Messages - cammac2

1
Tech Clinic / spysheriff-can't run ewido
« on: August 18, 2005, 01:00:17 PM »
Thank you - I will re-run what was in your last instructions and post.

2
Tech Clinic / spysheriff-can't run ewido
« on: August 02, 2005, 01:28:40 PM »
I was out of town since Friday - didn't get to try this until this morning...

1. Navigate to C:\WINDOWS\SYSTEM32\mmcndmgr.dll
Delete mmcndmgr.dll
Restart your computer

DONE

2. Go to the Run command again; copy and paste the following in bold:
regsvr32 C:\WINDOWS\SYSTEM32\mmcndmgr.dll
Hit OK

GOT ERROR MESSAGE:

LoadLibrary("C:\WINDOWS\SYSTEM32\mmcndmgr.dll") failed - This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.

3. Restart again into Safe Mode.
Try entering services.msc again.

ERROR MESSAGE:

MMC failed to initialize because it was installed incorrectly or because a portion of the registry has become corrupted. Make sure the file mmcndmgr.dll is registered by running "regsvr32 %SystemRoot%\SYSTEM32\mmcndmgr.dll".

4. Disable svchost.exe (moto) if possible

COULD NOT

5. Boot back to normal mode

Back in Normal mode
Could you also Download the Trial version of TrojanHunter from this link
http://www.trojanhunter.com/trojanhunter/


Trojanhunter.exe won't run. SAME MESSAGE: "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem."

------
HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 1:12:18 PM, on 8/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT1991\hijackthis-3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\Regclean.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)



Thank you

3
Tech Clinic / spysheriff-can't run ewido
« on: July 28, 2005, 02:08:02 PM »
1. Microsoft RegClean 4.1.7364.1

2. I ended both processes

3. Can you delete any backups made by Hijackthis 1.99.1? Also remove your version of Hijackthis 1.99.1. Redownload it from my signature below. Save to a different folder on your drive.
Don't get rid of Hijackthis 1.98.2.
DONE

4. Could you also delete your version of the SmitRem folder? I need you to redownload it; let's make sure it's the latest version.
DONE

5. But first, open the Run command and type in services.msc. Hit OK.
In the next window, look on the right hand side for this service
name---- svchost.exe (moto)
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled


ERROR message:
(Window title: Microsoft Management Console) MMC failed to initialize because it was installed incorrectly or because a portion of the registry has become corrupted. Make sure the file Mmcndmgr.dll is registered by running "regsvr32 %SystemRoot%\system32\mmcndmgr.dll".

----------
6. Run Pocket KillBox.exe DONE

7. RunThis.bat DONE

8. Try running Ewido again, let's see if it will work now
WON'T RUN = same message as always


9. Try running Hijackthis 1.99.1 again
If it will run can you try fixing these entries please


hijackthis 1.99.1

These files were not in the list

O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)

NO ERRORS were generated

-----

10. Open Misc tools section>>Open "Delete an NT service">>type the following into the box and then hit OK
moto


ERROR message:
The service 'moto' is enabled and/or running. Disable it first, using HijackThis itself (from the scan results) or the Services.msc window.
I tried to disable it with HijackThis, but same message.

11. Jotti's Online Malware scan - scan results
------
File:    soproc.exe
Status:    OK
MD5    df0f13ebfc629ed43b66fe391f3b8e28
Packers detected:    -
Scanner results
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found nothing
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
Dr.Web    Found nothing
F-Prot Antivirus    Found nothing
Fortinet    Found nothing
Kaspersky Anti-Virus    Found nothing
NOD32    Found nothing
Norman Virus Control    Found nothing
UNA    Found nothing
VBA32    Found nothing
 
------
File:    WININET.DLL
Status:    OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5    96e9cbb9f5b7faca709d87f49183ae5f
Packers detected:    -
Scanner results
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found nothing
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
Dr.Web    Found nothing
F-Prot Antivirus    Found nothing
Fortinet    Found nothing
Kaspersky Anti-Virus    Found nothing
NOD32    Found nothing
Norman Virus Control    Found nothing
UNA    Found nothing
VBA32    Found nothing
------

12. Quote: "I want to see why you can get a Hijackthis log to work, but not run Notepad from the run command"

I've never opened a HT log on the infected computer - I copy it to my flash drive and bring it to another computer.

