Help with my HJT log please.
- Thread starter PixieB
- Start date
- Status
I just found some instructions for editing the boot.ini file direct from microsoft, here they are - http://support.microsoft.com/kb/289022
The rem[space] command is one that I know that older versions of windows had no problem with. It's an instruction to ignore the command. Try it first of all as it allows preservation and later restoration of the command if it should be needed.
If the pc boots perfectly with no errors then you can delete the line. I'm just doing my best to be cautious as the last thing i want is for you to end up with a pc that wont boot.
If the pc boots perfectly with no errors then you can delete the line. I'm just doing my best to be cautious as the last thing i want is for you to end up with a pc that wont boot.
PixieB
Posts: 24 +0
Hi ,
I did it , first one with rem[space] and it booted fine and 2d time i deleted line and rebooted again.
Result : Windows loading fine straight to Windows XP home edition,
just have still 1 issue on loading ,that "RegRun PARTIZAN Greatis Software (c) 2006 ... " message appears right before desktop loads and it feels like some program working on background...or trying to.
Here are fresh logs attached, please kindly check.
Thank you
I did it , first one with rem[space] and it booted fine and 2d time i deleted line and rebooted again.
Result : Windows loading fine straight to Windows XP home edition,
just have still 1 issue on loading ,that "RegRun PARTIZAN Greatis Software (c) 2006 ... " message appears right before desktop loads and it feels like some program working on background...or trying to.
Here are fresh logs attached, please kindly check.
Thank you
momok
Posts: 2,127 +6
Thanks Rik for helping with the boot line thinggy. =)
PixieB:
I must admit I'm pretty stumped by that, because your logs show NO traces of any Greatis Software or even anything remotely related to RegRun. Have you installed it before?
I'd just like you to visit this site - http://virusscan.jotti.org/
Enter this into the field where it says 'File to upload and scan'
C:\WINDOWS\System32\npkcsvc.exe
Also, I wish to check if these folders were created by you, and if so, for what purposes. Also let me know the contents of the folder.
C:\bbackup
C:\Program Files\ping fast defy
C:\Documents and Settings\All Users\Application Data\STORE LESS JUGS SURF
C:\Documents and Settings\All Users\Application Data\64BendShimDraw
Regards,
momok =)
PixieB:
I must admit I'm pretty stumped by that, because your logs show NO traces of any Greatis Software or even anything remotely related to RegRun. Have you installed it before?
I'd just like you to visit this site - http://virusscan.jotti.org/
Enter this into the field where it says 'File to upload and scan'
C:\WINDOWS\System32\npkcsvc.exe
Also, I wish to check if these folders were created by you, and if so, for what purposes. Also let me know the contents of the folder.
C:\bbackup
C:\Program Files\ping fast defy
C:\Documents and Settings\All Users\Application Data\STORE LESS JUGS SURF
C:\Documents and Settings\All Users\Application Data\64BendShimDraw
Regards,
momok =)
PixieB
Posts: 24 +0
Hi,
I have a feeling that 'PARTIZAN Greatis software' is located somewhere on Administrator account. Because message pops up right before login screen in safe mode too. I decided not to wonder around anymore by myself and only do as you guys advise me. So, I wanted ask , if i need to check Administrator account or no?
C:\WINDOWS\System32\npkcsvc.exe - found nothing with online scan.
Folders:
C:\bbackup - created by me yesterday as folder for boot.ini back up ( should i delete it now?)
C:\Program Files\ping fast defy - empty , created by some malware ,contents deleted by SSD after scan while ago.
C:\Documents and Settings\All Users\Application Data\STORE LESS JUGS SURF - empty , created by web i believe , I don't really remember this folder being in my PC.
C:\Documents and Settings\All Users\Application Data\64BendShimDraw- contains thiseq.exe , I have no idea what it is and it shows only in 'show all folders....' mode.
I scanned thiseg.exe with online scan you advised me, here are scary results of scan in attached file , in note pad.
Any suggestions?
Edit: I use BT Voyager with whole AOL set. When i switched to AOL Broadband they sent whole setup with BT Voyager 105 USV ADSL Modem, so they working together pretty good.
Thank you.
I have a feeling that 'PARTIZAN Greatis software' is located somewhere on Administrator account. Because message pops up right before login screen in safe mode too. I decided not to wonder around anymore by myself and only do as you guys advise me. So, I wanted ask , if i need to check Administrator account or no?
C:\WINDOWS\System32\npkcsvc.exe - found nothing with online scan.
Folders:
C:\bbackup - created by me yesterday as folder for boot.ini back up ( should i delete it now?)
C:\Program Files\ping fast defy - empty , created by some malware ,contents deleted by SSD after scan while ago.
C:\Documents and Settings\All Users\Application Data\STORE LESS JUGS SURF - empty , created by web i believe , I don't really remember this folder being in my PC.
