to make sure no other problems are hiding in your PC.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. castamayor

    castamayor Private E-2

    Thanks.

Nothing found until I ran the Trend Micro scanner in safe mode. It found the Vundo trojan.

    After removing it, I see that the Microsoft AntiSpyware update function is still disabled, and now F-Prot isn't updating, although that could just be a glitch on the F-Prot server. The pscr.dll is still there.

I've attached the logfile from HijackThis.
     

    Attached Files:

  5. castamayor

    castamayor Private E-2

    Winfixer still pops up.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
• You will first be presented with a warning and a list of forums to seek help at. It should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINNT\ServicePackFiles\i386\pscr.dll
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINNT\ServicePackFiles\i386\rcsp.*
    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
• In HijackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\ServicePackFiles\i386\pscr.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: pscr - C:\WINNT\ServicePackFiles\i386\pscr.dll


• After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
• Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • Once your machine reboots please attach a new HJT log from normal mode.
     
    Last edited: Sep 15, 2005
  7. castamayor

    castamayor Private E-2

    Thanks chaslang.

    The log is posted.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay! The Virtumundo problem is gone. I assume you are not having any more popups?

    Do you know what the below is for:

    O23 - Service: Parcipsx - Unknown owner - (no file)
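The HijackThis entries quoted in the two posts above share a few traits that can be checked mechanically: a binary that is not on disk ("(file missing)", "(no file)"), a service with no owner string, a Winlogon Notify DLL living outside system32, and one DLL (pscr.dll) registered in two different autostart locations. The following Python script is an added example, not part of the thread or of HijackThis itself; it parses the quoted lines plus one constructed benign service line and reports which entries trip those heuristics. The section/kind/path layout it assumes is the one visible in the quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample log: the HijackThis entries quoted in the thread, plus one
# made-up benign service line (Example Corp) that the triage should leave alone.
SAMPLE_HJT_LINES = [
    "O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\\WINNT\\ServicePackFiles\\i386\\pscr.dll",
    "O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)",
    "O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)",
    "O20 - Winlogon Notify: pscr - C:\\WINNT\\ServicePackFiles\\i386\\pscr.dll",
    "O23 - Service: Parcipsx - Unknown owner - (no file)",
    "O23 - Service: Example Service - Example Corp - C:\\WINNT\\system32\\example.exe",
]

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
MISSING_MARKERS = ("(file missing)", "(no file)")


def parse_hjt_line(line):
    """Split one HijackThis line into section, kind, name, optional CLSID, owner and path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    parts = [p.strip() for p in rest.split(" - ")]
    clsid = next((p for p in parts if CLSID_RE.match(p)), None)
    return {
        "section": section,
        "kind": kind,
        "name": parts[0],
        "clsid": clsid,
        # O23 lines carry "name - owner - path"; other sections have no owner field
        "owner": parts[1] if section == "O23" and len(parts) >= 3 else None,
        "path": parts[-1] if len(parts) > 1 else "",
        "raw": line.strip(),
    }


def triage(lines):
    """Return {raw_line: [reasons]} for every entry that trips a heuristic."""
    entries = [e for e in (parse_hjt_line(l) for l in lines) if e]
    # Which autostart sections reference the same binary (case-insensitive path)?
    by_path = defaultdict(set)
    for e in entries:
        if e["path"] and not e["path"].startswith("("):
            by_path[e["path"].lower()].add(e["section"])
    flagged = {}
    for e in entries:
        reasons = []
        if any(mk in e["path"] for mk in MISSING_MARKERS):
            reasons.append("autostart entry points at a file that is not on disk")
        if e["owner"] == "Unknown owner":
            reasons.append("service has no vendor/owner string")
        if e["section"] == "O20" and "\\system32\\" not in e["path"].lower():
            reasons.append("Winlogon Notify DLL outside %SystemRoot%\\system32")
        sections = by_path.get(e["path"].lower(), set())
        if len(sections) > 1:
            reasons.append("same binary registered in several autostart locations: "
                           + ", ".join(sorted(sections)))
        if reasons:
            flagged[e["raw"]] = reasons
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_HJT_LINES).items():
        print(raw)
        for r in reasons:
            print("    -", r)
```

The cross-reference by path is the most useful of the four checks: on its own the O2 BHO line looks like any other browser helper, but seeing the same DLL also hooked as a Winlogon Notify package is what makes the pair stand out.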
     
  9. castamayor

    castamayor Private E-2

I don't. Should I use HijackThis to remove it?

I do notice that the Microsoft AntiSpyware still is not set to update automatically, even though I placed that setting back in. I scanned with it but found nothing.

    I haven't surfed enough to get a sense of popups, but I'll do so now.
     
  10. castamayor

    castamayor Private E-2

    No more popups.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if HJT can fix! It may not be able to do so if the service is really running.

Are you saying you disabled autoupdates for MS AS and it keeps re-enabling them?
     
  12. castamayor

    castamayor Private E-2

Just the opposite. I enable updates for MS AS and something disables them.

    I'll try HJT and post back.

     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

If you double-click on the MS AS tray icon and do Help, About, do you see the same as below for version and definitions?

    Microsoft AntiSpyware Version: 1.0.615
    Spyware Definition Version: 5755 (9/15/2005 10:49:58 PM)
     
  14. castamayor

    castamayor Private E-2

    I see:

    Microsoft AntiSpyware Version: 1.0.615
    This version expires on: 12/31/2005
    Spyware Definition Version: 5757

    But I updated it manually.
     
  15. castamayor

    castamayor Private E-2

    HJT doesn't remove it. I can't find that service running in the services window. Nor can I find any service running that I think could be associated with it. Tonight, I'll do an online scan in safe mode.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure why MS AS keeps disabling autoupdates. Are you sure when you enable them, they are actually getting enabled?


    Download GetService.zip from here: Getservice.zip

    Extract the file to a folder where you can find it, then go to the folder and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad file as an attachment too. Call it service.txt.
     
  17. castamayor

    castamayor Private E-2

    I think it's saving the setting. It reports that it does.

    Here is the attached file. Thanks again for your help with this.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's just try the below:

Run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Parcipsx

    Now exit HJT and reboot if it asks you to do so. Then look at a new HJT log and see if that entry is gone.
     
  19. castamayor

    castamayor Private E-2

    I tried this in normal mode and in safe mode and it couldn't be deleted either way because it is in use.

I thought perhaps that I could take the drive out and hook it up to one of my USB adaptors and place the drive on another machine as a USB device and delete the file that way. I did a search however and could not find Parcipsx*.* on the machine, even when I set the settings to show all hidden and OS files.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The file name does not necessarily have to be anything like the Service name. And it could even be getting started via another process. The key is to figure out what & where. I have no info on this service.

    If you know how to use regedit (or similar), look up the below registry keys and see if you can locate the service and any info on how it is starting:

    Services that start when your computer starts:
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    Services that start with the svchost:
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Svchost]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Svchost]

    If you do not know how to use regedit, just let me know.

    Also do the below:

    Download the Registry Search Tool from here:

    http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    Parcipsx

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and post in this thread.
     
  21. castamayor

    castamayor Private E-2

I searched the registry and couldn't find anything named RunServices. I don't have the other paths, but do have [HKEY_CURRENT_USER\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Svchost]. Under that I have BITSGroup, DComLaunch, HTTPFilter, LocalService, netsvcs, PCHealth, and termsvcs.

    Here is the paste from the program:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "Parcipsx" 09/17/2005 10:29:40 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Parcipsx]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Parcipsx\Security]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Parcipsx]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Parcipsx\Security]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Parcipsx]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Parcipsx\Security]

    [HKEY_USERS\S-1-5-21-1606980848-2111687655-1801674531-500\Software\Microsoft\Internet Explorer\TypedURLs]
    "url8"="http://auto.search.msn.com/response.asp?MT=Parcipsx+service&srch=5&prov=gogl&utf8"

    [HKEY_USERS\S-1-5-21-1606980848-2111687655-1801674531-500\Software\Microsoft\Search Assistant\ACMru\5603]
    "000"="Parcipsx"

    [HKEY_USERS\S-1-5-21-1606980848-2111687655-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
    "c"="C:\\Documents and Settings\\Administrator.JK-1\\Desktop\\Parcipsx.txt"

    [HKEY_USERS\S-1-5-21-1606980848-2111687655-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
    "b"="C:\\Documents and Settings\\Administrator.JK-1\\Desktop\\Parcipsx.txt"
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, we are going to do a registry patch to try to remove this, but first I would like to have you back up your registry to be safe.

    Please download and install Erunt. Use it to create a backup of your registry. Then continue with the below.

    First a question, did you save the output from regsrch to Parcipsx.txt on your Desktop as shown in the below two lines?

    [HKEY_USERS\S-1-5-21-1606980848-2111687655-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
    "c"="C:\\Documents and Settings\\Administrator.JK-1\\Desktop\\Parcipsx.txt"

    [HKEY_USERS\S-1-5-21-1606980848-2111687655-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
    "b"="C:\\Documents and Settings\\Administrator.JK-1\\Desktop\\Parcipsx.txt"

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixit.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixit.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.
    Then reboot into safe mode and run the below steps with HJT again (with no browsers running):

Run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Parcipsx

    Now exit HJT and reboot (in normal mode). Then look at a new HJT log and see if that entry is gone.
     
  23. castamayor

    castamayor Private E-2

    Yes I did save the output from regsrch to Parcipsx.txt to the Desktop.

    I'll do this later today when I get home. Thanks again for helping me out.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You're welcome! I'll be waiting for the results.
     
  25. castamayor

    castamayor Private E-2

    Everything went ok until I tried to delete the NT service. It was still running.

No browsers were running.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Sorry about this, but I neglected to put a minus sign at the beginning of each registry key to indicate that it is to be deleted. I also want to change the order of the strings, so I'm rewriting the directions here to avoid any confusion (notice the difference with the minus sign):

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixit.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixit.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.
    Then reboot into safe mode and run the below steps with HJT again (with no browsers running):

Run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Parcipsx

    Now exit HJT and reboot (in normal mode). Then look at a new HJT log and see if that entry is gone.
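The quote box with the actual fixit.reg is not reproduced in this thread, but the two posts above explain everything needed to build one: the RegSrch output lists every key that mentions the service, the hits under TypedURLs, ACMru and OpenSaveMRU are just traces of the user's own searching and saving (which is what the earlier question about Parcipsx.txt was checking), and a .reg file deletes a key when its name is prefixed with a minus sign inside the brackets. The Python script below is an added example, not the fix file chaslang posted; it parses a constructed copy of the pasted RegSrch output, separates the service's own keys from the user-activity noise, and emits a REGEDIT4 deletion file for the service keys only, subkeys listed before their parents. The service name and key paths are the ones shown in the thread.

```python
import re

# Constructed sample: the RegSrch.vbs output pasted in the thread, trimmed to a
# representative subset of hits (SID and paths are the ones shown in the post).
SAMPLE_REGSRCH_OUTPUT = """REGEDIT4
; Registry search results for string "Parcipsx" 09/17/2005 10:29:40 PM

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Parcipsx]

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Parcipsx\\Security]

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Parcipsx]

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Parcipsx\\Security]

[HKEY_USERS\\S-1-5-21-1606980848-2111687655-1801674531-500\\Software\\Microsoft\\Internet Explorer\\TypedURLs]
"url8"="http://auto.search.msn.com/response.asp?MT=Parcipsx+service&srch=5&prov=gogl&utf8"

[HKEY_USERS\\S-1-5-21-1606980848-2111687655-1801674531-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\txt]
"b"="C:\\\\Documents and Settings\\\\Administrator.JK-1\\\\Desktop\\\\Parcipsx.txt"
"""

KEY_LINE_RE = re.compile(r"^\[([^\]]+)\]$")
# Key fragments that only record what the user typed, searched for or saved.
USER_ACTIVITY_MARKERS = ("\\typedurls", "\\acmru\\", "\\opensavemru\\")


def parse_reg_keys(text):
    """Return the key paths (without brackets) in the order they appear."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE_RE.match(line.strip())
        if m:
            keys.append(m.group(1))
    return keys


def service_key_pattern(service_name):
    """Match the service's own key, and any subkey of it, under any control set."""
    return re.compile(
        r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\"
        + re.escape(service_name) + r"(?:\\|$)",
        re.IGNORECASE,
    )


def classify_hits(text, service_name):
    """Split search hits into the service definition itself, traces of the user's
    own activity (typed URLs, search MRU, open/save MRU), and anything else."""
    svc_re = service_key_pattern(service_name)
    hits = {"service": [], "user_activity": [], "other": []}
    for key in parse_reg_keys(text):
        if svc_re.match(key):
            hits["service"].append(key)
        elif any(mk in key.lower() for mk in USER_ACTIVITY_MARKERS):
            hits["user_activity"].append(key)
        else:
            hits["other"].append(key)
    return hits


def build_delete_reg(keys):
    """Emit a REGEDIT4 file that deletes each key. A leading '-' inside the
    brackets marks the key for deletion; because a child path sorts after its
    parent, reversing the sorted order lists subkeys before their parents."""
    ordered = sorted(keys, key=str.lower, reverse=True)
    lines = ["REGEDIT4", ""] + ["[-%s]" % k for k in ordered]
    # Regedit expects Windows line endings when the file is saved from Notepad.
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    hits = classify_hits(SAMPLE_REGSRCH_OUTPUT, "Parcipsx")
    print("user-activity hits ignored:", len(hits["user_activity"]))
    print(build_delete_reg(hits["service"]))
```

Keeping the user-activity keys out of the deletion file matters: deleting OpenSaveMRU or TypedURLs keys would not touch the service and would only destroy forensic context. Anything that lands in the "other" bucket should be looked at by hand before it goes anywhere near a .reg file.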
     
  27. castamayor

    castamayor Private E-2

It's gone. After I applied the reg file, I then tried to delete the NT service through HJT. It couldn't find Parcipsx in the registry. I rebooted, checked the log, and it was gone.

Thank you so much for this.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
