Good! - glad to hear it! Are you using broadband or dialup? Do you have AdAware SE, Spybot S&D and a software firewall yet? I would also suggest that you keep disconnected from the internet (or your computer turned off), if using broadband, then as you begin the fix (again, if broadband), disable that internet adapter to keep any 'baddies' from calling for help. Then, enable it again when you need to download any of the cleanup programs.
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:
1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
If you don't already have it, download, install and run AdAware SE Personal.
-
Next, check for, and download any available updates:
1. Click "Check for updates now".
2. Click "Connect".
3. If updates(definitions) are available click "Ok", otherwise, click "Ok".
4. Click "Finish".
-
Next, configure AdAware to be as effective as possible:
1. Click the 'gear' in the upper-right hand corner of the AdAware window.
2. Click Scanning, and check(tick) the following:
Scan within archives
Scan active processes
Scan registry
Deep-scan registry
Scan my IE Favorites for banned URLs
Scan my Hosts file
3. Click "Tweak".
4. Click "Scanning Engine", then check(tick) the following:
Unload recognized processes & modules during scan
5. Click "Cleaning Engine", then check(tick) the following:
Always try to unload modules before deletion
During removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot
Delete quarantined objects after restoring
6. Then click "Proceed"
-
Now, let AdAware locate and remove anything it finds, by:
1. Click "Start".
2. Check(tick) "perform full system scan".
3. Click "Next".
-
Exit the program.
If you don't already have it, let's go to Lavasoft's VX2 Cleaner web-page, and follow the instructions to download and install the utility.
-
Next, run AdAware SE Personal, then:
1. Click "Add-Ons".
2. Double-click "VX2 Cleaner"
3. Click "Ok", to "Execute this tool".
4. If nothing is found, click "Ok", then exit the program.
(or)
4. If VX2 has been found on your system, click "Clean System"
5. Then when it's completely done, reboot your computer.
6. Repeat steps 1-4 again.
Be sure to follow any instructions it might give while using it.
Download LSPFix and unzip to your desktop, then run it. Now, we need to:
1. Check(tick) "I know what I'm doing".
2. Click on (highlight) each occurrence of the following, one at a time:
aklsp.dll
3. Then click ">>", moving each one, individually, to the 'Remove' pane.
4. (Double-check, and make sure that only the above files are in the 'Remove' pane.)
5. Click "Finish >>"
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
Run HiJackThis and click "Scan", then check(tick) the following, if present:
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
Okay Mike, below are two logs. The first one is the file names that could not be cleaned/deleted from the trendmicro scan. The second log is the hijackthis log.
TrendMicro
1) TROJ AGENT.BT Not Cleanable C:\WINDOWS\SYSTEM\akrules.dll
2) TROJ AGENT.BT Not Cleanable C:\WINDOWS\TEMP\akrules.dll
Okay Mike, below is the Hijackthis log from the Dllcompare download:
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\ciyptnet.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\iwnpstub.dll Sat Dec 18 2004 1:08:28p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dzskcopy.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\tyd32.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mfincp16.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rncrt4.dll Mon Jan 3 2005 9:21:32p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\jvmd400.dll Sun Jan 2 2005 6:44:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dbraw.dll Sun Jan 2 2005 2:27:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wxascr.dll Wed Dec 22 2004 3:53:32p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cirpol.dll Tue Dec 21 2004 8:56:50p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ssrrun.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rucltspx.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mzacm.dll Mon Dec 20 2004 8:22:44p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dpip32.dll Sun Dec 19 2004 11:42:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ekset16.dll Sat Dec 18 2004 2:30:58p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ozbcbcp.dll Sat Dec 18 2004 2:09:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mqcn30.dll Sat Dec 18 2004 1:51:58p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ijmp.dll Sat Dec 18 2004 1:36:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\eunp.dll Sat Dec 18 2004 1:33:58p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\jldwmie.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mppwl32.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ardenc32.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rncltccm.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\bbowsewm.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wr2thk.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\iemupg.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\eyusbci.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mijdbc10.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mijava.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mzvbvm60.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dhnlobby.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\maencode.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ix50_qc.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
________________________________________________
867 items found: 867 files (33 H/S), 0 directories. Total of file sizes: 162,882,339 bytes 155.34 M
Mike, below are the results from the second DLLCompare log:
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\eyusbci.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
________________________________________________
867 items found: 867 files (1 H/S), 0 directories. Total of file sizes: 162,882,339 bytes 155.34 M
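Two things stand out in the DLLCompare listing above: 33 hidden/system DLLs that are all exactly 217,088 bytes, and names that are one letter away from real Windows DLLs (ciyptnet vs cryptnet, mzvbvm60 vs msvbvm60, mijava vs msjava). Both are worth automating when a listing is long. The script below is an added example, not part of this thread and not DLLCompare's own code; the sample lines are constructed from the listing above plus one labelled control entry, the attribute column is carried but not interpreted (its flag layout is not documented here), and the reference list of legitimate DLL names is a small illustrative set that an analyst would extend.

```python
"""Triage a DLLCompare listing: cluster by byte size, and flag basenames that
are a one-character edit away from a known legitimate DLL name.  Added example;
sample data is constructed from the listing posted in this thread."""
import re
from collections import defaultdict

# Constructed sample: seven entries from the posted listing plus one control
# entry (ctl_sample.dll, invented here) with a different size.
DLLCOMPARE_SAMPLE = r"""
C:\WINDOWS\SYSTEM\ciyptnet.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\iwnpstub.dll Sat Dec 18 2004 1:08:28p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rncrt4.dll Mon Jan 3 2005 9:21:32p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dpip32.dll Sun Dec 19 2004 11:42:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mzvbvm60.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mijava.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\eyusbci.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ctl_sample.dll Mon Jan 3 2005 8:00:00a ..S.R 45,056 44.00 K
"""

# One DLLCompare row: path, timestamp, attribute flags, byte size, size in K.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?\.dll) "
    r"(?P<stamp>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap]) "
    r"(?P<attrs>\S+) (?P<size>[\d,]+) [\d.]+ K$",
    re.IGNORECASE,
)

# Small illustrative set of genuine Windows DLL names (extend for real use).
KNOWN_DLLS = {"cryptnet.dll", "msvbvm60.dll", "msjava.dll"}


def parse_dllcompare(text):
    """Return one dict per recognised row; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            rows.append({"path": m.group("path"), "stamp": m.group("stamp"),
                         "attrs": m.group("attrs"),
                         "size": int(m.group("size").replace(",", ""))})
    return rows


def size_clusters(rows, min_members=3):
    """Group paths by exact byte size.  A dropper that writes the same payload
    under many random names leaves a cluster of identical sizes that no set of
    unrelated system DLLs would produce."""
    by_size = defaultdict(list)
    for r in rows:
        by_size[r["size"]].append(r["path"])
    return {s: sorted(p) for s, p in by_size.items() if len(p) >= min_members}


def edit_distance(a, b):
    """Levenshtein distance between two strings (plain DP, no library needed)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_names(rows, known=KNOWN_DLLS, max_distance=1):
    """(basename, legitimate name) pairs where the basename is a near-miss of
    a known DLL; a look-alike name is a hint the file is impersonating it."""
    hits = []
    for r in rows:
        name = r["path"].rsplit("\\", 1)[-1].lower()
        for k in known:
            d = edit_distance(name, k)
            if 0 < d <= max_distance:
                hits.append((name, k))
    return sorted(hits)


if __name__ == "__main__":
    rows = parse_dllcompare(DLLCOMPARE_SAMPLE)
    for size, paths in size_clusters(rows).items():
        print(f"{len(paths)} hidden/system files share size {size}:")
        for p in paths:
            print("   ", p)
    for name, legit in lookalike_names(rows):
        print(f"{name} looks like {legit}")
```

Run against the full 33-line listing, the size cluster alone covers every entry, which is why Mike's second pass (one file left at 217,088 bytes) reads as incomplete rather than clean.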
From a command line, run "regedit" then go to the following registry key:
1. HKEY_LOCAL_MACHINE
2. SOFTWARE
3. Microsoft
4. Windows NT
5. CurrentVersion
6. Winlogon
7. Notify
Look for an entry that says:
DLLName="c:\\windows..."
It'll have a randomly named file where the "..." is. Post back the name of that file and close the registry editor, without changing any of the data.
Let me know when you're done with that, and post back a new log - let's see if anything is left.
If you don't already have it, download, install and run Spybot S&D. Next, update the current definitions by:
-
Next, check for, and download any available updates:
1. Click "Search for Updates".
2. Check(tick) all available updates.
3. Click "Download Updates".
4. Click "Search & Destroy".
5. Click "Check for Problems".
-
When the scan is completed:
1. Check(tick) everything that was found.
2. Click "Fix selected problems".
-
Click "Ok", then exit the program.
When you're done, post back a new hjt log and I'll see what we have left. If you encounter any problems, just post back.
Mike, sorry I haven't posted back in some time. I had to go out of town unexpectedly on business, but back now. I accessed my computer last night & was going to perform the next step, but, all of a sudden, numerous web pages popped up, again & again. Every time I tried closing them, more of them would appear. I shut down & restarted a couple of times, which seemed to fix the problem. However, the computer is running terribly slow now. My question is do I need to simply pick up where we left off & complete the next step or should I do something else?
Midnight Star
4.8K Posts
0
January 25th, 2005 15:00
Download, then unzip to "C:\HJT", the newest version of HiJackThis; version 1.99.0. Now, let's do the following:
1. Click "Scan"
2. Click "Save log"
Notepad will pop-up with a copy of your system log, then:
1. "Edit | Select all"
2. "Edit | Copy"
Next, let's "Reply" back to this post, then:
1. Right-click on the message body.
2. Select "Paste"
Then just "Post" the message, and we'll analyze your log shortly, then post back any recommendation(s).
-
Mike.
salcosta
10 Posts
0
January 25th, 2005 16:00
Message Edited by salcosta on 01-25-2005 12:59 PM
DELL-Chris M
Community Manager
56.9K Posts
0
January 25th, 2005 19:00
* Restart the computer
* At the first beep or on the blue Dell screen, tap the F8 key or the F5 key
* At some point, the Advanced Options menu will appear
* Select Safe Mode with Networking [Press the Enter Key]
* Select the first or only operating system listed [Press the Enter Key]
Can you get online to do the fixes?
salcosta
10 Posts
0
January 26th, 2005 12:00
Chris, I will also try what you have suggested. I had to copy Hijackthis onto a disk from work & load it on my computer @ home. At the moment, I am unable to connect to the internet from home due to the virus.
Mike, below are the results of the scan:
Logfile of HijackThis v1.99.0
Scan saved at 6:00:37 PM, on 1/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSDMN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
C:\WINDOWS\SYSTEM\WSXSVC\WSXSVC.EXE
C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
C:\WINDOWS\SYSTEM\SAIE.EXE
C:\PROGRAM FILES\CSBB\CSV10P070.EXE
C:\WINDOWS\SYSTEM\TYAVUL.EXE
C:\PROGRAM FILES\DLSMGR\DLSMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\TKJC.EXE
C:\WINDOWS\SYSFIT.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\HKHHKP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL (file missing)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL (file missing)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\2.BIN\S4BAR.DLL (file missing)
O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\SYSTEM\SYSSFITB.DLL (file missing)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wvwwvo.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 - HKLM\..\Run: [CSV10P70] \Progra~1\CSBB\CSV10P070.EXE
O4 - HKLM\..\Run: [dbhqdwwgrwft] C:\WINDOWS\SYSTEM\tyavul.exe
O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [dwf] C:\WINDOWS\dwf.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [NetZero_uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Odvuc] C:\WINDOWS\SYSTEM\tkjc.exe
O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
O4 - Startup: hkhhkp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/227
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
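Reading a log like the one above by hand is what Mike does in the next post; the patterns he is keying on are mechanical enough to script. The script below is an added example, not part of this thread and not HijackThis' own code: it parses HJT-style entries, flags O1 Hosts lines that send search engines to a non-loopback address, R0/R1 keys that all point at the same third-party host, O4 Run values with machine-generated names, and O10 Winsock LSP files HJT could not attribute, and it diffs two logs so new persistence shows up after a cleanup. The sample lines are constructed from entries quoted in this log and in the 1/26 log later in the thread; the heuristics are the editor's, not HijackThis' rules.

```python
"""Triage helper for HijackThis-style logs (added example, not HJT's code).
Sample lines are constructed from the two logs posted in this thread."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a subset of the 1/25 log (before the fix list)...
LOG_BEFORE = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home",
    r"O1 - Hosts: 69.20.16.183 auto.search.msn.com",
    r"O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET",
    r"O4 - HKLM\..\Run: [dbhqdwwgrwft] C:\WINDOWS\SYSTEM\tyavul.exe",
    r"O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1",
    r"O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll",
]
# ...and of the 1/26 log (after it).  Two Run entries are new.
LOG_AFTER = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home",
    r"O1 - Hosts: 69.20.16.183 auto.search.msn.com",
    r"O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET",
    r"O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe",
    r"O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe",
]

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
VOWELS = set("aeiouy")


def parse(lines):
    """Keep only (section, body) pairs for lines shaped like HJT entries."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def hosts_redirects(entries):
    """O1 lines that point a name at a non-loopback address: a Hosts-file
    redirect (here search engines are sent to 69.20.16.183)."""
    hits = []
    for sec, body in entries:
        if sec == "O1" and body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2 and parts[0] not in LOOPBACK:
                hits.append((parts[1], parts[0]))
    return hits


def ie_hosts(entries, min_keys=3):
    """Hosts set in R0/R1 IE keys.  One third-party host wired into several
    keys at once (search bar, search page, default search URL) is the
    signature of a search hijacker rather than a user preference."""
    counts = Counter()
    for sec, body in entries:
        if sec.startswith("R"):
            host = urlparse(body.partition(" = ")[2].strip()).hostname
            if host:
                counts[host] += 1
    return {h: n for h, n in counts.items() if n >= min_keys}


def looks_random(name):
    """Heuristic: generated Run-value names are hex blobs, GUIDs or vowel-free
    letter soup; names people choose are pronounceable."""
    if re.fullmatch(r"[0-9A-Fa-f]{8,}|\{?[0-9A-Fa-f-]{36}\}?", name):
        return True
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 4 and sum(c in VOWELS for c in letters) / len(letters) < 0.2


def suspicious_run_entries(entries):
    """O4 Run entries whose value name looks machine-generated."""
    hits = []
    for sec, body in entries:
        m = O4_RE.match(body) if sec == "O4" else None
        if m and looks_random(m.group("name")):
            hits.append((m.group("name"), m.group("cmd")))
    return hits


def unknown_lsps(entries):
    """O10: a DLL in the Winsock provider chain HJT cannot attribute.  It sees
    every socket call, and deleting it without repairing the chain (LSPFix)
    breaks networking, which is why it gets its own step."""
    return [body.split(":", 1)[1].strip() for sec, body in entries
            if sec == "O10" and body.startswith("Unknown file in Winsock LSP")]


def diff_logs(before, after):
    """(removed, added) entries between two logs.  Added O4 entries in a
    post-cleanup log mean something re-established persistence meanwhile."""
    b, a = set(parse(before)), set(parse(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    old = parse(LOG_BEFORE)
    print("hosts redirects:", hosts_redirects(old))
    print("IE hijack hosts:", ie_hosts(old))
    print("random Run names:", suspicious_run_entries(old))
    print("unknown LSPs:", unknown_lsps(old))
    print("new since last log:", diff_logs(LOG_BEFORE, LOG_AFTER)[1])
```

The diff is the part worth keeping around: the two Run entries it reports as new in the 1/26 log (wupdt.exe, FARMMEXT.exe) were not in the 1/25 log at all, which matches the user's later report of pop-ups returning after the first round of fixes.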
Midnight Star
4.8K Posts
0
January 26th, 2005 14:00
salcosta,
Let's use HiJackThis and see how much we're going to be able to get cleaned off your system. We're going to need other programs to help with the cleanup, so hopefully we can regain internet access - if not, are you able to download files from where you're at, then install them on the 'sick' pc?
-
Let's get started...
Go to Add/Remove programs and remove(uninstall) the following, if present:
Web Related
WildTangent
Virtual Bouncer
anything with 'search' in the entry.
anything with 'toolbar' in the entry.
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.
Run HiJackThis then:
1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
C:\WINDOWS\SYSTEM\WSXSVC\WSXSVC.EXE
C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
C:\WINDOWS\SYSTEM\SAIE.EXE
C:\WINDOWS\SYSTEM\TYAVUL.EXE
C:\PROGRAM FILES\DLSMGR\DLSMGR.EXE
C:\WINDOWS\SYSTEM\TKJC.EXE
C:\WINDOWS\SYSFIT.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\HKHHKP.EXE
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u STLB2.DLL
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
Run HiJackThis and click "Scan", then check(tick) the following, if present:
...(Unless you've restricted the use of registry editing, have HiJackThis fix this.)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL (file missing)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL (file missing)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\2.BIN\S4BAR.DLL (file missing)
O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINDOWS\SYSTEM\SYSSFITB.DLL (file missing)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 - HKLM\..\Run: [CSV10P70] \Progra~1\CSBB\CSV10P070.EXE
O4 - HKLM\..\Run: [dbhqdwwgrwft] C:\WINDOWS\SYSTEM\tyavul.exe
O4 - HKLM\..\Run: [dlsmgr] C:\Program Files\dlsmgr\dlsmgr.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [dwf] C:\WINDOWS\dwf.exe
O4 - HKCU\..\Run: [Odvuc] C:\WINDOWS\SYSTEM\tkjc.exe
O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
O4 - Startup: hkhhkp.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
Now, with all windows closed except HiJackThis, click "Fix checked".
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
folders...
C:\PROGRAM FILES\VBOUNCER
C:\WINDOWS\SYSTEM\WSXSVC
C:\WINDOWS\SYSTEM\VMSS
C:\PROGRAM FILES\DLSMGR
C:\PROGRA~1\TOOLBAR
C:\PROGRA~1\WILDTA~1
C:\PROGRA~1\VBOUNCER
C:\PROGRAM FILES\AIM TOOLBAR
C:\Progra~1\CSBB
files...
C:\WINDOWS\SYSTEM\SAIE.EXE
C:\WINDOWS\SYSTEM\TYAVUL.EXE
C:\WINDOWS\SYSTEM\TKJC.EXE
C:\WINDOWS\SYSFIT.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\HKHHKP.EXE
C:\WINDOWS\SYSTEM\STLB2.DLL
C:\WINDOWS\dwf.exe
C:\WINDOWS\Application Data\btws.exe
Search for...
stlb2.dll
E6F1873B.DLL
hkhhkp.exe
...using "Start | Search...".
Don't reboot your system just yet and post back a new log.
-
Mike.
Message Edited by Midnight Star on 01-26-2005 10:20 AM
salcosta
10 Posts
0
January 26th, 2005 14:00
Thanks Mike. I'll complete these steps tonight. I am able to download items from work & load onto my computer @ home. Hopefully, I will be able to gain access to the internet again.
I'll post my findings tomorrow morning.
Thanks,
Sal
salcosta
10 Posts
0
January 27th, 2005 13:00
Mike, the steps that I took last night allowed access to the internet again. Thanks! Following is the log:
Logfile of HijackThis v1.99.0
Scan saved at 8:07:58 PM, on 1/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\CSBB\CSV10P070.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wvwwvo.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [NetZero_uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/227
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
Midnight Star
4.8K Posts
0
January 27th, 2005 13:00
Let's keep picking away at this...
Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:
1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
If you don't already have it, download, install and run AdAware SE Personal.
-
Next, check for, and download any available updates:
1. Click "Check for updates now".
2. Click "Connect".
3. If updates(definitions) are available click "Ok", otherwise, click "Ok".
4. Click "Finish".
-
Next, configure AdAware to be as effective as possible:
1. Click the 'gear' in the upper-right hand corner of the AdAware Window.
2. Click Scanning, and check(tick) the following:
Scan within archives
Scan active processes
Scan registry
Deep-scan registry
Scan my IE Favorites for banned URLs
Scan my Hosts file
3. Click "Tweak".
4. Click "Scanning Engine", then check(tick) the following:
Unload recognized processes & modules during scan
5. Click "Cleaning Engine", then check(tick) the following:
Always try to unload modules before deletion
During removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot
Delete quarantined objects after restoring
6. Then click "Proceed"
-
Now, let AdAware locate and remove anything it finds, by:
1. Click "Start".
2. Check(tick) "perform full system scan".
3. Click "Next".
-
Exit the program.
If you don't already have it, let's go to Lavasoft's VX2 Cleaner web-page, and follow the instructions to download and install the utility.
-
Next, run AdAware SE Personal, then:
1. Click "Add-Ons".
2. Double-click "VX2 Cleaner"
3. Click "Ok", to "Execute this tool".
4. If nothing is found, click "Ok", then exit the program.
(or)
4. If VX2 has been found on your system, click "Clean System"
5. Then when it's completely done, reboot your computer.
6. Repeat steps 1-4 again.
Be sure to follow any instructions it might give while using it.
Download LSPFix and unzip to your desktop, then run it. Now, we need to:
1. Check(tick) "I know what I'm doing".
2. Click on (highlight) each occurrence of the following, one at a time:
aklsp.dll
3. Then click ">>", moving each one, individually, to the 'Remove' pane.
4. (Double-check, and make sure that only the above files are in the 'Remove' pane.)
5. Click "Finish >>"
Let's download the Symantec VirtuMundo removal tool, and run it.
Download, unzip to your desktop CWShredder and run it, then:
1. Click "Check For Update"
(If an update isn't available, skip to step #4.)
2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"
Next, Open a command prompt by:
1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).
-
Now, locate and 'stop' the following services, if present:
MOSEARCH.EXE
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.
Run HiJackThis then:
1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
Run HiJackThis and click "Scan", then check(tick) the following, if present:
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wvwwvo.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
Now, with all windows closed except HiJackThis, click "Fix checked".
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
folders...
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH
C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH
files...
C:\WINDOWS\wvwwvo.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\FARMMEXT.exe
Post back a new log.
-
Mike.
salcosta
10 Posts
0
January 31st, 2005 12:00
Okay Mike, below are two logs. The first one is the file names that could not be cleaned/deleted from the trendmicro scan. The second log is the hijackthis log.
TrendMicro
1) TROJ AGENT.BT Not Cleanable C:\WINDOWS\SYSTEM\akrules.dll
2) TROJ AGENT.BT Not Cleanable C:\WINDOWS\TEMP\akrules.dll
3) TROJ AGENT.AE CanNotAccess C:\_RESTORE\TEMP\A0194346…
4) TROJ AGENT.AE CanNotAccess C:\_RESTORE\TEMP\A0170078…
5) BKDR SANDBOX.A CanNotAccess C:\_RESTORE\TEMP\A0172038…
6) BKDR SANDBOX.A CanNotAccess C:\_RESTORE\TEMP\A0172039…
7) BKDR SANDBOX.A CanNotAccess C:\_RESTORE\TEMP\A0172040…
8) BKDR B.A CanNotAccess C:\_RESTORE\TEMP\A0172042…
9) BKDR SANDBOX.A CanNotAccess C:\_RESTORE\TEMP\A0172043…
10) TROJ AGENT.AE CanNotAccess C:\_RESTORE\TEMP\A0172053…
11) TROJ SMALL.CB CanNotAccess C:\_RESTORE\TEMP\A0195372…
12) TROJ SMALL.CB CanNotAccess C:\_RESTORE\TEMP\A0199188…
13) TROJ SMALL.CB CanNotAccess C:\_RESTORE\TEMP\A0200627…
14) TROJ AGENT.AE CanNotAccess C:\_RESTORE\TEMP\A0201108…
15) TROJ ISTBAR.GM CanNotAccess C:\_RESTORE\TEMP\A0201109…
16) TROJ AGENT.BT CanNotAccess C:\_RESTORE\TEMP\A0201120…
17) TROJ AGENT.ALL CanNotAccess C:\_RESTORE\TEMP\A0201121…
18) TROJ VB.OD CanNotAccess C:\_RESTORE\TEMP\A0201122…
19) TROJ BRDUPDATE.E CanNotAccess C:\_RESTORE\TEMP\A0201123…
20) TROJ BRDUPDATE.D CanNotAccess C:\_RESTORE\TEMP\A0201124…
21) TROJ ENVOLO.B CanNotAccess C:\_RESTORE\TEMP\A0201125…
22) TROJ NARRATOR.A CanNotAccess C:\_RESTORE\TEMP\A0201126…
23) TROJ NARRATOR.A CanNotAccess C:\_RESTORE\TEMP\A0201127…
24) TROJ AGENT.BCA CanNotAccess C:\_RESTORE\TEMP\A0201128…
25) TROJ CHOPENOZ.B CanNotAccess C:\_RESTORE\TEMP\A0201129…
26) TROJ HIDEPROC.C CanNotAccess C:\_RESTORE\TEMP\A0201130…
27) TROJ ISTBAR.AM CanNotAccess C:\_RESTORE\TEMP\A0201131…
28) TROJ AGENT.AE CanNotAccess C:\_RESTORE\TEMP\A0201132…
29) TROJ BLOCKDROP.A CanNotAccess C:\_RESTORE|TEMP\A0201133…
30) TROJ SMALL.CB CanNotAccess C:\_RESTORE\TEMP\A0201134…
31) TROJ SMALL.CB CanNotAccess C:\_RESTORE\ARCHIVE\FS120…
32) TROJ STRTPAGE.Z CanNotAccess C:\_RESTORE\ARCHIVE\FS120…
33) TROJ SMALL.CB CanNotAccess C:\_RESTORE\ARCHIVE\FS121…
34) TROJ MULTIDRP.V CanNotAccess C:\_RESTORE\ARCHIVE\FS121…
35) TROJ BISPY.B CanNotAccess C:\_RESTORE\ARCHIVE\FS122…
36) TROJ IDLY.C CanNotAccess C:\_RESTORE\ARCHIVE\FS122…
37) TROJ SCNDTHOT.AV CanNotAccess C:\_RESTORE\ARCHIVE\FS122…
38) TROJ AGENT.AE CanNotAccess C:\_RESTORE\ARCHIVE\FS123…
Hijackthis Log
Logfile of HijackThis v1.99.0
Scan saved at 3:37:28 PM, on 01/30/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRAM FILES\SPYSPOTTER\SpySpotter.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [NetZero_uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/227
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
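A rule-based triage of HijackThis entries like the ones Mike has been picking out of these logs, as an added example (my code, not HijackThis's or the forum's): it flags O1 hosts lines that send a domain somewhere other than loopback, O10 LSP files HijackThis could not identify, orphaned O3 toolbars, and search-related R0/R1 values that all point at one host. The sample log is a constructed subset of the log above plus one benign ad-blocking hosts line.

```python
"""Rule-based triage of HijackThis v1.99 log lines (added example, not HijackThis code).

The rules mirror the entries the helper picked out in this thread:
  O1    hosts-file lines that point a domain at a non-loopback IP
  O10   Winsock LSP files HijackThis could not identify
  O3    orphaned toolbar entries with "(no name)" and "(no file)"
  R0/R1 several search-related registry values all pointing at one host
"""
import re
from collections import Counter
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)")
LOOPBACK = {"127.0.0.1", "0.0.0.0"}  # hosts entries pointing here are blocks, not hijacks
LSP_PREFIX = "Unknown file in Winsock LSP:"

# Constructed sample: a subset of the log posted above, plus one benign
# ad-blocking hosts line (ad.doubleclick.net) that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wvwwvo.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
"""


def parse_log(text):
    """Yield (section, body) for each HijackThis entry line; header and process lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def _host_of(value):
    # SearchURL values in the log omit the scheme, so supply one for urlparse.
    return urlparse(value if "://" in value else "//" + value).hostname


def triage(text, search_threshold=2):
    """Return a list of (section, detail) findings for the log text."""
    findings = []
    lsp_files = Counter()     # O10 repeats once per LSP layer; collapse to one finding
    search_hosts = Counter()  # how many search-related values point at each host
    for section, body in parse_log(text):
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m and m.group("ip") not in LOOPBACK:
                findings.append(("O1", f"hosts file redirects {m.group('name')} to {m.group('ip')}"))
        elif section == "O10" and body.startswith(LSP_PREFIX):
            lsp_files[body[len(LSP_PREFIX):].strip().lower()] += 1
        elif section == "O3" and "(no name)" in body and "(no file)" in body:
            findings.append(("O3", "orphaned toolbar entry: " + body))
        elif section in ("R0", "R1"):
            key, sep, value = body.partition(" = ")
            if sep and "Search" in key and value.strip():
                host = _host_of(value.strip())
                if host:
                    search_hosts[host] += 1
    for path, layers in lsp_files.items():
        findings.append(("O10", f"unidentified LSP {path} hooked into {layers} layer(s)"))
    for host, n in search_hosts.items():
        if n >= search_threshold:
            findings.append(("R", f"{n} search settings point at {host}"))
    return findings


if __name__ == "__main__":
    for section, detail in triage(SAMPLE_LOG):
        print(f"[{section}] {detail}")
```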
Midnight Star
4.8K Posts
0
January 31st, 2005 17:00
Download, unzip to your desktop CWShredder and run it, then:
( If an update isn't available, skip to step #4.)
3. When the new version has been downloaded, click " Save".
Run HiJackThis and click " Scan", then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
Now, with all windows closed except HiJackThis, click " Fix checked".
Next, let's 'look' where no-hijack has looked before:
2. click " Run locate.com".
When the scan is complete, you will see: Completed the scan, Click Compare to Continue
3. click "Compare".
In a few minutes it'll be Completed
4. click "Make a Log of what was Found".
5. Post that back as a reply to this post. Don't reboot your computer just yet, and post back a new log.
Message Edited by Midnight Star on 01-31-2005 01:03 PM
salcosta
10 Posts
0
February 1st, 2005 15:00
Okay Mike, below is the Hijackthis log from the Dllcompare download:
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\ciyptnet.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\iwnpstub.dll Sat Dec 18 2004 1:08:28p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dzskcopy.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\tyd32.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mfincp16.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rncrt4.dll Mon Jan 3 2005 9:21:32p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\jvmd400.dll Sun Jan 2 2005 6:44:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dbraw.dll Sun Jan 2 2005 2:27:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wxascr.dll Wed Dec 22 2004 3:53:32p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cirpol.dll Tue Dec 21 2004 8:56:50p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ssrrun.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rucltspx.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mzacm.dll Mon Dec 20 2004 8:22:44p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dpip32.dll Sun Dec 19 2004 11:42:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ekset16.dll Sat Dec 18 2004 2:30:58p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ozbcbcp.dll Sat Dec 18 2004 2:09:06p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mqcn30.dll Sat Dec 18 2004 1:51:58p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ijmp.dll Sat Dec 18 2004 1:36:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\eunp.dll Sat Dec 18 2004 1:33:58p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\jldwmie.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mppwl32.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ardenc32.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rncltccm.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\bbowsewm.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wr2thk.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\iemupg.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\eyusbci.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mijdbc10.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mijava.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mzvbvm60.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dhnlobby.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\maencode.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ix50_qc.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
________________________________________________
867 items found: 867 files (33 H/S), 0 directories.
Total of file sizes: 162,882,339 bytes 155.34 M
--------------------End log---------------------
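As an added example (my code, not DLLCompare's or the helper's), a parser for the listing above that groups the hidden files by size and attribute flags, which is exactly what makes that run of 217,088-byte DLLs under random names stand out, and that checks the parsed count against the log's own H/S figure. The sample is four lines from the log above plus two constructed entries that should fall outside the cluster.

```python
"""Cluster analysis of DLLCompare output (added example, not DLLCompare's own code).

The files the helper later fed to KillBox share one size (217,088 bytes) and
the same S/R attribute flags under random names. Grouping the listing by
(size, attrs) pulls that cluster out automatically.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+"
    r"(?P<stamp>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>\d[\d,]*)\s+"
    r"(?P<human>[\d.]+ [KMG])$"
)
SUMMARY_RE = re.compile(
    r"^(?P<items>\d+) items found: (?P<files>\d+) files \((?P<hs>\d+) H/S\), (?P<dirs>\d+) directories\.$"
)

# Constructed sample: four lines from the log posted above plus two constructed
# entries (example1.dll, example2.dll); the footer counts are constructed too.
SAMPLE_LOG = r"""
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\ciyptnet.dll Fri Dec 3 2004 9:42:02p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\iwnpstub.dll Sat Dec 18 2004 1:08:28p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rncrt4.dll Mon Jan 3 2005 9:21:32p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\eyusbci.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\example1.dll Mon Jan 3 2005 9:00:00a ..S.R 45,056 44.00 K
C:\WINDOWS\SYSTEM\example2.dll Sun Jan 2 2005 2:00:00p ....R 217,088 212.00 K
________________________________________________
12 items found: 12 files (6 H/S), 0 directories.
Total of file sizes: 1,234,567 bytes 1.18 M
--------------------End log---------------------
"""


def parse_dllcompare(text):
    """Return (entries, summary): entries as dicts, summary as the parsed footer counts or None."""
    entries, summary = [], None
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append({
                "path": m.group("path"),
                "stamp": m.group("stamp"),
                "attrs": m.group("attrs"),
                "size": int(m.group("size").replace(",", "")),
            })
            continue
        s = SUMMARY_RE.match(line)
        if s:
            summary = {k: int(v) for k, v in s.groupdict().items()}
    return entries, summary


def find_clusters(entries, min_count=3):
    """Group by (size, attrs); keep groups of at least min_count files carrying both S and R flags."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["attrs"])].append(e["path"])
    clusters = []
    for (size, attrs), paths in groups.items():
        if len(paths) >= min_count and "S" in attrs and "R" in attrs:
            clusters.append({"size": size, "attrs": attrs, "paths": sorted(paths)})
    return clusters


def counts_agree(entries, summary):
    """The H/S figure in the log footer should equal the number of listed entries."""
    return summary is not None and summary["hs"] == len(entries)


def killbox_list(clusters):
    """Flatten cluster paths into the one-per-line form used in the KillBox steps."""
    return "\n".join(p for c in clusters for p in c["paths"])


if __name__ == "__main__":
    entries, summary = parse_dllcompare(SAMPLE_LOG)
    print("footer count matches:", counts_agree(entries, summary))
    for c in find_clusters(entries):
        print(f"{len(c['paths'])} files of {c['size']} bytes, attrs {c['attrs']}:")
        print(killbox_list([c]))
```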
Midnight Star
4.8K Posts
0
February 1st, 2005 15:00
salcosta,
This will take us a few posts to resolve, so hang in there.
-
Let's get started...
Now, run KillBox, then:
-----
1. check(tick) "Replace on reboot"
2. enter C:\WINDOWS\SYSTEM\ciyptnet.dll, in "Full Path of File to Delete".
3. check(tick) "Use Dummy".
4. click the red-x, just right of where you entered the file to delete.
5. Confirm that you want to replace the 'bad' file with the 'dummy'.
6. When prompted to "Reboot Now", select "No".
7. Now repeat steps #1 - #6 for the following files:
C:\WINDOWS\SYSTEM\iwnpstub.dll
C:\WINDOWS\SYSTEM\dzskcopy.dll
C:\WINDOWS\SYSTEM\tyd32.dll
C:\WINDOWS\SYSTEM\mfincp16.dll
C:\WINDOWS\SYSTEM\rncrt4.dll
C:\WINDOWS\SYSTEM\jvmd400.dll
C:\WINDOWS\SYSTEM\dbraw.dll
C:\WINDOWS\SYSTEM\wxascr.dll
C:\WINDOWS\SYSTEM\cirpol.dll
C:\WINDOWS\SYSTEM\ssrrun.dll
C:\WINDOWS\SYSTEM\rucltspx.dll
C:\WINDOWS\SYSTEM\mzacm.dll
C:\WINDOWS\SYSTEM\dpip32.dll
C:\WINDOWS\SYSTEM\ekset16.dll
C:\WINDOWS\SYSTEM\ozbcbcp.dll
C:\WINDOWS\SYSTEM\mqcn30.dll
C:\WINDOWS\SYSTEM\ijmp.dll
C:\WINDOWS\SYSTEM\eunp.dll
C:\WINDOWS\SYSTEM\jldwmie.dll
C:\WINDOWS\SYSTEM\mppwl32.dll
C:\WINDOWS\SYSTEM\ardenc32.dll
C:\WINDOWS\SYSTEM\rncltccm.dll
C:\WINDOWS\SYSTEM\bbowsewm.dll
C:\WINDOWS\SYSTEM\wr2thk.dll
C:\WINDOWS\SYSTEM\iemupg.dll
C:\WINDOWS\SYSTEM\eyusbci.dll
C:\WINDOWS\SYSTEM\mijdbc10.dll
C:\WINDOWS\SYSTEM\mijava.dll
C:\WINDOWS\SYSTEM\mzvbvm60.dll
C:\WINDOWS\SYSTEM\dhnlobby.dll
C:\WINDOWS\SYSTEM\maencode.dll
C:\WINDOWS\SYSTEM\ix50_qc.dll
C:\Windows\System32\Guard.tmp
After entering the last file, when prompted to "Reboot Now", select "Yes".
-----
You can copy/paste these file name(s) to save on typing.
Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results.
Mike.
salcosta
10 Posts
0
February 2nd, 2005 14:00
Mike, below are the results from the second DLLCompare log:
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\eyusbci.dll Fri Dec 3 2004 9:42:00p ..S.R 217,088 212.00 K
________________________________________________
867 items found: 867 files (1 H/S), 0 directories.
Total of file sizes: 162,882,339 bytes 155.34 M
--------------------End log---------------------
Midnight Star
4.8K Posts
0
February 2nd, 2005 15:00
Sal,
Hopefully, this will be the last DLLCompare we'll need to run. There are a lot of steps in here, so try to take them one at a time.
Now, run KillBox, then:
-----
1. check(tick) "Replace on reboot"
2. enter C:\WINDOWS\SYSTEM\eyusbci.dll , in "Full Path of File to Delete".
3. check(tick) "Use Dummy".
4. click the red-x, just right of where you entered the file to delete.
5. Confirm that you want to replace the 'bad' file with the 'dummy'.
6. When prompted to "Reboot Now", select "No".
7. Now repeat steps #1 - #6 for the following files:
C:\Windows\System32\Guard.tmp
After entering the last file, when prompted to "Reboot Now", select "Yes".
-----
You can copy/paste these file name(s) to save on typing.
Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results.
Ok, now we need to fix some of the damage that garbage did to your system and do one more thing:
-
Run Killbox again, but this time just copy/paste the following names, one at a time, in the file name to delete field:
then click the red-x to delete these files.
Download and run VX2Finder, then:
1. Click "Restore Policy"
2. Click "User Agent$"
From a command line, run "regedit" then go to the following registry key:
1. HKEY_LOCAL_MACHINE
2. SOFTWARE
3. Microsoft
4. Windows NT
5. CurrentVersion
6. Winlogon
7. Notify
Look for an entry that says:
DLLName="c:\\windows..."
It'll have a randomly named file where the "..." is. Post back the name of that file and close the registry editor, without changing any of the data.
Let me know when you're done with that, and post back a new log - let's see if anything is left.
If you don't already have it, download, install and run AdAware SE Personal.
-
Next, check for, and download any available updates:
1. click "Check for updates now".
2. Click "Connect".
3. If updates(definitions) are available click "Ok", otherwise, click "Ok".
4. Click "Finish".
-
Next, configure AdAware to be as effective as possible:
1. Click the 'gear' in the upper-right hand corner of the AdAware Window.
2. Click Scanning, and check(tick) the following:
Scan within archives
Scan active processes
Scan registry
Deep-scan registry
Scan my IE Favorites for banned URLs
Scan my Hosts file
3. Click "Tweak".
4. Click "Scanning Engine", then check(tick) the following:
Unload recognized processes & modules during scan
5. Click "Cleaning Engine", then check(tick) the following:
Always try to unload modules before deletion
During removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot
Delete quarantined objects after restoring
6. Then click "Proceed"
-
Now, let AdAware locate and remove anything it finds, by:
1. Click "Start".
2. Check(tick) "perform full system scan".
3. Click "Next".
-
Exit the program.
If you don't already have it, let's go to Lavasoft's VX2 Cleaner web-page, and follow the instructions to download and install the utility.
-
Next, run AdAware SE Personal, then:
1. Click "Add-Ons".
2. Double-click "VX2 Cleaner"
3. Click "Ok", to "Execute this tool".
4. If nothing is found, click "Ok", then exit the program.
(or)
4. If VX2 has been found on your system, click "Clean System"
5. Then when it's completely done, reboot your computer.
6. Repeat steps 1-4 again.
Be sure to follow any instructions it might give while using it.
If you don't already have it, download, install and run Spybot S & D. Next, update the current definitions by:
-
Next, check for, and download any available updates:
1. Click "Search for Updates".
2. Check(tick) all available updates.
3. Click "Download Updates".
4. Click "Search & Destroy".
5. Click "Check for Problems".
-
When the scan is completed:
1. Check(tick) everything that was found.
2. Click "Fix selected problems".
-
Click "Ok", then exit the program.
salcosta
10 Posts
0
February 17th, 2005 12:00
Mike, sorry I haven't posted back in some time. I had to go out of town unexpectedly on business, but back now. I accessed my computer last night & was going to perform the next step, but, all of a sudden, numerous web pages popped up, again & again. Every time I tried closing them, more of them would appear. I shut down & restarted a couple of times, which seemed to fix the problem. However, the computer is running terribly slow now. My question is do I need to simply pick up where we left off & complete the next step or should I do something else?
Thanks for your help,
Sal