TechSpot

Getting rid of Winupdates

By Jellybean
Mar 18, 2006
Topic Status:
Not open for further replies.
  1. Hey, I'm new here, but that isn't really as important as my computer's safety :(
    Right now I have 2 little viruses, or I think they're trojans/keyloggers, on my computer known as winupdates.exe and p2pnetworking.exe (executable files).
    I have read your site multiple times for info on removing it, but I couldn't :(
    Anyone know how to remove them?
    I used AVG
    SE personal
    antispy.info
    Diskeeperlite

    But when I removed them they still affected my computer. My computer is much slower than before and there are plenty of other problems like pop-ups.
    The other problem is that my task manager has been disabled by winupdates.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

  3. Jellybean

    Jellybean TS Rookie Topic Starter

    Thanks for the info :angel: I'll be sure to do so, and I have to do it quickly though because this virus or whatever is starting to annoy me :knock:

    Oh no, I've followed the procedure but I still get the winfixer2006 and all those stupid pop-up ads.
    One problem I have is that I deleted the source of this (programfiles\winupdates\winupdate.exe),
    and it says to delete this in safe mode and I didn't do that :[
    I still have all the problems; a bit more help would be needed.
     
  4. Jellybean

    Jellybean TS Rookie Topic Starter

    Here is what I deleted off my computer:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 9:23:13 PM, 3/18/2006
    + Report-Checksum: F52D5EEC

    + Scan result:

    HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup
    HKLM\SOFTWARE\WhenUSave -> Adware.SaveNow : Cleaned with backup
    HKLM\SOFTWARE\WhenUSave\Partners -> Adware.SaveNow : Cleaned with backup
    HKLM\SOFTWARE\WhenUSave\Partners\WUSV -> Adware.SaveNow : Cleaned with backup
    HKU\S-1-5-21-2416043488-3258225091-2533144545-1006\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup


    ::Report End

    I still have the pop-up ads problem -.-"

    I also have this virus on my computer:

    Information about p2pnetworking.exe file
    File: p2pnetworking.exe
    Name: (p2pnetworking.exe)
    Product:
    Manufacturer:

    User feedback
    There were 4 user requests for that file. 2 users classify it as a little bit dangerous. 2 users classify it as dangerous and recommend removing p2pnetworking.exe. 1 user didn't classify it ("don't know").

    Rating / Opinion / From
    It is a very dangerous worm that hijacks any file sharing apps you have and turns your machine into a server for someone else's files. REMOVE IMMEDIATELY (Fraktos Nirvana)
    Backdoor.Win32.Rbot.pd!!! link for more info (h2k.nl)
    It's part of Kazaa; it stays on your computer even if you remove it. I'm not sure what it does but I tried to remove it with no luck. ([BR]™)
    Panda Antivirus (Titanium) says unknown virus, please send to Panda. It runs hidden in the background and does something over the net. (Bdawg)
    If you know more about p2pnetworking.exe, share your knowledge and help other users.

    HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:32:16 PM, on 3/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system\sysctrl.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\mljgh.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [System] C:\WINDOWS\system\sysctrl.exe /a
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [xdticjzA] C:\WINDOWS\xdticjzA.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AgentSpyware] C:\Program Files\SoftwareDoctor\AgentSpyware\AgentSpyware.Exe -boot
    O4 - HKLM\..\RunServices: [csr] csrrs.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
    O4 - Global Startup: wmplayer.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
    O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} - http://downloads.shopathomeselect.com/axinstall/SRInstall4110_sp2.cab
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1\command.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Diskeeper - Unknown owner - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\xdticjz.exe (file missing)
    O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

    ~~~~~~~~~~~~~~~~~~~~~~~

    Problem: CANNOT USE TASK MANAGER (ALT + DELETE + CTRL)
     
  5. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    You have to turn off System Restore after booting into safe mode to remove viruses. Most new viruses self-regenerate from restore files. After removing them successfully you can turn it back on.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19


    Which of the above instructions are you having trouble following?

    Go back and follow all the instructions I gave you. In addition, go HERE and follow the instructions as well.

    Regards Howard :)
     
  7. kirock

    kirock TS Rookie Posts: 1,598

    I wonder if someone here should update RBS's instructions and put the SAFE MODE and TURN OFF SYSTEM RESTORE in caps and bold? And/or a statement like "IMPORTANT! THIS MUST BE DONE". Everyone misses that.

    Just a thought.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I think you could put the instructions in flashing lights and people would still miss them lol.

    Regards Howard :)
     
  9. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    It still amazes me that people don't bother reading stickies when the title of the sticky obviously matches their problem.
     
  10. Jellybean

    Jellybean TS Rookie Topic Starter

    Guys, the problem: you guys have told me how to recover it? Well, I have gone into safe mode and all, and the restore thingy was off; then I ran ewido and deleted 23 infections, although I still have another problem. I think it is p2pnetworking's doing; how do I remove that?
     
  11. Jellybean

    Jellybean TS Rookie Topic Starter

    I got the winupdates virus back, help :'( I got rid of p2p though.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Post a fresh HJT log as an attachment.

    Regards Howard :)
     
  13. Jellybean

    Jellybean TS Rookie Topic Starter

    Logfile of HijackThis v1.99.1
    Scan saved at 5:37:32 PM, on 3/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system\sysctrl.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Hijackthis\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\mljgh.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [System] C:\WINDOWS\system\sysctrl.exe /a
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [xdticjzA] C:\WINDOWS\xdticjzA.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\RunServices: [csr] csrrs.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\Wtablet\TabUserW.exe
    O4 - Global Startup: wmplayer.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
    O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} - http://downloads.shopathomeselect.com/axinstall/SRInstall4110_sp2.cab
    O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1\command.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Diskeeper - Unknown owner - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\xdticjz.exe (file missing)
    O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I asked you twice to post your HJT log as an attachment. I also asked you to go and follow the instructions in all the links I gave you.

    You have not done any of that, or if you have, you've not done it properly.

    I am going to give you some more instructions. If you don't follow them this time, I won't help you any further.

    Go HERE and follow the instructions exactly.

    Then follow the instructions below.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your control panel. Uninstall anything to do with the following (if there):

    MyWebSearch
    Network Monitor

    Close control panel.

    Open your task manager by pressing the Ctrl/Alt/Delete keys together.

    Click on the Processes tab and end the process for the following (if there):

    sysctrl.exe
    sysctrl.exe /a
    xdticjzA.exe
    csrrs.exe <Not to be confused with csrss.exe which is legit
    command.exe

    Close task manager.

    Click start/run and type regsvr32 /u C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL into the run box and press the enter key.

    Again Click start/run and type regsvr32 /u C:\WINDOWS\system32\mljgh.dll into the run box and press the enter key.

    Make sure you type the above exactly, or clear the runbox and copy and paste.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Locate these services (if there) and double click on them one at a time. Select Stop if they are running. Set the startup type to Disabled.

    csr
    Command Service (cmdService)
    Network Monitor
    Diskeeper
    Windows Overlay Components
    WMDM PMSP Service

    Click apply/ok.

    Run HJT with no other programmes open. Have HJT fix the following by placing a tick in the little box next to each (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

    O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\mljgh.dll

    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

    O4 - HKLM\..\Run: [System] C:\WINDOWS\system\sysctrl.exe /a

    O4 - HKLM\..\Run: [xdticjzA] C:\WINDOWS\xdticjzA.exe

    O4 - HKLM\..\RunServices: [csr] csrrs.exe

    O4 - Global Startup: wmplayer.exe

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...arch.jhtml?p=ZU

    Fix all 016 DPF entries.

    O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1\command.exe (file missing)

    O23 - Service: Diskeeper - Unknown owner - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe (file missing)

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\xdticjz.exe (file missing)

    O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following folders and/or files (if there).

    C:\WINDOWS\system\sysctrl.exe
    C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    C:\WINDOWS\system32\mljgh.dll
    C:\WINDOWS\system\sysctrl.exe /a
    C:\WINDOWS\xdticjzA.exe
    csrrs.exe You will have to search your system for this one.
    C:\WINDOWS\UGF1\command.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\xdticjz.exe


    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log as an ATTACHMENT.

    Regards Howard :)
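    The HJT log posted above and the entries Howard picks out of it for fixing follow a small set of patterns, so the first pass of that triage can be automated. The Python below is an added example written for this thread, not code from the original posts or from the HijackThis project: it parses the O4, O16, O20 and O23 line formats, applies heuristics built only from the cues the helpers in this thread rely on (startup targets with no path, look-alike names such as csrrs.exe against csrss.exe, binaries launched from C:\WINDOWS or C:\WINDOWS\system, Winlogon Notify DLLs outside a baseline, ActiveX O16 downloads, services with "Unknown owner" or "(file missing)") and reports why each line was flagged. The sample log lines are copied from the second log above; the Notify baseline (the default XP Notify subkeys plus Intel's igfxcui), the directory list, the core-process list and the function names are all constructed for the example.

```python
"""Triage helper for HijackThis (HJT) v1.99 logs.

Added example for this thread, not code from the original posts or from the
HijackThis project.  It parses the O4, O16, O20 and O23 line formats seen in
the logs above and flags entries using the cues the helpers in the thread
relied on.
"""
import re

# Constructed sample: lines copied from the second HJT log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system\sysctrl.exe /a
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - Global Startup: wmplayer.exe
O4 - HKLM\..\Run: [xdticjzA] C:\WINDOWS\xdticjzA.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1\command.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\xdticjz.exe (file missing)
"""

# Constructed baseline: default XP Winlogon Notify subkeys plus Intel's igfxcui.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}
# Core XP process names that malware imitates (csrrs.exe vs csrss.exe).
CORE_PROCESSES = {"csrss.exe", "smss.exe", "svchost.exe", "lsass.exe",
                  "winlogon.exe", "services.exe", "explorer.exe"}
# Startup binaries dropped here rather than in system32 or Program Files are suspect.
LEGACY_DIRS = {"c:\\windows", "c:\\windows\\system"}

RE_O4 = re.compile(r"^O4 - (?P<key>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.+)$")
RE_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
                    r"(?P<missing> \(file missing\))?$")


def _program_path(target: str) -> str:
    """Lower-cased path of the program an O4 entry launches; quotes, trailing
    arguments such as '/a' and the 'shortcut.lnk = path' form are stripped."""
    t = target.split(" = ", 1)[-1].strip()
    m = re.match(r'(?i)"?(.*?\.(?:exe|dll|scr|com|bat))\b', t)
    return (m.group(1) if m else t.split()[0]).lower()


def _one_edit_away(a: str, b: str) -> bool:
    """True when a and b are the same length and differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def report(log_text: str) -> dict:
    """Map each flagged HJT log line to the list of reasons it was flagged."""
    out = {}

    def flag(line, reason):
        out.setdefault(line, []).append(reason)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_O4.match(line):
            path = _program_path(m["target"])
            parent, _, exe = path.rpartition("\\")
            if not parent:
                flag(line, f"'{exe}' has no directory path, so which file runs depends on the search path")
            elif parent in LEGACY_DIRS:
                flag(line, f"'{exe}' runs from {parent}, not system32 or Program Files")
            for legit in CORE_PROCESSES:
                if exe != legit and _one_edit_away(exe, legit):
                    flag(line, f"'{exe}' is one character away from system process {legit}")
            if "RunServices" in m["key"]:
                flag(line, "RunServices is a Windows 9x-era key; XP software should not need it")
        elif RE_O16.match(line):
            flag(line, "ActiveX download (O16); the thread's advice is to fix every O16 entry")
        elif m := RE_O20.match(line):
            if m["name"].lower() not in KNOWN_NOTIFY:
                flag(line, f"Winlogon Notify DLL '{m['name']}' is outside the baseline; "
                           "Notify DLLs load under winlogon.exe even in safe mode")
        elif m := RE_O23.match(line):
            if m["owner"] == "Unknown owner" or m["missing"]:
                flag(line, "service with unknown owner or missing binary; the service key outlives the file")
    return out


if __name__ == "__main__":
    for flagged, reasons in report(SAMPLE_LOG).items():
        print(flagged)
        for why in reasons:
            print("   ->", why)
```

    Run it as a script to print the flagged sample lines, or call report() on the text of a saved log. The heuristics are structural, so a random-named binary sitting in system32 under a plausible [name] passes unflagged: this narrows the list a person has to read, it does not replace reading it.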
     
  15. Jellybean

    Jellybean TS Rookie Topic Starter

    My task manager doesn't work, so this process won't work (because of winupdates). I cannot use task manager because it's been disabled by winupdates.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You keep saying you've got winupdates, but I can't see it in your HJT log.

    How can I help you to get rid of something that's either not there or invisible?

    Try typing taskmgr.exe into the run box and press the enter key.

    If that doesn`t work, forget the task manager part at the moment and follow the rest of the instructions.

    Regards Howard :)
     
  17. Jellybean

    Jellybean TS Rookie Topic Starter

    Network Monitor won't remove from the Add/Remove Programs thingy. Is that something wrong? Because it won't get uninstalled.
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You are doing all this from safe mode, aren't you?

    Regards Howard :)
     
  19. Jellybean

    Jellybean TS Rookie Topic Starter

    Yup, all of it. I just got off because I thought maybe I could remove it in normal mode, so yeah...
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Well, I'm scratching my head here. I don't know what else to suggest.

    Either you're doing or not doing something, or you've got some kind of infection that can't easily be got rid of.

    Maybe you should consider doing a reformat and reinstall, after backing up your important data of course.

    Regards Howard :)
     
  21. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    Try this:
    http://www.bleepingcomputer.com/forums/topic18610.html

    If you have winfixer, you need the removal tool, which is the vundofix I believe. Remember, do ALL in Safe Mode! Log in to your administrator user account.

    2nd, the winupdates is usually a service or notify entry that can't be removed even from safe mode. These are the entries from your HJT log:

    O20 - Winlogon Notify: mljgh - C:\WINDOWS\system32\mljgh.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF1\command.exe (file missing)
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\xdticjz.exe (file missing)
    O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

    All these need to be removed. And why do I see Symantec if you use AVG? Those leftovers should be removed also.

    What needs to happen here is that you need to write down the name and path of these bad files, and then boot to Recovery Console and DELETE those files. Once they are all deleted, you can then delete the registry keys, services, notify entries and they won't come back.

    This is getting into advanced stuff, if you have enough patience to do it, then we can help. Otherwise consider a reload as Howard said. By booting from Safe Mode, to recovery console, back to safe mode, and removing these files and reg keys, once they are all gone, ewido and all the rest of the tools, will be able to remove the rest of the traces. But so long as the notify key and services are loading, you cannot remove them even from Safe Mode.

    You will need your XP CD to get to Recovery Console, and you'll need to be somewhat familiar with the command line and using the ATTRIB command. You'll also need to be familiar with editing the registry.

    Well, are you game?

    (p.s. Of course HJT says the files are missing for some of those, which is likely true, but the keys themselves still need to be gone)
     
  22. Jellybean

    Jellybean TS Rookie Topic Starter

    "Are you sure you wish to remove Network Monitor? Removing this application may cause dependent applications to stop functionings ? "
    [Yes] [No]
    (I click Yes: "An error has occurred removing Network Monitor. Network Monitor has not been removed." [OK])

    Other than that, what is that Console removing thingy? And Vundofix freezes my comp; what am I supposed to do about that?
    I am removing that file that starts with mljgh.dll that is part of winupdates, as the last post said.
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

  24. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    The fixers can't delete the files because they are in use. You have to go into Recovery Console and delete them from the command line.

    The funky file has a random name; if you try to remove it, it will create another one. You basically have to just write down the name, DON'T try to remove it, then restart into Recovery Console and delete the files. Then boot back into Safe Mode; the services and notify entries won't be able to run, and can be deleted.

    To get into Recovery Console, you have to boot off your XP CD. At the first menu, press R to get there, then follow the prompts.
    Once in RC you'll be at a command line such as:
    c:\>windows\
    or something like that. You have to change directory to system32 or wherever, and delete those files with the del command. If you get access denied, you'll have to use attrib to remove the read-only, system, and hidden attributes.

    Ok howard, I wasn't sure if those were in your links, I didn't follow them :)

    But it is getting more and more common for malware to insert itself into notify and services, where they run even in safe mode and can't be removed without deleting the files in recovery console. Because they latch onto winlogon.exe.
    Nasty little buggers.
     