Smitfraud.c


  • This topic is locked

#16
freebird53

    Member

  • Topic Starter
  • 38 posts
Also, previously I couldn't stay online long enough to do anything before I began getting all of these popups and then nothing would work on my computer....notepad.....etc.
  • 0


#17
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
It should get better soon.

Here's how to do killbox one by one.

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each:

C:\WINNT\system32\cdrtc921.exe
C:\WINNT\system32\appqw.exe
C:\WINNT\System32\APPXEC32.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.



You do not have to disable AVG, just the spyware killer. That detects us making changes to the registry.
  • 0

#18
freebird53

    Member

  • Topic Starter
  • 38 posts
I never could run Adaware. It kept freezing when it got to files that don't exist in my applications data. I used Spyware Doctor instead. These are the reports from Spyware, Ewido, and the online virus scan from Panda. Spyware Doctor said I am infected with a high risk virus that they would not remove with the free version. Purity Scan and Slagent virus. Below are the reports.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:23:04 AM, 06/26/2005
+ Report-Checksum: 1596D171

+ Date of database: 06/25/2005
+ Version of scan engine: v3.0

+ Duration: 17 min
+ Scanned Files: 40693
+ Speed: 39.85 Files/Second
+ Infected files: 7
+ Removed files: 7
+ Files put in quarantine: 7
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Common Files\kqki\kqkip.exe -> Spyware.Xupiter.m -> Cleaned with backup
C:\WINNT\system32\acsetupc.exe -> Spyware.UrlSpy -> Cleaned with backup
C:\WINNT\system32\adsldp49.exe -> Spyware.UrlSpy -> Cleaned with backup
C:\WINNT\system32\аttrib.exe -> Spyware.PurityScan -> Cleaned with backup


::Report End


Incident Status Location

Adware:Adware/SaveNow No disinfected C:\WINNT\system32\datastore.dll
Adware:Adware/nCase No disinfected C:\WINNT\msbb*
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/IEDriver No disinfected C:\WINNT\system32\Searchx.htm
Adware:Adware/CommanderToolbar No disinfected C:\WINNT\system32\ietb.dll
Adware:Adware/NaviPromo No disinfected Windows Registry
Adware:Adware/SideFind No disinfected C:\Program Files\Common Files\kqki\kqkip.exe
Virus:Trj/WmvDownloader.A Disinfected C:\Program Files\Kazaa\My Shared Folder\Yeah!.wma
Virus:W32/Smitfraud.A Disinfected C:\WINNT\$NtUninstallKB889293-IE6SP1-20041111.235619$\wininet_dll.vir
Adware:Adware/nCase No disinfected C:\WINNT\msbb32.dll
Spyware:Spyware/UrlSpy No disinfected C:\WINNT\system32\acsetupc.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINNT\system32\adsldp49.exe
Adware:Adware/IEDriver No disinfected C:\WINNT\system32\catsrvps.exe
Adware:Adware/SaveNow No disinfected C:\WINNT\system32\datastore.dll
Adware:Adware/CommanderToolbar No disinfected C:\WINNT\system32\ietb.dll
Adware:Adware/IEDriver No disinfected C:\WINNT\system32\Searchx.htm
Adware:Adware/PurityScan No disinfected C:\WINNT\system32\Shex.exe
Spyware:Spyware/ShopNav No disinfected C:\WINNT\unist2.exe

SPYWARE RESULTS
Scan Results:
scan start: 06/26/2005 4:53:25 AM
scan stop: 06/26/2005 4:58:59 AM
scanned items: 46090
found items: 4
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, ActiveX Scanner, Disk Scanner



Infection Name Location Risk
Slagent HKCU\Software\mc Elevated
Slagent HKCU\Software\mc## Elevated
Slagent HKCU\Software\mc##SA Elevated
PurityScan C:\WINNT\system32\wtssvsu.exe Elevated
  • 0

#19
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please reboot to safe mode.

