  #1  
Old January 14th, 2007, 01:22 AM
ohlab ohlab is offline
New Member
 
Join Date: Jan 2007
Posts: 3
Question Can't delete Microsoft.NET Framework 1.1 or the listed Hotfix KB886903

This is my first time posting. But there is not enough room here for the logs (I think they're called HJT logs) SDFix: Version 1.58, Sophos Anti-Virus or Silent Runners.vbs. Is there somewhere else to paste these results?

I can't delete Microsoft.NET Framework 1.1 or the listed Hotfix KB886903. When I try, I get the msg: "This action is only valid for products that are currently installed"

I can't figure out how to enable/repair/reinstall?? the Windows Installer.

I can't find out how to enable/repair/reinstall?? the JIT debugger. I tried enabling DrWatson, but still got the message that the debugger wasn't enabled.
---
OS Name Microsoft Windows XP Professional
Version 5.1.2600 SP2 Build 2600

[Startup]:
"Fatal Execution Error (0x7927e03d)"
[enter]

"Application has generated an exception that could not be handled.
Process id=0x97c (2428)
Thread id=0x984 (2436)"
[cancel] to debug

"Registered JIT debugger is not available. An attempt to launch a JIT debugger with the command resulted in an error code of 0x2 (2). Please check computer settings.
cordbg.exe !a 0x97c"
[retry]

[Control Panel attempts to delete the following]
Microsoft.NET Framework 1.1
"The feature you are trying to use is on a network resource that is unavailable.
Click OK again, or enter an alternate path to a folder containing the installation package "tmp53.tmp" in the box below.
[cancel]
The path
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp53.tmp
Cannot be found. Verify that you have access to this location and try again, or try to find the installation package "tmp53.tmp" in a folder from which you can install the product"
[cancel]
[cancel]
"The installation source for this product is not available. Verify that the source exists and that you can access it."

[Control Panel attempts to delete the following]
Microsoft.NET Framework 1.1 Hotfix (KB886903)
[Change/Remove]
No response - just a quick flash.

Attempts at installation (for instance, HP Photosmart R927 Digital Camera):
Reaches 100% progress, then:


VundoFix V6.2.13
"Done searching for files. No infected files were found"

SDFix: Version 1.58

Sat 01/13/2007 - 13:11:57.50
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
SDFix: Version 1.58
---
Sophos Anti-Virus
Quick Scanning
Could not open C:\Documents and Settings\HP_Administrator\Application Data\ispnews\ispn.ini
3 boot sectors swept.
43771 files swept in 55 minutes and 37 seconds.
8 errors were encountered.
No viruses were discovered.
4 encrypted files were not checked.
Ending Sophos Anti-Virus

---
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"EPSON Stylus CX7800 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /M "Stylus CX7800" /EF "HKCU"" ["SEIKO EPSON CORPORATION"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"AlwaysReady Power Message APP" = "ARPWRMSG.EXE" ["Microsoft"]
"HPBootOp" = ""C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run" ["Hewlett-Packard Company"]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
"EPSON Stylus CX7800 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"" ["SEIKO EPSON CORPORATION"]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"mmtask" = "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" ["TODO: <Company name>"]
"MMTray" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" ["MUSICMATCH, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"RCSystemTray" = "C:\Program Files\Max Registry Cleaner\RCSystemTray.exe" ["Max Secure Software India Pvt. Ltd. www.maxpcsecure.com"]
"FastTVSync" = ""C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"" [empty string]
"WinDVR SchSvr" = ""C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"" ["InterVideo Inc."]
"ISUSPM" = ""C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler" ["Macrovision Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"F-Secure Manager" = ""C:\Program Files\WildBlue Security Center\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"F-Secure TNB" = ""C:\Program Files\WildBlue Security Center\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]
"F-Secure Startup Wizard" = ""C:\Program Files\WildBlue Security Center\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"]
"News Service" = ""C:\Program Files\WildBlue Security Center\FSGUI\ispnews.exe"" ["F-Secure Corporation"]
"PCDrSmartMonitor" = ""C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" -r" [null data]
"RCAutoLiveUpdate" = "C:\Program Files\Max Registry Cleaner\LiveUpdateRC.exe -AUTO" ["Max Secure Software"]
"SystemTraySD" = "C:\Program Files\SpywareDetector\SDSystemTray.exe" ["Max Secure Software"]
"SDAutoLiveupdate" = "C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO" ["Max Secure Software"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DBFB267C-334F-4F19-A304-63B7130C20C7}" = "MediaCenter Property Page"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "arpower.dll" ["Microsoft"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "ShellViewRTF"
-> {HKLM...CLSID} = "ShellViewRTF"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{EDE89C5C-EC11-4714-9EFB-B0E5AE0CB039}" = "Max PC Safe"
-> {HKLM...CLSID} = "Max PC Safe"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellWindowSecure.dll" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> SDNotify\DLLName = "C:\Program Files\SpywareDetector\SDNotify.dll" ["Max Secure Software"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Max PC Safe\(Default) = "{EDE89C5C-EC11-4714-9EFB-B0E5AE0CB039}"
-> {HKLM...CLSID} = "Max PC Safe"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellWindowSecure.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Max PC Safe\(Default) = "{EDE89C5C-EC11-4714-9EFB-B0E5AE0CB039}"
-> {HKLM...CLSID} = "Max PC Safe"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellWindowSecure.dll" [null data]


Default executables:
--------------------
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

D:\cmdcons\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\hp\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\I386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\SYSTEM.SAV\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\TOOLS\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]


Startup items in "HP_Administrator" & "All Users" startup folders:
------------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]
"HP Photosmart Premier Fast Start" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]
"InterVideo Scheduler server" -> shortcut to: "C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe" ["InterVideo Inc."]
"InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" ["InterVideo Inc."]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\KEM.exe" ["Logitech Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Updates from HP" -> shortcut to: "C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe -startup" ["Hewlett-Packard"]
"WildBlue Security Center" -> shortcut to: "C:\Program Files\WildBlue Security Center\backweb\4247706\Program\fspex.exe -startup" ["BackWeb Technologies Inc. "]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"RegCure" -> launches: "C:\Program Files\RegCure\RegCure.exe -t" [null data]
"Scheduled scanning task" -> launches: "C:\PROGRA~1\WILDBL~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\WILDBL~1\ANTI-V~1\report.txt " ["F-Secure Corporation"]
"XoftSpySE" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe -t" ["ParetoLogic"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

{300DB664-75B5-47C0-8B45-A44ACCF73C00}\
"ButtonText" = "IE Shield"
"MenuText" = "IE Shield..."
"CLSIDExtension" = "{0928F506-07E8-470c-979D-147C296D4879}"
-> {HKLM...CLSID} = "F-Secure IE Shield COM button"
\InProcServer32\(Default) = "C:\Program Files\WildBlue Security Center\Anti-Spyware\ieshield.dll" ["F-Secure Corporation"]

{E2D4D26B-0180-43A4-B05F-462D6D54C789}\
"ButtonText" = "Connection Help"
"MenuText" = "Connection Help"
"Script" = "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm " [null data]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ARSVC, ARSVC, "C:\WINDOWS\arservice.exe" ["Microsoft"]
F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Program Files\WildBlue Security Center\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"]
F-Secure Management Agent, FSMA, ""C:\Program Files\WildBlue Security Center\Common\FSMA32.EXE"" ["F-Secure Corporation"]
fsbwsys, fsbwsys, ""C:\Program Files\WildBlue Security Center\backweb\4247706\program\fsbwsys.exe"" ["F-Secure Corp."]
FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\WildBlue Security Center\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
IviRegMgr, IviRegMgr, "C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe" ["InterVideo"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
SDService, SDService, "C:\Program Files\SpywareDetector\SDService.exe" ["Max Secure Software "]
WildBlue Security Center, BackWeb Plug-in - 4247706, "C:\PROGRA~1\WILDBL~1\backweb\4247706\Program\SERVIC~1.EXE" ["BackWeb Technologies Inc. "]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "arkbcfltr" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON Stylus CX7800 Series 2KMonitor5A\Driver = "E_FLMAFA.DLL" ["SEIKO EPSON CORPORATION"]
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
----------

Last edited by ohlab; January 14th, 2007 at 01:29 AM.
  #2  
Old January 16th, 2007, 03:25 AM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Howdy ohlab,


Welcome to CTH. I cannot get a clear picture of what you are trying to accomplish there. You have posted some logs that so far I don't see infection in, and are discussing attempting removal of legitimate MS items (Microsoft.NET Framework and a HotFix) but I don't understand why. You can cause some corruption if you do that wrong, by the way. Post back some ideas on why you think the system is infected, what infection was found by what scan, and of course why you are trying to remove those MS items.
  #3  
Old January 28th, 2007, 08:23 AM
ohlab ohlab is offline
New Member
 
Join Date: Jan 2007
Posts: 3
Quote:
Originally Posted by Tom
Howdy ohlab,


Welcome to CTH. I cannot get a clear picture of what you are trying to accomplish there. You have posted some logs that so far I don't see infection in, and are discussing attempting removal of legitimate MS items (Microsoft.NET Framework and a HotFix) but I don't understand why. You can cause some corruption if you do that wrong, by the way. Post back some ideas on why you think the system is infected, what infection was found by what scan, and of course why you are trying to remove those MS items.
Hello... I'm such a "newby" when it comes to these errors. I just "google" the error, and follow the suggestions to get rid of the problem. Many were to delete the .NET and so on. I didn't have enough room to copy the complete text, because there was a limit on characters, but I kept the document in WORD. I have MaxRegistry cleaner and ran that, and also have the ZoneAlarm virus protection, and did the "byte" level scan and it did find one virus that I had. But sometimes I still get the errors, and other times I go for a long time without getting any. At this point, it seems pretty rare. The only annoyance I have now, is that every time I open a Window or new Tab, I get a beep. I have been trying everything to get rid of it, but the only thing that worked was to have "No Sound" option. Thank you for your reply. I hope the other errors are becoming few and far between.
  #4  
Old January 28th, 2007, 03:54 PM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
When you mention an error that repeats this nudges me to get in a second look through the logs there. You have a rogue antispyware there that does find infection, because it brings it with it. Let's act on that now and get things corrected.



Go to Start > Settings > Control Panel. Click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

SpywareDetector

I also personally don't recommend keeping the following, or anything that has been listed here, so if you want now go ahead and uninstall these as well.

ParetoLogic
XoftSpySE




Then Download the trial version of AVG Anti-Spyware 7.5 from here and install it.

If you have an existing copy of Ewido (which this software replaces), agree to the uninstall notification and uninstall Ewido. Reboot after. Then click the AVG download file again to install the software. (If you have a paid version of Ewido installed, go here to follow the steps to upgrade that now.)



After installation, double-click the icon on your Desktop to launch AVG Anti-Spyware 7.5.

On the top of the main screen click Shield. Then click the word active to change it to inactive.

You will need to also update AVG Anti-Spyware 7.5 to the latest definition files. On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.

Now close AVG Anti-Spyware 7.5 (don't scan just yet).



================================================

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).



Make sure all windows are closed and run AVG Anti-Spyware 7.5. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions.

Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.


Reboot to normal mode, and Download combofix.exe.

Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix.
When the scan completes it will open a text window. Please copy/paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.


Then run and post back new HijackThis and Silent Runners logs, and post them along with the AVG log and the combofix.txt log please. You can use extra posts if needed to fit it all in here.
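
An added example, not part of the thread and not code from Silent Runners: once the uninstalls requested in post #4 are done, this checks a new Silent Runners log for launch points that still reference the removed products. The sample log is constructed from lines in post #1 with the forum's wrapping spaces removed, and the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the Silent Runners log in post #1,
# with the spaces the forum software inserted into long paths removed.
SAMPLE_LOG = r'''
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"SystemTraySD" = "C:\Program Files\SpywareDetector\SDSystemTray.exe" ["Max Secure Software"]
"SDAutoLiveupdate" = "C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO" ["Max Secure Software"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> SDNotify\DLLName = "C:\Program Files\SpywareDetector\SDNotify.dll" ["Max Secure Software"]

Enabled Scheduled Tasks:
------------------------

"XoftSpySE" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe -t" ["ParetoLogic"]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

SDService, SDService, "C:\Program Files\SpywareDetector\SDService.exe" ["Max Secure Software "]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
'''

# An entry line ends with a bracketed publisher tag such as [MS] or
# ["Max Secure Software"]; some lines start with the <<!>> marker.
ENTRY_RE = re.compile(
    r'^(?P<flag><<!>>\s*)?(?P<body>.+?)\s*\[(?P<tag>[^\[\]]*)\]\s*$'
)


def parse_entries(log_text):
    """Return one dict per launch point, tagged with the section it sits in."""
    entries, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:  # blank line or dashed underline
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "section": section,
                "text": m.group("body"),
                "publisher": m.group("tag").strip().strip('"').strip(),
                # The <<!>> marker is kept as a field; no meaning is assumed.
                "flagged": m.group("flag") is not None,
            })
        elif line.startswith(("HKLM\\", "HKCU\\")) or line.endswith(":"):
            # Registry key or titled section header.
            section = line.replace("{++}", "").strip()
    return entries


def leftovers(log_text, product_names):
    """Entries whose command line or publisher still names a removed product."""
    needles = [name.lower() for name in product_names]
    hits = []
    for entry in parse_entries(log_text):
        haystack = (entry["text"] + " " + entry["publisher"]).lower()
        if any(needle in haystack for needle in needles):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    # Product names as listed in post #4.
    for hit in leftovers(SAMPLE_LOG, ["SpywareDetector", "ParetoLogic", "XoftSpySE"]):
        print(f'{hit["section"]}\n    {hit["text"]}  [{hit["publisher"]}]')
```

Run against the original log it lists five launch points across the Run key, Winlogon Notify, scheduled tasks and services; an empty result on the post-cleanup log means none of them survived the uninstall.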
  #5  
Old January 30th, 2007, 05:32 AM
ohlab ohlab is offline
New Member
 
Join Date: Jan 2007
Posts: 3
Thank you Tom. I will try everything you have suggested. There are limited characters for the forum, and I have the complete text in "Word" of all the test results. Is there any way to link to my Word document, or to possibly email the full test results to you? Thank you.
  #6  
Old January 30th, 2007, 06:05 AM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
It is preferred you use Notepad instead of Word for posting back here. You can just break down the logs into separate parts and use separate posts.