Trojan-Spy.HTML.Smitfraud [RESOLVED]


  • This topic is locked

#16
Michelle


    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Go ahead and zip up wp.exe and wp.bmp and send them to the address listed above. :tazz:

Thanks for looking for them!
  • 0



#17
joshuageeks6999

    Member

  • Topic Starter
  • 91 posts
hmmmm...files sent to the email address...i see you're hard at work on the same problem with others!!

Does the Xoftspy issue mentioned in the other thread pose a threat?

...hope i didn't lose too much of your interest just cuz i couldn't locate those files... :tazz:
  • 0

#18
joshuageeks6999

    Member

  • Topic Starter
  • 91 posts
Hi, currently able to restart and view normal desktop; again, all i did was go into the Taskmgr/applications and locate&run the c:\windows\explorer.exe program. This, after running the standard, updated Adaware, Spybot, Microsoft Antispyware, CWShredder...

Still have the following perhaps unrelated issues:
** Microsoft Antispyware flags/blocks a reference to Kernels32 upon startup;
** IE Webpage "unavailable while offline" , request to Connect does work;
** "Outlook is not your current Email server" but allows me to start and use it;
** In Outlook have received several messages, similar received for about 3 weeks, may coincide with Smitfraud, they include emails from (spam only??unrelated)...luncheonettes@jamvista.com, insolubles@intersales.com.au, and hanger@galiano.it
** Tried MSN.com to get to hotmail, wouldn't work and have still not been able to get to hotmail account;


Otherwise, most things working...desktop looks okay for the moment.

I'm going to follow the instructions in similar thread init'd by fshmn, controlled by don77.

Also, would like to change all of my passwords to financial accounts...BUT WOULD LIKE TO GET THE GOAHEAD ON THAT IDEA FROM SOMEONE HERE...I realize it might be premature.

joshua :tazz:
  • 0

#19
Michelle


    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts

"...hope i didn't lose too much of your interest just cuz i couldn't locate those files..."

With my position as a staff member of Geeks to Go, I think I would become very disturbed with myself if I were to become mad because your computer does NOT have those malware files in it! :tazz: So, you have my full interest still ;)

Since those files were e-mailed you can now delete:

C:\wp.exe
C:\wp.bmp


Let's get this party started! ;)

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

Restart your computer, while your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following:

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

1.) Download the Hoster from HERE. Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.
  • 0

#20
joshuageeks6999

    Member

  • Topic Starter
  • 91 posts
Well, i certainly didn't think you were mad!!...just intrigued at how busy you must be...thought it might legitimately have moved me to the bottom of the list since i'm up and running albeit with problems...

Anyhooooo, i've already done those things---or most of them...was following you in the Ladyrocker thread...

No Security IGuard, Virtual Maid, Search Maid located;
UNABLE to access Taskmgr now!!!!!!!!!!!! says I disabled it...working on that...never intentionally did that;
Did the Killbox thing;
Safe mode and deletes...although none located, including no Log Files in System32;
Still no Policies ..System Folder;
Hoster worked;
Don't think DelDomains worked...did what it said...;
and did NOT run the Clean Up as I don't have a harddrive backup;
and did Not run ActiveScan...something shut down Active X...won't let it run...

...Any thoughts on the Taskmgr; Active X; can I run Cleanup without a backup; and and and...since i didn't have those Log Files...where's the trojan??????

and I think I'll go off and change all of my passwords...then take a nap...

say, is it too personal to say..."where the heck are you"...??..like what country??
joshua
  • 0

#21
Michelle


    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Cleanup just clears out temporary files (like Temp and Temporary Internet Files), but if you don't feel safe running it then don't do it!

Don't change your passwords yet, otherwise I'll just have to recommend that you do it after we're done!!

Disabled Task Manager, huh? Well, I don't even want to know what you were doing! :tazz: I'll think about that ;)

Will you post a new HiJackThis log for me?

(btw, I'm from the good old country named Texas ;) )
  • 0

#22
Michelle


    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
If Task Manager is disabled then there is a policy under current user in the System folder telling it to do so.

Go to Start > Run - copy & paste this in there:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Click OK and see if it's still disabled; if yes, reboot your computer and let me know. :tazz:
  • 0

#23
joshuageeks6999

    Member

  • Topic Starter
  • 91 posts
Okie-dokie...i'm from Wichita originally...AND i don't know ANYONE that would know that one-liner that turns my taskmgr back on...so how the heck do you people from texas get so smart???huh huh...how'd ya know that???seriously....just something they taught you in junior high or what?? :tazz:

The CleanUp instructions said don't run it if you don't have a backup; that's the only reason I was hesitant...plus they referred to several items from 1999...and the y2k thing???...was Steven out of the solar system for a bit?...miss a few years??

Ok, so...here's the log file!!

Logfile of HijackThis v1.99.1
Scan saved at 11:45:49 PM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\netdc.exe
C:\WINDOWS\XPsys.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dane\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [s19byn.exe] C:\documents and settings\dane\local settings\temp\s19byn.exe
O4 - HKLM\..\Run: [s19byn] C:\documents and settings\dane\local settings\temp\s19byn.exe
O4 - HKLM\..\Run: [vOTMRa.exe] C:\documents and settings\dane\local settings\temp\vOTMRa.exe
O4 - HKLM\..\Run: [vOTMRa] C:\documents and settings\dane\local settings\temp\vOTMRa.exe
O4 - HKLM\..\Run: [iframeworks.exe] C:\DOCUME~1\dane\LOCALS~1\Temp\nbmj.dat
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: netdb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Windows.hta
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Microsoft® JavaScript® Console - {F1C82202-A967-4244-A191-441F2D029901} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {F1C82202-A967-4244-A191-441F2D029901} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:...va/cfs31229.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...layer5AxWin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D6C6BBA-79AC-4A08-B60D-280829FFE112}: NameServer = 207.115.64.2,207.115.64.3
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0

#24
joshuageeks6999

    Member

  • Topic Starter
  • 91 posts
bananafana,

the email you requested was blocked by microsoft filter stating that MIME material contained and considered malicious...could that have happened because i was unable to zip the wp.bmp file?

joshua
  • 0

#25
joshuageeks6999

    Member

  • Topic Starter
  • 91 posts
Drat!! i may have been wrong all along...i have several accounts on this pc...i'm messaging Geeks forum from one that seems to be working...oops was working...popup from Microsoft Antispyware just ALLOWED a change in home page to default/home.

...and my other admin account does NOT allow right-click modification to the desktop!!!!

joshua :tazz:
  • 0



#26
Michelle


    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Well do this for whatever account you were on when you ran HiJackThis!

First, I need you to right click on the desktop and go to New > Folder - click on it and name it whatever you want. Locate HiJackThis.exe on the desktop, right click on it and go to "cut", then go into the folder you just made and click "paste". This is to ensure backups are saved and accessible.

Then, (this step is important), I need you to disable the Microsoft Antispyware program as it could interfere with cleaning your system (we'll turn it back on after we clean it!). To disable the program, follow the instructions below:
1.) Right click on the Microsoft Antispyware tray icon (a little red and yellow circle looking thing)
2.) Click on Security Agents Status (Enabled)
3.) Click on Disable Real-time Protection

Press CTRL ALT DELETE (since I know Task Manager is working!) and click on the Processes tab. End the following processes:

netdc.exe
XPsys.exe
kernels32.exe


Exit Task Manager.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Place a check next to the following items, if found, and click FIX CHECKED:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe

O4 - HKLM\..\Run: [s19byn.exe] C:\documents and settings\dane\local settings\temp\s19byn.exe
O4 - HKLM\..\Run: [s19byn] C:\documents and settings\dane\local settings\temp\s19byn.exe
O4 - HKLM\..\Run: [vOTMRa.exe] C:\documents and settings\dane\local settings\temp\vOTMRa.exe
O4 - HKLM\..\Run: [vOTMRa] C:\documents and settings\dane\local settings\temp\vOTMRa.exe
O4 - HKLM\..\Run: [iframeworks.exe] C:\DOCUME~1\dane\LOCALS~1\Temp\nbmj.dat
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - Startup: netdb.exe
O4 - Global Startup: Microsoft Windows.hta

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.c...layer5AxWin.cab


Close HiJackThis.
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINDOWS\System32\netdc.exe
C:\WINDOWS\System32\netdb.exe
C:\WINDOWS\System32\netda.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\XPsys.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

After your computer restarts, follow this path:

C:\documents and settings\dane\local settings\temp

Delete everything in that Temp folder!

Post a new HiJackThis log.

How many accounts are we talking here?
  • 0
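
The triage in the post above, as an added example that is not part of the original thread or of HijackThis itself: a small Python pass over a few lines copied from the posted log that flags the persistence patterns the helper selected. The heuristics (a Shell= value carrying more than Explorer.exe, Run entries that launch from a Temp folder or point at the file appended to Shell=, files placed directly in a Startup folder) and all function names are assumptions chosen for illustration; they do not cover the R0/R3 and O16 items, which take analyst judgement.

```python
import re

# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [s19byn.exe] C:\documents and settings\dane\local settings\temp\s19byn.exe
O4 - HKLM\..\Run: [iframeworks.exe] C:\DOCUME~1\dane\LOCALS~1\Temp\nbmj.dat
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - Startup: netdb.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Windows.hta
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$", re.I)
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(
    r"^O4 - (?:Global )?Startup: (?P<item>[^=]+?)(?: = (?P<target>.+))?$")
TEMP_RE = re.compile(r"\\temp\\", re.I)
# Assumption: file types that run when opened; a normal Startup item is a .lnk.
DIRECT_EXT = (".exe", ".hta", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif")


def shell_extras(lines):
    """Programs listed after Explorer.exe in the Shell= value (lower-cased)."""
    extras = set()
    for line in lines:
        m = SHELL_RE.match(line)
        if m:
            rest = m.group("value").split(None, 1)[1:]
            extras.update(p.strip().lower() for p in rest)
    return extras


def triage(log_text):
    """Return [(line, [reasons])] for entries that match the heuristics."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    extras = shell_extras(lines)
    findings = []
    for line in lines:
        reasons = []
        shell = SHELL_RE.match(line)
        run = RUN_RE.match(line)
        startup = STARTUP_RE.match(line)
        # The logon shell should be Explorer.exe alone.
        if shell and shell.group("value").strip().lower() != "explorer.exe":
            reasons.append("shell-not-explorer-only")
        if run:
            cmd = run.group("cmd").strip().strip('"')
            if TEMP_RE.search(cmd):  # autostart from a per-user Temp folder
                reasons.append("runs-from-temp")
            if cmd.lower() in extras:  # second autostart for the Shell= add-on
                reasons.append("same-file-as-shell-extra")
        # A bare file in a Startup folder (no "= target") is not a shortcut.
        if startup and not startup.group("target"):
            if startup.group("item").strip().lower().endswith(DIRECT_EXT):
                reasons.append("file-placed-directly-in-startup")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```
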

#27
joshuageeks6999

    Member

  • Topic Starter
  • 91 posts
Hi,

To disable microsoft antispyware, Right click went nowhere, so i Left clicked, went to real-time protection and disabled Internet, Security, and Application agents.

Went to Taskmgr..it works here..not in the other account..deleted the netdc, XPsys, and kernels32 exe files.

...off to "fix", Screwwith!!,gdblast!!,annihilate""@!#$ the entries suggested via the HJT log...and i'll shutdown Geeks for a moment as you've said i should close everything up!!

brb...bet you can't guess what i named the files??

2 ACCOUNTS

joshua

Edited by joshuageeks6999, 18 April 2005 - 01:46 AM.

  • 0

#28
Michelle


    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Pfft, I can handle 2 accounts, I was thinking like 10 or something by the way you were talking :tazz:

Did you use Killbox on all of these items??

C:\WINDOWS\System32\netdc.exe
C:\WINDOWS\System32\netdb.exe
C:\WINDOWS\System32\netda.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\XPsys.exe
  • 0

#29
Michelle


    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, nevermind, I see what you meant - you ended them in Task Manager :tazz: Confused me for a second!

What files are you talking about that you named?
  • 0

#30
Michelle


    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Where are you? I was just kidding :tazz:
  • 0





