Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Hijack this log. Xenlsass.exe, CSC Notifications [RESOLVED]


  • This topic is locked This topic is locked

#1
raleighMS2000

raleighMS2000

    Member

  • Member
  • PipPip
  • 37 posts
Hi,

I went through all the steps listed on the website once before.
But not long after, the pop ups came back.
I noticed when I logged out of one profile.
I often got a message that said xenlsass.exe (and if I was trying to force quit them through Task Manager/Control-Alt-Delete) that's what would come up in the End Program boxes.
There would also be something that said CSC Notification Program - when I tried to log out of one profile into the other.

Greyknight17 suggested I go through the steps again. This is what I did on 11/9/05:

1. Windows Update - the latest
2. Cleanup!
It told me some files were currently in use index.dat files - to log out then log back in.
But even after I did that I could never clean those files up.
3. Trend Micro
Nothing found.
One spware found - Cookie 3182 a Data Miner. Action: removal successful.
4. Panda Active Scan - detected nothing.

I wondered am I all clean now? Nope. I got a bunch of pop-ups.

11/15/05
I tried following KRC's website to install ZoneAlarm Firewall.
ZoneAlarm antispyware detected (but the free version couldn't remove):
-Apropos Media -Broswer Plugin, among some other third party cookies, and SurfAccuracy -Adware
It wouldn't let me install the firewall - because it said Google Toolbar was running. Check yes after I had shut it down. I just close the IE browser. And clicked yes. It showed it initiallizing, verifying installed components. But then it said "Validation failed for C:\WINNT\system32\vsdata.dll"

Then I tried to start over...
1) Cleanup!
Still couldn't get clean index.dat.
2) Adaware - no objects recognized, ignored, critical
3) Spybot - no immediate threats found
4) CWShredder - coolwebsearch not found
5) Trend Housecall. 0 infected files
6) My Hijack This log

I'm afraid everything looks fine but it'll come back. After clean up there were fewer. I have only two popup ads on my screen at the moment, not the deluge I usually get, but I fear they'll come back in force.
Any suggestions on the things that did not work.
Thanks so much for your help!

Logfile of HijackThis v1.99.1
Scan saved at 7:39:14 AM, on 11/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128226731748
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128226719701
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37440.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

Advertisements


#2
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello and welcome to GeeksToGo! My name is Kat, and I will be helping you get your computer fixed back up and on the go! You should either print these instructions, or save them to a Notepad file on your desktop. Part of the fix may require you to be in Safe Mode, and you will be unable to access the internet at that time!

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please dont' do anything else yet until I have a look at the Startup List! :tazz:
  • 0

#3
raleighMS2000

raleighMS2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi, Kat!
Thanks for taking on my case!
Here's what you requested.

Ad-Aware SE Personal
Adobe Acrobat 5.0
Brother HL-2040
Cisco Systems VPN Client 4.0.3 (F)
CleanUp!
ContextPlus
DAO 3.5
ewido security suite
Google Desktop Search
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Macromedia Shockwave Player
Microsoft Office 2000 Premium
Mozilla Firefox (1.0.4)
MSN Money Investment Toolbox
Panda ActiveScan
QPS IP 2.1
Quick Links
Quicken Deluxe 2000
RealPlayer
SmartFTP Client
Spybot - Search & Destroy 1.4
Surf Accuracy
Update Rollup 1 for Windows 2000 SP4
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB904706
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Player 7.1
Windows Media Player Hotfix [See Q828026 for more information]
WinZip

Peggy
  • 0

#4
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
ahh yep. That's what I thought. Apropos. Let's kill it, shall we? :tazz:

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
  • 0

#5
raleighMS2000

raleighMS2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi, Kat!

Thanks for your help!

Here's what I got back...


Logfile of HijackThis v1.99.1
Scan saved at 10:57:23 PM, on 11/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\internat.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128226731748
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128226719701
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37440.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\plim\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CrPX7ABncT7D]
"Device"="\\\\.\\fsugcrwz"
"DriverPath"="C:\\WINNT\\system32\\drivers\\nwlbeep.sys"
"DriverName"="firxrnt"
"HideUninstallerName"="C:\\Program Files\\Ewiinzip\\clbpcsvc.exe"
"UninstallerPath"="C:\\WINNT\\system32\\nbtacert.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{3A992CC4-B29E-4BBD-A168-63BDDE6C9B44}"
"UninstallerParams"="/CTUN"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X4a9524c-32bd-30d5-8e7d-b692f12b1180}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Ewiinzip\\xenlsass.exe"
"AutoUpdater"="C:\\WINNT\\system32\\clesgsvc.exe"
"Version"="2.0.106"
--
[HKEY_LOCAL_MACHINE\Software\Aprps]

[HKEY_LOCAL_MACHINE\Software\Aprps\Client]
"PartnerId"="WB.VER2"


************

Removing hidden service:
Service firxrnt removed.

Removing hidden folder:
Deletion of folder Ewiinzip succeeded!

