[Trevuren]

Hi Siraphic,


I see you have been busy and I am glad to see that you were able to delete MOsearch.

NEVER UNINSTALL ANTIVIRUS SOFTWARE UNLESS SO INSTRUCTED

You may always delete any 016 you want. They return if/when you revisit the site. None of yours are bad.

You may delete all the 09s if you are sure you don't want them

That entry O4 - HKCU\..\Run: [Y357RXj7j] IR4IAG.EXE remains unknown and if your system is working well, I would recommend leaving it be at this point.

After removing your 016s and 09s. reboot your system, re-install the newest versions of both Spybot and Ad-aware which you can find in a link at the bottom of my post in my signature pane and configure them according to the instructions provided in the link.

Reboot, scan with HJT and send me a final log for review.


Regards,

Trevuren

[Advertisements]

Hi Siraphic,

Just out of curiosity, is your screen still blue?


Trevuren

[Trevuren]

Hi Siraphic,

Just out of curiosity, is your screen still blue?


Trevuren

[Siraphic]

Spybot ran correctly, and deleted four corruptions.
Adaware downloaded, but stops running at the following file:

C:\Windows\Option\Install\BASE2.CAB

I ran the free version of AVG and it detected the following files to be trojan horses

C:_\Restore\Temp\A0011695.1
C:_\Restore\Temp\A0038519.1
C:_\Restore\Temp\A0038553.1
C:_\Restore\Temp\A0038554.1
C:_\Restore\Temp\A0038591.1
C:_\Restore\Temp\A0073348.CPY
C:_\Restore\Temp\A0073349.CPY
C:_\Restore\Temp\A0073430.CPY
C:_\Restore\Temp\Se.o
counter.exe
counter.cab

AVG prompts that in order to be cleansed the computer needs to be restarted, but cleaning doesn't occur.

Finally, the screen is no longer blue, but black.

Here is the logfile:
Logfile of HijackThis v1.99.1
Scan saved at 8:46:01 PM, on 5/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Y357RXj7j] IR4IAG.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~6\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409

[Trevuren]

Hi Siraphic,

1. I want you to download and run a free trial version of an anti-trojan program called Trojan Hunter: Trojan Hunter . Let it scan your whole system and remove anything it finds.

REBOOT your system.

2. Since your desktop background appears to be hijacked, then do this also:

Right click on http://www.greyknigh...pairDesktop.reg and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer.

Login as usual and now right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Regards,

Trevuren

[Siraphic]

Trojan Hunter keeps stalling during scan

it identified two files before stalling

C:\Windows\Temporary Internet Files\julie.ex/R1~YVHX.exe (Adware Get Update.100)
C:\Windows\bundles\thin-8-1-x-x.exe (Adware Better Internet.100)

Any suggestions

[Trevuren]

Hi Siraphic,

1. Please click HERE to download System Security Suite. Extract it from the zip file into a folder and doubleclick on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. Reboot when prompted.

2. You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Regards,

Trevuren

[Siraphic]

Systems security suite doesn't get off the ground - as soon as I press "Clear Selected Items", the program won't respond anymore.

I didn't run option 2, because I was confused by the red line below, saying not to run that option unless asked. I figured I'd ask and see if I should only run it after running option number 1.

Much thanks

[Siraphic]

disregard my previous post. I ran system mechanic, which allowed me to run system security suite. I plan to run option 2 now and then post again

[Siraphic]

Ran lmfix2.bat, but it reads:

Not compatible with 9x or windows nt

[Siraphic]

By running option 2, I meant the second of the two operations, not option 2 within the l2mfix.bat operation. Sorry for the multiple posts.

[Trevuren]

Hi Siraphic,

I am getting a little confused here. Pleae tell what you have run as programs since MY last post to you.

DO NOT TOUCH L2MFIX.


Trevuren

[Siraphic]

Since my last post, I did the following

1. ran system security suite after downloading (it didn't work)
2. ran system mechanic (a program I use to clean the registry)
3. ran system security suite again (worked)
4. downloaded L2mfix, doubled clicked on l2mfix.bat (didn't work). It read:
Not compatible with 9x or windows nt. So I wasn't able to click either option #1 or option #2.
5. AVG Free asked me if I wanted to update virus definitions. I clicked YES, then said I needed to reboot. Computer then turned off. I turned it back on, but it automatically restarts in SAFE mode. I cannot find a way out of SAFE mode back to NORMAL mode now. When I try and restart computer turns off.

I do appreciate your continued patience.

[Trevuren]

Hi Siraphic,

We seem to be going backwards here instead of forward.

1. First, let's try and get you back into Normal Mode.

How To Start To Normal Mode Using The System Configuration Utility Method in Windows 98/98SE/ME

*Close all open programs.
*Click Start > Run when the Run dialog box appears type 'msconfig' (without the quotes)
*click OK.
*the System Configuration Utility opens
*click "Advanced."
*remove the check mark beside 'Enable Startup Menu'
*Click OK, then click OK again
*restart the computer when prompted
*The computer will restart in Normal Mode.

2. Just respond to tell me that you are back in Normal Mode and then we will continue.


Regards,

Trevuren

[Siraphic]

Did as directed.

Whenever I click to start in Normal, the computer shuts off.

[Trevuren]

Hi Siraphic,

You went into MSCONFIG and performed those operations?
At what exact point does your system shut off?


Trevuren