Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Ad-Aware Post for gmad[CLOSED]


  • This topic is locked This topic is locked

#16
gmad

gmad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
BTW, when I try clicking on the link above, I get promted for a user name and PW. I assume this was not where you wanted me to go.

Gman
  • 0

Advertisements


#17
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi gmad

Sorry the change it now at the bootm of the first post.

http://forums.skads....hp?showtopic=80
At the bottom of the first post you will see this Attached File remv3.zip ( 21.79k ) Number of downloads: 576
Now download the remv3.zip

Instructions

>> Download the attachment and unzip the contents to a permanent folder[/b]

>> Reboot into safe mode and unhide all files and folders

>> Doubleclick on remv3.bat to run it. Wait untill the dos window closes.

>> Post the contents of c:\log.txt after rebooting into normal mode.

Kc :tazz:
  • 0

#18
gmad

gmad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Ok Thatman, thank you, here's the new log....

The batch is run from -- C:\Documents and Settings\Greg Madrigal\Desktop

Files Found.................
----------------------------------------
clfmon.exe
pxhping.exe
mqbckup.exe
dllhostxp.exe
rdshost32.exe
winsrv32.dll
d3dxov.dll
msacmx.dll
hdr.dll
subsys.exe
dnsping.exe
iecust.exe
sp2chek.exe
clfmon.exe
hdr.dll

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\Files]
"service.exe"=""
"msacmx.dll"=""
"d3dxov.dll"=""
"winsrv32.dll"=""
"ie4unit.exe"=""
"ipxroutex.exe"=""
"rdshost32.exe"=""
"rshe.exe"=""
"net2.exe"=""
"mqsvch.exe"=""
"dllhostxp.exe"=""
"extrac16.exe"=""
"mqbckup.exe"=""
"pxhping.exe"=""
"rdpnr.exe"=""
"slservc.exe"=""
"clfmon.exe"=""
"hdr.dll"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes]
"ie4unit.exe"=""
"ipxroutex.exe"=""
"service.exe"=""
"rdshost32.exe"=""
"rshe.exe"=""
"net2.exe"=""
"mqsvch.exe"=""
"dllhostxp.exe"=""
"extrac16.exe"=""
"mqbckup.exe"=""
"pxhping.exe"=""
"rdpnr.exe"=""
"slservc.exe"=""
"clfmon.exe"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys]
"{98DBBF16-CA43-4c33-BE80-99E6694468A4}"=""
"{A5366673-E8CA-11D3-9CD9-0090271D075B}"=""
"Files"=""
"Ms4Hd"=""
"Processes"=""
"RegKeys"=""
"RegValues"=""
"Vendor"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues]
"clfmon.exe"=""
"dllhostxp.exe"=""
"pxhping.exe"=""
"service.exe"=""


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 7C3C-7DD8

Directory of C:\WINNT\system32

msi.dll
Finished
  • 0

#19
gmad

gmad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
;) Thatman, Winpatrol promted we when "clfmon.exe" &
"dllhostxp.exe" tried to add themselves back to the startup registry after I rebooted into regular Windows after running "remv3.bat."

I of course denied it. FYI... :tazz:
  • 0

#20
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi gmad

Please read through the instructions before you start (you may want to print this out).

Please download all items to your desktop first.

Please download and install these programs - don't run them yet!!

Download Pocket Killbox and unzip it; save it to your Desktop.

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. use either link below:
cwsserviceremove

cwsserviceremove.zip

Download CW-Shredder at the link below:
CWShredder

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Reboot into Safe Mode: Click here if you don't know how to do this.

Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

Scan with AdAware and let it remove any bad files found.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Double click on the cwsserviceremove and when asked to merge say yes.

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
C:\WINNT\system32\winsrv32.dll
C:\WINNT\system32\msupgr.exe
C:\WINNT\system32\msacmx.dll
C:\WINNT\system32\dnsping.exe
C:\WINNT\system32\dllhostxp.exe
C:\WINNT\system32\d3dxov.dll
C:\WINNT\system32\subsys.exe
C:\WINNT\system32\pxhping.exe
C:\WINNT\system32\mqbckup.exe
C:\WINNT\system32\sp2chek.exe
C:\WINNT\system32\rdshost32.exe
C:\WINNT\system32\rcpie.dll
C:\WINNT\system32\msupgr32.exe
C:\WINNT\system32\iecust.exe
Let the system reboot.

Download the Hoster from here Press "Restore Original Hosts. and press "OK". Exit Program.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#21
gmad

gmad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
:tazz: Ok, looking better already!!!

Here is my new A.B. log(but I could NOT update. Says- An Error has occurred while updating!

Scanned at: 11:03:47 AM on: 5/28/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

The PandaSoftware ActiveScan only produced an unknown file to my desktop named -track=17490.url

I did a Trend Micro scan too which produced nothing that I know of.


Here is my new HJT log...


Logfile of HijackThis v1.99.1
Scan saved at 1:19:08 PM, on 5/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Mixer.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\TDK\Digital MixMaster\DMM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\EXPLORER.EXE
C:\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E1FDD6F-EEAD-420A-9E3C-E8CD3B379B6F}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{66E76F92-72E8-4D3B-99AA-4AE946E25CE1}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F78818-E1B4-4DD7-B906-4C5EC873A8BC}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
  • 0

#22
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi gmad

The PandaSoftware ActiveScan only produced an unknown file to my desktop named -track=17490.url
You will find that in your Favorites folder

Have you tryed to update Ewido yet.

