Login 
 Search | |
| |
25-Jul-2004, 08:54 PM
#1 | |||||
| Home Search |
| |
25-Jul-2004, 10:14 PM
#2 | |||||
| Hi- You are using an older version of HJT the current one, with a hotfix, is this: http://www.lurkhere.com/forum/DCForumID6/684.html It may not be neccessary for you to get it right now, please wait for expert help. I just didnt want you to get pointed to the un-fixed version of 1.98 which may still be posted at some places, or you may have downloaded before the info came out and try to use.... Here's what to do first: IN SAFE MODE--stay offline until done! You should print these pages if you can- you will be in Safe Mode to do the work and will not have access to them, unless you have another computer to read them with. Please make sure that you can view all hidden files. Instructions on how to do this: 1. 1. On the Tools menu in Windows Explorer, click Folder Options. 2. Click the View tab. 3. Under Hidden files and folders, click Show hidden files and folders. Note To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer. NEXT:: These steps, stopping the services that the malware uses, appear to be needed, as well you should look for the Registry keys as explained below, in the proper sequence... I see a lot of the experts at other forums still using this method for XP/ so I have included them also! to stop the service that the malware uses: Step 1: Click on start, the control panel, then administrative programs, then services. Look for a service called Workstation NetLogon Service or Network Security Service or Remote Procedure Call (RPC) Helper Double click on those/ that service and click stop. Also write down the name and path of the file listed in the Path to executable field. OK< NEXT -- We need to End Task on any of these .exe processes that may be running: dailin.exe ns.exe wuamgrd.exe mfcch.exe NAVscan32.exe javand32.exe Just press CTRL+ALT+DEL once to get the Task Manager open. A HIGHLIGHTED ITEM is the one you are working with, either the down arrow OR a mouse click will move to any item you need to get to. Then, End Task on any that show, you may have to wait a bit until the End Task works At any time you feel you made a mistake ending a task, just hit the Cancel button and wait a bit, then open up Task Manager again... ....just do not hit CTRL+ALT+DEL more than once rapidly or you will reboot>> should it happen, F8 back to Safe Mode>>> and you will have to start all over again>> so work carefully, take your time, open and reopen the Task Manager until you do not see any of these guys there, then as your last move, hit CANCEL to close Task Manager. NEXT, Run HijackThis again, With only HJT open, all browser windows etc CLOSED, have these fixed-- they may not all show in your log but carefully put CHECKS IN BOXES NEXT TO ANT THAT ARE THERE , and have HijackThis "FIX" them. C:\WINDOWS\System32\dailin.exe C:\windows\system32\ns.exe C:\WINDOWS\System32\wuamgrd.exe C:\WINDOWS\mfcch.exe C:\WINDOWS\System32\NAVscan32.exe C:\WINDOWS\javand32.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ymrms.dll/index.html#28129 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ymrms.dll/index.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ymrms.dll/index.html#28129 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129 O2 - BHO: (no name) - {27F01197-47D8-D201-61BE-174D3F206568} - C:\WINDOWS\ipeg32.dll O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe O4 - HKLM\..\Run: [NAV Scan Service] NAVscan32.exe O4 - HKLM\..\Run: [Micro Update] dailin.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [win32x] c:\windows\system32\ns.exe O4 - HKLM\..\Run: [javand32.exe] C:\WINDOWS\javand32.exe O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe O4 - HKLM\..\RunServices: [NAV Scan Service] NAVscan32.exe O4 - HKLM\..\RunServices: [Micro Update] dailin.exe O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe O4 - HKCU\..\Run: [Micro Update] dailin.exe O4 - HKCU\..\Run: [NAV Scan Service] NAVscan32.exe O4 - HKLM\..\RunOnce: [mfcch.exe] C:\WINDOWS\mfcch.exe NEXT STEP(5) In the next step we are going to remove a service that gets installed by this malware. The service will always start with __NS_Service. For the purposes of this step, we will assume that it is called NS_Service_3 ---but may be called something differently on your computer. Navigate by clicking on the + signs, like Windows Explorer has---be very careful in the Registry and follow the steps exactly. Go to Start>Run and type regedit. Press enter. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3 ( (- or whatever is there with _NS_Service)) If __NS_Service_3 exists , right click on it and choose delete from the menu. Now navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3 ((or whatever LEGACY__NS__Service is showing)) If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu. Close the Registry Editor. STEP (6) Still in safe mode, run AboutBuster and COPY the log it makes and save it to put into your reply. NEXT do THIS::: Quote:
AboutBuster is used from Safe Mode, did you run it that way,and did you RE-BOOT TO Safe Mode and run it again???... there should be 2 logs, one made just before the other, both in Safe Mode, with a reboot back into Safe Mode between them.... the experts will need to see them. Please try again. You definitely should not be connected to the Net as much as possible, if you have another pc that can connect OK, use that to read the posts here if you like. looks like you will probably need this, too: This info is from this page: http://www.russelltexas.com/malware/HOSTS.htm The Hoster download may not be needed, it's just in case you do have a HOST file hijack, explanation below. "" Download the hoster from here: http://members.aol.com/toadbee/hoster.zip Press 'Restore Original Hosts' and press 'OK' Exit Program. Note: if you were using a custom Hosts file you will need to replace any of those entries yourself. You can CHECK FIRST if you have a hostfile hijacking >> Open Windows Explorer: type the word explorer at Start/Run box and click OK: Find this file: (XP systems) C:\Windows\system32\Drivers\ETC\HOSTS file The hijacked HOSTfile can display in HJT logs...but I think you have to put the checkmark in a box, you might have taken it out or something...check for a long list of sites in the HOST file this way: To open and view the HOSTS file to doublecheck for bad entries, left button double click on the HOSTS file. A message will appear saying Windows can't open the file. Check the circle at the bottom entitled: Select the program from a list. Now click OK. In the next window....Scroll down in programs until you see Notepad and select it and click OK. If you see this line below the header info: 127.0.0.1 localhost ....And nothing below it then you have not been hijacked. If you see many double column entries and most are antivirus and anti-malware sites then remove all the entries leaving only the 127.0.0.1 localhost entry."" NOTE> pros: -- I hope I got this right, please correct or advise if you spot anything else to "eject"  This post was assembled with of course, a quote from a previous reply by flrman1....some of my experience and a lot of reading.... and, some copy and paste work from a "canned fix" from a very good forum over at: http://www.dslreports.com/forum/rema...2998~mode=flat They have come up with several different methods... All in all, I don't think you have the type of infection that AboutBuster takes out, but it cannot hurt anything to use it far as I know...the main key seems to be killing the service, ending the processes, using HJT to fix the things, deleting the files, and AboutBuster...and in this case editing the Registry though I am not sure that would have to be done... I think a lot more of us are going to have to try fixing these types of infections. I need a canned something right about now  ...
__________________ Mung (computer term), the act of making several incremental changes to an item that combine to destroy it Donate directly to help the site TSG Library TSG's Welcome Guide- Tips, Rules, How to use TSG and more! Last edited by Byteman; 26-Jul-2004 at 01:03 AM.. |
27-Jul-2004, 12:39 AM
#3 | |||||
|
__________________ Mung (computer term), the act of making several incremental changes to an item that combine to destroy it Donate directly to help the site TSG Library TSG's Welcome Guide- Tips, Rules, How to use TSG and more! Last edited by Byteman; 27-Jul-2004 at 12:45 AM.. |
27-Jul-2004, 11:42 PM
#4 | |||||
| -- Scan 1 -------- About:Buster Version 1.32 Removed! : C:\WINDOWS\zpikjx.dat Removed! : C:\WINDOWS\msnk.exe Removed! : C:\WINDOWS\wfbbq.dat Removed! : C:\WINDOWS\reroa.dll Removed! : C:\WINDOWS\jungl.exe Error Removing! : C:\WINDOWS\wzwdyxsh.exe Removed! : C:\WINDOWS\lsasss.exe Removed! : C:\WINDOWS\avserve2.exe Removed! : C:\WINDOWS\ipeg32.exe Error Removing! : C:\WINDOWS\alchem.exe Removed! : C:\WINDOWS\crwq.exe Removed! : C:\WINDOWS\wjuvqn.exe Removed! : C:\WINDOWS\ipeg32.exe.bak Removed! : C:\WINDOWS\System32\zpikj.dat Removed! : C:\WINDOWS\System32\xspvz.dat Removed! : C:\WINDOWS\System32\iepr32.exe Attempted Clean Of Temp folder. Removed Uninstall Key (HSA) Removed Uninstall Key (SE) Removed Uninstall Key (SW) Pages Reset... Done! -- Scan 2 -------- About:Buster Version 1.32 Removed! : C:\WINDOWS\wzwdyxsh.exe Error Removing! : C:\WINDOWS\alchem.exe Attempted Clean Of Temp folder. Pages Reset... Done! Logfile of HijackThis v1.98.0 Scan saved at 9:36:59 PM, on 7/27/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Documents and Settings\Watkins\Desktop\hijackthis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gocyberlink.com/registrat...tomer&Lang=Enu R3 - Default URLSearchHook is missing F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe, O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll (file missing) O2 - BHO: (no name) - {D050E6CE-E315-8255-E932-EE88CA55D832} - C:\WINDOWS\system32\ipob32.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp  "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vettncfz.exe O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe O4 - HKCU\..\Run: [Micro Update] dailin.exe O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/200...Inc/bridge.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll |
28-Jul-2004, 10:43 AM
#5 | |||||
| Hi, Good work! Now there are some things to check for me: You should PRINT this info> (there is a printer-friendly button here at the top of pages, no pics or fancy stuff, just text) Unless you have another pc to read messages> that is the best thing to do. I'd like you to re-download AboutBuster, they are updating today....hopefully it will include more files that it finds! http://tools.zerosrealm.com/AboutBuster.zip You may delete the other aboutbuster.zip file if you still have it. I think you can simply DELETE aboutbuster.exe>> or rename it to aboutbuster.old so you dont get confused with a new copy. Unzip the new download to your desktop. We will run it a bit later on.... If you use cable modem, or DSL to get on the Net, and are on the infected machine to read the threads, get a download, etc after you are done and have printed the info, etc, close Internet Explorer etc, and disconnect the network cable from the back of the computer...if you are keeping the bad pc off the Net, so much the better... By the way> do NOT use AdAware just yet if you have it, there are a few things to do FIRST > we will be getting AdAware later if you do not have it> you will have to download as it does not fit on floppy disk (CD maybe? It does have to be updated online....more later! {{Note, I have asked flrman1 to check on one item in the HJT log and post the right way to fix it...so if you get a reply from flrman1, please do what it says!!} Go to Add/Remove Programs: Look for and uninstall any of these- VX2, WindowsSA, Internet Optimizer, WebRebates or similar,Cashback, NaviSearch,,Blackstone>> some may not be there at all. Post any that you are not sure about or any questions... Download from link just below directions, and run it. It may find and delete some files or nothing. Read the directions, these are the key ones: If you are running Windows Me or XP, then disable System Restore. Directions for this below> here is an info page, if you are familiar with this, here are just the steps: Click Start > Programs > Accessories > Windows Explorer Right-click My Computer, and then click Properties. Click the System Restore tab. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box . Click Apply. OK the message about turning it off. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet. Close open programs before running the tool. It fits on a floppy disk and you can copy it over to a folder or the desktop and run from there. (if you are using another computer to download small tools, etc) Double-click the FxSasser.exe file to start the removal tool. Click Start to begin the process, and then allow the tool to run. Restart the computer. Run the removal tool again to ensure that the system is clean. http://securityresponse.symantec.com...r/FxSasser.exe NEXT: From Safe Mode ((almost all our work will be)) Using HJT, have the following fixed: F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe, R3 - Default URLSearchHook is missing O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll (file missing) O2 - BHO: (no name) - {D050E6CE-E315-8255-E932-EE88CA55D832} - C:\WINDOWS\system32\ipob32.dll O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vettncfz.exe O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe O4 - HKCU\..\Run: [Micro Update] dailin.exe O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/20...TInc/bridge.cab O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll After checks are in all of those, fix them. Remember, close all other windows, offline, etc. RUN box, type services.msc- if any of these are listed double click them, click Action>Properties, and Click STOP, for each of them. Change their startup type to>>Disabled and click OK and close the Services window. mslaugh.exe msconfg.exe- watch the spelling of this one!!! myrzhg.exe hzqaxr.exe alchem.exe--may not be found but look anyway. ((don't stop msconfig.exe, which should not be there, you never know tho)) and, find or search for these files and delete them: wsaupdater.exe mslaugh.exe dailin.exe msconfg.exe myrzhg.exe omniscient.exe alchem.exe {I left out hzqaxr.exe hoping that AboutBuster will pick it up} For those above you will/may have to use the Search>Files or Folders routine, set it to LOOK IN C: or My Computer to find the above files. That's always a good way to check for duplicates or files that sometimes are in other folders than we see in your logs... good typing skills are essential using the FIND/SEARCH feature... NEXT: Delete these if found: in Windows Explorer:: C:\WINDOWS\twaintec.dll C:\Program Files\Internet Optimizer\optimize.exe C:\WINDOWS\System32\vettncfz.exe C:\Program Files\CashBack\bin\cashback.exe C:\Program Files\NaviSearch\bin\nls.exe C:\Program Files\BullsEye Network\bin\bargains.exe C:\Program Files\SideFind\sidefind.dll C:\WINDOWS\msopt.dll C:\Program Files\WindowsSA\omniscient.exe NEXT: FOLDERS to delete: NaviSearch BullsEyeNetwork SideFind Internet Optimizer Cashback WindowsSA I probably missed a few but we will clean them up. Post back whether you run into any that will not give permission: Now, do NOT reboot and do NOT open IE for this:In safe mode still: Run AboutBuster that you unzipped to your desktop earlier, Start it, hit Ok, Start, And Ok again to start the scan. and save the two logs it makes and post them. And, post a fresh HJT log, please. There will be more HJT work and possibly another run of AboutBuster. One last: Do you know what these below go to, a program you have, or something? O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe Above seems to be ok, it's in your user folder /Watkins, I assume it may be something you created? A scan later on may pick it up. Just run AboutBuster, post the logs and a new HJT log 
__________________ Mung (computer term), the act of making several incremental changes to an item that combine to destroy it Donate directly to help the site TSG Library TSG's Welcome Guide- Tips, Rules, How to use TSG and more! Last edited by Byteman; 28-Jul-2004 at 03:13 PM.. |
28-Jul-2004, 11:44 PM
#6 | |||||
| |
29-Jul-2004, 01:33 AM
#7 | |||||
|
__________________ Mung (computer term), the act of making several incremental changes to an item that combine to destroy it Donate directly to help the site TSG Library TSG's Welcome Guide- Tips, Rules, How to use TSG and more! Last edited by Byteman; 29-Jul-2004 at 02:49 AM.. |
29-Jul-2004, 10:29 AM
#8 | |||||
| |
29-Jul-2004, 04:20 PM
#9 | |||||
|
__________________ Mung (computer term), the act of making several incremental changes to an item that combine to destroy it Donate directly to help the site TSG Library TSG's Welcome Guide- Tips, Rules, How to use TSG and more! Last edited by Byteman; 29-Jul-2004 at 05:29 PM.. |
29-Jul-2004, 06:19 PM
#10 | |||||
| Last edited by daisy flower; 29-Jul-2004 at 06:40 PM.. |
29-Jul-2004, 07:52 PM
#11 | |||||
|
__________________ Mung (computer term), the act of making several incremental changes to an item that combine to destroy it Donate directly to help the site TSG Library TSG's Welcome Guide- Tips, Rules, How to use TSG and more! Last edited by Byteman; 30-Jul-2004 at 12:56 AM.. |
29-Jul-2004, 08:51 PM
#12 | |||||
| |
29-Jul-2004, 09:00 PM
#13 | |||||
|
__________________ Mung (computer term), the act of making several incremental changes to an item that combine to destroy it Donate directly to help the site TSG Library TSG's Welcome Guide- Tips, Rules, How to use TSG and more! Last edited by Byteman; 29-Jul-2004 at 10:22 PM.. |
29-Jul-2004, 09:01 PM
#14 | |||||
|
__________________ If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site. |
29-Jul-2004, 09:50 PM
#15 | |||||
| Right, flrman1, the link in one of my replies above has a solved thread with the .reg file, and also uses Get Active Services to find the service running (if any are.)..our user daisyflower here at TSG is running XP Home but not with NT so here paths are C:\Windows for the random files as you can see. About Buster works fine on removing all the files, it has twice. What I did not have her do: --The correct steps after typing services.msc in RUN box- got confused with processes and had her looking for random FILES in services  --change the file attributes for the random file found --Run the .reg file --and check for instances of the same random .exe AND same filename but as a .DLL I guess they can exist so that so might be a good idea... The end result was a clean log...until next morning when as she posted, things were so bad she just made a new HJT log right then. The trojan downloader worked hard all nite apparently... Then she posted another log about 15 minutes later AFTER apparently running only aboutbuster, that log was clean except for the Winshow trojan downloader msopt.dll, and I did not know how to deal with that, then. I think she may have done her own fixing with HJT then, not sure... So, all she needs is a rerun through the steps and then perhaps the Getactiveservices checker and the .reg file and regedit to get rid of it I hope... There are a lot of Google results today for msopt.dll showing the same thing, but also the correct fix. You dont really need much else but a new HJT log, and to have her download the two new things. Wonder if AboutBuster has updated...I will give her the link to that below. I will PM her and have her bounce a log back for you and find out if she is going to try tonite. Does AB have built in updating? I've never used it hands on. She did get the latest 1.32 just a day or two ago. I was trying to keep using this XP eMachine I was working on the other day when I PMed you twice....to look over the locations of files, etc. BUT> I need to get this back to owner in the morning and I have been up way way too late all week. I got to get the firewall and some other stuff set up on here, I just have SP1 and AVG going... and I dont want these aliens invading tonite! I suppose I could lift the steps from the CC forum post and sub in her filenames but I cannot work that way... Quote:
Don't worry, help will be coming soon. You are able to get online with the infected computer now and pages in IE open? As I posted above> it would be best if you could read posts here from a good computer at the same location> and keep the infected one off the cable! All the tools or fixing can be done with floppy disk and disconnected completely from the Internet...
__________________ Mung (computer term), the act of making several incremental changes to an item that combine to destroy it Donate directly to help the site TSG Library TSG's Welcome Guide- Tips, Rules, How to use TSG and more! Last edited by Byteman; 29-Jul-2004 at 11:09 PM.. |
 |
| |
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
| Thread Tools | |
| |
| You Are Using:  |
Advertisements do not imply our endorsement of that product or service. All times are GMT -4. The time now is 08:18 PM. Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved. |  |
Facebook
Twitter
TechGuy.tv
TSG Mobile