colin_m_elliott

Windows Error service and more

13 posts in this topic

Hi, I am living in Japan and have a friend here whose computer was almost unusable because of viruses, spyware etc. I ran Ad-Aware and Search & Destroy many times and found and fixed almost 200 problems! I also cleaned about 80 viruses out. The computer is starting to work properly but there are still a few problems. As this is a Japanese computer there are a few funny things.. no apostrophe that I can find, and in the log instead of the backslash for use in directories it uses the yen symbol etc. Here is the HijackThis log, thanks for your help! Oooh now that I have pasted it here, the backslash is back!!

 

Logfile of HijackThis v1.97.7

Scan saved at 15:43:37, on 2004/06/08

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\System32\winampa.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\WINDOWS\system32\inetsrv\services.exe

C:\WINDOWS\System32\wupdate.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\uemuratakuya\デスクトップ\HijackThis.exe

 

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NetLink] netlink32.exe

O4 - HKLM\..\Run: [Video Process] sysconf.exe

O4 - HKLM\..\Run: [Windows Login] winlog.exe

O4 - HKLM\..\Run: [WinDNS] windns32.exe

O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe

O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe

O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe

O4 - HKLM\..\Run: [Nt System Kernel] ntsyskrnl.exe

O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe

O4 - HKLM\..\Run: [ccStart] ccStart.exe

O4 - HKLM\..\Run: [winampa] winampa.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [wupdate] wupdate.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [lsass] c:\program files\my app\lsass.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\RunServices: [NetLink] netlink32.exe

O4 - HKLM\..\RunServices: [Video Process] sysconf.exe

O4 - HKLM\..\RunServices: [Windows Login] winlog.exe

O4 - HKLM\..\RunServices: [WinDNS] windns32.exe

O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe

O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe

O4 - HKLM\..\RunServices: [ccStart] ccStart.exe

O4 - HKLM\..\RunServices: [winampa] winampa.exe

O4 - HKLM\..\RunServices: [wupdate] wupdate.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Startup: NTUSER.DAT

O4 - Startup: NTUSER.DAT.LOG

O4 - Startup: ntuser.ini

O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//paxan/main.chm::/load.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38132.188599537

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D44B52B9-7D35-4278-ABAE-037A084A0CE5}: NameServer = 192.168.11.254


Hi,

Wow! ... what a mess! :whistle:

Note: print this out, as it's going to be rather long ... and you don't want to miss any steps if you want to save the machine. Your best shot is to whack this all at once.

 

sysconf.exe = WORM_AGOBOT.HW :alarm:

winlog.exe = W32/Agobot-LF :alarm:

windns32.exe = WORM_AGOBOT.WN :alarm:

ntsyskrnl.exe = WORM_AGOBOT.IK :alarm:

smssv.exe = W32/Agobot-ZY :alarm:

ccStart.exe = WORM_AGOBOT.PG :alarm:

wupdate.exe = WORM_SPYBOT.GEN :alarm:

netlink32.exe = WORM_AGOBOT.JW :alarm:

 

Take a few minutes and read all the above. As you can see, most if not all are caused by not patching the machine and not running a firewall, so the 1st step is to turn on the XP firewall.

http://www.microsoft.com/security/protect/firewall.asp

 

Most of the above worms disable your AV via a HOSTS file, so delete that.

 

First thing to do is ...

 

Reconfigure Windows Explorer to show Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

 

Click the "Apply to all Folders" button.

 

Next download the HOSTS file (see below)

 

Navigate to: C:\WINDOWS\SYSTEM32\DRIVERS\ETC (folder)

Right-click on "HOSTS" and select: Delete (note: there is no 3-letter extension)

Unzip the hosts.zip and place in the above folder.

 

Next: Start | Run (type) Services.msc

 

Scroll down to the WinTools for IE service

Highlight, right-click and select: Properties

Select "Service Status" option to "Stop"

Select: "Startup type" set it to "Disabled", click Apply, OK

Close the Services Editor.

 

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked".

 

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O4 - HKLM\..\Run: [NetLink] netlink32.exe

O4 - HKLM\..\Run: [Video Process] sysconf.exe

O4 - HKLM\..\Run: [Windows Login] winlog.exe

O4 - HKLM\..\Run: [WinDNS] windns32.exe

O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe

O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe

O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe

O4 - HKLM\..\Run: [Nt System Kernel] ntsyskrnl.exe

O4 - HKLM\..\Run: [Audoi Device Loader] smssv.exe

O4 - HKLM\..\Run: [ccStart] ccStart.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [wupdate] wupdate.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [lsass] c:\program files\my app\lsass.exe

O4 - HKLM\..\RunServices: [NetLink] netlink32.exe

O4 - HKLM\..\RunServices: [Video Process] sysconf.exe

O4 - HKLM\..\RunServices: [Windows Login] winlog.exe

O4 - HKLM\..\RunServices: [WinDNS] windns32.exe

O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe

O4 - HKLM\..\RunServices: [Audoi Device Loader] smssv.exe

O4 - HKLM\..\RunServices: [ccStart] ccStart.exe

O4 - HKLM\..\RunServices: [wupdate] wupdate.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Startup: NTUSER.DAT

O4 - Startup: NTUSER.DAT.LOG

O4 - Startup: ntuser.ini

O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//paxan/main.chm::/load.exe

 

Then reboot, on restart, restart in Safe Mode (see "How To" below)

 

Open Windows Explorer locate and delete the following:

 

C:\Program Files\TV Media <--this folder

C:\Program Files\Common files\WinTools <--this folder

C:\WINDOWS\system32\inetsrv\services.exe <--this file

C:\WINDOWS\System32\wupdate.exe <--this file

netlink32.exe <--this file

sysconf.exe <--this file

winlog.exe <--this file

windns32.exe <--this file

C:\WINDOWS\system32\drivers\csrss.exe <--this file

C:\WINDOWS\system32\wbem\svchost.exe <--this file

Note: do not delete > C:\WINDOWS\system32\svchost.exe

ntsyskrnl.exe <--this file

smssv.exe <--this file

ccStart.exe <--this file

wupdate.exe <--this file

c:\program files\my app\lsass.exe <--this file

Note: do not delete > C:\WINDOWS\system32\lsass.exe

 

Restart normally and see if you can get AVG to run.

 

Then visit Windows Update and install all the Critical Updates.

 

Reboot, run Ad-Aware and SpyBot, reboot and post a fresh log ...

 

That ought to keep you busy for a while! :D

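Added example (not part of the original posts, and not HijackThis code): a small triage script for the O4 autorun lines above, built on the distinction the reply draws between C:\WINDOWS\system32\lsass.exe and copies of the same file name in other folders. The expected-directory table and the verdict labels are assumptions of this example; the sample lines are copied from the first log in this thread.

```python
import ntpath
import re

# Assumption: a default C:\WINDOWS install, as in the log. These core XP
# processes load only from System32; the same name anywhere else is suspect.
SYSTEM32 = r"c:\windows\system32"
SYSTEM_IMAGES = {"lsass.exe", "svchost.exe", "services.exe",
                 "csrss.exe", "smss.exe", "winlogon.exe"}

# O4 - <hive>\..\<Run key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>.+?)\] (?P<cmd>.+)$")

# Lines copied from the first log in this thread.
SAMPLE = [
    r"O4 - HKLM\..\Run: [NetLink] netlink32.exe",
    r"O4 - HKLM\..\Run: [superBar.Component] C:\WINDOWS\system32\inetsrv\services.exe",
    r"O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe",
    r"O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe",
    r"O4 - HKLM\..\Run: [lsass] c:\program files\my app\lsass.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Startup: NTUSER.DAT",
]


def exe_path(cmd):
    # Separate the executable from its arguments; paths may contain spaces.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(line):
    # Returns (value name, executable, verdict), or None for non-registry lines.
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path = exe_path(m.group("cmd"))
    folder = ntpath.dirname(path).lower()
    image = ntpath.basename(path).lower()
    if not folder:
        # Bare file name: the log does not say which directory it loads from,
        # so the file has to be located (Start | Search) before judging it.
        verdict = "no-path"
    elif image in SYSTEM_IMAGES and folder != SYSTEM32:
        verdict = "masquerade"
    else:
        # Not cleared, only not caught by these two checks.
        verdict = "unflagged"
    return (m.group("name"), path, verdict)


def flagged(lines):
    results = (triage(line) for line in lines)
    return [r for r in results if r and r[2] != "unflagged"]


if __name__ == "__main__":
    for name, path, verdict in flagged(SAMPLE):
        print(f"{verdict:10} [{name}] {path}")
```
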

Okay, I did most of what you told me... I had already updated XP.. am just going to check again now. And will post a log soon. Thanks for all your help. Here are the problems:

 

O4 - Startup: NTUSER.DAT

O4 - Startup: NTUSER.DAT.LOG

 

I couldn't delete them.. it was unable to delete

 

netlink32.exe <--this file

sysconf.exe <--this file

winlog.exe <--this file

windns32.exe <--this file

 

I didn't delete these 4 files.. I wasn't sure what directory to delete them from and wanted to be sure before deleting them.

 

Thanks again!

(log to follow soon!)


Logfile of HijackThis v1.97.7

Scan saved at 10:36:05, on 2004/06/09

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\System32\winampa.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\uemuratakuya\デスクトップ\HijackThis.exe

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [winampa] winampa.exe

O4 - HKLM\..\RunServices: [winampa] winampa.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: NTUSER.DAT

O4 - Startup: NTUSER.DAT.LOG

O4 - Startup: ntuser.ini

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38132.188599537

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D44B52B9-7D35-4278-ABAE-037A084A0CE5}: NameServer = 192.168.11.254


Last note, I noticed that it lists: C:\WINDOWS\System32\winampa.exe but this computer does not have Winamp on it.. maybe it is unrelated, but just in case


Hi,

O4 - Startup: NTUSER.DAT

O4 - Startup: NTUSER.DAT.LOG

I couldn't delete them.. it was unable to delete

I never said to delete those files, it's just odd that they would show up in the "Startup" entry. It may be a language version problem?

I didn't delete these 4 files.. I wasn't sure what directory to delete them from

Start | Search (type desired file)

 

Anyway ...

 

Next: Start | Run (type) Services.msc

 

Scroll down to the WinTools for IE service

Highlight, right-click and select: Properties

Select "Service Status" option to "Stop"

Select: "Startup type" set it to "Disabled", click Apply, OK

Close the Services Editor.

 

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked".

 

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

 

Then reboot, on restart, restart in Safe Mode (see "How To" below)

 

Start | Run (type) Regedit

Navigate to the following location:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

 

Expand the "+Services" key (left pane)

Highlight the "WinTools" key, right-click and select: Delete, Ok the prompt, close Regedit.

 

Open Windows Explorer, locate and delete the following:

 

C:\Program Files\Common files\WinTools

netlink32.exe <--this file via Start | Search

sysconf.exe <--this file

winlog.exe <--this file

windns32.exe <--this file

 

Restart normally ...

 

Does AVG run now? If so "Flush System Restore" (see "How To" below)

 

Basically: turn off System Restore, reboot, run a full AVG scan, reboot, then turn System Restore back on and create a new Restore Point.

 

After the above post a fresh log ...

 

but this computer does not have winamp on it

It should be listed in Add Remove


Sorry, I didn't explain clearly... I don't think this computer has ever had Winamp on it. On my way to do the rest.. sorry, some of it is such a pain trying to match up the Japanese on his computer to the English on mine. I hope it seems clear.


Logfile of HijackThis v1.97.7

Scan saved at 11:51:21, on 2004/06/09

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\System32\winampa.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\uemuratakuya\デスクトップ\HijackThis.exe

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [winampa] winampa.exe

O4 - HKLM\..\RunServices: [winampa] winampa.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: NTUSER.DAT

O4 - Startup: NTUSER.DAT.LOG

O4 - Startup: ntuser.ini

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38132.188599537

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D44B52B9-7D35-4278-ABAE-037A084A0CE5}: NameServer = 192.168.11.254

 

The latest log.. still can't find those four files...


Logfile of HijackThis v1.97.7

Scan saved at 11:51:21, on 2004/06/09

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\System32\winampa.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\uemuratakuya\デスクトップ\HijackThis.exe

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [winampa] winampa.exe

O4 - HKLM\..\RunServices: [winampa] winampa.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: NTUSER.DAT

O4 - Startup: NTUSER.DAT.LOG

O4 - Startup: ntuser.ini

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38132.188599537

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D44B52B9-7D35-4278-ABAE-037A084A0CE5}: NameServer = 192.168.11.254

 

This is the latest log, still haven't found those 4 files


Hi,

Your log looks clean now ... good job!

 

I think the below is language related, so ignore for now ...

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

O4 - Startup: NTUSER.DAT

O4 - Startup: NTUSER.DAT.LOG

O4 - Startup: ntuser.ini

 

Is AVG up and running?

 

Reconfigure Ad-Aware for Full Scan:

Please update the reference file following the instructions here:

http://www.lavahelp.com/howto/updref/index.html

 

Launch the program, and click on the Gear at the top of the start screen.

 

Click the "Scanning" button.

Under Drives & Folders, select "Scan within Archives".

Click "Click here to select Drives + folders" and select your installed hard drives.

 

Under Memory & Registry, select all options.

Click the "Advanced" button.

Under "Log-file detail", select all options.

Click the "Tweaks" button.

 

Under "Scanning Engine", select the following:

"Include additional Ad-aware settings in logfile" and

"Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:

"Let Windows remove files in use after reboot."

Click on 'Proceed' to save these Preferences.

Please make sure that you activate IN-DEPTH scanning before you proceed.


Great! Thanks a lot, the only question I have left is that Ad-Aware is freaking out about that hosts file you had me put on.. is it okay? Should I just ignore it?

Edited by colin_m_elliott


Hi,

Ad-Aware is freaking out about that hosts file

See here: Attention Ad-Aware users

Ad-Aware has decided to include a new detection when scanning the HOSTS file. This now creates a "Bad hosts file entry" in the log file generated at the end of a scan. The best thing to do is to place a check in each entry, right-click and select: "Add selection to ignorelist". Otherwise if you let AWW "fix" these items it will trash the HOSTS file! Even if you have it "locked" by [example] SpywareBlaster or Winpatrol. It does not return the attributes and renames the HOSTS file incorrectly to hosts.

[more info - Lavasoft article]

Several HOSTS File Entries Indicated By Ad-aware Despite No Other Items Being Indicated