BUT I downloaded your attached notepad and deleted the two existing and replaced it with yours. Same error as before
------

13. Hosts text file: won't open in Notepad, but the only listing is:

127.0.0.1     localhost

-------
-------
Logfile of HijackThis v1.99.1
Scan saved at 11:05:55 AM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT1991\hijackthis-3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\Regclean.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)

-----------
-----------
SMITREM LOG FILE:


   smitRem log file
     version 2.2

     by noahdfear

The current date is: Thu 07/28/2005
The current time is: 11:03:26.51

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Pre-run Files Present


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


   Post-run Files Present


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Wininet.dll ~~~

 CLEAN!


-------


Thank you

4
Tech Clinic / spysheriff-can't run ewido
« on: July 27, 2005, 09:36:38 AM »
1. Panda ActiveScan reported "Your PC contains spyware that ActiveScan cannot disinfect." Then it suggests I use a Panda solution capable of disinfecting spyware. The report is at the bottom of this post, after the HT log.

2. Was not able to run task manager from the Run window (same error as before) but was able to run it from HijackThis. I noticed that this was one of the processes:

WINDOWS\System32\l?ass.exe

But you did not ask me to remove it, so I did not

-------------------
3. Hijack This Errors: Same 5 as noted in an earlier post

Hijack This log: (in NORMAL mode, log saved after I "fixed Checked")


Logfile of HijackThis v1.98.2
Scan saved at 10:25:09 AM, on 7/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\SOFTWA~1\soproc.exe
C:\WINDOWS\Explorer.exe
C:\HJT3\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\Regclean.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxSzNn] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxSzNn
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


----------------------
ActiveScan Report



Incident                      Status                        Location

Adware:adware/adsmart         No disinfected                C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/azesearch       No disinfected                C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\FAVORITES\LEISURE\Anime sites.url
Adware:adware/quicksearch     No disinfected                C:\WINDOWS\DOWNLOADED PROGRAM FILES\Install.inf
Adware:adware/mediatickets    No disinfected                C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaTicketsInstaller.INF
Adware:adware/cws.searchmeup  No disinfected                C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\Car Insurance.url
Adware:adware/purityscan      No disinfected                C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\!update.exe
Adware:adware/spysheriff      No disinfected                C:\winstall.exe
Adware:adware/ilookup         No disinfected                C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\FAVORITES\Gambling
Adware:adware/spywareno       No disinfected                HKEY_CURRENT_USER\SOFTWARE\SNO
Adware:Adware/MediaTickets    No disinfected                C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets    No disinfected                C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets    No disinfected                C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
Virus:Trj/Sachek.A            Disinfected                   C:\WINDOWS\system32\1906902093.exe
Virus:Trj/Pdpinch.Q           Disinfected                   C:\WINDOWS\system32\abc.exe
Adware:Adware/PurityScan      No disinfected                C:\WINDOWS\system32\l?ass.exe
Adware:Adware/PurityScan      No disinfected                C:\WINDOWS\system32\Shex.exe
Virus:Trj/Downloader.DLH      Disinfected                   C:\WINDOWS\system32\vxgame1.exe
Virus:Trj/Downloader.DSV      Disinfected                   C:\WINDOWS\system32\vxgame2.exe
Virus:Trj/Agent.EY            Disinfected                   C:\WINDOWS\system32\vxgame3.exe
Virus:Trj/Clicker.HA          Disinfected                   C:\WINDOWS\system32\vxgame4.exe
Adware:Adware/Adsmart         No disinfected                C:\WINDOWS\system32\vxgame6.exe
Virus:Trj/Sachek.A            Disinfected                   C:\WINDOWS\system32\vxgamet1.exe
Virus:Trj/Downloader.DOC      Disinfected                   C:\WINDOWS\system32\vxh8jkdq1.exe
Virus:Trj/Downloader.DHI      Disinfected                   C:\WINDOWS\system32\vxh8jkdq5.exe
Virus:Trj/Downloader.CRY      Disinfected                   C:\WINDOWS\system32\vxh8jkdq6.exe
Virus:Trj/Downloader.DOC      Disinfected                   C:\WINDOWS\system32\vxh8jkdq8.exe
Virus:Trj/Downloader.DEW      Disinfected                   C:\WINDOWS\system32\web.exe
Adware:Adware/AzeSearch       No disinfected                C:\WINDOWS\system32\zolker005.dll
Adware:Adware/AzeSearch       No disinfected                C:\WINDOWS\system32\ztoolb005.dll


-------

Thank you...

