Redirect bug!
Started by crossbow66, Sep 13 2012 06:15 AM
#76
Posted 15 September 2012 - 07:39 PM
#77
Posted 15 September 2012 - 07:45 PM
It says it isn't running. I tried to start it from services.msc and it gave me the same answer. I may be at fault here: I copied the downloaded file "Bits.reg" to C instead of merging it. So that may be the problem... Shall I merge it and see what happens?
Farbar Service Scanner Version: 06-08-2012
Ran by Mark V. Sanderford (administrator) on 15-09-2012 at 21:41:02
Running from "C:\Documents and Settings\Mark V. Sanderford\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS.0\system32\qmgr.dll".
Windows Autoupdate Disabled Policy:
============================
File Check:
========
C:\WINDOWS.0\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS.0\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS.0\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS.0\system32\netman.dll => MD5 is legit
C:\WINDOWS.0\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\srsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS.0\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS.0\system32\qmgr.dll => MD5 is legit
C:\WINDOWS.0\system32\es.dll => MD5 is legit
C:\WINDOWS.0\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\svchost.exe => MD5 is legit
C:\WINDOWS.0\system32\rpcss.dll => MD5 is legit
C:\WINDOWS.0\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000056000000050000000600000007000000
IpSec Tag value is correct.
**** End of log ****
#78
Posted 15 September 2012 - 07:54 PM
Well, I merged it, and rebooted and it didn't help. I also received a notice that not all of the legbits file could be merged when I tried to merge it ....
Edited by crossbow66, 15 September 2012 - 07:55 PM.
#79
Posted 15 September 2012 - 08:12 PM
If you are getting tired of "bits" (and me) and would rather take it up again tomorrow sometime or later, don't hesitate to say so. You have been magnificent! I am absolutely awestruck with the amount of work you have done to help untangle my computer, and free it from the clutches of that virus!!
#80
Posted 15 September 2012 - 08:17 PM
I think I see the problem (Thanks to OldTimer). Your system uses Windows.0 instead of Windows. Most of the bits.reg uses %systemroot% which automatically picks up on that but there is one entry that refers to c:\windows\system32. Probably easiest for you to change it in regedit:
Start, Run, regedit, OK
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters
Find HKEY_LOCAL_MACHINE and click on the + in front of it.
Now look for SYSTEM and click on the + in front of it.
Now look for CurrentControlSet and click on the + in front of it. (Careful - there are several ControlSets)
Now look for services and click on the + in front of it.
Now look for BITS and click on the + in front of it.
Click on Parameters
Double click on ServiceDLL in the right pane and it should open.
Add .0 (zero) after the windows so that it now says:
c:\windows.0\system32\qmgr.dll
then hit OK.
Close regedit and reboot.
See if BITS will start now.
#81
Posted 15 September 2012 - 08:21 PM
Also while in regedit there is another thing we need to fix:
Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\Parameters
Change ServiceDll of wuauserv: from C:\WINDOWS\system32\wuauserv.dll to C:\windows.0\system32\wuauserv.dll
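The check behind posts #80 and #81, as an added example that is not part of the original thread: it reads Farbar-style log text, infers the real system root from the File Check paths, and flags any ServiceDll that points into a different Windows directory. The function names and the sample log are constructed for illustration.

```python
import ntpath
import re
from collections import Counter

# Constructed excerpt in the format of the Farbar Service Scanner log in this thread.
SAMPLE_LOG = r'''
wuauserv Service is not running. Checking service configuration:
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
BITS Service is not running. Checking service configuration:
The ServiceDll of BITS: "C:\WINDOWS.0\system32\qmgr.dll".
File Check:
C:\WINDOWS.0\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS.0\system32\qmgr.dll => MD5 is legit
C:\WINDOWS.0\system32\svchost.exe => MD5 is legit
'''

SERVICE_DLL = re.compile(r'^The ServiceDll of (\S+): "([^"]+)"', re.M)
FILE_CHECK = re.compile(r'^(\S.*?) => MD5 is legit', re.M)


def system_root_from_file_check(log):
    """Return the most common parent of \\system32\\ among verified files."""
    roots = Counter()
    for path in FILE_CHECK.findall(log):
        low = ntpath.normcase(path)
        idx = low.find("\\system32\\")
        if idx > 0:
            roots[low[:idx]] += 1
    return roots.most_common(1)[0][0] if roots else None


def expand(path, system_root):
    """Expand %systemroot% as a REG_EXPAND_SZ value would be expanded."""
    return re.sub(r"%systemroot%", lambda m: system_root, path, flags=re.I)


def mismatched_service_dlls(log, system_root=None):
    """List (service, configured path, path under the real root) mismatches."""
    root = system_root or system_root_from_file_check(log)
    if root is None:
        raise ValueError("system root not given and not inferable from log")
    root = ntpath.normcase(root)
    findings = []
    for service, dll in SERVICE_DLL.findall(log):
        full = ntpath.normcase(expand(dll, root))
        # Trailing backslash keeps c:\windows from matching c:\windows.0
        if not full.startswith(root + "\\"):
            fixed = root + "\\system32\\" + ntpath.basename(full)
            findings.append((service, dll, fixed))
    return findings


if __name__ == "__main__":
    for service, configured, fixed in mismatched_service_dlls(SAMPLE_LOG):
        print(f"{service}: {configured} -> {fixed}")
```
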
#82
Posted 15 September 2012 - 08:22 PM
That is all I have time for tonight.
#83
Posted 15 September 2012 - 08:29 PM
It worked!!! Woo Hoo! I'll fix that other thing... and say good night!!
#84
Posted 15 September 2012 - 08:32 PM
Now that's done!
#85
Posted 16 September 2012 - 12:50 PM
Well! Whenever you feel like getting back to it (and I'm in no hurry whatever) I guess we'll need to (1) fix the wuauserv problem, (2) let me know how I can avoid getting my computer contaminated in the future (as you can imagine, I've got my desktop littered with a good dozen anti-virus/anti-malware apps - none of which were able to see this virus), and, most importantly, (3) figure out how I can repay you for your patience, kindness, and amazing expertise!
(Here's the most recent Farbar):
Farbar Service Scanner Version: 06-08-2012
Ran by Mark V. Sanderford (administrator) on 16-09-2012 at 14:48:59
Running from "C:\Documents and Settings\Mark V. Sanderford\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS.0\system32\wuauserv.dll".
Windows Autoupdate Disabled Policy:
============================
File Check:
========
C:\WINDOWS.0\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS.0\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS.0\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS.0\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS.0\system32\netman.dll => MD5 is legit
C:\WINDOWS.0\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\srsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS.0\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS.0\system32\qmgr.dll => MD5 is legit
C:\WINDOWS.0\system32\es.dll => MD5 is legit
C:\WINDOWS.0\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS.0\system32\svchost.exe => MD5 is legit
C:\WINDOWS.0\system32\rpcss.dll => MD5 is legit
C:\WINDOWS.0\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000056000000050000000600000007000000
IpSec Tag value is correct.
**** End of log ****
#86
Posted 16 September 2012 - 02:04 PM
OK. Let's look at the registry entries for windows updates.
Copy the next 4 lines:
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv /s > \junk.txt
dir /a \windows.0\system32\wuauserv.dll >> \junk.txt
net start wuauserv >> \junk.txt
regsvr32 \windows.0\system32\wuauserv.dll >> \junk.txt
Start, Run, cmd, OK then right click and Paste or Edit, paste and the copied lines should appear. Hit Enter.
Then type:
notepad \junk.txt
Copy and paste the text.
#87
Posted 16 September 2012 - 03:07 PM
I got the message saying that the wuauserv.dll file was loaded but the DllRegisterServices entry point was not found, so the file can't be registered.
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv
Type REG_DWORD 0x20
Start REG_DWORD 0x2
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k netsvcs
DisplayName REG_SZ Automatic Updates
ObjectName REG_SZ LocalSystem
Description REG_SZ Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\Parameters
ServiceDll REG_EXPAND_SZ C:\WINDOWS.0\system32\wuauserv.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\Security
Security REG_BINARY 010014807800000084000000140000003000000002001C000100000002801400FF000F000101000000000001000000000200480003000000000014009D00020001010000000000050B00000000001800FF010F000102000000000005200000002002000000001400FF010F00010100000000000512000000010100000000000512000000010100000000000512000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv\Enum
0 REG_SZ Root\LEGACY_WUAUSERV\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1
Volume in drive C has no label.
Volume Serial Number is 1CE7-9C30
Directory of C:\windows.0\system32
04/14/2008 05:42 AM 6,656 wuauserv.dll
1 File(s) 6,656 bytes
0 Dir(s) 122,845,175,808 bytes free