Google redirects & spybot,hijack this problems


133 replies to this topic

#91 noahdfear


Posted 18 November 2009 - 05:00 PM

Hi arfon,

While working with the serv.txt log you uploaded I noticed that it appears some essential service keys are missing from your registry, and I need to verify. Please load MiniXP and Registry Editor PE, no user hive necessary, then copy and paste the contents of the code box below into a command window.

@echo off
reg save HKLM\_REMOTE_SYSTEM\ControlSet005\services "%userprofile%\desktop\services.hiv"
exit
cls

A file named services.hiv should appear on the desktop.
Please upload that file to my submission channel.
Dave



#92 arfon.jones


Posted 18 November 2009 - 05:21 PM

Hi Dave, file has been uploaded. Arfon

#93 noahdfear


Posted 18 November 2009 - 05:49 PM

Received, thanks! This may take me a while. ;)
Dave

#94 noahdfear


Posted 18 November 2009 - 08:51 PM

I found only a couple of inconsistencies and have fixed them.
Please download this file to the MiniXP desktop.
Start Registry Editor PE, no user hive necessary.
Once loaded, double click the downloaded file on the desktop.
When it closes, exit the registry editor, wait for the All Finished message and restart to see if the machine will boot normally.
Dave

#95 arfon.jones


Posted 19 November 2009 - 04:07 PM

Hi Dave, sorry to say but the last updated file was not successful. One thing I noticed on boot up that I haven't seen before: just before the Windows XP logo with strobing lights, a message in the top left corner: INVALID BOOT INI FILE BOOTING FROM C:\WINDOWS\. Don't know if that has any relevance. Many thanks, Arfon

#96 noahdfear


Posted 19 November 2009 - 09:15 PM

I'd like to make sure the hive was successfully imported. Please load MiniXP and Registry Editor PE, no user hive necessary, then copy and paste the contents of the code box below into a command window.

@echo off
reg save HKLM\_REMOTE_SYSTEM\ControlSet005\services "%userprofile%\desktop\services2.hiv"
exit
cls

A file named services2.hiv should appear on the desktop.
Please upload that file to my submission channel.

Next, let's check the boot.ini file. Paste the following into the command window, then post the log that opens.

type c:\boot.ini>%temp%\boot.txt
start notepad %temp%\boot.txt
exit
cls

Dave
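The boot.ini check above just types the file back out so the helper can read it. As an added example for this thread (not one of Dave's tools, and not from the original post), the Python below parses an XP boot.ini and reports the problems that would stop NTLDR from using it, covering the two failure modes this thread runs into: a file that is missing or empty, and a default= entry that no [operating systems] line matches. Both sample files are constructed.

```python
"""Sanity-check a Windows XP boot.ini the way the check above reads it back.
Added example for this thread, not one of the helper's tools; both sample
files below are constructed."""
import re

# ARC path form used by NT 5.x boot.ini entries, e.g.
#   multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
ARC_RE = re.compile(
    r"^(?:(?:multi|scsi)\(\d+\)|signature\([0-9a-f]+\))"
    r"disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\\S+$",
    re.IGNORECASE,
)

GOOD_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
"""

# Constructed failure case: default= names a partition no [operating systems] line describes.
MISMATCHED_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
"""


def parse_boot_ini(text):
    """Return ({boot loader settings}, {ARC path: description and switches})."""
    loader, systems = {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line:
            continue
        # Split on the first '=' only: OS lines carry '=' inside their switches.
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "boot loader":
            loader[key.lower()] = value
        elif section == "operating systems":
            systems[key] = value
    return loader, systems


def validate_boot_ini(text):
    """List the problems that would keep NTLDR from using this boot.ini."""
    if not text.strip():
        # What the thread hit: typing c:\boot.ini produced an empty log.
        return ["boot.ini is missing or empty"]
    loader, systems = parse_boot_ini(text)
    problems = []
    default = loader.get("default")
    if default is None:
        problems.append("[boot loader] has no default= entry")
    elif default not in systems:
        problems.append(f"default entry {default} has no matching [operating systems] line")
    if not systems:
        problems.append("[operating systems] has no entries")
    for arc in systems:
        if not ARC_RE.match(arc):
            problems.append(f"malformed ARC path: {arc}")
    timeout = loader.get("timeout")
    # timeout is whole seconds; -1 means wait for the user indefinitely.
    if timeout is not None and timeout != "-1" and not timeout.isdigit():
        problems.append(f"timeout must be seconds or -1, got {timeout!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_BOOT_INI), ("mismatched", MISMATCHED_BOOT_INI), ("empty", "")):
        print(label, validate_boot_ini(text) or "OK")
```

Run against the text of the boot.txt log the command above opens; an empty result from `validate_boot_ini` means the loader section and the operating-systems entries agree.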

#97 arfon.jones


Posted 20 November 2009 - 02:08 PM

Hello Dave, I have posted a services2.hiv to your submission channel. I also ran the second boot.ini file, but the result in Metapad came up blank.

#98 noahdfear


Posted 20 November 2009 - 02:53 PM

The hive appears to have been merged successfully. Please take a look in Local Disk C: using Windows Explorer and tell me what files are there whose name begins with boot (like boot.ini, boot.backup, boot.basevid, etc).

Edited by noahdfear, 20 November 2009 - 02:54 PM.

Dave

#99 arfon.jones


Posted 20 November 2009 - 04:13 PM

Hi, there are 2 files: 1. boot.backup 2. boot.basevid

#100 noahdfear


Posted 20 November 2009 - 04:21 PM

Please right click the boot.backup file and Rename to boot.ini. Still working on the next attempt at normal bootup.
Dave



#101 noahdfear


Posted 22 November 2009 - 10:34 AM

Hi arfon, Just wanted to let you know that I haven't abandoned you. I expect to have a new test ready later today.
Dave

#102 noahdfear


Posted 22 November 2009 - 03:30 PM

Here we go B)

Boot into MiniXP and download this file to the desktop.

Double click the file to run it.
It will first make backups of several files, and if successful, will pause and instruct you to load Registry Editor PE.
If unsuccessful, it will exit and open a log that needs to be posted here.
It is not necessary to load any user hives.
Once Registry Editor PE is fully loaded and the registry editor opens, minimize it to the taskbar. Do NOT close the editor!
Press any key to allow the tool to continue running (it will ask you again if you're sure).
When complete, a log will open.
Post its contents here.
Please do not attempt to start the computer normally until I've responded to the log.

Now, so that you know what we're doing:

The tool will configure your system to do a diagnostic startup.
In doing so, it's necessary to re-write the system.ini and win.ini files.
It is also necessary to disable most services and startup items.
The tool does this by creating the necessary registry keys to re-enable them later, and modifying the Start value of the associated registry values for those services.
As mentioned above, backups will first be made of all files and registry hives.
Dave

#103 arfon.jones


Posted 22 November 2009 - 04:47 PM

Hi Dave, I'm in the process of running the diagnostics file and have a question. It has ended with - 'the operation completed successfully' Value key exists, overwrite (Y/N)? Just checking in case I answer wrongly.

#104 noahdfear


Posted 22 November 2009 - 04:51 PM

Yes, and the same if prompted any more.
Dave

#105 arfon.jones


Posted 22 November 2009 - 05:02 PM

Hi Dave, here is my latest log, many thanks. Arfon

---- System.ini ----
;msconfig ; for 16-bit app support
[drivers]
;msconfig wave=mmdrv.dll
;msconfig timer=timer.drv
;msconfig [mci]
;msconfig [driver32]
[386enh]
;msconfig woafont=app850.FON
;msconfig EGA80WOA.FON=EGA80850.FON
;msconfig EGA40WOA.FON=EGA40850.FON
;msconfig CGA80WOA.FON=CGA80850.FON
;msconfig CGA40WOA.FON=CGA40850.FON
[ScreenTime]
;msconfig Password Value=0
[TTFontDimenCacheDBCS]
;msconfig 0 10=6 10
;msconfig 0 11=7 11
;msconfig 0 12=7 12
;msconfig 0 13=8 13
;msconfig 0 14=8 14
;msconfig 0 15=9 15
;msconfig 0 16=10 16
;msconfig 0 18=11 18
;msconfig 0 20=12 20
;msconfig 0 22=13 22

---- Win.ini ----
;msconfig ; for 16-bit app support
;msconfig [fonts]
;msconfig [extensions]
;msconfig [mci extensions]
;msconfig [files]
[Mail]
;msconfig MAPI=1
;msconfig CMC=1
;msconfig CMCDLLNAME=mapi.dll
;msconfig CMCDLLNAME32=mapi32.dll
;msconfig MAPIX=1
;msconfig MAPIXVER=1.0.0.1
;msconfig OLEMessaging=1
[MCI Extensions.BAK]
;msconfig aif=MPEGVideo
;msconfig aifc=MPEGVideo
;msconfig aiff=MPEGVideo
;msconfig asf=MPEGVideo
;msconfig asx=MPEGVideo
;msconfig au=MPEGVideo
;msconfig m1v=MPEGVideo
;msconfig m3u=MPEGVideo
;msconfig mp2=MPEGVideo
;msconfig mp2v=MPEGVideo
;msconfig mp3=MPEGVideo
;msconfig mpa=MPEGVideo
;msconfig mpe=MPEGVideo
;msconfig mpeg=MPEGVideo
;msconfig mpg=MPEGVideo
;msconfig mpv2=MPEGVideo
;msconfig snd=MPEGVideo
;msconfig wax=MPEGVideo
;msconfig wm=MPEGVideo
;msconfig wma=MPEGVideo
;msconfig wmv=MPEGVideo
;msconfig wmx=MPEGVideo
;msconfig wpl=MPEGVideo
;msconfig wvx=MPEGVideo
;msconfig m2v=MPEGVideo
;msconfig mod=MPEGVideo
[IRIS_IPE]
;msconfig menu=1
[drawdib]
;msconfig vga.drv 1024x768x32(BGR 0)=15,23,1,31
[Readiris]
;msconfig Scanner32=Twaino38,23
[annie]
;msconfig FrameRate=333333
;msconfig CaptureFile=C:\Documents and Settings\Arfon Jones\My Documents\carwyn\Photos\fi4
;msconfig VideoDevice2=@device:cm:{860BB310-5D01-11D0-BD3B-00A0C911CE86}\SoC PC-Camer@ (VFW)
;msconfig AudioDevice2=
;msconfig UseFrameRate=1
;msconfig CaptureAudio=0
;msconfig CaptureCC=0
;msconfig WantPreview=1
;msconfig MasterStream=1
;msconfig UseTimeLimit=0
;msconfig TimeLimit=0
[DPE]
;msconfig Toolbar=1
;msconfig SN75=43011702

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini    REG_DWORD    0x1
    win.ini    REG_DWORD    0x1
    bootini    REG_DWORD    0x0
    services    REG_DWORD    0x1
    startup    REG_DWORD    0x1

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\4oD
    item    REG_SZ    4oD
    command    REG_SZ    "C:\Program Files\Kontiki\KHost.exe" -all
    hkey    REG_SZ    HKLM
    key    REG_SZ    Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Photo Downloader
    item    REG_SZ    Adobe Photo Downloader
    command    REG_SZ    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    hkey    REG_SZ    HKLM
    key    REG_SZ    Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG8_TRAY
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    AVG8_TRAY
    hkey    REG_SZ    HKLM
    command    REG_SZ    c:\progra~1\avg\avg8\avgtray.exe
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CRBroadCasting
    item    REG_SZ    CRBroadCasting
    command    REG_SZ    C:\Program Files\CardReader2.0\CRBroadCasting.exe
    hkey    REG_SZ    HKLM
    key    REG_SZ    Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gutemokazi
    item    REG_SZ    gutemokazi
    command    REG_SZ    Rundll32.exe "C:\WINDOWS\system32\werukuwe.dll",s
    hkey    REG_SZ    HKLM
    key    REG_SZ    Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    hpcmpmgr
    hkey    REG_SZ    HKLM
    command    REG_SZ    "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    HPWuSchd2
    hkey    REG_SZ    HKLM
    command    REG_SZ    "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    hpztsb10
    hkey    REG_SZ    HKLM
    command    REG_SZ    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IntelliPoint
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    ipoint
    hkey    REG_SZ    HKLM
    command    REG_SZ    "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ISTray
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    ISTray
    hkey    REG_SZ    HKLM
    command    REG_SZ    "c:\program files\spyware doctor\pctsTray.exe"
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    iTunesHelper
    hkey    REG_SZ    HKLM
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
    item    REG_SZ    KernelFaultCheck
    command    REG_SZ    %systemroot%\system32\dumprep 0 -k
    hkey    REG_SZ    HKLM
    key    REG_SZ    Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mserv
    item    REG_SZ    mserv
    hkey    REG_SZ    HKEY_CURRENT_USER
    key    REG_SZ    Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroCheck
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    NeroCheck
    hkey    REG_SZ    HKLM
    command    REG_SZ    C:\WINDOWS\system32\NeroCheck.exe
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
    key    REG_SZ    Run
    item    REG_SZ    QuickTime Task
    hkey    REG_SZ    HKLM
    command    REG_SZ    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl
    item    REG_SZ    RemoteControl
    command    REG_SZ    c:\windows\system32\rmctrl.exe
    hkey    REG_SZ    HKLM
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RoxioDragToDisc
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    DrgToDsc
    hkey    REG_SZ    HKLM
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SoundMan
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    SOUNDMAN
    hkey    REG_SZ    HKLM
    command    REG_SZ    SOUNDMAN.EXE
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    SunJavaUpdateSched
    hkey    REG_SZ    HKLM
    command    REG_SZ    "c:\program files\java\jre6\bin\jusched.exe"
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\swg
    key    REG_SZ    Run
    item    REG_SZ    swg
    hkey    REG_SZ    HKEY_CURRENT_USER
    inimapping    REG_SZ    0
    command    REG_SZ    "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
    item    REG_SZ    TkBellExe
    command    REG_SZ    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    hkey    REG_SZ    HKLM
    key    REG_SZ    Run

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\updateMgr
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    AdobeUpdateManager
    hkey    REG_SZ    HKCU
    command    REG_SZ    "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WMPNSCFG
    item    REG_SZ    WMPNSCFG
    command    REG_SZ    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    hkey    REG_SZ    HKEY_CURRENT_USER
    key    REG_SZ    Run

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\services
    Lavasoft Ad-Aware Service    REG_DWORD    0x2
    Winsock - Google Desktop Search Backup Before First Install    REG_DWORD    0x3
    Winsock - Google Desktop Search Backup Before Last Install    REG_DWORD    0x3
    ALG    REG_DWORD    0x3
    AppMgmt    REG_DWORD    0x3
    aspnet_state    REG_DWORD    0x3
    AudioSrv    REG_DWORD    0x2
    BITS    REG_DWORD    0x3
    Browser    REG_DWORD    0x2
    CiSvc    REG_DWORD    0x3
    ClipSrv    REG_DWORD    0x4
    clr_optimization_v2.0.50727_32    REG_DWORD    0x3
    COMSysApp    REG_DWORD    0x3
    CryptSvc    REG_DWORD    0x2
    Dhcp    REG_DWORD    0x2
    dmadmin    REG_DWORD    0x3
    dmserver    REG_DWORD    0x3
    Dnscache    REG_DWORD    0x2
    Dot3svc    REG_DWORD    0x3
    EapHost    REG_DWORD    0x3
    ERSvc    REG_DWORD    0x2
    Eventlog    REG_DWORD    0x2
    EventSystem    REG_DWORD    0x3
    FastUserSwitchingCompatibility    REG_DWORD    0x3
    FontCache3.0.0.0    REG_DWORD    0x3
    gupdate1c9b63b8cc7536e    REG_DWORD    0x2
    gusvc    REG_DWORD    0x3
    helpsvc    REG_DWORD    0x2
    HidServ    REG_DWORD    0x2
    hkmsvc    REG_DWORD    0x3
    HPZid412    REG_DWORD    0x3
    HPZipr12    REG_DWORD    0x3
    HPZius12    REG_DWORD    0x3
    HTTPFilter    REG_DWORD    0x3
    IDriverT    REG_DWORD    0x3
    idsvc    REG_DWORD    0x3
    ImapiService    REG_DWORD    0x3
    JavaQuickStarterService    REG_DWORD    0x2
    lanmanserver    REG_DWORD    0x2
    lanmanworkstation    REG_DWORD    0x2
    LmHosts    REG_DWORD    0x2
    mnmsrvc    REG_DWORD    0x3
    MSDTC    REG_DWORD    0x3
    MSIServer    REG_DWORD    0x3
    napagent    REG_DWORD    0x3
    Netlogon    REG_DWORD    0x3
    Netman    REG_DWORD    0x3
    Nla    REG_DWORD    0x3
    NtLmSsp    REG_DWORD    0x3
    NtmsSvc    REG_DWORD    0x3
    PCTCore    REG_DWORD    0x0
    PlugPlay    REG_DWORD    0x2
    PolicyAgent    REG_DWORD    0x2
    ProtectedStorage    REG_DWORD    0x2
    RasAuto    REG_DWORD    0x3
    RasMan    REG_DWORD    0x3
    RDSessMgr    REG_DWORD    0x3
    RemoteAccess    REG_DWORD    0x4
    RSVP    REG_DWORD    0x3
    SamSs    REG_DWORD    0x2
    SCardSvr    REG_DWORD    0x3
    Schedule    REG_DWORD    0x2
    sdAuxService    REG_DWORD    0x2
    sdCoreService    REG_DWORD    0x2
    seclogon    REG_DWORD    0x2
    SENS    REG_DWORD    0x2
    SharedAccess    REG_DWORD    0x2
    ShellHWDetection    REG_DWORD    0x2
    Spooler    REG_DWORD    0x2
    sptd    REG_DWORD    0x0
    srservice    REG_DWORD    0x2
    SSDPSRV    REG_DWORD    0x2
    StarOpen    REG_DWORD    0x1
    stisvc    REG_DWORD    0x2
    SwPrv    REG_DWORD    0x3
    SysmonLog    REG_DWORD    0x3
    TapiSrv    REG_DWORD    0x3
    TermService    REG_DWORD    0x3
    Themes    REG_DWORD    0x2
    TrkWks    REG_DWORD    0x2
    upnphost    REG_DWORD    0x3
    vaxscsi    REG_DWORD    0x3
    VSS    REG_DWORD    0x2
    W32Time    REG_DWORD    0x2
    WebClient    REG_DWORD    0x2
    winmgmt    REG_DWORD    0x2
    WmdmPmSN    REG_DWORD    0x3
    Wmi    REG_DWORD    0x3
    WmiApSrv    REG_DWORD    0x3
    WMPNetworkSvc    REG_DWORD    0x2
    wscsvc    REG_DWORD    0x2
    wuauserv    REG_DWORD    0x2
    WZCSVC    REG_DWORD    0x2
    xmlprov    REG_DWORD    0x3

all copy and rename procedures executed successfully
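Post #102 explains what the diagnostic-startup tool records under the MSConfig registry key so that the disabled services and startup items can be re-enabled later, and the log above is that key dumped with reg.exe. As an added example for this thread (not Dave's tool, and not from the original posts), the Python below parses reg.exe 3.0 query output in that format, turns the MSConfig\services dump into a restore plan (the saved Start values, with their meanings: 0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled), lists the parked startup items, and picks out the items launched through rundll32, which carry no product name of their own and so are the ones a reviewer has to check by DLL path. The sample dump is a constructed excerpt in the same format as the posted log.

```python
"""Parse a reg.exe query dump of the MSConfig keys into a service restore plan and
a startup-item review list. Added example for this thread, not the helper's
diagnostic tool; SAMPLE_DUMP is a constructed excerpt in the posted log's format."""
import re
from collections import OrderedDict

# Meaning of a service's Start DWORD; MSConfig keeps the old value so it can restore it.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
# reg.exe 3.0 prints "<indent>name<ws>REG_TYPE<ws>data"; names may contain spaces,
# so match lazily up to the first REG_ type token.
VALUE_RE = re.compile(
    r"^\s+(.+?)\s+(REG_(?:SZ|EXPAND_SZ|MULTI_SZ|DWORD|QWORD|BINARY|NONE))\s*(.*)$")
# Startup commands of the form  rundll32[.exe] "<path>.dll",entrypoint
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.IGNORECASE)

SAMPLE_DUMP = r'''
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG8_TRAY
    key    REG_SZ    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    REG_SZ    AVG8_TRAY
    hkey    REG_SZ    HKLM
    command    REG_SZ    c:\progra~1\avg\avg8\avgtray.exe
    inimapping    REG_SZ    0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gutemokazi
    item    REG_SZ    gutemokazi
    command    REG_SZ    Rundll32.exe "C:\WINDOWS\system32\werukuwe.dll",s
    hkey    REG_SZ    HKLM
    key    REG_SZ    Run

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\Shared Tools\MSConfig\services
    Lavasoft Ad-Aware Service    REG_DWORD    0x2
    Dhcp    REG_DWORD    0x2
    ClipSrv    REG_DWORD    0x4
    sptd    REG_DWORD    0x0
'''


def parse_reg_query(text):
    """Return {key path: {value name: (type, data)}} from reg.exe query output."""
    keys, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):  # blank line or version banner
            continue
        if line.startswith("HKEY_"):  # key paths start in column 0
            current = line
            keys.setdefault(current, OrderedDict())
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            name, reg_type, data = match.groups()
            keys[current][name] = (reg_type, data)
    return keys


def startup_items(keys):
    """Startup entries MSConfig parked under ...\\MSConfig\\startupreg\\<name>."""
    marker = "\\MSConfig\\startupreg\\"
    items = []
    for path, values in keys.items():
        if marker in path:
            data = {name: d for name, (_, d) in values.items()}
            items.append({"name": path.split(marker, 1)[1], "hive": data.get("hkey", ""),
                          "key": data.get("key", ""), "command": data.get("command", "")})
    return items


def service_restore_plan(keys):
    """Map each service to (saved Start value, meaning) from ...\\MSConfig\\services."""
    plan = OrderedDict()
    for path, values in keys.items():
        if path.endswith("\\MSConfig\\services"):
            for service, (reg_type, data) in values.items():
                if reg_type == "REG_DWORD":
                    start = int(data, 16)
                    plan[service] = (start, START_TYPES.get(start, "Unknown"))
    return plan


def rundll32_loaded_dlls(items):
    """Items that start a DLL through rundll32; the DLL path is what to review."""
    found = []
    for item in items:
        match = RUNDLL_RE.match(item["command"])
        if match:
            found.append((item["name"], match.group(1)))
    return found


if __name__ == "__main__":
    keys = parse_reg_query(SAMPLE_DUMP)
    for service, (start, meaning) in service_restore_plan(keys).items():
        print(f"{service:<28} restore Start={start} ({meaning})")
    items = startup_items(keys)
    for name, dll in rundll32_loaded_dlls(items):
        print(f"review: {name} loads {dll} via rundll32")
```

Feed it the full reg.exe section of a posted log and the restore plan is exactly the list of Start values the tool will have to write back when the diagnostic startup is undone; the rundll32 list is the short set of startup items that cannot be recognised by product name alone.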
