Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

About:Blank + something else [RESOLVED]


  • This topic is locked This topic is locked

#1
tkl7

tkl7

    Member

  • Member
  • PipPip
  • 19 posts
Hi,

I am sorry if this issue has already been posted, but something nasty is infecting my computer: my internet explorer will not run. something keeps killing my Trend Micro antivirus, all the shortcuts in my start menu have been erased and I can't access control panel to add or remove programs. I had a dialer program that was in my start up file, which I stopped by using msconfig. otherwise I am at a loss. I have a couple of suspicious files "ieyh.dll"in my C: and "yaaa.dll" in system32.


Logfile of HijackThis v1.99.1
Scan saved at 11:19:18 PM, on 4/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCMAIN.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Pccspyui.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCP.EXE
C:\Documents and Settings\Default\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {56F232CB-1514-101F-ABB5-2926D33A1BD3} - C:\WINDOWS\system32\netbb32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [MMTrayLSI] C:\WINDOWS\System32\MMTrayLSI.exe
O4 - HKLM\..\Run: [MMTray2K] C:\WINDOWS\System32\MMTray2k.exe
O4 - HKLM\..\Run: [MMTray] C:\WINDOWS\System32\MMTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {80546E66-AFAF-444B-A3AF-FCB7BB13D7C9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {80546E66-AFAF-444B-A3AF-FCB7BB13D7C9} - (no file) (HKCU)
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please do not double post. I closed your other topic.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download FixAgent http://www.greyknigh...py/FixAgent.zip and unzip it. Run FixAgent.exe. It should fix something. If nothing is fixed, skip to the next step for the HijackThis fixes. If something is found, also download home_missing_114 http://www.greyknigh...missing_114.zip and unzip it. Run the Home winkey missing batch file. Remember: ONLY run home_missing_114 if FixAgent found something.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {56F232CB-1514-101F-ABB5-2926D33A1BD3} - C:\WINDOWS\system32\netbb32.dll
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=1c00&lc=0409 (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {80546E66-AFAF-444B-A3AF-FCB7BB13D7C9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {80546E66-AFAF-444B-A3AF-FCB7BB13D7C9} - (no file) (HKCU)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

msmsgs.exe - look for this in the system32 folder
C:\WINDOWS\system32\netbb32.dll

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.
  • 0

#3
tkl7

tkl7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Thank you, greyknight17. I have followed your instructions and have the following log. I still have 2 blank folders on my desktop, one of which, I believe used to be outlook. IE is now blank page, with no address bar. no shortcuts under "programs" on the start menu, and I cannot access most programs simply by clicking.

Logfile of HijackThis v1.99.1
Scan saved at 11:32:41 PM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Documents and Settings\Default\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [MMTrayLSI] C:\WINDOWS\System32\MMTrayLSI.exe
O4 - HKLM\..\Run: [MMTray2K] C:\WINDOWS\System32\MMTray2k.exe
O4 - HKLM\..\Run: [MMTray] C:\WINDOWS\System32\MMTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Check and fix this in HijackThis:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =


Open up IE and set yuor homepage now. Just right click anywhere on the toolbar in IE and make sure that Address bar is checked. If it is already checked, make sure that the Address bar is not shrunk by mistake. You should be able to see at least the word "Address" if it was shrunk.

What problems are you having with programs? Most programs? Not all?

Download this file and unzip it. Run the .reg file and say Yes.

See if that will fix up the program problem. If not:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.
  • 0

#5
tkl7

tkl7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I'll do this when I get home tonight - I am at work now. The problem with starting programs seems to be related to the deletion of all my shortcuts on the start/programs/ menu. I think the desktop shortcuts may be corrupted. (not including Hijack This, which I downloaded after the attack. I can access the programs by going through the My Computer folder, which is how I am able to access Netscape and ad-aware.

I think when I started the IE browser, it automatically starts downloading something. I think the source IP of the download has been shut down, though, and IE crashes after the download fails.
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, post the logs when you get home.
  • 0

#7
tkl7

tkl7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
OK, the list is pretty long. Also, I cannot get an address bar in IE. In fact, I cannot change the home page with IE open. when I try to change it through right clicking on the icon on the desktop, I can, but when I open IE, it is killed immediately and I get a message saying that my current security settings will not allow the download - I think IE is automatically redirecting to a malicious IP.


File System Found infected by "myway Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "CMEII Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "GMT Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Narrator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "bearshare Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "P2P Networking Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.therealsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.smartsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mruninst.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\System32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\SYSTEM32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mruninst.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Common Files\GMT\EGGCEngine.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\GMT\egIEEngine.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\GMT\EGIEProcess.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\GMT\EGNSEngine.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\GMT\GatorRes.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\GMT\GatorStubSetup.exe infected by "not-a-virus:AdWare.Gator.6034" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\GMT\GUninstaller.exe infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\CMEIIAPI.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GAppMgr.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GController.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GDwldEng.dll infected by "not-a-virus:AdWare.Gator.3124" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GIocl.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GIoclClient.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GMTProxy.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GObjs.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GStore.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\GStoreServer.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\CMEII\Gtools.dll infected by "not-a-virus:AdWare.Gator.6041" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\LimeShop\LimeShop.exe infected by "not-a-virus:AdWare.TopMoxie.e" Virus. Action Taken: No Action Taken.
File C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE infected by "not-a-virus:AdWare.Toolbar.MyWay.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.m" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP574\A0061855.dll infected by "not-a-virus:AdWare.Gator.5017" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP574\A0061860.exe infected by "not-a-virus:AdWare.Gator.5115" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP574\A0061871.exe infected by "not-a-virus:AdWare.Gator.5115" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP581\A0061936.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP582\A0061945.exe infected by "not-a-virus:AdWare.Gator.6034" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP582\A0061951.exe infected by "Trojan-Downloader.Win32.Keenval" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP582\A0061958.dll infected by "not-a-virus:AdWare.BrilliantDigital.3039" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP582\A0061960.dll infected by "not-a-virus:AdWare.Altnet.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP582\A0061961.dll infected by "not-a-virus:AdWare.Altnet.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP582\A0061963.dll infected by "not-a-virus:AdWare.Altnet.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP582\A0061964.dll infected by "not-a-virus:AdWare.Altnet.i" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP582\A0061966.exe infected by "not-a-virus:AdWare.Altnet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP582\A0061976.exe infected by "not-a-virus:AdWare.TopMoxie.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP582\A0062003.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP583\A0062029.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP583\A0062037.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP583\A0062092.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP584\A0062103.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP584\A0062107.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP584\A0062108.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP584\A0062113.exe infected by "Trojan-Clicker.Win32.Agent.cr" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C2B0F233-ED62-4676-A72A-2C88F71F23F7}\RP584\A0062118.exe infected by "Trojan.Win32.Favadd.u" Virus. Action Taken: No Action Taken.
File D:\Program Files\Kazaa\TopSearch.dll infected by "not-a-virus:AdWare.Altnet.c" Virus. Action Taken: No Action Taken.
File D:\SE3DSetup.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I highly recommend that you get rid of the P2P programs since they are not good. Most contribute to these infections.

Download KazaaBegone http://www.greyknigh...KazaaBegone.zip. This uninstaller will remove all elements from all Kazaa versions, as well as all of the bundled software that comes with it. Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. Before using KazaaBegone, download WinsockFix http://www.greyknigh.../WinsockFix.zip just in case you need it (if it breaks your internet connection).

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Uninstall these from the Add/Remove panel if listed:

MyWay
GMT
CMEII
BearShare
Kazaa
P2P Networking
LimeShop/Limewire


Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Now uncheck the same box to enable System Restore.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\SYSTEM32\wldr.dll
C:\Program Files\Common Files\GMT\
C:\Program Files\Common Files\CMEII\
C:\Program Files\LimeShop\
D:\Program Files\Kazaa\
C:\Program Files\MyWay\


Restart and give me a new HijackThis and mwav log.
  • 0

#9
tkl7

tkl7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
OK, when I access the add/remove programs, it does not list any of the programs installed on my computer (I can't run it from start menu) It seems like windows doesn't think there is anything installed on this computer? If I try to add a program, it says something about an error in rundll... DO I need to reinstall windows? IE still wont start without trying to download something that isn't there and it kills itself. And I still have the 2 mystery folders on my desktop.


Logfile of HijackThis v1.99.1
Scan saved at 10:54:35 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\Documents and Settings\Default\Desktop\HijackThis.exe

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, did you disable and then enable system restore yet? Is the mwav scan now clean?

Let's run the system file check since your log is now clean. Go to Start->Run and type in sfc /scannow and hit OK. Let that scan run. If it doesn't find anything, it will close by itself. If it finds a missing/corrupted file, it will ask you for the Windows CD so that it can copy the file over.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#11
tkl7

tkl7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
IE still doesn't work. I can't reinstall it, because every time I try, the installer claims there is a newer version installed. I can't uninstall what I have on here, becuase it says the unistaller is corrupted. Control Panel still doesn't work because of the rundll problem
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
There's a problem installing/repairing IE when SP2 is installed. I haven't looked into this problem myself, but try asking this question in the Windows forums. They should better assist you over there.

If the problem is resolved there, then post back telling me so that I can close this topic.
  • 0

#13
tkl7

tkl7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
OK, I'll try there. as long as the virus is gone, it seems like it is more of a windows problem to undo any damage. It probably just went through and set all of my files to "read only" or something. Thanks for your help.
  • 0

#14
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP