I need help with TROJAN-SPY.HTML.SMITFRAUD.C


#1
Howie1

A friend of my wife's sent her computer over to me to straighten out and this is what I've got.
She had some free spyware deals on there and I did away with them. I then put McAfee Internet Security Suite 2005 ver. 7.0 that she had purchased on the computer (by the way, all of this is being done in safe mode because normal mode will not start up). I can't access the internet with her PC so I am doing this through mine.
I did the scan and removed all the spyware except for two, which I'm guessing is this trojan-spy; it can't do anything to get rid of it.

This is the message that comes up- with the blue screen:

( A fatal error in IE has occured at 0028:c0011e36 in vxd vmm<01> 00010e36.
ERROR WAS CAUSED BY TROJAN-SPY.HTML.SMITFRAUD.C

System can not function in normal mode.
Please check your security settings.

Scan your pc with any available anti-virus / spyware remover program to fix the problem. )


Here's the logfile:


Logfile of HijackThis v1.99.1
Scan saved at 8:32:12 PM, on 05/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HELPCTR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
A:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us/10095/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/10095/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\uqyng.dll/sp.html#34429
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/10095/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us/10095/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us/10095/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/10095/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\uqyng.dll/sp.html#34429
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/10095/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us/10095/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\uqyng.dll/sp.html#34429
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://v73.us/10095/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://v73.us/10095/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us/10095/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://v73.us/10095/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us/10095/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://v73.us/10095/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A735B882-D027-5BD9-D071-C006F852FC66} - C:\WINDOWS\SYSXD.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [agrsmMSG] agrsmMSG.exe
O4 - HKLM\..\Run: [nwikwon] c:\windows\system\nwikwon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [WAOL.EXE] C:\AMERICA ONLINE 6.0\WAOL.EXE
O4 - HKLM\..\Run: [MFCDH.EXE] C:\WINDOWS\SYSTEM\MFCDH.EXE
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [MSLG32.EXE] C:\WINDOWS\SYSTEM\MSLG32.EXE
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE.COM\AGENT\MCREGWIZ.EXE /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [IEKK32.EXE] C:\WINDOWS\IEKK32.EXE /s
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Otvimli] \erodve.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\STUBINSTALLER5356.EXE"
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
O8 - Extra context menu item: Ebates - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {98735FD7-16F1-4DB0-9B00-91C429C18441} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {98735FD7-16F1-4DB0-9B00-91C429C18441} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {98735FD7-16F1-4DB0-9B00-91C429C18441} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {98735FD7-16F1-4DB0-9B00-91C429C18441} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcaf...can/mcasupd.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://lovefreegames...egames_live.cab
O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://68.191.229.13...ooInstaller.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk...349_7469711.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba.../0006_adult.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4239
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:\\MAIN.MHT!http://clean-thumbs....ex.chm::/ad.exe
O21 - SSODL: eplrr9 - {A4972E91-2AF5-450B-A910-6AAEF93AC9D9} - C:\WINDOWS\SYSTEM\mspdnx.dll

#2
don77

Hi Howie1 and welcome. I guess you didn't know what you signed up for when you took this one home :tazz:

Hope you have a fair supply of floppies; you will need to download quite a bit till we can get the machine back online.
Some of the following you won't be able to do, but I will give you the full rundown just the same.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix).

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster.

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again.

Run about:buster again following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

#3
Howie1

DON77
THANKS FOR THE QUICK REPLY!
It may take me a while to get all of this done, but I will get back to ya as soon as I do.

Thanks
Howie1

#4
don77

No problem Howie,
I'm about to turn in for the night. This will only take care of half of the problems on that machine; I will check back in tomorrow.

Good luck,


After you have run through the above post see if this will help you get back online,

http://www.geekstogo...=download&id=21

#5
Howie1

Tried to run the aboutbuster on the computer and it won't even let me do that.
Thanks anyway, but I need to go through and figure out what to remove manually, I guess.
If anyone has a list of files they removed from the log, that would be great.
Thanks
Howie1

#6
don77

Hi Howie1
  • Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet, though.
  • Update CWShredder by clicking on the update button. Next be sure and click on the "fix" button. Close out the program when done.
  • Please set your system to show all files; please see here if you're unsure how to do this.



  • Close all programs leaving only HijackThis running. Place a check mark next to the following, making sure you get them all and not any others by mistake:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us/10095/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/10095/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\uqyng.dll/sp.html#34429
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/10095/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us/10095/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us/10095/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/10095/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\uqyng.dll/sp.html#34429
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/10095/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us/10095/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\uqyng.dll/sp.html#34429
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://v73.us/10095/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://v73.us/10095/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us/10095/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://v73.us/10095/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us/10095/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://v73.us/10095/
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {A735B882-D027-5BD9-D071-C006F852FC66} - C:\WINDOWS\SYSXD.DLL
    O4 - HKLM\..\Run: [nwikwon] c:\windows\system\nwikwon.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.AMS /ShowLegalNote=nonbranded
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
    O4 - HKCU\..\Run: [180ClientStubInstall] "C:\WINDOWS\STUBINSTALLER5356.EXE"
    O8 - Extra context menu item: Ebates - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O9 - Extra button: Microsoft AntiSpyware helper - {98735FD7-16F1-4DB0-9B00-91C429C18441} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {98735FD7-16F1-4DB0-9B00-91C429C18441} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
    O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba.../0006_adult.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4239
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topcon...vex/website.ocx
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:\\MAIN.MHT!http://clean-thumbs....ex.chm::/ad.exe
    O21 - SSODL: eplrr9 - {A4972E91-2AF5-450B-A910-6AAEF93AC9D9} - C:\WINDOWS\SYSTEM\mspdnx.dll


    Click on Fix Checked when finished and exit HijackThis.

  • Reboot into Safe Mode: please see here if you are not sure how to do this.


    Using Windows Explorer, locate the following files/folders, and delete them:

    C:\WINDOWS\SYSXD.DLL
    c:\windows\system\nwikwon.exe
    C:\WINDOWS\CXTPLS_LOADER.EXE
    C:\WINDOWS\STUBINSTALLER5356.EXE
    C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\
    C:\WINDOWS\SYSTEM\mspdnx.dll

    Exit Explorer, and reboot as normal afterwards.
Post back a fresh HijackThis log and we will take another look.
  • 0
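
Added example, not part of the thread: post #6 has the poster tick a list of entries, click Fix Checked, and then post a fresh HijackThis log. This Python script checks such a fresh log against the fix list and reports entries that came back and entries that are new. The BEFORE and FIX_LIST lines are copied from the posts above; the AFTER log, including its `example-new` entry, is constructed for illustration.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")

# Entry lines look like "<code> - <body>", e.g. "O4 - HKLM\..\Run: [sp] ...".
# Header lines and the "Running processes" paths do not match and are skipped.
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_log(text):
    """Return the entry lines of a HijackThis log as Entry tuples."""
    return [Entry(m.group(1), m.group(2))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def key(entry):
    """Identity that ignores case and spacing (Win9x paths vary in case)."""
    return (entry.section, " ".join(entry.body.split()).casefold())

def compare(before, fix_list, after):
    """Classify fix-list entries against a fresh log and list new arrivals."""
    before_keys = {key(e) for e in parse_log(before)}
    after_map = {key(e): e for e in parse_log(after)}
    fix = parse_log(fix_list)
    return {
        "persisted": [e for e in fix if key(e) in after_map],
        "removed": [e for e in fix if key(e) not in after_map],
        "new": [e for k, e in after_map.items() if k not in before_keys],
    }

# Subset of the log in post #1.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us/10095/
O2 - BHO: Class - {A735B882-D027-5BD9-D071-C006F852FC66} - C:\WINDOWS\SYSXD.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nwikwon] c:\windows\system\nwikwon.exe
O15 - Trusted Zone: *.windupdates.com
"""

# Subset of the fix list in post #6 (indented as posted).
FIX_LIST = r"""
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us/10095/
    O2 - BHO: Class - {A735B882-D027-5BD9-D071-C006F852FC66} - C:\WINDOWS\SYSXD.DLL
    O4 - HKLM\..\Run: [nwikwon] c:\windows\system\nwikwon.exe
    O15 - Trusted Zone: *.windupdates.com
"""

# Constructed "fresh" log: two fixed entries are back (one with different
# letter case) and one entry, a placeholder name, was not in the first log.
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us/10095/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NWIKWON] C:\WINDOWS\SYSTEM\NWIKWON.EXE
O4 - HKLM\..\Run: [example-new] C:\WINDOWS\SYSTEM\EXAMPLE.EXE
"""

if __name__ == "__main__":
    for status, entries in compare(BEFORE, FIX_LIST, AFTER).items():
        for e in entries:
            print(f"{status:9} {e.section} - {e.body}")
```

An entry that persists after Fix Checked usually means something still running is rewriting it, which is why the posted procedure deletes the listed files in Safe Mode before asking for the new log.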

#7
Howie1

Don77
I finally got all the programs to work from your first post and picked up another virus in hijackthis after running the cleanup.
McAfee virus scan pop-up window. It reads:
The file C:windows\desktop\hijackthis.exe was infected by the W32\GENERIC.worm\p2p virus and has been deleted to complete the clean process.
I tried to put hijackthis.exe back on the computer in safe mode with the floppy and it deleted it from the disk.
So I'm going to delete everything from the list on your last post and see what happens there.
Thanks again for your help, and if you think of something else let me know.
I'll make another floppy of hijackthis.exe to see if I can get another log in here.
Thanks
Howie1

#8
don77

OK Howie, I'm heading off shortly. I will check back tomorrow, but it sounds like you're making progress.

Did you try and run this http://www.geekstogo...=download&id=21 to see if you could get online?

#9
Howie1

Ok
I finally had some time to do a little work on the computer.
Here's the latest log, maybe not; the floppy disks are not formatted now when I try to load them on my computer. I talked to the owner and she told me to take it to the shop in the morning. So I'm done with this one!
Thanks,
Howie1

#10
don77

OK Howie1.
Sorry we couldn't get it sorted out for you.

I will close this topic now. If you need it reopened, please PM a member of the staff. Please provide a link to this topic.

Good Luck
Don