
Shortcut error



#61
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,627 posts
Yes. I just learned about that.


Please download RKFiles from here:
http://skads.org/special/rkfiles.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in safe mode and run RKFiles.bat. It may take a while. When it is finished a window should appear with a log.

Restart your computer in normal mode, and please post the contents of the logfile, which should be at c:\log.txt.

Regards,
  • 0


#62
iisupreme11

    Member

  • Topic Starter
  • 45 posts
Hi Pieter

Here is the C:\log.txt file details:

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\Windows\SYSTEM\mc-58-12-0000093.exe: UPX!
C:\Windows\SYSTEM\protect.exe: FSG!
C:\Windows\SYSTEM\convert.exe: FSG!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\Windows\vsapi32.dll: UPX!t4
C:\Windows\tsc.exe: UPX!
Finished
bye

Just in case you need it here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:57:57 PM, on 7/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A1838561-F1EB-11D9-9FAE-4445EC14C48D} - C:\WINDOWS\SYSTEM\ENGH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {A1838560-F1EB-11D9-9FAE-444583586116} - C:\WINDOWS\SYSTEM\ENGH.DLL
O18 - Filter: text/plain - {A1838560-F1EB-11D9-9FAE-444583586116} - C:\WINDOWS\SYSTEM\ENGH.DLL

Regards
  • 0

#63
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,627 posts
Good.

Can you do me a favor and upload these files:
C:\Windows\SYSTEM\protect.exe
C:\Windows\SYSTEM\convert.exe
Follow the instructions here to do so:
http://www.thespykil...x.php?topic=5.0

Please delete:
C:\Windows\SYSTEM\mc-58-12-0000093.exe

Also do a Find files for system32.dll
Let me know if and where you find it.

Download http://www.derbilk.de/SpSeHjfix112.zip to the desktop and then
right click a blank part of desktop & select new folder, call it spfix
unzip the file into that folder

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A1838561-F1EB-11D9-9FAE-4445EC14C48D} - C:\WINDOWS\SYSTEM\ENGH.DLL

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O18 - Filter: text/html - {A1838560-F1EB-11D9-9FAE-444583586116} - C:\WINDOWS\SYSTEM\ENGH.DLL
O18 - Filter: text/plain - {A1838560-F1EB-11D9-9FAE-444583586116} - C:\WINDOWS\SYSTEM\ENGH.DLL

Reboot and post a fresh log.

Regards,
  • 0

#64
iisupreme11

    Member

  • Topic Starter
  • 45 posts
Hi Pieter

I could not find the file system32.dll.

I've applied the updates as requested, here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:54 PM, on 7/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\DOWNLOADS\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0
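
Added example, not part of the original thread: a small Python check that compares the HijackThis log taken before the fix with the fresh log after the reboot and confirms that every entry on the fix list is gone. The function names are hypothetical; the sample lines are excerpts from the logs above, plus one constructed failure case.

```python
import re

# HijackThis result lines begin with a section code (R0-R3, F0-F3, N1-N4, O1-O2x).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (code, detail) entries found in a HijackThis log.
    Details are lower-cased because Win9x paths and registry names ignore case."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip().lower()))
    return entries

def verify_fix(before_log, after_log, fix_list):
    """Check a post-reboot log against the entries that were meant to be fixed."""
    before, after, targets = map(parse_entries, (before_log, after_log, fix_list))
    return {
        "still_present": sorted(targets & after),             # fix did not stick
        "never_listed": sorted(targets - before),             # mistyped fix entry
        "removed_unasked": sorted(before - after - targets),  # gone but not requested
        "new_entries": sorted(after - before),                # appeared since first log
    }

# Excerpts from the logs in posts #62 and #64 and the fix list in post #63.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
O2 - BHO: (no name) - {A1838561-F1EB-11D9-9FAE-4445EC14C48D} - C:\WINDOWS\SYSTEM\ENGH.DLL
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
"""
AFTER = r"""
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
"""
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
O2 - BHO: (no name) - {A1838561-F1EB-11D9-9FAE-4445EC14C48D} - C:\WINDOWS\SYSTEM\ENGH.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
"""
# Constructed failure case (not from the thread): the [sp] Run entry is back.
AFTER_REAPPEARED = AFTER + r"""O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
"""

if __name__ == "__main__":
    for name, after in (("post #64", AFTER), ("constructed", AFTER_REAPPEARED)):
        print(name, verify_fix(BEFORE, after, FIX_LIST))
```

A non-empty `still_present` list after a reboot points to a reinstaller that was missed, which is the case the SpSeHjfix step in post #63 is meant to cover.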

#65
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,627 posts
I couldn't find the uploads at TheSpykiller.

Which username did you use there?

Regards,
  • 0

#66
iisupreme11

    Member

  • Topic Starter
  • 45 posts
Hi Pieter

My bad, I posted under this site instead of the spykiller site.

Try again, I have now posted under the same user name iisupreme and the topic is shortcut error

Regards
  • 0

#67
iisupreme11

    Member

  • Topic Starter
  • 45 posts
Hi Pieter

I have been reviewing the files recently placed under the C:/Windows/System Folder and have found the following:

Folder
cache32_rtneg4

2 files - 100dsktptr.bin
msg.bin

Files

ps3-2abc (icon)
xbox_round11 (bitmap image)
kill all spywareadsfadsf123 (icon)
bose (icon)
ringtone3 (icon)
sefe (application)
own (application)
tasks (file)
richup (application)
mssys (application)
wp (bitmap image)
intel32 (application)

Can I delete any of these?

Regards
  • 0

#68
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,627 posts
Found and identified.

You can delete those two. Unfortunately they are packed, so it will take a bit to find out if more files will be involved.

Can you surf to: http://virusscan.jotti.org/
and have this file scanned:
C:\WINDOWS\SYSTEM\CMMON32.EXE
I think that is the real one, but I want to make sure.

Regards,
  • 0

#69
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,627 posts

Hi Pieter

I have been reviewing the files recently placed under the C:/Windows/System Folder and have found the following:

Folder
cache32_rtneg4

2 files - 100dsktptr.bin
          msg.bin

Files

ps3-2abc (icon)
xbox_round11 (bitmap image)
kill all spywareadsfadsf123 (icon)
bose (icon)
ringtone3 (icon)
sefe (application)
own (application)
tasks (file)
richup (application)
mssys (application)
wp (bitmap image)
intel32 (application)

Can I delete any of these?

Regards


Sorry I missed that post. Yes you can delete those.
For future convenience, enable file extension viewing:
http://antivirus.abo...fileextview.htm

Regards,
  • 0

#70
iisupreme11

    Member

  • Topic Starter
  • 45 posts
Hi Pieter

I have deleted the files and scanned cmmon32.exe and there were no hits found. It appears OK; also, it has been on my PC for a while (Apr 99) with a bunch of other files.

What's next?

Regards
  • 0


#71
iisupreme11

    Member

  • Topic Starter
  • 45 posts
Hi Pieter

I have also found the following files under C:/Windows and scanned them as well

Explorer.exe

File: Explorer.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 6f2c165069ab1a365b5873284ff836d6
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found W32.Bube.J
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Win32.Bube.L
ClamAV Found W32.Bube.L
Dr.Web Found Win32.Beavis.5708
F-Prot Antivirus Found nothing
Fortinet Found W32/Bube.I
Kaspersky Anti-Virus Found Virus.Win32.Bube.l
NOD32 Found Win32/Bube.L
Norman Virus Control Found nothing
UNA Found Win32.Bube.l
VBA32 Found Win32.Worm.Bube.l

iun6002.exe

File: iun6002.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 9433d5ac20edcf7d39c454fe2f67b43d
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


uninstIU.exe

File: uninstIU.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 29178058f9cd9a7d9e3353591a9e8642
Packers detected: -
Scanner results
AntiVir Found TR/Agent.EO
ArcaVir Found Trojan.Agent.Ff
Avast Found nothing
AVG Antivirus Found Agent.CN
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Fakealert
F-Prot Antivirus Found nothing
Fortinet Found W32/Agent.FF-tr
Kaspersky Anti-Virus Found Trojan.Win32.Agent.ff
NOD32 Found Win32/Agent.FF
Norman Virus Control Found W32/Agent.FCN
UNA Found Trojan.Win32.Agent
VBA32 Found Trojan.Win32.Agent.ff

hosts.sam
Amaoaeck

Regards
  • 0

#72
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,627 posts
Wow. Can you upload uninstIU.exe to the same thread at TheSpykiller you used before?
It's part of http://vil.mcafeesec...nt/v_131814.htm
(You may recognize the screenshot)

While you are there you can follow the instructions they have for cleaning Bube:
http://www.thespykiller.co.uk/bube.htm

Keep me posted on your progress.

Regards,
  • 0

#73
iisupreme11

    Member

  • Topic Starter
  • 45 posts
Hi Pieter

I am having some problems with my keyboard. Anyway, I downloaded the Kaspersky AV software and installed it. When I tried to open the application, it just states that the database is corrupted and uploaded the file master.xml. I have uninstalled it and sent an update to the Kaspersky site.

Regards
  • 0

#74
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,627 posts
Can you see if you can get Kaspersky updated like this?
Download the cumulative.zip (Complete) & daily.zip (Current) from here: http://www.kaspersky.com/avupdates/zip

Then unzip them into the Bases folder. You find it in "Documents and Settings" > "All Users" > "Application Data" > "Kaspersky Anti-virus Personal" > "5.0" > "Bases". (Click yes when you are asked if it's OK to overwrite.) When you have unzipped both zips to this folder, do a reboot (important!).

Regards,
  • 0





