I think my browsers have been hijacked
Solved/Closed
askatu
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013
-
Jan 8, 2013 at 05:02 PM
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Jan 18, 2013 at 06:08 PM
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Jan 18, 2013 at 06:08 PM
Related:
- I think my browsers have been hijacked
- How do i update my browser on my phone - Guide
- Browsers not working but internet connected - Guide
- Lg tv browsers - Guide
- How do i make opera my default browser - Guide
- Top browsers - Guide
24 responses
Ambucias
Posts
47356
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,168
Jan 8, 2013 at 05:22 PM
Jan 8, 2013 at 05:22 PM
Greetings,
You have no doubt downloaded something which you should not have.
Lets start with this solution and then let me know. If the following does not work fully, we may need to go into surgery.
Download, install and run Malwarebyte which you can find on this site:
https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ es-anti-malware
Ensure you make an update.
Boot your computer in safemode
Please request a FULL system scan, which may take from 20 minutes to hours. Do not interfere no matter how long in takes. The creators of Malwarebyte recommend that while the tool is running that you go do something else, such as watching a rerun of Gone with the Wind or read Tolstoy's War and Peace.
If Malwarebyte restarts your system, launch it again to finish the Full scan.
When the scan is completed, delete all items found.
IF your computer is clean and working normally just to be on the safe side
*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.
This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging.
You have no doubt downloaded something which you should not have.
Lets start with this solution and then let me know. If the following does not work fully, we may need to go into surgery.
Download, install and run Malwarebyte which you can find on this site:
https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ es-anti-malware
Ensure you make an update.
Boot your computer in safemode
Please request a FULL system scan, which may take from 20 minutes to hours. Do not interfere no matter how long in takes. The creators of Malwarebyte recommend that while the tool is running that you go do something else, such as watching a rerun of Gone with the Wind or read Tolstoy's War and Peace.
If Malwarebyte restarts your system, launch it again to finish the Full scan.
When the scan is completed, delete all items found.
IF your computer is clean and working normally just to be on the safe side
*Turn off system restore and wait 30 seconds,
*Turn it back on and create a new restore point.
This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging.
Hello Ambucias,
No success. After 1h and a half, Malwarebytes has detected 1 file; previously it had detected 11. I followed the instructions you gave in another thread that had a similar situation to mine.
The situation is still the same. You're right about the download, it all started searching for something to remove the DRM of an ebook I recently bought in the Penguin site which has modified all my previous settings in relation to file extensions.
And on top of that now when the computer starts a window appears with this notice: "error loading cmicnfg.cpl the specified module could not be found. In the top left hand side there is this name: RUNDLL
I hope all of this can be solved. Do you think is it serious?
No success. After 1h and a half, Malwarebytes has detected 1 file; previously it had detected 11. I followed the instructions you gave in another thread that had a similar situation to mine.
The situation is still the same. You're right about the download, it all started searching for something to remove the DRM of an ebook I recently bought in the Penguin site which has modified all my previous settings in relation to file extensions.
And on top of that now when the computer starts a window appears with this notice: "error loading cmicnfg.cpl the specified module could not be found. In the top left hand side there is this name: RUNDLL
I hope all of this can be solved. Do you think is it serious?
askatu
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013
Jan 9, 2013 at 04:53 AM
Jan 9, 2013 at 04:53 AM
Hello,
I'm doing a new complete scan in my PC to see if it can detect something else. The situation is still the same: The computer is very slow and the browsers are still hijacked.
The rundll window is still appearing. Everything is painfully slow.
Can I get some help please.
Thanks in advance
PS:
I hope I had not been misunderstood about the ebook and DRM matter, I'm not a pirate. I only wanted to revert to my original settings on my computer. I searched online and unfortunately I clicked a download that seem perfectly legitimate, I did everything, maybe a bit hastily.
I'm doing a new complete scan in my PC to see if it can detect something else. The situation is still the same: The computer is very slow and the browsers are still hijacked.
The rundll window is still appearing. Everything is painfully slow.
Can I get some help please.
Thanks in advance
PS:
I hope I had not been misunderstood about the ebook and DRM matter, I'm not a pirate. I only wanted to revert to my original settings on my computer. I searched online and unfortunately I clicked a download that seem perfectly legitimate, I did everything, maybe a bit hastily.
Ambucias
Posts
47356
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,168
Jan 9, 2013 at 06:52 AM
Jan 9, 2013 at 06:52 AM
To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a system log.
1. Open this link and download ZHPDiag2 :
https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html
(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message. Once installed, click on the "hardhat" icon, it allows to change the language.)
2. Save the file on your Desktop.
3. Double click on ZHPDiag.exe and follow the installation instructions.
the tool creates three icons ZHPDiag, MRB, and ZHPFix (If necessary,we will use ZHPFix at the next step).
4. Double click on the short cut ZHPDiag on your Destktop.
5. Click on the screwdriver icon and ensure all of the items are checked.
6. Click on the Magnifying glass and run the analysys.
Wait for the tool to finished (maybe a long time)
7. Close ZHPDiag.
8. To transmit the report, click on this link :
https://authentification.site
9. Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
10. Select the file ZHPDiag.txt.
11. Click on "upload ยป
12. Copy the url and post it here.
Best regards
Ambucias
Moderator /Security Contributor
1. Open this link and download ZHPDiag2 :
https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html
(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message. Once installed, click on the "hardhat" icon, it allows to change the language.)
2. Save the file on your Desktop.
3. Double click on ZHPDiag.exe and follow the installation instructions.
the tool creates three icons ZHPDiag, MRB, and ZHPFix (If necessary,we will use ZHPFix at the next step).
4. Double click on the short cut ZHPDiag on your Destktop.
5. Click on the screwdriver icon and ensure all of the items are checked.
6. Click on the Magnifying glass and run the analysys.
Wait for the tool to finished (maybe a long time)
7. Close ZHPDiag.
8. To transmit the report, click on this link :
https://authentification.site
9. Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
10. Select the file ZHPDiag.txt.
11. Click on "upload ยป
12. Copy the url and post it here.
Best regards
Ambucias
Moderator /Security Contributor
Didn't find the answer you are looking for?
Ask a question
askatu
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013
Jan 9, 2013 at 07:10 AM
Jan 9, 2013 at 07:10 AM
Thank you very much Ambucias for your inestimable help.
As I said in my previous post I re-run another Malwarebytes scan, this time it found 1 issue, I deleted it, restarted the computer. I changed the home pages in the browsers and everything seems alright now.
The only thing that is still appearing is the RUNDLL window. Do you still need a diagnose for the RUNDLL issue or there is another solution to that.
Maybe with yesterday's anxiety I deleted something I shoudn't have done.
I'm waiting for your reply.
Once again thanks for your help.
As I said in my previous post I re-run another Malwarebytes scan, this time it found 1 issue, I deleted it, restarted the computer. I changed the home pages in the browsers and everything seems alright now.
The only thing that is still appearing is the RUNDLL window. Do you still need a diagnose for the RUNDLL issue or there is another solution to that.
Maybe with yesterday's anxiety I deleted something I shoudn't have done.
I'm waiting for your reply.
Once again thanks for your help.
Ambucias
Posts
47356
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,168
Jan 9, 2013 at 07:16 AM
Jan 9, 2013 at 07:16 AM
That would be nice, just to ensure that we have everything.
I will not be able to reply to you for at least 8 hours as I am now login off.
Regards
P.S. I suggest that you don't play around with the machine until we know exactly what the issue is.
I will not be able to reply to you for at least 8 hours as I am now login off.
Regards
P.S. I suggest that you don't play around with the machine until we know exactly what the issue is.
askatu
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013
Jan 9, 2013 at 08:23 AM
Jan 9, 2013 at 08:23 AM
Here is the link:
http://speedy.sh/mQ4uk/ZHPDiag.txt
Regards,
PS: Sure I'm going to be careful with the machine!!!
http://speedy.sh/mQ4uk/ZHPDiag.txt
Regards,
PS: Sure I'm going to be careful with the machine!!!
askatu
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013
Jan 9, 2013 at 11:06 AM
Jan 9, 2013 at 11:06 AM
Hello Ambucias
I'm afraid things have not changed. Below is the new url on the home page of my browsers:
http://ww12.certified-toolbar.com -->new url with the same popups.
How frustrating!
I hope you have received the file well.
Regards
I'm afraid things have not changed. Below is the new url on the home page of my browsers:
http://ww12.certified-toolbar.com -->new url with the same popups.