5
Tech Clinic / spysheriff-can't run ewido
« on: July 26, 2005, 12:36:07 PM »
Just my luck - a new variant...

OK -

Windows key + R brought up the Run window (yea!) but:

1. Could not run notepad - same message as before
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.

2. Also, could not run wordpad or regedit or regedit.com - same message

3. BUT - the shutdown command WORKED.

4. I saved the fix.reg to another computer and brought it back over to the infected one (I'm using a flash drive) -- same message as above

5. I saved the fixreg.com executable to the desktop - when I double-click on it, a window with a black background flashes for a split second, then disappears. The window takes up the upper-left quarter of the screen. I clicked on it a few times so I could maybe get a persistent image as it flashed, and it appears that the window title is Commands and Settings.

PS. Microsoft Word, Excel, PageMaker all open. Acrobat does nothing when clicked; Dreamweaver gives the "application failed to start" message. Notepad, of course, gives the error message as well. (Those are the only apps I tried.)

6. When I launch Internet Explorer, it brings up a local page:

C:\WINDOWS\blank.mht

The content is for something called TNS SEARCH - TopNetSearch - "Let's begin Your Internet adventures!"
------------

harumph! adventures, Indeed...

---------------

My HijackThis log (in NORMAL mode)

Logfile of HijackThis v1.99.1
Scan saved at 1:25:33 PM, on 7/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\winstall.exe
C:\Program Files\saar\elat.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {8D0AF875-68EF-1F42-945B-49A6FEAA65B4} - C:\WINDOWS\System32\ysu.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nnerInstall.cab
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)



Thank you!

6
Tech Clinic / spysheriff-can't run ewido
« on: July 25, 2005, 08:00:37 PM »
3 things:

1. I could not turn off SpyBot's TeaTimer, because I cannot launch the program. As I mentioned earlier, some programs give me the error:

This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.

SpyBot is one of the programs; ewido is another--same message whether I try to run the application or run the installer.
--------
2. When I start the computer, I get this message:

Windows cannot find "C:\WINDOWS\System32\Kernels32.exe". Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
-------------
3. Also, remember that I cannot restart the computer - I have no Start button, and ctrl-alt-del has no effect. The power button has no effect. I must unplug the computer in order to "restart".

---------------------



I followed your instructions again, with these results:

1. When I ran smitRem, I followed the prompts, but I did not get the "up to 3 hours" disk cleanup. It was more like 2 seconds.

2. The 5 error messages that HijackThis gave all ENDED the same:

Please email me at [email protected], reporting the following:
*What you were trying to fix when the error occurred, if applicable
*How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE Version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard. Click OK to continue the rest of the scan.


(Note: I am not running Windows NT - I am running Windows XP Pro)

The 5 messages were:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O9-Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm)
Error #5 - Invalid procedure call or argument
----
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm)
Error #5 - Invalid procedure call or argument
----
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nerInstall.cab)
Error #5 - Invalid procedure call or argument
----
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing))
Error #5 - Invalid procedure call or argument
----
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing))
Error #5 - Invalid procedure call or argument
----
Then HijackThis gets to O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing) and I get the warning:

HijackThis is about to remove a BHO and the corresponding file from your system. Close all Internet Explorer Windows AND all Windows Explorer windows before continuing for the best chance of success.
I clicked OK.

----------------------------------------------------
Here are my logs:


