My AVG removed the following--Trojans file o
" " mgxfebsq
" " media tube codec
" " smchk.exe
" " a0049213.exe
" fake " "
" fake " "

Supposedly nothing is on the computer but the Desktop has changed leaving me only a few icons and no way to get to 'computer,pictures.control panel, etc.-- from Start, I cannot get to any programs so cannot use Accessories or anything else. Downloaded SmitFraudFix to Desktop and rebooted into Safe Mode but cannot get any icon to start the program---guess I should just 'shoot the machine' or maybe myself--at 86 yrs old I am out of touch with these creatures--Please help and old vWW2 vet--thanks

Hi there,

Welcome to GeeksToGo.


I take it that you can do some things with the computer, like getting on line, or did you post from another computer?

It is kind of difficult to see what is affecting you without any logs, so lets give this a go, assuming that you are able to get on line and use the internet:

• Go to http://support.f-secure.com/enu/home/ols.shtml
• Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
• Allow the Active X control to be installed on your computer, then click the Accept button
• Click Full System Scan and allow the components to download and the scan to complete.
• If malware is found, check Submit samples to F-Secure then select Automatic cleaning
• When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan

• When the cleaning option is presented, Uncheck Submit samples to F-Secure
• Click Automatic cleaning
• When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Notes:

• This scan will only work with Internet Explorer
• You must have administrator rights to run this scan
• This scan can take a while, so please be patient

Also could you tell me whether you can use the Run command? To do this go to Start, then click Run, type in Explorer and hit Enter.

Let me know if this allows you do do anything.

Regards,
RatHat

Thanks for th answer----cannot get 'run', 'regit' or anything from Start but an abbreviated desktop with few of my original icons---just enought to allow me to go to internet, mail, microsoft word, ccleaner----also having trouble getting the FSecure scan you suggested to work--goes dead after box comes up with no further actions?---ran Stopzilla free scan and my Screensaver came back that was previously a 'white screen'--some mess---thanks for your reply

Try this and see if it works:

Hit Ctrl, Alt and Delete at the same time. It should bring up Task Manager. Click on New Task, then type in Explorer and hit Enter.

Let me know if:

1. Task Manager comes up
2. New Task brings up the Create New Task dialog box
3. If running Explorer works

Regards,
RatHat

RatHat---you taught me something new---1--yes
2---yes
3--yeas
my documents,etc came up
my computer " "
my recycle bin
my desktop " "
also found HijackThis file and did scan----how do I get it to you? paste, etc.---how do I do that?

Also Downloaded SmitFraudFix but cannot fimd it on the lists---when it loaded I hit Run and it came up on screen in 'computer language' (symbols, letters, etc) ?????

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:26 PM, on 10/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\CyberPower PowerPanel Persoanl Edition\ppped.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\CyberPower PowerPanel Persoanl Edition\pppeuser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mycopper.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - URLSearchHook: SrchHook Class - {F4F10C1D-87C7-404A-B4B3-000000000000} - C:\PROGRA~1\DAP\SBSearch.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: fqbewlna - {94E952A4-FAE1-40E5-BBE1-8199D8CF7FD0} - C:\WINDOWS\fqbewlna.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [PCPitstop Disk MD Registration Reminder] C:\Program Files\PCPitstop\Disk MD\Reminder.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Persoanl Edition\pppeuser.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B55B5F0-9D95-48CF-96A1-FEAF74CEC150} (portLoader Class) - http://a248.g.akamai.net/7/248/9286/200309...g2/download.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163824449875
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBFC9743-8BF3-4C04-A378-63B6CD0ECB23}: NameServer = 67.211.172.29 67.211.172.30
O20 - AppInit_DLLs: C:\program,files\relevantknowledge\rlai.dll,C:\program,files\relevantknowledge\rlai.dll,C:\program,files\relevantknowledge\rlai.dll,C:\program,files\relevantknowledge\rlai.dll,C:\program files\relevantknowledge\rlai.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Persoanl Edition\ppped.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8775 bytes

here is HijackThis log for you---Sarah showed me how to do this---thanks to all you kind folks

OK, we are getting somewhere now

Now it would be best to save this post to your desktop so you can refer to it while in Safe Mode.