Please read through the instructions before you start (you may want to print this out).

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Click on Fix Checked when finished and exit HijackThis.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

How is the system running now please let me know

Kc :tazz:
  • 0

#23
gmad

gmad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hello again Thatman, we are making progress for sure. I don't have any IE problems with hijackings or redirects anymore! However, I am still unable to update Ewido. I have no firewall at this time(that I know of) so I am dumfounded there.

I deleted the 2 files in HijackThis that you wanted me to.

Panda won't seem to scan either. I get an ERROR ON PAGE message. I can do the Trend Micro scan though. I tried to include the file that Panda produced on a prior scan, but it won't allow me to attach as is a .url type folder. :tazz: FYI-I have cable broadband.

The other problems that I am still having, are that when I reboot, the computer usually freezes somewhere between the BIOS running and opening the first program from the desktop. Sometimes, it doesn't even enter BIOS (I don't here the two beeps from the CPU after powering up.) I just get a dark screen.

Seems that I usually have to do a hard reboot at least twice before I can run properly anymore. ;)

Here is my new HJ log....

Logfile of HijackThis v1.99.1
Scan saved at 1:03:47 PM, on 5/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis[1]\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E1FDD6F-EEAD-420A-9E3C-E8CD3B379B6F}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{66E76F92-72E8-4D3B-99AA-4AE946E25CE1}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F78818-E1B4-4DD7-B906-4C5EC873A8BC}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
  • 0

#24
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi gmad

Is this your ip
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E1FDD6F-EEAD-420A-9E3C-E8CD3B379B6F}: NameServer = 69.50.166.94,69.31.80.244
Please run a check for any of the following files delete if found
Using Windows Explorer, locate the following files/folders, and delete them: [b]If found

clfmon.exe
pxhping.exe
mqbckup.exe
dllhostxp.exe
rdshost32.exe
winsrv32.dll
d3dxov.dll
msacmx.dll
hdr.dll
subsys.exe
dnsping.exe
iecust.exe
sp2chek.exe
clfmon.exe
hdr.dll
C:\WINNT\system32\winsrv32.dll
C:\WINNT\system32\msupgr.exe
C:\WINNT\system32\msacmx.dll
C:\WINNT\system32\dnsping.exe
C:\WINNT\system32\dllhostxp.exe
C:\WINNT\system32\d3dxov.dll
C:\WINNT\system32\subsys.exe
C:\WINNT\system32\pxhping.exe
C:\WINNT\system32\mqbckup.exe
C:\WINNT\system32\sp2chek.exe
C:\WINNT\system32\rdshost32.exe
C:\WINNT\system32\rcpie.dll
C:\WINNT\system32\msupgr32.exe
C:\WINNT\system32\iecust.exe

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)
Exit Explorer.

Try any of the folloing scans
http://www.ravantivirus.com/scan/
http://www.bitdefend...can/licence.php
Kaspersky Worm Removal Tool

Follow up with an online Trojan scan at any of the following:
TrojanHunter
http://www.computerc.../reviews-8.html
a2 Scanner
http://www.emsisoft..../software/free/
Trojan Remover
http://www.simplysup...r/download.html

Post back with the results.

Kc :tazz:
  • 0

#25
gmad

gmad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hello Thatman,

I searched for, but did not find any of the files you asked about. Looks like Killbox really works! :tazz:

Here are the results from the RAV online scanner:

Scan started at 5/30/2005 2:35:14 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\backup\Documents and Settings\Greg\Local Settings\Application Data\Microsoft\Outlook\outlook.pst->Attachment.298: "message.pif" - Win32/Netsky.Q@mm -> Infected
C:\RECYCLER\S-1-5-21-1060284298-1580436667-839522115-1000\Dc33.frB4EF - Trojan:Win32/Small.BX -> Infected

Scanned
============================
Objects: 121900
Directories: 5283
Archives: 11084
Size(Kb): -731016
Infected files: 2

Found
============================
Viruses found: 2
Suspicious files: 0
Disinfected files: 0
Mail files: 1504

Here are the results of BitDefender Online Scanner-

Scan started at 5/30/2005 2:35:14 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\backup\Documents and Settings\Greg\Local Settings\Application Data\Microsoft\Outlook\outlook.pst->Attachment.298: "message.pif" - Win32/Netsky.Q@mm -> Infected
C:\RECYCLER\S-1-5-21-1060284298-1580436667-839522115-1000\Dc33.frB4EF - Trojan:Win32/Small.BX -> Infected

Scanned
============================
Objects: 121900
Directories: 5283
Archives: 11084
Size(Kb): -731016
Infected files: 2

Found
============================
Viruses found: 2
Suspicious files: 0
Disinfected files: 0
Mail files: 1504





I will run others and post later.
  • 0

Advertisements


#26
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi gmad

Run killbox and delete the following:
C:\backup\Documents and Settings\Greg\Local Settings\Application Data\Microsoft\Outlook\outlook.pst->Attachment.298: "message.pif"
C:\RECYCLER\S-1-5-21-1060284298-1580436667-839522115-1000\Dc33.frB4EF

How is the system running now and from my last post is that you IP address

Kc :tazz:
  • 0

#27
gmad

gmad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Will do Thatman!

I'm sorry, I do not know how to tell my IP address.

It's running much better except for the freezing up when restarting.
  • 0

#28
Guest_thatman_*

Guest_thatman_*
  • Guest
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP