kilt01

CWS but still get funny F2 in HijackThis

16 posts in this topic

This F2 comes back after reboot. I have Ad-Aware and Spybot, all up to date. I have used CWS Shredder, HijackThis, and the aforementioned. Tried RubberDucky's Buster and it got rid of a bunch of stuff, but it has something called LEGACY that keeps coming back and says it can't clean all the temp files. What's that all about?

 

Logfile of HijackThis v1.98.0

Scan saved at 2:19:30 PM, on 07/13/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe

C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

C:\Program Files\Hummingbird\Connectivity\9.00\HostExplorer\PrintServices\PESRV.exe

C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe

C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

C:\Program Files\Trend Micro\Internet Security\PccPfw.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\System32\Grxp4exe.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\Trend Micro\Internet Security\pccguide.exe

C:\Program Files\Trend Micro\Internet Security\PCClient.exe

C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe

C:\Program Files\AOL 9.0b\aoltray.exe

C:\Program Files\Webshots\WebshotsTray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AOL 9.0b\waol.exe

C:\Program Files\AOL 9.0b\shellmon.exe

C:\Program Files\Common Files\Aol\aoltpspd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Admin\My Documents\spyware control\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"

O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"

O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{35EBA954-8AB4-4CF0-8EE0-AF1C5D119A8C}: NameServer = 205.188.146.146


Hi there,

 

Try this,

 

Restart your computer in Safe Mode.

Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":

 

 

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

 

 

Delete all the files etc. in c:\windows\temp, but do not delete the directory itself.

 

 

Reboot, then post a fresh logfile so that I can check to see if it is clean.


Did exactly as you asked. Same bloody F2 is back. Any more suggestions?

 

Logfile of HijackThis v1.98.0

Scan saved at 9:03:54 PM, on 07/14/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe

C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

C:\Program Files\Hummingbird\Connectivity\9.00\HostExplorer\PrintServices\PESRV.exe

C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe

C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

C:\Program Files\Trend Micro\Internet Security\PccPfw.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\System32\Grxp4exe.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\Trend Micro\Internet Security\pccguide.exe

C:\Program Files\Trend Micro\Internet Security\PCClient.exe

C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe

C:\Program Files\AOL 9.0b\aoltray.exe

C:\Program Files\Webshots\WebshotsTray.exe

C:\Program Files\AOL 9.0b\waol.exe

C:\Program Files\AOL 9.0b\shellmon.exe

C:\Program Files\Common Files\Aol\aoltpspd.exe

C:\Documents and Settings\Admin\My Documents\spyware control\HijackThis\HijackThis.exe

 

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"

O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"

O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{35EBA954-8AB4-4CF0-8EE0-AF1C5D119A8C}: NameServer = 205.188.146.146


Hi there,

 

There are still problems with the BKDR_CCT.A trojan. Follow these links: go to Trend for details regarding the solution, and run Trend Micro's free HouseCall scan. Scan your system with Trend Micro antivirus and delete all files detected as BKDR_CCT.A. Follow the instructions carefully.

 

 

Then repost a fresh logfile.


Posting their instructions so you can follow; see what happened with me below. I still have this nightmare.

This Trojan steals critical information by monitoring windows accessed by the user. It logs all keystrokes on windows containing certain strings.

It also disables access to antivirus Web sites in order to stop users from upgrading to the latest pattern files.

Upon execution, it drops copies of itself as:

· %System%\netda.exe

· %System%\netdc.exe

· %Startup%\netdb.exe

· %Windows%\prntsrv.dll

It runs on Windows 95, 98, ME, NT, 2000, and XP.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

1. Scan your system with your Trend Micro antivirus product.

2. NOTE all files detected as BKDR_CCT.A.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro’s free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager.

» On Windows 95, 98, and ME, press

CTRL+ALT+DELETE

» On Windows NT, 2000, and XP, press

CTRL+SHIFT+ESC, then click the Processes tab.

2. In the list of running programs*, locate the malware file(s) detected earlier.

3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.

4. Do the same for all detected malware files in the list of running processes.

5. To check if the malware process has been terminated, close Task Manager, and then open it again.

6. Close Task Manager.

 

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.

2. In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

3. In the right panel, locate and delete the entry:

load32 = "%System%\netda.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

4. In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Winlogon

5. In the right panel, locate the entry:

Shell = "Explorer.exe %System%\netdc.exe"

Modify this registry entry to: Shell = "Explorer.exe"

6. Close Registry Editor.

 

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Removing Autostart Entries from System Files

 

Malware sometimes modifies system files so that it automatically executes at Windows startup. These autostart entries must be removed before an affected system can be restarted safely.

1. Open the SYSTEM.INI file. Click Start>Run. In the Open input box, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad).

2. Under the [boot] section, locate the line that begins with:

Shell=Explorer.exe

3. From the same line, delete the malware path and file name:

%System%\netdc.exe

4. Close the SYSTEM.INI file and click Yes when prompted to save.

Restoring the Windows HOSTS File

Deleting entries in the HOSTS file prevents the redirection of antivirus Web sites to the local machine.

1. Open the following file using your default text editor:

%System%\Drivers\etc\Hosts

2. Locate and delete the following lines:

127.0.0.1 www.trendmicro.com

127.0.0.1 trendmicro.com

127.0.0.1 rads.mcafee.com

127.0.0.1 customer.symantec.com

127.0.0.1 liveupdate.symantec.com

127.0.0.1 us.mcafee.com

127.0.0.1 updates.symantec.com

127.0.0.1 update.symantec.com

127.0.0.1 www.nai.com

127.0.0.1 nai.com

127.0.0.1 secure.nai.com

127.0.0.1 dispatch.mcafee.com

127.0.0.1 download.mcafee.com

127.0.0.1 www.my-etrust.com

127.0.0.1 my-etrust.com

127.0.0.1 mast.mcafee.com

127.0.0.1 ca.com

127.0.0.1 www.ca.com

127.0.0.1 networkassociates.com

127.0.0.1 www.networkassociates.com

127.0.0.1 avp.com

127.0.0.1 www.kaspersky.com

127.0.0.1 www.avp.com

127.0.0.1 kaspersky.com

127.0.0.1 www.f-secure.com

127.0.0.1 f-secure.com

127.0.0.1 viruslist.com

127.0.0.1 www.viruslist.com

127.0.0.1 liveupdate.symantecliveupdate.com

127.0.0.1 mcafee.com

127.0.0.1 www.mcafee.com

127.0.0.1 sophos.com

127.0.0.1 www.sophos.com

127.0.0.1 symantec.com

127.0.0.1 securityresponse.symantec.com

127.0.0.1 www.symantec.com

3. Save the file and close the text editor.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as BKDR_CCT.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

 

HELP HELP HELP HELP HELP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

OH MAN!! okay here's whats happened. 1) Scan at trendmicro showed nil. But i believe thats because i used it when i first got this thing and deleted the files..

So I cant go into Windows task manager and stop them from running.. so on to next way to ditch this thing 4) Removing auto start from Registry.. in the first part under "run" there is nothing , under the secound part of instructions says under "winlogon" BINGO says modify netdc.exe . Well i modify re boot and it comes right back on. So i modify dont reboot , continue to next phase of removal instructions. 5)Removing auto start entries from System files . Well I follow thier instuctions and this is what i get under SYSTEM.INI. AS U CAN SEE no [boot} section . NIL UNDER RUN, CANT GET SYSTEM.INI BOOT. ANY OTHER SUGESTIONS?? BESIDES A GUN FOR ME AND A HAMMER FOR THE MACHINE..

for 16-bit app support

 

[drivers]

wave=mmdrv.dll

timer=timer.drv

 

[mci]

[driver32]

[386enh]

woafont=dosapp.FON

EGA80WOA.FON=EGA80WOA.FON

EGA40WOA.FON=EGA40WOA.FON

CGA80WOA.FON=CGA80WOA.FON

CGA40WOA.FON=CGA40WOA.FON

[Windows]

load=C:\WINDOWS\System32\services\wmplayer.exe


Hi there,

 

The line at the bottom I find very suspicious:

load=C:\WINDOWS\System32\services\wmplayer.exe

I suggest you go back into system.ini and delete that line.

 

Reboot, then post me another fresh logfile, there may be more to do.


Did you clear out the hosts file?


Hey, thanks for your time!!!! Wish I could buy ya a beer!! Here's what the HijackThis log says:

Logfile of HijackThis v1.98.0

Scan saved at 3:18:37 PM, on 07/16/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe

C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

C:\Program Files\Hummingbird\Connectivity\9.00\HostExplorer\PrintServices\PESRV.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\Grxp4exe.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\AOL 9.0b\aoltray.exe

C:\Program Files\Webshots\WebshotsTray.exe

C:\Documents and Settings\Admin\My Documents\spyware control\spykillers\HijackThis.exe

 

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

 

Also, I'm not sure how to clear the hosts files??? But I did go to file, system32, then to Drivers, etc, Hosts; this is what was there.


This is what was in system32, drivers, etc, hosts, which I opened with WordPad. Oh, I did clear that line off in System.ini.

## Copyright © 1993-2001 Microsoft Corp.

#

# This file has been automatically generated for use by Microsoft Internet

# Connection Sharing. It contains the mappings of IP addresses to host names

# for the home network. Please do not make changes to the HOSTS.ICS file.

# Any changes may result in a loss of connectivity between machines on the

# local network.

#

 

#192.168.0.1 THE-TIME-EATER.mshome.net # 2008 4 5 25 16 54 7 218

 

 

So I wasn't sure what to do next??? Or where to find those hosts files it mentions to clear in %System% (which is the same as system32, I believe)\Drivers\etc\Hosts because, well, you can see the lines it tells you to clean aren't in there??

 

THANKS


Hi there,

 

Ok lets do this now,

 

Make sure all browsers and windows are closed except for HijackThis, put a check against the following and click 'Fix checked':

 

 

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

 

Restart your computer in Safe Mode. Also make sure you show hidden files. Then delete the following files or folders as indicated below if they still show:

 

C:\WINDOWS\System32\netdc.exe<<<<File

 

Reboot, then post a fresh logfile so that I can check to see if it is clean.

 

I see that the hosts file is clean. Do you manage to update your AVG virus scanner without any problems?


Did exactly as you said. Deleted the netdc file. However, when I rebooted and came into normal mode it was all back. So I did it all again and then ran HijackThis in Safe Mode; here's what shows on that log.

Logfile of HijackThis v1.98.0

Scan saved at 11:16:07 AM, on 7/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Admin\My Documents\spyware control\spykillers\HijackThis.exe

 

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - Startup: netdb.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

 

Then I went into regular mode, did HijackThis and fixed that line again, went to Safe Mode, deleted the file, rebooted, and here's that log.

Logfile of HijackThis v1.98.0

Scan saved at 1:25:44 PM, on 07/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe

C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

C:\Program Files\Hummingbird\Connectivity\9.00\HostExplorer\PrintServices\PESRV.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\Grxp4exe.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\AOL 9.0b\aoltray.exe

C:\Program Files\Webshots\WebshotsTray.exe

C:\Program Files\AOL 9.0b\waol.exe

C:\Program Files\AOL 9.0b\shellmon.exe

C:\Program Files\Common Files\Aol\aoltpspd.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Admin\My Documents\spyware control\spykillers\HijackThis.exe

 

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{35EBA954-8AB4-4CF0-8EE0-AF1C5D119A8C}: NameServer = 205.188.146.146


Hi there,

 

Ok lets do this now,

 

You need to find and remove this hidden startup entry

 

Restart your computer in Safe Mode.

 

Then go Start>Run>All Programs>Startup

 

delete netdc.exe

 

Restart, then post a fresh log.

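As an added example (not part of the thread, and not Trend Micro's or HijackThis's code): the checks a responder would script for the three artefacts this thread turned on, the Winlogon/system.ini `Shell=` value that HijackThis reports as an F2 line, the antivirus-site HOSTS redirects listed in the Trend Micro write-up above, and the bare executable in the Startup folder (`O4 - Startup: netdb.exe`) that the last reply has the poster remove. It is plain Python over text copied out of the files, so it runs offline on any machine; the sample Shell value, HOSTS contents and Startup listing are constructed for the example, the domain list is a subset of the write-up's, and the "executable rather than shortcut" heuristic is the author's, not Trend Micro's.

```python
"""Offline checks for the BKDR_CCT.A-style artefacts discussed in the thread:
a Shell value that launches something besides explorer.exe, a HOSTS file that
points antivirus domains at loopback, and a raw executable in the Startup
folder.  All sample inputs below are constructed for this example."""

import re
from typing import Dict, List, Tuple

# Registrable domains from the Trend Micro write-up (subset of its HOSTS list).
AV_DOMAINS = {
    "trendmicro.com", "mcafee.com", "symantec.com", "nai.com",
    "kaspersky.com", "avp.com", "f-secure.com", "sophos.com",
    "ca.com", "my-etrust.com", "networkassociates.com", "viruslist.com",
    "symantecliveupdate.com",
}

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Extensions that should never sit directly in a Startup folder (assumption:
# legitimate installers drop .lnk shortcuts there, not binaries).
STARTUP_BINARY_EXTS = {"exe", "com", "bat", "pif", "scr"}


def shell_extras(shell_value: str) -> List[str]:
    """Return every token of a Winlogon/system.ini Shell value other than
    explorer.exe.  A clean box has exactly 'explorer.exe'; anything appended
    is started by winlogon at every logon, which is why deleting the dropped
    file on its own never made the F2 line go away in the thread."""
    tokens = re.findall(r'"[^"]+"|\S+', shell_value.strip())
    extras = []
    for tok in tokens:
        path = tok.strip('"')
        if path.lower().rsplit("\\", 1)[-1] != "explorer.exe":
            extras.append(path)
    return extras


def _registered_domain(host: str) -> str:
    """Collapse www.trendmicro.com / liveupdate.symantec.com to the last two
    labels, which is enough for every domain in the write-up's list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def hosts_redirects(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs that map an AV vendor domain to loopback.
    Comments and blank lines are ignored, as is '127.0.0.1 localhost'."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip not in LOOPBACK:
            continue
        for name in names:
            if _registered_domain(name) in AV_DOMAINS:
                hits.append((ip, name))
    return hits


def startup_suspects(entries: List[str]) -> List[str]:
    """Flag Startup-folder entries that are executables rather than .lnk
    shortcuts; %Startup%\\netdb.exe from the write-up is the case in point."""
    return [e for e in entries
            if e.lower().rsplit(".", 1)[-1] in STARTUP_BINARY_EXTS]


def audit(shell_value: str, hosts_text: str, startup: List[str]) -> Dict:
    """Run all three checks; 'infected' is True if any of them fires."""
    extras = shell_extras(shell_value)
    redirects = hosts_redirects(hosts_text)
    suspects = startup_suspects(startup)
    return {"shell_extras": extras, "hosts_redirects": redirects,
            "startup_suspects": suspects,
            "infected": bool(extras or redirects or suspects)}


# Constructed sample: the Shell value exactly as HijackThis reported it.
SAMPLE_SHELL = r"explorer.exe C:\WINDOWS\System32\netdc.exe"

# Constructed sample HOSTS file mixing legitimate and malicious lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.0.10    fileserver.corp.example   # constructed LAN entry
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 download.mcafee.com
"""

# Constructed sample Startup folder listing (cf. the safe-mode log above).
SAMPLE_STARTUP = ["Webshots.lnk", "netdb.exe", "desktop.ini"]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_SHELL, SAMPLE_HOSTS, SAMPLE_STARTUP).items():
        print(f"{key}: {value}")
```

On a live Windows XP machine the Shell value is read from the Winlogon key the write-up names (regedit or `reg query`), the HOSTS text from %SystemRoot%\System32\drivers\etc\hosts, and the Startup listing from the per-user and All Users Startup folders with hidden files shown; note that hosts.ics, the Internet Connection Sharing file quoted later in the thread, is a separate file from hosts and is not where these redirects live.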

Ha ha, the witch is dead, the witch is dead! I have had a problem with AVG. It wouldn't update, so I tried to uninstall and reinstall; it will not do either. Says error, can't find SHELL.DLL. Then it says "Cannot find the file C:\PROGRA~1\Grifsoft\AVG6\SETUP.EXE (or one of its components). Check to ensure the path and filename are correct and that all required libraries are available." Note: at the top of this notice it says "Can't run 16-bit Windows program". See, I thought I had gotten rid of the monster you just destroyed and tried to update my AVG6; this is when I discovered the problem YOU just dealt with. Any ideas on this???? Thanks, thanks. 12G

Logfile of HijackThis v1.98.0

Scan saved at 9:36:00 AM, on 07/19/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe

C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe

C:\Program Files\Hummingbird\Connectivity\9.00\HostExplorer\PrintServices\PESRV.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\Grxp4exe.exe

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\AOL 9.0b\aoltray.exe

C:\Program Files\Webshots\WebshotsTray.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\AOL 9.0b\waol.exe

C:\Program Files\AOL 9.0b\shellmon.exe

C:\Program Files\Common Files\Aol\aoltpspd.exe

C:\Documents and Settings\Admin\My Documents\spyware control\spykillers\temp software\temp software 2\hijackthis\HijackThis.exe

 

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{35EBA954-8AB4-4CF0-8EE0-AF1C5D119A8C}: NameServer = 205.188.146.146


Hi there,

 

First let us deal with AVG. If uninstall is not working, I want you to find and delete all instances of AVG. Next, follow the link in my signature and download it again.

 

Your logfile is now clean, although for some reason it is showing that you are running it from a temp directory. It would be a good idea to move it back to a permanent folder, just in case you need to run it again. To help avoid needing to, do this:

 

To provide future protection - download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies. Download from Here

 

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Download Here

Both are very small free programs that you run once, and then just weekly to check for updates.

 

And also see: So how did I get infected in the first place?


Hi. I downloaded AVG from the site off your signature. Deleted all the AVG from the Grisoft folder. It wouldn't let me get rid of avgse.dll (AVG Shell Extension Module) or avgserv. So I opened the new AVG, hit setup and up pops a file error, "cannot find SHELL.DLL", and it has a close button. Hit the close and the message says "cannot find the file C:\DOCUME~1Admin\LOCALS~1\Temp\WZS80.tmp\setup.exe (or one of its components). Check to ensure the path and filename are correct and that all required libraries are available." This has an okay button; ya hit okay and it all closes down?????

How can I make my logfile run from a permanent folder and not a temp one like you noticed?? Possibly that has to do with this?? Thanks


Hi there,

 

To replace the shell.dll do this,

 

First, show hidden files; also make sure you are showing protected system files. To do that, go Tools>Folder Options>View and uncheck "Hide protected system files".

 

Next,

 

Go to C:\WINDOWS\SYSTEM\

 

See if there is a 'Shell.dll' there. If so, COPY (right-click > Copy) and PASTE (right-click PASTE) it to C:\WINDOWS\SYSTEM32\

 

It should work by copying Shell.dll from C:\WINDOWS\SYSTEM\ to C:\WINDOWS\SYSTEM32 (COPY it, do not MOVE it).

 

Make sure there is a "copy" of Shell.dll in each path

 

Now try installing AVG again.

 

 

HijackThis should be run from a permanent folder like this: C:\HJT\HijackThis.exe. Move HijackThis to this folder, then delete this one: C:\Documents and Settings\Admin\My Documents\spyware control\spykillers\temp software\temp software 2\hijackthis\HijackThis.exe

 

Run a fresh logfile from there and post it here, for me to check it.


I have AVG6. Thank you, thank you, thank you!!!! It's late, so I will move HijackThis into a permanent folder tomorrow. Then post a log. :D:D:D
