rundll32.exe missing


  • This topic is locked
45 replies to this topic

#21 Guest_v3rtige_*

  • Guests

Posted 02 December 2004 - 07:26 PM

The operating system is Windows XP Pro w/ SP1
Hijackthis won't run, it does the same as the .bat file.
When I tried to run the file from Dougknox I got "Windows cannot open this file: File: xp_exe_fix.reg
To open this file Windows needs to know what program created it. etc...."

Housecall did not work
Panda's worked and found + repaired some viruses but I still have the same problem

#22 Guest_Guest_*

  • Guests

Posted 02 December 2004 - 07:28 PM

Basically, Panda's did not solve the issue and I still have the problem

#23 Guest_v3rtige/Guest_*

  • Guests

Posted 02 December 2004 - 07:35 PM

:(

#24 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 02 December 2004 - 07:36 PM

Download this removal tool to desktop and try running it, if it won't run try running it in safe mode
Let me know if it helps, if it does please post a Hijackthis log
http://www.sarc.com/...ter/FixSirc.com

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#25 Guest_Guest_*

  • Guests

Posted 02 December 2004 - 07:39 PM

Didn't work....going to safe mode

Do u have aim or msn or anything that u wouldn't mind giving me to try to solve this? My msn is qmncEmail Removed

#26 Guest_v3rtige_*

  • Guests

Posted 02 December 2004 - 07:45 PM

Same thing happened in safe mode...it does what the .bat file did
and when I run it through start > run and run it through there I get the message "windows cannot open this file....", the same one =[

#27 Guest_Guest_*

  • Guests

Posted 03 December 2004 - 12:59 AM

Does this help you out
http://windowsxp.mvps.org/exefile.htm

#28 Guest_v3rtige_*

  • Guests

Posted 04 December 2004 - 10:57 AM

rather than saying .exe it says .ink for every exe file

#29 Guest_Guest_*

  • Guests

Posted 04 December 2004 - 11:14 AM

I take that back...it only says it cannot run .ink when I use a shortcut or start menu option

#30 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 04 December 2004 - 12:56 PM

What did Panda find?
Did you keep note of the infections, if any?

Try one more Online Virus scan, then we can look in your folders for anything that was renamed
We can try a system restore from a command line, but try this first

Do a free Online AV scan at RAV's
http://www.ravantivirus.com/scan/
When you access that link with Internet Explorer
click on the "To Continue without subsribing click here" link
It will load the activex and definition files

Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan
Then click the 'Scan my PC button'
Let it completely finish scanning
When it's complete, copy and paste the results back here



#31 queenshawtii

    Newbie

  • Members
  • 4 posts

Posted 05 December 2004 - 01:23 PM

I'm having this same problem also, I can start a new thread if you would like but I'll post what I have so far because I have to leave for work soon.

I scanned with RavAV and here is the log.. it could not remove these viruses..

Scan started at 12/3/2004 2:27:00 PM

Scanning memory...
C:\pack3_exe.vir->(RARSfx)->40124.exe->(UPXW) - Backdoor:Win32/MoSucker.0_6 -> Infected
C:\Documents and Settings\Fam\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q3I3IXUR\-indianv[1].htm->(SCRIPT0000) - JS/Exploit.ActiveXComponent* -> Suspicious
C:\Documents and Settings\Fam\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q3I3IXUR\-indianv[1].htm->(SCRIPT0001) - JS/Seeker-based.gen* -> Infected
C:\Documents and Settings\Fam\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q3I3IXUR\dtop[1].htm->(SCRIPT0000) - JS/Exploit.ActiveXComponent* -> Suspicious
C:\Documents and Settings\Fam\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q3I3IXUR\dtop[1].htm->(SCRIPT0001) - JS/Seeker-based.gen* -> Infected
C:\Documents and Settings\Fam\Application Data\hsap.exe - TrojanDownloader:Win32/PurityScan.O -> Infected

Scanned
============================
Objects: 38998
Directories: 2475
Archives: 951
Size(Kb): -218294
Infected files: 4

Found
============================
Viruses found: 3
Suspicious files: 2
Disinfected files: 0
Mail files: 82

and Here is the HJT log

Logfile of HijackThis v1.98.2
Scan saved at 5:54:30 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Documents and Settings\Compaq\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Documents and Settings\Fam\Desktop\fo-wss3spysweep\patched\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - file://C:\WINDOWS\SexDownloader.cab
O20 - AppInit_DLLs: PAVWAIT.DLL

thanks..

#32 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 05 December 2004 - 02:19 PM

Exactly what problem are you having, you seem to be able to run .exe files
Let me know the exact error message

You must also post your whole Hijackthis log from top to bottom
Are you posting it all?

Includes all running processes and Operating system and date scanned
Include everything

If you can't view your task manager download this small utility
Process Viewer by SysInternals
http://www.sysintern...e/procexp.shtml

Open Process Viewer and click File>>Save as
Save the file and post it back here
along with a fresh hijackthis log



#33 queenshawtii

    Newbie

  • Members
  • 4 posts

Posted 06 December 2004 - 09:17 AM

My problem is that when I try to run certain applications from their shortcut I get the "open with.." window.. and also when I try to run anything from the Control Panel I get this error "rundll32.exe not found"..but I just tried to run add/remove programs and it worked! I don't know what happened but I'm still gonna post this because I don't know if it's gonna come back or not. Here you go..


Here is a fresh HJT log.. this is the entire log.
----------------------------------------------------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 10:09:14 AM, on 12/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Documents and Settings\Compaq\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Documents and Settings\Fam\Desktop\fo-wss3spysweep\patched\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsec...an/TDECntrl.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - file://C:\WINDOWS\SexDownloader.cab
O20 - AppInit_DLLs: PAVWAIT.DLL
-----------------------------------------------------------------
And here is the Process Explorer log

-----------------------------------------------------------
Process PID CPU Description Company Name
System Idle Process 0 96
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
SMSS.EXE 300 Windows NT Session Manager Microsoft Corporation
CSRSS.EXE 404 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 432 Windows NT Logon Application Microsoft Corporation
SERVICES.EXE 480 2 Services and Controller app Microsoft Corporation
SVCHOST.EXE 652 Generic Host Process for Win32 Services Microsoft Corporation
ycommon.exe 1448 YCommon Exe Module Yahoo!, Inc.
SVCHOST.EXE 696 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 768 Generic Host Process for Win32 Services Microsoft Corporation
wscntfy.exe 1456 Windows Security Center Notification App Microsoft Corporation
SVCHOST.EXE 828 Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 936 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 1096 Spooler SubSystem App Microsoft Corporation
pavFnSvr.exe 1248 Panda Function Service Panda Software
PAVPROT.EXE 1268 PavProt Application Panda Software
PavPrSrv.exe 1528 Panda Process Protection Service Panda Software
PAVSRV51.EXE 1556 On-Access Antivirus Scanner Service. Panda Software
AVENGINE.EXE 1708 Enhanced On-Access Antivirus Scanner Process. Panda Software
Prevsrv.exe 1584 Panda Preventium+ service Panda Software
PSIMSVC.EXE 1736 Common Interface Manager Panda Software Internacional
WDFMGR.EXE 1876 Windows User Mode Driver Manager Microsoft Corporation
WANMPSVC.EXE 1932 Wan Miniport (ATW) Service America Online, Inc.
ALG.EXE 764 Application Layer Gateway Service Microsoft Corporation
LSASS.EXE 492 LSA Shell (Export Version) Microsoft Corporation
CSRSS.EXE 3264 Client Server Runtime Process Microsoft Corporation
WINLOGON.EXE 2864 Windows NT Logon Application Microsoft Corporation
wscntfy.exe 3612 Windows Security Center Notification App Microsoft Corporation
ycommon.exe 3020 YCommon Exe Module Yahoo!, Inc.
EXPLORER.EXE 3932 Windows Explorer Microsoft Corporation
YBRWICON.EXE 568 YBrwIcon Yahoo!, Inc.
realsched.exe 2156 RealNetworks Scheduler RealNetworks, Inc.
msmsgs.exe 2456 Windows Messenger Microsoft Corporation
aoltray.exe 1840 AOL Tray Icon America Online, Inc.
Ymsgr_tray.exe 2300
EXPLORER.EXE 3352 Windows Explorer Microsoft Corporation
YBRWICON.EXE 1688 YBrwIcon Yahoo!, Inc.
msmsgs.exe 2356 Windows Messenger Microsoft Corporation
spydoctor.exe 3656 PCTools
aoltray.exe 2624 AOL Tray Icon America Online, Inc.
iexplore.exe 3124 Internet Explorer Microsoft Corporation
procexp.exe 1512 2 Sysinternals Process Explorer Sysinternals

Process: Procexp Pid: -2

Type Name
-----------------------------------------------------------------------------------

#34 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 06 December 2004 - 07:22 PM

I'm uploading a file
Rundll32.exe

Save that file to your C:\WINDOWS\SYSTEM32 folder

Allow it to overwrite if prompted
That file is from a Windows XP SP2 machine

If you have trouble with the link, just right click on it and copy the shortcut and paste it in IE's address bar and hit GO

Do another scan with Hijackthis and put a check next to these entries
Keep in mind that red.clientapps is red sheriff spyware

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing

O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - file://C:\WINDOWS\SexDownloader.cab


After you have ticked the above entries, close down all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit hijackthis

RESTART your computer

Is everything running better?
Post back with another Hijackthis log

If .exe's are still not opening properly

Try downloading this registry fix
http://www.dougknox..../xp_exe_fix.zip

Save it and UNZIP it to your desktop
Double click on xp_exe_fix.reg and Allow it to merge to the registry

EDIT>>Getting this fix confused with another user in this thread
Try downloading rundll32.exe and do the fixes I suggested and post back a fresh hijackthis log after a restart

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here
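
Added example (not part of guestolo's post and not HijackThis's own logic): a small Python triage script that parses HijackThis entry lines and flags three of the patterns picked out in the post above, namely IE settings pointing at red.clientapp, the missing URLSearchHook, and an ActiveX control installed from a local file:// .cab. The rule set, the names `parse_log`, `check` and `triage`, and the watchlist are assumptions made for illustration; the sample lines are quoted from the log posted earlier in the thread.

```python
import re
from typing import List, NamedTuple, Optional

# Assumption: URL substrings to watch for; "red.clientapp" is the host named in the post.
WATCHED_URL_MARKERS = ("red.clientapp",)

# A HijackThis entry line looks like "<section code> - <details>", e.g. "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


class Entry(NamedTuple):
    code: str   # section code such as R1, O4, O16
    body: str   # everything after "<code> - "


class Finding(NamedTuple):
    entry: Entry
    reason: str


def parse_log(text: str) -> List[Entry]:
    """Return the entry lines of a log, skipping the header and process list."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append(Entry(match.group("code"), match.group("body")))
    return entries


def check(entry: Entry) -> Optional[str]:
    """Return a reason string if the entry matches one of the three rules."""
    code, body = entry
    if code in ("R0", "R1"):
        # Body format: "<registry key>,<value name> = <data>"
        _, _, data = body.partition(" = ")
        if any(marker in data.lower() for marker in WATCHED_URL_MARKERS):
            return "IE search/start setting points at a watched host"
    elif code == "R3" and "is missing" in body:
        return "default URLSearchHook is missing"
    elif code == "O16":
        # Body format: "DPF: <CLSID or name> (<class>) - <codebase>"
        codebase = body.rsplit(" - ", 1)[-1]
        if codebase.lower().startswith("file://"):
            return "ActiveX control installed from a local .cab"
    return None


def triage(text: str) -> List[Finding]:
    """Parse a log and return the entries worth a second look, in log order."""
    findings = []
    for entry in parse_log(text):
        reason = check(entry)
        if reason:
            findings.append(Finding(entry, reason))
    return findings


# Lines quoted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - file://C:\WINDOWS\SexDownloader.cab
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.entry.code}: {finding.reason}\n    {finding.entry.body}")
```

A match only marks an entry for review; whether to fix it in HijackThis is still a judgment call on the full log.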


#35 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 06 December 2004 - 07:33 PM

Forgot to add
Can you also set Windows to Show Hidden Files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Restart your computer into Safe mode
You can do this by tapping the F8 key on the keyboard when the computer is booting up

Navigate to and delete this file if found
C:\Documents and Settings\Fam\Application Data\hsap.exe <--file

Also navigate to these folders
Delete the WHOLE contents, including subfolders, DON'T delete the Temp folders themselves
# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Look for the other file found bad by Rav's and delete it

Restart back into Normal mode



#36 Guest_Guest_*

  • Guests

Posted 07 December 2004 - 08:05 PM

This is Queenshawtii, I've been trying to download the rundll32.exe but I'm getting the message that my settings don't allow for this type of file to be downloaded..so I'm trying to download it on another pc and put it in a zip file right now.. when I'm done doing all those things above I'll post a fresh log.

#37 queenshawtii

    Newbie

  • Members
  • 4 posts

Posted 07 December 2004 - 08:14 PM

Okay, I tried and it won't let me download the .exe file at any pc. Do I have to change the security settings?

#38 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 07 December 2004 - 08:32 PM

If you have trouble with the link, just right click on it and copy the shortcut and paste it in IE's address bar and hit GO




#39 queenshawtii

    Newbie

  • Members
  • 4 posts

Posted 08 December 2004 - 02:47 PM

When I do that I still get the message that my security settings do not allow this file to be downloaded....I'll try on another PC that I have downstairs

#40 Guest_Guest_guest_*

  • Guests

Posted 12 December 2004 - 08:04 PM

Hey guestolo, I'm having kinda the same problem...I have tried everything that u have said earlier. Is there any way that I can do a system restore command line like u said u could do? But my computer can't find rundll32.exe or explorer.exe..please help