
[SOLVED] Trojan.Download.Swizz

Discussion in 'Virus & Other Malware Removal' started by Dogman, Oct 9, 2003.

Thread Status:
Not open for further replies.
  1. Dogman

    Dogman Thread Starter

    Joined:
    Jul 12, 2003
    Messages:
    38
    Hello all. Just got the above today. Norton quarantined it but could not repair. I searched TSG but only got a username similar. Anyone got an idea for proper repair? Cheerio everyone.
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. Dogman

    Dogman Thread Starter

    Joined:
    Jul 12, 2003
    Messages:
    38
    Hi, thanks for that. Here's my scan log. Hope it means something to you!
    Logfile of HijackThis v1.97.3
    Scan saved at 21:13:04, on 09/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Internet Security 2002\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\windows\System32\nvsvc32.exe
    C:\windows\system32\slserv.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\windows\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton Internet Security 2002\SymProxySvc.exe
    C:\windows\System32\ZipToA.exe
    C:\Program Files\Norton SystemWorks\Norton Internet Security 2002\NISSERV.EXE
    C:\windows\Explorer.EXE
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\windows\System32\taskswitch.exe
    C:\windows\System32\fast.exe
    C:\Program Files\Norton SystemWorks\Norton Internet Security 2002\IAMAPP.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\windows\sllights.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\windows\System32\taskswitch.exe
    O4 - HKLM\..\Run: [FastUser] C:\windows\System32\fast.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton SystemWorks\Norton Internet Security 2002\IAMAPP.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18f5cceb7d6401f5e715/netzip/RdxIE2.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37621.4113773148
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://E:\system\IntraLaunch.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_4.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{787F2D32-5911-4929-920F-419DD3CC570A}: NameServer = 195.8.69.7 195.8.69.12
     
  4. Dogman

    Dogman Thread Starter

    Joined:
    Jul 12, 2003
    Messages:
    38
    Hi Dvk and everyone, I'd be V grateful if someone could advise me on the above scan, first concern being the Swizz trojan, but also, an overview of what needs to go, and what might be missing. The info on Hijack this about individual entries is, in most cases, so general (could be good, could be bad!) that I dare not touch anything. Many thanks.
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    I can't see anything bad in the log

    Most times, the reason Norton or any antivirus quarantines the file is that the actual file is the virus/trojan and should be prevented from running and deleted from the system.

    Many viruses and trojans stay within the file that they came with, do their nefarious deeds from within it and don't infect other files, so there is nothing to fix.

    The reason Norton quarantines instead of deleting immediately is that on rare occasions a false positive can be made and a genuine needed file is removed.

    Leave the file in quarantine for a week or so & if no program pops up asking for the file then delete it from the quarantine

    Norton only fixes files when a legitimate file is infected with a virus and it restores the good file by removing the virus code from the file

    read what norton says about it
    http://www.symantec.com/avcenter/venc/data/trojan.download.swizz.html
     
  6. Dogman

    Dogman Thread Starter

    Joined:
    Jul 12, 2003
    Messages:
    38
    Hi Dvk, thanks for that. I did look at the Norton item yesterday. My concern is that the trojan is in C:\program files\c2media\setup.exe---which sounds to me like it is needed. This morning I submitted it to Norton, which sent the whole file, rather than just a copy!---and it says a reply can take up to a week. That was before seeing your advice to leave it in quarantine. Should I do anything now or just cross my fingers? Cheers from man with spotty dog.
     
  7. Top Banana

    Top Banana

    Joined:
    Nov 10, 2002
    Messages:
    1,344
  8. auburn2000

    auburn2000

    Joined:
    Jun 15, 2000
    Messages:
    104
    I have a problem with this virus, every time I go online I have temp files and EXE files that have this virus. I have sent them in and downloaded what they said but I have a 2002 Norton Antivirus and it seems I can't get rid of it unless I get a newer version. I update every day and scan every day. They are in quarantine or have been submitted.
    I read this post and downloaded hijacker and this is what is on my log.

    Logfile of HijackThis v1.97.3
    Scan saved at 12:06:10 AM, on 10/11/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\EVENTMGR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\OPLIMIT\OCRAWARE.EXE
    C:\OPLIMIT\OCRAWR32.EXE
    C:\PROGRAM FILES\QWDLLS.EXE
    C:\ICM532\LAUNCHPAD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [eventmgr.exe] C:\WINDOWS\SYSTEM\eventmgr.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [sqmewtlw] C:\WINDOWS\SYSTEM\sqmewtlw.exe
    O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
    O4 - HKLM\..\Run: [PopUpInspector] C:\PROGRAM FILES\GIANT COMPANY SOFTWARE INC\POPUP INSPECTOR\POPUPINSPECTOR.exe
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Quicken Startup.lnk = C:\Program Files\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\Program Files\BILLMIND.EXE
    O4 - Startup: Launchpad.lnk = C:\ICM532\Launchpad.exe
    O4 - Startup: EZVideo Chat.lnk = C:\Program Files\Ezonics\EZVideo Chat 2.0\EzChat.exe
    O8 - Extra context menu item: Allow popups from this web page - C:\PROGRAM FILES\GIANT COMPANY SOFTWARE INC\POPUP INSPECTOR\allowsite.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: PopUp Inspector (HKCU)
    O9 - Extra 'Tools' menuitem: PopUp Inspector (HKCU)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://sites.chatspace.com:8350/Java/cs4ms090.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37833.8450462963
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    Can I do anything to get this virus off of my computer, as it just seems to keep popping back on each time I log on to the internet?

    You have helped me before with problems and I really appreciate any help you may give me

    Thank you,
    Auburn2000
     
  9. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    auburn2000....

    Run HijackThis again and put a checkmark against these entries... double check in case you miss anything...
    ...then close all browser and Outlook windows and "fix checked".


    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

    This is possibly the culprit.
    O4 - HKLM\..\Run: [sqmewtlw] C:\WINDOWS\SYSTEM\sqmewtlw.exe


    HAVE YOU OR ARE YOU LEARNING TO PLAY BRIDGE?
    If not... and you don't know what this next one is, I would like you to email me a copy of this file for analysis.
    O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck

    Re-boot into safe mode and delete:
    C:\WINDOWS\SYSTEM\sqmewtlw.exe

    Let us know how it goes.
    ;)
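
The triage applied in the post above (a search hook whose file is missing, a Run entry with a meaningless name, a Run entry launching from a TEMP folder) can be written as a small script. This is an added example, not part of the original thread or of HijackThis; the function names, the heuristics and the vowel-ratio threshold are assumptions, and the sample lines are copied from the Windows 98 log posted earlier in the thread.

```python
import re
from ntpath import basename, splitext

# Sample lines copied from the Windows 98 log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [eventmgr.exe] C:\WINDOWS\SYSTEM\eventmgr.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [sqmewtlw] C:\WINDOWS\SYSTEM\sqmewtlw.exe
O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck
O4 - Startup: Launchpad.lnk = C:\ICM532\Launchpad.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")                # "O4 - <body>"
RUN = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[(.+?)\] (.*)$")     # registry autostarts
EXE = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)                 # program part of a command


def vowel_ratio(text):
    """Share of vowels among the letters; very low values suggest a random name."""
    letters = [c for c in text.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 1.0


def triage(log_text, max_vowel_ratio=0.2):
    """Return (reason, line) pairs for entries worth a closer look.

    Hypothetical heuristics, meant to prioritise review, not to convict a file:
      missing-file         registered component whose file no longer exists
      autostart-from-temp  Run entry that launches a program from a TEMP folder
      random-looking-name  Run value named after its own executable, with a
                           name that is almost all consonants
    """
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw)
        if not entry:
            continue
        section, body = entry.groups()
        line = raw.strip()
        if body.rstrip().endswith("(no file)"):
            findings.append(("missing-file", line))
            continue
        run = RUN.match(body) if section == "O4" else None
        if not run:
            continue
        _key, name, command = run.groups()
        exe = EXE.match(command)
        path = exe.group(1) if exe else command
        stem = splitext(basename(path))[0]
        if "\\temp\\" in path.lower():
            findings.append(("autostart-from-temp", line))
        elif (name.lower() == stem.lower() and len(stem) >= 6
              and vowel_ratio(stem) < max_vowel_ratio):
            findings.append(("random-looking-name", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:22} {line}")
```

On the sample lines it reports the same three entries singled out in the post above and leaves the vendor and Windows entries alone.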
     
  10. Dogman

    Dogman Thread Starter

    Joined:
    Jul 12, 2003
    Messages:
    38
    To Top Banana, Dvk and anyone interested, from Dogman. I removed the "search hook is missing" via Hijack this. I searched for the "c2media folder"---which has gone, I assume when I submitted the trojan to Norton. If there was nothing I needed in this folder then I am sorted. Last night I got a reply from Norton saying a betafix for this problem was available. I downloaded it, a 4mb file! described as "sarc intelligent updater"--including something called "antivirus/beta/syncbetadefsi32.exe". I was told to double click on the downloaded file and follow the prompts. I had to search for this file, then it would not open. I tried to contact Norton tech support but gave up. I tried to "repair" the file sent to Norton but still got "could not repair this item". Very awkward. Anyway thanks for your help. Woof.
     
  11. auburn2000

    auburn2000

    Joined:
    Jun 15, 2000
    Messages:
    104
    Ok, I did the scan again with hijacker and checked the two to fix and then I started in safe mode but didn't really know what to do. So I came back out.

    I have checked under files and got nothing, and tried to run the C:\WINDOWS\SYSTEM\sqmewtlw.exe
    It says the path is wrong. I can't seem to find this file anywhere.

    How do I find it in the safe mode and how do I delete it?

    I get an invalid file name when I try to run the WINDOWS\TEMP\TB_ANI~1.EXE/dcheck

    So I need further help, can't seem to find either one of these files that I am supposed to delete and the other to send to you.

    Not sure after I find it how I send the last one to you or a copy of it. How do I do it? It may click a bell as soon as you start to tell me but I better have complete instructions.

    Thank you so very much for your help, I do appreciate it.

    Auburn2000
     
  12. auburn2000

    auburn2000

    Joined:
    Jun 15, 2000
    Messages:
    104
    Sorry, I thought I wrote this but it wasn't there when I posted. I am not trying to learn bridge, so I have no idea why the last windows\temp\tb_ani!1.exe/dcheck was there.

    As I said above can't find it just in the files so I need help to find it and send it.

    Thank you again.
    Auburn 2000
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    Using Windows Explorer, navigate to C:\WINDOWS\TEMP and look for a file that starts TB_ANI

    Find it, right click it & select copy, then send it to Steve


    Before you send it, post its full name; so far we only have the abbreviated form and that makes it more difficult to find out about
     
  14. auburn2000

    auburn2000

    Joined:
    Jun 15, 2000
    Messages:
    104
    I went into Windows Explorer and checked anything I could find under Windows/Temp; there is nothing with that path.

    I tried to run it under files again and it says wrong path. I scanned with Hijacker again to see if it was still in the scan and it is but I sure can't find it anywhere. I don't know what to do now.

    Also can you help me with deleting that other file Steve told me to delete in Safe mode. I don't know what to do after I get in Safe mode to find that file and then do I just right click to delete it as well?

    Thank you again for your help

    Auburn2000
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    make sure that you have all files set to show by opening explorer /tools/folder options/view and make sure that show hidden files & folders is ticked and hide protected operating system files is UNticked
     