Getting rid of Winupdates


Jellybean

Hey, I'm new here but that isn't really as important as my computer's safety :(
Right now I have 2 li'l viruses, or I think they're trojans / keyloggers, on my computer known as winupdates.exe and p2pnetworking.exe (executable files).
I have read on your site multiple times for info on removing it but I couldn't :(
Anyone know how to remove them?
I used AVG
SE personal
antispy.info
Diskeeperlite

But when I removed them they still affected my computer. My computer is much slower than before and there are plenty of other problems like pop ups.
Other problem is that my task manager has been disabled by winupdates.
 
Thanks for the info :angel: I'll be sure to do so, and I have to do it quick though because this virus or w/e is starting to annoy me :knock:

Oh no, I've followed the procedure but I still get the winfixer2006 and all those stupid pop up ads.
A problem I have done is that I deleted the source of this (programfiles\winupdates\winupdate.exe)
And it says to delete this in safe mode and I didn't do that :[
I still have all the problems; a bit more help would be needed.
 
here

Here are the following I deleted off my comp

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:23:13 PM, 3/18/2006
+ Report-Checksum: F52D5EEC

+ Scan result:

HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners -> Adware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\WhenUSave\Partners\WUSV -> Adware.SaveNow : Cleaned with backup
HKU\S-1-5-21-2416043488-3258225091-2533144545-1006\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup


::Report End

I still have pop up ads problem -.-"

Also have this, I have this virus on my comp:

Information about p2pnetworking.exe file
File: p2pnetworking.exe
Name: (p2pnetworking.exe)
Product:
Manufacturer:

User feedback
There were 4 user requests for that file. 2 users classify it as little bit dangerous. 2 users classify it as dangerous and recommend to remove p2pnetworking.exe. 1 user didn't classify it ("don't know").

Rating Opinion From
It is a very dangerous worm that hijacks any file sharing apps you have and turns your machine into a server for someone else's files. REMOVE IMMEDIATELY Fraktos Nirvana
Backdoor.Win32.Rbot.pd!!! link for more info h2k.nl
It's part of Kazaa, it stays on your computer even if you remove it. I'm not sure what it does but I tried to remove it with no luck. [BR]™
Panda Antivirus (titanium) says unknown virus, please send to Panda. It runs in background hidden, and does something over the net. Bdawg
If you know more about p2pnetworking.exe, share your knowledge and help other users.

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 2:32:16 PM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system\sysctrl.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\mljgh.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system\sysctrl.exe /a
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [xdticjzA] C:\WINDOWS\xdticjzA.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AgentSpyware] C:\Program Files\SoftwareDoctor\AgentSpyware\AgentSpyware.Exe -boot
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} - http://downloads.shopathomeselect.com/axinstall/SRInstall4110_sp2.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Unknown owner - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\xdticjz.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

~~~~~~~~~~~~~~~~~~~~~~~

Problem: CANNOT USE TASK MANAGER (ALT + DELETE + CTRL)
 
You have to turn off System Restore after booting in safe mode to remove viri. Most new viri self-regenerate from restore files. After removing them successfully you can turn it back on.
 
howard_hopkinso said:
Hello and welcome to Techspot.

Go and have your computer scanned HERE.

Then, go and read both these threads by RBS. Follow all the instructions exactly.

How to remove Trojans and its ilk! and How to remove Begin2search / coolwebsearch and other nasties.

Then see. How to post your Hijackthis log-file as an ATTACHMENT.

Only post a HJT log, after doing the above.

Regards Howard :wave: :wave:


Which of the above instructions are you having trouble following?

Go back and follow all the instructions I gave you. In addition, go HERE and follow the instructions as well.

Regards Howard :)
 
I wonder if someone here should update RBS's instructions and put the SAFEMODE and TURN OFF SYSTEM RESTORE in caps and bold? And/or a statement like "IMPORTANT! THIS MUST BE DONE". Everyone misses that.

just a thought.
 
kirock said:
I wonder if someone here should update RBS's instructions and put the SAFEMODE and TURN OFF SYSTEM RESTORE in caps and bold? And/or a statement like "IMPORTANT! THIS MUST BE DONE". Everyone misses that.

just a thought.

I think you could put the instructions in flashing lights and people would still miss them lol.

Regards Howard :)
 
It still amazes me people don't bother reading stickies when the title of the sticky is obvious to their problem.
 
Guys, the problem. You guys have told me how to recover it? Well, I have gone on safe mode and all, and the restore thingy was off, then I ran ewido and deleted 23 infections, although I still have another problem. I think it is p2pnetworking's doing; how do I remove that?
 
Logfile of HijackThis v1.99.1
Scan saved at 5:37:32 PM, on 3/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system\sysctrl.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\Tablet.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\mljgh.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system\sysctrl.exe /a
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [xdticjzA] C:\WINDOWS\xdticjzA.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} - http://downloads.shopathomeselect.com/axinstall/SRInstall4110_sp2.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Unknown owner - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\xdticjz.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)
 
I asked you twice, to post your HJT log as an attachment. I also asked you to go and follow the instructions in all the links I gave you.

You have not done any of that, or if you have, you've not done it properly.

I am going to give you some more instructions. If you don't follow them this time, I won't help you any further.

Go HERE and follow the instructions exactly.

Then follow the instructions below.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel. Uninstall anything to do with(if there).

MyWebSearch
Network Monitor

Close control panel.

Open your task manager, by pressing the ctrl/alt/delete keys together.

Click on the processes tab and end process for(if there).

sysctrl.exe
sysctrl.exe /a
xdticjzA.exe
csrrs.exe <Not to be confused with csrss.exe which is legit
command.exe

Close task manager.

Click start/run and type regsvr32 /u C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL into the run box and press the enter key.

Again Click start/run and type regsvr32 /u C:\WINDOWS\system32\mljgh.dll into the run box and press the enter key.

Make sure you type the above exactly, or clear the run box and copy and paste.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Locate these services (if there) and double click on them one at a time. Select stop if they are running. Set the startup type to disabled.

csr
Command Service (cmdService)
Network Monitor
Diskeeper
Windows Overlay Components
WMDM PMSP Service

Click apply/ok.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\mljgh.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [System] C:\WINDOWS\system\sysctrl.exe /a

O4 - HKLM\..\Run: [xdticjzA] C:\WINDOWS\xdticjzA.exe

O4 - HKLM\..\RunServices: [csr] csrrs.exe

O4 - Global Startup: wmplayer.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...arch.jhtml?p=ZU

Fix all O16 DPF entries.

O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1\command.exe (file missing)

O23 - Service: Diskeeper - Unknown owner - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\xdticjz.exe (file missing)

O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold folders and/or files(if there).

C:\WINDOWS\system\sysctrl.exe
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system\sysctrl.exe /a
C:\WINDOWS\xdticjzA.exe
csrrs.exe You will have to search your system for this one.
C:\WINDOWS\UGF1\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\xdticjz.exe


Reboot into normal mode and turn system restore back on.

Post a fresh HJT log as an ATTACHMENT.

Regards Howard :)
 
My task manager doesn't work so this process won't work (because of winupdates). I cannot use task manager because it's been disabled by winupdates.
 
You keep saying you've got winupdates, but I can't see it in your HJT log.

How can I help you to get rid of something that's either not there, or invisible?

Try typing taskmgr.exe into the run box and press the enter key.

If that doesn't work, forget the task manager part at the moment and follow the rest of the instructions.

Regards Howard :)
 
Network Monitor won't remove from the add/remove programs thingy. Is that something wrong? Because it won't get uninstalled.
 
Well I'm scratching my head here. I don't know what else to suggest.

Either you're doing or not doing something. Or, you've got some kind of infection that can't easily be got rid of.

Maybe you should consider doing a reformat and reinstall, after backing up your important data of course.

Regards Howard :)
 
Try this:
http://www.bleepingcomputer.com/forums/topic18610.html

If you have winfixer, you need the removal tool, which is the vundofix I believe. Remember, do ALL in Safe Mode! Log in to your administrator user account.

2nd, the winupdates is usually a service or notify entry that can't be removed even from safe mode. These are the entries from your HJT log:

O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\xdticjz.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

All these need to be removed. And why do I see Symantec if you use AVG? Those leftovers should be removed also.

What needs to happen here is that you need to write down the name and path of these bad files, and then boot to Recovery Console and DELETE those files. Once they are all deleted, you can then delete the registry keys, services, notify entries and they won't come back.

This is getting into advanced stuff, if you have enough patience to do it, then we can help. Otherwise consider a reload as Howard said. By booting from Safe Mode, to recovery console, back to safe mode, and removing these files and reg keys, once they are all gone, ewido and all the rest of the tools, will be able to remove the rest of the traces. But so long as the notify key and services are loading, you cannot remove them even from Safe Mode.

You will need your XP CD to get to Recovery Console, and you'll need to be somewhat familiar with the command line and using the ATTRIB command. You'll also need to be familiar with editing the registry.

Well, are you game?

(p.s. Of course HJT says the files are missing for some of those, which is likely true, but the keys themselves still need to be gone)
 
"Are you sure you wish to remove Network Monitor? Removing this application may cause dependent applications to stop functioning."
[Yes] [No]
(I click yes: An error has occurred removing Network Monitor. Network Monitor has not been removed [Ok])

Other than that, what is that Console removing thingy? And Vundofix freezes my comp; what am I supposed to do about that?
I am removing that file that starts with mljgh.dll that is part of winupdates, as the last post has said.
 
The fixers can't delete the files because they are in use. Have to go in Recovery Console and delete them in command line.

The funky file is a random name; if you try to remove it, it will create another one. You basically have to just write down the name, DON'T try to remove it, then restart into Recovery Console and delete the files. Then boot back into Safe Mode; the services and notify entries won't be able to run, and can be deleted.

To get into Recovery Console, you have to boot off your XP CD. At the first menu, press R to get there, then follow the prompts.
Once in RC you'll be at a command line such as:
c:\>windows\
or something like that. You have to change directory to system32 or wherever, and delete those files with the del command. If they have access denied, you'll have to use attrib to remove read only, system, and hidden attributes.

Ok Howard, I wasn't sure if those were in your links, I didn't follow them :)

But it is getting more and more common for malware to insert itself into notify and services, where they run even in safe mode and can't be removed without deleting the files in recovery console. Because they latch onto winlogon.exe.
Nasty little buggers.
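Added here as an illustration, and not code from the thread or from HijackThis: a small Python triage pass that applies, to entries copied from the log above, the rules Howard's fix list and the last post use by eye. It flags O23 services with an unknown owner and a missing binary, a DLL that is registered both as a browser helper object and as a Winlogon Notify package (the mljgh.dll case), and an O4 startup entry whose name is one character off a core Windows process (csrrs.exe vs. csrss.exe) or that carries no path at all. The allowlist of core process names and the rule thresholds are my own constructions.

```python
import re

# Entries copied from the HijackThis v1.99.1 log posted in this thread; a few
# clean ones are kept beside the suspicious ones so the rules can be seen to
# discriminate.
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\mljgh.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [System] C:\WINDOWS\system\sysctrl.exe /a",
    r"O4 - HKLM\..\RunServices: [csr] csrrs.exe",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll",
    r"O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1\command.exe (file missing)",
    r"O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)",
]

# Constructed allowlist of core Windows XP process names that malware likes
# to imitate (the thread's csrrs.exe next to the legitimate csrss.exe).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First quoted or unquoted token ending in .exe/.dll, with any arguments dropped.
IMAGE_RE = re.compile(r'^"?(?P<image>[^"]*?\.(?:exe|dll))', re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lookalike_of(name):
    """Return the core process that `name` is one character away from, or None."""
    for legit in CORE_PROCESSES:
        if name != legit and edit_distance(name, legit) == 1:
            return legit
    return None


def triage(lines):
    """Return (log line, reason) pairs for entries that deserve a closer look."""
    findings = []
    bho_dlls, notify_dlls = {}, {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O23":
            # No vendor string and the binary is gone: exactly the services
            # Howard has the poster stop, disable and fix.
            if "Unknown owner" in body and body.endswith("(file missing)"):
                findings.append((raw, "service with unknown owner and missing binary"))
        elif kind == "O4":
            target = body.split("] ", 1)[-1]
            im = IMAGE_RE.match(target)
            if not im:
                continue
            image = im.group("image")
            name = basename(image)
            legit = lookalike_of(name)
            if legit:
                findings.append((raw, f"{name} is one character off system process {legit}"))
            if "\\" not in image:
                findings.append((raw, f"{name} has no path and is resolved via the search path"))
        elif kind in ("O2", "O20"):
            # For both entry types the last " - " separated field is the DLL path.
            store = bho_dlls if kind == "O2" else notify_dlls
            store[basename(body.rsplit(" - ", 1)[-1])] = raw
    # One DLL hooked into both the browser and winlogon is the pattern the last
    # post describes: it is loaded even in safe mode, so the file cannot be deleted.
    for dll in bho_dlls.keys() & notify_dlls.keys():
        findings.append((bho_dlls[dll], f"{dll} is also a Winlogon Notify package"))
        findings.append((notify_dlls[dll], f"{dll} is also a browser helper object"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```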
 