How frustrating!
I hope you have received the file well.
Regards
Ambucias
Posts
47356
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,168
Jan 9, 2013 at 05:05 PM
Jan 9, 2013 at 05:05 PM
Hold on a minute. Producing a log does not change anything.
I will look at your log now.
Stand-by
I will look at your log now.
Stand-by
Ambucias
Posts
47356
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,168
Jan 9, 2013 at 06:01 PM
Jan 9, 2013 at 06:01 PM
Dear Montserrat
Here it is as I am studying it :
You hard drive memory is at a critical point, you only have 4% memory left. You system may crash.
You Windows must be updated.
You system is full of adware
1. Go to your control panel add/remove program tool and open it:
2. Delete from there all the toolbar applications that you see : crawler, babylon, etc.
3. ZHP Diag created on your desktop an icon ZHP Fix, it looks like a seringe. Open ZHP Fix.
4. Copy the following lines:
O43 - CFD: 19/12/2012 - 00:47:30 - [0] ----D C:\Program Files\BT Broadband Desktop Help => BT Broadband
O43 - CFD: 21/02/2011 - 14:35:27 - [3.270] ----D C:\Program Files\Spybot - Search & Destroy => Spybot - Search & Destroy
O47 - AAKE:Key Export SP - "C:\WINDOWS\system32\rundll32.exe" [Enabled] Orphean Key
M3 - MFPP: Plugins - [Montserrat Arda] -- C:\Program Files\Mozilla FireFox\searchplugins\crawlersrch.xml => Toolbar.Crawler
R3 - URLSearchHook: (no name) - {5E34052D-4D61-4BE4-9B6E-93836198886C} . (.Conduit Ltd. - Conduit Toolbar.) (6.4.0.0) -- C:\Program Files\PPCBully\prxtbPPC1.dll
O2 - BHO: PPCBully - {5e34052d-4d61-4be4-9b6e-93836198886c} . (.Conduit Ltd. - Conduit Toolbar.) -- C:\Program Files\PPCBully\prxtbPPC1.dll
O3 - Toolbar: PPCBully Toolbar - [HKLM]{5e34052d-4d61-4be4-9b6e-93836198886c} . (.Conduit Ltd. - Conduit Toolbar.) -- C:\Program Files\PPCBully\prxtbPPC1.dll
[HKCU\Software\AVG Security Toolbar] => Toolbar.AVGSearch
[HKCU\Software\ConduitSearchScopes] => Toolbar.Conduit
[HKCU\Software\Conduit] => Toolbar.Conduit
[HKCU\Software\Instant Buzz]
[HKCU\Software\Smartbar] => Toolbar.Agent
[HKCU\Software\YahooPartnerToolbar] => Toolbar.Yahoo
[HKLM\Software\AskBarDis] => Toolbar.Ask
[HKLM\Software\Conduit] => Toolbar.Conduit
[HKLM\Software\Instant Buzz]
O43 - CFD: 20/02/2010 - 09:53:54 - [1.824] ----D C:\Program Files\Conduit => Toolbar.Conduit
O69 - SBI: SearchScopes [HKCU] {afdbddaa-5d3f-42ee-b79c-185a7020515b} - (WiseConvert Customized Web Search) - http://search.conduit.com => Toolbar.Conduit
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}] => Toolbar.Crawler
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}] => Toolbar.Crawler
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201f27d4-3704-41d6-89c1-aa35e39143ed}] => Toolbar.Ask
[HKLM\Software\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}] => Toolbar.Conduit
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}] => Toolbar.Crawler
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}] => Toolbar.SweetIM
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] => Toolbar.Skype
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] => Toolbar.Skype
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}] => Toolbar.Conduit
[HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine] => Toolbar.Conduit
[HKLM\Software\Classes\Conduit.Engine] => Toolbar.Conduit
[HKCU\Software\ConduitSearchScopes] => Toolbar.Conduit
[HKCU\Software\instant buzz]
[HKLM\Software\instant buzz]
[HKLM\Software\AskBarDis] => Toolbar.Ask
[HKLM\Software\Classes\Toolband.EB_ExplorerBar] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.IPM_PrintListItem] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PM_Launcher] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PM_PrintManager] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PR_BindStatusCallback] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PR_CancelButtonEventHandler] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.TBToolband] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.UserOptions] => Toolbar.Agent
[HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]:{4B3803EA-5230-4DC3-A7FC-33638F3D3542} => Toolbar.Crawler
C:\Program Files\Conduit => Toolbar.Conduit
C:\Documents and Settings\Montserrat Arda\Local Settings\Application Data\AVG Security Toolbar => Toolbar.AVGSearch
C:\Documents and Settings\Montserrat Arda\Local Settings\Application Data\Conduit
[HKLM\Software\Integral4
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} -- C:\Program Files\Instant Buzz\IBBar.dll (.not file.) => Infection BT (InstantBuzz.Adw)
[HKCU\Software\AppDataLow\SProtector] => Infection PUP (PUP.AdvancedSystemProtector)
[HKCU\Software\PriceGong] => Infection BT (Adware.PriceGong)
O43 - CFD: 20/12/2012 - 20:56:48 - [0.435] ----D C:\Documents and Settings\Montserrat Arda\Application Data\PriceGong => Infection BT (Adware.PriceGong)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("extensions.BabylonToolbar.prtkDS", 0); => Infection BT (Toolbar.Babylon)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("extensions.BabylonToolbar.prtkHmpg", 0); => Infection BT (Toolbar.Babylon)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.startup.homepage", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.keyword.URL", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.scripts.1.domain-blacklist", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.enable", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: SearchScopes [HKCU] {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} [DefaultScope] - (WebSearch) - http://websearch.just-browse.info => Infection PUP (PUP.Mocaflix)
[HKLM\Software\Microsoft\Internet Explorer\extensions\{066040f0-5018-4e15-8aa0-81d36136d989}] => Infection BT (Adware.InstBruzz)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}] => Infection BT (Adware.ShopperReports)
[HKLM\Software\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}] => Infection BT (Adware.SearchSettings)
C:\Documents and Settings\Montserrat Arda\Application Data\PriceGong
5. Click on the Clipboard button at the top and a GO button will appear at the bottom. Click on Go and close ZHP Fix
6. Download the following tool, run it and click on deletion.
https://toolslib.net
(The English text is in the second part of the page)
7. Delete the previous ZHP Diag log, produce a new one and uploaded on Speedyshare for me to check.
Good luck
Here it is as I am studying it :
You hard drive memory is at a critical point, you only have 4% memory left. You system may crash.
You Windows must be updated.
You system is full of adware
1. Go to your control panel add/remove program tool and open it:
2. Delete from there all the toolbar applications that you see : crawler, babylon, etc.
3. ZHP Diag created on your desktop an icon ZHP Fix, it looks like a seringe. Open ZHP Fix.
4. Copy the following lines:
O43 - CFD: 19/12/2012 - 00:47:30 - [0] ----D C:\Program Files\BT Broadband Desktop Help => BT Broadband
O43 - CFD: 21/02/2011 - 14:35:27 - [3.270] ----D C:\Program Files\Spybot - Search & Destroy => Spybot - Search & Destroy
O47 - AAKE:Key Export SP - "C:\WINDOWS\system32\rundll32.exe" [Enabled] Orphean Key
M3 - MFPP: Plugins - [Montserrat Arda] -- C:\Program Files\Mozilla FireFox\searchplugins\crawlersrch.xml => Toolbar.Crawler
R3 - URLSearchHook: (no name) - {5E34052D-4D61-4BE4-9B6E-93836198886C} . (.Conduit Ltd. - Conduit Toolbar.) (6.4.0.0) -- C:\Program Files\PPCBully\prxtbPPC1.dll
O2 - BHO: PPCBully - {5e34052d-4d61-4be4-9b6e-93836198886c} . (.Conduit Ltd. - Conduit Toolbar.) -- C:\Program Files\PPCBully\prxtbPPC1.dll
O3 - Toolbar: PPCBully Toolbar - [HKLM]{5e34052d-4d61-4be4-9b6e-93836198886c} . (.Conduit Ltd. - Conduit Toolbar.) -- C:\Program Files\PPCBully\prxtbPPC1.dll
[HKCU\Software\AVG Security Toolbar] => Toolbar.AVGSearch
[HKCU\Software\ConduitSearchScopes] => Toolbar.Conduit
[HKCU\Software\Conduit] => Toolbar.Conduit
[HKCU\Software\Instant Buzz]
[HKCU\Software\Smartbar] => Toolbar.Agent
[HKCU\Software\YahooPartnerToolbar] => Toolbar.Yahoo
[HKLM\Software\AskBarDis] => Toolbar.Ask
[HKLM\Software\Conduit] => Toolbar.Conduit
[HKLM\Software\Instant Buzz]
O43 - CFD: 20/02/2010 - 09:53:54 - [1.824] ----D C:\Program Files\Conduit => Toolbar.Conduit
O69 - SBI: SearchScopes [HKCU] {afdbddaa-5d3f-42ee-b79c-185a7020515b} - (WiseConvert Customized Web Search) - http://search.conduit.com => Toolbar.Conduit
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}] => Toolbar.Crawler
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}] => Toolbar.Crawler
