hjt-tan16


  • This topic is locked
12 replies to this topic

#1 tan16

  • Members
  • 12 posts

Posted 28 November 2004 - 06:41 AM

hi
could you please help me with this log
i've been infected by swapx
Logfile of HijackThis v1.98.2
Scan saved at 5:09:08 PM, on 11/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchosttt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\72bxue3j77wuthd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winmine.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31130123321001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31130123321001
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\X4ED5Z~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NDIS Adapter] svchosttt.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\72bxue3j77wuthd.exe
O4 - HKLM\..\RunServices: [NDIS Adapter] svchosttt.exe
O4 - HKLM\..\RunOnce: [NDIS Adapter] svchosttt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NDIS Adapter] svchosttt.exe
O4 - HKCU\..\RunOnce: [NDIS Adapter] svchosttt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{20FD2951-2CC1-4702-AB67-0D128774A80E}: NameServer = 202.144.96.4 202.144.50.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{20FD2951-2CC1-4702-AB67-0D128774A80E}: NameServer = 202.144.96.4 202.144.50.4
O20 - AppInit_DLLs: 11s538o3bbrn2tll.dll.dll.dll.dll

thanks
tan


#2 illukka

    retar.. erm retired!

  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 28 November 2004 - 08:35 AM

hi
It is a good idea to print or copy these instructions because you are not able to access the Internet in SafeMode.



first open control panel > add/remove programs and uninstall new.net.

1. Download CWShredder from here
After you download the program, unzip it into a directory. Don't use it yet.

2. Download Ad-aware SE: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

3. Download System Security Suite here:System Security Suite Download & Tutorial. Unzip it to your desktop. Install the program. Don't use it yet.

4. Download the Hoster from here. Unzip the program to your desktop. Don't use it yet.

5. Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop. Don't use it yet.

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
[-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
[-HKEY_CLASSES_ROOT\redalert.here]
[-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]


6. Download KillBox here: KillBox. Unzip it to your desktop.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\system32\11s538o3bbrn2tll.dll.dll.dll.dll

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

instead repeat the above procedure, only this time copy/paste this line in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\72bxue3j77wuthd.exe


Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot. Check if C:\WINDOWS\system32\11s538o3bbrn2tll.dll.dll.dll.dll is gone. If you can find it repeat step no. 6.

Please reboot into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

7. Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31130123321001

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31130123321001

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\X4ED5Z~1.DLL

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O4 - HKLM\..\Run: [NDIS Adapter] svchosttt.exe

O4 - HKCU\..\Run: [NDIS Adapter] svchosttt.exe

O4 - HKCU\..\RunOnce: [NDIS Adapter] svchosttt.exe

O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\72bxue3j77wuthd.exe

O4 - HKLM\..\RunServices: [NDIS Adapter] svchosttt.exe

O4 - HKLM\..\RunOnce: [NDIS Adapter] svchosttt.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm10.chm::/ieloader.exe

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe

Close all other windows and browsers, and press the Fix Checked button.

enable showing of system and hidden files:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* uncheck the box hide known extensions (or similar, my OS is a Finnish localised version)
* Click Yes to confirm.
* Click OK.



8. Search for these files and delete them if found:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe <-- this file, please read the note below
Note: there is a legitimate Windows file with a similar name: winlogon.exe in the c:\windows\system32\ folder. Do not delete the legitimate winlogon.exe file.
Note the difference:
winlogin.exe - bad file
winlogon.exe - legitimate Windows file
C:\WINDOWS\System32\72bxue3j77wuthd.exe
C:\WINDOWS\System32\X4ED5Z~1.DLL <-- the file will have a longer name starting with X4ED5Z


also while in safe mode
locate these files
C:\WINDOWS\system32\winmine.exe
C:\WINDOWS\System32\svchosttt.exe

when found, right click the file and select rename from the r-click menu
rename them to for example winmine.vir and svchosttt.vir
answer ok when prompted about it



9. Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

10. Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

11. With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

12. Double-click on the fix.reg file you saved earlier on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

13. Open Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

14. Locate Hoster on your desktop, press Restore Original Hosts and press OK. Exit Program. This will restore the Hosts file.


locate those files you renamed earlier, zip the files, password protect the zip file and send them as an attachment to illukkaATdslr.net (replace AT with @)

see this link for how to create a password-protected zip file

after sending the files go ahead and delete them

go to http://housecall.trendmicro.com/housecall/start_corp.asp
to do an online virus scan, set it to auto clean



15. REBOOT normally. Run HijackThis! again and post a new log please.
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
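The reading of the log that the fix above rests on (svchosttt.exe sitting beside the real svchost.exe, an O4 Run entry that names a bare file with no path, a Trusted Zone addition, an O16 DPF object loaded from a local file, a populated AppInit_DLLs value) can be written down as checks that run over a saved log. The following Python is an added example for this thread, not code from the thread or from HijackThis; the system-binary list, the edit-distance threshold and the "random-looking name" rule are my assumptions, and the excerpt it runs on is copied from the first log posted above.

```python
"""Triage a HijackThis v1.98 log for the entry types worked through in this thread.

Added illustration; the heuristics are assumptions, not HijackThis' own logic.
Usage: python hjt_triage.py [path-to-hijackthis.log]  (runs on the excerpt if no path)
"""
import re
import sys
from typing import Dict, List, Optional

# Excerpt of the first log posted in this thread (copied, not constructed).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchosttt.exe
C:\WINDOWS\System32\72bxue3j77wuthd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321001
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\X4ED5Z~1.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NDIS Adapter] svchosttt.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\72bxue3j77wuthd.exe
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{20FD2951-2CC1-4702-AB67-0D128774A80E}: NameServer = 202.144.96.4 202.144.50.4
O20 - AppInit_DLLs: 11s538o3bbrn2tll.dll.dll.dll.dll
"""

# Core Windows binaries whose names malware is often modelled on (assumed list).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """The system binary this name imitates (distance 1-2), or None if exact or unrelated."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    nearest = min(SYSTEM_BINARIES, key=lambda real: edit_distance(name, real))
    return nearest if edit_distance(name, nearest) <= 2 else None


def looks_random(filename: str) -> bool:
    """Stem mixes at least three digits with at least three letters (72bxue3j77wuthd.exe)."""
    stem = filename.rsplit(".", 1)[0]
    return sum(c.isdigit() for c in stem) >= 3 and sum(c.isalpha() for c in stem) >= 3


def basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip('"'))[-1]


def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per suspicious line: {'kind': reason, 'line': the log line}."""
    findings: List[Dict[str, str]] = []

    def flag(kind: str, line: str) -> None:
        findings.append({"kind": kind, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        entry = re.match(r"^(R\d|O\d+) - (.*)$", line)
        if not entry:
            # A bare drive path outside the Rn/On sections is a "Running processes" line.
            if re.match(r"^[A-Za-z]:\\", line):
                name = basename(line)
                if lookalike_of(name):
                    flag(f"process imitates {lookalike_of(name)}", line)
                elif looks_random(name):
                    flag("process with random-looking name", line)
            continue
        section, body = entry.groups()
        if section in ("R0", "R1"):
            host = re.search(r"https?://([^/\s]+)", body)
            if host:
                flag(f"start/search page set to {host.group(1)}", line)
        elif section == "O2" and ("(no name)" in body or looks_random(basename(body))):
            flag("BHO with no name or random file name", line)
        elif section == "O4":
            target = re.search(r'\]\s*("[^"]*"|\S+)', body)  # command after the [name]
            if target:
                cmd = target.group(1).strip('"')
                if not re.match(r"^[A-Za-z]:\\", cmd):
                    flag("autorun given without a full path", line)
                if lookalike_of(basename(cmd)):
                    flag(f"autorun imitates {lookalike_of(basename(cmd))}", line)
                elif looks_random(basename(cmd)):
                    flag("autorun with random-looking name", line)
        elif section == "O10":
            flag("Winsock LSP hijack", line)
        elif section == "O15":
            flag("trusted zone addition", line)
        elif section == "O16" and re.search(r"\b(file|ms-its):", body, re.I):
            flag("DPF object loaded from local file or CHM", line)
        elif section == "O17":
            flag("custom DNS servers: confirm they belong to the ISP", line)
        elif section == "O20" and body.split(":", 1)[1].strip():
            kind = "AppInit_DLLs set"
            if ".dll.dll" in body.lower():
                kind += " (repeated .dll extension)"
            flag(kind, line)
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f['kind']}] {f['line']}")
```

The edit-distance check is what separates svchosttt.exe from svchost.exe and winlogin.exe from winlogon.exe without a signature for either; the exact system names are excluded first so the legitimate processes in the log produce no findings.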

#3 tan16

  • Topic Starter
  • Members
  • 12 posts

Posted 01 December 2004 - 07:08 AM

i cannot download the hoster; when i try to open it, it says the file is corrupted.
Also, do i have to download all of this software? my connection is very very slow and it takes ages for it to download. i already have norton antivirus and spybot; i also have downloaded killbox and cw shredder.
thanks tan

#4 tan16

  • Topic Starter
  • Members
  • 12 posts

Posted 01 December 2004 - 07:12 AM

i just downloaded security suite but i got the same error message as i did for the hoster

#5 illukka

    retar.. erm retired!

  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 01 December 2004 - 08:51 AM

hi

it can be that the nasties have slowed down your connection, they also use a great deal of system resources

please can you post a new log so i can see what is the situation now, and if the above fix failed

to clean temp files you can use this batch file:

copy the contents of the code box below into notepad,
save as clean.bat, save as type "all files"

rem clean.bat: delete temp files; answer Y when del asks "Are you sure (Y/N)?"
del c:\*.tmp
del %temp%\*.tmp /f
del %windir%\prefetch\*.*
del %windir%\temp\*.* /f
rem del does not accept a wildcard in the directory part, so loop over each profile folder
for /d %%u in ("C:\Documents and Settings\*") do del /f "%%u\Local Settings\Temp\*.*"

then locate clean.bat and doubleclick it to clean temp files

answer y(es) when prompted

and post the new log :D

#6 tan16

  • Topic Starter
  • Members
  • 12 posts

Posted 04 December 2004 - 03:02 AM

I did everything but it has not helped; in fact, now i cannot even access this website from my computer. Also, the website that i am redirected to has changed: it is kita-search.

here is the latest hjt log
Logfile of HijackThis v1.98.2
Scan saved at 1:11:45 PM, on 12/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tanya\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\ZMJZ4Y~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20FD2951-2CC1-4702-AB67-0D128774A80E}: NameServer = 202.144.13.50 202.144.50.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{20FD2951-2CC1-4702-AB67-0D128774A80E}: NameServer = 202.144.13.50 202.144.50.4
O20 - AppInit_DLLs: 449pg7uku0.dll

please help, i need to have my comp fixed really fast
tan

#7 illukka

    retar.. erm retired!

  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 04 December 2004 - 05:34 AM

hi

click start >> control panel > add/remove programs. look for entries of new.net or newdotnet and uninstall it



reboot

We don't normally recommend running two antivirus programs together. The program I am going to tell you to install has been successful removing this particular variant in the past.

Could you disable norton antivirus for now and go here to download the free version of Grisoft's AVG AntiVirus program.

Install the program, check for updates and scan your system allowing it to remove whatever it finds.

Download KillBox here: KillBox. Unzip it to your desktop.

Start Killbox.exe

Select the Delete on reboot option.

Copy and paste each of the following file(s) to the address bar:
C:\WINDOWS\System32\ZMJZ4Y~1.DLL


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

C:\WINDOWS\System32\449pg7uku0.dll

After each file press the Delete button (the button that looks like a red circle with a white X in it).

A dialog box will ask if you want to delete and reboot now - on all but the last file, answer No
For the last file (or first, if only one file), answer Yes

On restart, verify that the files have been deleted.

Run HijackThis!, press Scan, and put a check mark next to all these:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\ZMJZ4Y~1.DLL
O20 - AppInit_DLLs: 449pg7uku0.dll

Close all other windows and browsers, and press the Fix Checked button.

REBOOT and post a new log please.

#8 tan16

  • Topic Starter
  • Members
  • 12 posts

Posted 04 December 2004 - 11:04 AM

hi again
i cannot download the antivirus software you told me to. When i follow the email link i keep getting redirected to the swapx page and then Internet Explorer says there is an error and it has to close. is there anything else i can do?

#9 illukka

    retar.. erm retired!

  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 04 December 2004 - 12:20 PM

download and install an alternate browser from here
http://www.mozilla.org/products/firefox/

use it to download the stuff
then do the fix as posted above

good luck!

#10 tan16

  • Topic Starter
  • Members
  • 12 posts

Posted 05 December 2004 - 12:03 AM

i have at least 15 different files in my system32 folder with weird names like the ones you told me to delete that have been added recently. should i delete all of them? some of them have the extension .bak, some .dll. should i send you the names?

#11 illukka

    retar.. erm retired!

  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 05 December 2004 - 03:08 AM

hi
first is your home page now what it's supposed to be?

to get the file names:

Open Notepad (Start>All Programs>Accessories>NotePad)
Copy/paste the following quote (bold) to Notepad:


@echo off
rem find_bad_dlls.bat: list System32 files whose name ends in a doubled .dll extension
if exist %SYSTEMDRIVE%\baddlllist.txt del %SYSTEMDRIVE%\baddlllist.txt
dir %SYSTEMROOT%\System32\*.dll.dll > %SYSTEMDRIVE%\baddlllist.txt
rem open the result in Notepad so it can be copied into the thread
notepad %SYSTEMDRIVE%\baddlllist.txt
cls
exit


-Go up to the Notepad File menu, and select: Save As
-In the Save As dialogue box:
--Save in: Desktop
--File Name: find_bad_dlls.bat
--Save as Type: use right side arrow to select: All Files
-Click: Save button

Now, go to the Desktop
-Double click on find_bad_dlls.bat
-A baddlllist - NotePad text will appear with the contents of: Directory of C:\WINDOWS\System32
-Copy and paste the contents of the resulting text file and post them back to this thread


you can safely delete those with .bak extensions

Edited by illukka, 05 December 2004 - 03:12 AM.


#12 tan16

  • Topic Starter
  • Members
  • 12 posts

Posted 07 December 2004 - 05:29 AM

the homepage is not what it is supposed to be yet. will this all go away if i re-install Internet Explorer? I am still trying to download the anti-virus software.
here are the file names

Volume in drive C has no label.
Volume Serial Number is 646C-19C6

Directory of C:\WINDOWS\System32

12/04/2004 01:11 PM 6,656 zweco5t24mlmhy2.dll.dll.dll.dll.dll.dll.dll
12/04/2004 01:11 PM 6,656 1xpy7esv5jt7r92.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
12/04/2004 01:11 PM 6,656 kygzn2rs5rm6n92.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
12/04/2004 01:11 PM 6,656 ph4oum8nmpv7v22.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
12/06/2004 06:00 PM 6,656 38dir7zjzggb4dll.dll.dll
12/04/2004 01:11 PM 6,656 mxtf69vndc4tu22.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
12/04/2004 01:11 PM 6,656 xbnehrd8vsjbr92.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
12/04/2004 01:11 PM 6,656 725ne8j9gu61b12.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
12/04/2004 01:11 PM 6,656 umu65uzcccv7v22.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
12/04/2004 01:11 PM 6,656 94clouudp738u22.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
12/04/2004 01:11 PM 6,656 86xkzz5s8t54u22.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
12/04/2004 01:11 PM 6,656 v1h827hl5cxdss2.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
12/04/2004 01:11 PM 6,656 7z5ssf7plk3lsj2.dll.dll
13 File(s) 86,528 bytes
0 Dir(s) 13,679,001,600 bytes free
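The listing above is the output of find_bad_dlls.bat: thirteen files of exactly 6,656 bytes, twelve of them written in the same minute, under names that differ only in their random stem and in how many times ".dll" is repeated. Because those names are regenerated at every reboot (a point made later in the thread), matching on the name alone is fragile; size and timestamp identify the family regardless. The Python below is an added example, not part of the thread: it parses the `dir` output and groups rows by size and timestamp. Four rows are copied from the listing above; `example_ok.dll` and `abc123xyz.dll` are constructed rows standing for an ordinary DLL and for a dropped file renamed without the doubled extension.

```python
"""Parse the 'dir' listing produced by find_bad_dlls.bat and group the dropped files
by size and timestamp instead of by name.

Added illustration for this thread, not code from it; the grouping rules are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Four rows copied from the listing posted above, plus two constructed rows:
# example_ok.dll stands for an ordinary system DLL, abc123xyz.dll for a dropped
# file that was renamed on reboot and no longer carries the doubled extension.
SAMPLE_LISTING = r""" Volume in drive C has no label.
 Volume Serial Number is 646C-19C6

 Directory of C:\WINDOWS\System32

12/04/2004 01:11 PM 6,656 zweco5t24mlmhy2.dll.dll.dll.dll.dll.dll.dll
12/04/2004 01:11 PM 6,656 kygzn2rs5rm6n92.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
12/06/2004 06:00 PM 6,656 38dir7zjzggb4dll.dll.dll
12/04/2004 01:11 PM 6,656 7z5ssf7plk3lsj2.dll.dll
08/23/2001 12:00 PM 36,864 example_ok.dll
12/07/2004 09:05 AM 6,656 abc123xyz.dll
 6 File(s) 70,144 bytes
"""


class FileEntry(NamedTuple):
    date: str
    time: str
    size: int
    name: str


# date, time, size with thousands separators, name; <DIR> rows fail the size group.
DIR_ROW = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text: str) -> List[FileEntry]:
    """Return the file rows of a Windows 'dir' listing; header and summary rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = DIR_ROW.match(line)
        if m:
            date, time, size, name = m.groups()
            rows.append(FileEntry(date, time, int(size.replace(",", "")), name))
    return rows


def extension_count(name: str, ext: str = ".dll") -> int:
    """Number of times ext is repeated at the end of name: 'x.dll.dll.dll' -> 3."""
    lower, n = name.lower(), 0
    while lower.endswith(ext):
        lower, n = lower[: -len(ext)], n + 1
    return n


def suspicious(rows: List[FileEntry]) -> List[FileEntry]:
    """Rows matching what the batch file searches for: a doubled (or longer) .dll extension."""
    return [r for r in rows if extension_count(r.name) >= 2]


def families(rows: List[FileEntry]) -> Dict[Tuple[int, str, str], List[str]]:
    """Group names sharing size and timestamp; one payload written under many random
    names shows up as such a cluster whatever the names happen to be."""
    groups: Dict[Tuple[int, str, str], List[str]] = defaultdict(list)
    for r in rows:
        groups[(r.size, r.date, r.time)].append(r.name)
    return {k: v for k, v in groups.items() if len(v) > 1}


def same_size_as_suspicious(rows: List[FileEntry]) -> List[str]:
    """Ordinary-looking names with exactly the size of a suspicious file; this is how
    to re-find the set after a reboot has regenerated the names."""
    bad_sizes = {r.size for r in suspicious(rows)}
    return [r.name for r in rows if r.size in bad_sizes and extension_count(r.name) < 2]


if __name__ == "__main__":
    rows = parse_dir_listing(SAMPLE_LISTING)
    print("doubled-extension files:", [r.name for r in suspicious(rows)])
    print("same size, plain name:", same_size_as_suspicious(rows))
    for key, names in families(rows).items():
        print("family", key, "->", len(names), "files")
```

On a real listing, save the batch file's baddlllist.txt and pass its text to `parse_dir_listing`; a file in `same_size_as_suspicious` is one the `*.dll.dll` wildcard in the batch file would no longer catch.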

#13 illukka

    retar.. erm retired!

  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 07 December 2004 - 06:20 AM

hi

getting avg is essential for this fix to work, it's a small file, can you download it using someone else's computer, then burn it to a cd, or use a USB drive to transfer it to your comp.

please post a fresh hijackthis log, and a fresh list of bad dlls

From the moment you post the find_bad_dll log do not shut down your computer! Doing so will cause the file names to change and the fix to fail.



