CWS but still get funny F2 on HJ this


15 replies to this topic

#1 kilt01 (Member, Full Member, 13 posts)

Posted 13 July 2004 - 02:48 PM

This F2 comes back after re-boot. I have Ad-Aware and Spybot, all up to date. Have used CWShredder, HijackThis, and the aforementioned. Tried rubberducky's buster and it got rid of a bunch of stuff, but it has something called LEGACY that keeps coming back and says it can't clean all the temp files. What's that all about?

Logfile of HijackThis v1.98.0
Scan saved at 2:19:30 PM, on 07/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\Program Files\Hummingbird\Connectivity\9.00\HostExplorer\PrintServices\PESRV.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\AOL 9.0b\aoltray.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\My Documents\spyware control\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35EBA954-8AB4-4CF0-8EE0-AF1C5D119A8C}: NameServer = 205.188.146.146

#2 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 13 July 2004 - 10:37 PM

Hi there,

Try this,

Restart your computer in Safe Mode.

Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":


F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe


Delete all the files etc in c:\windows\temp - But do not delete the directory itself.


Reboot, then post a fresh logfile so that I can check to see if it is clean.

#3 kilt01 (Member, Full Member, 13 posts)

Posted 14 July 2004 - 07:06 PM

Did exactly as you asked. Same bloody F2 is back. Any more suggestions?

Logfile of HijackThis v1.98.0
Scan saved at 9:03:54 PM, on 07/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\Program Files\Hummingbird\Connectivity\9.00\HostExplorer\PrintServices\PESRV.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\AOL 9.0b\aoltray.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Documents and Settings\Admin\My Documents\spyware control\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35EBA954-8AB4-4CF0-8EE0-AF1C5D119A8C}: NameServer = 205.188.146.146

#4 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 15 July 2004 - 06:55 AM

Hi there,

There are still problems with the BKDR_CCT.A trojan. Follow these links: go to Trend for details regarding the solution, run Trend Micro's free Housecall scan, scan your system with Trend Micro antivirus and delete all files detected as BKDR_CCT.A. Follow the instructions carefully.


Then repost a fresh logfile.

#5 kilt01 (Member, Full Member, 13 posts)

Posted 16 July 2004 - 08:06 AM

POSTING THEIR INSTRUCTIONS SO YOU CAN FOLLOW: SEE WHAT HAPPENED WITH ME BELOW THEN. I STILL HAVE THIS NIGHTMARE.
This Trojan steals critical information by monitoring windows accessed by the user. It logs all keystrokes on windows containing certain strings.
It also disables access to antivirus Web sites in order to stop users from upgrading to the latest pattern files.
Upon execution, it drops copies of itself as:
· %System%\netda.exe
· %System%\netdc.exe
· %Startup%\netdb.exe
· %Windows%\prntsrv.dll
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Solution:
Identifying the Malware Program
To remove this malware, first identify the malware program.
1. Scan your system with your Trend Micro antivirus product.
2. NOTE all files detected as BKDR_CCT.A.
Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro’s free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.
1. Open Windows Task Manager.
» On Windows 95, 98, and ME, press CTRL+ALT+DELETE
» On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file(s) detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
load32 = “%System%\netda.exe”
Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Winlogon
5. In the right panel, locate the entry:
Shell = “Explorer.exe %System%\netdc.exe”
Modify this registry to: Shell = “Explorer.exe”
6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.
Removing Autostart Entries from System Files

Malware sometimes modifies system files so that it automatically executes at Windows startup. These autostart entries must be removed before an affected system can be restarted safely.
1. Open the SYSTEM.INI file. Click Start>Run. In the Open input box, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad).
2. Under the [boot] section, locate the line that begins with:
Shell=Explorer.exe
3. From the same line, delete the malware path and file name:
%System%\netdc.exe
4. Close the SYSTEM.INI file and click Yes when prompted to save.
Restoring the Windows HOSTS File
Deleting entries in the HOSTS files prevents the redirection of antivirus Web sites to the local machine.
1. Open the following file using your default text editor:
%System%\Drivers\etc\Hosts
2. Locate and delete the following lines:
o 127.0.0.1 www.trendmicro.com
o 127.0.0.1 trendmicro.com
o 127.0.0.1 rads.mcafee.com
o 127.0.0.1 customer.symantec.com
o 127.0.0.1 liveupdate.symantec.com
o 127.0.0.1 us.mcafee.com
o 127.0.0.1 updates.symantec.com
o 127.0.0.1 update.symantec.com
o 127.0.0.1 www.nai.com
o 127.0.0.1 nai.com
o 127.0.0.1 secure.nai.com
o 127.0.0.1 dispatch.mcafee.com
o 127.0.0.1 download.mcafee.com
o 127.0.0.1 www.my-etrust.com
o 127.0.0.1 my-etrust.com
o 127.0.0.1 mast.mcafee.com
o 127.0.0.1 ca.com
o 127.0.0.1 www.ca.com
o 127.0.0.1 networkassociates.com
o 127.0.0.1 www.networkassociates.com
o 127.0.0.1 avp.com
o 127.0.0.1 www.kaspersky.com
o 127.0.0.1 www.avp.com
o 127.0.0.1 kaspersky.com
o 127.0.0.1 www.f-secure.com
o 127.0.0.1 f-secure.com
o 127.0.0.1 viruslist.com
o 127.0.0.1 www.viruslist.com
o 127.0.0.1 liveupdate.symantecliveupdate.com
o 127.0.0.1 mcafee.com
o 127.0.0.1 www.mcafee.com
o 127.0.0.1 sophos.com
o 127.0.0.1 www.sophos.com
o 127.0.0.1 symantec.com
o 127.0.0.1 securityresponse.symantec.com
o 127.0.0.1 www.symantec.com
3. Save the file and close the text editor.
Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as BKDR_CCT.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

HELP HELP HELP HELP HELP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OH MAN!! Okay, here's what's happened. 1) Scan at Trend Micro showed nil. But I believe that's because I used it when I first got this thing and deleted the files.
So I can't go into Windows Task Manager and stop them from running, so on to the next way to ditch this thing. 4) Removing autostart from the Registry: in the first part, under "Run", there is nothing; under the second part of the instructions, under "Winlogon", BINGO, it says modify netdc.exe. Well, I modify, reboot, and it comes right back on. So I modify, don't reboot, and continue to the next phase of the removal instructions. 5) Removing autostart entries from system files. Well, I follow their instructions and this is what I get under SYSTEM.INI. AS YOU CAN SEE, no [boot] section. NIL UNDER RUN, CAN'T GET SYSTEM.INI BOOT. ANY OTHER SUGGESTIONS?? BESIDES A GUN FOR ME AND A HAMMER FOR THE MACHINE..
for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[Windows]
load=C:\WINDOWS\System32\services\wmplayer.exe
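A defender-side triage script for the persistence points Trend's write-up above describes: the system.ini Shell= line (HijackThis reports it as F2), the Startup-folder copies (O4 lines), the [windows] load=/run= keys that come up later in this thread, and the HOSTS redirection of AV vendor sites. This is an added example, not part of the thread or of Trend's or HijackThis's own tooling; the sample log, system.ini and HOSTS contents are constructed from lines quoted in the thread.

```python
import re

# File names the Trend write-up above lists as dropped by BKDR_CCT.A. They
# label Startup-folder hits; the Shell=/load= checks flag anything extra.
KNOWN_DROPPED = {"netda.exe", "netdb.exe", "netdc.exe", "prntsrv.dll"}

# Vendor domains taken from the HOSTS list in the write-up above.
AV_DOMAINS = (
    "trendmicro.com", "mcafee.com", "symantec.com", "nai.com", "kaspersky.com",
    "avp.com", "f-secure.com", "viruslist.com", "sophos.com", "ca.com",
    "my-etrust.com", "networkassociates.com", "symantecliveupdate.com",
)
_TOKEN = re.compile(r'"[^"]*"|\S+')   # a quoted path or a bare word


def extra_shell_programs(shell_value):
    """Return every program in a Shell= value other than explorer.exe.
    Windows needs only `Shell=explorer.exe`; anything appended (netdc.exe in
    this thread) is started alongside the shell at every logon."""
    extras = []
    for tok in _TOKEN.findall(shell_value):
        tok = tok.strip('"')
        if tok.lower().rsplit("\\", 1)[-1] != "explorer.exe":
            extras.append(tok)
    return extras


def triage_hijackthis(log_text):
    """Scan HijackThis F2 (system.ini Shell) and O4 Startup lines.
    Returns (category, detail) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"F2 - REG:system\.ini: Shell=(.*)$", line.strip(), re.I)
        if m:
            findings += [("shell_hijack", p) for p in extra_shell_programs(m.group(1))]
            continue
        m = re.match(r"O4 - (?:Global )?Startup: (.*)$", line.strip(), re.I)
        if m:  # "name.lnk = path" for shortcuts, or a bare file name
            target = m.group(1).split(" = ")[-1].strip()
            if target.rsplit("\\", 1)[-1].lower() in KNOWN_DROPPED:
                findings.append(("startup_known_dropper", target))
    return findings


def triage_system_ini(ini_text):
    """Flag the two system.ini autostart points seen in this thread:
    [boot] Shell= with extra programs, and [windows] load=/run= values."""
    findings, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if section == "boot" and key.lower() == "shell":
            findings += [("shell_hijack", p) for p in extra_shell_programs(value)]
        elif section == "windows" and key.lower() in ("load", "run") and value:
            findings.append(("ini_" + key.lower(), value))
    return findings


def hijacked_av_hosts(hosts_text):
    """Return AV-vendor host names that a HOSTS file maps to 127.0.0.1, the
    trick the write-up describes for blocking definition updates."""
    def is_av(name):
        name = name.lower()
        return any(name == d or name.endswith("." + d) for d in AV_DOMAINS)
    hijacked = []
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if len(parts) >= 2 and parts[0] == "127.0.0.1":
            hijacked += [n for n in parts[1:] if is_av(n)]
    return hijacked


# Constructed sample input, assembled from lines quoted in this thread.
SAMPLE_HJT_LOG = """\
F2 - REG:system.ini: Shell=explorer.exe C:\\WINDOWS\\System32\\netdc.exe
O4 - HKLM\\..\\Run: [AVG_CC] C:\\Program Files\\Grisoft\\AVG6\\avgcc32.exe /startup
O4 - Startup: netdb.exe
O4 - Startup: Webshots.lnk = C:\\Program Files\\Webshots\\WebshotsTray.exe
"""
SAMPLE_SYSTEM_INI = """\
[boot]
Shell=Explorer.exe C:\\WINDOWS\\System32\\netdc.exe
[drivers]
wave=mmdrv.dll
[Windows]
load=C:\\WINDOWS\\System32\\services\\wmplayer.exe
"""
SAMPLE_HOSTS = """\
# constructed HOSTS sample
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com
192.168.0.1 gateway.mshome.net   # ordinary ICS entry, not flagged
"""

if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT_LOG) + triage_system_ini(SAMPLE_SYSTEM_INI):
        print("%-22s %s" % f)
    print("hosts hijacked:", hijacked_av_hosts(SAMPLE_HOSTS))
```

Point the three functions at a real HijackThis log, system.ini and HOSTS file to get the same categorised list; an empty result from all three is what a clean post-cleanup log should produce.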

#6 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 16 July 2004 - 09:03 AM

Hi there,

The line at the bottom I find very suspicious,

for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[Windows]
load=C:\WINDOWS\System32\services\wmplayer.exe



I suggest you go back into system.ini and delete that line I have in bold.

Reboot, then post me another fresh logfile, there may be more to do.

#7 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 16 July 2004 - 09:04 AM

Did you clear out the hosts file?

#8 kilt01 (Member, Full Member, 13 posts)

Posted 16 July 2004 - 01:45 PM

Hey, thanks for your time!!!! Wish I could buy ya a beer!! Here's what the HJT log says:
Logfile of HijackThis v1.98.0
Scan saved at 3:18:37 PM, on 07/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\Program Files\Hummingbird\Connectivity\9.00\HostExplorer\PrintServices\PESRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\AOL 9.0b\aoltray.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Documents and Settings\Admin\My Documents\spyware control\spykillers\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab

Also, I'm not sure how to clear the hosts files??? But I did go to File, system32, then to Drivers, etc, Hosts; this is what was there.

This is what was in system32, drivers, etc, hosts, which I opened with WordPad. Oh, I did clear that line off in system.ini.
## Copyright © 1993-2001 Microsoft Corp.
#
# This file has been automatically generated for use by Microsoft Internet
# Connection Sharing. It contains the mappings of IP addresses to host names
# for the home network. Please do not make changes to the HOSTS.ICS file.
# Any changes may result in a loss of connectivity between machines on the
# local network.
#

#192.168.0.1 THE-TIME-EATER.mshome.net # 2008 4 5 25 16 54 7 218


So I wasn't sure what to do next??? Or where to find those hosts files it mentions to clear in %System% (which is the same as system32, I believe)\Drivers\etc\Hosts, because, well, you can see the lines it tells you to clean aren't in there??

THANKS

#9 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 16 July 2004 - 02:04 PM

Hi there,

Ok lets do this now,

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';


F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

Restart your computer in Safe Mode. Also make sure you show hidden files. Then delete the following files or folders as indicated below if they still show:

C:\WINDOWS\System32\netdc.exe<<<<File

Reboot, then post a fresh logfile so that I can check to see if it is clean.

I see that the hosts file is clean, do you manage to update your AVG Viruscan without any problems?

#10 kilt01 (Member, Full Member, 13 posts)

Posted 18 July 2004 - 11:27 AM

Did exactly as you said. Deleted the netdc file. However, when I rebooted and came into normal mode it was all back. So I did it all again and then ran HJT in safe mode; here's what shows on that log.
Logfile of HijackThis v1.98.0
Scan saved at 11:16:07 AM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Admin\My Documents\spyware control\spykillers\HijackThis.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Startup: netdb.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab

Then I went into regular mode, did HJT and fixed that line again, went to safe mode, deleted the file, rebooted, and here's that log:
Logfile of HijackThis v1.98.0
Scan saved at 1:25:44 PM, on 07/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\Program Files\Hummingbird\Connectivity\9.00\HostExplorer\PrintServices\PESRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL 9.0b\aoltray.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Admin\My Documents\spyware control\spykillers\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35EBA954-8AB4-4CF0-8EE0-AF1C5D119A8C}: NameServer = 205.188.146.146

#11 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 18 July 2004 - 03:22 PM

Hi there,

Ok lets do this now,

You need to find and remove this hidden startup entry

Restart your computer in Safe Mode.

Then go Start>Run>All Programs>Startup

delete netdc.exe

Restart, then post a fresh log.

#12 kilt01 (Member, Full Member, 13 posts)

Posted 19 July 2004 - 07:46 AM

HA HA, THE WITCH IS DEAD, THE WITCH IS DEAD! I HAVE HAD A PROBLEM WITH AVG. IT WOULDN'T UPDATE. SO I TRIED TO UNINSTALL AND REINSTALL; IT WILL NOT DO EITHER. SAYS ERROR CAN'T FIND SHLL.DLL. THEN IT SAYS Cannot find the file C:\PROGRA~1\Grifsoft\AVG6\SETUP.EXE (or one of its components). Check to ensure the path and filename are correct and that all required libraries are available. NOTE: at the top of this notice it says Can't run 16-bit Windows program. See, I thought I had gotten rid of the monster you just destroyed and tried to update my AVG6; this is when I discovered the problem YOU just dealt with. Any ideas on this???? THANKS THANKS 12G
Logfile of HijackThis v1.98.0
Scan saved at 9:36:00 AM, on 07/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
C:\Program Files\Hummingbird\Connectivity\9.00\HostExplorer\PrintServices\PESRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AOL 9.0b\aoltray.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Documents and Settings\Admin\My Documents\spyware control\spykillers\temp software\temp software 2\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35EBA954-8AB4-4CF0-8EE0-AF1C5D119A8C}: NameServer = 205.188.146.146

#13 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 19 July 2004 - 11:23 AM

Hi there,

First let us deal with AVG, if uninstall is not working, I want you to find and delete all instances of AVG. Next follow the link on my signature and download it again.

Your logfile is now clean, although for some reason it is showing that you are running it from a temp directory. It would be a good idea to move it back to a permanent folder, just in case you need to run it again. To help not to, do this,

To provide future protection - download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. Download from Here

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Download Here
Both are very small free programs that you run once, and then just weekly to check for updates.

And also see: So how did I get infected in the first place?

#14 kilt01 (Member, Full Member, 13 posts)

Posted 19 July 2004 - 04:40 PM

Hi. I downloaded AVG from the site off your signature. Deleted all the AVG from the Grisoft folder. It wouldn't let me get rid of avgse.dll (AVG Shell Extension Module) or avgserv. So I opened the new AVG, hit setup, and up pops a file error: cannot find SHELL.DLL, and it has a close button. Hit the close and the message says cannot find the file C:\DOCUME~1Admin\LOCALS~1\Temp\WZS80.tmp\setup.exe (or one of its components). Check to ensure the path and filename are correct and that all required libraries are available. This has an okay button; ya hit okay and it all closes down?????
How can I make my logfile run from a perm folder and not a temp like you noticed?? Possibly that has to do with this?? Thanks

#15 12g (Forum Deity, Trusted Advisor, 1,167 posts)

Posted 19 July 2004 - 05:33 PM

cannot find SHELL.DLL and has a close button. hit the close and message says cannot find the file C:\DOCUME~1Admin\LOCALS~1\Temp\WZS80.tmp\setup.exe (or one of its components). Check to ensure the path and filename are correct and that all required libraries are available. This has an okay button ya hit okay and it all closes down?????
How can i make my logfile run from a perm folder and not a temp like you noticed?? Possible tht has to do with this??Thanks

Hi there,

To replace the shell.dll do this,

First, show hidden files also make sure you are showing protected system files, to do that go tools>folder options>view>uncheck hide protected system files.

Next,

Go to C:\WINDOWS\SYSTEM\

See if there is a 'Shell.dll' there. If so, COPY (right-click > Copy) and PASTE (right-click PASTE) it to C:\WINDOWS\SYSTEM32\

It should work by copying Shell.dll from C:\WINDOWS\SYSTEM\ to C:\WINDOWS\SYSTEM32 (COPY it, do not MOVE it).

Make sure there is a "copy" of Shell.dll in each path

Now try installing AVG again.


HijackThis should be run from a permanent folder like this: C:\HJT\HijackThis.exe. Move HijackThis to this folder, then delete this one: C:\Documents and Settings\Admin\My Documents\spyware control\spykillers\temp software\temp software 2\hijackthis\HijackThis.exe

Run a fresh logfile from there and post it here, for me to check it.

#16 kilt01 (Member, Full Member, 13 posts)

Posted 19 July 2004 - 11:34 PM

I HAVE AVG6. THANK YOU, THANK YOU, THANK YOU!!!! It's late, so I will do the HJT move into a perm folder tomorrow. Then post a log :D :D :D
