[don77]

Great news bbrown4 !

Is it okay to delete this file - O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h? I believe this is what started my problems in the first place.

Sure can, Use HJT to remove it same way you have been,

Search for files/folders and remove the folder

Ares
and
SAH

Other than that,

Nice job your log is clean !
How is it running ?
Please use the following suggestion to help prevent reinfection

Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep Ad-aware and Spybot handy, Check them for updates prior to running and run them weekly
Same with your Anti Virus,

For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot

Remeber to Check Windows for updates

Probably a good time to create a new restore point See Here Name it clean or something like that,

[Advertisements]

Don77,

You are good and thank you so much for your help! My system is running great. There is still one pop-up called aurora that I am getting, but I can live with that. I will definitely be sending you a small donation to show my appreciation.

Thanks again for your help!

Burrell

[bbrown4]

Don77,

You are good and thank you so much for your help! My system is running great. There is still one pop-up called aurora that I am getting, but I can live with that. I will definitely be sending you a small donation to show my appreciation.

Thanks again for your help!

Burrell

[don77]

Your very welcome Burrell, And Thank you,

Give this program a try. They have a free verison you can download.

Ewido Security Suite
http://www.ewido.net/en/

Be sure to get the updates first before scanning. Do the scan in Safe Mode so it has the best chance of killing any files that want to run on startup.

[bbrown4]

Thanks for the file Don77, it found more viruses and hidden malware. Okay since you have all the answers, what do you know about this callinghome.biz that spybot cannot remove? The 2 files to this application are hidden in my registry as DLMAX.

I plan to load XP SP2 today. Will these files cause conflicts?

Thanks,

Burrell

[don77]

Did you download and run Cleanup!
If not do so now,

Next
Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan

You should try to delete any files that these scanners are unable to clean. Make sure you check the 'Disinfect automatically' option in Active scan, and check the “Auto Clean” option in TrendMicro, Then let us know if its working better and what the scans found.

Then scan again with HijackThis and post another log.

[bbrown4]

Yes, I did download and run Cleanup.

I ran Activescan and below is what it found. It says it found 47 infections. The other online scan TrendMicro's HouseCall would not download or run.


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\System32\cache32_rtneg?
Adware:Adware/BHO No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/NavHelper No disinfected C:\Program Files\Ares
Adware:Adware/DealHelper No disinfected Windows Registry
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/WildTangent No disinfected C:\WINDOWS\wt
Adware:Adware/WUpd No disinfected C:\Program Files\DeskAd Service
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Burrell IV\Favorites\Finances & Business
Adware:Adware/Beginto No disinfected Windows Registry
Adware:Adware/ClockSync No disinfected C:\Program Files\ClockSync
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Burrell IV\Application Data\sskknwrd.dll
Adware:Adware/SearchRelevancy No disinfected Windows Registry
Adware:Adware/Adtomi No disinfected C:\found.001\dir0000.chk\A0009985.exe
Adware:Adware/Adtomi No disinfected C:\found.001\dir0000.chk\A0009986.sys
Adware:Adware/Adtomi No disinfected C:\found.001\dir0000.chk\A0009987.sys
Adware:Adware/Adtomi No disinfected C:\found.001\dir0000.chk\A0009988.exe
Adware:Adware/nCase No disinfected C:\Program Files\180searchassistant\180searchassistant.exe
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Adware:Adware/MyWay No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\42978068.asw
Adware:Adware/MyWay No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\42978068.asw[mySetp.exe]
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\42978545.asw
Adware:Adware/SAHAgent No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\87735151.asw
Adware:Adware/SAHAgent No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\87736871.asw
Adware:Adware/SAHAgent No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\87740932.asw
Adware:Adware/SAHAgent No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\87742812.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\87844683.asw
Adware:Adware/WUpd No disinfected C:\Program Files\DeskAd Service\DeskAdComm.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\abasa5jrp.ini
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\cxtpls_loader.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\hochkaod3.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\u6f6uftuc.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\DrTemp\farmmext.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\DrTemp\farmmext.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\DrTemp\farmmext.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI1995.tmp\farmmext.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI1995.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI1995.tmp\farmmext.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI45B7.tmp\farmmext.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI45B7.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI45B7.tmp\farmmext.ini
Adware:Adware/Transponder No disinfected C:\WINDOWS\Temp\THICDE.tmp\dlmax.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\Temp\THICDE.tmp\dlmax.inf
I ran spybot again and callinghome.biz still exist. The 2 files hidden in the registry are HKEY_USERS\S-1-5-18\Software\DLMAX and
HKEY_USERS\DEFAULT\Software\DLMAX

Below is a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:12:29 PM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\110288~1\EE\AOLHOS~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\110288~1\EE\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsout...ge=hb/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102883278\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Concur Expense Applets - https://etravel.usps...ets/cnqr_ie.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095565157140
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,21/mcgdmgr.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://grsbncswea1/R...tivexviewer.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://206.65.172.23...ll/gtdowngc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7314BA0-21BA-41E0-819E-C00260E29C93}: NameServer = 205.152.37.23,205.152.132.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usps.gov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = usps.gov
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usps.gov
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[bbrown4]

Don77,

The system is running great. Just trying to remove the callinghome.biz from registry, before I download XP SP2.