Right, lets start by using HijackThis to remove some registry entries that are bad.

Using Task Manager, open Hijackthis and scan. Check the boxes next to all the entries listed below.

O3 - Toolbar: fqbewlna - {94E952A4-FAE1-40E5-BBE1-8199D8CF7FD0} - C:\WINDOWS\fqbewlna.dll
O16 - DPF: {2B55B5F0-9D95-48CF-96A1-FEAF74CEC150} (portLoader Class) - http://a248.g.akamai.net/7/248/9286/200309...g2/download.cab
O20 - AppInit_DLLs: C:\program,files\relevantknowledge\rlai.dll,C:\program,files\relevantknowledge\r lai.dll,C:\program,files\relevantknowledge\rlai.dll,C:\program,files\relevantkno wledge\rlai.dll,C:\program files\relevantknowledge\rlai.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download SDFix and save it to your Desktop.

Hit Ctrl, Alt and Delete again to bring up Task Manager

• Click on New Task, then click Browse in the Create New Task dialog box
• Click on the Desktop icon on the left hand side of the window
• Locate SDFix.exe and click on it, then click Open, then OK in the next dialog

This will now extract the SDFix files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

Using Ctrl Alt and Delete, bring up Explorer, the navigate to and delete this folder:

C:\program files\relevantknowledge

Now while still in Safe Mode, lets run SDFix .

• Using Crtl, Alt and Delete again, open a new task and browse to C:\SDFix
• Open the extracted SDFix folder and choose RunThis.bat Open and OK to start the script.

Now in the CMD window that starts

• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum

Note, if your desktop icons are still not back, use task manager to open the report and post it here.

Regards,
RatHat

could not find 'relevant knowledge' on C (did not show up in Safe Mode)----did the SDFix and here is report??---you folks are fantastic to help your fellow man this way---if only we coud only work together with all peoples in friendship and help as you have done with me--aside--are you Thai?--- if so,are there many troubles in your country these days---I pray for all peoples who are just trying to live out their lives in peace?

Icons not back ??? did report come through?

The SDFix report did not come through. I think the best way will be to open task manager again, then start explorer and navigate through to C:SDFix

Inside that folder you should see a file named Report.txt

Use New Task to open that file, then click inside it and hit Crtl and A at the same time. This will highlight all the text. Next hit Ctrl and C at the same time, which will copy that text.

Open a new post here and use Ctrl and V at the same time to paste the text into your reply.

I am English, but my wife is Thai, hence my living in Thailand. We do have a few problems over here, but nothing to serious, just the politicians messing things up as usual. But that happens all over the world.

Regards,
RatHat

can't seem to do this job???---having terrible time getting anything to happen after getting the report to show up???old age, I guess----now, my 'firewall' won't work---"unidentified problem, etc, etc---maybe best to leave it alone and live with the situation---my fault, I know---at least I have half the stuff back although the control panel has no icons just like the desktop

Hi there,

Well I don't want to give up yet, so if you are up for it lets try this:

Download ComboFix from Here or Here to your Desktop.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, if you can.

Hit Ctrl, Alt and Delete again to bring up Task Manager

• Click on New Task, then click Browse in the Create New Task dialog box
• Click on the Desktop icon on the left hand side of the window
• Locate ComboFix.exe and click on it, then click Open, then OK in the next dialog

Agree to the disclaimer and allow Combofix to run.

When the tool is finished, it will produce a report for you. With the log still open, come back here and copy/paste the complete log in your next reply.
(Note: Combofix will also save the report to C:\Combofix.txt)

Regards,
RatHat

Don't know what happend but 'notepad' of Sdfix comes up blank----I could not seem to get it to copy and paste and many have deleted it somehow??-----no icons and now my xp firewall won't work---(unidentified problem, so it says)

Did you manage to run Combofix?

tried 3 different places to download---hangs up each time (cannot download--try different sites)---will keep trying other sites---I believe it times out as my kps connection speed is only 26.4---downloads speeds go up and down as low as 1.1 and then the hangups start---on a rotten Verizon phoneline system that only has to give a connection spoeed of 19kps (voice quality they tell you)---what a mess