winsync / kavsvc

Are you sure you ran all steps in the READ ME FIRST including the BitDefender and RavAntivirus online scans in safe mode?

 

After running ALL steps in the READ ME FIRST, do the below.

Download RKFiles Tool and extract the files from it into its own folder named - C:\Program Files\RKTOOL.

Then, Please boot to SAFE MODE and navigate into the above folder and doubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt .

Now reboot in normal mode and post the C:\Log.txt file and then also do the below steps exactly.

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Your Windows OS and IE versions are way out of date and represent a major security risk. You must get updated after we fix your current problems.

If you do not use Viewpoint Manager (unrequested stuff from AOL that most people do not use) uninstall it via Add/Remove programs.



If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\rbrlna.exe


After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\rbrlna.exe reg_run
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)


After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\System32\rbrlna.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.


Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Thanks PP! Yes I know they are related and that RKFiles does not locate the problem files. I had a couple of these and just like KavSvc problems, some went away easily with no special steps and some did not.

Still looks like finding the file in C:\Documents and Settings\All Users\Start Menu\Programs\Startup can be the key but they do not always show up at first.

I have also been finding some baddies right in c:\Program Files and it looks like you did too.

 

Post as an attachment the log from Panda. It can be useful for these problems. Also make sure you complete the steps in my previous post and attach the followup HJT log.

If you are still having problems at this point, complete the below steps too.

Download Autoruns and extract it to its own folder. Then locate the autoruns.exe file and double click on it. It will immediately do a scan which can take a minute or so. But I want to configure some options first to eliminate some know good items from Microsoft. Otherwise the log can be too long.

So when it opens, first make sure the Everything tab is selected and then click on Options and make sure the below two items are checked:
Verify Code Signatures
Hide Signed Microsoft Entries

Then hit your F5 key or click the Refresh button which is right under the Entry menu selection. Give it a minute or so (watch the bottom of the Window - it will tell when it is Ready which means done scanning). Then click File and Save As and save the autoruns.txt file. Then upload it here as an attachment.

 

Before running Panda again, please do the below.

You must disable SpybotSD TeaTimer or it could cause us problems.
To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
Now quit Spybot!

Run Ccleaner again and make sure that under the System check box that Temporary Files is checked (in fact all boxes here should be checked). Then run the cleaner.

Then try finding the below files and delete them (from safe mode if necessary):

C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\LastGood\ceres.dll
C:\WINDOWS\SYSTEM32\akayu.dat
C:\WINDOWS\SYSTEM32\datadx.dll
C:\WINDOWS\SYSTEM32\ghgwsfd.dll.tmp
C:\WINDOWS\SYSTEM32\InstallerV3.exe
C:\WINDOWS\SYSTEM32\nsa183.dll
C:\WINDOWS\SYSTEM32\supdate.dll

Also look for an delete the file you mentioned previously. Look for it here:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kikc.exe

Then run Panda and post the new log.

 

We do not use Task Manager for things like this for a reason. Basically it is simple, not very useful.

See my previous message and complete those steps which includes a new Panda scan.


Did you find:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kikc.exe

 

Post a new HJT log with it and do not fix anything or stop any of the processes.

 

Try doing the below:

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixreg.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixreg.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes

Now find and delete the below files (from safe mode if necessary):
C:\WINDOWS\System32\ghgwsfd.dll
C:\WINDOWS\System32\nanka.dll
C:\WINDOWS\System32\datadx.dll
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\WINDOWS\SYSTEM32\datadx.dll
C:\WINDOWS\SYSTEM32\ghgwsfd.dll
C:\WINDOWS\SYSTEM32\nanka.dll
nmnqacb.exe <--- whereever you found it delete it.

Let me know if you cannot find any of these files.

Then get a new Panda Scan and a new HJT log and post them. Let me know how things are working.

 

You seem to be getting this IEBAR back again even though we fix it. You may have something else hidden on your PC.

Find and delete: C:\WINDOWS\abiuninst.htm
Also look for c:\windows\system32\IEBAR.DLL or c:\windows\IEBAR.DLL and delete if found.

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixreg2.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixreg2.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes

At this point, your log is clean and we need to get you updated and better protected. You need to run ALL the steps in the below but let's start by first running step 1 to get your Windows OS updated and then run step 3 to get a firewall installed. These are critical steps to keeping your system safe.

How to Protect yourself from malware!

 

You're welcome.

Panda is a good program. Personally I would use it over Norton.

However just a word of caution, every program can find things others may miss. Some of the items being detected can often be trivial non-issues (just left overs that really have no impact). In fact if you now ran Ewido or MicroWorld scans and maybe a SpySweeper scan, chances are you would find even more things.