WizYo Blog ! WizYo Sytes Net Tech Support
What a great place to share :) Here you will find flashes of brilliance caught for all the world to enjoy. .. Actually, these are brief articles describing how I fixed a problem. Every day, I find information online that helps me solve a mystery. So this is me giving back to the community. Thanks for stopping by.. and don't forget to tell your friends!

oh good.. more adware !

Windows XP Pro SP1a - Can log in, but no desktop icons or task bar appear.

Cleaned with CounterSpy and removed 600+ items. Reboot and issue persists. Load ewido security suite 3.0 and reboot. Desktop appears! Update Ewido and remove more detected spyware.

It was funny to see CounterSpy say system is clean of spyware and still see garbage using HijackThis.

ok, now there are three suspicious entries in HJT:

C:\Windows\System32\gomf32.dll
C:\Windows\System32\rpunlm.exe
nicp.exe

The only one that I can find is rpunlm but it won't let me delete it. Time to try recovery console!

Man, that recovery console is aggravating. It seems my ATTRIB command is disabled. The gomf32.dll file is marked --r-s---. I used Winternals ERD Commander and removed the rpunlm.exe file, but it didn't display the gomf32.dll file at all.

ok, we're getting there. Couldn't locate attrib.exe on the hard drive and several folders gave me access denied. Boot to safe mode and check permissions. Verify attrib.exe is in the Windows\System32 folder. Copy it to the root of the drive for safe keeping. Boot to recovery console and use one parameter at a time:

cd System32
attrib -r gomf32.dll
attrib -s gomf32.dll
del gomf32.dll

Boot and discover a second entry for WinLogon Notify: Reinstall with the file name C:\Windows\System32\mqcms.dll. Boot to recovery console and perform the same delete steps as above. I even tried placing a fake file in place of this garbage DLL, but it was smart enough to detect the fake and establish a new file with another random name.

Locate and delete several entries in registry .. more on this later

discover oujsel.dll - the big boss himself !

Reboot and the nancy thing returns! Discover rpunlm.exe has reappeared and set to run next boot. Remove file and startup entry. Refresh list and notice nicp.exe is now set to start up. Remove startup entry, but fail to locate file for removal. Create dummy files for both and reboot. Startup list looks good for now.

Installed Panda Antivirus trial and clean system very well. Reboot and clean more. System is in great shape. Possibly going to recommend Panda antivirus in the future.
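
The comparison done by eye across reboots above (a Winlogon Notify entry that comes back pointing at a different DLL, startup entries that reappear), as an added example that is not part of the original post: it diffs the O4 (startup) and O20 (Winlogon Notify) lines of two HijackThis-style logs. Both logs are constructed; the Run value names and the replacement DLL name are placeholders.

```python
import re

# HijackThis log line shapes for startup entries (O4) and Winlogon Notify (O20).
O4 = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.+)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")

# Constructed sample logs. File names come from the post; the Run value names
# and "placeholder-random.dll" are placeholders, not real observations.
BEFORE = r"""
O4 - HKLM\..\Run: [rpunlm] C:\Windows\System32\rpunlm.exe
O20 - Winlogon Notify: Reinstall - C:\Windows\System32\mqcms.dll
O20 - Winlogon Notify: termsrv - C:\Windows\System32\wlnotify.dll
"""
AFTER = r"""
O4 - HKLM\..\Run: [nicp] nicp.exe
O20 - Winlogon Notify: Reinstall - C:\Windows\System32\placeholder-random.dll
O20 - Winlogon Notify: termsrv - C:\WINDOWS\system32\wlnotify.dll
"""

def parse(log):
    """Map (section, entry name) -> lower-cased target path."""
    entries = {}
    for line in log.splitlines():
        line = line.strip()
        if m := O4.match(line):
            entries[("O4 " + m.group(1), m.group(2))] = m.group(3).lower()
        elif m := O20.match(line):
            entries[("O20 Winlogon Notify", m.group(1))] = m.group(2).lower()
    return entries

def compare(before, after):
    """Return (status, key, old_target, new_target) for every changed entry."""
    old, new = parse(before), parse(after)
    findings = []
    for key in sorted(old.keys() | new.keys()):
        o, n = old.get(key), new.get(key)
        if o is None:
            findings.append(("added", key, None, n))
        elif n is None:
            findings.append(("removed", key, o, None))
        elif o != n:
            # Same entry name, different file: the regenerate-under-a-new-name case.
            findings.append(("retargeted", key, o, n))
    return findings

if __name__ == "__main__":
    for status, (section, name), o, n in compare(BEFORE, AFTER):
        print(f"{status:10} {section} [{name}]: {o} -> {n}")
```

A "retargeted" Notify entry after a cleanup pass means the registry entry survived and something recreated the file, so the remaining loader still has to be found before the next reboot.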


Thursday, June 30, 2005

