
Thread: Computer Problems

  1. #41
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056
    Quote: Originally Posted by Pokey86
    I've downloaded it but every time I try to run it all I get is the timer cursor come up for a split second then disappear, after that nothing happens. This also happened (& still does) with RogueScanFix.
    As Jholland said it, please do not run any other utilities in conjunction with what we are asking you to. Do not install or uninstall or make any kind of changes unless you were asked to do so. This way we have a mutual understanding of where you are with the process, ok?

    Another problem is, every time I boot into safe mode there is absolutely NOTHING on the desktop, right click or left click does nothing. The cursor moves & Alt+ctrl+del works but THAT is all. (There is also no start bar) I'm not sure why it started doing this, but obviously it prevents me from running anything in safe mode.
    In Safe Mode, you have no desktop, taskbar or icons, right? Can you still do CTRL + ALT + DEL and open the Task Manager? If yes, then click on File > New Task (Run...) > Browse and try to run the AnalyzerXP that way.
    Also under 'Processes' tab, see if there is Explorer.exe listed, if not then try this: File > New Task (Run...) > Explorer > OK to see if it brought missing things back up.
    If the above doesn't work or not applicable, see if userinit.exe is listed under 'Processes' tab, and End Process it to see if that helped.

    ~TL

  2. #42
    Join Date
    Aug 2006
    Posts
    51
    Quote: Originally Posted by TurcoLoco
    As Jholland said it, please do not run any other utilities in conjunction with what we are asking you to. Do not install or uninstall or make any kind of changes unless you were asked to do so. This way we have a mutual understanding of where you are with the process, ok?

    OK, I apologise, I didn't actually run it, I just wanted to check if it would come up.


    In Safe Mode, you have no desktop, taskbar or icons, right? Can you still do CTRL + ALT + DEL and open the Task Manager? If yes, then click on File > New Task (Run...) > Browse and try to run the AnalyzerXP that way.
    ~TL
    ^^That worked fine, the file has been attached

  3. #43
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056

    Result

    =====] Looking for suspicious file types in WINDOWS folder:

    ~ I would strongly recommend deleting the following files to be on the safe side IF you didn't install them yourself:
    W32i - - - - 417,792 06-01-2004 c:\windows\photoshow.scr
    ^ A suspicious screensaver, do you know it?

    W16 - - - - 64,608 05-04-2005 c:\windows\secrets.scr
    ^ Possibly a part of W32/Ronoper-G http://www.sophos.com/security/analy...2ronoperg.html and
    http://www.symantec.com/security_res...631-99&tabid=2

    W32i - - - - 122,880 12-08-2000 c:\windows\ungins.exe
    ^ Possibly a part of one of the following 2:
    The Spyware Ace Club Casino program, it is recommended to remove it if you still have it installed. Please see this link for further info: http://www.spywaredb.com/remove-ace-club-casino/
    or
    Visual Zip Password Recovery Processor: http://www.scanspyware.net/info/Visu...yProcessor.htm

    ~ Delete the following as well:
    21/09/2005 13:50 19,528 002607_.tmp
    =====] Looking for suspicious file types in SYSTEM32 folder:

    W32i - - - - 58,904 08-22-2006 c:\windows\system32\azipcontmn.dll
    ^ A suspicious, unknown file. Possibly malware related but research further.

    W32i - - - - 43,520 04-30-2005 c:\windows\system32\cmdlineext03.dll
    ^ Extremely suspicious file, said to cause problem with right-click not working and certain executables not being able to run.
    Start > Run > regsvr32 /u cmdlineext03.dll and then rename it (change its extension, whatever).

    W32i - - - - 40,960 10-17-2003 c:\windows\system32\gbtgmt.dll
    ^ Likely to be malware related, possibly a part of Virtumonde infection.

    W32i - - - - 212,992 04-23-2005 c:\windows\system32\hook.dll
    ^ hook.dll is a module which belongs to the Backdoor.Spymon Trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.
    See this link for more info: http://www.symantec.com/security_res...016-99&tabid=2

    W32i - - - - 692,276 11-01-2006 c:\windows\system32\jkklj.dll
    ^ This is a component of Virtumonde. Virtumonde is a spyware application that regenerates itself each time you try to terminate the process and remove its files. It delivers ads to your computer screen continuously, interfering with your surfing habits and slowing down your usual computer activities.

    W32i - - - - 72,192 11-03-2006 c:\windows\system32\njsywkb.dll
    ^ Likely to be malware related, possibly a part of Virtumonde infection.

    W32i - - - - 58,904 08-22-2006 c:\windows\system32\sysfolderazipcnt.dll
    ^ Likely to be malware related, possibly a part of Virtumonde infection.

    W32i - - - - 28,672 11-26-2002 c:\windows\system32\ungwum.dll
    ^ A suspicious, unknown file. Possibly malware related but research further.

    W32i - - - - 28,672 12-27-2002 c:\windows\system32\uninstgmt.dll
    ^ A suspicious, unknown file. Possibly malware related but research further.

    W32i - - - - 94,208 11-03-2006 c:\windows\system32\xobghic.dll
    ^ A suspicious, unknown file. Possibly malware related but research further.

    W16 - - - - 11,776 03-25-2003 c:\windows\system32\zport4as.dll
    ^ A suspicious, unknown file. Possibly malware related but research further.


    *** The following should be deleted, preferably to Recycle Bin to be on the safe side but unlikely that these temp and/or unknown files are needed:
    03/11/2006 17:04 143 mcrh.tmp
    27/02/2006 11:21 0 REN40.tmp
    27/02/2006 11:21 0 REN41.tmp
    24/03/2006 13:36 82,532 mlfcache.dat
    02/11/2006 00:39 58 url.dat
    30/01/2006 21:41 584,704 LTRVW14n.ocx
    24/10/2006 16:44 606,293 wbocx.ocx
    W32i - - - - 81,920 10-25-2006 c:\documents and settings\keith\application data\ezpinst.exe
    W32i - - 8.0.0.1 shp 94,080 10-25-2006 c:\documents and settings\keith\application data\ezplay.sys
    W32i - - - - 171,869 05-04-2006 c:\documents and settings\keith\application data\{36c74587-9c8d-4d87-afb8-8db4a4ca9906}\mia.dll
    W32i - - - - 1,978,368 07-29-2004 c:\documents and settings\keith\application data\{36c74587-9c8d-4d87-afb8-8db4a4ca9906}\offline\ifrgmmgcveedol4estftgediffff ff0\pdfdll32.dll
    *** I'd also suggest removing all downloaded programs (IE plug-ins, etc) if they are not identified to be safe, known products because if they are needed, they can always be re-downloaded and re-installed. Even the legit yet no longer needed ones should be removed to keep IE and system lean and mean:
    W32i DLL ENU 58.6.0.0 shp 141,424 08-24-2006 c:\windows\downloaded program files\asinst.dll
    DOS - - - - 32 12-07-2004 c:\windows\downloaded program files\bdcore.dll
    W32i - - - - 118,784 03-01-2005 c:\windows\downloaded program files\bdupd.dll
    W32i DLL ENU 6.0.31.0 shp 356,352 03-12-2004 c:\windows\downloaded program files\inotes6.dll
    W32i - - - - 53,248 03-01-2005 c:\windows\downloaded program files\ipsupd.dll
    DOS - - - - 32 12-07-2004 c:\windows\downloaded program files\libfn.dll
    W32i APP ENU 7.1.9502.1 shp 160,864 05-29-2003 c:\windows\downloaded program files\messengerstatsclient.dll
    W32i APP ENU 7.1.9502.1 shp 77,408 05-29-2003 c:\windows\downloaded program files\msgrchkr.dll
    W32i DLL ENU 1.0.0.3 shp 113,664 08-13-2005 c:\windows\downloaded program files\msnmessengersetupdownloader.ocx
    W32i DLL ENU 1.2.0.7 shp 38,400 09-05-2002 c:\windows\downloaded program files\ntlsignup.dll
    W32i DLL - 1.0.0.1 shp 475,136 03-09-2005 c:\windows\downloaded program files\oscan8.ocx
    W32i APP ENU 7.1.9502.1 shp 86,112 05-29-2003 c:\windows\downloaded program files\solitaireshowdown.dll
    W32i APP ENU 9.4.6479.1 shp 389,160 06-06-2006 c:\windows\downloaded program files\stagingui.ocx
    W32i APP ENU 9.4.1227.1 shp 238,120 12-07-2005 c:\windows\downloaded program files\stproxy.dll
    W32i APP ENU 1.13.969.0 shp 3,141,472 02-07-2006 c:\windows\downloaded program files\webcleaner.dll
    W32i DLL ENU 2004.1.26.1 shp 133,120 01-26-2004 c:\windows\downloaded program files\yinsthelper.dll
    W32i APP ENU 9.3.2846.1 shp 194,600 11-17-2004 c:\windows\downloaded program files\zbuddy.ocx
    W32i APP ENU 9.3.4246.1 shp 117,800 01-31-2005 c:\windows\downloaded program files\zintro.ocx
    W32i APP ENU 9.3.2846.1 shp 456,744 11-17-2004 c:\windows\downloaded program files\zpachat.ocx
    W32i APP ENU 9.4.8295.1 shp 378,920 07-25-2006 c:\windows\downloaded program files\zpa_kqrp.ocx
    =====] List of files located at the root of the C Drive:
    31/10/2005 15:56 700,416 StubInstaller.exe
    >> Baddie, delete it!!
    Delete the following 'log' files as well:
    17/06/2004 13:14 25 csb.log
    30/10/2006 00:00 132 ICSYSINF.log
    26/06/2004 10:40 16,846 PkgClnup.log
    I would like you to attach (zipped or unzipped) the following file to your next post (but do NOT run it, ok?):
    26/01/2005 23:59 188 Delme.bat

    =====] Directory Analysis - PROGRAM FILES:

    01/11/2006 20:27 <DIR> InetGet2
    ^ Said to be malware related, unknown to me!
    21/01/2006 04:36 <DIR> LimeWire
    ^ Possible cause of the infections in the first place, they should start calling this P2P program the 'MalWire'!
    18/01/2006 18:18 <DIR> NoAdware4
    ^ YES, Adware. Should be removed!
    21/05/2006 18:26 <DIR> RealVNC
    ^ This Free Virtual Networking software has too many security flaws but of course the program itself is legit.
    03/11/2006 01:54 <DIR> Roguescanfix
    ^ Was this for the VirusBurst infection (if I am not mistaken)? Was that problem resolved? When did you download and run this tool and was someone helping you with it?
    05/11/2006 12:44 <DIR> Ultimate Defender
    ^ Ultimate Fake Spyware Remover, get rid of it at once! Check the following link for further info:
    http://www.spywareremove.com/removeU...eDefender.html
    01/11/2006 20:38 <DIR> VSAdd-in
    ^ Another Baddie, see the following link for further info: http://www.herongyang.com/win/adware_vsadd-in.html
    29/10/2006 23:52 <DIR> WH GBP Casino
    ^ Another possible cause of infections...try say NO to Online Casino Games.

    ** When you use Explorer to browse the Program Files folder, is that how the following 2 folders appear? I think they are legit MS programs that were somehow truncated/mislabeled since you are in Safe Mode perhaps:
    01/11/2006 20:24 <DIR> ?icrosoft
    01/11/2006 20:27 <DIR> ??crosoft
    ^ Can you browse to see what is in these folders? Very odd...my guess is to delete them an unknown to me!


    =====] Directory Analysis - COMMON FILES (subfolder of Program Files folder):

    The following entries are odd and suspicious too, please take a close look by browsing inside to judge for yourself:
    01/11/2006 20:24 <DIR> {6851E07B-07D9-2057-1222-03050103002c}
    03/11/2006 16:54 <DIR> {6851E07B-07DA-2057-1222-03050103002c}
    Similar to the ??crosoft entries above, this is probably Symantec but somehow mislabeled, please confirm:
    01/11/2006 20:25 <DIR> ??mantec

    =====] Directory Analysis - WINDOWS folder:

    25/02/2006 00:36 <DIR> BDOSCAN8
    ^ I believe this belongs to BitDefender AV scanner, if you no longer have the program, you could delete this folder as well.
    26/06/2004 14:24 <DIR> Cache
    ^ Should be safe but browse to see what is in it!
    17/06/2004 15:20 <DIR> Downloaded Installations
    ^ Delete everything in this folder if you are not sure what it is or if you no longer need it.
    01/05/2005 09:05 <DIR> LogFiles
    ^ Browse to see what is in it!
    25/09/2005 14:52 <DIR> LQfix
    ^ When did you download and run this tool and was someone helping you with it?
    20/02/2005 14:54 <DIR> Minidump
    ^ Browse to see what is in it!


    *** All listed processes were legit, however, you ran AnalyzerXP in Safe Mode so it is natural for the process list to be bare minimum plus the commands the script uses.



    I analyzed the list to my best and also I included my suggestions/opinions but please check with jholland to see what her final suggestions are for you, ok? I will let her decide if a custom removal tool is still needed for me to create.


    Good Luck,

    ~TL
    Last edited by TurcoLoco; 11-15-2006 at 03:36 PM. Reason: analyzed the log file

  4. #44
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok, Pokey, give me a bit, I will write up what and how you need to manually delete these things. I have also asked ~TL to see if he can do a custom tool also. But we will begin with the manual delete first. I will get back here ASAP.
    Judy

  5. #45
    Join Date
    Aug 2006
    Posts
    51
    OK, I'll start doing this tomorrow, work has been taking a lot of my time lately... thanks for all the help

  6. #46
    Join Date
    Aug 2006
    Location
    192.168.1.3
    Posts
    33
    Try downloading SpyBot Search and Destroy. Update regularly, though.

  7. #47
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Joseph, if you had read the entire post you will see this has already been recommended in post #4 on page #1. We have been working with Pokey on all of these problems for 17 days.

    The problems on this computer will not be fixed by Spybot, though it is an excellent program and it is always one of our recommended programs that we recommend here and here. Also please note that Spybot is just one of several programs we use together to clean an infected computer and then to keep it clean.

    The computer in question is so infected and over-ridden with spyware/malware/trojans, etc., that ~TL has created a special tool JUST FOR USE ON THIS PARTICULAR MACHINE and it is NOT for use on any other computer. This is the program that Pokey will be using later followed by the other two as directed by ~TL in his instructions.

    We can always use the help here on this forum, that is for sure but please read an entire thread and note what has been tried before making a suggestion to be certain it has not been recommended or completed earlier.
    Last edited by jholland1964; 11-17-2006 at 11:20 PM.

  8. #48
    Join Date
    Aug 2006
    Posts
    51
    OK done, it seems to be working out fine, I've attached a HJT log if you wish to make sure it's all clean

    Thank you for all the help, please let me know if there is anything else I should do

  9. #49
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Pokey, I think this looks pretty good.
    Just a few more fixes here should do it.
    Run HiJackThis again and place checkmarks next to the following;
    O2 - BHO: (no name) - {3612D66E-EB96-7524-37B5-040F0E8038BA} - C:\WINDOWS\system32\njsywkb.dll (file missing)
    O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
    O2 - BHO: (no name) - {66B30261-9AF5-E170-D3FE-C16946FBDB94} - C:\WINDOWS\system32\ymnsd.dll (file missing)
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\klktrpej.dll (file missing)

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/bingame/zpagames...p.cab48295.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

    O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)

    Once you have placed all the checkmarks then click the FIX button.
    Exit HJT.
    Next you should set new restore points in System Restore.
    Right Click My Computer. Choose Properties. Click the System Restore Tab. Place a checkmark in Turn Off System Restore. Click Apply. You will be asked if you are sure. Say yes. System Restore will then turn off. Wait a minute and then go back in and take the checkmark out. This will turn your System Restore back on and establish a new, clean restore point.
    Now to keep this from happening again I recommend that you go to this link PROTECT YOURSELF FROM MALWARE: Tools & Tips
    and read all the information there. I always recommend the regular usage of, Spybot, AdAwareSE and SpywareBlaster. All are free and all, along with your anti-virus program and firewall, will keep your computer clean and free of these nasties.
    Does all seem ok now with the computer?
    Judy

  10. #50
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Items placed in start up unnecessarily generally will hog your resources and slow down the computer.
    To easily keep a watch and a check on unnecessary start up items I recommend Mike Lin's Startup Control Panel
    It is free and very easy to use.

    These items can all be disabled at start by using Mike's program;
    This patch only needed to run once:
    HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe

    All printer related startup entries for whatever print utility is a nuisance:
    HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0C2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"

    Diagnostics type programs are another pointless startup entry, since they could be run when needed manually:
    HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
    HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\System32\PCLECoInst.dll",CheckUSBController
    HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"

    This entry is placed by Windows but never gets removed even if it is no longer applicable/valid:
    HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    ...and none of the below are needed in startup, ALL can easily be run manually:
    HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
    HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    HKLM\..\Run: [Vivanco Laser mouse] "C:\Program Files\Vivanco\Laser Mouse\Panel.exe"
    HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvwac.dll,startup
    HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
    HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    Global Startup: LG SyncManager.lnk = C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
    Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE







    Judy
    Last edited by jholland1964; 11-20-2006 at 03:20 PM.
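
The HijackThis entries walked through in posts #49 and #50, as an added example that is not part of the original posts or of HijackThis itself: a small parser that picks out the entries marked "(file missing)" and checks whether the orphaned file name was already flagged in the post #43 analysis. The dictionary field names and the `FLAGGED_EARLIER` subset are assumptions made for illustration; the log lines are copied from the posts above.

```python
import ntpath
import re

# A few lines copied from posts #49 and #50 on this page (sample, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3612D66E-EB96-7524-37B5-040F0E8038BA} - C:\WINDOWS\system32\njsywkb.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt0.dll (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
"""

# Subset of the file names flagged in the post #43 analysis (assumption: lower-cased).
FLAGGED_EARLIER = {"njsywkb.dll", "jkklj.dll", "hook.dll", "cmdlineext03.dll"}

MISSING = "(file missing)"
# "O2 - BHO: ...", "O16 - DPF: ...", "O20 - Winlogon Notify: ..."
SECTION_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# Run entries; a full HJT log prefixes them with "O4 - ", post #50 lists them without it.
RUN_RE = re.compile(r"^(?:O4 - )?(HK(?:LM|CU)\\\.\.\\Run\w*): \[([^\]]+)\] (.*)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it is not a recognised entry."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return {"section": "O4", "kind": m.group(1), "name": m.group(2),
                "target": m.group(3), "missing": False}
    m = SECTION_RE.match(line)
    if not m:
        return None
    section, kind, rest = m.groups()
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[:-len(MISSING)].rstrip()
    # The file or URL is always the last " - "-separated field.
    return {"section": section, "kind": kind.strip(), "name": None,
            "target": rest.rsplit(" - ", 1)[-1], "missing": missing}


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def orphaned_entries(text, flagged=FLAGGED_EARLIER):
    """Entries whose file is gone: (section, file name, was it flagged earlier?)."""
    result = []
    for entry in parse_log(text):
        if entry["missing"]:
            name = ntpath.basename(entry["target"]).lower()
            result.append((entry["section"], name, name in flagged))
    return result


if __name__ == "__main__":
    for section, name, seen in orphaned_entries(SAMPLE_LOG):
        print(section, name, "flagged earlier" if seen else "not seen earlier")
```

An orphaned entry that matches an earlier flagged file confirms the file was removed and only the registry reference is left; one that does not match is worth a second look before it is fixed.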
