Unsolved


3 Posts


June 20th, 2004 03:00

Files won't open

I recently had the Blaster-type worm infect my computer, and I am still in the process of trying to get rid of it.

I downloaded "stinger" from the McAfee website, and when I click on that file, or any file for that matter, I receive the error message: "C:\stinger.exe is not a valid win32 application"

I get this message on all my files. WHAT DOES IT MEAN? And how can I fix the problem?

Please help!!!!!!!!!

933 Posts

June 20th, 2004 21:00

Hi, Please follow the directions below, and let us have a look at your HijackThis log, and we will be able to help you.  Thanks....pskelley

We need you to download and install an analysis and repair tool called Hijackthis.
 
Download the zipped file from here: http://tomcoyote.com/hjt
 
Or....If you prefer an .exe version (saves a lot of time for novices) download the file from here:

http://209.133.47.12/~merijn/files/HijackThis.exe
 
Please unzip Hijackthis.zip or move the hijackthis.exe file into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. Don't place it on the Wallpaper, in a temp folder, or in the root level of the C: drive or the My Documents folder. It will create many backup files and they need to be stored in a unique Hijackthis folder.
Hijackthis FAQ (Frequently Asked Questions) at:  http://russelltexas.com/malware/faqhijackthis.htm
 
After downloading, and unzipping the hijackthis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive)...run Hijackthis, click on the 'scan' button and then 'save log' button.
 
Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt
 
Special Notice! Hijackthis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the Hijackthis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. Hijackthis should identify the vast majority of your problems and enable us to help you clean them off your system.
 

Stay in this thread for continuity. Reply to this message.
 
Thanks,
 
Pskelley
In Training at TomCoyote.com and Spywareinfo.com
Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.


3 Posts

June 21st, 2004 01:00

Logfile of HijackThis v1.97.7
Scan saved at 9:19:44 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\smsc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINDOWS\System32\abghpm.exe
C:\Program Files\PeoplePC Accelerated\propelac.exe
C:\WINDOWS\System32\wudmate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Rebecca\MYDOCU~1\WCBOWL~1.EXE
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\Program Files\Common Files\GMT\GMT.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rebecca\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=145872
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=145872
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - (no file)
O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [xsybhjvwycl] C:\WINDOWS\System32\abghpm.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\Program Files\PeoplePC Accelerated\propelac.exe
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [Microsoft Update] wudmate.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\axiwah.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wcbowl.exe] C:\DOCUME~1\Rebecca\MYDOCU~1\WCBOWL~1.EXE /r
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/p3a23a.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50A68FA2-1F6F-474E-A577-CB9B7CB0CBC4}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{50A68FA2-1F6F-474E-A577-CB9B7CB0CBC4}: NameServer = 207.69.188.187 207.69.188.186


3 Posts

June 21st, 2004 01:00

StartupList report, 6/20/2004, 9:26:45 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Rebecca\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\smsc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINDOWS\System32\abghpm.exe
C:\Program Files\PeoplePC Accelerated\propelac.exe
C:\WINDOWS\System32\wudmate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Rebecca\MYDOCU~1\WCBOWL~1.EXE
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\Program Files\Common Files\GMT\GMT.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\dialer\DIALER.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rebecca\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
StorageGuard = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
DVDSentry = C:\WINDOWS\System32\DSentry.exe
PCMService = "C:\Program Files\Dell\Media Experience\PCMService.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
VSOCheckTask = "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
VirusScan Online = "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Win32 USB2 Driver = smsc.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Microsoft Update = wudmate.exe
Win32 USB2 Driver = smsc.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sonic RecordNow! =
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Wcbowl.exe = C:\DOCUME~1\Rebecca\MYDOCU~1\WCBOWL~1.EXE /r
MoneyAgent = "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
Win32 USB2 Driver = smsc.exe
Microsoft Update = wudmate.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Win32 USB2 Driver = smsc.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\ATPART~1.DLL - {00000EF1-0786-4633-87C6-1AA7A44296DA}
(no name) - C:\WINDOWS\twaintec.dll - {000020DD-C72E-4113-AF77-DD56626C6C42}
NavErrRedir Class - (no file) - {269B6797-664E-48AA-B283-B012BDF6E525}
(no name) - C:\Program Files\ISP50\bin\BandObject.dll - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD}
(no name) - (no file) - {549B5CA7-4A86-11D7-A4DF-000874180BB3}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
NavErrRedir Class - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McAfee.com Update Check ().job
McAfee.com Update Check (D540LW31-Owner).job
McAfee.com Update Check (REBECCA-Chad).job
McAfee.com Update Check (REBECCA-Jordan).job
McAfee.com Update Check (REBECCA-Mariah).job
McAfee.com Update Check (REBECCA-Rebecca).job

--------------------------------------------------

Enumerating Download Program Files:

[F1 Organizer Class]
InProcServer32 = C:\WINDOWS\System32\ATPART~1.DLL
CODEBASE = http://www.addictivetechnologies.net/DM0/cab/p3a23a.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\System32\mcinsctl.dll
CODEBASE = http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab

[CWDL_DownLoadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CWDL_DownLoad.dll
CODEBASE = http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

[SassCln Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB

[WebHandler Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\dlhelper.dll
CODEBASE = http://activex.microgaming.com/DLhelper/version7/dlhelper.cab

[DwnldGroupMgr Class]
InProcServer32 = C:\WINDOWS\System32\McGDMgr.dll
CODEBASE = http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[iTunesDetector Class]
InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx
CODEBASE = http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

[EPSImageControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EPScontrol.dll
CODEBASE = http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 8,767 bytes
Report generated in 0.078 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only


3.4K Posts

June 22nd, 2004 02:00

You've got these at first glance...Agobot worm, Backdoor Rbot worm, CWS infection, random-named Trojans, IST Service, Gator foistware, Incredifind, and FavoriteMan Hostile ActiveX. Quite a collection...but I have seen a lot worse.

Get rid of the most serious first. You are short on critical security patches, which has led to the worm infection.

Boot to Safe Mode by pressing F8 repeatedly while restarting and selecting start in Safe Mode.

Hit Control-Shift-Escape keys at same time and in Task Manager stop these processes:

smsc.exe
wudmate.exe


Run Windows Explorer (type the word explorer at Start/Run button). Navigate with your mouse through the folders in the left hand window and cascade out to this folder:

C:\WINDOWS\System32 - delete smsc.exe and wudmate.exe


If it resists deletion right button click on it and left button on Properties. Uncheck ReadOnly box. Then delete the file.

Exit Explorer and immediately empty the Recycle Bin.

Reboot to normal Windows.

Next....Warning! Unsafe Hijackthis folder! Please create a new folder named HJT in the first level of the C: drive. Copy or move the hijackthis executable file into the HJT folder and delete all other zip copies and extracted copies elsewhere.

See FAQ's 2,3,4 at http://russelltexas.com/malware/faqhijackthis.htm

Run Hijackthis and check these boxes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=145872
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=145872

O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [xsybhjvwycl] C:\WINDOWS\System32\abghpm.exe
O4 - HKLM\..\Run: [Microsoft Update] wudmate.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\axiwah.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Wcbowl.exe] C:\DOCUME~1\Rebecca\MYDOCU~1\WCBOWL~1.EXE /r
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/p3a23a.cab

With no other windows open click on fix checked button in Hijackthis.

Exit Hijackthis.

Reboot to SAFE MODE and Show HIDDEN FILES and folders  (VERY IMPORTANT!)

FAQ 8 and 9 on this page:
http://www.russelltexas.com/malware/faqhijackthis.htm

Press Control-Shift-Escape keys at same time and stop these processes if present:

istsvc.exe
abghpm.exe
PrecisionTime.exe
GMT.exe


Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Navigate with your mouse through the folders in the left hand window and delete the following files and/or folders: (some may not be present)

Files:

C:\WINDOWS\twaintec.dll
C:\WINDOWS\alchem.exe
C:\WINDOWS\System32\abghpm.exe
C:\WINDOWS\System32\axiwah.exe
C:\Documents and Settings\Rebecca\My Documents\WCBOWL~1.EXE (longer filename, and if you don't recognize this file)

Folders and/or folder contents:

C:\WINDOWS\System32\ATPART~1.DLL (folder...will be longer name)
C:\Program Files\Incredifind (folder)
C:\Program Files\Common Files\CMEII (folder)
C:\Program Files\ISTsvc (folder)

Exit Explorer and empty the Recycle Bin.

Reboot to normal mode and run Windows Live Updates. Pull down Tools in IE 6 to Windows Updates. Install all critical security updates or the worms will return.

Next...Download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.

Most of the Internet baddies can be killed by a one-two punch with Spybot and Adaware assuming these three factors are achieved:

1. Latest version
2. Configured correctly for running options
3. New definitions from update feature


Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.

http://www.cjwd.demon.co.uk/spybot-adaware.html

Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this. The problem is not serious and should not deter people from using Spybot.

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.

If you have any problems with Disk Cleanup completing...XP users can fix it here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

Reboot and browse a bit and post a new Hijackthis log.

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-)
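The reply above reads the infection off a handful of tells in the log: Run entries that are a bare filename, entries under the Win9x-only RunServices key on an XP box, entry names borrowed from Windows Update, gibberish entry names, hosts-file lines that redirect real sites to a remote address, and BHOs whose file is gone or unnamed. As an added example that is not code from this thread or from HijackThis, the Python below encodes those tells as heuristics and runs them over a constructed subset of the posted log; the regexes, the loopback allow-rule, the "same domain as the home page" check and the crude no-vowels name test are my own assumptions, not HijackThis logic.

```python
"""Triage heuristics for a HijackThis 1.97-style log (added example; see the lead-in)."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted in this thread, kept in its exact line shape.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=145872
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Microsoft Update] wudmate.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\axiwah.exe
O4 - HKLM\..\Run: [xsybhjvwycl] C:\WINDOWS\System32\abghpm.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

R_RE = re.compile(r"^R[01] - HK\w+\\.*?,(?P<setting>[^=]+?) = (?P<url>\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]*\} - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.\w{2,4})"?(?:\s|$)')
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Lazy hostname that stops at whitespace, end of line, or the next IP: the hosts line in
# the posted log has two entries glued together because the file lacked a trailing newline.
HOSTS_RE = re.compile(rf"({IP})\s+(\S+?)(?={IP}|\s|$)")
IMPERSONATED = {"windows update", "microsoft update"}  # names worms borrow for their Run entries

def hosts_entries(line):
    """Split an O1 line into (ip, hostname) pairs."""
    return HOSTS_RE.findall(line.split("Hosts:", 1)[1])

def site(url):
    """Crude registrable domain: the last two labels of the URL's host."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def triage(log_text):
    """Return [(line, [reasons])] for log entries that deserve a closer look."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    home = set()  # the user's own home-page provider; search hijacks show as a domain mismatch
    for ln in lines:
        m = R_RE.match(ln)
        if m and m.group("setting").strip() in ("Start Page", "Default_Page_URL"):
            home.add(site(m.group("url")))
    findings = []
    for ln in lines:
        reasons = []
        if (m := R_RE.match(ln)) and "Search" in m.group("setting"):
            if site(m.group("url")) not in home:
                reasons.append(f"search setting points at {site(m.group('url'))}, not the home-page provider")
        elif ln.startswith("O1 - Hosts:"):
            for ip, host in hosts_entries(ln):
                if not (ip.startswith("127.") or ip == "0.0.0.0"):  # loopback entries are the benign ad-block use
                    reasons.append(f"hosts file redirects {host} to remote address {ip}")
        elif m := O2_RE.match(ln):
            if "(no file)" in m.group("file") or "(file missing)" in m.group("file"):
                reasons.append("orphaned BHO registration, DLL already gone")
            elif m.group("name") == "(no name)":
                reasons.append("anonymous BHO: identify the DLL before fixing")
        elif m := O4_RE.match(ln):
            key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
            em = EXE_RE.match(cmd)
            exe = em.group("exe") if em else cmd
            if "RunServices" in key:
                reasons.append("RunServices is a Win9x key that NT-based Windows never processes; worms plant entries there anyway")
            if "\\" not in exe:
                reasons.append(f"bare filename {exe!r} is resolved through the search path (typically dropped into System32)")
            if name.lower() in IMPERSONATED:
                reasons.append(f"name {name!r} impersonates Windows Update, which runs as a service and needs no Run entry")
            if len(name) >= 8 and not re.search("[aeiou]", name.lower()):  # crude random-name check; threshold is a guess
                reasons.append(f"gibberish name {name!r}, typical of a random-named dropper")
        if reasons:
            findings.append((ln, reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` flags eight of the eleven sample lines, the same ones the reply tells the poster to fix, while the Intel tray and Messenger entries pass clean.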
