Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Infuriating Spontaneous IE Popups [resolved]


  • This topic is locked This topic is locked

#31
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Oh, I don't doubt that you ran the fix.reg, I was just wondering if you had already tried to "Fix Checked" with HiJackThis after running fix.reg.

The program I need you to download is Registrar Lite:
http://www.resplendence.com/download

The 3rd program on the page Registrar Lite 2.00 download it, then install, then I'll give you the instructions here in a little bit.

Michelle :tazz:
  • 0

Advertisements


#32
kk7tz

kk7tz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Installed and ready to go.

-Chris
  • 0

#33
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, Chris, I sure hope this works!

Open Registrar Lite, and click on "Search" at the top, then click "Search Registry" - make sure you're searching the whole registry. It will pull up a box that says "Text to search for:" Put the below item in that box (you can just copy and paste it in there):

5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993

Then click the magnifying glass in the bottom corner to search. It will load everything it finds on the right side. Hopefully, there will only be one but if there are more than one do this for all of them. Double click the item it found and it will put it into the main Registrar window. Go to the main window and click the item. Go to "Security" at the top, then click on "Edit Permissions". It will pull up a box that has all of your computer's accounts. Click on the first account, then checkmark "Full Control" under Allow. Do this for each account, so that they all have full control.

Then run HiJackThis again and trying "fixing" that entry.

Michelle :tazz:
  • 0

#34
kk7tz

kk7tz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Michelle,

I followed the directions but the application didn't open up a window to allow me to edit the permissions.

I'm wondering if i downloaded a demo version that has some features turned off.

-Chris
  • 0

#35
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You clicked on "security" at the top of the main registry page the clicked "edit permissions"?

The version you downloaded is not a trial, it's freeware and I checked it out myself and works fine.

Michelle :tazz:
  • 0

#36
kk7tz

kk7tz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
That is odd. Yeah, I clicked on security and then edit properties, a hourglass would flash for a second on the screen, and then nothing.

-Chris
  • 0

#37
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Strange! Ok forget that, we're going to try something else (does that surprise you after 2 weeks of working on this? :tazz: )

Ok, I need you to uninstall Spybot! Go into Start > Control panel > Add/Remove programs and remove Spybot Search & Destroy.

Then I need you to go into Windows explorer and delete the following directory (in bold):

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

Run HiJackThis again and put a checkmark next to this entry and "fix checked":

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)

Restart your computer, run HiJackThis again, and post the new log (I'm crossing my fingers that this works!)

We will reinstall Spybot after seeing whether or not this works!

Michelle ;)
  • 0

#38
kk7tz

kk7tz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
The crossed fingers didn't help.

HijackThis logfile below.

-Chris

Logfile of HijackThis v1.99.1
Scan saved at 9:27:09 PM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
  • 0

#39
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Oh my gosh!

I'm determined...

Ok, next step...
Please open HiJackThis. Click on "None of the above, just start the program" then click on "Config" (bottom right), the go to "Misc Tools". There will be a button that says "Generate StartupList Log" - put a checkmark next to:

list also minor sections (full)
list empty sections (complete)

Then click the "Generate StartupList Log" button, click "yes" when prompted - a notepad will pop up. Please copy the contents of the notepad and paste them here.

Michelle :tazz:
  • 0

#40
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, it was late last night and I think I should have had you restart after uninstalling Spybot, then fix the entry from HiJackThis. So, before you do any work, try "fixing" that entry in HiJackThis again just to make absolutely sure before we move onto something else.

Michelle :tazz:
  • 0

Advertisements


#41
kk7tz

kk7tz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
OK. I just tried to remove it with HJT again. Its always there after i run "fix checked".

Can this be removed by manually editing the registry?

-Chris
  • 0

#42
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
OK, let's try this:

Open Notepad, copy the code below and paste it into notepad. Go to file > save as, then change the drop down box to "all files" (instead of txt) then save it as Unreg.bat on your desktop:

regsvr32 /u C:\Windows\isrvs\msfiltis.dll
regsvr32 /u C:\Windows\isrvs\msdbhk.dll
regsvr32 /u C:\Windows\isrvs\sysupd.dll

Then, locate Unreg.bat on your Desktop and double-click on it.

Try fixing the entry again in HiJackThis.

Michelle
  • 0

#43
kk7tz

kk7tz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Michelle,

I get three pop-up error messages:

LoadLobrary ("C:\Windows\isrvs\msfiltis.dll") failed - the specified module could not be found.

LoadLobrary ("C:\Windows\isrvs\msdbhk.dll") failed - the specified module could not be found.

LoadLobrary ("C:\Windows\isrvs\sysupd.dll") failed - the specified module could not be found.

I still ran HJT and its still there.

Thank you for your persistence 8^D.

-Chris
  • 0

#44
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, so the reg file doesn't exist which is awesome, it's just the entry in HiJackThis that won't go away for some reason! :tazz:

I will be back asap!

Michelle ;)
  • 0

#45
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Let's check to see if there are any leftover files/folders from this or previous infections.

Please run this online virus scan:
ActiveScan

Copy the results of ActiveScan and paste them into this thread.

Michelle
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP