Jump to content

Free help from tech experts
Welcome to Geeks to Go forums. Create an account now to gain access to all our features. Once registered and logged in, you will be able to create topics, post replies to existing topics, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. Best of all, registration and all assistance is 100% free! This message, and all ads will be removed once you have signed in.
Sign In Create Account

Google search redirected


  • Please log in to reply

#1
Wazoo

Wazoo

    Member

  • Member
  • PipPip
  • 23 posts
My google searchs are being redirected to different sites than selected. I have run the full range of tools with no success. I did check a couple of other posts on the same topic and it looks like HJT can fix the problem but I could not readily identify the files that need to be deleted. I did see a file that is questionable but I wanted to have someone here look before I deleted a file that might be needed to keep the system running.

Here is my HJT file. Any help is greatly appreciated.

Wazoo

ogfile of HijackThis v1.99.1
Scan saved at 1:55:23 PM, on 11/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\d2F6\command.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jucheck.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmogt.exe] C:\WINNT\system32\dmogt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.careerbuilder.com
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent...s/custappx3.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hobsonassoc....bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E067B82-B45D-482A-A973-7A04CD338159}: NameServer = 85.255.114.62,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

Similar Topics: Google search redirected     x


#2
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
click Start> Run> type in CMD tap enter. Copy/Paste the following into command prompt:

sc stop cmdService

Hit 'enter' and copy/past the following:

sc delete cmdService

At the command prompt: type exit.

Make sure all hidden files and folders are visible (Instructions )

Navigate to:
C:\WINNT\d2F6 <--Delete folder if listed.

---------------------------------------------

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O4 - HKLM\..\Run: [dmogt.exe] C:\WINNT\system32\dmogt.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E067B82-B45D-482A-A973-7A04CD338159}: NameServer = 85.255.114.62,85.255.112.75
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe


Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

Edited by didom, 05 November 2005 - 07:41 AM.

  • 0

#3
Wazoo

Wazoo

    Member

  • Member
  • PipPip
  • 23 posts
Thank you for getting back to me. I was out over the weekend so I did not get to the fix until today.

When I went to the command prompt and typed in sc stop cmdservice, I got a message that sc was not a reconized command. So I was not able to stop or delete the service. So, when I tried to delete the folder it said one of the files was in use. Am I missing something with "sc stop cmdservice"?

I did run that fixwareout and deleted the files. The HJT log is provided below. It looks like things are better but I got an internet wizard when I ran IE so I am concerned that I am reinfecting until I can delete that folder.

Wazoo
  • 0

#4
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Try to disable and delete the service this way:

Click Start>Run, type services.msc into the Open: text box and click the Ok button.
  • In the Services window look for the Command Service (cmdService) service and double-click on it.
  • Click on the Stop button
  • In the Startup type dropdown box select Disabled
  • Click Apply button and then the Ok button.
  • Please run HijackThis and click Config -> Misc Tools -> Delete an NT service.
  • In the Delete window, type cmdService and press OK.
  • OK any prompts, close HijackThis, and restart your computer.
Make sure all hidden files and folders are visible (Instructions )

Navigate to:
C:\WINNT\d2F6 <--Delete file if listed.

Then reboot your computer.

----------------------------------

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log in your next reply.
  • 0

#5
Wazoo

Wazoo

    Member

  • Member
  • PipPip
  • 23 posts
I am still having a problem stopping the command service. I was trying to fix the problem yesterday and while I was working on it the entire office lost our internet connection. I am guessing this was just a coincidence but we have never had a problem with our ISP connection before. Do you think the two things could be connected? I would still like to get rid of that folder but not if there is a chance it will screw up my internet connection. It took almost two days to get it back.

Thank you,

Wazoo
  • 0

#6
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Hi wazoo,

That has to be a coincidence!! I am sure you don't screw up your internet connection when you delete that folder!

After you did that please run Panda ActiveScan and post the results from Panda and the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

Regards,
  • 0

#7
Wazoo

Wazoo

    Member

  • Member
  • PipPip
  • 23 posts
Thank you for the response. I can access the command services but the actions functions are grayed out. Do you have any suggestion on how to stop the service?
  • 0

#8
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
To stop the service:

Scan again with HijackThis and check the following items:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Then reboot your computer.
  • Please run HijackThis and click Config -> Misc Tools -> Delete an NT service.
  • In the Delete window, type cmdService and press OK.
  • OK any prompts, close HijackThis, and restart your computer.
After you did that please run Panda ActiveScan and post the results from Panda and the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.
  • 0

#9
Wazoo

Wazoo

    Member

  • Member
  • PipPip
  • 23 posts
I was able to delete the folder and things appear to be okay. Thank you very much for your efforts. I have attached the latest HJT log. Please let me know if there is anything else that I need to do.

