[SOLVED] Trojan.Download.Swizz

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Dogman

Thread Starter
Joined
Jul 12, 2003
Messages
38
Hello all. Just got the above today. Norton quarantined it but could not repair. I searched TSG but only got a username similar. Anyone got an idea for proper repair? Cheerio everyone.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

Dogman

Thread Starter
Joined
Jul 12, 2003
Messages
38
Hi, thanks for that. Here's my scan log. Hope it means something to you!
Logfile of HijackThis v1.97.3
Scan saved at 21:13:04, on 09/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Internet Security 2002\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\windows\System32\nvsvc32.exe
C:\windows\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\windows\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Internet Security 2002\SymProxySvc.exe
C:\windows\System32\ZipToA.exe
C:\Program Files\Norton SystemWorks\Norton Internet Security 2002\NISSERV.EXE
C:\windows\Explorer.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\windows\System32\taskswitch.exe
C:\windows\System32\fast.exe
C:\Program Files\Norton SystemWorks\Norton Internet Security 2002\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\windows\sllights.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\windows\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\windows\System32\fast.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton SystemWorks\Norton Internet Security 2002\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18f5cceb7d6401f5e715/netzip/RdxIE2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37621.4113773148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://E:\system\IntraLaunch.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_4.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://lw10fd.law10.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{787F2D32-5911-4929-920F-419DD3CC570A}: NameServer = 195.8.69.7 195.8.69.12
 

Dogman

Thread Starter
Joined
Jul 12, 2003
Messages
38
Hi Dvk and everyone, I'd be V grateful if someone could advise me on the above scan, first concern being the Swizz trojan, but also, an overview of what needs to go, and what might be missing. The info on Hijack this about individual entries is, in most cases, so general (could be good, could be bad!) that I dare not touch anything. Many thanks.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
I can't see anything bad in the log

Most times, the reason Norton or any antivirus quarantines the file is that the actual file is the virus/trojan and should be prevented from running and deleted from the system.

Many viruses and trojans stay within the file that they came with, do their nefarious deeds from within it and don't infect other files, so there is nothing to fix.

The reason Norton quarantines instead of deleting immediately is that on rare occasions a false positive can be made and a genuine needed file is removed.

Leave the file in quarantine for a week or so & if no program pops up asking for the file then delete it from the quarantine

Norton only fixes files when a legitimate file is infected with a virus and it restores the good file by removing the virus code from the file

read what norton says about it
http://www.symantec.com/avcenter/venc/data/trojan.download.swizz.html
 

Dogman

Thread Starter
Joined
Jul 12, 2003
Messages
38
Hi Dvk, thanks for that. I did look at the Norton item yesterday. My concern is that the trojan is in C:\program files\c2media\setup.exe, which sounds to me like it is needed. This morning I submitted it to Norton, which sent the whole file, rather than just copy! And it says a reply can take up to a week. That was before seeing your advice to leave it in quarantine. Should I do anything now or just cross my fingers? Cheers from man with spotty dog.
 
Joined
Jun 15, 2000
Messages
104
I have a problem with this virus, every time I go online I have temp files and EXE files that have this virus. I have sent them in and downloaded what they said but I have a 2002 Norton Antivirus and it seems I can't get rid of it unless I get a newer version. I update every day and scan every day. They are in quarantine or have been submitted.
I read this post and downloaded hijacker and this is what is on my log.

Logfile of HijackThis v1.97.3
Scan saved at 12:06:10 AM, on 10/11/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\EVENTMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\PROGRAM FILES\QWDLLS.EXE
C:\ICM532\LAUNCHPAD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [eventmgr.exe] C:\WINDOWS\SYSTEM\eventmgr.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [sqmewtlw] C:\WINDOWS\SYSTEM\sqmewtlw.exe
O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
O4 - HKLM\..\Run: [PopUpInspector] C:\PROGRAM FILES\GIANT COMPANY SOFTWARE INC\POPUP INSPECTOR\POPUPINSPECTOR.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Quicken Startup.lnk = C:\Program Files\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\Program Files\BILLMIND.EXE
O4 - Startup: Launchpad.lnk = C:\ICM532\Launchpad.exe
O4 - Startup: EZVideo Chat.lnk = C:\Program Files\Ezonics\EZVideo Chat 2.0\EzChat.exe
O8 - Extra context menu item: Allow popups from this web page - C:\PROGRAM FILES\GIANT COMPANY SOFTWARE INC\POPUP INSPECTOR\allowsite.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: PopUp Inspector (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://sites.chatspace.com:8350/Java/cs4ms090.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37833.8450462963
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Can I do anything to get this virus off of my computer, as it just seems to keep popping back on each time I log on to the internet?

You have helped me before with problems and I really appreciate any help you may give me

Thank you,
Auburn2000
 
Joined
Oct 9, 2001
Messages
9,396
auburn2000....

Run hijackthis again and put a checkmark against these entries....double check in case you miss anything....
.....then, close all browser and outlook windows and "fix checked"


R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

This is possibly the culprit.
O4 - HKLM\..\Run: [sqmewtlw] C:\WINDOWS\SYSTEM\sqmewtlw.exe


HAVE YOU OR ARE YOU LEARNING TO PLAY BRIDGE?
If not...and you don't know what this next one is, I would like you to email me a copy of this file for analysis.
O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck

Re-boot into safe mode and delete:
C:\WINDOWS\SYSTEM\sqmewtlw.exe

Let us know how it goes.
;)
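
The kind of triage applied to the log above, as an added example that is not part of any poster's reply: a small Python parser for HijackThis v1.97.3 log lines that flags entries pointing at a missing file, autoruns launched from a TEMP directory, and autoruns known only by an abbreviated 8.3 file name. The three heuristics and all function names are assumptions made for illustration; the thread does not state why its entries were picked, and the sample lines are excerpted from the second log in this thread.

```python
import re

# Sample input: lines excerpted from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Launchpad.lnk = C:\ICM532\Launchpad.exe
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# Registry autoruns: Run, RunServices, RunOnce ...
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[(.*?)\] (.*)$")
# Startup-folder shortcuts: "Startup: x.lnk = target" / "Global Startup: ..."
STARTUP_RE = re.compile(r"^((?:Global )?Startup): (.+?) = (.*)$")
# Executable part of a command line: a quoted path, or text up to the first
# executable extension (unquoted paths may contain spaces).
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|com|bat|scr))(?=\s|$)', re.I)

TEMP_DIRS = {"temp", "tmp"}  # assumed names of temporary directories


def exe_path(command):
    """Return the program path from an autorun command, without arguments."""
    command = command.strip()
    m = EXE_RE.match(command)
    if not m:
        return command
    return m.group(1) or m.group(2)


def analyze(log_text):
    """Return (section, entry, flags) for every entry that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.groups()
        flags = []
        # Registry entry whose component no longer exists on disk.
        if body.endswith("(no file)"):
            flags.append("no-file")
        if section == "O4":
            auto = RUN_RE.match(body) or STARTUP_RE.match(body)
            if auto:
                parts = re.split(r"[\\/]", exe_path(auto.group(3)).lower())
                # Program started at every boot from a temporary directory.
                if any(p in TEMP_DIRS for p in parts[:-1]):
                    flags.append("temp-autorun")
                # File known only by its 8.3 short name; resolve the full name.
                if re.search(r"~\d", parts[-1]):
                    flags.append("short-name")
        if flags:
            findings.append((section, body, flags))
    return findings


if __name__ == "__main__":
    for section, body, flags in analyze(SAMPLE_LOG):
        print(f"{section}: {', '.join(flags)} -> {body}")
```

A flag marks an entry for a closer look, not for removal; legitimate installers also leave run-once entries in TEMP.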
 

Dogman

Thread Starter
Joined
Jul 12, 2003
Messages
38
To Top Banana Dvk and anyone interested, from Dogman. I removed the "search hook is missing" via Hijack this. I searched for the "c2media folder", which has gone, I assume when I submitted the trojan to Norton. If there was nothing I needed in this folder then I am sorted. Last night I got a reply from Norton saying a betafix for this problem was available. I downloaded it, a 4mb file! described as "sarc intelligent updater", including something called "antivirus/beta/syncbetadefsi32.exe". I was told to double click on the downloaded file and follow the prompts. I had to search for this file, then it would not open. I tried to contact Norton tech support but gave up. I tried to "repair" the file sent to Norton but still got "could not repair this item". Very awkward. Anyway thanks for your help. Woof.
 
Joined
Jun 15, 2000
Messages
104
Ok, I did the scan again with hijacker and checked the two to fix and then I started in safe mode but didn't really know what to do. So I came back out.

I have checked under files and got nothing, and tried to run the C:\WINDOWS\SYSTEM\sqmewtlw.exe
It says the path is wrong. I can't seem to find this file anywhere.

How do I find it in the safe mode and how do I delete it?

I get an invalid file name when I try to run the WINDOWS\TEMP\TB_ANI~1.EXE/dcheck

So I need further help; can't seem to find either one of these files that I am supposed to delete and the other to send to you.

Not sure after I find it how I send the last one to you or a copy of it. How do I do it? It may click a bell as soon as you start to tell me but I better have complete instructions.

Thank you so very much for your help, I do appreciate it.

Auburn2000
 
Joined
Jun 15, 2000
Messages
104
Sorry, I thought I wrote this but it wasn't there when I posted. I am not trying to learn bridge, so I have no idea why the last windows\temp\tb_ani!1.exe/dcheck was there.

As I said above, can't find it just in the files so I need help to find it and send it.

Thank you again.
Auburn 2000
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
using windows explorer navigate to C:\WINDOWS\TEMP and look for a file that starts TB_ANI

find it, right click it & select copy, then send it to steve

Before you send it, post its full name, so far we only have the abbreviated form and that makes it more difficult to find out about
 
Joined
Jun 15, 2000
Messages
104
I went into windows explorer and checked anything I could find under Windows/Temp; there is nothing with that path.

I tried to run it under files again and it says wrong path. I scanned with Hijacker again to see if it was still in the scan and it is but I sure can't find it anywhere. I don't know what to do now.

Also can you help me with deleting that other file Steve told me to delete in Safe mode. I don't know what to do after I get in Safe mode to find that file and then do I just right click to delete it as well?

Thank you again for your help

Auburn2000
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
make sure that you have all files set to show by opening explorer /tools/folder options/view and make sure that show hidden files & folders is ticked and hide protected operating system files is UNticked
 