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201f27d4-3704-41d6-89c1-aa35e39143ed}] => Toolbar.Ask
[HKLM\Software\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}] => Toolbar.Conduit
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}] => Toolbar.Crawler
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}] => Toolbar.SweetIM
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] => Toolbar.Skype
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] => Toolbar.Skype
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}] => Toolbar.Conduit
[HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine] => Toolbar.Conduit
[HKLM\Software\Classes\Conduit.Engine] => Toolbar.Conduit
[HKCU\Software\ConduitSearchScopes] => Toolbar.Conduit
[HKCU\Software\instant buzz]
[HKLM\Software\instant buzz]
[HKLM\Software\AskBarDis] => Toolbar.Ask
[HKLM\Software\Classes\Toolband.EB_ExplorerBar] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.IPM_PrintListItem] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PM_Launcher] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PM_PrintManager] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PR_BindStatusCallback] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.PR_CancelButtonEventHandler] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.TBToolband] => Toolbar.Agent
[HKLM\Software\Classes\Toolband.UserOptions] => Toolbar.Agent
[HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]:{4B3803EA-5230-4DC3-A7FC-33638F3D3542} => Toolbar.Crawler
C:\Program Files\Conduit => Toolbar.Conduit
C:\Documents and Settings\Montserrat Arda\Local Settings\Application Data\AVG Security Toolbar => Toolbar.AVGSearch
C:\Documents and Settings\Montserrat Arda\Local Settings\Application Data\Conduit
[HKLM\Software\Integral4
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} -- C:\Program Files\Instant Buzz\IBBar.dll (.not file.) => Infection BT (InstantBuzz.Adw)
[HKCU\Software\AppDataLow\SProtector] => Infection PUP (PUP.AdvancedSystemProtector)
[HKCU\Software\PriceGong] => Infection BT (Adware.PriceGong)
O43 - CFD: 20/12/2012 - 20:56:48 - [0.435] ----D C:\Documents and Settings\Montserrat Arda\Application Data\PriceGong => Infection BT (Adware.PriceGong)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("extensions.BabylonToolbar.prtkDS", 0); => Infection BT (Toolbar.Babylon)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("extensions.BabylonToolbar.prtkHmpg", 0); => Infection BT (Toolbar.Babylon)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.browser.startup.homepage", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.previous.keyword.URL", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.scripts.1.domain-blacklist", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: prefs.js [Montserrat Arda - sc4grwwf.default] user_pref("sweetim.toolbar.searchguard.enable", ""); => Infection PUP (PUP.SweetIM)
O69 - SBI: SearchScopes [HKCU] {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} [DefaultScope] - (WebSearch) - http://websearch.just-browse.info => Infection PUP (PUP.Mocaflix)
[HKLM\Software\Microsoft\Internet Explorer\extensions\{066040f0-5018-4e15-8aa0-81d36136d989}] => Infection BT (Adware.InstBruzz)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}] => Infection BT (Adware.ShopperReports)
[HKLM\Software\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}] => Infection BT (Adware.SearchSettings)
C:\Documents and Settings\Montserrat Arda\Application Data\PriceGong
5. Click on the Clipboard button at the top and a GO button will appear at the bottom. Click on Go and close ZHP Fix
6. Download the following tool, run it and click on deletion.
https://toolslib.net
(The English text is in the second part of the page)
7. Delete the previous ZHP Diag log, produce a new one and uploaded on Speedyshare for me to check.
Good luck
askatu
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013
Jan 9, 2013 at 07:47 PM
Jan 9, 2013 at 07:47 PM
Hello Ambucias,
I followed all the steps you gave me and here is the link:
http://speedy.sh/TExSS/AdwCleaner-R1.txt
I'm amazed; the majority of things have been installed from my telephone and Broadband provider! I didn't know I had all that stuff from them!