Use Windows Explorer to remove these folders:
C:\Program Files\Common Files\kqki\
C:\WINNT\msbb\

***

Use killbox to delete these files on reboot:

C:\WINNT\msbb32.dll
C:\WINNT\system32\catsrvps.exe
C:\WINNT\system32\datastore.dll
C:\WINNT\system32\ietb.dll
C:\WINNT\system32\Searchx.htm
C:\WINNT\system32\Shex.exe
C:\WINNT\system32\wtssvsu.exe
C:\WINNT\unist2.exe

***

Reboot to normal mode.

***

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Download Spybot S&D 1.4
Install it, update it and let it run.
Remove items in red.

Let me know how things are now.

Edited by g2i2r4, 26 June 2005 - 10:33 AM.

  • 0

#20
freebird53

    Member

  • Topic Starter
  • 38 posts
ErrorGuard: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\Install.Install.1

ErrorGuard: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\Install.Install

Connect MFC Application: Program directory (Directory, nothing done)
C:\Program Files\Instant Access\

eGroup.InstantAccess: User settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-600398548-1825380940-1390150559-500\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo bgdjdn

SpyHunter: Program group (Directory, nothing done)
C:\Program Files\Enigma Software Group\

SpywareStormer: Program directory (Directory, nothing done)
c:\Program Files\Spyware Stormer\


--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-06-23 Includes\Dialer.sbi
2005-06-23 Includes\Hijackers.sbi
2005-06-23 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-06-23 Includes\Malware.sbi
2005-06-09 Includes\PUPS.sbi
2005-04-27 Includes\Revision.sbi
2005-06-09 Includes\Security.sbi
2005-06-15 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-06-21 Includes\Trojans.sbi
  • 0

#21
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
SpyHunter, SpywareWarrior and Errorguard need to go.

Let's see what you have on that computer:
Please download and run this script List Installed Programs. You need to scroll down a bit.
If you get a warning of a malicious script trying to run, grant permission to run the entire script.

Post the log here.
  • 0

#22
freebird53

    Member

  • Topic Starter
  • 38 posts
Ok, I'll do that...might take a few because I'm going back and forth from this computer and the other one so I can send you a message when I get it....thanks!
  • 0

#23
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I see you are using Spybot version 1.3

Please remove it using software panel.
Then install the latest version 1.4:
http://www.see-cure..../spybotsd14.exe
Install it, update it and let that one run.
  • 0

#24
freebird53

    Member

  • Topic Starter
  • 38 posts
Here's the list:

Abacast Client
Ad-Aware SE Personal Ver: 1.06
Adobe Acrobat 5.0 Ver: 5.0
Appswebservice.com Search Assistant
AVG Free Edition
CleanUp!
Deer Hunter 4
Ecco the Dolphin
ewido security suite
GameSpy Arcade
hibcdfu
HijackThis 1.99.1 Ver: 1.99.1
IBM Rescue and Recovery with Rapid Restore Ver: 2.04.0182 Installed: 06/23/2005
IE Host R3
Instant Access
Intel® 845G Chipset Graphics Driver Software
Intel® PRO Ethernet Adapter and Software
Interactive Curriculum
Internet Dialer
Internet Explorer Exception pack
Internet Explorer ReadMe
Internet Update
Java 2 Runtime Environment Standard Edition v1.3.1_04
Kazaa Media Desktop 2.1.1
Lexmark Supplies Monitor
Lexmark Z25-Z35
Madden NFL TM 2002
Microsoft Data Access Components KB870669
Microsoft Office 97, Professional Edition
Microsoft VGX Q833989
Microsoft Windows Journal Viewer Ver: 1.5.2315.0 Installed: 12/09/2002
Microsoft Windows Update Auto Update Ver: 5.4.3630.11 Installed: 11/21/2002
Midnight Outlaw Illegal Street Drag - Nitro Edition
Mozilla Firefox (1.0.4) Ver: 1.0.4 (en-US)
Need For Speed III
Need For Speed Underground
OIN Ver: 1.0
Outlook Express Q823353
QuickTime
rudveatobk
Shockwave
Shockwave Flash
Spybot - Search & Destroy 1.3 Ver: 1.3
Spyware Doctor 3.2 Ver: 3.2
Starware
Sygate Personal Firewall Ver: 5.6.2808 Installed: 06/26/2005
WebFldrs Ver: 9.00.3907 Installed: 11/21/2002
Windows 2000 Hotfix - KB823182 Ver: 20030618.121409
Windows 2000 Hotfix - KB823559 Ver: 20030627.135515
Windows 2000 Hotfix - KB824105 Ver: 20030716.151320
Windows 2000 Hotfix - KB825119 Ver: 20030827.151123
Windows 2000 Hotfix - KB826232 Ver: 20031007.160553
Windows 2000 Hotfix - KB828035 Ver: 20031023.142138
Windows 2000 Hotfix - KB828741 Ver: 20040311.130332
Windows 2000 Hotfix - KB828749 Ver: 20031023.124056
Windows 2000 Hotfix - KB835732 Ver: 20040323.171849
Windows 2000 Hotfix - KB837001
Windows 2000 Hotfix - KB839645 Ver: 20040519.160457
Windows 2000 Hotfix - KB840315 Ver: 20040622.153749
Windows 2000 Hotfix - KB840987 Ver: 20040825.01015
Windows 2000 Hotfix - KB841356 Ver: 20040730.185536
Windows 2000 Hotfix - KB841533 Ver: 20040824.233811
Windows 2000 Hotfix - KB841872 Ver: 20040520.90850
Windows 2000 Hotfix - KB841873 Ver: 20040610.95344
Windows 2000 Hotfix - KB842526 Ver: 20040521.202909
Windows 2000 Hotfix - KB873339 Ver: 20041116.24305
Windows 2000 Hotfix - KB885835 Ver: 20041101.10457
Windows 2000 Hotfix - KB885836
Windows 2000 Service Pack 4
Windows Blaster Worm Removal Tool (KB833330)
Windows Media Player system update (9 Series)
WinZip Ver: 8.1 (4331)
  • 0

#25
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:

hibcdfu
Appswebservice.com Search Assistant
Instant Access
rudveatobk
Spybot - Search & Destroy 1.3 Ver: 1.3


Press ‘delete this entry’ for each one.
Close HijackThis and reboot.

***

Now download Spybot using the link I gave you. Make sure it's up to date.

***

We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

***

Use Windows Explorer to delete these folders:
C:\Program Files\Enigma Software Group\
C:\Program Files\Instant Access\
c:\Program Files\Spyware Stormer\

***

Now reboot to safe mode and let Spybot 1.4 scan, remove items found in red.

Keep me informed.
  • 0


#26
freebird53

    Member

  • Topic Starter
  • 38 posts
I did everything you said, however those programs are not showing. HiJack this had them all listed except for the hibcdfu file. Spybot is showing that one in the WINNT\sys32 files and they tried to change the entry into the registry and then it kept giving me an access denied script in Spybot. It is frozen when they try to change it....soooooo what next?
  • 0

#27
freebird53

    Member

  • Topic Starter
  • 38 posts
I hope you're not getting as frustrated as I am......lol :tazz:
  • 0

#28
freebird53

    Member

  • Topic Starter
  • 38 posts
Should these be taken out with HiJack This the way we did the other files yesterday?
HKEY_CLASSES_ROOT\Install.Install.1
HKEY_CLASSES_ROOT\Install.Install
HKEY_USERS\S-1-5-21-600398548-1825380940-1390150559-500\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo bgdjdn
  • 0

#29
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I'm not frustrated, and neither should you be.
It may take some effort, but we will get there.

Copy the contents of the quote box below to a blank notepad. Make sure the formatting remains the same.
Close it, saving to your desktop as:

File name: zipzap.reg
Save As Type: All Files

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Access]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\hibcdfu]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hibcdfu"=-


Reboot to safe mode. Double click the zipzap.reg file and allow it to merge with the registry.

I think we may have taken on those two as well when we are done (and if not, we will hunt them). :tazz:

You were able to remove these?
Appswebservice.com Search Assistant
Instant Access
rudveatobk
Spybot - Search & Destroy 1.3 Ver: 1.3
  • 0

#30
freebird53

    Member

  • Topic Starter
  • 38 posts
Yes I removed them, just not the program files you told me to remove. They are not showing in Program Files under those names and I don't have any folders hidden. I have still not been able to boot into safe mode. Whatever this is, I think it's keeping that from happening.
  • 0





