NT Authority\System error message - Help plz


di3sel

Hi, I'm new to this forum and I think my computer just got infected. I did check the other post 'nt authority\system error' on this forum and attempted the "Viruses/Spyware/Malware, preliminary removal instructions", but before I could get to task 3, which was using the Trend Micro online virus scanner, my computer restarts. I used the "shutdown -a" command in Run and it helps by delaying the restart time to maybe 15-20 mins, but it's not enough time for the scanner to delete the items. It shows the results of 10 infected items, but before the items can be removed the computer restarts. I know disconnecting the computer from the internet would do, but then I need to be online to use the program. So any advice would help. Thanks in advance.
 
Hello and welcome to Techspot.

Go and read this thread HERE and post an HJT log as an attachment into this thread.

Regards Howard :wave: :wave:

This thread is for the use of di3sel only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Hey Howard, I'm only able to run an HJT log in SAFE MODE. If I load Windows normally, before my system can be scanned my computer restarts. I tried the "shutdown -a" command; it doesn't work anymore.
 
Your system is very badly infected with a variety of malware.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

Let me know how you wish to proceed.

Regards Howard :)

 
Ok, follow these instructions exactly.

Download LSPFix from http://cexx.org/lspfix.htm
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of cirywofylnvba.dll and rsvp32_2.dll in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer and reconnect to the net.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the green light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there).

KuGoo2

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

MSDN Driver (msdndr) < Disable the service name and/or the name in brackets.

Close the services window.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to them (if there).

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

Fix all O1 - Hosts: Entries.

O2 - BHO: (no name) - {514CB15B-6CB4-6F10-5E9E-256DE8B02317} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: (no name) - {8731DA43-3A6B-DFC7-4924-B93ED9BA71EC} - (no file)

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe

O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe

O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')

O8 - Extra context menu item: ʹÓÃKugooÏÂÔØ - C:\Program Files\KuGoo2\KugooDownX.htm

O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mlslink.mlxchange.com/Control/MultiSelectComboBox.cab

O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlslink.mlxchange.com/Control/MLXClientUtils.cab

O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mlslink.mlxchange.com/Control/IRCSharc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{105824B1-0655-4D30-990F-C7730AFC4EB4}: NameServer = 151.11.169.10

O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7C4F64-90F7-4511-8D63-E4C78D75AD69}: NameServer = 151.11.169.10

O17 - HKLM\System\CCS\Services\Tcpip\..\{3FE34D40-FA1D-4CDB-948A-B363292C703E}: NameServer = 151.11.169.10

O17 - HKLM\System\CCS\Services\Tcpip\..\{7AD0BCDE-95F9-440F-BBB1-78956550D193}: NameServer = 151.11.169.10

O17 - HKLM\System\CCS\Services\Tcpip\..\{A34D7CB5-2F06-4350-9848-0FF3447ABC51}: NameServer = 151.11.169.10

Only fix the above O17 entries if they don't belong to your ISP.

Fix all O18 - Protocol: Entries.

O20 - AppInit_DLLs: C:\WINDOWS\system32\syst3.dll

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

O23 - Service: MSDN Driver (msdndr) - Unknown owner - C:\WINDOWS\system32\msdndr.pif

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\KuGoo2 < Delete the entire folder.

Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log from normal mode if you can.

Regards Howard :)

 

Attachment: New Text Document.txt (290 bytes)
Right now I'm using my other computer to reply on this forum. On my infected computer, even if I disconnect from the net, it still restarts my computer. So is there any solution to stop it from restarting so I could fix it?
 
Download and install the Microsoft Malicious Software Removal Tool. You'll probably need to run it from safe mode.

Hopefully, it'll allow you to get rid of whatever is causing your problem.

Let me know the results and post the requested logfiles, if you can.

Regards Howard :)

 
I tried that program before I started this post and it said it couldn't find anything. I remember I did it in SAFE MODE as well.
 
"Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log from normal mode if you can"

Is that the file you requested? Like I said, my computer restarts within about 2 mins of logging into my account. Unless you want the avenger.txt from SAFE MODE?
 
Yes, those are the logfiles I want to see. It doesn't matter if they're from safe mode at this stage.

Regards Howard :)

 
Just want to update you on my current status.

Steps taken:

1. Used LSPFix in SAFE MODE
2. Used Avenger in SAFE MODE/NORMAL MODE

3. Currently scanning the computer in NORMAL MODE with Trend Micro HouseCall online.
It seems like after steps 1 and 2 my computer stopped restarting, so I'm scanning in NORMAL MODE right now. I will post a new HJT file right after this scan.

The attached log is from Avenger after reboot.


OK, my computer restarted once again before Trend Micro could finish scanning. So what should I do now? Continue following the post before?
 
You didn't attach the HJT log I requested. Please do so in your next reply.

Skip the Trend scan and continue with the rest of the instructions HERE.

Post as many of the requested log files as you can.

Regards Howard :)

 
So an HJT log in SAFE MODE is OK, right? Because I don't think I would have enough time to do it in NORMAL MODE. I will post an HJT log when I get home tonight (in 9-10 hrs).
 
This is the new HJT log that I've just done in SAFE MODE.

So should I continue following the steps in SAFE MODE, skipping the online Trend scan?
 
Yes, follow the instructions from safe mode if you can.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

MSDN Driver (msdndr) < Disable the service name and/or the name in brackets.

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end the process for the following (if there).

msdndr.pif
ntos.exe
spoolsvv.exe

Close task manager.


Run HJT and fix the following entries.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

Fix all O1 - Hosts: entries.

O2 - BHO: (no name) - {514CB15B-6CB4-6F10-5E9E-256DE8B02317} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: (no name) - {8731DA43-3A6B-DFC7-4924-B93ED9BA71EC} - (no file)

O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe

O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe

O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')

O8 - Extra context menu item: ʹÓÃKugooÏÂÔØ - C:\Program Files\KuGoo2\KugooDownX.htm < Fix this and uninstall the programme.

O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mlslink.mlxchange.com/Control/MultiSelectComboBox.cab

O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlslink.mlxchange.com/Control/MLXClientUtils.cab

O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mlslink.mlxchange.com/Control/IRCSharc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{105824B1-0655-4D30-990F-C7730AFC4EB4}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7C4F64-90F7-4511-8D63-E4C78D75AD69}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FE34D40-FA1D-4CDB-948A-B363292C703E}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AD0BCDE-95F9-440F-BBB1-78956550D193}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{A34D7CB5-2F06-4350-9848-0FF3447ABC51}: NameServer = 151.11.169.10

Fix the above O17 entries only if they don't belong to your ISP.

Fix all O18 - Protocol: entries.

O20 - AppInit_DLLs: C:\WINDOWS\system32\syst3.dll

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)

O23 - Service: MSDN Driver (msdndr) - Unknown owner - C:\WINDOWS\system32\msdndr.pif (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\system32\msdndr.pif
C:\WINDOWS\system32\syst3.dll
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\spoolsvv.exe

Without rebooting your system, follow the rest of the instructions and post all the requested logfiles.

Regards Howard :)

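The two instruction posts above (the first HJT fix list and the repeat of it for safe mode) amount to a set of rules about which persistence points are suspicious and why: an extra binary in the Userinit chain, Run values whose image mimics a system binary (spoolsvv.exe against spoolsv.exe, the confusion di3sel raises further down) or whose value name borrows a system name for a different file, autoruns in the SYSTEM account's hive, AppInit_DLLs and Winlogon Notify entries, a service whose image is a .pif, and per-interface NameServer values pointing at a resolver the ISP never handed out. The Python script below is an added example that encodes those rules and runs them over the log lines quoted in this thread; it is not from the thread, from Howard, or from HijackThis. The expected resolver (192.0.2.53), the trusted ActiveX host, the list of system binaries and the two benign control lines are assumptions constructed for the example, not facts from the log.

```python
"""Rule-based triage of HijackThis-style log lines; each finding says why."""
import re
from collections import Counter, namedtuple

# Windows binaries that malware mimics with one-character name changes (assumed list).
KNOWN_BINARIES = {"userinit.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                  "winlogon.exe", "services.exe", "smss.exe", "explorer.exe", "ctfmon.exe"}
EXPECTED_NAMESERVERS = {"192.0.2.53"}          # assumed: the ISP's resolver
TRUSTED_DPF_HOSTS = {"update.microsoft.com"}   # assumed: known-good ActiveX (O16) source
SCRIPT_LIKE = {".pif", ".scr", ".com", ".bat", ".cmd"}  # never a sane service image
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|pif|com|scr|bat|cmd|dll))', re.I)
Finding = namedtuple("Finding", "code severity reason line")

def edit_distance(a, b):
    """Levenshtein distance; catches spoolsvv.exe-style lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(filename):
    """The legitimate binary `filename` mimics within one edit, else None."""
    name = filename.lower()
    if name in KNOWN_BINARIES:
        return None
    return next((k for k in sorted(KNOWN_BINARIES) if edit_distance(name, k) == 1), None)

def image_name(text):
    """Lower-cased basename of the first Windows path in `text`, or "" if none."""
    m = PATH_RE.search(text)
    return m.group(1).split("\\")[-1].lower() if m else ""

def triage_line(line):
    """Findings for one HJT line; an empty list means it looks benign."""
    m = re.match(r"([A-Z]\d+) - (.*)$", line.strip())
    if not m:
        return []
    code, body = m.groups()
    out = []
    def flag(severity, reason):
        out.append(Finding(code, severity, reason, line.strip()))
    if code == "F2" and (um := re.search(r"UserInit=(.*)$", body, re.I)):
        extras = [image_name(p) for p in um.group(1).split(",") if image_name(p) not in ("", "userinit.exe")]
        if extras:
            flag("high", f"Userinit chain also starts {', '.join(extras)}; only userinit.exe belongs there")
    elif code == "O4" and (rm := re.match(r"(.*?):\s*\[(.*?)\]\s*(.*)$", body)):
        hive, name, cmd = rm.groups()
        exe = image_name(re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd))   # drop HJT's user suffix
        expected = name.lower() if name.lower().endswith(".exe") else name.lower() + ".exe"
        if exe and lookalike(exe):
            flag("high", f"{exe} mimics the system binary {lookalike(exe)}")
        if exe and expected in KNOWN_BINARIES and exe != expected:
            flag("high", f"value named like {expected} actually runs {exe}")
        if "S-1-5-18" in hive:
            flag("medium", "autorun registered in the SYSTEM account's hive")
    elif code == "O16" and (hm := re.search(r"https?://([^/\s]+)", body)):
        if hm.group(1).lower() not in TRUSTED_DPF_HOSTS:
            flag("medium", f"ActiveX control fetched from untrusted host {hm.group(1)}")
    elif code == "O17" and (nm := re.search(r"NameServer\s*=\s*(.*)$", body)):
        rogue = [s for s in re.split(r"[,\s]+", nm.group(1)) if s and s not in EXPECTED_NAMESERVERS]
        if rogue:
            flag("high", f"interface DNS points at unexpected resolver {', '.join(rogue)}; confirm with the ISP before fixing")
    elif code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        flag("high", f"{image_name(body)} is injected into every user32-linked process via AppInit_DLLs")
    elif code == "O20" and body.startswith("Winlogon Notify:"):
        flag("high", f"{image_name(body)} loads into winlogon.exe (SYSTEM) at every logon")
    elif code == "O23":
        img = image_name(body)
        if img[img.rfind("."):] in SCRIPT_LIKE:
            flag("high", f"service image {img} has a non-executable extension")
        elif "Unknown owner" in body or "(file missing)" in body:
            flag("medium", "service with unknown owner or missing image; verify before re-enabling")
    return out

def triage(log_text):
    return [f for ln in log_text.splitlines() for f in triage_line(ln)]

def summarize(findings):
    return dict(Counter(f.severity for f in findings))

# Constructed sample: entries quoted from this thread's HJT log plus two benign
# control lines (a normal ctfmon autorun and an interface using the expected resolver).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mlslink.mlxchange.com/Control/MLXClientUtils.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{105824B1-0655-4D30-990F-C7730AFC4EB4}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A7C4F64-90F7-4511-8D63-E4C78D75AD69}: NameServer = 192.0.2.53
O20 - AppInit_DLLs: C:\WINDOWS\system32\syst3.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O23 - Service: MSDN Driver (msdndr) - Unknown owner - C:\WINDOWS\system32\msdndr.pif (file missing)
"""
```

Calling `triage(SAMPLE_LOG)` returns one Finding per reason (the SYSTEM-hive ntos.exe line yields two), and `summarize()` gives the per-severity count; the two control lines produce nothing. The O17 rule deliberately says "confirm with the ISP" rather than "fix", matching the caveat in the post above: a NameServer value is only a hijack if you know what the legitimate resolver should be, which is why the expected address is a setting and not a hard-coded verdict.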
 
OK, currently I've fixed all the entries you've told me to fix in HJT except for

O23 - Service: MSDN Driver (msdndr) - Unknown owner - C:\WINDOWS\system32\msdndr.pif (file missing)


because I could not find it. As for the files in bold that you want me to delete,

C:\WINDOWS\system32\msdndr.pif
C:\WINDOWS\system32\syst3.dll
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\spoolsvv.exe

I could not find any of these files in the system32 folder, except for this file which is kinda close, "spoolsv.exe", and I want to confirm with you before deleting.

And what do you mean by "Without rebooting your system, follow the rest of the instructions and post all the requested logfiles"?

Which instructions?
 
Do not delete the spoolsv.exe file as it is a legit file. Don't worry that you couldn't find some of the files I asked you to delete. I did say "if there".

Your HJT log is looking much better.

However, there's still one entry we need to get rid of, plus one I want you to stop.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to them (if there).

O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')

O8 - Extra context menu item: ʹÓÃKugooÏÂÔØ - C:\Program Files\KuGoo2\KugooDownX.htm

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\KuGoo2 < Delete the entire folder.

Reboot your system into normal mode, then follow the instructions HERE and post all the requested logfiles.

Regards Howard :)

 
OK, it seems like something is still causing the restart on my computer. The attached logfile from HJT is from NORMAL MODE, not SAFE MODE.

Another thing is that before my computer restarts, I'm having trouble connecting to the internet through Internet Explorer. Could it have been something I've deleted in HJT earlier?
 
Your HJT log is now clean.

However, it appears you're not running any antivirus or firewall software. This is a huge security risk. You should download, install and run antivirus and firewall software ASAP. See the link below for details.

I also suggest that you try using Firefox instead of IE as your browser and see if that helps.

Please go HERE and follow the instructions, then post all the requested logfiles.

Regards Howard :)

 
So I could follow the rest of the instructions on the link you've provided to me in SAFE MODE, right?
 