Too Much Spyware - You take a look!



#1
Mynnx

Hey guys. I've been working for about a week trying to get rid of some spyware. Usually, I consider myself capable of dealing with it, but this stuff won't quit! AA doesn't even see it, Spybot sees 7 variants of CWS but won't cure them, and nothing looks out of the ordinary from HJT, either.

Here are some logs, if anyone is kind enough to lend a hand:

HJT:
Logfile of HijackThis v1.99.0
Scan saved at 12:33:48 AM, on 12/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\vqikiv.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Ldee] C:\Documents and Settings\Administrator\Application Data\cttm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

Find-It:
Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Program Files\Spyware Removal\Find-It\Find It NT-2K-XP

 ------- System Files in System32 Directory -------
 Volume in drive C has no label.
 Volume Serial Number is EC4F-7627

 Directory of C:\WINDOWS\System32

12/31/2004  12:04 AM               512 NpzW4m.71i
12/31/2004  12:04 AM           253,973 Wab8.exe
12/31/2004  12:04 AM           253,973 Dyf0o5.exe
12/31/2004  12:04 AM           253,973 RvkY0ko.exe
12/31/2004  12:04 AM           253,973 HhmDU5G.exe
12/31/2004  12:04 AM           253,973 MtkN7qy.exe
12/31/2004  12:04 AM           253,973 Jug5W.exe
12/31/2004  12:04 AM           499,733 HacH5X.exe
12/31/2004  12:04 AM           499,733 Qxcn74j.exe
12/31/2004  12:04 AM           499,733 Mzc2.exe
12/30/2004  11:47 PM    <DIR>          dllcache
12/30/2004  05:08 PM           224,966 n2p4lc7q1f.dll
12/30/2004  03:19 PM           224,966 jt8607lse.dll
12/30/2004  03:09 PM           224,966 o8480ihue8480.dll
12/29/2004  04:58 PM           224,966 q6pslg7716.dll
12/29/2004  12:20 PM           222,992 n86qlij518o.dll
12/29/2004  11:18 AM           223,232 mzorc32r.dll
12/29/2004  12:50 AM           223,232 lv8009lme.dll
12/29/2004  12:36 AM           223,372 h04m0ah1ed4.dll
12/29/2004  12:31 AM           223,961 lv2s09f7e.dll
12/22/2004  02:19 PM           389,120 ?hkntfs.exe
09/04/2003  03:20 AM    <DIR>          Microsoft
              20 File(s)      5,429,322 bytes
               2 Dir(s)  85,314,273,280 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is EC4F-7627

 Directory of C:\WINDOWS\System32

12/31/2004  12:04 AM               512 NpzW4m.71i
12/31/2004  12:04 AM           253,973 Wab8.exe
12/31/2004  12:04 AM           253,973 Dyf0o5.exe
12/31/2004  12:04 AM           253,973 MtkN7qy.exe
12/31/2004  12:04 AM           253,973 HhmDU5G.exe
12/31/2004  12:04 AM           253,973 Jug5W.exe
12/31/2004  12:04 AM           253,973 RvkY0ko.exe
12/31/2004  12:04 AM           499,733 HacH5X.exe
12/31/2004  12:04 AM           499,733 Qxcn74j.exe
12/31/2004  12:04 AM           499,733 Mzc2.exe
12/30/2004  11:47 PM    <DIR>          dllcache
12/22/2004  02:19 PM           389,120 ?hkntfs.exe
09/04/2003  01:57 AM               488 logonui.exe.manifest
09/04/2003  01:57 AM               488 WindowsLogon.manifest
09/04/2003  01:57 AM               749 sapi.cpl.manifest
09/04/2003  01:57 AM               749 ncpa.cpl.manifest
09/04/2003  01:57 AM               749 nwc.cpl.manifest
09/04/2003  01:57 AM               749 wuaucpl.cpl.manifest
09/04/2003  01:57 AM               749 cdplayer.exe.manifest
              18 File(s)      3,417,390 bytes
               1 Dir(s)  85,314,269,184 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C has no label.
 Volume Serial Number is EC4F-7627

 Directory of C:\WINDOWS\System32

12/31/2004  12:11 AM           224,966 guard.tmp
               1 File(s)        224,966 bytes
               0 Dir(s)  85,314,269,184 bytes free

 --------- Temp Files in System32 Directory --------

 Volume in drive C has no label.
 Volume Serial Number is EC4F-7627

 Directory of C:\WINDOWS\System32

12/31/2004  12:11 AM           224,966 guard.tmp
12/29/2004  12:43 AM                 0 ~GLH0014.TMP
03/31/2003  07:00 AM             2,577 CONFIG.TMP
               3 File(s)        227,543 bytes
               0 Dir(s)  85,314,265,088 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2B670ADF-F66B-4E50-A09E-13D39DF8F66D}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o8480ihue8480.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ------------------ Locate.com Results ------------------
 ------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\isoaoi.dll: updates.qoologic.com
C:\WINDOWS\system32\liypyl.dll: updates.qoologic.com
C:\WINDOWS\system32\lxzqzl.exe: updates.qoologic.com

 -------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\vqikiv.exe: .aspack
C:\WINDOWS\system32\wgavaw.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kfunuk.exe: .aspack

 ----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe /startup"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"ASUS Probe"="C:\\Program Files\\ASUS Probe\\AsusProb.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
  65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Narrator"="C:\\WINDOWS\\System32\\vqikiv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

I do have the Google Toolbar, btw. If anyone needs any other logs (like Spybot, although that doesn't seem to be helpful), I'd be glad to show them.

Thanks!
~Mynnx
  • 0



#2
Mynnx

[Edit (Is there an edit button?)] Here's something kind of fishy that I see in the StartupList log, too:

...
--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\dacprop2.dll||C:\WINDOWS\system32\dacprop2.dll||C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\A~NSISu_.exe||C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\A~NSISu_.exe||C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\A~NSISu_.exe|||\

--------------------------------------------------
...

Hope this helps, too! [/edit]
  • 0

#3
Metallica

Download and unzip:
http://www.downloads...org/KillBox.zip
Run Killbox and paste each of these lines into the box, select delete on reboot, then press the red X button. When it says reboot now, say no and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\n2p4lc7q1f.dll
C:\WINDOWS\System32\jt8607lse.dll
C:\WINDOWS\System32\o8480ihue8480.dll
C:\WINDOWS\System32\q6pslg7716.dll
C:\WINDOWS\System32\n86qlij518o.dll
C:\WINDOWS\System32\mzorc32r.dll
C:\WINDOWS\System32\lv8009lme.dll
C:\WINDOWS\System32\h04m0ah1ed4.dll
C:\WINDOWS\System32\lv2s09f7e.dll
C:\WINDOWS\system32\isoaoi.dll
C:\WINDOWS\system32\liypyl.dll
C:\WINDOWS\system32\lxzqzl.exe
C:\WINDOWS\system32\vqikiv.exe
C:\WINDOWS\system32\wgavaw.da
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kfunuk.exe <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2B670ADF-F66B-4E50-A09E-13D39DF8F66D}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-


Then fix these with HijackThis:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Reboot once more and post a new HijackThis log.

Also, can you do me a favor?
You have this file in your system32 folder
?hkntfs.exe

I would love to have a copy of one of these, but no one was ever able to find it (even with hidden files showing). You strike me as pretty computer-savvy.
Can you give it a try to find it?

Regards,

Pieter

Edited by Metallica, 31 December 2004 - 02:54 AM.

  • 0
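Added example, not part of the original posts or of any tool named in this thread: a small parser for a REGEDIT4 export of the Winlogon\Notify key, like the one in post #1, that decodes each subkey's DllName (plain string or hex(2)) and flags the kind of entry the FixVX2.reg above deletes. The baseline set and the "full path" check are assumptions for this example, taken from the other Notify entries in the same log.

```python
import re

# Assumption for this example: the baseline is only the DLL names used by the
# other Notify subkeys in the log from post #1, not an authoritative list.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "wlnotify.dll", "sclgntfy.dll"}
KEY_RE = re.compile(r'^\[.*\\Winlogon\\Notify\\([^\\\]]+)\]$', re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample: three subkeys excerpted from the Find-It output in post #1.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"DllName"="C:\\WINDOWS\\system32\\o8480ihue8480.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
'''


def decode_value(data):
    """Decode the two REGEDIT4 value forms the log uses for DllName."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")      # un-escape backslashes
    if data.startswith("hex(2):"):                   # REG_EXPAND_SZ, ANSI bytes
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        return raw.split(b"\x00", 1)[0].decode("latin-1")
    return data                                      # dword etc. left undecoded


def parse_notify(export_text):
    """Return {subkey: DllName} for direct subkeys of Winlogon\\Notify."""
    entries, current = {}, None
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("["):
            k = KEY_RE.match(line)
            current = k.group(1) if k else None
            continue
        m = VALUE_RE.match(line)
        if current and m and m.group("name").lower() == "dllname":
            entries[current] = decode_value(m.group("data"))
    return entries


def suspicious(entries):
    """Flag entries whose DLL is outside the baseline or given as a full path."""
    findings = []
    for subkey, dll in sorted(entries.items()):
        base = dll.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base not in BASELINE_DLLS:
            reasons.append("DLL not in baseline")
        if "\\" in dll:
            reasons.append("full path rather than a bare DLL name")
        if reasons:
            findings.append((subkey, dll, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    print(suspicious(parse_notify(SAMPLE)))
```

A flagged entry is a lead for review, not a verdict: third-party software can register its own notification packages, so the baseline has to come from a known-clean machine of the same build.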

#4
Mynnx

I'll get on it after I go and get off of work today, around six. This ?hkntfs seems to be a nasty bugger - I don't see it in Explorer, but here's something from DOS that's interesting:

C:\WINDOWS\system32>dir /A:H /B
cdplayer.exe.manifest
dllcache
Dyf0o5.exe
HacH5X.exe
HhmDU5G.exe
Jug5W.exe
logonui.exe.manifest
MtkN7qy.exe
Mzc2.exe
ncpa.cpl.manifest
NpzW4m.71i
nwc.cpl.manifest
Qxcn74j.exe
RvkY0ko.exe
sapi.cpl.manifest
Wab8.exe
WindowsLogon.manifest
wuaucpl.cpl.manifest
?hkntfs.exe

C:\WINDOWS\system32>copy "?hkntfs.exe" "..\..\Documents and Settings\Administrator\My Documents"

chkntfs.exe
1 file(s) copied.

Those logs up there are not as fresh as they should be, given GtG's downtime yesterday. Would it still work with stale logs?
  • 0

#5
Mynnx

Uhm, I don't know what this means, but after choosing to let it reboot, KillBox tells me:

PendingFileRenameOperations Registry Data has been remvoved by external process!

...? Help? Thanks!
  • 0

#6
Metallica

PendingFileRenameOperations Registry Data is what Killbox uses to delete the files.

You are the second one reporting this error, which worries me.
Which file were you trying to delete?

Regards,

Pieter
  • 0

#7
Metallica

From Shadowwar:

see if you can go to recycler in dos.

do an attrib -h -s desktop.ini

have them copy it to the root of c:
then see if they can open with notepad and paste it into the thread


Could you do that please. It'll tell us if it really is a newer version.

Regards,

Pieter
  • 0

#8
Mynnx

Actually, I got that error after plugging in all of the files, and then choosing that I would reboot...I'm going to check now (I rebooted manually) to see if the files actually were deleted.
  • 0

#9
Mynnx

Lol, Metallica, we replied at the same time. Here's what I get, whatever it means:

C:\>cd recycler

C:\RECYCLER>attrib -h -s desktop.ini

C:\RECYCLER>
  • 0

#10
Metallica

OK. Now copy the desktop.ini from Recycler to C: and open it in notepad.

That's what we need to see.

Regards,

Pieter
  • 0



#11
Mynnx

Here's the desktop.ini from Recycler:

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{2B670ADF-F66B-4E50-A09E-13D39DF8F66D}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>

  • 0

#12
Metallica

200 is the latest version we have as well.

Would you be willing to beta test something?
I'd need your email address, since we do not want to spread the download link.

It's a cleaner for this infection. It would save us mountains of work if we can use this automated fix.

Regards,

Pieter
  • 0

#13
Mynnx

Sure, Metallica, anything's worth a shot. Check your PM.
  • 0

#14
Metallica


Check your PM.



Likewise. :tazz:

And a happy New Year,

Pieter
  • 0

#15
Mynnx

Hey Metallica, I sent you another PM that said the link doesn't work; I don't know if you've gotten it yet. Let me know!
  • 0





