There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post Extremely unresponsive, massive hang-ups ...
Go to first new post System Check problem
Go to first new post Cannot access any google sites - youtube ...
Go to first new post slow computer, downloads over a few mb f ...
Go to first new post Trojan: Win32/Alureon.FK - hijack this l ...
Go to first new post Overall Sluggish Performance, Video Hicc ...
Go to first new post Extremely slow computer
Go to first new post RegClean Pro
Go to first new post software will not update
Go to first new post Something is very wrong with pc it takes ...
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post security sheild
Go to first new post We Got System Checked :-(
Go to first new post Trojan infection preventing boot (scvhos ...
Go to first new post "Congratulations, you won" &am ...
Tag Cloud
access acer asus bios bsod computer crash desktop driver drivers error ethernet excel freeze gaming hard drive hardware hdmi internet laptop malware memory modem monitor motherboard netgear network printer problem ram registry repair router slow software sound toshiba trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless xbox
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Home Search (New)

Page 2 of 3 1 2 3
Reply  
Thread Tools
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
29-Jul-2004, 11:09 PM #16
Logfile of HijackThis v1.98.0
Scan saved at 9:00:53 PM, on 7/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qibrs.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qibrs.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qibrs.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27F01197-47D8-D201-61BE-174D3F206568} - C:\WINDOWS\ipeg32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [ntoq32.exe] C:\WINDOWS\ntoq32.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunOnce: [mfcch.exe] C:\WINDOWS\mfcch.exe
O4 - HKLM\..\RunOnce: [appzj32.exe] C:\WINDOWS\system32\appzj32.exe
O4 - HKLM\..\RunOnce: [sdkso.exe] C:\WINDOWS\sdkso.exe
O4 - HKLM\..\RunOnce: [atloh32.exe] C:\WINDOWS\atloh32.exe
O4 - HKLM\..\RunOnce: [atluc32.exe] C:\WINDOWS\atluc32.exe
O4 - HKLM\..\RunOnce: [ntcp32.exe] C:\WINDOWS\ntcp32.exe
O4 - HKLM\..\RunOnce: [iezy32.exe] C:\WINDOWS\system32\iezy32.exe
O4 - HKLM\..\RunOnce: [apiti.exe] C:\WINDOWS\system32\apiti.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
Register for free to hide this ad!
Flrman1's Avatar
Distinguished Member with 46,425 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
29-Jul-2004, 11:16 PM #17
First please do this:

Download the attached zip file and unzip it to your desktop. Doubleclick to run it. It will get a list of active services. Please post the list that is generated.
Flrman1's Avatar
Distinguished Member with 46,425 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
29-Jul-2004, 11:21 PM #18
As to your mention of the get active services script used at the link at CC. I've been using it for a couple of weeks now Bill. Remember I mentioned it in my PM the other day.
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
29-Jul-2004, 11:22 PM #19
I will completely disconnect infected computer after tonight. Will review post from work, print them out, and bring them home to infected computer. I will patiently wait for specific step by step instructions, and am very grateful for you help and patience.

These are the Current Active Services:

APPLICATION LAYER GATEWAY SERVICE: ALG
C:\WINDOWS\System32\alg.exe

WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

COMPUTER BROWSER: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

CRYPTOGRAPHIC SERVICES: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

DHCP CLIENT: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

ERROR REPORTING SERVICE: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

COM+ EVENT SYSTEM: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

HELP AND SUPPORT: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVER: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

WORKSTATION: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK CONNECTIONS: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK LOCATION AWARENESS (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

REMOTE ACCESS AUTO CONNECTION MANAGER: RasAuto
C:\WINDOWS\System32\svchost.exe -k netsvcs

REMOTE ACCESS CONNECTION MANAGER: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs

TASK SCHEDULER: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

SECONDARY LOGON: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYSTEM EVENT NOTIFICATION: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

INTERNET CONNECTION FIREWALL (ICF) / INTERNET CONNECTION SHARING (ICS): SharedAccess
C:\WINDOWS\System32\svchost.exe -k netsvcs

SHELL HARDWARE DETECTION: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

TELEPHONY: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

TERMINAL SERVICES: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs

THEMES: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

DISTRIBUTED LINK TRACKING CLIENT: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

UPLOAD MANAGER: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS TIME: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

PORTABLE MEDIA SERIAL NUMBER: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs

AUTOMATIC UPDATES: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

WIRELESS ZERO CONFIGURATION: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

DNS CLIENT: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

EVENT LOG: Eventlog
C:\WINDOWS\system32\services.exe

PLUG AND PLAY: PlugPlay
C:\WINDOWS\system32\services.exe

LEXBCE SERVER: LexBceS
C:\WINDOWS\system32\LEXBCES.EXE

TCP/IP NETBIOS HELPER: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

SSDP DISCOVERY SERVICE: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

WEBCLIENT: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

NVIDIA DRIVER HELPER SERVICE: NVSvc
C:\WINDOWS\System32\nvsvc32.exe

PANDA PROCESS PROTECTION SERVICE: PavPrSrv
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

PANDA ANTI-VIRUS SERVICE: PAVSRV
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe

TREND MICRO PERSONAL FIREWALL: PccPfw
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe

PROTECTED STORAGE: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

SECURITY ACCOUNTS MANAGER: SamSs
C:\WINDOWS\system32\lsass.exe

REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

PRINT SPOOLER: Spooler
C:\WINDOWS\system32\spoolsv.exe

WINDOWS IMAGE ACQUISITION (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc

TREND NT REALTIME SERVICE: Tmntsrv
"C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe"

TREND MICRO PROXY SERVICE: tmproxy
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

WORKSTATION NETLOGON SERVICE: ½O.#ž‚„õØ´â
C:\WINDOWS\mfcch.exe /s
Flrman1's Avatar
Distinguished Member with 46,425 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
29-Jul-2004, 11:43 PM #20
To Bill

The following is the fix that I have been using Bill. It is almost identical to the one at the link you posted from Computer Cops. I didn't want to interupt the thread and interject this method the yesterday as you were using a method that has worked on occassion albeit a hit and miss scenario. I am a member of the Security Experts group at Computer Cops. The SE group is a private group where the Experts from just about every forum you can think of get together and hash out a lot of these fixes. There are a couple of threads in the SE forum where the fixes for this hijacker are being worked out.

To Daisy:


First Click here to download CWShredder. Do Not run it yet. Download it to the desktop and have it ready to run later.

___________________________________________________________________________
Copy the contents of the Quote Box to Notepad.

Name the file as fix.reg
Save as Type: All Files
****Save on the desktop but don't do anything with it yet. You will run it later in safe mode.

Quote:
REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\½O.#ž‚„õØ´â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\½O.#ž‚„õØ´â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\½O.#ž‚„õØ´â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\½O.#ž‚„õØ´â]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\icoo]
______________________________________________________________________

Now go ahead and set your computer to show hidden files like so:

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
______________________________________________________________________

Click here to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop and have it ready to run, but don't run it yet.
_____________________________________________________________________

Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

Restart to safe mode.

How to start your computer in safe mode


Perform the following steps in safe mode:

____________________________________________________________________

Double click on fix.reg that you saved earlier to enter into the registry. Answer yes when asked to have it's contents added to the registry.
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Put a check by these entries in Hijack This and click the "Fix Checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qibrs.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qibrs.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qibrs.dll/index.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {27F01197-47D8-D201-61BE-174D3F206568} - C:\WINDOWS\ipeg32.dll

O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE

O4 - HKLM\..\Run: [ntoq32.exe] C:\WINDOWS\ntoq32.exe

O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunOnce: [mfcch.exe] C:\WINDOWS\mfcch.exe
O4 - HKLM\..\RunOnce: [appzj32.exe] C:\WINDOWS\system32\appzj32.exe
O4 - HKLM\..\RunOnce: [sdkso.exe] C:\WINDOWS\sdkso.exe
O4 - HKLM\..\RunOnce: [atloh32.exe] C:\WINDOWS\atloh32.exe
O4 - HKLM\..\RunOnce: [atluc32.exe] C:\WINDOWS\atluc32.exe
O4 - HKLM\..\RunOnce: [ntcp32.exe] C:\WINDOWS\ntcp32.exe
O4 - HKLM\..\RunOnce: [iezy32.exe] C:\WINDOWS\system32\iezy32.exe
O4 - HKLM\..\RunOnce: [apiti.exe] C:\WINDOWS\system32\apiti.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE

Find and delete these files:

C:\WINDOWS\IEXPLORE.EXE
C:\WINDOWS\mfcch.exe
C:\WINDOWS\ipeg32.dll
C:\WINDOWS\sdkso.exe
C:\WINDOWS\atloh32.exe
C:\WINDOWS\atluc32.exe
C:\WINDOWS\ntcp32.exe
C:\WINDOWS\ntoq32.exe
C:\WINDOWS\mfcch.exe
C:\WINDOWS\system32\appzj32.exe
C:\WINDOWS\system32\iezy32.exe
C:\WINDOWS\system32\apiti.exe

Delete any files that have the same name as these files but end with a dll. You should see them right next to each other.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Watkins (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.
_______________________________________________________________________

Boot back into Windows now.


Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.



Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.



This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the System32 folder to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache
Find shell.dll and right click on it. Choose Copy from the menu.
Open System32 and right click on an empty space in the window. Choose Paste from the menu.


control.exe may have been deleted.
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.



When you are sure you are clean turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
29-Jul-2004, 11:47 PM #21
ok....now I have tried to go back and run get active services...and get error "the compressed (zip) folder is corrupted or invalid when trying to open it...When unzipping it....no files found
Flrman1's Avatar
Distinguished Member with 46,425 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
29-Jul-2004, 11:59 PM #22
Quote:
Originally Posted by daisy flower
ok....now I have tried to go back and run get active services...and get error "the compressed (zip) folder is corrupted or invalid when trying to open it...When unzipping it....no files found
Don't worry about that now. I got the info that I needed from the Active services list that you posted. I posted the directions for the fix already. See my last post.

Good luck!
Byteman's Avatar
Moderator & Malware Removal Specialist with 17,387 posts.
  
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
30-Jul-2004, 12:13 AM #23
DF-
You may need to find the folder that you first unzipped the original download to...zipped files often put up that message when extraction has taken place before...
[EDIT::: never mind the above as flrman1 replied while I was posting]
Hi Mark! Nice work. I have seen you use the tools many times> very aware here of the good work you are into. I just posted what I could find, that CC thread was the first result in a Google search. I wasn't referring her there... just in case someone may have need of a possible fix... if it is an old .reg or does not work as well --will change to something new. Newer tools are what we all going to be getting tons of it looks like! Your hard work is appreciated!
anyway, thank you very much...
Now I see what you mean about services and I think what you meant in regard to AB not always showing/removing running services... this whole type of thing will pretty much be a work in progress, seems to me...given the things that are invading computers recently.
Just trying to keep up with the latest is the real work.
Well I have to go make this eMachine XP Home Edition into XP Second Edition somehow so the owner's kids can play safely.

Daisyflower: You did a great job...after you get all cleared up> the one more thing you can do after finishing with the pc for the evening is...simply turn off the cable modem by pressing the power button, unhooking the cable is also effective but may give something a jolt of current...
Of course the protective programs can help a lot but the safe bet is to turn off the modem, that's what I do every shutdown.
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
Donate directly to help the site TSG Library
TSG's Welcome Guide- Tips, Rules, How to use TSG and more!
Last edited by Byteman; 30-Jul-2004 at 12:33 AM..
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
30-Jul-2004, 01:51 AM #24
whew....everything went fine...the only issue I had in safe mode was I could not run aboutbuster. Will do it all again if needed, but wanted to check first. No viruses found in online housecall scan...but do have two that were popping up while, doing online housecall, in Trend Micro Internet Security that I loaded earlier. Doesn't seem to be any problems with anything right now, but will wait to hear a reply before doing any play on computer.


Thanks again

Here is the virus log


Log List
"Time","Scan Type","Source Type","Virus Name","Infected Source","First Action","Second Action"
"19:13","Real-time Scan","File","WORM_RBOT.ER","C:\windows\system32\dailin.exe","Quarantine Successful",""
"19:28","Real-time Scan","File","TROJ_DELF.RA","C:\WINDOWS\2_0_1browserhelper2.dll","Quarantin e Successful",""
"19:29","Real-time Scan","File","TROJ_DLOADER.F","C:\Documents and Settings\Watkins\Application Data\oeta.exe","Quarantine Successful",""
"20:35","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:35","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"20:37","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:37","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"20:39","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:40","Real-time Scan","File","SPYW_TWANT.C","C:\windows\ipeg32.dll","Deny Access",""
"20:40","Real-time Scan","File","SPYW_TWANT.B","C:\windows\ntoq32.exe","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:45","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:45","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:45","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:50","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:51","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:57","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:57","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"21:03","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:05","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"21:05","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\netqa.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\netoy32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:08","Real-time Scan","File","TROJ_EMT.A","C:\WINDOWS\ntoq32.exe.$$$","Quarantine Successful",""
"21:11","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\netqa.exe","Deny Access",""
"21:21","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javace.exe","Deny Access",""
"21:24","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"21:36","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"21:36","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ipcw32.exe","Deny Access",""
"21:36","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\apiih.exe","Deny Access",""
"21:38","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\netnf.exe","Deny Access",""
"21:38","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\winmf.exe","Deny Access",""
"21:39","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\appkh.exe","Deny Access",""
"21:39","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\d3lq32.exe","Deny Access",""
"21:43","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\netqa.exe","Deny Access",""
"21:44","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\apiih.exe","Deny Access",""
"21:44","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\netnf.exe","Deny Access",""
"21:46","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\winmf.exe","Deny Access",""
"21:46","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\d3lq32.exe","Deny Access",""
"21:55","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"22:11","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\mfcgs32.exe","Deny Access",""
"22:14","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\addlc32.exe","Deny Access",""
"22:14","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\cryw.exe","Deny Access",""
"22:14","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\msup.exe","Deny Access",""
"22:20","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javavu.exe","Deny Access",""
"23:09","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"23:14","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\system32\sysfe.dll","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\netqa.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\apiih.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\netnf.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\winmf.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\d3lq32.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\atlge.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\d3rs.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\mfcgs32.exe","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\addlc32.exe","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\system32\ipob32.dll","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\cryw.exe","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\msup.exe","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\crks.exe","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\netqa.exe","Deny Access",""
"23:18","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\apiih.exe","Deny Access",""
"23:18","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\netnf.exe","Deny Access",""
"23:19","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\winmf.exe","Deny Access",""
"23:20","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\d3lq32.exe","Deny Access",""
"23:20","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\atlge.exe","Deny Access",""
"23:21","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\vkxwvc.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\opvvxx.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javace.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\lotvoi.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\iquetf.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ekqxcc.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\sianib.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\syhodm.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\netoy32.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ipcw32.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\appkh.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\atllq.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javavu.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\Documents and Settings\Watkins\Desktop\backups\backup-20040728-204226-246.dll","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\Documents and Settings\Watkins\Desktop\backups\backup-20040729-052929-447.dll","Deny Access",""
"23:23","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\d3rs.exe","Deny Access",""
"23:24","Real-time Scan","File","ADW_ISTBAR.II","C:\Program Files\ISTsvc\istsvc.exe","Deny Access",""
"23:27","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\mfcgs32.exe","Deny Access",""
"23:29","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\addlc32.exe","Deny Access",""
"23:29","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"23:32","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\cryw.exe","Deny Access",""
"23:32","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\msup.exe","Deny Access",""
"23:32","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\crks.exe","Deny Access",""
"23:38","Real-time Scan","File","ADW_ISTBAR.II","C:\PROGRAM FILES\ISTsvc\istsvc.exe","Deny Access",""
"23:39","Real-time Scan","File","SPYW_TWANT.B","C:\windows\javace.exe","Deny Access",""
"23:39","Real-time Scan","File","SPYW_TWANT.B","C:\windows\netoy32.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\windows\ipcw32.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\windows\appkh.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\windows\atllq.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\windows\javavu.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javace.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\netoy32.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ipcw32.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\appkh.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\atllq.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javavu.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\netqa.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\apiih.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\netnf.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\winmf.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\d3lq32.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\atlge.exe","Deny Access",""
"23:42","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\d3rs.exe","Deny Access",""
"23:42","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\mfcgs32.exe","Deny Access",""
"23:42","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\addlc32.exe","Deny Access",""
"23:42","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\cryw.exe","Deny Access",""
"23:42","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\msup.exe","Deny Access",""
"23:43","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\crks.exe","Deny Access",""
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
30-Jul-2004, 10:35 AM #25
I did run aboutbuster after posting the last post.
Byteman's Avatar
Moderator & Malware Removal Specialist with 17,387 posts.
  
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
30-Jul-2004, 12:41 PM #26
DaisyFlower: It looks like a couple of items (trojans) were put into quarantine, that is OK for now, they are locked up...

flrman1 may have you delete those in quarantine later on.
I am not that familiar with Panda logs, but also it appears that the SPYW_ entries it could not deal with, that is expected> the special programs we use for ad-junk will handle them coupled with "manual" fixes. Depending on when you made this scan, the files may or may not actually be present.
You do need to check that files your system needs are present RE:

Quote:
Originally Posted by flrman1
[b]To Daisy:



This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the System32 folder to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache
Find shell.dll and right click on it. Choose Copy from the menu.
Open System32 and right click on an empty space in the window. Choose Paste from the menu.


control.exe may have been deleted.
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here
You should tell us if you had to replace any of those files AND that you have checked Active X settings> you may find that they are changed!
You did have a successful run of AboutBuster after your post, if I read that right....? When you have some time later I am sure flrman1 will be asking for those or NEWER logs along with a new HJT logfile. He may have some steps that differ from the usual way so wait for his directions.
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
Donate directly to help the site TSG Library
TSG's Welcome Guide- Tips, Rules, How to use TSG and more!
Last edited by Byteman; 30-Jul-2004 at 01:27 PM..
Flrman1's Avatar
Distinguished Member with 46,425 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
30-Jul-2004, 07:27 PM #27
Let's see another Hijack This log please.
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
30-Jul-2004, 08:47 PM #28
ran Holster
do not have Spybot
copied and pasted shell.dll
control.exe is present
ActiveX settings set to recommendations


About buster Scan from last night

-- Scan 1 --------
About:Buster Version 2.0
Removed! : C:\WINDOWS\bsahe.dat
Removed! : C:\WINDOWS\erruo.dat
Removed! : C:\WINDOWS\javace.exe
Removed! : C:\WINDOWS\pxwxi.dat
Removed! : C:\WINDOWS\netoy32.exe
Removed! : C:\WINDOWS\ntqq32.exe
Removed! : C:\WINDOWS\ipcw32.exe
Removed! : C:\WINDOWS\wmbrn.dat
Removed! : C:\WINDOWS\qibrs.dat
Removed! : C:\WINDOWS\qibrs.dll
Removed! : C:\WINDOWS\escuk.dat
Removed! : C:\WINDOWS\fvuqx.dat
Removed! : C:\WINDOWS\appkh.exe
Removed! : C:\WINDOWS\sysem.exe
Removed! : C:\WINDOWS\ipyv32.exe
Removed! : C:\WINDOWS\atllq.exe
Removed! : C:\WINDOWS\addfq.exe
Removed! : C:\WINDOWS\syspz32.exe
Removed! : C:\WINDOWS\javavu.exe
Removed! : C:\WINDOWS\System32\zfumw.dat
Removed! : C:\WINDOWS\System32\deczg.dll
Removed! : C:\WINDOWS\System32\msbk32.exe
Removed! : C:\WINDOWS\System32\viiva.dat
Removed! : C:\WINDOWS\System32\xegly.dat
Removed! : C:\WINDOWS\System32\qhzik.dll
Removed! : C:\WINDOWS\System32\ekhov.dat
Removed! : C:\WINDOWS\System32\hgffs.dll
Removed! : C:\WINDOWS\System32\netqa.exe
Removed! : C:\WINDOWS\System32\addvc32.exe
Removed! : C:\WINDOWS\System32\apiih.exe
Removed! : C:\WINDOWS\System32\netnf.exe
Removed! : C:\WINDOWS\System32\winmf.exe
Removed! : C:\WINDOWS\System32\d3lq32.exe
Removed! : C:\WINDOWS\System32\atlge.exe
Removed! : C:\WINDOWS\System32\d3rs.exe
Removed! : C:\WINDOWS\System32\sysyf32.exe
Removed! : C:\WINDOWS\System32\mfcgs32.exe
Removed! : C:\WINDOWS\System32\addlc32.exe
Removed! : C:\WINDOWS\System32\cryw.exe
Removed! : C:\WINDOWS\System32\msup.exe
Removed! : C:\WINDOWS\System32\syslz.exe
Removed! : C:\WINDOWS\System32\crks.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.0
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.98.0
Scan saved at 6:32:40 PM, on 7/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
Flrman1's Avatar
Distinguished Member with 46,425 posts.
  
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
30-Jul-2004, 09:05 PM #29
Clean!

IMPORTANT!: I highly recommend that you go to Windows update and install all "Critical Updates and Service Packs" ASAP!. This will patch numerous security holes in IE and Windows. Many baddies get on your machine by taking advantage of these vulnerabilities. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates IMMEDITELY!
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
daisy flower's Avatar
Junior Member with 18 posts.
  
Join Date: Jul 2004
Experience: Beginner
30-Jul-2004, 10:03 PM #30
all critical updates and services packs installed
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 2 of 3 1 2 3

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 11:16 AM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.