Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Dr Watson PostMortem error opening control panel

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 2 posts
I am working with an end-user who has tried about 6 different spyware/adaware removal programs. He used Trend Micro PC Cillin. He is remote from me so I use gotomypc to connect to his system.

I found on google that other people had this problem and is caused by malware. Most people were submitting hijackthis logs and following a custom treatment program.

I have attached the log from his computer.

Thanks for your help.

Attached Files

  • 0




    Spyware Veteran

  • GeekU Moderator
  • 31,643 posts
Download and run CWShredder from:
Use the Fix button.

Download and run About:Buster from:
It usually takes two runs to get cleaned.

Copy the part in bold below into notepad and save it as winpup.reg




Doubleclick winpup.reg and confirm you want to merge it with the registry.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uoysa.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uoysa.dll/sp.html#22776

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://prosearching....//my.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CAF26EC5-E0AD-49E5-5C3C-D6D5210B1C3D} - C:\WINDOWS\ipxd32.dll

O4 - HKLM\..\Run: [win32app] C:\WINDOWS\System32\winpup32.exe

O4 - HKLM\..\Run: [Windrv] C:\WINDOWS\System32\fld.exe
O4 - HKLM\..\Run: [APIMon] C:\WINDOWS\System32\123268.exe
O4 - HKLM\..\Run: [Wingraph] C:\WINDOWS\System32\wingraphsx.exe
O4 - HKLM\..\Run: [Winspool] C:\WINDOWS\System32\winspls.exe
O4 - HKLM\..\Run: [gjmmgl] C:\WINDOWS\System32\afnpie.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b

O4 - HKLM\..\Run: [19XFJ13R.exe] C:\WINDOWS\System32\19XFJ13R.exe

O4 - HKLM\..\Run: [borelitelicensemix] C:\Documents and Settings\All Users\Application Data\dent idol bore lite\real fork.exe

O4 - HKLM\..\Run: [ntpr.exe] C:\WINDOWS\ntpr.exe

O4 - HKCU\..\Run: [MSNAVPM] C:\WINDOWS\System32\WinSpool.exe
O4 - HKCU\..\Run: [NAV32sta] C:\WINDOWS\system32\3de43g.exe
O4 - HKCU\..\Run: [sixthsave] C:\DOCUME~1\MBERTE~1\APPLIC~1\FILMBO~1\defytrust.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.5.cab

O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atlbh32.exe" /s (file missing)

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Then post back with a new log.
You said you wanted to have a look for some fixes yourself.
You are looking at LOP. WebRebates, CWS, Winpup and a bunch of trojans/viruses using random filenames.

  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP