
Redirect bug!



#76
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
Finally. Run Farbar again and let's see what it says.
  • 0



#77
crossbow66

crossbow66

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
It says it isn't running. I tried to start it from services.msc and it gave me the same answer. I may be at fault here: I copied the downloaded file "Bits.reg" to C instead of merging it. So that may be the problem...Shall I merge it and see what happens?



Farbar Service Scanner Version: 06-08-2012
Ran by Mark V. Sanderford (administrator) on 15-09-2012 at 21:41:02
Running from "C:\Documents and Settings\Mark V. Sanderford\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS.0\system32\qmgr.dll".


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS.0\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS.0\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS.0\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS.0\system32\netman.dll => MD5 is legit
C:\WINDOWS.0\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\srsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS.0\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS.0\system32\qmgr.dll => MD5 is legit
C:\WINDOWS.0\system32\es.dll => MD5 is legit
C:\WINDOWS.0\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\svchost.exe => MD5 is legit
C:\WINDOWS.0\system32\rpcss.dll => MD5 is legit
C:\WINDOWS.0\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000056000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  • 0

#78
crossbow66

crossbow66

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Well, I merged it, and rebooted and it didn't help. I also received a notice that not all of the legbits file could be merged when I tried to merge it ....

Edited by crossbow66, 15 September 2012 - 07:55 PM.

  • 0

#79
crossbow66

crossbow66

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
If you are getting tired of "bits" (and me) and would rather take it up again tomorrow sometime or later, don't hesitate to say so. You have been magnificent! I am absolutely awestruck with the amount of work you have done to help untangle my computer, and free it from the clutches of that virus!! :notworthy:
  • 0

#80
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
I think I see the problem (Thanks to OldTimer). Your system uses Windows.0 instead of Windows. Most of the bits.reg uses %systemroot% which automatically picks up on that but there is one entry that refers to c:\windows\system32. Probably easiest for you to change it in regedit:

Start, Run, regedit, OK

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters

Find HKEY_LOCAL_MACHINE and click on the + in front of it.

Now look for SYSTEM and click on the + in front of it.

Now look for CurrentControlSet and click on the + in front of it. (Careful - there are several ControlSets)

Now look for services and click on the + in front of it.

Now look for BITS and click on the + in front of it.

Click on Parameters

Double click on ServiceDLL in the right pane and it should open.

Add .0 (zero) after the windows so that it now says:

c:\windows.0\system32\qmgr.dll

then hit OK.

Close regedit and reboot.

See if BITS will start now.
  • 0

#81
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
Also while in regedit there is another thing we need to fix:

Go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\Parameters

Change ServiceDll of wuauserv: from C:\WINDOWS\system32\wuauserv.dll to C:\windows.0\system32\wuauserv.dll
  • 0
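The mismatch described in the two posts above (a ServiceDll hardcoded to C:\WINDOWS on a machine whose system root is C:\WINDOWS.0) can be checked for across every service at once. This is an added example, not part of the original thread: it parses `reg query ... /s` text and flags any ServiceDll that points into a system32 directory outside the real system root. The function names, the sample registry text and the suggested `%SystemRoot%` form are this example's own assumptions.

```python
import re

# Constructed sample in the "reg query /s" layout; not output from the thread.
# All helper names below are this example's own.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters
    ServiceDll  REG_EXPAND_SZ   C:\WINDOWS\system32\qmgr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\Parameters
    ServiceDll  REG_EXPAND_SZ   C:\WINDOWS.0\system32\wuauserv.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc\Parameters
    ServiceDll  REG_EXPAND_SZ   %SystemRoot%\system32\cryptsvc.dll
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\services\\([^\\]+)\\Parameters\s*$", re.I)
VALUE_RE = re.compile(r"^\s*ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)
SYS32_RE = re.compile(r"^(.*?)\\(system32\\.+)$", re.I)


def expand_systemroot(path, system_root):
    """Expand %SystemRoot% case-insensitively against the given root."""
    return re.sub(r"%systemroot%", lambda m: system_root, path, flags=re.I)


def find_misrooted_service_dlls(reg_text, system_root):
    """Return (service, configured_path, portable_fix) for every ServiceDll that
    points into a system32 directory outside the real system root."""
    root = system_root.rstrip("\\")
    findings, service = [], None
    for line in reg_text.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("HKEY_"):
            key = KEY_RE.match(stripped)
            service = key.group(1) if key else None  # only ...\<svc>\Parameters keys count
            continue
        value = VALUE_RE.match(line)
        if not (value and service):
            continue
        configured = value.group(1).strip('"')
        parts = SYS32_RE.match(expand_systemroot(configured, root))
        if parts and parts.group(1).lower() != root.lower():
            findings.append((service, configured, "%SystemRoot%\\" + parts.group(2)))
    return findings


if __name__ == "__main__":
    for svc, bad, fix in find_misrooted_service_dlls(SAMPLE_REG_QUERY, r"C:\WINDOWS.0"):
        print(f"{svc}: {bad} -> {fix}")
```

Feed it the saved output of `reg query HKLM\SYSTEM\CurrentControlSet\services /s` together with the machine's actual system root; services whose DLLs live outside any system32 directory are deliberately ignored.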

#82
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
That is all I have time for tonight.
  • 0

#83
crossbow66

crossbow66

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
It worked!!! Woo Hoo! :thumbsup: :thumbsup: :beer: :beer: :cheers: :cheers: I'll fix that other thing... and say good night!!
  • 0

#84
crossbow66

crossbow66

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Now that's done!
  • 0

#85
crossbow66

crossbow66

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Well! Whenever you feel like getting back to it (and I'm in no hurry whatever) I guess we'll need to (1) fix wuauserv problem (2) let me know how I can avoid getting my computer contaminated in the future (as you can imagine, I've got my desktop littered with a good dozen anti-virus/anti-malware apps - none of which were able to see this virus), and, most importantly, (3) figuring out how I can repay you for your patience, kindness, and amazing expertise!

(Here's the most recent Farbar):

Farbar Service Scanner Version: 06-08-2012
Ran by Mark V. Sanderford (administrator) on 16-09-2012 at 14:48:59
Running from "C:\Documents and Settings\Mark V. Sanderford\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS.0\system32\wuauserv.dll".


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS.0\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS.0\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS.0\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS.0\system32\netman.dll => MD5 is legit
C:\WINDOWS.0\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\srsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS.0\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS.0\system32\qmgr.dll => MD5 is legit
C:\WINDOWS.0\system32\es.dll => MD5 is legit
C:\WINDOWS.0\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\svchost.exe => MD5 is legit
C:\WINDOWS.0\system32\rpcss.dll => MD5 is legit
C:\WINDOWS.0\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000056000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  • 0



#86
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
OK. Let's look at the registry entries for windows updates.

Copy the next 4 lines:

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv /s > \junk.txt
dir /a \windows.0\system32\wuauserv.dll >> \junk.txt
net start wuauserv >> \junk.txt
regsvr32 \windows.0\system32\wuauserv.dll >> \junk.txt

Start, Run, cmd, OK then right click and Paste or Edit, paste and the copied lines should appear. Hit Enter.

Then type:
notepad  \junk.txt
Copy and paste the text.
  • 0

#87
crossbow66

crossbow66

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
I got the message saying that the wuauserv.dll file was loaded but the DllRegisterServices entry point was not found, so the file can't be registered.


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv
Type REG_DWORD 0x20
Start REG_DWORD 0x2
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k netsvcs
DisplayName REG_SZ Automatic Updates
ObjectName REG_SZ LocalSystem
Description REG_SZ Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\Parameters
ServiceDll REG_EXPAND_SZ C:\WINDOWS.0\system32\wuauserv.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\Security
Security REG_BINARY 010014807800000084000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200480003000000000014009D00020001010000000000050B00000000001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\Enum
0 REG_SZ Root\LEGACY_WUAUSERV\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1
Volume in drive C has no label.
Volume Serial Number is 1CE7-9C30

Directory of C:\windows.0\system32

04/14/2008 05:42 AM 6,656 wuauserv.dll
1 File(s) 6,656 bytes
0 Dir(s) 122,845,175,808 bytes free
  • 0





