
Solved: A Mess.....3 viruses

Discussion in 'Virus & Other Malware Removal' started by Roe727, Feb 5, 2005.

Thread Status:
Not open for further replies.
  1. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    I have a question. Why are you asking FrankLaValle for help? I thought we were working together. Please. This has been a long and complex process. We have your startups using HijackThis. Stay out of msconfig until I have finished. I cannot afford to have you go off and do something without my knowing what that is. I am asking you to stop.

    Maybe I am confused. Didn't you say earlier that you keep getting a warning about a trojan named like dell.dll?
     
  2. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    This one needs to be fixed too. The file is running from the Norton Protected Recycle Bin.

    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\RECYCLER\NPROTECT\00741092.exe
     
  3. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    79,001
    First Name:
    Frank
    Roe727:

    DON'T start messing with the startup list until these guys get through helping you.

    You asked me how to do it, so I told you, but please wait.
     
  4. Roe727

    Roe727 Thread Starter

    Joined:
    Mar 9, 2004
    Messages:
    1,016
    Wait...I am not working with him. I am working with you. I had e-mailed him and talked to Candy when it seemed that things were at a standstill and he JUST got back to me. That was before you started helping me. I'm sorry if I stepped on any toes. I am doing exactly what you have told me to do, I'm not doing anything extra, I was just looking. I'm really sorry about this confusion.

    Ok... I fixed that entry. I ran LSPFix and took care of that. I deleted the file from windows/system. BUT the other files you listed were not there; there were only 2 that were there, but not named exactly: Explorerz.exe was listed as Explorerz and kyf.dat was listed as kyf. I left them alone; let me know if you want me to delete them. I deleted the 2 folders in system32 with no problem.

    That file dell.dll, it will not let me copy... there is no version, just a General tab, says application extension and that's about it. There is another one that just came up in the last 1/2 hour called designer.dll... same location, same story on the information.

    When I open the VX2 finder the button User Agent is in light gray and can't be clicked. I clicked on the "click to find VX2.betterinternet" and after it ran the button could now be pushed, but when I push it, it says "Delete the User Agent String?"... I didn't know what to do from there so I said no and closed out. Let me know.

    I attached the startuplist.

    Again I apologize for any misunderstanding.
    Roe
     


  5. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Ok. Sorry. Let's see if we can make some headway for you. Keep that other computer off the Internet until we get this dell.dll issue solved. It sounds ugly.

    Go ahead and say yes to delete the User Agent String.

    Delete those two files:
    Explorerz and kyf.dat

    Go to Folder Options > View

    Be sure this is not selected: "Hide extensions for known file types". If it is, then click on it to remove the check. Press Apply. Press OK.


    You are running the indexing service in the background. That slows you down considerably. This is not a spyware issue but maybe will give you a better shutdown and a faster machine.

    There are two steps involved.

    First go to Start>Search

    Click Change Preferences.

    Get rid of the animated Character.
    Get rid of With Indexing Service.

    Then go to Start>Run and type

    Services.msc
    Press enter

    Scroll to Indexing Service and double click on it.

    This will bring up its property page.
    Stop the service using the Stop Button.

    Go up to Startup Type and set it to manual. Press Apply and OK

    ----------------

    No properties page. Let's try something.

    Restart in Safe mode.

    Open the Killbox.

    Select Kill Explorer shell.

    Select Replace on Reboot.

    Paste in the path to dell.dll

    Press the red Button
    Restart the computer.

    See if the file is no longer there.

    Open the Killbox.

    Go to the toolbar to File > Open !Submit

    The file should be in there. See if it will copy now. If not, it is still active.



    Also, if you have a music match icon in systray, close it before you shutdown and see if that helps.


    Let me know. I'll read your startuplist while you do these things.
     
  6. Roe727

    Roe727 Thread Starter

    Joined:
    Mar 9, 2004
    Messages:
    1,016
    I said yes to delete the User Agent String and then clicked the Restore Policy button and came up with... "Administrator Policy: This will reset the SeDebugPrivilege for Administrators, if you already removed the VX2.BetterInternet files using Recovery Console" and it wants me to hit OK or Cancel... what do you want me to do??
     
  7. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Click OK to reset the SeDebugPrivilege. Then restart.

    Flrman had you download a file track.vbs

    It will open a text file with results. I need that too please.
    In Control Panel >Scheduled Tasks what is this one doing?

    (D6R1HG21-Susan Zweig).job
     
  8. Roe727

    Roe727 Thread Starter

    Joined:
    Mar 9, 2004
    Messages:
    1,016
    That one says that it is scheduled to run every 5 minutes and then in status it says "could not start"...

    Wow...tried to run the track and got this...

    Norton Antivirus..Alert: Malicious script detected
    Object Windows script Host Shell object
    Activity: Run
    Your computer is halted and needs to do something about this script

    File: C:\DOCUMENTS AND SETTINGS\SUSAN ZWEIG\LOCAL SETTINGS\TEMP\TEMPORARY DIRECTORY 1 FOR TRACK.ZIP\TRACK.VBS...

    Then it says...what do you want to do:
    Stop this script (recommended)
    allow this activity once
    allow the entire script once
    quarantine this script..

    what should I do.?
     
  9. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Allow track.vbs to run. Norton always tries to stop scripts because many are malicious. I wrote track.vbs and promise you it is just a diagnostic.

    Anything scheduled to run every 5 minutes is malicious. Go ahead and delete that job in Task Scheduler. It isn't running anyway but probably is attempting to start every 5 minutes, and that takes memory.

    Also, delete this file:
    C:\WINDOWS\zeta.exe
     
  10. Roe727

    Roe727 Thread Starter

    Joined:
    Mar 9, 2004
    Messages:
    1,016
    I'm a bit confused; this says track.zip... you are saying track.vbs??
     
  11. Roe727

    Roe727 Thread Starter

    Joined:
    Mar 9, 2004
    Messages:
    1,016
    In the meantime I deleted those 2 files and changed the indexing things...

    With the folder options....where do I go into that??
     
  12. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Go to Control Panel > Folder Options

    Extract track.vbs from track.zip into a new folder. Double click on Track.vbs to run it.


    After you do that, go back and read my last several sets of directions and follow them. Please report how you did on each one.
     
  13. Roe727

    Roe727 Thread Starter

    Joined:
    Mar 9, 2004
    Messages:
    1,016
    Ok...here is the report from the track file:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
    "DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
    "NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe"
    "WFXSwtch"="C:\\PROGRA~1\\NORTON~1\\WinFax\\WFXSWTCH.exe"
    "WinFaxAppPortStarter"="wfxsnt40.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    -----------------
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


    Subkey --- Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}
    C:\WINDOWS\System32\cscui.dll

    Subkey --- Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- qmnmtg
    {114f60a8-d050-430d-98cf-7b297435c9e5}
    C:\WINDOWS\System32\pawaog.dll

    Subkey --- qynytg
    {219b806b-ca31-4b10-9dcd-a2be328e534d}
    C:\WINDOWS\System32\puyuog.dll

    Subkey --- Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

    Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin
    C:\WINDOWS\system32\SHELL32.dll
    -----------

    System32 Dat Files

    ---------- C:\WINDOWS\SYSTEM32\DOOLSAV.DAT
    ´ Í!¸LÍ!This program cannot be run in DOS mode.


    ---------- C:\WINDOWS\SYSTEM32\DSSEC.DAT

    ---------- C:\WINDOWS\SYSTEM32\DUTFWSINC.DAT

    ---------- C:\WINDOWS\SYSTEM32\EMPTYREGDB.DAT

    ---------- C:\WINDOWS\SYSTEM32\FNTCACHE.DAT

    ---------- C:\WINDOWS\SYSTEM32\MLANG.DAT

    ---------- C:\WINDOWS\SYSTEM32\NOISE.DAT

    ---------- C:\WINDOWS\SYSTEM32\OEMBIOS.DAT

    ---------- C:\WINDOWS\SYSTEM32\PERFC009.DAT

    ---------- C:\WINDOWS\SYSTEM32\PERFD009.DAT

    ---------- C:\WINDOWS\SYSTEM32\PERFH009.DAT

    ---------- C:\WINDOWS\SYSTEM32\PERFI009.DAT

    ---------- C:\WINDOWS\SYSTEM32\SECUPD.DAT

    ---------- C:\WINDOWS\SYSTEM32\VH.DAT

    ---------- C:\WINDOWS\SYSTEM32\VP.DAT
     
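The checks Mosaic1 is working through against this report can be scripted. The following is an added example in Python (not the thread's track.vbs and not a Tech Support Guy tool) that parses an abridged copy of the report above and flags three things: Run values that are a bare file name with no directory (wfxsnt40.exe, which Windows resolves through the PATH search order) or that live in a recycle-bin or temp location (the same test fits the O4 entry in post 2 under C:\RECYCLER\NPROTECT); ContextMenuHandlers whose subkey name and DLL base name are both six lowercase letters, as qmnmtg/pawaog.dll and qynytg/puyuog.dll are; and .DAT files in System32 whose dumped bytes contain the PE DOS-stub message "This program cannot be run in DOS mode", which is what makes DOOLSAV.DAT an executable wearing a data extension. The six-letter rule and the directory list are assumptions tuned to this report, not general signatures, and the function names are the example's own.

```python
import re

# Abridged copy of the track.vbs report from post 13 (taken from the thread, not
# constructed); the bytes shown for DOOLSAV.DAT are as the forum rendered them.
SAMPLE_REPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"WinFaxAppPortStarter"="wfxsnt40.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll
Subkey --- qmnmtg
{114f60a8-d050-430d-98cf-7b297435c9e5}
C:\WINDOWS\System32\pawaog.dll
Subkey --- qynytg
{219b806b-ca31-4b10-9dcd-a2be328e534d}
C:\WINDOWS\System32\puyuog.dll
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
-----------
System32 Dat Files
---------- C:\WINDOWS\SYSTEM32\DOOLSAV.DAT
´ Í!¸LÍ!This program cannot be run in DOS mode.
---------- C:\WINDOWS\SYSTEM32\NOISE.DAT
"""

RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|com|scr|bat)', re.I)
RANDOM6 = re.compile(r"[a-z]{6}")  # assumed heuristic for random six-letter names
DOS_STUB = "This program cannot be run in DOS mode"
# Assumed list of places a legitimate startup program does not live.
SUSPICIOUS_DIRS = ("\\recycler\\", "\\nprotect\\", "\\temp\\", "\\local settings\\temp")

def run_key_values(report):
    """Values under HKLM\\...\\CurrentVersion\\Run with REGEDIT4's doubled backslashes undone."""
    values, in_key = {}, False
    for line in (raw.strip() for raw in report.splitlines()):
        if line.startswith("["):
            in_key = line == RUN_KEY
        elif in_key:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def suspicious_location(path):
    """True for recycle-bin/temp locations; also fits the O4 .lnk target in post 2."""
    return any(marker in path.lower() for marker in SUSPICIOUS_DIRS)

def check_run_values(values):
    """Flag Run entries that are a bare file name (found via PATH search) or run from a bad place."""
    findings = []
    for name, value in values.items():
        m = PATH_RE.search(value)
        path = m.group(0) if m else value.split()[0]
        if "\\" not in path:
            findings.append((name, path, "bare file name, resolved through PATH search order"))
        elif suspicious_location(path):
            findings.append((name, path, "runs from a recycle-bin or temp directory"))
    return findings

def random_name_handlers(report):
    """ContextMenuHandlers whose subkey and DLL base name are both six lowercase letters."""
    flagged, name = [], None
    for line in (raw.strip() for raw in report.splitlines()):
        if line.startswith("Subkey --- "):
            name = line[len("Subkey --- "):]
        elif name and ":\\" in line and line.lower().endswith(".dll"):
            base = line.rsplit("\\", 1)[-1][:-len(".dll")]
            if RANDOM6.fullmatch(name) and RANDOM6.fullmatch(base):
                flagged.append((name, line))
            name = None
    return flagged

def dat_files(report):
    """Map each path in the 'System32 Dat Files' section to the bytes dumped under it."""
    files, current = {}, None
    for line in (raw.strip() for raw in report.splitlines()):
        if line.startswith("---------- "):
            current = line[len("---------- "):]
            files[current] = ""
        elif current and line:
            files[current] += line
    return files

def pe_masquerading_as_dat(report):
    """A .DAT whose dumped bytes carry the PE DOS-stub message is a renamed executable."""
    return [path for path, content in dat_files(report).items() if DOS_STUB in content]

def triage(report):
    return {
        "run": check_run_values(run_key_values(report)),
        "handlers": random_name_handlers(report),
        "pe_dat": pe_masquerading_as_dat(report),
    }
```

Run it over a saved copy of a report with `triage(open(path).read())`. Every hit is a candidate to confirm by hand (check the file's properties, who signed it, and what the DLL exports), not a verdict; the heuristics are deliberately narrow so that they say nothing about the Norton, NVIDIA and shell32 entries the same report lists.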
  14. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Good. We'll use this information in a while to clean up some leftovers. In the meantime, I'll wait for you to finish all the other tasks and get back.
    Folder Options: click the View tab, then look for the entry I pointed out.

    Looking at your StartupList I am not sure the other reg files imported. So we'll address that after you have finished and get back. We have a lot more cleaning up to do.
     
  15. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    79,001
    First Name:
    Frank
    Roe727:

    Keep working with Flrman1 and Mosaic1 until they give you the all-clear, then we'll start working on your startup list.

    You're not stepping on any toes. Just give priority to what they're helping you with. Viruses and "nasties" need to go first.
     
Short URL to this thread: https://techguy.org/326954