Burrell

[don77]

Good to hear Burrell, Lets see if we can get rid of this for you,

Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD


C:\WINDOWS\System32\cache32_rtneg?
C:\WINDOWS\bsx32
C:\Program Files\cxtpls
C:\Program Files\Ares
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\wt
C:\Program Files\DeskAd Service
C:\Program Files\ClockSync
C:\Documents and Settings\Burrell IV\Application Data\sskknwrd.dll
C:\found.001\dir0000.chk\A0009985.exe
C:\found.001\dir0000.chk\A0009986.sys
C:\found.001\dir0000.chk\A0009987.sys
C:\found.001\dir0000.chk\A0009988.exe
C:\Program Files\180searchassistant\180searchassistant.exe
C:\Program Files\AIM\Sysfiles\WxBug.EXE
C:\Program Files\DeskAd Service\DeskAdComm.dll
C:\WINDOWS\system32\abasa5jrp.ini
C:\WINDOWS\system32\cxtpls_loader.exe
C:\WINDOWS\system32\hochkaod3.ini
C:\WINDOWS\system32\u6f6uftuc.ini
C:\WINDOWS\system32\xmlparse.dll
C:\WINDOWS\system32\xmltok.dll
C:\WINDOWS\Temp\DrTemp\farmmext.exe
C:\WINDOWS\Temp\DrTemp\farmmext.inf
C:\WINDOWS\Temp\DrTemp\farmmext.ini
C:\WINDOWS\Temp\THI1995.tmp\farmmext.exe
C:\WINDOWS\Temp\THI1995.tmp\farmmext.inf
C:\WINDOWS\Temp\THI1995.tmp\farmmext.ini
C:\WINDOWS\Temp\THI45B7.tmp\farmmext.exe
C:\WINDOWS\Temp\THI45B7.tmp\farmmext.inf
C:\WINDOWS\Temp\THI45B7.tmp\farmmext.ini
C:\WINDOWS\Temp\THICDE.tmp\dlmax.dll
C:\WINDOWS\Temp\THICDE.tmp\dlmax.inf

Restart your computer,


Please go Here
Download Reglite, Open Reistrar Lite,
Open the program, Click Ctrl and f, this will open search registry. In the upper box type or copy and paste,
DLMAX
Click on the search Button, When it finds the file or files and anything associated with it, Highlight it and click Delete the large red x on the bottom of the box.


Scan again with Spybot and let us know what it finds

[bbrown4]

Don77,

I could not delete the files below. I kept getting a message that ACCESS IS DENIED. MAKE SURE DISK IS NOT FULL OR WRITE-PROTECTED AND THAT THE FILE IS NOT CURRENTLY IN USE.

C:\WINDOWS\Temp\DrTemp\farmmext.exe
C:\WINDOWS\Temp\DrTemp\farmmext.inf
C:\WINDOWS\Temp\DrTemp\farmmext.ini
C:\WINDOWS\Temp\THI1995.tmp\farmmext.exe
C:\WINDOWS\Temp\THI1995.tmp\farmmext.inf
C:\WINDOWS\Temp\THI1995.tmp\farmmext.ini
C:\WINDOWS\Temp\THI45B7.tmp\farmmext.exe
C:\WINDOWS\Temp\THI45B7.tmp\farmmext.inf
C:\WINDOWS\Temp\THI45B7.tmp\farmmext.ini
C:\WINDOWS\Temp\THICDE.tmp\dlmax.dll
C:\WINDOWS\Temp\THICDE.tmp\dlmax.inf


Spybot scan results:

Congratulations!: No immediate threats were found.

Thanks for getting rid of callinghome.biz, but now the above problems has arisen.

Will you be able to remove these harmful files?

Burrell

[don77]

Hi Burrell
Please run this Fixbinet

Run another scan with Active and lets see how we made out

[bbrown4]

Fixbinet scan results:

Symantec Adware.BetterInternet Removal Tool 1.0.6


C:\Documents and Settings\Burrell IV\My Documents\My Music\Do As Infinity\???: (not scanned)
C:\Documents and Settings\Burrell IV\My Documents\My Music\iTunes\iTunes Music\Do As Infinity: (not scanned)
C:\System Volume Information: (not scanned)
C:\WINDOWS\Temp\mcu37.tmp: (not scanned)
Adware.BetterInternet has not been found on your computer.