Deleting files:

Deletion of file C:\WINNT\system32\drivers\nwlbeep.sys succeeded!
Deletion of file C:\WINNT\system32\clesgsvc.exe succeeded!
Deletion of file C:\WINNT\system32\nbtacert.exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CrPX7ABncT7D]
[-HKEY_CURRENT_USER\Software\Aprps]
[-HKEY_LOCAL_MACHINE\Software\CrPX7ABncT7D]
[-HKEY_LOCAL_MACHINE\Software\Aprps]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A992CC4-B29E-4BBD-A168-63BDDE6C9B44}]

Done!

Finished!
  • 0

#6
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
:tazz: Excellent! How is everything running now? I want to do one last check before I give you the "all clear".

please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#7
raleighMS2000

raleighMS2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Kat!

Thanks so much! I'm keeping my fingers crossed.

Here are the results:
Is this the format you wanted from Active Scan?
Detected Disinfected
Virus 0 0
Spyware 0 0
Hacking Tools 0 0
Dialers 0 0
Security Risks 0 0
Suspicious files 0 0

---

Logfile of HijackThis v1.99.1
Scan saved at 8:51:45 AM, on 11/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1128226731748
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128226719701
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37440.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

---

I didn't run anything with VundoFix - but just went to find this vundofix.txt file in my C drive folder.
Hope this is what you want...

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 108 'smss.exe'
Threads [104][112][116][124][120][128]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 488 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 132 'winlogon.exe'
Killing PID 132 'winlogon.exe'
Error 0x5 : Access is denied.

File Deleted sucessfully.
Files Deleted sucessfully.

Thanks a gazillion for all your help and speedy advice!
Peggy
  • 0

#8
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
hi Peggy! Looks like I missed something. :tazz: Not a difficult one to remove, but it IS a password stealer. You need to change all of your important passwords. Email, banking/credit card sites, instant messengers, etc. Do this *after* we get this removed.

1. Open HijackThis and click scan. Place a check next to the following entry:
O4 - HKCU\..\Run: [internat.exe] internat.exe

Be sure all other windows, programs and browsers are closed, then click the "Fix Selected" button.

2. Reboot into Safe Mode by repeatedly tapping the F8 key as the machine begins to boot. It will take you to a black screen. Navigate to "Safe Mode" and click "Enter". Once in safe mode, do the following:

Delete the file:
C:\WINNT\system32\internat.exe

3. Reboot normally.

4. Open your Ewido program, and run the update to be sure you have the latest definitions. Then, reboot into Safe Mode again and run a full scan with Ewido. Be sure to save the logfile at the end, and post it for me here. While in Safe Mode with Ewido running, please do not run ANY other program or windows. Only have the Ewido running.

5. Reboot normally, and post a fresh HijackThis log here, as well as the report from Ewido.
  • 0

#9
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello :) I just edited my above post to include instructions to remove another baddie off your system. I apologize that I missed this last time around. :) :tazz:
  • 0

#10
raleighMS2000

raleighMS2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi, Kat!

Thanks so much for catching that!

I'll follow the steps you suggested.

Does important passwords include
-VPN or QPS login passwords?
-magazine/newspaper/factiva websites?
-amazon/expedia

Will the password stealer be able to do anything if I login to those in the future and they're not changed?

Does that mean for the important ones like email, money etc. they could have accessed my accounts?
:tazz:

Thanks~
Peggy
  • 0

Advertisements


#11
raleighMS2000

raleighMS2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hey Kat!

Okay - another question -

I did the first step you said about Fixing the selection in HJT.

Then I went into Safe Mode.
I found in C:\WINNT\system32 a file with a question mark icon called internat.

In properties it said it was a Keyboard Language Indicator Applet. 20.2 KB. Version 5.0.2920.0. Created 12/7/99.

I think I accidentally doubleclicked it. And then a blue EN button appeared in my right hand side bottom tool bar.

This is familiar to me as I have been using it when I want to switch to typing in another language (e.g. Chinese).

Is this applet the one causing me problems?

I tried deleting it but it wouldn't let me maybe because I had already double clicked it and activated it.
I was about to reboot into safe mode and then delete it, but I just wanted to double check that that's what I am supposed to delete. The file didn't have .exe anywhere where I could see, and I know if I delete it -- I may be trying to reinstall it later so I can use other languages. Will that be a vulnerable spot in the system?

Thanks!
Peggy
  • 0

#12
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hi Peggy. Do you have the computer set to show hidden files? Let's do that, and then check again.
  • Click Start
  • Double click on “My Computer”
  • Select Tools menu, and click on Folder Options..then click the View tab
  • Under Hidden Files and Folders heading, select “Show hidden files and folders”
  • uncheck the “hide protected operating systems files” options.
  • uncheck the “Hide file extensions for known file types” box
  • Click “yes” to confirm, then click “ok”

  • 0

#13
raleighMS2000

raleighMS2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi Kat!

I tried what you told me - in regular mode. And still only the internat with a question mark icon next to it shows up. :tazz:

Peggy
  • 0

#14
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello! Looks like in this instance the internat.exe is a legit file. Many times it can be a virus. But if you double clicked it and it put the blue E in your taskbar, then it's the legit program! :tazz:

Is everything else running ok on the computer?
  • 0

#15
raleighMS2000

raleighMS2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
:) :)
So far so good...

THANKS so much KAT!

You were fast, cheerful and totally helpful.

:tazz:

Peggy
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP