
I hope you guys are the Silver Bullet for this Werewolf!


18 replies to this topic

#1 The Rain King

The Rain King

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:02 AM

Posted 21 December 2004 - 11:17 AM

Hi Guys,
I've got an Internet Explorer hijacker I've had for about a week now. I've tried everything I know of and everything I've found out there to kill it with no success. I found you guys and I installed the "HijackThis" program and read my computer. I'm pretty sure I can pick out the problem items since I recognize some of the titles and explanations for what they are, but to be on the safe side I wanted to get an opinion from you guys before I did anything. So I'll post my log below. I really hope this finally works. My hair is going white from the strain and anger.....lol...Please post a reply as soon as possible...Thanx!

The Rain King


Logfile of HijackThis v1.98.2
Scan saved at 10:52:15 AM, on 12/21/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\AGRSMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\IPCFG.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
C:\QUICKENW\QWDLLS.EXE
C:\SLIDESHW\SNSICON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\GOOGLETOOLBARINSTALLER.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {46504833-168C-4EB8-C028-DE6C21CB5E0B} - xwiz.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {0388EC16-BA98-416f-9D9B-B9A031E427AF} - C:\WINDOWS\SYSTEM\rdxyt6vf4x.dll (file missing)
O2 - BHO: (no name) - {9D27B19A-2978-4737-B429-89174DFD9882} - C:\WINDOWS\SYSTEM\KEO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IECUST.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [FX] C:\WINDOWS\DOWNLOADED PROGRAM FILES\IELOADER.EXE
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [MONITER] utsgmon.exe
O4 - HKLM\..\Run: [msag] MNTP.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKCU\..\Run: [ABCXYZ] AppMasterCenter.exe
O4 - HKCU\..\Run: [MNTP] nmdllw.exe
O4 - HKCU\..\Run: [dialer423] slamm.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: Snsicon.lnk = C:\SLIDESHW\Snsicon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {25DFA659-9231-457F-A6B9-32D8461ECA54} - C:\WINDOWS\SYSTEM\KEO.DLL
O18 - Filter: text/plain - {25DFA659-9231-457F-A6B9-32D8461ECA54} - C:\WINDOWS\SYSTEM\KEO.DLL


 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,592 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:10:02 AM

Posted 21 December 2004 - 09:10 PM

You are using an outdated version of HijackThis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Please do the following:

Download the program FindNFix from the following location:

http://www10.brinkster.com/expl0iter/freeatlast/FNF/

Once it is downloaded, double-click on the file to run it. Follow the prompts to install the program. Once it is installed a window will open up showing the installation directory and a bunch of files in the right section of the window.

On the right portion of the window look for the file called !LOG!.bat and double-click on it. It will scan through your computer for a while, so be patient. When it is completed it will automatically open a notepad window called Log.txt.

Copy the contents of that file into a reply to this post.

#3 The Rain King

The Rain King
  • Topic Starter


Posted 22 December 2004 - 04:49 PM

Hi Grinler,
Thanx for responding so quick. OK..problem..Did you expect anything else?...lol..I downloaded the FindNFix thing you said to download...opened it..double clicked the LOG file..but a window flashed open and shut fast then I got an error message saying...."Winoldap has caused an error in IPHLPAPI.DLL". What do you think is happening? Incidentally...This is a message I see regularly since this started, whenever I reboot or when I try to run some programs...it'll say whatever I'm running has caused an error in that file. I am completely lost...lol....What do you think?...Hope you can reply soon...and thanx again

The Rain King

#4 Grinler

Grinler


Posted 22 December 2004 - 07:50 PM

Hi. Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double-click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section, the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.

#5 The Rain King

The Rain King

Posted 24 December 2004 - 12:16 PM

Did what you said...all that happened was it came up with 3 files...2 regular files; Drivers.desc.and Drivers32..and a file that looks like torn paper that has AB written on it and says (default) in the description. Incidentally nothing happened pressing enter..I had to hit the go button at the top...maybe that's what you meant. Anyway what now?

#6 Grinler

Grinler


Posted 24 December 2004 - 04:08 PM

When you open registry lite and paste the following into the address field and press enter:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

You do not see in the right hand side of the program window a key highlighted that says appinit_dlls?

#7 The Rain King

The Rain King

Posted 24 December 2004 - 08:36 PM

Nope..only the three files I listed in the last post. I am also starting to get a prompt that says Spool 32 is causing problems and will shut down. I've never seen this before. This has just started today. Beats me what's going on. Anyway MERRY CHRISTMAS.....LOL

#8 Grinler

Grinler


Posted 25 December 2004 - 11:14 PM

Please follow these steps:

Step 1:

1. Click on Start, then Run and type msinfo32 and press the OK button.
2. Expand the Software Environment section.
3. Expand the System Hooks Section.
4. Look for the file, which may be listed as:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If you find that file, highlight it with your mouse and click on edit then copy to copy the filename.

Then post that filename with the information in the next step in a reply to this post.

5. Continue to Step 2.

Step 2:

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the unmark all button.

6. Then put checkmarks in the following checkboxes:

Under Registry put a checkmark in the Run Keys checkbox.

Under System/Drivers put a check in the Running Process checkbox.

7. Press the OK button.

8. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

9. Post a copy of the log as a reply to this post.

#9 The Rain King

The Rain King

Posted 26 December 2004 - 11:18 PM

There is no "System Hooks" section...could be called something else?

#10 Grinler

Grinler


Posted 26 December 2004 - 11:23 PM

Do the startdreck log

#11 The Rain King

The Rain King

Posted 28 December 2004 - 07:04 AM

Ok Grinler.....here's the Startdreck log:


StartDreck (build 2.1.7 public stable) - 2004-12-28 @ 07:03:45 (GMT -05:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 5.50.4134.0100
Logged in as user at Q5P7V6

Registry
Run Keys
Current User
Run
*ABCXYZ=AppMasterCenter.exe
*MNTP=nmdllw.exe
*dialer423=slamm.exe
*McAfee.InstantUpdate.Monitor="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
RunOnce
Default User
Run
*ABCXYZ=AppMasterCenter.exe
*MNTP=nmdllw.exe
*dialer423=slamm.exe
*McAfee.InstantUpdate.Monitor="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
RunOnce
Local Machine
Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*AGRSMMSG=AGRSMMSG.exe
*RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
*FX=C:\WINDOWS\DOWNLOADED PROGRAM FILES\IELOADER.EXE
*MSUpdSrv=msupdsrv.exe
*C:\WINDOWS\IPCFG.EXE=C:\WINDOWS\IPCFG.EXE
*MONITER=utsgmon.exe
*msag=MNTP.exe
*McAfee Guardian="C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
*AOL Spyware Protection="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
RunOnce
RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*McAfeeVirusScanService=C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
*McAfee Firewall="C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
RunServicesOnce
**imt=rundll32 C:\WINDOWS\SYSTEM\KBD.DLL,StreamingDeviceSetup
RunOnceEx
RunServicesOnceEx
Files
System/Drivers
Running Processes
+FFEFE409=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFA2E9=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE0329=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE0B75=C:\WINDOWS\AGRSMMSG.EXE
+FFFE1829=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEDD81=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEFAF5=C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
+FFFE99E1=C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
+FFFDDD15=C:\WINDOWS\RUNDLL32.EXE
+FFFD2F15=C:\WINDOWS\EXPLORER.EXE
+FFFCC575=C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
+FFFC331D=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFC8ED1=C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
+FFFBD5BD=C:\WINDOWS\TASKMON.EXE
+FFFA4775=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFBF7F5=C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
+FFFA7B09=C:\WINDOWS\IPCFG.EXE
+FFFA14C1=C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
+FFFACF89=C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
+FFFAC055=C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
+FFF9556D=C:\QUICKENW\QWDLLS.EXE
+FFFAFC9D=C:\SLIDESHW\SNSICON.EXE
+FFF89091=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
+FFF8B165=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
+FFFBEA95=C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLTRAY.EXE
+FFF844FD=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF966B5=C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
+FFE7C61D=C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
+FFE73801=C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
+FFE734D9=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFE40DED=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFE3055D=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFE32259=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFE03879=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
Application specific

#12 Grinler

Grinler


Posted 28 December 2004 - 01:55 PM

Can you please zip and email the following files to grinler@yahoo.com:

C:\WINDOWS\SYSTEM\IECUST.DLL
C:\WINDOWS\DOWNLOADED PROGRAM FILES\IELOADER.EXE
When you email me, please include a link to this topic. In your reply let us know if you sent the files.

Thanks


1. Go to the site: http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

2. Download Win98Fix.zip and extract it into c:\win98fix.

3. Navigate to the c:\win98fix folder and double-click on RunFix.reg. If it prompts you to allow it to run, say Yes.

4. When that is done reboot your computer.

5. Now find C:\WINDOWS\SYSTEM\KBD.DLL which should be visible now and delete the file.

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {46504833-168C-4EB8-C028-DE6C21CB5E0B} - xwiz.dll (file missing)
O2 - BHO: (no name) - {0388EC16-BA98-416f-9D9B-B9A031E427AF} - C:\WINDOWS\SYSTEM\rdxyt6vf4x.dll (file missing)
O2 - BHO: (no name) - {9D27B19A-2978-4737-B429-89174DFD9882} - C:\WINDOWS\SYSTEM\KEO.DLL
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IECUST.DLL
O4 - HKLM\..\Run: [FX] C:\WINDOWS\DOWNLOADED PROGRAM FILES\IELOADER.EXE
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [MONITER] utsgmon.exe
O4 - HKLM\..\Run: [msag] MNTP.exe
O4 - HKCU\..\Run: [ABCXYZ] AppMasterCenter.exe
O4 - HKCU\..\Run: [MNTP] nmdllw.exe
O4 - HKCU\..\Run: [dialer423] slamm.exe
O18 - Filter: text/html - {25DFA659-9231-457F-A6B9-32D8461ECA54} - C:\WINDOWS\SYSTEM\KEO.DLL
O18 - Filter: text/plain - {25DFA659-9231-457F-A6B9-32D8461ECA54} - C:\WINDOWS\SYSTEM\KEO.DLL

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\SYSTEM\KEO.DLL
C:\WINDOWS\SYSTEM\IECUST.DLL
C:\WINDOWS\DOWNLOADED PROGRAM FILES\IELOADER.EXE
c:\windows\system\msupdsrv.exe
C:\WINDOWS\IPCFG.EXE
c:\windows\system\utsgmon.exe
c:\windows\system\MNTP.exe
c:\windows\system\AppMasterCenter.exe
c:\windows\system\nmdllw.exe
c:\windows\system\slamm.exe
C:\WINDOWS\SYSTEM\KEO.DLL

Reboot your computer to go back to normal mode and post a new log.
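
Added example, not part of the thread and not the helper's own method: a small Python parser for the HijackThis entry lines posted above, which splits each line into section code, CLSID and target, then attaches review prompts. The function names and the four heuristics (missing file, external IE search URL, autorun without a full path, one module registered as a MIME filter and under another hook) are assumptions chosen for illustration; they mark entries to look at and will also flag some legitimate ones.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted earlier in this thread (subset for the demo).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R3 - URLSearchHook: (no name) - {46504833-168C-4EB8-C028-DE6C21CB5E0B} - xwiz.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {9D27B19A-2978-4737-B429-89174DFD9882} - C:\WINDOWS\SYSTEM\KEO.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [dialer423] slamm.exe
O18 - Filter: text/html - {25DFA659-9231-457F-A6B9-32D8461ECA54} - C:\WINDOWS\SYSTEM\KEO.DLL
O18 - Filter: text/plain - {25DFA659-9231-457F-A6B9-32D8461ECA54} - C:\WINDOWS\SYSTEM\KEO.DLL
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = " (file missing)"

def parse_log(text):
    """Split each entry line into section code, CLSID (if any) and target."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)]
        clsid = CLSID.search(body)
        if code == "O4":   # "...Run: [name] command" or "Startup: x.lnk = path"
            target = re.split(r"\] | = ", body, maxsplit=1)[-1]
        elif clsid:        # "... - {CLSID} - module"
            target = body[clsid.end():].lstrip(" -")
        else:              # "key,value = data"
            target = body.split(" = ", 1)[-1]
        entries.append({"code": code, "clsid": clsid.group(0) if clsid else None,
                        "target": target, "missing": missing, "raw": line.strip()})
    return entries

def program_of(command):
    """First token of an autorun command, honouring a quoted path."""
    return command.split('"')[1] if command.startswith('"') else command.split()[0]

def triage(entries):
    """Return {raw line: [reasons]}. Reasons are review prompts, not verdicts."""
    hooks = defaultdict(set)   # module path -> section codes that load it
    for e in entries:
        if e["clsid"]:
            hooks[e["target"].upper()].add(e["code"])
    flagged = defaultdict(list)
    for e in entries:
        codes = hooks.get(e["target"].upper(), set())
        if e["missing"]:
            flagged[e["raw"]].append("registration points at a missing file")
        if e["code"] in ("R0", "R1") and e["target"].lower().startswith("http"):
            flagged[e["raw"]].append("IE setting points at " + e["target"].split("/")[2])
        if e["code"] == "O4" and "\\" not in program_of(e["target"]):
            flagged[e["raw"]].append("autorun has no full path; locate the file on disk")
        if "O18" in codes and len(codes) > 1:
            flagged[e["raw"]].append("module is a MIME filter and also loaded via "
                                     + ", ".join(sorted(codes - {"O18"})))
    return dict(flagged)

if __name__ == "__main__":
    for raw, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(raw, "->", "; ".join(reasons))
```
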

#13 The Rain King

The Rain King

Posted 29 December 2004 - 08:39 AM

Ok..I think I've got your instructions straight. I don't have a printer so I'm going to run to my brother's house tonight and print them out to follow so I don't screw anything up. I'm just curious though..Why do you want me to mail those two files to you?

#14 Grinler

Grinler


Posted 29 December 2004 - 11:00 AM

I am curious to see what they do when I infect myself with them :thumbsup:

#15 The Rain King

The Rain King

Posted 31 December 2004 - 11:56 AM

Man I think you must be nuts...lol...Anyway I'm not sure what you want me to send you..Are you just wanting a text file of the contents of those files or what? And to be honest I've never mailed a ZIP file.....lol..it's true...how do I do that? Anyway let me know what you want me to do as soon as you can because if I understand right you want the files before I fix anything...correct?...Anyway get back to me

(feeling pretty stupid)
The Rain King