Activescan results found 19 infected files. Results of scan are as follows:


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\System32\ritsacnk.dat
Adware:Adware/BHO No disinfected Windows Registry
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel
Adware:Adware/DealHelper No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Burrell IV\Favorites\Finances & Business
Adware:Adware/Beginto No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Burrell IV\Application Data\ssk?wrd.dll
Adware:Adware/SearchRelevancy No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Burrell IV\Application Data\Sskcwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Burrell IV\Application Data\Sskuknwrd.dll
Adware:Adware/MyWay No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\42978068.asw
Adware:Adware/MyWay No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\42978068.asw[mySetp.exe]
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\42978545.asw
Adware:Adware/SAHAgent No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\87735151.asw
Adware:Adware/SAHAgent No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\87736871.asw
Adware:Adware/SAHAgent No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\87740932.asw
Adware:Adware/SAHAgent No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\87742812.asw
Spyware:Spyware/Altnet No disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\87844683.asw
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\a95kfrhe.ini
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\ap2nqrd4.dat
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\baur5s9q.dat
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\q10pvbrv.dat
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\q17i9a4j.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\ritsacnk.dat
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\DrTemp\farmmext.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\DrTemp\farmmext.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\DrTemp\farmmext.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI1995.tmp\farmmext.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI1995.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI1995.tmp\farmmext.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI45B7.tmp\farmmext.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI45B7.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI45B7.tmp\farmmext.ini
Adware:Adware/Transponder No disinfected C:\WINDOWS\Temp\THICDE.tmp\dlmax.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\Temp\THICDE.tmp\dlmax.inf
Thanks again for your assistance with helping me get rid of these harmful files.

Burrell

[don77]

Hi Burrell,
Run Cleanup! again please,

Next Check Ad-aware for updates and run a scan having it fix all ity finds,

I think you already have it if not,
Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first.


Run a scan with TrendMicro's HouseCall

Let us know how you make out please

[bbrown4]

Don77,

I ran Cleanup!

I updated and ran Ad-aware and I am setup on how to use it.

Unable to run a scan with TrendMicro's HouseCall. It will not load.

I ran a scan with Ewido Security suite and this is what it found:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:29:49 PM, 4/27/2005
+ Report-Checksum: BD652E44

+ Date of database: 4/27/2005
+ Version of scan engine: v3.0

+ Duration: 27 min
+ Scanned Files: 45937
+ Speed: 28.19 Files/Second
+ Infected files: 4
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 4

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\Temp\DrTemp\farmmext.exe -> Spyware.ConsCorr -> Error during cleaning
C:\WINDOWS\Temp\THI1995.tmp\farmmext.exe -> Spyware.ConsCorr -> Error during cleaning
C:\WINDOWS\Temp\THI45B7.tmp\farmmext.exe -> Spyware.ConsCorr -> Error during cleaning
C:\WINDOWS\Temp\THICDE.tmp\dlmax.dll -> Spyware.DlMax.a -> Error during cleaning


::Report End

Is Farmmext and Dlmax invincible or something?

Burrell

[don77]

They are persistant aren't they,,,,

Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINDOWS\system32\a95kfrhe.ini
C:\WINDOWS\system32\ap2nqrd4.dat
C:\WINDOWS\system32\baur5s9q.dat
C:\WINDOWS\system32\q10pvbrv.dat
C:\WINDOWS\system32\q17i9a4j.ini
C:\WINDOWS\system32\ritsacnk.dat
C:\WINDOWS\Temp\DrTemp\farmmext.exe
C:\WINDOWS\Temp\DrTemp\farmmext.inf
C:\WINDOWS\Temp\DrTemp\farmmext.ini
C:\WINDOWS\Temp\THI1995.tmp\farmmext.exe
C:\WINDOWS\Temp\THI1995.tmp\farmmext.inf
C:\WINDOWS\Temp\THI1995.tmp\farmmext.ini
C:\WINDOWS\Temp\THI45B7.tmp\farmmext.exe
C:\WINDOWS\Temp\THI45B7.tmp\farmmext.inf
C:\WINDOWS\Temp\THI45B7.tmp\farmmext.ini
C:\WINDOWS\Temp\THICDE.tmp\dlmax.dll
C:\WINDOWS\Temp\THICDE.tmp\dlmax.inf


For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.


Run another scan with ewido lets see how we made out

[bbrown4]

Don77,

Killbox gave me a message when I click it to reboot after I pasted the last file name. The message was "PendingfilenameOperations Registry Data has been removed by External Process".

I ran ewido and below is the scan report:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:00:02 PM, 4/28/2005
+ Report-Checksum: DA389446

+ Date of database: 4/29/2005
+ Version of scan engine: v3.0

+ Duration: 20 min
+ Scanned Files: 46150
+ Speed: 38.41 Files/Second
+ Infected files: 4
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 4

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\Temp\DrTemp\farmmext.exe -> Spyware.ConsCorr -> Error during cleaning
C:\WINDOWS\Temp\THI1995.tmp\farmmext.exe -> Spyware.ConsCorr -> Error during cleaning
C:\WINDOWS\Temp\THI45B7.tmp\farmmext.exe -> Spyware.ConsCorr -> Error during cleaning
C:\WINDOWS\Temp\THICDE.tmp\dlmax.dll -> Spyware.DlMax.a -> Error during cleaning


::Report End

These guys are tough. They got to be ready to go down soon.

Also, I notice the Wupdt in the C:\Windows\Temp\DrTemp\wupdt.exe. Shouldn't that file be deleted?

Burrell