smitfiles.txt
------------


   Pre-run Files Present


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~

Install.dat


 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~

winstall.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


   Post-run Files Present


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~

winstall.exe


 ~~~ Wininet.dll ~~~

 CLEAN!

--------------------------------------------
HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:55:20 PM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {8D0AF875-68EF-1F42-945B-49A6FEAA65B4} - C:\WINDOWS\System32\ysu.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nnerInstall.cab
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)

-----------------------------------------

Thank you!

7
Tech Clinic / spysheriff-can't run ewido
« on: July 25, 2005, 05:28:43 AM »
There were some errors when I "fix selected" in HT - they seemed to be at the top of the list. I didn't write them down, because it was the first 4 or 5 items, and I thought "maybe that's how HT reports the fixing". Didn't know if I should go through the instructions again - decided to let you look at the results first.

On reboot, SpySheriff still seems to have my computer....

----------

Logfile of HijackThis v1.99.1
Scan saved at 10:16:17 PM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\winstall.exe
C:\WINDOWS\System32\l?ass.exe
C:\MivaMia\BIN\Mia.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {8D0AF875-68EF-1F42-945B-49A6FEAA65B4} - C:\WINDOWS\System32\ysu.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nnerInstall.cab
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)

--------------------------
smitfiles.txt:


   Pre-run Files Present


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~

Online Dating.lnk
SpySheriff
Install.dat
SpySheriff.lnk


 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Windows directory ~~~

desktop.html


 ~~~ Drive root ~~~

winstall.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


   Post-run Files Present


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~

winstall.exe


 ~~~ Wininet.dll ~~~

 CLEAN!

8
Tech Clinic / spysheriff-can't run ewido
« on: July 24, 2005, 05:18:13 PM »
Thank you! Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 6:15:29 PM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\winstall.exe
C:\WINDOWS\System32\sgf.exe
C:\Program Files\saar\elat.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {8D0AF875-68EF-1F42-945B-49A6FEAA65B4} - C:\WINDOWS\System32\ysu.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nnerInstall.cab
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)

9
Tech Clinic / spysheriff-can't run ewido
« on: July 24, 2005, 07:43:15 AM »
Can someone look at the hijack this log? I haven't used the infected computer since I posted the log.

If I can't run the programs suggested to get rid of this, is it safe to go to Add/remove programs and remove SpySheriff?

I'm kind of stuck until I get some advice...

Thank you!

10
Tech Clinic / spysheriff-can't run ewido
« on: July 22, 2005, 01:36:05 PM »
Would it be harmful to go into Add/Remove Programs and just remove SpySheriff without running Ewido first? (Or is this exactly what the SpySheriff wants me to do??)

I also saw an "uninstall SpySheriff" executable in the SpySheriff folder, but I didn't fall for that! :D

I'm kind of stuck, because I don't know what to do if my computer won't let me install the very programs I need to clean it. CleanUp! seems to be the only one I can run.

Thanks for any advice...

11
Tech Clinic / spysheriff-can't run ewido
« on: July 22, 2005, 11:07:14 AM »
Hi - I also caught SpySheriff and followed all the instructions from Cretemonster from a June 18 post:
-------
Quote
First, download and install CleanUp! but do not run it yet *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
Install ewido security suite
Launch ewido, there should be a big E icon on your desktop, double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode, Run Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).

After you're done running Cleanup! follow the instructions below
Run Ewido.
-----
When I try to run Ewido, I get the message:

C:\Program Files\ewido\security suite\SecuritySuite.exe
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.

I get the same message when I try to reinstall the program.


My HijackThis logfile (wouldn't open on the infected computer - same message as above - copied it to another computer):


Logfile of HijackThis v1.99.1
Scan saved at 11:43:49 AM, on 7/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\winstall.exe
C:\WINDOWS\System32\sgf.exe
C:\Program Files\saar\elat.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {8D0AF875-68EF-1F42-945B-49A6FEAA65B4} - C:\WINDOWS\System32\ysu.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\[email protected]
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\sgf.exe
O4 - HKCU\..\Run: [Lerm] C:\Program Files\saar\elat.exe
O4 - HKCU\..\Run: [Wcosvbwo] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Mia.exe.lnk = C:\MivaMia\BIN\Mia.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} (Xvidnc Class) - http://gate.x10.com/control/xvidnx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nnerInstall.cab
O21 - SSODL: WinZip - {83E58D3E-3768-258D-5A3F-48DC99E0DFFB} - c:\program files\winzip\wintrqq32.dll (file missing)
O21 - SSODL: System - {7EEA8018-9D5F-4A92-A5E9-CE7766CF6024} - vr_sys.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe (file missing)


I REALLY would like not to have to reformat - the computer seems to be working - it just has the ugly SpySheriff shell running (except I have no Start button and Control-Alt-Delete won't work; nor will the power button). I have to unplug my computer to restart. Rebooted into Normal mode, but it looks the same...

Thank you!!
