Guild Wars Forums - GW Guru
 
 

Old Apr 21, 2006, 01:10 AM // 01:10   #1
Academy Page
 
Ravex's Avatar
 
Join Date: Apr 2006
Guild: Dragon Academy
Profession: Mo/Me
Default format

My old computer is pretty messed up; it's got viruses and tons of spyware and adware. It used to be able to play another MMORPG (I don't know if I can say the name or not, but it has about the same requirements as Guild Wars), and I want to play Guild Wars on it. I don't mind reformatting it and dumping everything, but when I click to start the format it says "Windows was unable to complete the format". Does anyone know how I can dump everything some other way, or can tell me how to get it to let me format? I also tried System Restore, but the date doesn't go back far enough to when the computer worked.
Ravex is offline   Reply With Quote
Old Apr 21, 2006, 01:24 AM // 01:24   #2
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

I can walk you through the process to clean and fully repair your computer to as good as new, if not better than new.

If you'd like to accept this offer, let me know and I'll be more than happy to guide you through the process.

Formatting is always a last resort, so perhaps we can really pimp your machine!
Tarun is offline   Reply With Quote
Old Apr 21, 2006, 01:37 AM // 01:37   #3
Academy Page
 
Ravex's Avatar
 
Join Date: Apr 2006
Guild: Dragon Academy
Profession: Mo/Me
Default

OK cool, thanks. How do you want to do that? On Yahoo Messenger or something, or a step-by-step thing on the forum?
Ravex is offline   Reply With Quote
Old Apr 21, 2006, 01:45 AM // 01:45   #4
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

We can handle this step by step either on these forums or my own.

First I'll direct you to my website, Lunarsoft. Navigate to the Download section, Anti-Malware Packages, and download the Anti-Malware Pro package. (It's now recommended to use the Anti-Malware Toolkit)

Next, you can follow my PC Cleanup guide that will tell you the exact settings and process to follow to clean your computer.

If you need any help, please don't hesitate to ask.
Tarun is offline   Reply With Quote
Old Apr 21, 2006, 01:52 AM // 01:52   #5
Academy Page
 
Ravex's Avatar
 
Join Date: Apr 2006
Guild: Dragon Academy
Profession: Mo/Me
Smile

OK thanks, I'll do that.
Ravex is offline   Reply With Quote
Old Apr 22, 2006, 12:50 AM // 00:50   #6
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

Any updates?
Tarun is offline   Reply With Quote
Old Apr 22, 2006, 01:31 AM // 01:31   #7
Academy Page
 
Ravex's Avatar
 
Join Date: Apr 2006
Guild: Dragon Academy
Profession: Mo/Me
Default

Yeah, thanks, it's running almost as fast as when I got it. One of the programs didn't download though; it gives me a message. I'm not on that computer right now so I can't tell you what it is. There is also a runtime error message it still sends me. But other than that, that stuff helped out a lot.
Ravex is offline   Reply With Quote
Old Apr 22, 2006, 03:22 AM // 03:22   #8
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

Let me know what errors you get from what applications. I'll be more than happy to help diagnose and fix any issues you have.

Also, post a HijackThis log here and I'll clean it up for you.
Tarun is offline   Reply With Quote
Old Apr 22, 2006, 04:56 AM // 04:56   #9
Academy Page
 
Ravex's Avatar
 
Join Date: Apr 2006
Guild: Dragon Academy
Profession: Mo/Me
Default

OK cool, thanks. I won't be able to do it until Sunday or Monday though.
Ravex is offline   Reply With Quote
Old Apr 22, 2006, 03:35 PM // 15:35   #10
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

That's no problem. I'll be around if you need any help. Please don't hesitate to ask. :P
Tarun is offline   Reply With Quote
Old Apr 24, 2006, 05:22 PM // 17:22   #11
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

Hello Ravex,

It has been over 24 hours since a reply from you.

Have you encountered any further issues or do you require any further assistance?
Tarun is offline   Reply With Quote
Old Apr 24, 2006, 09:12 PM // 21:12   #12
Academy Page
 
Ravex's Avatar
 
Join Date: Apr 2006
Guild: Dragon Academy
Profession: Mo/Me
Default

Yeah, sorry, I just haven't been home to get the information I needed to tell you. That message says "runtime error program big fix has encountered a problem that needs to close these windows" or something like that when I'm on regular sites like this one. Here is the hijack list; I'll post it in this next post.
Ravex is offline   Reply With Quote
Old Apr 24, 2006, 09:40 PM // 21:40   #13
Academy Page
 
Ravex's Avatar
 
Join Date: Apr 2006
Guild: Dragon Academy
Profession: Mo/Me
Default

I'm not really sure how much you want, so I'll do this much and you can tell me if you want more.
(3)microsoft\internet\explorer
(1)URL search hook(no name)
(2) REGsystem ini Shell,user Inet
(5) BHO (noname) (no name) band class, CUrlCliObj Object, best offers shopping,
toolbar best offers shopping
HKLM msmc
HKLM microsoft windows file protection service
HKCU quartz
HKCU win tools
HKCU auyiff
Global startup date manager

More on next post.
Ravex is offline   Reply With Quote
Old Apr 24, 2006, 09:48 PM // 21:48   #14
Academy Page
 
Ravex's Avatar
 
Join Date: Apr 2006
Guild: Dragon Academy
Profession: Mo/Me
Default

DPF counter.cab
winlog notify igfix cui
winlog notify fastload
(8) service




I didn't post some of the ones I thought were OK, like the services and the ewido anti-malware thing, but let me know if I need to.
Ravex is offline   Reply With Quote
Old Apr 24, 2006, 10:20 PM // 22:20   #15
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

You should be able to copy/paste the entire HijackThis log into your post; from there I can help you with your log.
Tarun is offline   Reply With Quote
Old Apr 25, 2006, 12:09 AM // 00:09   #16
Academy Page
 
Ravex's Avatar
 
Join Date: Apr 2006
Guild: Dragon Academy
Profession: Mo/Me
Default

Scan saved at 7:07:17 PM, on 4/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\i386\services.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\m?iexec.exe
C:\DOCUME~1\xx~1\APPLIC~1\SKS~1\regedit.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\xx\Desktop\Anti-Malware Pro\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.xosearchox.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {22439E68-058E-532F-8B75-2D27C6E2EFC1} - C:\WINDOWS\System32\muwqhfc.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\i386\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\i386\services.exe
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll (file missing)
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msfnpo.dll
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\mskkk.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows File Protection Service] C:\WINDOWS\i386\services.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [quartz] C:\WINDOWS\System32\quartz.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Auyiff] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Usrr] "C:\DOCUME~1\JIMBER~1\APPLIC~1\SKS~1\regedit.exe" -vt rbnd
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Windows File Protection Service (fps) - Unknown owner - C:\WINDOWS\i386\services.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINDOWS\System32\RpcSs.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Last edited by Ravex; Apr 25, 2006 at 12:13 AM // 00:13..
Ravex is offline   Reply With Quote
Old Apr 25, 2006, 12:15 AM // 00:15   #17
Academy Page
 
Ravex's Avatar
 
Join Date: Apr 2006
Guild: Dragon Academy
Profession: Mo/Me
Default

I deleted the parts where it said my name and replaced them with xx, and AOL isn't my service provider anymore.
Ravex is offline   Reply With Quote
Old Apr 25, 2006, 12:27 AM // 00:27   #18
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

Don't be alarmed, you have a lot of trojans/viruses and adware/spyware.

Generated by Tarun's HijackThis Converter v0.50 Beta.

Default-color items are optional, bold are known to be malicious.

From your process list
C:\WINDOWS\i386\services.exe
C:\WINDOWS\System32\m?iexec.exe
C:\DOCUME~1\xx~1\APPLIC~1\SKS~1\regedit.exe

Created registry value
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.xosearchox.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cust...//my.yahoo.com

Changed registry value
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Created extra registry value where only one should be
R3 - URLSearchHook: (no name) - {22439E68-058E-532F-8B75-2D27C6E2EFC1} - C:\WINDOWS\System32\muwqhfc.dll

Changed *.ini file value forced into registry
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\i386\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\i386\services.exe

Enumeration of existing IE's BHO's
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll (file missing)
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msfnpo.dll

Enumeration of suspicious auto-loading registry entries
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\mskkk.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows File Protection Service] C:\WINDOWS\i386\services.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Auyiff] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Usrr] "C:\DOCUME~1\JIMBER~1\APPLIC~1\SKS~1\regedit.exe" -vt rbnd
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

Disabling of "Internet Options" Main tab with Policies
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Broken Internet access. To fix these you will need LSPFix
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing

IE plugins for file extensions or MIME types
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Changing of IERESET.INF
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

Downloaded Program Files item
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll

Last edited by Tarun; Apr 25, 2006 at 12:39 AM // 00:39..
Tarun is offline   Reply With Quote
Old Apr 25, 2006, 12:50 AM // 00:50   #19
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

Expanded information:

You should highly consider updating to Windows XP Service Pack 2. This can be done at Windows Update.


[msmc] C:\WINDOWS\System32\mskkk.exe is ClientMan (http://research.sunbelt-software.com/threat_display.cfm?name=ClientMan&threatid=3754&search=ClientMan) adware/plugin.

[Microsoft (R) Windows File Protection Service] C:\WINDOWS\i386\services.exe is a malicious trojan that can be found with most virus scanners. See below for suggestions.

[WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe is part of Wintools Adware. See below.

[Auyiff] C:\WINDOWS\System32\m?iexec.exe is part of PurityScan/Clickspring adware. See below.

[Usrr] "C:\DOCUME~1\JIMBER~1\APPLIC~1\SKS~1\regedit.exe" -vt rbnd is also a part of PurityScan/Clickspring adware which is listed above.

Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe is spyware/adware provided by The Gator Corporation. See below.

GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe is also part of Gator spyware/adware. See below.

Suggestions:

Get Avast! antivirus, you're going to need it. Definitely use Avast to scan and remove all found viruses. After all the viruses have been removed, scan with the items below.

Microsoft's Windows Defender (only works on SP2 of Windows XP), Ad-Aware, Spybot, and ewido can remove a majority of adware and spyware, and ewido can also usually remove trojans and viruses.

Once you have scanned with the items above you should update Windows to SP2. Then scan again with everything listed above. Be sure to follow the Lunarsoft.net PC Maintenance guide as it will help improve your system's performance overall.

If you have any questions or need help, do not hesitate to post. I will say that college finals are going on so my replies may take time; but I won't leave you in the dark.

Best of luck,
Tarun
Tarun is offline   Reply With Quote
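An added example, not part of either poster's messages and not Tarun's HijackThis Converter: a small Python triage pass over log lines in the format posted above. The `HOME` table of expected Windows XP folders and the four reason strings are assumptions chosen to match patterns visible in this log; they queue entries for manual review and are not verdicts.

```python
import ntpath
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")           # e.g. "O4 - ..."
PATH = re.compile(r'[A-Za-z]:\\[^,"]*?\.(?:exe|dll)', re.IGNORECASE)

# Assumed normal Windows XP locations of binaries that malware often imitates.
HOME = {
    "services.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "regedit.exe": r"c:\windows",
}

# Sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
C:\DOCUME~1\xx~1\APPLIC~1\SKS~1\regedit.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\i386\services.exe
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll (file missing)
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O23 - Service: Windows File Protection Service (fps) - Unknown owner - C:\WINDOWS\i386\services.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

def triage(line):
    """Return (section, reasons) for one log line; None if it is not an entry."""
    line = line.strip()
    m = ENTRY.match(line)
    if m:
        section, body = m.groups()
    elif PATH.match(line):                 # bare path from "Running processes"
        section, body = "PROC", line
    else:
        return None
    reasons = []
    for path in PATH.findall(body):
        name = ntpath.basename(path).lower()
        if name in HOME and ntpath.dirname(path).lower() != HOME[name]:
            reasons.append("system file name in unexpected folder: " + path)
    if section == "F2" and len(re.findall(r"\.exe\b", body, re.I)) > 1:
        reasons.append("extra program chained onto Shell/UserInit")
    if "(file missing)" in body:
        reasons.append("orphaned entry, target file missing")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no vendor name")
    return section, reasons

def review_queue(log):
    """Entries with at least one reason, in log order."""
    return [t for t in map(triage, log.splitlines()) if t and t[1]]

if __name__ == "__main__":
    for section, reasons in review_queue(SAMPLE_LOG):
        print(section, "->", "; ".join(reasons))
```

Entries that come back with no reasons, such as the Yahoo! Pager and NVIDIA lines, are simply not matched by these heuristics; that is not a statement that they are clean.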
Old Apr 25, 2006, 01:16 AM // 01:16   #20
Academy Page
 
Ravex's Avatar
 
Join Date: Apr 2006
Guild: Dragon Academy
Profession: Mo/Me
Default

Thanks a lot for all the time you have spent helping me; I'll get those updates and stuff. Sorry for another question, but I can't figure out how to delete those processes. They're only on the save log I had to copy and paste; they don't appear on the regular scan list. Can you tell me how to delete those? Thanks again, and I don't mind about the delay; you have been a lot of help.
Ravex is offline   Reply With Quote


All times are GMT.