C:\Documents and Settings\All Users\Application Data\64BendShimDraw- contains thiseq.exe , I have no idea what it is and it shows only in 'show all folders....' mode.
I scanned thiseg.exe with online scan you advised me, here are scary results of scan in attached file , in note pad.
Any suggestions?
Edit: I use BT Voyager with whole AOL set. When i switched to AOL Broadband they sent whole setup with BT Voyager 105 USV ADSL Modem, so they working together pretty good.
Thank you.
momok
Posts: 2,127 +6
Hi,
Next, login with your administrator account and do a HJT scan followed by ComboFix scan. Post the logs back here.
Regards,
momok =)
This thread is for the use of PixieB only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
- Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):
- Save this as CFScript on the desktop.
- Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
- ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang
Next, login with your administrator account and do a HJT scan followed by ComboFix scan. Post the logs back here.
Regards,
momok =)
This thread is for the use of PixieB only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
PixieB
Posts: 24 +0
Hi,
Ok it is done , here are fresh logs.
Note: During ComboFix scan AVG message popped out "Threat Found" and it was Trojan located in hidden folder : C:\Documents and Settings\Andrew\Application Data\ping fast defy . AVG moved it into Virus Vault.
By the way, i have lots of files in Virus Vault. Do i need delete them all? Or leave them there?
thanks.
Ok it is done , here are fresh logs.
Note: During ComboFix scan AVG message popped out "Threat Found" and it was Trojan located in hidden folder : C:\Documents and Settings\Andrew\Application Data\ping fast defy . AVG moved it into Virus Vault.
By the way, i have lots of files in Virus Vault. Do i need delete them all? Or leave them there?
thanks.
momok
Posts: 2,127 +6
Hi,
You may wish to copy and paste these instructions on notepad for easier reference later.
PS. We'll leave the virus vault until later. Do you still get that RegRun message? If possible, please post a screenshot if it is still there. Thanks.
Regards,
momok =)
This thread is for the use of PixieB only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
You may wish to copy and paste these instructions on notepad for easier reference later.
- Boot into safe mode under your normal user name. See how HERE
- Next turn on "Show all files and folders, including hidden and system". See how HERE
- After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {26D6D14C-85B6-42C6-D63F-1239DB18C2E4} - (no file)
Close HJT.
- Navigate in Windows Explorer and delete the following files and folders in bold.
C:\Documents and Settings\Andrew\Application Data\ping fast defy
- Reboot into normal mode and rehide your protected OS files.
PS. We'll leave the virus vault until later. Do you still get that RegRun message? If possible, please post a screenshot if it is still there. Thanks.
Regards,
momok =)
This thread is for the use of PixieB only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
momok
Posts: 2,127 +6
Hi,
Your logs look clean now.
Regarding the RegRun loading message, have you every installed that program before? RegRun itself is a safe program; since the loading message shows 2006, I presume it was installed quite some time back, so it would not show up in combofix logs. Could you conduct a search on your system for the following terms? Also check if it exists in your Add/Remove Programs list in Control Panel
PARTIZAN and RegRun
Let me know the results.
Regards,
Your friendly momok =)
This thread is for the use of PixieB only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Your logs look clean now.
- Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)
- Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.
- After that turn system restore back on.
This would have created a new safe and clean restore point for your system.
- Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.
Regarding the RegRun loading message, have you every installed that program before? RegRun itself is a safe program; since the loading message shows 2006, I presume it was installed quite some time back, so it would not show up in combofix logs. Could you conduct a search on your system for the following terms? Also check if it exists in your Add/Remove Programs list in Control Panel
PARTIZAN and RegRun
Let me know the results.
Regards,
Your friendly momok =)
This thread is for the use of PixieB only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
PixieB
Posts: 24 +0
Hi momok and Rik ,
1.I did empties AVG virus vault and made new system restore point as you told to.
2.Searched all files and folders and found folder named " RegRun2" in C:\Documents and Settings\Andrew\My Documents\RegRun2
It contains following folders and file:
back06d_12m_06y_135851
back06d_12m_06y_135857
RegRun2.rr2
There are more folders inside these and contain some kind of back up files and MS-DOS Batch Files called "restore"
Do you think these bring that RegRun messege at Windows loading screen?
3. I use AOL software for connection , and AOL dialer was included automaticly in installation. I do use it sometimes for quick connection to play online games. I know this AOL dialer is unessesery program to AOL but I coudn't unistall it because it unistalls whole AOL thingy.
Thank you again for your time and help. Must say computer runs really fast now , I am so pleased!
1.I did empties AVG virus vault and made new system restore point as you told to.
2.Searched all files and folders and found folder named " RegRun2" in C:\Documents and Settings\Andrew\My Documents\RegRun2
It contains following folders and file:
back06d_12m_06y_135851
back06d_12m_06y_135857
RegRun2.rr2
There are more folders inside these and contain some kind of back up files and MS-DOS Batch Files called "restore"
Do you think these bring that RegRun messege at Windows loading screen?
3. I use AOL software for connection , and AOL dialer was included automaticly in installation. I do use it sometimes for quick connection to play online games. I know this AOL dialer is unessesery program to AOL but I coudn't unistall it because it unistalls whole AOL thingy.
Thank you again for your time and help. Must say computer runs really fast now , I am so pleased!
momok
Posts: 2,127 +6
I would like you to just open ccleaner and under "tools" check if there is any regrun/partizan/greatis entry under the uninstall list.
If there is, uninstall it, before proceeding to delete the entire RegRun2 folder and its contents. If there isn't go ahead and delete the folder.
Hopefully that solves your problem. Do let us know if this works.
Regards,
momok =)
If there is, uninstall it, before proceeding to delete the entire RegRun2 folder and its contents. If there isn't go ahead and delete the folder.
Hopefully that solves your problem. Do let us know if this works.
Regards,
momok =)
PixieB
Posts: 24 +0
Hi,
I did deleted the whole folder (there wasn't anything on ccleaner uninstall list), but the messege still there. I fail to understand how and why because it just appeared when i started having computer probllems week ago. Asked my husband too , he says he did restore one folder with registry back up of some kind ( he thought it will bring back shut down button and run button) . I don't know where to look anymore , its a mistery ...
thank you
I did deleted the whole folder (there wasn't anything on ccleaner uninstall list), but the messege still there. I fail to understand how and why because it just appeared when i started having computer probllems week ago. Asked my husband too , he says he did restore one folder with registry back up of some kind ( he thought it will bring back shut down button and run button) . I don't know where to look anymore , its a mistery ...
thank you
momok
Posts: 2,127 +6
Hi,
Let's give it a last shot. Run CCleaner and make sure it is up to date. Click on "registry" on the left hand side of the tabs.
Ensure all checkboxes are ticked before clicking on "Scan Issues". After the scan, select "Fix all selected issues" and when prompted to save your registry, select yes. Save a backup somewhere that you can remember.
There will be a second prompt asking you to fix the issues. Don't fix anything yet.
Go to start > run > type "regedit". Press Ctrl+f to bring up the search function and search for all instances of RegRun/Partizan/Greatis. Delete them and return to CCleaner.
Select "Fix all selected issues" before closing ccleaner and reboot your system.
Let me know the results, thanks.
Regards,
momok
Let's give it a last shot. Run CCleaner and make sure it is up to date. Click on "registry" on the left hand side of the tabs.
Ensure all checkboxes are ticked before clicking on "Scan Issues". After the scan, select "Fix all selected issues" and when prompted to save your registry, select yes. Save a backup somewhere that you can remember.
There will be a second prompt asking you to fix the issues. Don't fix anything yet.
Go to start > run > type "regedit". Press Ctrl+f to bring up the search function and search for all instances of RegRun/Partizan/Greatis. Delete them and return to CCleaner.
Select "Fix all selected issues" before closing ccleaner and reboot your system.
Let me know the results, thanks.
Regards,
momok
PixieB
Posts: 24 +0
Hi,
This Regrun becoming really painful... I did like you told me to and found registry Greatis folder and deleted everything , finished with CCleaner and restarted computer. The message appeared again and when i checked via regedit Greatis magicly reanimated itself ...Here is screenshot of my desktop in registry. Any ideas?
thank you for your help!
This Regrun becoming really painful... I did like you told me to and found registry Greatis folder and deleted everything , finished with CCleaner and restarted computer. The message appeared again and when i checked via regedit Greatis magicly reanimated itself ...Here is screenshot of my desktop in registry. Any ideas?
thank you for your help!
momok
Posts: 2,127 +6
Hi,
I must admit I'm pretty surprised myself.
However, since the Greatis registry entries were re-created, it should show up in a ComboFix scan. Please run ComboFix and attach attach the log in your next reply.
Also, I would like you to download and run this program here. When the program runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.
Attach the autoruns and ComboFix log in your next reply.Thanks.
Regards,
momok =)
I must admit I'm pretty surprised myself.
However, since the Greatis registry entries were re-created, it should show up in a ComboFix scan. Please run ComboFix and attach attach the log in your next reply.
Also, I would like you to download and run this program here. When the program runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.
Attach the autoruns and ComboFix log in your next reply.Thanks.
Regards,
momok =)
- Status
Similar threads
Latest posts
-
Ghost kitchens are vanishing due to mounting criticism and demand
- Tinderbox replied
-
Fallout TV show secures second season after stellar debut- Che Cazzo replied
-
Logitech thinks the computer mouse needs an AI upgrade- techstrike replied
-
Hackers attempted to trick LastPass employee with cloned voice of CEO- antiproduct replied
