[PartySizeNuts]

Have one dll that ewido keeps seeing as trojan highjacker. I cant fix it. Please help. Oh yeah, bazooka keeps telling me about exploit ebs.f**k-access.com, cant fix that either.



Logfile of HijackThis v1.99.1
Scan saved at 7:35:27 PM, on 9/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = -access.com/index.phtml?source=app]http://www.kephyr.com/spywarescanner/libra...html?source=app
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

Edited by PartySizeNuts, 08 September 2005 - 08:06 PM.

[Advertisements]

i found a topic about removing repairs.dll, trying that, still dont know what the exploit is

[PartySizeNuts]

i found a topic about removing repairs.dll, trying that, still dont know what the exploit is

[PartySizeNuts]

1. Download RegLite from here
http://www.resplendence.com/downloads

2. REBOOT into Safe Mode

3. Open Reglite and Copy&Paste the bold text below into the Address Bar and hit Enter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

4. In the smaller left hand pane-> Right Click the Windows folder (Highlighted in Blue)
Select Rename-> Rename it to Windoz-> Hit Enter

5. In the larger right hand pane-> locate and double click AppInit_DLLs
Under Value-> Remove(Delete)-> repairs.dll

6. Open the Search Assistant (Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by every box under Advanced options

7. Under All Files and Folders, enter this into the text box:
repairs.dll

Delete any exact matches


8. Restart and Open Reglite again
Locate the folder you renamed to Windoz
Rename it again,back to Windows.

9. Have HijackThis fix this entry (if its still there):

O20 - AppInit_DLLs: repairs.dll





these were the instruction Trevuren gave on a different post. Doesnt work for me. the part about searching for repairs.dll i cant get to. every time i try to open search in safe mode i get a pop up window that says "COMMON SHELL""I need ResXX\Mcshield.dll" and the search window doesnt work. i am at a loss now for what to do.