big problems

Discussion in 'Home Networking' started by Jim W, Mar 10, 2005.

  1. Jim W

    NBT Guest

    This basically means if you try to access any of the web-sites listed on the
    right you will in fact be sent to the MSN Address 213.199.154.54.
    Since you have Spybot working you can remove all of the above entries using
    it.
    Spybot->Advanced mode->tools->Hosts file
    highlight the 213.199.154.54 entries and click on remove selected entries.

    The only entry you need is 127.0.0.1 local host.
     
    NBT, Mar 11, 2005
    #21

  2. Jim W

    Rob Morley Guest

    ITYM localhost
     
    Rob Morley, Mar 11, 2005
    #22

  3. Jim W

    NBT Guest

    Yes one of the penalties of doing things by memory instead of actually
    checking.
     
    NBT, Mar 11, 2005
    #23
  4. Without starting an AV thread, I suggest you try NOD32. It isn't free but has a very
    good reputation for virus detection, including "unknown" ones. It uses a particularly
    efficient heuristic detection method. AVG isn't one of the better offerings (IMHO of
    course).

    I run NOD32 on the network at work and I'm very pleased with its performance.

    The link is:

    http://nod32uk.co.uk/ and click on "trial version".


    It also has a very small effect on your machine as regards slowing performance etc.


    I hope this helps
     
    Andrew Sayers, Mar 11, 2005
    #24
  5. Jim W

    Jim W Guest

    Sorry Andrew but all links posted here have failed, yours included

    but thank you for the advice

    Jim
     
    Jim W, Mar 11, 2005
    #25
  6. Jim W

    Jim W Guest

    NBT, here we go

    Spybot runs in safe mode, when I go to hosts, ALL the entries are
    213.199.154.54 and there is no 127.0.0.1 or should that be ITYM localhost,
    is it safe to delete them all?

    HJT? please remind me, tiring now

    Thanks for sticking with it

    Jim
     
    Jim W, Mar 11, 2005
    #26
  7. Jim W

    mikeFNB Guest

    just finished a 24hrs shift.

    where have you got to now?

    mike
     
    mikeFNB, Mar 12, 2005
    #27
  8. Jim W

    NBT Guest

    ITYM I Think You Mean


    localhost,
    When you look in a normal "Hosts" file the first entry is

    127.0.0.1 localhost

    I want you for the present to ignore this and use Spybot to remove all
    the 213.199.154.54 entries as previously explained.
    Then go to http://www.kaspersky.com/trials?chapter=146481750

    Download the Free 30 day trial period version of KAV PERSONAL.
    Disable your AVG s/ware and then install and run KAV (having 2 AVs
    running together can cause conflicts). Check updates for KAV and then run
    a scan.
    If any viruses/Trojans appear, rescan until no more show up. I want you
    to use KAV because it detects more than just viruses.

    When done post another HJT Log.

    I am being dragged off to Manchester this morning and will not be back
    until late afternoon so will not be able to reply till then.

    NBT
     
    NBT, Mar 12, 2005
    #28
  9. Jim W

    Jim W Guest

    NBT

    Used Spybot to get rid of all 213.199.154.54 entries in the host file, link
    to Kaspersky and all other AV and Windows help sites still won't work, still
    can't open and install Windows updates sitting in system tray.

    Jim
     
    Jim W, Mar 12, 2005
    #29
  10. Jim W

    Jim W Guest

    Hi Mike

    24hr shift, hospital? Can you sew my daughter's fingers back on please :)

    update, see last post Mike

    Jim
     
    Jim W, Mar 12, 2005
    #30
  11. Jim W

    NBT Guest

    Well just had one of the quickest shopping trips on record!

    Did you do this in "Safe Mode"?
    If not, go to "Safe Mode" and run HJT.

    Put a check mark against these
    O4 - HKLM\..\Run: [DsmSer] C:\WINDOWS\System32\sysup.exe
    O4 - HKLM\..\Run: [rollbk] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\Run: [AvSer] C:\WINDOWS\System32\svosm.exe
    O4 - HKLM\..\RunServices: [DsmSer] C:\WINDOWS\System32\sysup.exe
    O4 - HKLM\..\RunServices: [rollbk] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\RunServices: [AvSer] C:\WINDOWS\System32\svosm.exe

    Click on "fix checked"

    Run HJT again to make sure they are not there.

    Reboot into safe mode again and recheck HJT to make sure entries are
    missing.

    If the 213 entries were again listed try deleting again and try the
    web-sites again.

    The worm prevents "System Restore" and your "Updates".

    NBT


    When W32.Serflog.B is executed, it performs the following actions:

    1. Creates the following mutex so that only one instance of the worm
    is run on the compromised computer:

    '-F-u-c-k-'-Y-o-u-'

    2. Creates the following hidden copies of itself:

    * %System%\sysup.exe
    * %System%\msmpatch.exe
    * %System%\svosm.exe
    * %Windir%\msmpatch.exe
    * %Windir%\dsm.exe
    * %SystemDrive%\One Eye Granny pic!.pif
    * %SystemDrive%\Me drunk at The Sea!.pif
    * %SystemDrive%\Punk Lives! lol.pif
    * %SystemDrive%\Me Love You Long Time.pif
    * %SystemDrive%\Me pic.pif
    * %SystemDrive%\HillBilly Chick lol.pif
    * %SystemDrive%\Dumb Looking Goth Chick.pif
    * %SystemDrive%\Hot Blonde!.pif
    * %SystemDrive%\Modelling Her New Bikini.pif
    * %SystemDrive%\Crazy Japanese man kicks crazy frog!.pif
    * %SystemDrive%\Funny Hitler parody!.pif
    * %SystemDrive%\My birthday pic!.pif
    * %SystemDrive%\Funny Hitler parody.pif
    * %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe

    Notes:
    * %System% is a variable that refers to the System folder. By
    default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32
    (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    * %Windir% is a variable that refers to the Windows
    installation folder. By default, this is C:\Windows (Windows
    95/98/Me/XP)or C:\Winnt (Windows NT/2000).
    * %SystemDrive% is a variable that refers to the drive on
    which Windows is installed. By default, this is drive C.
    * %UserProfile% is a variable that refers to the current
    user's profile folder. By default, this is C:\Documents and
    Settings\<Current User> (Windows NT/2000/XP).

    3. Drops the hidden file %SystemDrive%\Crazy.Html.

    4. Adds the value:

    "[Value]" = "[File name]"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    so that the worm is executed every time Windows starts.

    Where [Value] is one of the following:

    * AvSer
    * DsmSer
    * rollbk

    and where [File name] is one of the following:

    * %System%\sysup.exe
    * %System%\svosm.exe
    * %System%\msmpatch.exe
    * %Windir%\dsm.exe

    5. Adds the registry values:

    "DisableConfig" = "0"
    "DisableSR" = "0"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

    to disable system restore.

    6. Sends a copy of itself to all the contacts in MSN Messenger using
    one of the following file names:

    * Crazy frog gets killed by train!.pif
    * Annoying crazy frog getting killed.pif
    * See my lesbian friends.pif
    * My new photo!.pif
    * Me on holiday!.pif
    * The Cat And The Fan piccy.pif
    * How a Blonde Eats a Banana...pif
    * Mona Lisa Wants Her Smile Back.pif
    * Topless in Mini Skirt! lol.pif
    * Fat Elvis! lol.pif
    * Jennifer Lopez.scr

    7. Copies itself to the following folders, which are used by various
    file-sharing applications:

    * %SystemDrive%\My Shared Folder
    * %UserProfile%\Shared
    * %ProgramFiles%\Program Files\eMule\Incoming

    Note: %ProgramFiles% is a variable that refers to the
    program files folder. By default, this is C:\Program Files.

    The worm copies itself to the above folders using the
    following file names:
    * MSN Display picture stealer.exe
    * MSN Messenger 7.exe
    * MSN Avatar Creator.exe

    8. Adds the text:

    OPEN=autorun.exe

    to the following file:

    %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf

    9. Terminates the following processes:


    10. Adds the following text to the Hosts file to block access to
    various Web sites, some of which may be security-related:

     
    NBT, Mar 12, 2005
    #31
  12. Jim W

    Clint Sharp Guest

    Jim, if you boot the PC to safe mode and run Spybot SD what does it
    find?
     
    Clint Sharp, Mar 12, 2005
    #32
  13. Jim W

    Jim W Guest

    NBT

    Did everything you said, links still won't work

    jim

     
    Jim W, Mar 12, 2005
    #33
  14. Jim W

    Jim W Guest

    Only "people on page" Chris

    Jim

     
    Jim W, Mar 12, 2005
    #34
  15. Jim W

    NBT Guest

    Just to be on the safe side, in your "Messenger" options make sure that
    Messenger does not run on Windows start; hopefully this will stop your
    machine from receiving or sending any messages (worms) while we sort this
    out.

    Reboot in safe mode

    We will try another method of modifying the "Hosts" file.

    # Windows XP

    1. Click Start > Search.
    2. Click All files and folders.
    3. In the "All or part of the file name" box, type:

    hosts

    4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
    5. Click More advanced options.
    6. Check Search system folders.
    7. Check Search subfolders.
    8. Click Search.
    9. Click Find Now or Search Now.
    10. For each Hosts file that you find, right-click the file, and then
    click Open With.
    11. Deselect the Always use this program to open this program check box.
    12. Scroll through the list of programs and double-click Notepad.
    13. When the file opens, delete all the entries referring to
    213.199.154.54 (complete lines e.g. 127.0.0.1 213.199.154.54 grisoft.com)

    14. Close Notepad and save your changes when prompted.


    Open file again and confirm there are no 213.199.154.54 entries.

    Hopefully you will only have 127.0.0.1 localhost

    If this is so run Spybot->advanced mode->tools->IE tweaks and put a
    check in the box "lock Hosts file"

    Run HJT and copy log here so I can see what it says.
     
    NBT, Mar 12, 2005
    #35
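
The hosts-file check that post #35 walks through by hand can be automated. The Python below is an added example, not part of the thread or of any tool mentioned in it: it flags any routable address that several unrelated domains have been pointed at and returns a cleaned copy of the file. The sample file is constructed, and `audit_hosts`, `clean_hosts` and the three-domain threshold are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a hosts file in the state the thread describes.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
213.199.154.54  www.symantec.com
213.199.154.54  kaspersky.com
213.199.154.54  download.mcafee.com   # trailing comment
213.199.154.54  www.grisoft.com
192.168.1.10    printer
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostnames) for each mapping line."""
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment-only or incomplete
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first field is not an address
        yield number, ip, [h.lower().rstrip(".") for h in fields[1:]]


def base_domain(host):
    """Crude registrable-domain guess: the last two labels."""
    return ".".join(host.split(".")[-2:])


def audit_hosts(text, min_domains=3):
    """Map each suspicious redirect target to the hostnames pointed at it.

    Assumed heuristic: a routable address (not loopback, private or
    unspecified) that min_domains or more unrelated domains resolve to.
    Block lists that sink names to 127.0.0.1 or 0.0.0.0 are not flagged.
    """
    by_ip = defaultdict(set)
    for _, ip, hosts in parse_hosts(text):
        if ip.is_loopback or ip.is_private or ip.is_unspecified:
            continue
        by_ip[str(ip)].update(hosts)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()
            if len({base_domain(h) for h in hosts}) >= min_domains}


def clean_hosts(text, bad_ips):
    """Return the file text with every mapping line for bad_ips removed."""
    drop = {n for n, ip, _ in parse_hosts(text) if str(ip) in bad_ips}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    findings = audit_hosts(SAMPLE_HOSTS)
    for ip, hosts in findings.items():
        print(f"{ip} <- {len(hosts)} names: {', '.join(hosts)}")
    print(clean_hosts(SAMPLE_HOSTS, findings), end="")
```
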
  16. Jim W

    Jim W Guest

    OK NBT

    Did search for hosts, these are files that hold 213.199.154.54 files, they
    are

    Hostscopy
    hostsbak
    host.20050310 233003.backup this one has
    "C:\WINDOWS\system32\drivers\etc\hosts.20050310-233003.backup" as the target
    in properties
    then there are about 14 more that start
    hosts.20050312-114539 backup C\WINDOWS\system32 drivers

    Basically, is it safe to delete ALL 127.0.0.1 213.199.154.54 files?

    Cheers

    Jim
     
    Jim W, Mar 12, 2005
    #36
  17. Jim W

    NBT Guest

    If they are all copy, bak or backup, ignore them; we are only interested in the one
    labelled "Hosts".
    If the "Hosts" file has no 213 entries, lock it using Spybot and run HJT and
    post a copy.

    NBT
     
    NBT, Mar 12, 2005
    #37
  18. Jim W

    Jim W Guest

    Turned off Messenger in all four accounts, daughter downloaded "crazy frog"
    from one of her pals, same night problems started
    Hosts is clear
    HJT results

    Logfile of HijackThis v1.99.1
    Scan saved at 16:55:40, on 12/03/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Jim\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://www.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
    Internet Explorer provided by Freeserve
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program
    Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} -
    C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft
    Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common
    Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program
    Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common
    Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program
    Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program
    Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
    Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AvSer] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\Run: [rollbk] C:\WINDOWS\System32\sysup.exe
    O4 - HKLM\..\RunServices: [AvSer] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\RunServices: [rollbk] C:\WINDOWS\System32\sysup.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk =
    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office\OSA9.EXE
    O8 - Extra context menu item: Search with Freeserve -
    res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
    C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links -
    {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
    C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
    C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Medion-UK - {E2FE0687-6D9A-4136-8B83-591878BF4C0E} -
    http://www.medion.co.uk (file missing) (HKCU)
    O12 - Plugin for .mid: C:\Program Files\Internet
    Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: Yahoo! Bingo -
    http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: Yahoo! Dominoes -
    http://download.games.yahoo.com/games/clients/y/dot4_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire -
    http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: Yahoo! Tic-Tac-Toe -
    http://download.games.yahoo.com/games/clients/y/ft3_x.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
    http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags
    Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wu
    web_site.cab?1101155435965
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
    Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
    (MsnMessengerSetupDownloadControl Class) -
    http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd -
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON
    CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
    C:\WINDOWS\System32\nvsvc32.exe


     
    Jim W, Mar 12, 2005
    #38
  19. Jim W

    NBT Guest

    I want you to tick the boxes to the left hand side of these in HJT

    O4 - HKLM\..\Run: [AvSer] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\Run: [rollbk] C:\WINDOWS\System32\sysup.exe
    O4 - HKLM\..\RunServices: [AvSer] C:\WINDOWS\msmpatch.exe
    O4 - HKLM\..\RunServices: [rollbk] C:\WINDOWS\System32\sysup.exe

    Then click on "fix checked" and run HJT again.

    If these 4 items have disappeared I want you to open Internet Explorer and
    manually type in

    http://www.adslguide.org.uk/ ( do not click on this as a hyperlink)

    If it takes you to the web site type this location into IE

    http://www.kaspersky.com/trials?chapter=146481750

    Download the 30 day free trial. Disable your AVG (probably rt clicking on
    icon in system tray will give you the option). Install KAV, run upgrade and
    then scan; if it finds anything, rescan until clear. (It may say that Spybot
    has locked files and it is unable to scan but ignore this.)

    Do you know anything about editing your Registry?

    NBT
     
    NBT, Mar 12, 2005
    #39
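
Picking the worm's autorun entries out of a HijackThis log, as in posts #38 and #39, can also be scripted. This Python example is added here and is not HijackThis's or any poster's code: it rejoins the wrapped log lines and flags O4 registry entries whose value name or file name matches those given in the write-up quoted in post #31. The function names are hypothetical and the sample is an excerpt of the log posted above.

```python
import re

# Names taken from the write-up quoted in post #31.
WORM_VALUES = {"avser", "dsmser", "rollbk"}
WORM_FILES = {"sysup.exe", "msmpatch.exe", "svosm.exe", "dsm.exe"}

# Excerpt of the log in post #38, keeping the forum's hard line wraps.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program
Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AvSer] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\Run: [rollbk] C:\WINDOWS\System32\sysup.exe
O4 - HKLM\..\RunServices: [AvSer] C:\WINDOWS\msmpatch.exe
O4 - HKLM\..\RunServices: [rollbk] C:\WINDOWS\System32\sysup.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
"""

ENTRY_START = re.compile(r"^(?:[RFN]\d|O\d{1,2}) - ")
O4_REG = re.compile(r"^O4 - (HK\w+)\\\.\.\\([^:]+): \[(.+?)\] (.+)$")
EXE_NAME = re.compile(r'([^\\/"]+\.(?:exe|pif|scr))', re.I)


def unwrap(log_text):
    """Rejoin entries that mail or forum software wrapped across lines."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            # Continuation line; a wrap inside a word gains a stray space.
            entries[-1] += " " + line
    return entries


def flag_autoruns(log_text):
    """Return (hive, key, value, command, reasons) for suspicious O4 lines."""
    hits = []
    for entry in unwrap(log_text):
        m = O4_REG.match(entry)
        if not m:
            continue                      # startup-folder items, other sections
        hive, key, value, command = m.groups()
        reasons = []
        if value.lower() in WORM_VALUES:
            reasons.append("value name")
        exe = EXE_NAME.search(command)
        if exe and exe.group(1).lower() in WORM_FILES:
            reasons.append("file name")
        if reasons:
            hits.append((hive, key, value, command, reasons))
    return hits


if __name__ == "__main__":
    for hive, key, value, command, reasons in flag_autoruns(SAMPLE_LOG):
        print(f"{hive}\\{key} [{value}] {command}  ({', '.join(reasons)})")
```

Matching on either field matters here: this log pairs AvSer with msmpatch.exe, whereas the entries listed in post #31 paired it with svosm.exe.
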
  20. Jim W

    Jim W Guest

    NBT

    Thank you for that, have now been able to download kaspersky, and I can open
    avg, will start scan but it may take some time

    Sorry no nothing about Registry, but I have a feeling I soon might

    Thanks again

    Jim

     
    Jim W, Mar 12, 2005
    #40