HiJackThis Download [RESOLVED]


This topic is locked

#1 digimime (Member, 23 posts)
Greetings :tazz:

Too bad my first post has to be about Aurora, but then I'm 100% glad I found this group when it was most needed!


Thanks for your help!

Edited by digimime, 30 May 2005 - 10:26 AM.

#2 Guest_thatman_* (Guest)
Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and the HJT.log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:

#3 digimime (Topic Starter, Member, 23 posts)
Hello thatman,

Following is the Panda log. I was unable to find a way to download the HJT log. Your help is much appreciated!

Edited by digimime, 30 May 2005 - 10:29 AM.


#4 digimime (Topic Starter, Member, 23 posts)
Hello again, thatman,

Edited by digimime, 30 May 2005 - 10:30 AM.


#5 Guest_thatman_* (Guest)
Hi digimime

Please read through the instructions before you start (you may want to print this out).

Ewido Trojan’s and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop.

Reboot into Safe Mode: Click here if you don't know how to do this.

Clear out the files in the Prefetch folder. Go to Start > Run, type Prefetch into the box, and delete all the files in that folder.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run an Ewido full scan, save the log, and post the log with the other items.

Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\INF\btgrab.inf
C:\WINDOWS\INF\polall1r.inf
C:\WINDOWS\INF\farmmext.inf
C:\WINDOWS\SYSTEM32\SWLAD1.dll
C:\WINDOWS\SYSTEM32\setup_incred_1.exe
C:\WINDOWS\SYSTEM32\ss_msi1_setup.exe
C:\WINDOWS\SYSTEM32\PopOops2.dll
C:\WINDOWS\SYSTEM32\xmlparse.dll
C:\WINDOWS\SYSTEM32\msbb321.dll
C:\WINDOWS\SYSTEM32\PopOops.dll
C:\WINDOWS\SYSTEM32\SWRT01.dll
C:\WINDOWS\SYSTEM32\SWLAD2.dll
C:\WINDOWS\SYSTEM32\xmltok.dll
C:\WINDOWS\SYSTEM32\c58bKs.dll
C:\WINDOWS\SYSTEM32\Lycos.dll
C:\WINDOWS\SYSTEM32\biK.exe
C:\WINDOWS\SYSTEM32\lsp.dll
C:\WINDOWS\SYSTEM32\im64.dll
C:\WINDOWS\SYSTEM32\msbb.exe
C:\WINDOWS\SYSTEM32\msbbhook.dll
C:\WINDOWS\SYSTEM32\sahagent1019.exe
C:\WINDOWS\SYSTEM32\ezStub3.dll
C:\WINDOWS\SYSTEM32\stmtreco.exe
C:\WINDOWS\SYSTEM32\randreco.exe
C:\WINDOWS\SYSTEM32\lmlysfj.exe
C:\WINDOWS\SYSTEM32\DrPMon.dll
C:\WINDOWS\kxut.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\satmat.ini
C:\WINDOWS\TEMP\biK.inf
C:\WINDOWS\TEMP\bi.dll
C:\WINDOWS\TEMP\biprep.exe
C:\WINDOWS\TEMP\Belt.ini
C:\WINDOWS\TEMP\polmx2.inf
C:\WINDOWS\TEMP\polmx2.exe
C:\WINDOWS\TEMP\twc\installer\bin\AddFavorites.vbs
C:\WINDOWS\TEMP\bi.cab
C:\WINDOWS\TEMP\bi.cab[bi.inf]
C:\WINDOWS\TEMP\bi.cab[bi.dll]
C:\WINDOWS\TEMP\bi.inf
C:\WINDOWS\TEMP\randreco.exe
C:\WINDOWS\TEMP\THIE3F.TMP\polall1r.inf
C:\WINDOWS\TEMP\THIE3F.TMP\polall1r.exe
C:\WINDOWS\TEMP\THI675.TMP\polall1r.inf
C:\WINDOWS\TEMP\THI675.TMP\polall1r.exe
C:\WINDOWS\farmmext.ini
C:\WINDOWS\Downloaded Program Files\lsp_.dll
C:\WINDOWS\Downloaded Program Files\xmlparse_.dll
C:\WINDOWS\Downloaded Program Files\xmltok_.dll
C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\BI.DLL
C:\WINDOWS\svcproc.exe
C:\WINDOWS\fjooqt.exe
C:\WINDOWS\TSAd.dll
C:\WINDOWS\VcpDLL.dll
C:\WINDOWS\Nail.exe
C:\WINDOWS\BIPREP.EXE
C:\WINDOWS\SAHUninstall.exe
C:\WINDOWS\POLMX2.EXE
C:\Program Files\Common Files\updater\data1.dat
C:\Program Files\Common Files\updater\data2.dat
C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE
C:\Program Files\Lycos\Sidesearch\offline.htm
C:\Program Files\VBouncer\VBouncerInner.EXE
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\Program Files\Support.com\backup\wm\wmplayer.exe\80384_58be8be6f_[wmplayer.exe]
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Web_Rebates\disp1150.exe
C:\Program Files\Web_Rebates\README.txt
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\Program Files\Ebates_MoeMoneyMaker\disp350.exe
C:\SahAgent.log
C:\undo\backup.cab[BI.INF]
C:\undo\backup.cab[BIK.INF]
C:\undo\backup.cab[POLMX2.INF]
C:\undo\backup.cab[POLALL1R.INF]
C:\undo\backup.cab[Belt.ini]

Reboot as normal when prompted.

Delete the following folders.
C:\Program Files\Common Files\updater <-- Delete the whole folder
C:\Program Files\TimeSink\AdGateway <-- Delete the whole folder
C:\Program Files\Lycos\Sidesearch <-- Delete the whole folder
C:\Program Files\VBouncer <-- Delete the whole folder
C:\Program Files\AdDestroyer <-- Delete the whole folder
C:\Program Files\Support.com\backup\wm\wmplayer.exe\80384_58be8be6f_[wmplayer.exe]
C:\Program Files\Web_Rebates <-- Delete the whole folder
C:\Program Files\Ebates_MoeMoneyMaker <-- Delete the whole folder
C:\SahAgent.log <-- Delete the whole folder
C:\undo <-- Delete the whole folder

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from the Panda virus scan and the HJT.log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:
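The Killbox list above mixes plain file paths with entries written as `archive.cab[member]`, and the same filename turns up in more than one directory (randreco.exe, biprep.exe). As an added example that is not part of the post and is not Killbox or Panda code, the script below parses a list in that format before anything is deleted: it collapses archive members onto their container (Killbox deletes files, not members inside a CAB; that reading of the `[member]` notation is an assumption), deduplicates paths case-insensitively, and reports filenames that appear in several places so none are overlooked. SAMPLE_LIST is a constructed excerpt of the paths in the post.

```python
"""Parse a Killbox-style 'delete on reboot' list before running it.

Added example (not from the thread, Killbox or Panda). SAMPLE_LIST is a
constructed excerpt of the paths in the post above. Entries written as
`archive.cab[member]` are assumed to be the scanner's notation for a file
inside a CAB archive; only the container path exists on disk.
"""
import re
from collections import defaultdict
from pathlib import Path, PureWindowsPath

SAMPLE_LIST = r"""
C:\WINDOWS\INF\btgrab.inf
C:\WINDOWS\SYSTEM32\randreco.exe
C:\WINDOWS\TEMP\randreco.exe
C:\WINDOWS\TEMP\bi.cab
C:\WINDOWS\TEMP\bi.cab[bi.inf]
C:\WINDOWS\TEMP\bi.cab[bi.dll]
C:\WINDOWS\BIPREP.EXE
C:\WINDOWS\TEMP\biprep.exe
C:\undo\backup.cab[BI.INF]
C:\undo\backup.cab[POLMX2.INF]
C:\Program Files\Web_Rebates\WebRebates1.exe
"""

# `container.cab[member]` -> container path plus the member name inside it.
MEMBER_RE = re.compile(r"^(?P<container>.+?\.(?:cab|zip))\[(?P<member>[^\]]+)\]$", re.I)


def parse_entry(line):
    """Return (container_path, member_or_None) for one list line."""
    line = line.strip()
    m = MEMBER_RE.match(line)
    if m:
        return m.group("container"), m.group("member")
    return line, None


def plan_deletions(text):
    """Turn the posted list into the real on-disk paths to delete.

    Archive members collapse onto their container; paths are deduplicated
    case-insensitively because NTFS is case-insensitive. Returns
    (ordered_paths, members_by_container).
    """
    seen = {}                      # lower-cased path -> first spelling seen
    members = defaultdict(list)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        container, member = parse_entry(raw)
        key = container.lower()
        seen.setdefault(key, container)
        if member:
            members[seen[key]].append(member)
    return list(seen.values()), dict(members)


def duplicate_basenames(paths):
    """Filenames dropped in several directories (a TEMP copy that re-seeds
    SYSTEM32 is the usual pattern); all copies need to go in the same pass."""
    by_name = defaultdict(list)
    for p in paths:
        by_name[PureWindowsPath(p).name.lower()].append(p)
    return {name: ps for name, ps in by_name.items() if len(ps) > 1}


def present_on_disk(paths):
    """Subset of paths that still exist; only meaningful on the infected host."""
    return [p for p in paths if Path(p).exists()]


if __name__ == "__main__":
    paths, members = plan_deletions(SAMPLE_LIST)
    for p in paths:
        inside = f"  (contains: {', '.join(members[p])})" if p in members else ""
        print(p + inside)
    for name, where in duplicate_basenames(paths).items():
        print(f"{name} appears in {len(where)} places: {where}")
```

Run it on the full list from the post to get the list of real paths to paste into Killbox; any path that `present_on_disk` reports missing after the reboot is done, and any still present needs another pass.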

#6 digimime (Topic Starter, Member, 23 posts)
Back again after many detours. I did some more work with activescan reports and killbox, and the last scan showed no problems. Here are the latest ewido and hijackthis logs. Are there any more scans I need to do before downloading SP2? I'm getting pretty blitzed out... ;)


Thanks :tazz:

Edited by digimime, 30 May 2005 - 10:34 AM.


#7 Guest_thatman_* (Guest)
Hi digimime

Please read through the instructions before you start (you may want to print this out).

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL (file missing)
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM32\Ud3rT0n5.dll (file missing)
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\Documents and Settings\All Users\Application Data\Setup\Setup.dll (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: WagBHO.WagBHO - {A7DE7922-14CB-11D6-8BCA-0010A48E5285} - C:\webacc\WagBHO.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll (file missing)
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL (file missing)
O9 - Extra button: Settings - {02E998F8-5FF1-4a65-9D1D-99059AFCEC01} - C:\webacc\WagBand.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloff...O1/Ud3rT0n5.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\PROGRA~1\IncrediFind<--Delete the whole folder
C:\webacc<--Delete the whole folder
C:\Program Files\Ebates_MoeMoneyMaker<--Delete the whole folder
C:\PROGRA~1\COMMON~1\System\MOSearch<--Delete the whole folder
C:\Program Files\Web_Rebates<--Delete the whole folder
Exit Explorer. Reboot as normal.

Post a new HJT.log

Kc :tazz:
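The reply above sorts HijackThis entries into two kinds: lines marked "(file missing)" or "(no file)" are registry pointers whose target is already gone and only need Fix checked, while entries whose file is still on disk also need that file or folder removed in Safe Mode. It also shows one DLL wired into two load points (the IncrediFind CLSID appears as both an R3 URLSearchHook and an O2 BHO). As an added example, not part of the thread and not HijackThis code, the script below parses an excerpt in the v1.99 log format, performs that triage, lists the distinct on-disk paths behind still-present entries, and flags CLSIDs registered under more than one entry type. SAMPLE_LOG is a constructed excerpt of lines quoted in the post, not a complete log.

```python
"""Triage a HijackThis v1.99 log excerpt.

Added example (not from the thread or from HijackThis). SAMPLE_LOG is a
constructed excerpt of lines quoted in the post above, not a complete log.
"""
import re

SAMPLE_LOG = r"""
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL (file missing)
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: WagBHO.WagBHO - {A7DE7922-14CB-11D6-8BCA-0010A48E5285} - C:\webacc\WagBHO.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll (file missing)
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Settings - {02E998F8-5FF1-4a65-9D1D-99059AFCEC01} - C:\webacc\WagBand.dll
"""

# "O2 - BHO: ...": HJT section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
STATUS_RE = re.compile(r"\((?:file missing|no file)\)")
# Drive-letter path running to a closing quote or end of line; a trailing
# "(HKCU)"/"(HKLM)" hive marker, as on some O9 lines, is trimmed separately.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*')
HIVE_SUFFIX_RE = re.compile(r"\s*\((?:HKCU|HKLM)\)\s*$")


def parse_entry(line):
    """Return a dict for one log entry, or None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    missing = STATUS_RE.search(body) is not None
    pm = PATH_RE.search(STATUS_RE.sub("", body))
    path = HIVE_SUFFIX_RE.sub("", pm.group(0)).strip() if pm else None
    return {
        "type": m.group("type"),
        "body": body,
        "clsid": clsid.group(0).upper() if clsid else None,
        "path": path,
        "status": "missing" if missing else "present",
    }


def parse_hjt(text):
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def triage(entries):
    """(fix_only, fix_and_delete): gone-file pointers vs entries with a live file."""
    fix_only = [e for e in entries if e["status"] == "missing"]
    fix_and_delete = [e for e in entries if e["status"] == "present" and e["path"]]
    return fix_only, fix_and_delete


def shared_clsids(entries):
    """CLSIDs registered under more than one entry type: one component wired
    into several load points, so all of its lines must be fixed together."""
    by_clsid = {}
    for e in entries:
        if e["clsid"]:
            by_clsid.setdefault(e["clsid"], set()).add(e["type"])
    return {c: sorted(t) for c, t in by_clsid.items() if len(t) > 1}


def delete_targets(entries):
    """Distinct on-disk paths behind still-present entries (case-insensitive)."""
    seen = {}
    for e in triage(entries)[1]:
        seen.setdefault(e["path"].lower(), e["path"])
    return sorted(seen.values())


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    fix_only, fix_and_delete = triage(ents)
    print(f"{len(fix_only)} registry-only entries, {len(fix_and_delete)} with a file on disk")
    for p in delete_targets(ents):
        print("delete in Safe Mode:", p)
    for c, types in shared_clsids(ents).items():
        print("shared CLSID", c, "in", ", ".join(types))
```

Feed it the whole log rather than an excerpt: the shared-CLSID check only pays off when every section is present, and a path that the parser reports as present should still be confirmed with "show all files" enabled before the folder is deleted.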

#8 digimime (Topic Starter, Member, 23 posts)
Hello thatman:

Sunday's best:

Logfile of HijackThis v1.99.1
Scan saved at 9:06:09 PM, on 5/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Edited by digimime, 02 June 2005 - 03:53 PM.


#9 Guest_thatman_* (Guest)
Hi digimime

Please read through the instructions before you start (you may want to print this out).

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Click on Fix Checked when finished and exit HijackThis.

C:\PROGRA~1\COMMON~1\System\MOSearch<--Delete the whole folder

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and the HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:

#10 digimime (Topic Starter, Member, 23 posts)
Thanks a million! Your assistance has been so valuable.

Please stay with this area--I work pretty fast. :tazz:

Best,
Digimime

#11 Guest_thatman_* (Guest)
Hi digimime

I will be here waiting

Kc :tazz:

#12 digimime (Topic Starter, Member, 23 posts)
Can it be that this is almost done?? ;)

Panda:

Housecall: none

Hope you weren't sitting up all night waiting for this :tazz: I see that you're in the UK, so you would be about 6 hrs ahead of the States.

Best, digimime

Edited by digimime, 03 June 2005 - 09:03 AM.


#13 Guest_thatman_* (Guest)
Hi digimime

Please stay with this area--I work pretty fast :tazz:

Where is your HJT.log? Is that coming in the next six hours? ;)

Delete all the temp files:

C:\Documents and Settings\Anna-lee Aton\Local Settings\Temp\satmat.cab[satmat.exe]
C:\Documents and Settings\Anna-lee Aton\Local Settings\Temp\satmat.cab[satmat.ini]

Kc ;)

#14 digimime (Topic Starter, Member, 23 posts)
Hello thatman,

[quote]Where is your HJT.log is that coming in the next six hours[/quote]

Waiting for Panda to finish ;) Here goes:

Logfile of HijackThis v1.99.1
Scan saved at 11:32:28 AM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


[quote]Delete all the temp files:[/quote]

All I can find now is a satmat 26kb app and two 1KB files for setup & info. Kill all of that?? ;)

Thanks again :tazz:

digimime

Edited by digimime, 02 June 2005 - 06:24 PM.


#15 Guest_thatman_* (Guest)
You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Kc :tazz: