TheTechGuide Forum
General Category => Tech Clinic => Topic started by: djkwik on March 03, 2005, 10:54:56 AM
-
Yesterday (Wednesday morning) I spent about 3 hours running AdAware, Spybot Search & Destroy, HouseCall Anti Virus, and EZ Trust Antivirus. None of them could locate this really persistent virus. I was getting a pop-up window stating that Windows Firewall has detected spyware activity on my computer, then Explorer would open and go to some anti-spyware page that refused to close no matter what I did. Then I'd notice 10 new entries in my favorites list, also my homepage kept being set to about:blank...then I realized it was a CWS and ran my CWS Shredder, found the hidden dll. Thought that was the end of it....but of course not! 'puter ran fine the rest of the day, yet now again this morning, I get two alerts from my EZ Anti Virus regarding mxbckup.exe and truettf.exe. I got those two yesterday, did a search, and deleted them. Today however, search didn't find them, yet when I run the EZ AV program and open windows\System 32, they are both right there. The EZ deleted them....ok and fine...I think. While in the EZ window, I also notice that the Recycler file (which still boggles my brain) has two entries in it despite the fact that I continually empty my recycle bin....and I had read on some forum or another that if you empty your recycle bin, the recycler folder should be empty. So I am wondering why there are still two things sitting in the recycler folder. And what is up with EZ showing all these folders that you cannot find anywhere but on their tree????? I'm not the savviest computer user, but I know when my system is under attack and have usually been able to get rid of the problem, but it seems this one has gotten me beat! Any suggestions???
-
Can you Download Hijackthis 1.99.1
A small utility to help identify whether any hijackers, malware, spyware, etc. reside on your computer
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
Download Hijackthis from CLICK HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe) or CLICK HERE (http://aumha.org/downloads/hijackthis.exe)
Save it to that new folder
Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
-
Well, I turned my computer off after starting this thread. Remember that I had just run my EZ Antivirus program and it found the files "mxbkup.exe" and "truettf.exe" and deleted them. Well, the very moment I started my computer to come to this site and see if you responded yet, right after startup, I got EZ alerts about those same damn two files. I am still thinking it is those two sitting in the recycler that I can't find, and EZ won't let me delete them from their tree that actually shows the recycler file. I downloaded the HJT and below are the results:
Logfile of HijackThis v1.99.1
Scan saved at 5:43:29 PM, on 3/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\connmie.exe
C:\WINDOWS\system32\dxconf.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {9490C321-0534-2324-4502-13C8C4B64772} - runload32.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecustom32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SysEntry] prgsys0984.exe
O4 - HKLM\..\Run: [___] WhatsNewBot.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [WhatsNewBot] xxtoolbar.exe
O4 - HKCU\..\Run: [sound64] PrcIdle.exe
O4 - HKCU\..\Run: [RtlFindVal] browsebar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.176.196,195.225.176.37
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
-
PS, right after sending you the above message with the HJT log, an Explorer window tried to open again (but I put my LAN/cable modem on standby) so this page starts to try to load...http\\www.sex-and-poker.com and those same 10 porno sites have been added to my favorites list AGAIN! I'm running the EZ to delete those two .exe files. Also, I didn't see those two files on the HJT log anywhere? Why is EZ finding them instantly and why won't they stay deleted???? These are the two files that are sitting in my recycler folder:
C:\RECYCLER\S-1-5-21-360472731-572273255-329551234-1005
C:\RECYCLER\S-1-5-21-515967899-1647877149-1801674531-1003
Ok, will leave you alone for now...I know you are helping a LOT of people. HACKERS SUCK!
-
Another PS: two actually. Forgot to log in last time, that's why it shows my first PS as from guest but it was me. Second: going through temp internet files, I clicked on view objects and it shows downloaded programs. The very first one is an ActiveX control and is damaged, and when I go further, there are 3 files dependent on it. Below is the actual file I am referring to:
{9F1C11AA-197B-4942-BA54-47A8489BB47F} 4KB
I have been seeing that ActiveX controls can also cause a lot of problems and was just wondering if this is something I should be concerned with.
thanks again.
-
Download and save to desktop the standalone version of CWShredder.exe (http://cwshredder.net/bin/CWShredder.exe)
Don't run this yet
Next: Please download Remv3.zip and UNZIP the folder inside to Desktop
Ensure you unzip the contents, this won't work if left within the zipped archive
Please print this out or save to a Notepad file on the desktop
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
RESTART your computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
Look for and delete these files or folders if found,
C:\WINDOWS\system32\connmie.exe <--file, exact name
C:\WINDOWS\system32\dxconf.exe <--file
C:\WINDOWS\system32\iecustom32.dll <--file
Search for these next ones and delete them if found
prgsys0984.exe
WhatsNewBot.exe
xxtoolbar.exe
PrcIdle.exe
browsebar.exe
C:\Program Files\WareOut <--this folder
Stay in safe mode and do a Disk Cleanup
START>>RUN>>type in cleanmgr
Hit OK
Ensure Temp and Temp Internet files are selected
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R3 - URLSearchHook: (no name) - {9490C321-0534-2324-4502-13C8C4B64772} - runload32.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\system32\iecustom32.dll
O4 - HKLM\..\Run: [SysEntry] prgsys0984.exe
O4 - HKLM\..\Run: [___] WhatsNewBot.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [WhatsNewBot] xxtoolbar.exe
O4 - HKCU\..\Run: [sound64] PrcIdle.exe
O4 - HKCU\..\Run: [RtlFindVal] browsebar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.176.196,195.225.176.37
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open the Remv3 folder you unzipped earlier and Double click on Remv3.bat
Let it finish, it will produce a log, we'll need this later
Stay in safe mode and open just CWShredder and click Only the FIX button
Let it fix what it finds
Restart back to Normal Mode
Post back a Fresh Hijackthis log afterwards
Remv3 would have produced a log, can you also post this log please
C:\log.txt
If you find you cannot connect to the Internet later
Close all other windows
Access your Control Panel
If you're in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically" is selected. OK your way out.
Restart your computer again and come back here and post a fresh hijackthis log
and log.txt
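The entries picked out above fall into a few recognisable patterns: Run entries that launch a bare file name with no path, hooks and BHOs whose DLL is already gone, rewritten IE search values, an IE policy lock, and a hard-coded NameServer. As an added example (not part of the thread and not HijackThis's own code), the script below applies those patterns to any log in this format; the KNOWN_DNS allow-list is an assumed placeholder and the sample log is constructed from entries in the posted log.

```python
"""Triage heuristics for HijackThis v1.99 log entries.

Added example; it is not part of the forum thread and not HijackThis's
own code. It encodes the checks the helper applied by hand when picking
entries to "Fix checked" from the posted log.
"""
import re
from dataclasses import dataclass

# Assumption: the DNS servers the owner knowingly configured. The thread's
# machine was meant to use DHCP-assigned DNS, so any hard-coded NameServer
# is suspect; the constructed allow-list below is only a placeholder.
KNOWN_DNS = {"192.168.1.1"}

# Registry values that control IE's search provider; CoolWebSearch
# variants rewrite exactly these (the about:blank hijack in the thread).
SEARCH_KEYS = ("Internet Explorer,(Default)", "Search,Default_Search_URL")

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2})\s*-\s*(?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\]\s*(?P<cmd>.*)$")


@dataclass
class Finding:
    kind: str     # HijackThis section, e.g. "O4"
    reason: str   # why the entry was flagged
    line: str     # the original log line


def _executable(cmd: str) -> str:
    """First token of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "O4":
        r = RUN_RE.match(body)
        if r:
            exe = _executable(r.group("cmd"))
            # Installers write full paths; a bare file name that relies on
            # the PATH search order is the shape of every bad O4 in the log.
            if "\\" not in exe:
                return Finding(kind, "Run entry without a path: " + exe, line)
    elif kind in ("O2", "O3", "R3") and ("(no file)" in body or "(file missing)" in body):
        # A BHO, toolbar or URLSearchHook whose DLL is gone is residue of a
        # partial removal; the CLSID registration should go too.
        return Finding(kind, "orphaned browser hook", line)
    elif kind == "R1" and any(k in body for k in SEARCH_KEYS):
        return Finding(kind, "search provider rewritten", line)
    elif kind == "O6" and body.endswith("present"):
        # A policy key locking the IE control panel keeps the victim from
        # undoing the hijack through the UI.
        return Finding(kind, "IE control panel locked by policy", line)
    elif kind == "O17" and "NameServer" in body:
        servers = re.split(r"[,\s]+", body.split("=", 1)[1].strip())
        rogue = [s for s in servers if s and s not in KNOWN_DNS]
        if rogue:
            return Finding(kind, "unexpected DNS servers: " + ", ".join(rogue), line)
    return None


def triage_log(text: str):
    """Run triage_line over a whole log; returns the list of findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: a subset of the entries from the log posted in the
# thread, plus benign lines that must not be flagged.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {9490C321-0534-2324-4502-13C8C4B64772} - runload32.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SysEntry] prgsys0984.exe
O4 - HKCU\..\Run: [RtlFindVal] browsebar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.176.196,195.225.176.37
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}")
```

The path heuristic deliberately does not catch a rogue product installed under a proper path, such as the WareOut entry above, which the helper recognised by name rather than by shape.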
-
Man, I couldn't get into your site all day today, had me worried. Ok, I did what you listed and the two logs are below. I want to know about those two items sitting in the recycler file though...also...these are the three things that my EZantivirus keeps popping up every time I connect to the net: mxbkup.exe, truettf.exe, iecustme.exe. EZ deletes them, but they just keep coming back. I guess I will see what happens after this most recent HJT cleanup and the next step after you see the remv3 log. Thanks again for all your help.
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:41:41 AM, on 3/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
remv3 log:
Files Found.................
----------------------------------------
run_dos.dll
sprmover.exe
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
hdyue.dll
msi.dll
Finished
-
Well, I went to bed after sending the last post with the latest HJT log and the remv3 log. When I got up today and went online, the very first thing to happen was that EZantivirus detected two of those trojans AGAIN and then those 10 sites were listed in my favorites file AGAIN, so I turned off the modem and started running the various scans AGAIN. While running AdAware (just for the sake of seeing if IT can find the ones that EZ keeps finding over and over and over again), IE windows kept trying to open to various sites AGAIN!
NOTHING has changed so far. Oh, except that every time, EZantivirus always states that mxbkup.exe is a win32.netmesser.F trojan, yet today I used the EZ tree to see if it was in the system32 folder; sure enough it was there, but this time not detected as that trojan!!! This is making NO SENSE! And as I am typing this, some damn gambling thing just started to download!!! Some Carnival Casino thing!!! If anything, my computer has gotten worse! HELP!!!!!!!! I also need to know why it is that when I open up the Windows System 32 folder via My Computer, these things never list, even when I have unchecked the hide file extensions, etc, etc, etc, etc, etc!!!!! Yet they all list up for the EZ antivirus program. I go into Windows system 32 via that and there are 20 times more files listed! And regarding the RECYCLER folder, those same two entries are still there. I was able to go into the recycler folder and one of them would delete, but the other one says it cannot be deleted because it is being used by another person or program! Then the second one always shows up again later! THIS IS BEGINNING TO PISS ME OFF SO BAD I'M ABOUT READY TO TAKE A SLEDGEHAMMER TO THIS COMPUTER!
-
Let's try this
Download the Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)
UNZIP it to a folder of your choice
Save the rest of these instructions to a Notepad file and leave it open on the desktop
Disconnect from the Internet
With just these instructions open
Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.
In Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\System32\hdyue.dll
Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select YES.
Please allow it to reboot, but reboot to safe mode
Find and delete any files found bad by EZTrust again
Stay in safe mode and run Remv3.bat again
Ensure you're set to Show Hidden files and folders
Stay in safe mode and recheck to make sure that
Obtain DNS server address automatically is still selected
Restart back to Normal mode
Download this virus checker from eScan
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install, save it and then double click to run
It will self extract
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and paste it in your next reply.
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
Post back a fresh hijackthis log afterwards too
along with the new C:\log.txt
-
Ok man, I give up! I did EXACTLY what you told me to do. First EZ couldn't find anything at all while in safe mode. I did the remv3 and this time those files didn't list. I used the Killbox and it told me that the file I copy/pasted into it was erased by an outside source! Then when I came back online to download the Mwav.exe thing, EZ THEN starts going crazy the moment I went online, finding those same recurring trojans! Then I went offline and ran the Mwav! It finds 24...count them, 24 viruses! BUT I go to copy and paste the list in the lower box just like you said and the damn thing won't let me! So I go to view the log itself, and what do I find? A trillion-line log that I start to painstakingly go through to try to find all 24 that say "no action taken" so I can copy and paste them here....only I start getting inundated with pop-up windows again, DESPITE NOT BEING ONLINE!!! And while trying to close them all down, I wound up closing the log file I was working with! NOW I CAN'T RETRIEVE IT! I gave up and went to eat some dinner. I come back, run the EZ again, it deletes the truettf.exe win32.bloon.c trojan, and the iecustme.exe win32.startpage.NW trojan. I ran the remv3 again and this time it finds only one file....I tried to run it 3 times in a row and each time it finds different files altogether! So how the hell am I supposed to use KillBox to get rid of them when they keep changing on me! I am now running another Mwav, and this time it's only finding the Java based viruses: last time there were 4 of them, now there are 8! And I will bet anyone a million dollars that as soon as I am done, I will get all those pop-ups again, the ten porn entries on my favorites list for the 20th time, and when I go to do all of this again it will all be different YET AGAIN!
SO, I am thinking of just salvaging what I can to CD-ROM from files I know have never shown up as being infected (personal stuff...all the viruses seem to be in program or system files, esp. system32), just save what I can, dump the core and just reload my Windows XP from my start-up disc. Do you think THAT would finally get rid of this S--T?!
Oh, incidentally...as I am typing this right now, I am getting slammed with frikken pop-ups AGAIN! Oh, and now the MWav has stalled out entirely! Do you have any other ideas, or do you think I would just save myself a lot of time and all this irritation by dumping the core and starting over again like I just bought this computer!?
-
Can you reboot in Safe mode and run the MWav scan
Save the log to a Notepad file
Remember you have to Highlight the results and use the Ctrl + C keys on the keyboard to copy the results
Run RemV3.bat in safe mode also
Back in Normal mode
Return here with a fresh hijackthis log
Post the C:\Log.txt
and the results from eScan Mwav scan
-
WHEW. Ok, here are the log entries you requested. You didn't specify whether to do the final HijackThis scan in safe or normal mode, so I did both and they are both here. Running the mwav in safe mode found all those trojans. The Java trojans I mentioned in my last post...I wrote them all down and deleted them manually (have had to do those before...get a lot of those Java trojans and Ad-Aware usually finds them). Anyways...here ya go...hope you can do something for me...I still think it would take a lot less time to dump the core and reload Windows and all my programs from scratch.
HJT log (safe mode):
Logfile of HijackThis v1.99.1
Scan saved at 11:45:39 PM, on 3/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: Name - {1E92A794-FA67-415D-B3B3-F6724FFB84E1} - C:\WINDOWS\system32\mslcy.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F8C4462-9923-4A6F-82A5-717491559883}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
HJT log (normal mode):
Logfile of HijackThis v1.99.1
Scan saved at 11:54:36 PM, on 3/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O17-HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
Mwav log (safe mode):
File C:\WINDOWS\system32\mslcy.dll infected by "Trojan-Downloader.Win32.Murlo.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sysobj.exe infected by "HackTool.Win32.Hidd.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\connmie.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ctbasxt.exe infected by "Trojan.Win32.StartPage.fw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dxconf.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\hdmoo.dll infected by "HackTool.Win32.Hidd.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sprmover.exe infected by "Trojan-Downloader.Win32.Small.agg" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\connmie.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ctbasxt.exe infected by "Trojan.Win32.StartPage.fw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dxconf.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\hdmoo.dll infected by "HackTool.Win32.Hidd.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sprmover.exe infected by "Trojan-Downloader.Win32.Small.agg" Virus. Action Taken: No Action Taken.
REMV3 Log (safe mode):
Files Found.................
----------------------------------------
run_dos.dll
connmie.exe
dxconf.exe
mxbkup.exe
sprmover.exe
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be
careful while deleting
-----------------------------------------------------------------
hdmoo.dll
msi.dll
-
LOG REMOVED
Can you please start your own post
Tablante, thanks
~guestolo~
-
djkwik
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the Whole contents of the Quote box to notepad, not including the word Quote
In Notepad click FILE>>SAVE AS
Name the file as Rootkit.bat
Save this file on the desktop
regedit /e Rootkit.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd"
Double click on Rootkit.bat and a new reg file may be placed on your desktop called
Rootkit.reg
Right click on Rootkit.reg and select EDIT
Post the contents back here
One more thing too please
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the Whole contents of the Quote box to notepad, not including the word Quote
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
Save this file on the desktop
@echo off
cd\
cd %windir%\system32
dir /a:-d /o:-d > %systemdrive%\system32.txt
start %systemdrive%\system32.txt
cls
exit
Double click to run it
Notepad will open with a long list in it
Can you copy and paste the whole contents please back here
I'll edit out what we don't need later
-
When I ran the Rootkit.bat, a small DOS window opened for a second, then closed, but no file named Rootkit.reg showed up. I ran a search but nothing came up. Here is the Export.bat results as requested. Oh, when I came online to do this, I got slammed with the iecustme.exe and the truettf.exe (startpage.NW trojan & bloon.c trojan) again and that Carnival Casino started to download yet again. I am going to run ez antivirus to get rid of the trojans again and go in and manually delete the downloading program for Carnival Casino yet again (about 5th time now). Let me know what to do next. I'm pushing about 30 hours worth of time on this endeavor so far.
Volume in drive C has no label.
Volume Serial Number is FC93-C619
Directory of C:\WINDOWS\system32
03/05/2005 08:06 PM 8,192 Thumbs.db
03/02/2005 06:14 PM 52,968 perfc009.dat
03/02/2005 06:14 PM 380,680 perfh009.dat
03/02/2005 06:14 PM 439,376 PerfStringBackup.INI
03/02/2005 04:39 PM 9,216 wosys32.dll
03/02/2005 04:39 PM 648,357 woinst.exe
03/02/2005 01:37 AM 20 date.dat
03/02/2005 01:37 AM 5,555 menu.txt
02/11/2005 05:08 PM 176,167 rmoc3260.dll
02/11/2005 05:08 PM 5,632 pndx5032.dll
02/11/2005 05:08 PM 6,656 pndx5016.dll
02/11/2005 05:08 PM 278,528 pncrt.dll
-
Take a look here at some more info from Symantec
You will want to edit the registry in safe mode
https://www-secure.symantec.com/avcenter/venc/data/trojan.flush.a.html
Open the Remv3 folder you have unzipped
Inside it you will see a text file called
ver3.txt<<Open it
Add this to the list of files
sysobj.exe
wosys32.dll
woinst.exe
hdmoo.dll
hdyue.dll
Save the change and close it out
Can you download and save to desktop IEFix.zip
Unzip the contents so you will now have IEFix.reg on the desktop
Don't run it yet, we'll need it later
With Windows set to show Hidden files and folders
Print the rest out or save to a Notepad file on the desktop
RESTART to safe mode
Navigate to Remv3.bat and run it
Look for any of these files and delete them if they exist
C:\WINDOWS\system32\date.dat
C:\WINDOWS\system32\menu.txt
C:\WINDOWS\system32\mslcy.dll
C:\WINDOWS\system32\sysobj.exe
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\connmie.exe
C:\WINDOWS\system32\ctbasxt.exe
C:\WINDOWS\system32\dxconf.exe
C:\WINDOWS\system32\hdmoo.dll
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\wosys32.dll
C:\WINDOWS\system32\woinst.exe
Navigate to this folder and delete the Whole contents
C:\WINDOWS\Prefetch <--delete the whole contents
If this folder exists remove it
C:\Program Files\Casino Online<---or similar
Stay in safe mode
Go to START>>Run>>type in regedit
Hit OK
Navigate to this key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Highlight Run
On the right hand side look for this entry and delete it
sysobj.exe
Also look for the ones recommended by Symantec's for removal
In the registry, you may also want to highlight MyComputer
Click EDIT>>FIND
Look for this entry, remove or let me know if found
69.50.184.84
Exit the Reg Editor
Access your Control Panel
If you're in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically" is selected. OK your way out.
You may also want to click the Advanced tab>>DNS and edit out entries related if found
Go to START>>Run>>type in cmd
At the prompt type in
ipconfig /flushdns
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: Name - {1E92A794-FA67-415D-B3B3-F6724FFB84E1} - C:\WINDOWS\system32\mslcy.dll
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37
O17-HKLM\System\CS2\Services\Tcpip\..\{1F8C4462-9923-4A6F-82A5-717491559883}: NameServer = 69.50.184.84,195.225.176.37
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Navigate to and manually delete the Whole contents of your Temp folders
or whatever you can, it's safe to delete the Whole contents
C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Access Internet Options via Control Panel
Under the General tab---Delete files + offline content
Double click on IEFix.reg you unzipped earlier to desktop and allow to merge to the registry
Restart back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab>> Reset home page if required
You may want to run one more Online Virus scan at Housecall's
Set to Autoclean
Post back a fresh hijackthis log afterwards
and the log from Remv3.bat
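The two log patterns the helper keys on above, the O17 NameServer entries pointing at resolvers the machine should not be using and the O4 Run entry whose command is a bare file name (sysobj.exe), can be checked mechanically. This is an added Python example, not code from the thread or from HijackThis; the sample log lines are constructed from the ones quoted in the thread, and the TRUSTED_DNS list is a placeholder for whatever your ISP or DHCP server actually hands out.

```python
"""Audit HijackThis-style log lines for two DNS/autorun red flags.

Added example, not from the thread or from HijackThis. It flags:
  * O17 NameServer entries pointing at resolvers not on a known-good list
    (the 69.50.184.84,195.225.176.37 pair in the thread is a DNS hijack), and
  * O4 Run entries whose command is a bare file name with no path, like
    [sysobj.exe] sysobj.exe, so the log alone cannot say which file runs.
"""
import ipaddress
import re

# Constructed sample, modelled on lines quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37
O17-HKLM\System\CS2\Services\Tcpip\..\{1F8C4462-9923-4A6F-82A5-717491559883}: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

# Placeholder: the resolvers your ISP or DHCP server is expected to hand out.
# These are documentation-range addresses; replace them with your own.
TRUSTED_DNS = {"192.0.2.53", "192.0.2.54"}

# O17 lines sometimes lose the spaces around "-" when pasted, hence \s*.
O17_RE = re.compile(r"^O17\s*-\s*(?P<key>\S+):\s*NameServer\s*=\s*(?P<servers>.+)$")
# O4 - HKLM\..\Run: [Name] command args
O4_RE = re.compile(
    r"^O4\s*-\s*(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)


def command_image(cmd):
    """Return the program part of a Run command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_bare_image(image):
    """True when the command carries no path component at all.

    No drive letter, no backslash and no %variable%: Windows locates it by
    searching the PATH, so the log cannot tell you which file actually runs.
    """
    return image != "" and not any(ch in image for ch in "\\:%")


def rogue_dns(servers, trusted):
    """Split a NameServer value and return the addresses not in `trusted`."""
    bad = []
    for part in servers.split(","):
        part = part.strip()
        try:
            ip = str(ipaddress.ip_address(part))
        except ValueError:
            continue  # not an address; ignore it
        if ip not in trusted:
            bad.append(ip)
    return bad


def audit(log_text, trusted=TRUSTED_DNS):
    """Return {'rogue_dns': [(key, ip), ...], 'bare_run': [(hive, name, image), ...]}."""
    findings = {"rogue_dns": [], "bare_run": []}
    for line in log_text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            for ip in rogue_dns(m.group("servers"), trusted):
                findings["rogue_dns"].append((m.group("key"), ip))
            continue
        m = O4_RE.match(line)
        if m:
            image = command_image(m.group("cmd"))
            if is_bare_image(image):
                findings["bare_run"].append((m.group("hive"), m.group("name"), image))
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for key, ip in result["rogue_dns"]:
        print(f"O17 {key}: unexpected resolver {ip}")
    for hive, name, image in result["bare_run"]:
        print(f"O4 {hive} Run [{name}]: bare command {image!r}")
```

Feed it a real log with `audit(open("hijackthis.log").read(), {your resolvers})`; anything it lists under rogue_dns is exactly what the "Obtain DNS server address automatically" step and `ipconfig /flushdns` above are meant to undo.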
-
i don't have a symantec program i don't think. isn't that norton? I found a file, but it only contains a shared folder...don't know how to do a live update if I don't have the program???????????
-
i don't have a symantec program i don't think. isn't that norton? I found a file, but it only contains a shared folder...don't know how to do a live update if I don't have the program???????????
I don't know what you're talking about
I never asked you to install Norton's
I just supplied a link with additional information
I'm assuming by our past posts you're ok editing the registry
Take a look at the link I supplied from Symantecs
and in safe mode remove the entries they recommend for removal
-
OK, there were no entries in the registry that Symantec's site listed..onto other things:
I had problems with your last set of instructions:
Your instruction:
Navigate to Remv3.bat and run it
Look for any of these files and delete them if they exist
C:\WINDOWS\system32\date.dat
C:\WINDOWS\system32\menu.txt
C:\WINDOWS\system32\mslcy.dll
C:\WINDOWS\system32\sysobj.exe
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\connmie.exe
C:\WINDOWS\system32\ctbasxt.exe
C:\WINDOWS\system32\dxconf.exe
C:\WINDOWS\system32\hdmoo.dll
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\wosys32.dll
C:\WINDOWS\system32\woinst.exe
I ran Remv3. Am I supposed to look for and delete these files directly on the notepad log? Or was I supposed to use start>>search and look for them (that is what I did...I only found two of them and deleted them)
Your instruction:
Look for this entry, remove or let me know if found
69.50.184.84
I did start>>search and found one similar...it was exactly as above but followed by: ,195.225.176.37 so I left it alone since it was not JUST the 69.50.184.84 by itself.
Your instruction:
Access your Control Panel
If you're in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically" is selected. OK your way out.
You may also want to click the Advanced tab>>DNS and edit out entries related if found
I don't have an option under the View tab that says Classic View. I have it set up as Icons..I double clicked the "my network connections" icon, and the folder is empty. I have a cable LAN set-up. When I go into Internet Properties , and click on the LAN settings tab at the bottom of the Connections page, "automatically detect settings is checked. Is this the same thing??????
Your Instruction:
Go to START>>Run>>type in cmd
At the prompt type in
ipconfig /flushdns
I got an error when I tried to do this, so I closed out the dos window and moved onto your next instruction. (However, once back in normal mode, I did it again so I could tell you the exact error message, but this time it worked and I got the message successfully flushed~ etc etc. Did I screw something up doing it in normal mode? And why didn't it work in safe mode??..
Your Instruction:
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: Name - {1E92A794-FA67-415D-B3B3-F6724FFB84E1} - C:\WINDOWS\system32\mslcy.dll
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37
O17-HKLM\System\CS2\Services\Tcpip\..\{1F8C4462-9923-4A6F-82A5-717491559883}: NameServer = 69.50.184.84,195.225.176.37
The second O17 entry above ( \CS2\ ) did not exist. My log had a \CS1\ so I left it alone, but the others were there and I checked/fixed them.
Your Instruction:
Navigate to and manually delete the Whole contents of your Temp folders
or whatever you can, it's safe to delete the Whole contents
C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
I did this and was wondering if I was supposed to also go into the Local Service-Temp internet files and delete them as well...I tried to but got a warning about deleting one of the files, so I played it safe and left it alone.
Your Instruction:
Restart back to Normal mode
The very second Windows tried to load back in normal mode, I got the following error window:
Generic Host Process for Win32
the error signature is as follows:
BC Code: a0 BCP1:00000101 BCP2:00000007 BCP3:F970D7A4 BCP4:00000000 OSVer: 5_1_2600 SP:0 2_0 Product: 768_1
I kept clicking "don't send" eventually windows opened into normal mode and I was able to run the HouseCall and it immediately found a MalWare trojan in the system files and deleted it.
I then ran another HJT and Remv3 and those logs are to follow:
Logfile of HijackThis v1.99.1
Scan saved at 3:15:08 PM, on 3/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
hdguz.dll
msi.dll
Finished
Waiting anxiously for your next post...........
-
Are you saying you didn't manually access your System32 folder and delete these files?
That is what I wanted you to do, there in bold
C:\WINDOWS\system32\date.dat
C:\WINDOWS\system32\menu.txt
C:\WINDOWS\system32\mslcy.dll
C:\WINDOWS\system32\sysobj.exe
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\connmie.exe
C:\WINDOWS\system32\ctbasxt.exe
C:\WINDOWS\system32\dxconf.exe
C:\WINDOWS\system32\hdmoo.dll
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\wosys32.dll
C:\WINDOWS\system32\woinst.exe
DELETE those files in bold
Also, quoting you: "I did start>>search and found one similar...it was exactly as above but followed by: ,195.225.176.37 so I left it alone since it was not JUST the 69.50.184.84 by itself."
Again, I have no idea what you mean by this
Are you looking in the registry?????
Yes, as you can see by the Hijackthis log this is part of the problems
Look at the address in the Hijackthis log
that I asked you to remove
Example
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7420D7-D241-4731-A40D-69C2ECB429F0}: NameServer = 69.50.184.84,195.225.176.37
Access your Control Panel
If you're in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically" is selected. OK your way out.
You may also want to click the Advanced tab>>DNS and edit out entries related if found
Ummm, if you open up Control Panel
On your left hand side you will see "Switch to Classic View"
Symantec recommends that you navigate and remove some values in the registry
Did you do this?????
Did you look at the link I supplied to Symantec's carefully?
I'm sorry, I thought you were more comfortable in the registry
Also, you have a new file in the system32 folder we must remove
hdguz.dll
P.S. Yes it's fine to run ipconfig /flushdns in Normal mode
Also, as mentioned, it's safe to delete EVERYTHING in the TEMP Folders
Did you delete the whole contents of the Prefetch folder???
If you see any entries with this ip address in hijackthis log
NameServer = 69.50.184.84,195.225.176.37
It's safe to remove
-
When I asked you to do the below, what did you do?
Open the Remv3 folder you have unzipped
Inside it you will see a text file called
ver3.txt<<Open it
Add this to the list of files
sysobj.exe
wosys32.dll
woinst.exe
hdmoo.dll
hdyue.dll
Save the change and close it out
-
FIRST OFF...YOU SAID TO EITHER DELETE THAT FILE OR TELL YOU ABOUT IT..Also look for the ones recommended by Symantec's for removal
In the registry, you may also want to highlight MyComputer
Click EDIT>>FIND
Look for this entry, remove or let me know if found
69.50.184.84
.I TOLD YOU ABOUT IT...I DID CHECK IT IN THE HJT AND CLICKED FIX THOUGH SO IT SHOULD BE GONE.
SECOND: A LONG TIME AGO I SET UP MY XP TO BE LIKE CLASSIC WINDOWS...WHEN I OPEN MY CONTROL PANEL THERE IS NO LEFT SIDE TO THE PAGE THEREFORE NOTHING STATING CLASSIC VIEW...SINCE MY WHOLE WINDOWS IS SET UP TO CLASSIC STYLE!
I USED THE LINK YOU PROVIDED TO SYMANTEC AND READ THE ENTIRE PAGE AND LOOKED FOR THOSE THINGS IN MY REGISTRY...I COULD NOT FIND THEM!
I DID THE COPY AND PASTE OF THOSE FILES DIRECTLY TO THE DOCUMENT CALLED VER3.TXT. AND I SAVED THE CHANGES BEFORE EXITING IT. I DON'T KNOW WHAT ELSE TO TELL YOU! I MEAN REALLY....I TOLD YOU THREE TIMES NOW IT WOULD PROBABLY SAVE ME A HELL OF A LOT OF TIME AND FRUSTRATION JUST DUMPING MY CORE AND RELOADING THE WINDOWS OPERATING SYSTEM FROM SCRATCH!
I HAVE TRIED TO DO EVERYTHING YOU SAY TO THE LETTER AND YET YOU SEEM TO THINK I'M NOT DOING IT?!
-
Let's relax
:)
I just realized you may have a Newer Rootkit infection
Download Rootkit Revealer here: http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
Unzip it to a folder
Open the folder and launch RootkitRevealer.exe
Press the Scan button. Please give this time to run
When it's done
Go to FILE>>SAVE
Save the log and post it back here
Also post a Fresh Hijackthis log too
Can you also
Download the Registry Search Tool
from Here
http://www.billsway.com/vbspage/
UNZIP it for now, we'll need it later
-
Sorry man, it's just for one thing, this is difficult doing this on-line, second, this whole virus thing has just frustrated the living crap outa me, and third, I've NEVER been in my registry before all of this...so I am a bit nervous about what all of this is doing to my computer. One thing I'd like to say is that all the pop-ups have stopped (for now). The first thing I pasted below is that Ver3.txt that has those entries that you asked me to add to it:
logogdi.exe
ipv9x.exe
hostnameip.exe
unlodctl.exe
spnping.exe
sharenet.exe
scardsvrhr.exe
rsvph.exe
rdpclips.exe
rasaoutu.exe
qappsrvc32.exe
pentxpl.exe
openconf.exe
nlsfuncs.exe
hrlink.dll
nasll.dll
elswap.dll
dx9vbc.dll
dnsaquota.dll
dnsauth.dll
taskopen.exe
iecust.dll
iecust.exe
setvers.exe
ifcfg.exe
snnpapi.exe
snnpapi.dll
hlp32.exe
Microsoft.hta
chmredir.chm
winuptd.exe
servises.exe
tasknngr.exe
rpcnt4.dll
tksvr99.exe
w32sxp.exe
wncust.exe
tlntadmnx.exe
vwipxspnt.exe
winmsdc.exe
usrshutd.exe
tcpsvcss.exe
ms_update.exe
wmplayer.exe
amax.exe
CustIE32.dll
deski.exe
doul.exe
etile.exe
[censored]sex.exe
iesp1.dll
ipvcx6.exe
mspax.dll
nbtrstat.exe
netupd32.exe
od.exe
protect32.dll
rdspclips.exe
rexece32.exe
sethcd.exe
smbdins.exe
sprestrst.exe
tsmsetup.exe
upncont.exe
wmplayer.exe
wowdbe.exe
ywde.exe
iesp2.dll
sp2chek.exe
connmie.exe
dxconf.exe
iecustme.exe
iecustom32.dll
mxbkup.exe
truettf.exe
update.exe
sfcman32.dll
qwsxp.dll
winwiz32.exe
sp2chk.exe
sprmover.exe
msmkd.dll
sysobj.exe
wosys32.dll
woinst.exe
hdmoo.dll
hdyue.dll
OK..I have downloaded the RootkitRevealer and its log is next:
C:\$AttrDef 11/1/2003 2:05 PM 2.50 KB Hidden from Windows API.
C:\$BadClus 11/1/2003 2:05 PM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 11/1/2003 2:05 PM 37.27 GB Hidden from Windows API.
C:\$Bitmap 11/1/2003 2:05 PM 1.16 MB Hidden from Windows API.
C:\$Boot 11/1/2003 2:05 PM 8.00 KB Hidden from Windows API.
C:\$Extend 11/1/2003 2:05 PM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 11/1/2003 2:06 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 11/1/2003 2:06 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 11/1/2003 2:06 PM 0 bytes Hidden from Windows API.
C:\$LogFile 11/1/2003 2:05 PM 64.00 MB Hidden from Windows API.
C:\$MFT 11/1/2003 2:05 PM 48.28 MB Hidden from Windows API.
C:\$MFTMirr 11/1/2003 2:05 PM 4.00 KB Hidden from Windows API.
C:\$Secure 11/1/2003 2:05 PM 0 bytes Hidden from Windows API.
C:\$UpCase 11/1/2003 2:05 PM 128.00 KB Hidden from Windows API.
C:\$Volume 11/1/2003 2:05 PM 0 bytes Hidden from Windows API.
Next. When you wanted me to look for those files..you didn't specify to physically go into my System32 folder to look for them. I copied and pasted each one into my start>>find and it looked in the System32 folder and found 2 of that whole list. Lately, when I physically go into System32, it doesn't list all of the files that appear on the EZ Antivirus' list for System32, so I don't know what that's all about. I will go back to your post and physically look for those particular files again and delete them.
Regarding my Control Panel....I guess you didn't realize that my entire Windows XP OS was set up to be like classic Windows when I very first got this computer...I hate the XP styling and did that first thing. But seriously, when I went into the network yesterday, the folder was empty...this morning, I just this second went into it and now I have: Local Area Connection under the heading "LAN or High Speed Internet" and two icons: New Connection Wizard and Network Setup Wizard under the Wizard heading...will have to refer back to your previous post to see what you wanted done there again...the Obtain DNS server address automatically IS checked and in the advanced, under the DNS tab, the "Append primary and connection specific DNS suffixes" is checked as well as its sub category "Append parent suffixes of the primary DNS suffix"
Ok, you also wanted a fresh HJT log, here it is:
Logfile of HijackThis v1.99.1
Scan saved at 7:52:24 AM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurroundObject) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed AttachmentsControl) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
I went into System32 folder and looked for the files you told me to look for :
C:\WINDOWS\system32\date.dat
C:\WINDOWS\system32\menu.txt
C:\WINDOWS\system32\mslcy.dll
C:\WINDOWS\system32\sysobj.exe
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\connmie.exe
C:\WINDOWS\system32\ctbasxt.exe
C:\WINDOWS\system32\dxconf.exe
C:\WINDOWS\system32\hdmoo.dll
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\wosys32.dll
C:\WINDOWS\system32\woinst.exe
The only ones I found in there were the first 2: date.dat and menu.txt and I deleted them both.
Is there a way of emptying ALL the temp/temp internet files/history from all users at once? I don't have any secondary users set up on this computer...but I've got folders that say Administrator, all users, default user, home, local service, network service, AND owner. Takes 4ever to go into all of these and try to delete everything...some don't even have a Local Settings folder. And the "local Service" user won't let me delete anything at all. HEY: is "index.dat" an important file...it's always in my cookies folder and it shows up in all these other folders and refuses to be deleted...says that Windows is using it. Just wondering.
Just to let you know. I work third shift. I won't get a chance to check for your post until after 6pm tonight (Monday March 7). Hope what I sent in this post helps you to help me....and I don't mind working in the registry..just nervous about it...I want to do whatever it takes to get my computer to a point where I can set a restore point....OH BTW... what about that virus that hides in the System Volume Info file????? I had that once and system restore became something that I don't even use anymore...took me forever to figure out how to get it out of that folder, and now, my computer refuses to allow me access to the System Volume Information folder at all. Any ideas on that??? Have a good one...and thanks for being patient with me.
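Every entry in the RootkitRevealer log posted above is an NTFS metadata file ($MFT, $Bitmap, $LogFile, the $Extend\ entries, and the $BadClus:$Bad stream that spans the whole volume). NTFS keeps these out of Win32 directory listings, so RootkitRevealer reports them as "Hidden from Windows API" on every NTFS volume, and a log that contains nothing but them is a clean result. What a helper reading such a log actually wants is the remainder: any hidden path that is not `$`-metadata. The script below is an added example for this thread, not RootkitRevealer's own code or anything posted in it. It parses lines in the format shown in the post, tags the expected metadata entries, and returns the rest for review. The fifteen log lines are copied from the post; the final line under `C:\WINDOWS\system32` is constructed for the demonstration, and the function names are the example's own.

```python
"""Triage a RootkitRevealer log: separate the NTFS metadata entries that are
always reported as hidden from anything else that was hidden.

Added example for this thread, not RootkitRevealer's own code. Lines follow
the format shown in the post: <path> <date> <time> <size> <reason>.
"""
import re
from typing import List, NamedTuple

# Fifteen lines copied from the post, plus one CONSTRUCTED entry (the last
# line) so the triage has something to flag.
SAMPLE_LOG = r"""
C:\$AttrDef 11/1/2003 2:05 PM 2.50 KB Hidden from Windows API.
C:\$BadClus 11/1/2003 2:05 PM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 11/1/2003 2:05 PM 37.27 GB Hidden from Windows API.
C:\$Bitmap 11/1/2003 2:05 PM 1.16 MB Hidden from Windows API.
C:\$Boot 11/1/2003 2:05 PM 8.00 KB Hidden from Windows API.
C:\$Extend 11/1/2003 2:05 PM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 11/1/2003 2:06 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 11/1/2003 2:06 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 11/1/2003 2:06 PM 0 bytes Hidden from Windows API.
C:\$LogFile 11/1/2003 2:05 PM 64.00 MB Hidden from Windows API.
C:\$MFT 11/1/2003 2:05 PM 48.28 MB Hidden from Windows API.
C:\$MFTMirr 11/1/2003 2:05 PM 4.00 KB Hidden from Windows API.
C:\$Secure 11/1/2003 2:05 PM 0 bytes Hidden from Windows API.
C:\$UpCase 11/1/2003 2:05 PM 128.00 KB Hidden from Windows API.
C:\$Volume 11/1/2003 2:05 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\example_hidden.sys 3/7/2005 7:52 AM 12.00 KB Hidden from Windows API.
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB)) (?P<reason>.+?)\.?$"
)


class Entry(NamedTuple):
    path: str
    size: str
    reason: str
    ntfs_metadata: bool


def is_ntfs_metadata(path: str) -> bool:
    """True when every component under the drive root starts with '$'.

    NTFS metadata files ($MFT, $Bitmap, $Extend\\$Quota, ...) and their named
    streams ($BadClus:$Bad) are hidden from the Win32 API by design, so
    RootkitRevealer lists them on every NTFS volume; they are not findings.
    """
    m = re.match(r"^[A-Za-z]:\\(.*)$", path)
    if not m:
        return False
    parts = [p for p in m.group(1).split("\\") if p]
    return bool(parts) and all(p.startswith("$") for p in parts)


def parse_log(text: str) -> List[Entry]:
    """Parse the whole log; raise on a line that does not match the format."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised RootkitRevealer line: {line!r}")
        entries.append(Entry(m["path"], m["size"], m["reason"],
                             is_ntfs_metadata(m["path"])))
    return entries


def needs_review(entries: List[Entry]) -> List[str]:
    """Hidden paths that are not NTFS metadata: the ones worth asking about.

    A file hidden from the API under system32 is the classic kernel-rootkit
    sign, but some legitimate drivers and AV products hide files too, so the
    right response is to review the path, not to delete it blindly.
    """
    return [e.path for e in entries if not e.ntfs_metadata]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    flagged = needs_review(parsed)
    print(f"{len(parsed)} hidden entries, {len(flagged)} need review:")
    for p in flagged:
        print("  ", p)
```

Run against the log as posted (without the constructed line) `needs_review` returns an empty list, which is the "nothing to see" result the helper later concludes from it.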
-
messed up, ignore this post
-
Let's try a different route now that your log looks clean
Open the Remv3 folder you have unzipped
Inside it you will see a text file called
ver3.txt<<Open it
Add this to the list of files
hdguz.dll
Once that is done save it and close it out
Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
Install it and Restart your computer when prompted
Don't run a scan yet
When you're back in Windows it's important to update the latest RADIUS database
IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3
If you're unsure how to update it follow the instructions from this link
http://tds.diamondcs.com.au/index.php?page=update
Follow the Manual update procedure
Again, don't run a scan yet
Print this out or save to a Notepad file for easy access
Disable System Restore, don't enable it until prompted
This link will explain how to disable it if unsure
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Restart into Safe mode without Network connection
You can do this by tapping the F8 key as The system is booting up
Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to hesitate at times
Detections will appear in the lower pane of tds window after the scan is finished Right click the list> select save as txt.>> save this to a convenient location, I'll need to see it later
After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION
Stay in safe mode
Run Remv3.bat again
Restart back to Normal mode
Re-enable System Restore
Post back a fresh Hijackthis log and the Scandump.txt
and the log from Remv3.bat
Please just copy and paste the Hijackthis log as it appears in Notepad
Don't alter it in anyway when posting it, thanks
-
OK, I ran the TDS3 thing, it only found one Positive Identification...from my Kodak camera files...the updater...I deleted it anyways because you said to delete anything that had a positive ID. Its scandump.txt is the first one of the three below.
I ran the remV3 again...I don't know why, but it no longer is saving the files as ver1.txt, ver2.txt, or whatever. Anyways, the scan I just ran I saved to a notepad file on my desktop and the results are below (follows the scandump.txt)
I also ran a HJT again. I have never altered the notepad log before copying and pasting it here...I think what is happening is that I don't have the window fully maximized when I copy and paste...this time I maximized the notepad window and then did a copy and paste below (the last thing posted below)
I turned back on System Restore BUT DID NOT SET A RESTORE POINT YET...I am waiting for you to tell me to do that. Hope to hear back from you soon. I leave for work at 10:30 pm (CST) otherwise will log back on here again Tuesday morning about 7:30am. Thanks again.
THREE LOGS:
SCANDUMP.TXT LOG:
Scan Control Dumped @ 20:38:06 07-03-05
Positive identification: Riskware.ProcessRestart
File: c:\program files\kodak\kodak software updater\7288971\6.1.4.37-7288971l\program\restart.exe
REMV3 LOG:
Files Found.................
----------------------------------------
hdguz.dll
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll
HIJACKTHIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 8:43:36 PM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
(again, I did not do anything to the HijackThis log. I maximized my notepad window, select all, copy, and came to this post window and pasted it...I don't know why it keeps splitting lines up and inserting blank lines...It doesn't look like this in the notepad window...sorry)
-
Hey...just for the hell of it, when I got done with the previous post, I emptied all temp/temp internet files/history, emptied the recycle bin, did a restart (staying in normal mode) then I ran a HouseCall Online scan again. AGAIN while it was scanning the SYSTEM FILES, a notification popped up that it found a MalWar_Trojan and deleted it. So apparently, there is still something hiding in my computer????? I cleared everything once again, did another restart and ran HouseCall a second time, but it didn't find anything on the second pass (I thought perhaps it was a trojan that activates during start-up) but it's not there. I just thought you should know that it DID find something in the System Files though that first scan tonight....just like yesterday when you asked me to run a HouseCall scan. What do you think???
-
Your log looks clear, but just for the heck of it, instead of trying one at TrendMicro's
Can you try one at Panda's
Save the log afterwards, if it finds anything post it back here
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Could you also navigate to these directories
C:\WINDOWS folder and
C:\WINDOWS\SYSTEM32
Do you see Notepad.exe in both locations?
Don't delete them, just curious if they are both there
-
Hi. I fell asleep during that Panda Scan. When I came around, I looked at the screen, and there was something that said "New Profile" and the word Outlook was in the field, so I clicked OK, I thought it had to do with the Panda Scan. After I clicked OK, then I was clear to click the See Report button on the Panda Scan. Dammit! Now I am thinking that the "new profile" thing was something unrelated! I was NOT online when the new profile window popped-up since Panda Scan said I could go offline while it performed the scan, but had to go back online to get the results. So...I don't know what the hell that was all about. I did a start>>search for the word Outlook and did find one listing that shows it was modified today, during the time the scan was running. The file in question is "Outlook.pst". I DID have the scan configured to check email messages too....does that have something to do with it???
At any rate... You asked me to see if Notepad.exe was in both Windows AND windows system 32....YES it is.
Here is the Panda scan...it said it found 2 viruses. (man that scan takes forever) here is the log from that scan:
Incident Status Location
Adware:Adware/Comet No disinfected C:\WINDOWS\Downloaded Program Files\dm.inf
Spyware:Spyware/FastSearchWeb No disinfected Windows Registry
I would think its easy to just go in and manually delete the first one but I won't until you tell me how to do it, besides, when I did physically go into C:\WINDOWS\Downloaded Program Files to see if I could see it listed in there....the only thing in there were icons for ActiveX controls....I right clicked on each icon (individually), clicked properties, then "dependency" tab and not one of them lists that "dm.inf" file.
As for the Windows Registry...didn't we already look in there?
SO there are still 2 files on my system and I am getting to the point where I am just fed the hell up with all of this hours and hours and hours of scanning and never getting my system completely clean. Of all the threads on this forum that I looked at before registering and starting my own, I've never seen anyone go through THIS many hoops and not have a final thank you post for having a totally clean system. Can't figure out why my computer is such a problem! I'm tired, I'm going to bed, hopefully you can figure this mess out because I don't know what to do.
-
Find and delete this file if it exists
C:\Windows\System32\iecust.dll
Just in case, look for this one again and delete it too
C:\Windows\System32\menu.txt
I'll copy and paste these next set of instructions from Symantec's
Here's a link to what I'm referring to
http://securityresponse.symantec.com/avcenter/venc/data/adware.fastsearchweb.html
Enter your Registry
Manually look for and delete the entries I have bolded below
Navigate to both these keys
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
In the right pane delete these values if they exist
"Search Bar" = "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
"Search Page" = "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6"
Navigate to the keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\
In the right pane, delete the value:
"SearchAssistant" = "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
Navigate to and delete the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain
Navigate to the following keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
In the right pane, delete the values:
"Default_Page_URL" = "about:blank"
"Default_Search_URL" = "about:blank"
"Customize_Search" = "about:blank"
Navigate to and delete the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"Freshbar" = {06ABAA2D-34AB-4902-A326-409BD9B9A7A5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"Apartment" = {06ABAA2D-34AB-4902-A326-409BD9B9A7A5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"Apartment" = {0EC7A55C-77D4-40E9-A4A0-9463B12B31E5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19E25DD9-89F9-49FD-A5FC-1B7862BB8167}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{69063189-5F20-4361-BB5F-30EF8526284D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D825EF86-59BB-46EA-924F-12088D928D6C}
Exit the Registry
Once that is done
Go to START>>RUN>>type in cmd
Hit OK
At the prompt type the following
cd\WINDOWS\Downloaded Program Files (hit Enter)
del dm.inf (hit Enter)
Don't type (hit Enter) <<this indicates hitting Enter on your keyboard
also notice the single space between del and dm.inf
Exit out of the command prompt
Post back here a fresh Hijackthis log
If you have another user on the computer, post a log from their account too
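The "Search Bar", "Search Page" and "SearchAssistant" values in the instructions above are percent-encoded on purpose: every character of the path is written as %XX so that a glance at the registry does not reveal where IE is being sent. Decoding them is the first thing a defender does, because the decoded form (a res:// URL into a DLL under System32) is what distinguishes this hijack from a legitimate search URL. The script below is an added example for this thread, not Symantec's or the forum's own code. It decodes the two values quoted in the post (the "Search Page" string is cut short in the post, and the example keeps it that way to show how an incomplete escape is handled), and applies the pattern check a helper would use before asking someone to edit their registry. `NORMAL_VALUE` is a constructed benign comparison value, and the function names are the example's own.

```python
"""Decode the percent-encoded res:// URLs that the Adware.FastSearchWeb
write-up quotes for IE's "Search Bar" / "Search Page" / "SearchAssistant"
registry values, and flag the pattern a defender looks for.

Added example for this thread; not Symantec's or the forum's own code. The
two encoded values are the ones quoted in the post; NORMAL_VALUE is a
constructed benign value for comparison; helper names are this example's own.
"""
import re
from urllib.parse import unquote

HIJACK_VALUES = {
    # As quoted in the post ("Search Page" is cut short there as well).
    "Search Bar": "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c"
                  "%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c",
    "Search Page": "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c"
                   "%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6",
}

# CONSTRUCTED benign value: an ordinary search URL needs no decoding.
NORMAL_VALUE = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"


def decode_res_value(value: str) -> str:
    """Undo %XX encoding. An incomplete escape (the trailing '%6' in the
    truncated value) is not a valid sequence and is left in place."""
    return unquote(value)


# A res:// URL into a DLL on the local disk: IE renders an HTML resource
# embedded in that DLL instead of fetching a page from a web server.
LOCAL_DLL_RESOURCE = re.compile(r"^res://[A-Za-z]:\\.*\.dll/", re.IGNORECASE)


def looks_hijacked(value: str) -> bool:
    """Heuristic: the value changes when decoded (it was deliberately
    obfuscated) and the decoded form points into a local DLL resource.
    Stock IE search values are plain URLs and fail both tests."""
    decoded = decode_res_value(value)
    return decoded != value and LOCAL_DLL_RESOURCE.search(decoded) is not None


def triage(values: dict) -> dict:
    """Map each registry value name to (decoded value, hijacked?)."""
    return {name: (decode_res_value(v), looks_hijacked(v))
            for name, v in values.items()}


if __name__ == "__main__":
    for name, (decoded, bad) in triage(HIJACK_VALUES).items():
        print(f'{"HIJACK" if bad else "ok    "} {name}: {decoded}')
    print(f'{"HIJACK" if looks_hijacked(NORMAL_VALUE) else "ok    "} constructed: {NORMAL_VALUE}')
```

The decoded "Search Bar" value reads `res://C:\WINNT\System32\rcpie.dll/sp.html`, which is why the write-up also has you look for a DLL under System32 and for the `PROTOCOLS\Filter\text/html` keys: the hijack page is carried inside that DLL and the filter keys let it rewrite pages as they load. The same check works on the HijackThis R0/R1 lines, which carry these same values.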
-
Hey, while waiting for a fresh post from you, I did some googling regarding the fastsearchweb that Panda found. I found a page at TrendMicro that had very detailed instructions for going into the registry to remove this. I followed those instructions (I'm getting a bit more comfortable doing the registry deletes) and I actually got rid of the damn thing. However!! When I ran my next scan with Panda, NOW I have one from GloboSearch. I googled that and found TrendMicro's page for deleting that one as well. I followed all of their instructions again, only this time I could not find ANY of the entries they told me to look for. At the bottom of the TrendMicro page it says that if I can't delete the GloboSearch by following the above instructions, I need to restart my system. I restarted and ran another Panda scan and it was STILL THERE.
I looked for everything you mentioned in your very recent post and did not find ANY of the items you listed (a good thing?) I also did the cmd and deleted that "dm.inf" and when I ran one more Panda scan...it was gone!!! HOOORAH!!! But that damn GloboSearch is still sitting in my system and as far as I can tell, it's the only one left to get rid of (are we finally almost to a clean PC???) Oh, BTW I turned System Restore back off as it was suggested that I do so for the Panda Scan to run the most accurate and thorough scan.
SO GloboSearch is still on my system and I need help getting rid of it. SECOND...from what I can see of their advertisements, PandaScan offers the most comprehensive program for sale to actually protect and delete these things itself when it finds them....my question...I am not above paying for a system protection IF IT WORKS!!! - - - Would you recommend the Panda products????? I really am spending WAY too much time doing all of this manually and would gladly pay $50 to have a program do all of this for me, but I want the BEST one...Panda claims to scan for over 90,000 viruses and updates DAILY...sounds good to me.
Here is the HJT log you requested and following it is the most recent Panda scan showing NO dm.inf and the GloboSearch file that I could not find any of the registry values for but it's still there. What next????
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:18:07 PM, on 3/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\VetMsgNT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
PandaScan log:
Incident                    Status           Location
Adware:Adware/GloboSearch   No disinfected   Windows Registry
PS, the HJT log shows all those ActiveX controls except for three..the one I am concerned about....when I go into its properties, it says it's damaged...here are the particulars:
This is the ID for that ActiveX that's damaged. What are your thoughts on this??? {9F1C11AA-197B-4942-BA54-47A8489BB47F}
In the Dependency tab, it shows three files...one of them, C:\Windows\system32\IUCTL.DLL, is also damaged.
The other two have the following IDs:
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} YInstStarter Class
{D27CDB6E-AE6D-11CF-96B8-444553540000} Shock wave Flash Object
Should I be concerned with any of this stuff at all?
-
Don't worry about the Active X controls
The one damaged can be removed, related to an old Microsoft Windows Update control
The Registry Search Tool
You Downloaded and unzipped earlier
Run "RegSrch.vbs"
Copy and paste this in the dialog box:
GloboSearch
Click OK
After a while a prompt will come up. (About 10 seconds or a bit longer)
Click OK to open in Notepad or Wordpad
Post back the results that are found
Do the same for this entry
popup_bl
Could you also look in your C:\WINDOWS\system32 folder
If popup_bl.dll is found, delete it
Also look for systr.dll in the same folder; if found, delete it
One quick download
Download and save to Desktop
Silent Runners.vbs (http://www.silentrunners.org/Silent%20Runners.vbs)
Double click to run it
Wait about 10 seconds for it to prompt you with its findings, then post the log it produces
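An added example, not the RegSrch.vbs tool or anything posted in this thread: a PowerShell script that performs the two checks the post above asks for, searching HKLM and HKCU for the strings GloboSearch and popup_bl and reporting whether popup_bl.dll or systr.dll is present in System32, with size and SHA-256 so a file can be identified before anything is deleted. It assumes PowerShell 5 or later on Windows, run from an elevated prompt so HKLM is fully readable.

```powershell
# Added example, not the RegSrch.vbs tool from the thread. Assumes PowerShell 5+
# on Windows, run elevated so HKLM can be read in full.
$patterns  = @('GloboSearch', 'popup_bl')          # strings the helper asked to search for
$fileNames = @('popup_bl.dll', 'systr.dll')        # files to look for in System32
$hives     = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE')

function Search-RegistryString {
    param([string[]]$Roots, [string[]]$Patterns)
    foreach ($root in $Roots) {
        # Keys the current token cannot open are skipped rather than aborting the walk
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($p in $Patterns) {
                if ($key.PSChildName -like "*$p*") {
                    [pscustomobject]@{ Hit = 'KeyName'; Key = $key.Name; Value = ''; Data = '' }
                }
                # GetValueNames() returns '' for the (Default) value; GetValue('') reads it
                foreach ($valueName in $key.GetValueNames()) {
                    $data = [string]$key.GetValue($valueName)
                    if ($valueName -like "*$p*" -or $data -like "*$p*") {
                        [pscustomobject]@{ Hit = 'Value'; Key = $key.Name; Value = $valueName; Data = $data }
                    }
                }
            }
        }
    }
}

function Test-System32File {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $path = Join-Path $env:SystemRoot ('System32\' + $n)
        if (Test-Path -LiteralPath $path) {
            # -Force also returns hidden files, which hijacker droppers commonly use
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                File = $path; Present = $true; Size = $item.Length
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        } else {
            [pscustomobject]@{ File = $path; Present = $false; Size = 0; SHA256 = '' }
        }
    }
}

Search-RegistryString -Roots $hives -Patterns $patterns | Format-Table -AutoSize
Test-System32File -Names $fileNames | Format-Table -AutoSize
```

An empty first table matches what the RegSrch run in the next post reported: the string is present in neither hive the script walks.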
-
Hey. I ran the RegSrch tool and it found nothing for either one of those. This is really frustrating since Panda seems to think the globosearch is on my computer, but it can't be found anywhere.
There was no log created in either Notepad or WordPad....I am assuming that is because it didn't find anything.
I looked in the system32 folder for those two you told me to look for...neither one of them was there...One came close...there is a file called "popup.ocx" but not one with a .dll
The Silent Runners scan log follows:
"Silent Runners.vbs", revision 32, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"Default" = (no data)
"VetTray" = "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe" ["Computer Associates International, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"LWBKEYBOARD" = "C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe" [empty string]
"FLMOFFICE4DMOUSE" = "C:\Program Files\Browser MOUSE\mouse32a.exe" [empty string]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{1CE2AA40-1317-11D3-9922-00104B0AD431}" = "CA_AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
ScsiAccess, ScsiAccess, "C:\WINDOWS\System32\ScsiAccess.EXE" [null data]
VET Message Service, VETMSGNT, "C:\WINDOWS\System32\VetMsgNT.exe" ["Computer Associates International, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
-
I don't know where Panda is finding this
=====Download and Install this small program
to help clean your temp folders,cookies,prefetch folder, etc...
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Open CleanUp!
START>>ALL Programs>>CleanUp
Click the CleanUp button
Let it finish scanning for files, when it's done Restart your computer
EDIT>>Could you also
===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
Save this file on the desktop
cd\WINDOWS\Downloaded Program Files
dir /a /Q * >C:\dpflist.txt
start C:\dpflist.txt
Double click on Export.bat
and post back the log it produced
Let's get some extra protection on your computer
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
-
OK, here is the log you requested.
I already installed IE-Spyad yesterday and enabled maximum protection...quick question...does this thing actually stop a webpage from opening if it's one on the list? It's not the same thing as the Windows Firewall message bar that springs to life when a pop-up has been blocked....some of the download links you have sent me to, I have to "temporarily allow pop-ups" to get the page to open or to get the download to start.
I just finished installing SpywareBlaster, updated and enabled all protection. Let's hope this does the trick. Let me know if there is a problem with anything on the above log, or if you think my computer is finally clean. Any other scans to run to make sure?? PS: can I start getting rid of all these things all over my desktop (killbox, rootkitreveal, regsrch, iefix, silent runner, etc)? I know I can get rid of the shortcuts, but I saved a lot of the zipfiles directly to the desktop so I didn't have to go hunting for them....which ones should I keep installed on my system and which ones can I get rid of, if any?
Volume in drive C has no label.
Volume Serial Number is FC93-C619
Directory of C:\WINDOWS\Downloaded Program Files
03/08/2005 08:17 PM <DIR> BUILTIN\Administrators .
03/08/2005 08:17 PM <DIR> BUILTIN\Administrators ..
02/08/2005 10:52 AM 110,592 YOUR-KGOHY9AU97\home asinst.dll
02/08/2005 10:54 AM 525 YOUR-KGOHY9AU97\home asinst.inf
10/11/2000 03:49 PM 49,152 YOUR-KGOHY9AU97\home CPSurVid.dll
11/01/2003 03:23 PM 65 BUILTIN\Administrators desktop.ini
03/12/2004 05:24 PM 113,008 YOUR-KGOHY9AU97\home HMAtchmt.ocx
05/09/2003 08:15 AM 77,824 YOUR-KGOHY9AU97\home HouseCallButton.dll
03/21/2003 11:36 AM 3,276 YOUR-KGOHY9AU97\home HouseCallButton.INF
08/25/2003 06:12 PM 1,096 YOUR-KGOHY9AU97\home iuctl.inf
11/20/2003 12:22 AM 740 YOUR-KGOHY9AU97\home jinstall-1_4_2_03.inf
02/06/2001 10:30 AM 302 YOUR-KGOHY9AU97\home MSSurVid.inf
10/11/2000 03:49 PM 110,592 YOUR-KGOHY9AU97\home MSSurVid.ocx
02/06/2001 10:30 AM 189 YOUR-KGOHY9AU97\home Outside.inf
02/05/2001 03:50 PM 86,016 YOUR-KGOHY9AU97\home Outside.ocx
12/08/2003 01:58 PM 3,759 YOUR-KGOHY9AU97\home swflash.inf
06/09/2004 04:51 PM 1,777 YOUR-KGOHY9AU97\home xscan.inf
06/09/2004 04:56 PM 435,712 YOUR-KGOHY9AU97\home xscan53.ocx
01/26/2004 06:42 PM 856 YOUR-KGOHY9AU97\home yinst.inf
01/26/2004 06:40 PM 133,120 YOUR-KGOHY9AU97\home yinsthelper.dll
18 File(s) 1,128,601 bytes
2 Dir(s) 28,093,751,296 bytes free
-
Not seeing anything bad, how's everything running?
killbox, rootkitreveal, regsrch, iefix, silent runner, Remv3.zip, Rootkit.bat, Export.bat
You can Manually delete the above
Hold onto TDS3 for the 30 days, before your time expires do a manual update again and run another scan
Then you can uninstall it
-
Everything seems to be running fine, no pop-ups, nothing added to my favorites list. I am going to turn System Restore back on and set a restore point now....hopefully that will save me from having to go through all of this nightmare again just in case one of these protection programs fails me.
Thanks again for all your help and patience. I have to say that it really does make me sick knowing how many sicko-thieving-nosey bastards are out there working so hard at trying to get into people's computers! Oh well...that's the world these days.
-
Awww.... a happy ending. I'm only posting on this topic so that I can remember the name of this site once this same damn problem gets too out of control for me. (Just to make it easier for me to find my post on Google or something when I decide to come back: conmie, dxconf, truettf, 302, sccfull). Ok then.
-
Thanks for posting back
I'll lock this thread as your problems appear resolved
If you need it reopened please PM a Mod or the site Admin and supply a link to this thread
Take Care