System cache leak part II


  • This topic is locked
54 replies to this topic

#1 M332

M332

  • Members
  • 211 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:01 AM

Posted 19 March 2010 - 11:44 PM

I also use Trend Micro's House Call scanner and Spyware Blaster and I have not been able to detect any infection or threat on the computer. I tend to believe it may be a hidden registry issue although no errors are reported with Ccleaner. Here is a HijackThis report that shows what is running. It shows IE processes but I mainly use Firefox.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:48 PM, on 3/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Avast4\aswUpdSv.exe
C:\Avast4\ashServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\NetPal\NetPal.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.localnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE 8
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .fpx: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT34.dll
O12 - Plugin for .ivr: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT34.dll
O15 - Trusted Zone: http://www.bluemountain.com
O15 - Trusted Zone: http://visitor.constantcontact.com
O15 - Trusted Zone: http://www.directv.com
O15 - Trusted Zone: http://www.gamedesign.jp
O15 - Trusted Zone: www.gty.org
O15 - Trusted Zone: http://www.gty.org
O15 - Trusted Zone: http://ak.imgag.com
O15 - Trusted Zone: http://www.ixquick.com
O15 - Trusted Zone: http://www.jacquielawson.com
O15 - Trusted Zone: http://start.localnet.com
O15 - Trusted Zone: http://*.mse360.com
O15 - Trusted Zone: http://www.regiftable.com
O15 - Trusted Zone: http://www..regiftable.com
O15 - Trusted Zone: http://marcus.tmb.state.tx.us
O15 - Trusted Zone: http://*.usgwarchives.org
O15 - Trusted Zone: http://www.whatiscardcheck.com
O15 - Trusted Zone: http://www.youtube.com
O15 - Trusted IP range: http://91.199.104.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A19A5C72-DDCA-420C-834D-8815BF4B2ECC}: NameServer = 64.136.173.4 64.136.164.76
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Avast4\ashWebSv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

Moderator Edit ~ This is a split from this topic here http://www.bleepingcomputer.com/forums/t/303598/system-cache-leak/ ~Pandy

Edited by Pandy, 20 March 2010 - 01:34 AM.




#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:02:01 AM

Posted 22 March 2010 - 10:23 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#3 M332

M332
  • Topic Starter

  • Members
  • 211 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:01 AM

Posted 22 March 2010 - 12:17 PM

Thanks for your reply. I do still need help.

First: I deleted 3 files from the Avast virus chest:

kernel32.dll
winsock.dll
wsock32.dll

They appeared in the chest again after restart. Could the system cache leak be caused by this kernel or the other drivers being in the chest? If so then please tell me how the files can be permanently deleted from the chest.

I will download DDS and GMER then post the logs as instructed.

#4 M332

M332
  • Topic Starter

  • Members
  • 211 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:01 AM

Posted 22 March 2010 - 04:17 PM

Original thread with question about files in Avast virus chest being a potential cause of this problem: http://www.bleepingcomputer.com/forums/top...ml#entry1683739

Here is the requested DDS info along with the Attach & ark attachments. I do not understand why Norton and PCPitstop are listed in the DDS info below since neither is installed on the computer any longer.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 12:31:00.35 on Mon 03/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2561 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100321-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Avast4\aswUpdSv.exe
C:\Avast4\ashServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://start.localnet.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = IE 8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {70F241F6-52AB-4D45-993E-C1C09920095B} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [CHotkey] zHotkey.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [HostManager]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [avast!] c:\avast4\ashDisp.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoActiveDesktop = 00000000
IE: Download with Free Download Manager - file://c:\free download manager\dllink.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
Trusted Zone: att.com\www.wireless
Trusted Zone: bluemountain.com\www
Trusted Zone: constantcontact.com\visitor
Trusted Zone: directv.com\www
Trusted Zone: discovercard.com\www
Trusted Zone: gamedesign.jp\www
Trusted Zone: glennbeck.com\www
Trusted Zone: gmscorp.com\www
Trusted Zone: google.com\feedproxy
Trusted Zone: gty.org\www
Trusted Zone: imgag.com\ak
Trusted Zone: ixquick.com\www
Trusted Zone: jacquielawson.com\www
Trusted Zone: localnet.com\start
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www.update
Trusted Zone: mse360.com
Trusted Zone: paypal.com\www
Trusted Zone: regiftable.com\www
Trusted Zone: regiftable.com\www.
Trusted Zone: state.tx.us\marcus.tmb
Trusted Zone: tigercreek.org\www
Trusted Zone: usgwarchives.org
Trusted Zone: whatiscardcheck.com\www
Trusted Zone: youtube.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3ladole7.default\
FF - prefs.js: browser.search.selectedEngine - GoodSearch
FF - prefs.js: browser.startup.homepage - hxxp://start.localnet.com/
FF - component: c:\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\realplayer\netscape6\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-3-10 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-6-9 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\avast4\ashServ.exe [2010-3-10 138680]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-1-20 10384]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [2007-9-17 3712]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-11-12 115312]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\avast4\ashMaiSv.exe [2010-3-10 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\avast4\ashWebSv.exe [2010-3-10 352920]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2010-2-23 23456]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\pcpitstopscheduleservice.exe --> c:\PCPitstopScheduleService.exe [?]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-03-13 15:15:56 198323 ----a-w- C:\SMagill.WAB
2010-03-11 03:20:57 0 d-----w- C:\Avast4
2010-03-11 03:04:07 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-11 03:03:54 0 d-----w- c:\docume~1\owner\applic~1\Spyware Terminator
2010-03-11 03:03:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2010-03-11 03:03:52 0 d-----w- c:\program files\Spyware Terminator
2010-03-11 02:33:13 0 d-----w- c:\docume~1\owner\applic~1\Spyware Terminator(3)
2010-03-11 02:15:31 0 d-----w- c:\docume~1\owner\applic~1\Spyware Terminator(2)
2010-02-26 02:40:20 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-02-25 03:19:07 319488 -c--a-w- c:\windows\HideWin.exe
2010-02-24 17:36:55 456536 -c--a-w- c:\windows\system32\XCEEDZIP.DLL
2010-02-24 17:36:54 224016 -c--a-w- c:\windows\system32\Tabctl32.ocx
2010-02-24 17:36:54 132880 -c--a-w- c:\windows\system32\Msinet.ocx
2010-02-23 23:49:47 3840 -c--a-w- c:\windows\system32\drivers\BANTExt.sys
2010-02-23 23:49:47 0 d-----w- c:\program files\Belarc
2010-02-23 22:20:33 0 d-----w- c:\program files\Gateway
2010-02-23 22:15:31 0 d-----w- C:\cabs
2010-02-23 21:42:06 23456 -c--a-w- c:\windows\system32\drivers\DrvAgent32.sys
2010-02-22 20:11:27 0 d-----w- C:\Registry Backups
2010-02-22 05:27:44 0 d-----w- c:\docume~1\alluse~1\applic~1\PCPitstop

==================== Find3M ====================

2010-03-21 19:02:19 2864 -c--a-w- c:\windows\system32\winsock.dll
2010-03-17 23:15:26 5652 -c--a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2010-02-01 22:14:54 1247776 -c--a-w- c:\windows\RtlExUpd.dll
2010-01-19 11:57:59 38848 -c--a-w- c:\windows\system32\ava3.tmp
2010-01-19 11:57:59 38848 -c--a-w- c:\windows\system32\ava2.tmp
2010-01-19 11:57:39 152672 -c--a-w- c:\windows\system32\asw2.tmp
2010-01-19 11:57:39 152672 -c--a-w- c:\windows\system32\asw1.tmp
2005-10-25 05:52:09 2631680 -csha-w- c:\program files\ehthumbs.db
2009-03-28 02:34:18 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032720090328\index.dat

============= FINISH: 12:31:27.78 ===============

Attached Files


Edited by M332, 22 March 2010 - 04:26 PM.
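
An added example, not part of any post in this thread and not code from DDS or its author: a small Python parser that pulls out the kinds of DDS entries the topic starter asks about in post #4, namely security products, services, toolbars and autoruns that are still listed although their software or file is gone. The function name, the `installed_keywords` parameter, and the reading of the `[x]` and `[?]` markers as "file missing or not readable" are assumptions.

```python
import re

# Lines copied from the DDS log posted in post #4 of this thread (trimmed).
SAMPLE_DDS = r"""
AV: avast! antivirus 4.8.1368 [VPS 100321-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
mRun: [CHotkey] zHotkey.exe
mRun: [HostManager]
mRun: [avast!] c:\avast4\ashDisp.exe
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-3-10 114768]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2010-2-23 23456]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\pcpitstopscheduleservice.exe --> c:\PCPitstopScheduleService.exe [?]
S4 vsdatant;vsdatant; [x]
"""

# "<R|S><start type> name;display name;image path [date size]"
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
# "mRun: [value name] command" (u = HKCU, m = HKLM, d = default user)
RUN_RE = re.compile(r"^([umd])Run: \[([^\]]+)\]\s*(.*)$")
# "TB: {CLSID} - No File" and similar lines for other entry types
NOFILE_RE = re.compile(r"^([A-Za-z]+): (.+?) - No File$")
# "FW: product name *state* {GUID}"
PRODUCT_RE = re.compile(r"^(AV|FW|SP): (.+?) \*([^*]+)\*")

# Windows service start values.
START_TYPES = {"0": "boot", "1": "system", "2": "automatic",
               "3": "manual", "4": "disabled"}
HIVES = {"u": "HKCU", "m": "HKLM", "d": "default user"}


def find_leftovers(log_text, installed_keywords=()):
    """Return (kind, name, detail) tuples for DDS entries that point at
    nothing, plus security products that match none of the
    installed_keywords (lower-case substrings supplied by the analyst)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SERVICE_RE.match(line)
        if m:
            state, start, name, _display, path, tail = m.groups()
            # Assumption: [x] / [?] in place of "date size" means DDS could
            # not find or read the file behind the service entry.
            if tail in ("x", "?") or not path.strip():
                state_word = "running" if state == "R" else "stopped"
                detail = "%s, start=%s, marker [%s]" % (
                    state_word, START_TYPES[start], tail)
                findings.append(("service", name, detail))
            continue

        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            if not command.strip():
                findings.append(
                    ("autorun", name, HIVES[hive] + " Run value with no command"))
            continue

        m = NOFILE_RE.match(line)
        if m:
            kind, name = m.groups()
            findings.append((kind, name, "registry entry with no file"))
            continue

        m = PRODUCT_RE.match(line)
        if m and installed_keywords:
            kind, name, state = m.groups()
            if not any(k in name.lower() for k in installed_keywords):
                findings.append(
                    ("security-product", name, "%s listed as %s" % (kind, state)))
    return findings


if __name__ == "__main__":
    # The topic starter states that avast! is the installed antivirus.
    for kind, name, detail in find_leftovers(SAMPLE_DDS, ("avast",)):
        print("%-17s %-40s %s" % (kind, name, detail))
```

Entries reported this way are candidates for review against the list of installed software; a flagged entry is stale configuration until shown otherwise, not evidence of infection.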


#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,804 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:01 AM

Posted 23 March 2010 - 10:24 PM

Hello,

I have merged your new topic to your previously existing topic. Please keep all posts regarding this issue to this topic by using the Add Reply button. Starting new topics causes confusion for everyone and delays the assistance you receive.

Back to you pwgib,

~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 M332

M332
  • Topic Starter

  • Members
  • 211 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:01 AM

Posted 24 March 2010 - 12:10 PM

My apologies. I only posted a new topic per instructions posted above in the GMER link. If it would clear any confusion the other post could be deleted. I would do it myself but deleting is not allowed, only editing.

#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:01 AM

Posted 25 March 2010 - 09:33 AM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic is not replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


==========

With your next post please provide:

* RKill log
* Combofix.txt
* Description of remaining problems

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#8 M332

M332
  • Topic Starter

  • Members
  • 211 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:01 AM

Posted 25 March 2010 - 02:26 PM

Ok here are the requested logs.

Problem description: The system cache will leak during big program use such as AV program scans until it surpasses the available amount listed around 2500000 and will max out at around 2700000, then the computer is useless and needs a restart. Picture included so you'll understand what I'm referring to. I suspect problem may be from some program or the registry instead of malware or a virus but my post was placed here because I included the HijackThis log info in my original thread.

Attached Files



#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:01 AM

Posted 25 March 2010 - 09:15 PM

I would like to continue to make sure your computer is clean. After I clear you from that standpoint then we can let the tech specialists help you otherwise.

Please copy and paste all logs unless otherwise directed!

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

==========

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  7. Push
  8. A report will open. Copy and Paste that report in your next reply.
  9. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


==========

With your next post please provide:

* MBAM log
* ESET log
* OTL.txt
* Extra.txt
* How is your computer running now?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#10 M332

M332
  • Topic Starter

  • Members
  • 211 posts

Posted 26 March 2010 - 06:50 PM

Ok here are the requested logs.

The system cache leak remains.

Attached Files



#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 27 March 2010 - 05:24 PM

Hi,

I see you have Crawler Spyware Terminator installed.
If you didn't buy it, I strongly recommend you uninstall it as it was on the blacklist previously.
It now is delisted from the list, however, this doesn't always mean that the program is trustworthy enough.
In case you decide to uninstall Spyware Terminator, also uninstall the extra option WinClamAVShield, because that has been integrated in the Spyware Terminator.

Please also note....

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Spyware Terminator or Avast.

==========

We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-4079606604-2495815586-820721733-1006\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-4079606604-2495815586-820721733-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-4079606604-2495815586-820721733-1006\..\Toolbar\ShellBrowser: (no name) - {70F241F6-52AB-4D45-993E-C1C09920095B} - No CLSID value found.
    O3 - HKU\S-1-5-21-4079606604-2495815586-820721733-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKU\S-1-5-21-4079606604-2495815586-820721733-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-4079606604-2495815586-820721733-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-4079606604-2495815586-820721733-1006\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
    O3 - HKU\S-1-5-21-4079606604-2495815586-820721733-1006\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
    [6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

==========

Your hard disk displays errors - Let's fix that!

  • Click Start > Run and type chkdsk /f and then click OK.
    • Note the space between the k and the /
  • Allow the scan to run and when completed, reboot the system. It may not run until you reboot!

==========

Please defrag your hard disk next.

==========

You may have corrupt critical system files. Let's see if we can fix that.

  • Click Start > Run and type sfc /scannow and then click OK.
    • Note the space between the c and the /
  • You may need your Windows XP CD so have it ready.
    • If you have Service Pack 2 (SP2) or SP3 installed, you will need the SP2 or SP3 version of the CD. This can be done with a borrowed CD, if you don't have one.
  • Allow the scan to run and when completed, reboot the system.

==========

With your next post please provide:

* OTL fix log results
* Did you uninstall Crawler?
* Did sfc prompt you for an install disc?
* Clear description of current problems.

Kind regards,
~t


#12 M332

M332
  • Topic Starter

  • Members
  • 211 posts

Posted 28 March 2010 - 12:08 PM

Ok the requested OTL fix log is attached below.

About Spyware Terminator, I don't have clam AV installed with it. It is optional and I have the option disabled since I'm running Avast so I'd like to keep ST. If you know of a great freeware spyware program that offers real time protection without a required purchase to enable that option, and it has not caused problems for a lot of users then please tell me because I'm not aware of one better than ST and I've researched them all within the past month on cnet.

About the corrupt critical system files, I don't have the XP cd and I don't know anyone who has one, so are the needed files available to download from somewhere online like windrivers or driverzone without charge? I did not run SFC yet because of this. If you believe I can run it and it will not ruin the computer when it requests the XP cd and I don't have it, then I will run it.

Check Disk found and cleaned some unused index entries but I don't know if these were the errors you were referring to. Here's the event log:

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 3/28/2010
Time: 10:26:27 AM
User: N/A
Computer: M16641332
Description:
Checking file system on C:
The type of the file system is NTFS.
Volume label is Local Disk.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up 332 unused index entries from index $SII of file 0x9.
Cleaning up 332 unused index entries from index $SDH of file 0x9.
Cleaning up 332 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.

190458607 KB total disk space.
17919876 KB in 58184 files.
22656 KB in 5186 indexes.
4 KB in bad sectors.
459771 KB in use by the system.
65536 KB occupied by the log file.
172056300 KB available on disk.

4096 bytes in each allocation unit.
47614651 total allocation units on disk.
43014075 allocation units available on disk.

Internal Info:

Windows has finished checking your disk.
Please wait while your computer restarts.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Attached Files


Edited by M332, 28 March 2010 - 12:15 PM.
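
As an added example (not part of the original post and not a BleepingComputer or Microsoft tool), the CHKDSK summary quoted above can be read mechanically: this Python script parses the figures, checks that the categories add up to the reported total, and separates the index and security-descriptor cleanup from the space marked as bad sectors. The function and field names are assumptions chosen here.

```python
import re

# Summary lines excerpted from the CHKDSK event log posted above.
LOG = """\
Cleaning up 332 unused index entries from index $SII of file 0x9.
Cleaning up 332 unused index entries from index $SDH of file 0x9.
Cleaning up 332 unused security descriptors.
190458607 KB total disk space.
17919876 KB in 58184 files.
22656 KB in 5186 indexes.
4 KB in bad sectors.
459771 KB in use by the system.
172056300 KB available on disk.
4096 bytes in each allocation unit.
"""

# Field name -> pattern capturing the number on its summary line.
PATTERNS = {
    "total_kb": r"^(\d+) KB total disk space",
    "files_kb": r"^(\d+) KB in \d+ files",
    "index_kb": r"^(\d+) KB in \d+ indexes",
    "bad_kb": r"^(\d+) KB in bad sectors",
    "system_kb": r"^(\d+) KB in use by the system",
    "free_kb": r"^(\d+) KB available on disk",
    "unit_bytes": r"^(\d+) bytes in each allocation unit",
}

def parse_chkdsk(text):
    """Return the numeric summary fields; raise if a line is missing."""
    fields = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match is None:
            raise ValueError(f"missing CHKDSK field: {name}")
        fields[name] = int(match.group(1))
    return fields

def triage(text):
    """Cross-check the totals; split metadata cleanup from media damage."""
    f = parse_chkdsk(text)
    used = ("files_kb", "index_kb", "bad_kb", "system_kb", "free_kb")
    return {
        "totals_consistent": sum(f[k] for k in used) == f["total_kb"],
        "bad_clusters": -(-f["bad_kb"] * 1024 // f["unit_bytes"]),  # round up
        "cleanup_counts": [int(n) for n in re.findall(r"Cleaning up (\d+) unused", text)],
    }

print(triage(LOG))
```

The cleanup counts describe NTFS metadata housekeeping, while a non-zero `bad_clusters` value refers to space on the disk itself that CHKDSK has marked unusable.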


#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 28 March 2010 - 12:36 PM

Running sfc without an install disc poses no risk. Please proceed. If it prompts you for a disk, exit and tell me about it. We can redirect the program to search for clean versions of the corrupt files that already reside on your computer.

#14 M332

M332
  • Topic Starter

  • Members
  • 211 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:01 AM

Posted 28 March 2010 - 02:01 PM

It requested the XP disk. I selected Cancel to see if it could keep scanning, which it did, but it gave me the notice that the program may ask me to insert the XP disk after reboot, so I quit the program.



#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:01 AM

Posted 28 March 2010 - 04:41 PM

Ok. Let's fix that!!

I need to see the reg entry that points sfc to an install disc. I will then safely modify the path.

First..........
  • Create a new folder on your Desktop by right-clicking and selecting New > Folder.
  • Name the folder SWRegfolder.

Next.............
  • Download SWReg by Bobbi Flekman
  • Save it to the SWRegfolder on your Desktop.

Finally.........
  • Launch Notepad, (Start > Run, type in: notepad)
  • Copy/paste all the text inside the code box below to Notepad:

CODE
@echo off
swreg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup" /s >>log.txt
Notepad log.txt

  • In Notepad, go to File (upper menu bar), and select: Save as
  • Save in: SWRegfolder
  • File Name: SWReg.bat
  • Save as Type: All files
  • Click: Save
  • Exit out of Notepad.
Note: Both SWReg.exe and SWReg.bat must be in the same folder for this to work.
  • Locate SWReg.bat in the SWRegfolder and double-click on it.
  • When done, a log opens in Notepad.
  • Please post the contents of the log in your reply.

==========

You need all the files........

Download the standalone windows XP SP3 package from here:
http://www.microsoft.com/downloads/details...;displaylang=en
and save it to your desktop.

You are not installing this. We just need to download to have access to the files. Do not run it after downloaded!!!!!!!!!!

==========

Then extract the files from the package by going to Start -> Run and copy the contents of the code box into the start window and press ok:

CODE
"%userprofile%\Desktop\WindowsXP-KB936929-SP3-x86-ENU.exe" -x:C:\xpsp3


This will place the service pack 3 files into your C drive under the folder named "xpsp3".

==========

Then I will use your SWReg results to write a script pointing sfc to xpsp3

==========

Then you can run sfc and it should replace the files

==========

We can leave it like that or we can reverse it back to its original registry settings. You will have to let me know what you want to do.

===========

With your next post please provide:

* SWReg log
* Please confirm that c:\xpsp3 now exists
* Copy and paste all logs. Do not attach!

Kind regards,
~t