I followed all the steps you gave me and here is the link:
http://speedy.sh/TExSS/AdwCleaner-R1.txt
I'm amazed; the majority of things have been installed from my telephone and Broadband provider! I didn't know I had all that stuff from them!
Ambucias
Posts
47356
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,168
Jan 10, 2013 at 04:29 AM
Jan 10, 2013 at 04:29 AM
How is your computer behaving now ?
askatu
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013
Jan 10, 2013 at 07:45 AM
Jan 10, 2013 at 07:45 AM
Very, very slow. Yesterday after several attempts to log off normally I had to shut it down forcefully. I decided to give it a rest longer than normal and when I switched it on today it took ages to open FF and IE
The RUNDULL window still appears at the beginning of the session.
Apart from that everything seems fine.
Did you receive the log alright? What did you see?
Thanks again for your help.
The RUNDULL window still appears at the beginning of the session.
Apart from that everything seems fine.
Did you receive the log alright? What did you see?
Thanks again for your help.
Ambucias
Posts
47356
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,168
Jan 10, 2013 at 04:36 PM
Jan 10, 2013 at 04:36 PM
Yes I did get the log which was the Adwcleaner log, however if you recall and read back, I did I ask you to delete the previous ZHP Diag log, to produce a new one and to upload it on Speedyshare. I still need that log for verification.
Before you do another log...
1. Click on run
2. Type cmd and click ok, a black window will appear
3. Type chkdsk and press enter.
4.Watch carefully and tell me what are the results.
5. Tell me if you still get the rundll error
6. Upload a brand new ZHP Diag log.
Take care
Before you do another log...
1. Click on run
2. Type cmd and click ok, a black window will appear
3. Type chkdsk and press enter.
4.Watch carefully and tell me what are the results.
5. Tell me if you still get the rundll error
6. Upload a brand new ZHP Diag log.
Take care
askatu
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013
Jan 10, 2013 at 06:17 PM
Jan 10, 2013 at 06:17 PM
I just uploaded the ZHP Diag log and the "CHKDSK" report. I hope everything is fine now. I don't know yet if I still have the rundll error, this only appears when I switch on the machine.
Ambucias
Posts
47356
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,168
Jan 11, 2013 at 06:39 AM
Jan 11, 2013 at 06:39 AM
So you uploaded it! Where ?
askatu
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013
Jan 11, 2013 at 08:47 AM
Jan 11, 2013 at 08:47 AM
I'm so sorry! I was so tired that I forgot to copy the links ; :(silly me). Here are the links:
http://speedy.sh/6uScN/CHKDSK.txt
http://speedy.sh/adD7R/ZHPDiag.txt
http://speedy.sh/6uScN/CHKDSK.txt
http://speedy.sh/adD7R/ZHPDiag.txt
Ambucias
Posts
47356
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,168
Jan 11, 2013 at 05:13 PM
Jan 11, 2013 at 05:13 PM
Dear Silly You;-)
You have overstepped the critical threshold, there is only 5% free space on your hard disk. Do you realize what this means?
In your log, I found a parasite type virus
Please launch ZHP Fix, copy the following, click on the clipboard button and then on the GO button :
M3 - MFPP: Plugins - [Montserrat Arda] -- C:\Program Files\Mozilla FireFox\searchplugins\Web Search.xml
There is a lot of stuff which I would get rid of, but I am not you and I don't know what is the main use of the computer for you. Certainly, there is no room for games. Your harddisk capacity is only 12 Gb.
Chkdsk recoved some system files.
If you still get the rundll error Window, try this:
Click on Run, type cmd click ok
Type sfc/scannow
Press enter, let it run
Close the window
Let me know the results
Best regards
P.S. I will send you my personal address for you to send me a case of stout. God save the Queen !
You have overstepped the critical threshold, there is only 5% free space on your hard disk. Do you realize what this means?
In your log, I found a parasite type virus
Please launch ZHP Fix, copy the following, click on the clipboard button and then on the GO button :
M3 - MFPP: Plugins - [Montserrat Arda] -- C:\Program Files\Mozilla FireFox\searchplugins\Web Search.xml
There is a lot of stuff which I would get rid of, but I am not you and I don't know what is the main use of the computer for you. Certainly, there is no room for games. Your harddisk capacity is only 12 Gb.
Chkdsk recoved some system files.
If you still get the rundll error Window, try this:
Click on Run, type cmd click ok
Type sfc/scannow
Press enter, let it run
Close the window
Let me know the results
Best regards
P.S. I will send you my personal address for you to send me a case of stout. God save the Queen !
askatu
Posts
13
Registration date
Thursday September 16, 2010
Status
Member
Last seen
January 18, 2013
Jan 11, 2013 at 07:05 PM
Jan 11, 2013 at 07:05 PM
Yes, I'm not fully conscious of what it means, but I've been struggling for quite a while with this mater. I even remember having posted here in Kioskea something about this. I realize that I have to get rid of a lot stuff, but it happens that every time I do that it seems as if the computer were eating memory, and I got back to the low disc space again.
I wonder if I can remove some windows material that I do not use and also the service packs that have a huge volume. Today I did some cleaning I'm now with 1.27Gb I did the defragmentation and some of the files that could not be defragmented where the ones below and I wonder if I can remove for instance the 3rd one:
...
1,676 114 MB \WINDOWS\Installer\12fd2ce.msp
7,171 167 MB \WINDOWS\Installer\MSI102.tmp
1,370 210 MB \WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
....
I didn't get today the rundll error, but I did what you suggested and this is what it came out:
"Files that are required for Windows to run properly must be copied to the DLL cache.
Insert your Windows XP Home edition CD-Rom now". I didn't do that because I heard that if you do that all your stuff is removed.
Thanks one more time, take care.
PS: Of course you deserve not only a case of stout but two at least!
I wonder if I can remove some windows material that I do not use and also the service packs that have a huge volume. Today I did some cleaning I'm now with 1.27Gb I did the defragmentation and some of the files that could not be defragmented where the ones below and I wonder if I can remove for instance the 3rd one:
...
1,676 114 MB \WINDOWS\Installer\12fd2ce.msp
7,171 167 MB \WINDOWS\Installer\MSI102.tmp
1,370 210 MB \WINDOWS\SoftwareDistribution\DataStore\DataStore.edb
....
I didn't get today the rundll error, but I did what you suggested and this is what it came out:
"Files that are required for Windows to run properly must be copied to the DLL cache.
Insert your Windows XP Home edition CD-Rom now". I didn't do that because I heard that if you do that all your stuff is removed.
Thanks one more time, take care.
PS: Of course you deserve not only a case of stout but two at least!
Ambucias
Posts
47356
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
February 15, 2023
11,168
Jan 12, 2013 at 05:37 AM
Jan 12, 2013 at 05:37 AM
The stout is very much appreciated, thanks.
The rundll error is probably due to a trace of malware left in the registry. We may need to do some delicate surgery in the registry. To avoid the operation, I would like you to run a full scan with Malwarebyte. Tell me if you get any hits.
As for space, I suggest you run CCleaner:
I would not delete the files you mentioned, perhaps some other time the .tmp file
As I said, I don't know what you use the computer for, so I can't suggest to you what to remove. The service packs are now essential to run some applications, removing them may also cause crashes.
You have Google Chrome and Firefox, do you need and use both ? What about Netscape ?
What about Silverlight ? Do you use it ?
After you run Malwarebyte, you can remove it, you can also delete AdwCleaner
Let me know and take care.
P.S. With the delivery, please add a dozen scones. Thanks
The rundll error is probably due to a trace of malware left in the registry. We may need to do some delicate surgery in the registry. To avoid the operation, I would like you to run a full scan with Malwarebyte. Tell me if you get any hits.
As for space, I suggest you run CCleaner:
I would not delete the files you mentioned, perhaps some other time the .tmp file
As I said, I don't know what you use the computer for, so I can't suggest to you what to remove. The service packs are now essential to run some applications, removing them may also cause crashes.
You have Google Chrome and Firefox, do you need and use both ? What about Netscape ?
What about Silverlight ? Do you use it ?
After you run Malwarebyte, you can remove it, you can also delete AdwCleaner
Let me know and take care.
P.S. With the delivery, please add a dozen scones. Thanks