Wazoo

Logfile of HijackThis v1.99.1
Scan saved at 10:52:13 AM, on 11/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\waz\LOCALS~1\Temp\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.careerbuilder.com
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent...s/custappx3.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hobsonassoc....bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

#10
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with the contents of the logfile C:\fixwareout\report.txt and a new HijackThis log.
  • 0

#11
Wazoo

Wazoo

    Member

  • Member
  • PipPip
  • 23 posts
I have completed the fixes and here are the logs.


Incident Status Location

Adware:adware/coupons No disinfected C:\WINNT\cpbrkpie.ocx
Adware:adware/sidesearch No disinfected C:\Documents and Settings\waz\Application Data\Lycos
Adware:adware/commad No disinfected Windows Registry
Virus:Trj/Mitglieder.BO No disinfected Archive Folders\Deleted Items\2332134.rar[dddd.exe]
Virus:Trj/Mitglieder.BO No disinfected Archive Folders\Deleted Items\543.rar[dddd.exe]
Adware:Adware/CommAd No disinfected C:\RECYCLER\S-1-5-21-335706114-155547560-1845911597-1003\Dc10\asappsrv.dll
Adware:Adware/CommAd No disinfected C:\RECYCLER\S-1-5-21-335706114-155547560-1845911597-1003\Dc10\command.exe
Adware:Adware/Findspy No disinfected C:\WINNT\system32\bndmod.exe
Adware:Adware/Dloader No disinfected C:\WINNT\system32\dgprpsetup.exe
Adware:Adware/Adultpage No disinfected C:\WINNT\system32\favme.exe
Adware:Adware/QuickWeb No disinfected C:\WINNT\system32\hlmicro.exe

Logfile of HijackThis v1.99.1
Scan saved at 5:31:55 PM, on 11/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\waz\LOCALS~1\Temp\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.careerbuilder.com
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent...s/custappx3.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hobsonassoc....bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • 0

#12
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Please run Notepad and copy the following text into a new file:

attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler

Save the file as recyclerem.bat and make sure the "Save as type" field says "All files".
Double-Click on the file recyclerem.bat, a small DOS type window should open and close immediately.

Step #2

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Find and delete these files and folders (if they are still there):
C:\WINNT\cpbrkpie.ocx <= this file
C:\WINNT\system32\favme.exe <= this file
C:\WINNT\system32\bndmod.exe <= this file
C:\WINNT\system32\hlmicro.exe <= this file
C:\WINNT\system32\dgprpsetup.exe <= this file

C:\Documents and Settings\waz\Application Data\Lycos <= this folder



Reboot your computer normally.

Step #5

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the Panda ActiveScan log. Start HijackThis and perform a new scan.

Step #6

Make sure all hidden files and folders are visible (see step Step #3)

Please go to this site: http://virusscan.jotti.org/
On top you'll find "File to upload and scan".
Browse to the next file, submit it on that site and let it scan:

C:\Program Files\QuickTime\qttask.exe

Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.


Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
  • 0

#13
Wazoo

Wazoo

    Member

  • Member
  • PipPip
  • 23 posts
I completed the steps from you email. The Panda Activescan log is provided below. virusscan.jotti.org came back with all showing nothing detected.

Incident Status Location

Adware:adware/coupons No disinfected Windows Registry
Virus:Trj/Mitglieder.BO No disinfected Archive Folders\Deleted Items\2332134.rar[dddd.exe]
Virus:Trj/Mitglieder.BO No disinfected Archive Folders\Deleted Items\543.rar[dddd.exe]
Adware:Adware/Adultpage No disinfected C:\RECYCLER\S-1-5-21-331111937-1843285713-1505308654-500\Dc10.exe
Adware:Adware/Findspy No disinfected C:\RECYCLER\S-1-5-21-331111937-1843285713-1505308654-500\Dc8.exe
Adware:Adware/Dloader No disinfected C:\RECYCLER\S-1-5-21-331111937-1843285713-1505308654-500\Dc9.exe
Adware:Adware/CommAd No disinfected C:\RECYCLER\S-1-5-21-335706114-155547560-1845911597-1003\Dc10\asappsrv.dll
Adware:Adware/CommAd No disinfected C:\RECYCLER\S-1-5-21-335706114-155547560-1845911597-1003\Dc10\command.exe
Adware:Adware/QuickWeb No disinfected C:\WINNT\system32\hlmicro.exe
  • 0

#14
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

You need to clean these items from your archived items:
2332134.rar[dddd.exe]
543.rar[dddd.exe]


Please look here for help:
http://www.uwb.edu/l...tml#Archivedpst

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #3

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Find and delete these files and folders (if they are still there):
C:\WINNT\system32\hlmicro.exe <= this file

Double-Click on the file recyclerem.bat (you made before), a small DOS type window should open and close immediately.

Reboot your computer normally.

Step #5

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the Panda ActiveScan log. Start HijackThis and perform a new scan.


Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
  • 0

#15
Wazoo

Wazoo

    Member

  • Member
  • PipPip
  • 23 posts
I am able to access my archived files but would you have any suggestions other than the standard outlook to find those two files? I have also eliminated the other folder.

Wazoo
  • 0




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured