


Please help with Backdoor.trojan


  • This topic is locked
56 replies to this topic

#1 ejosh87 (Full Member, 22 posts)

Posted 18 July 2004 - 08:55 PM

This problem just began today and I have been working on it all day but have no idea what to do.

Symantec Corp. Antivirus reports the following when starting almost any program:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Backdoor.Trojan
File: C:\WINDOWS\SYSTEM32\RESHA.DLL
Location: C:\WINDOWS\SYSTEM32
Computer: JOSH
User: Josh E
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Sunday, July 18, 2004 9:48:55 PM

This .dll does not appear in Windows\system32, even in Safe Mode (although I was able to see it a couple of times at one point when not in Safe Mode, no idea why, but now it's gone again), and yes, I have set the file options to show all hidden files including system files. When I'm not in Safe Mode, the file is recognized in the command prompt, because when I try to do "del resha.dll" it says access denied. I scanned with Norton Anti-Virus Corporate Edition and found nothing (it is only detected with a popup from Norton saying Virus Found!, usually happening when I open any program). I have tried scanning with Ad-Aware, Spybot, Spyware Doctor, and CWShredder but they all found nothing. I see in my HijackThis log that it is there as an AppInit registry key and have tried to click Fix in HijackThis, but as soon as it is deleted it comes right back. Any help would be greatly appreciated.

Here's the HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 9:55:10 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\hijackthis\hijackthis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: {31E8A994-4C3D-4681-AC6C-EAB39C603F24} (UAClientControl Control) - http://www.ultimatea...ientControl.ocx
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatea...ientControl.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resha.dll



Thanks in advance,
J

#2 ejosh87 (Full Member, 22 posts)

Posted 18 July 2004 - 09:01 PM

One other thing: I'm pretty sure that C:\WINDOWS\System32\devldr32.exe is part of the virus also, because when I deleted it and restarted it came back again, so I'm not sure how to remove that (if that is even the problem). Just a guess.

Thanks

#3 pomp (Forum Deity, Helper, 1,163 posts)

Posted 18 July 2004 - 09:02 PM

hey

Could you try this: download about:buster http://www.downloads...AboutBuster.zip and unzip it to your desktop. Reboot your computer into Safe Mode by tapping F8 while it's booting. Run about:buster in Safe Mode twice, saving the log of each scan. Then boot back into normal mode and post both logs and a HijackThis log.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#4 Nip (Full Member, 10 posts)

Posted 18 July 2004 - 09:02 PM

I'm having the same problem on my son's PC, and oddly enough his is named JOSH also.

http://forums.spywar...showtopic=16301

I'll be watching his thread to see what resolve you may find.

#5 Y2Ken119 (Full Member, 18 posts)

Posted 18 July 2004 - 09:06 PM

I'm having the same problem but with a file named "logdin.dll". I made 2 posts with the HijackThis log but no one replied. Hopefully we can all find a solution for this annoying problem.

#6 pomp (Forum Deity, Helper, 1,163 posts)

Posted 18 July 2004 - 09:10 PM

Yes, hopefully ejosh87 got my reply and is doing what I instructed.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#7 ejosh87 (Full Member, 22 posts)

Posted 18 July 2004 - 09:13 PM

I just ran it in Safe Mode 2x. Norton is still detecting the virus though.

-- Scan 1 --------
About:Buster Version 1.30
Removed! : C:\WINDOWS\_win32_system_data.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!


-- Scan 2 --------
About:Buster Version 1.30
Attempted Clean Of Temp folder.
Pages Reset... Done!

#8 ejosh87 (Full Member, 22 posts)

Posted 18 July 2004 - 09:14 PM

Sorry, forgot the HijackThis log; here it is:

Logfile of HijackThis v1.98.0
Scan saved at 10:13:50 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: {31E8A994-4C3D-4681-AC6C-EAB39C603F24} (UAClientControl Control) - http://www.ultimatea...ientControl.ocx
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatea...ientControl.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resha.dll

#9 Y2Ken119 (Full Member, 18 posts)

Posted 18 July 2004 - 09:27 PM

The problem would be the last part, "O20 - AppInit_DLLs: C:\WINDOWS\System32\resha.dll". I have the same damn thing, only it says "O20 - AppInit_DLLs: C:\WINDOWS\System32\logdon.dll". I tried to fix it using HijackThis but it didn't work!

#10 ejosh87 (Full Member, 22 posts)

Posted 18 July 2004 - 09:28 PM

Yeah, I tried the same thing; I hit Fix but it just came back.

#11 pomp (Forum Deity, Helper, 1,163 posts)

Posted 18 July 2004 - 09:28 PM

Yes, I know that is the problem, Y2Ken119, hold on.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#12 pomp (Forum Deity, Helper, 1,163 posts)

Posted 18 July 2004 - 09:34 PM

ejosh87,

Please download TheKillbox from here: http://www.downloads...org/KillBox.zip

Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\System32\resha.dll


Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

When you're back in Windows, post a new log.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#13 ejosh87 (Full Member, 22 posts)

Posted 18 July 2004 - 09:40 PM

Did everything, still detected :(.

Logfile of HijackThis v1.98.0
Scan saved at 10:39:35 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\hijackthis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: {31E8A994-4C3D-4681-AC6C-EAB39C603F24} (UAClientControl Control) - http://www.ultimatea...ientControl.ocx
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatea...ientControl.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resha.dll

#14 Y2Ken119 (Full Member, 18 posts)

Posted 18 July 2004 - 09:45 PM

I tried it as well but just like Josh it was still detected. Thanks anyway pomp86. Much appreciated that you're attempting to help us.

#15 pomp (Forum Deity, Helper, 1,163 posts)

Posted 18 July 2004 - 10:13 PM

Go to http://www.trendmicr.../enterprise.htm and run an online virus scan; see if it detects anything and delete anything it finds.

Edited by pomp86, 18 July 2004 - 10:14 PM.





PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#16 ejosh87 (Full Member, 22 posts)

Posted 18 July 2004 - 10:14 PM

doing it right now

#17 Y2Ken119 (Full Member, 18 posts)

Posted 18 July 2004 - 10:54 PM

I did it but it said I didn't have any infection on my PC.

#18 ejosh87 (Full Member, 22 posts)

Posted 18 July 2004 - 11:04 PM

Same thing here :(. Does anyone know what's wrong?

thanks in advance

#19 pomp (Forum Deity, Helper, 1,163 posts)

Posted 18 July 2004 - 11:09 PM

Hey guys, okay, let's see if this will work; there's all different stuff to try, that's why I'm going through them. Download this http://tools.zerosrealm.com/pv.zip and unzip it to the desktop. Open up the folder, double-click runme.bat and choose option 7. After that is done, run it one more time, choose option 6 and post the new AppInit log here.

Post a new Hijackthis log also when done.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#20 ejosh87 (Full Member, 22 posts)

Posted 18 July 2004 - 11:21 PM

I don't think option 7 worked, because when I did it the "virus detected" message came up again and the program didn't say anything. I did option 6 afterwards and it said:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"="C:\\WINDOWS\\System32\\resha.dll"


HijackThis log is:

Logfile of HijackThis v1.98.0
Scan saved at 12:21:26 AM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: {31E8A994-4C3D-4681-AC6C-EAB39C603F24} (UAClientControl Control) - http://www.ultimatea...ientControl.ocx
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatea...ientControl.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resha.dll

#21 pomp (Forum Deity, Helper, 1,163 posts)

Posted 18 July 2004 - 11:28 PM

K, well, that file is in the AppInit key, so try and run option 7 to clean that key up; if it doesn't work, try to boot into Safe Mode and do it. Hope to hear back.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#22 Y2Ken119 (Full Member, 18 posts)

Posted 18 July 2004 - 11:28 PM

Didn't seem to do anything. Option 6 brought this up:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\logdin.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

HijackThis:

Logfile of HijackThis v1.98.0
Scan saved at 12:28:17 AM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Spyware Removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:6502
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.wwe.com/"); (C:\Documents and Settings\Kenny Majid\Application Data\Mozilla\Profiles\default\ihpugpvd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kenny Majid\Application Data\Mozilla\Profiles\default\ihpugpvd.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\logdin.dll

Edited by Y2Ken119, 18 July 2004 - 11:29 PM.
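The two artefacts these posts keep coming back to are the O20 line in the HijackThis logs (posts #1, #8, #13, #20 and #22) and the registry export that pv.zip's option 6 produced (posts #20 and #22). What follows is an added example, not code from the thread, its posters or any of the tools they used: a small Python triage script that parses both formats, unescapes the .reg string values, and flags the entries a responder would review first. The sample inputs are constructed from lines copied out of the posts above; the severity labels and the function names (`triage_hjt_log`, `parse_reg_export`, `appinit_dlls_from_export`) are assumptions of this example.

```python
import re

# Constructed sample inputs: the lines are copied from the logs posted in
# this thread (HijackThis v1.98.0 output and the "option 6" registry export).
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 9:55:10 PM, on 7/18/2004
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:6502
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\resha.dll
"""

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"swapdisk"=""
"AppInit_DLLs"="C:\\WINDOWS\\System32\\resha.dll"
"""

HJT_LINE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
O4_LINE = re.compile(r"^HK[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R1_LINE = re.compile(r"^(?P<key>.+?),(?P<value>\w+) = (?P<data>.*)$")
DRIVE_PATH = re.compile(r'^"?[A-Za-z]:\\')
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _proxy_hosts(data):
    """Hosts in an IE ProxyServer value ('host:port' or 'http=host:port;...')."""
    parts = [p.split("=", 1)[-1].strip() for p in data.split(";")]
    return [p.rsplit(":", 1)[0].lower() for p in parts if p]


def triage_hjt_log(text):
    """Return (severity, section, detail) findings for the sections that matter
    in this thread: O20 AppInit_DLLs, R1 proxy settings and O4 Run keys."""
    findings = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header or running-process line
        section, body = m.groups()
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that loads user32.dll,
            # which is why the DLL was "found" whenever any program started.
            for dll in re.split(r"[ ,]+", body[len("AppInit_DLLs:"):].strip()):
                if dll:
                    findings.append(("high", section, "AppInit_DLLs loads " + dll))
        elif section == "R1":
            r = R1_LINE.match(body)
            if (r and r.group("value") == "ProxyServer"
                    and any(h in LOCAL_HOSTS for h in _proxy_hosts(r.group("data")))):
                findings.append(("medium", section,
                                 "IE proxy points at a local listener: " + r.group("data")))
        elif section == "O4":
            o = O4_LINE.match(body)
            # A bare file name is resolved through the PATH search order, so the
            # log alone does not say which binary actually runs.
            if o and not DRIVE_PATH.match(o.group("cmd")):
                findings.append(("low", section,
                                 f"Run entry [{o.group('name')}] has no full path: {o.group('cmd')}"))
    return findings


REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse a Regedit 5.00 export into {key: {value_name: data}}; quoted strings
    are unescaped, dword values become ints, other types stay as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        k = REG_KEY.match(line)
        if k:
            current = keys.setdefault(k.group("key"), {})
            continue
        v = REG_VALUE.match(line)
        if not v or current is None:
            continue
        data = v.group("data")
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r'\\(["\\])', r"\1", data[1:-1])  # undo \\ and \" escapes
        elif data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        current[v.group("name")] = data
    return keys


def appinit_dlls_from_export(text):
    """DLL paths named by every AppInit_DLLs value in the export."""
    dlls = []
    for values in parse_reg_export(text).values():
        entry = values.get("AppInit_DLLs")
        if isinstance(entry, str):
            dlls.extend(d for d in re.split(r"[ ,]+", entry) if d)
    return dlls
```

Import the module and call `triage_hjt_log` on a complete log, or `appinit_dlls_from_export` on a pv.zip or regedit export; on the constructed samples the O20 line is reported as high, the `ProxyServer = localhost:6502` line from Y2Ken119's log as medium, and the `[POINTER] point32.exe` Run entry as low. The findings are prompts for review, not verdicts: the proxy check only says that a local listener is configured, and, as posts #24 and #25 show, a DLL named in the registry can be absent from a Safe Mode directory listing, so the registry value itself is what to verify.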


#23 pomp (Forum Deity, Helper, 1,163 posts)

Posted 18 July 2004 - 11:32 PM

Yes, k, this seems to be tricky. ejosh87, if what I just told you before doesn't work, try and do what I told you earlier with Killbox, but do that in Safe Mode. Do that in Safe Mode with your file too, Y2Ken119.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#24 ejosh87 (Full Member, 22 posts)

Posted 18 July 2004 - 11:35 PM

Hey, yeah, I tried doing the pv in Safe Mode, but the thing is there was no resha.dll in option 6 either. It seems like something is creating the file and registry entry on startup. When I tried Killbox in Safe Mode it said the file doesn't seem to exist for resha.dll.

#25 Y2Ken119 (Full Member, 18 posts)

Posted 18 July 2004 - 11:37 PM

I hate to sound like an echo, but yeah, it seems in Safe Mode the file doesn't exist at all. It doesn't appear in a HijackThis scan in Safe Mode, or in Killbox, or in any other programs. This is one tricky trojan!

#26 pomp (Forum Deity, Helper, 1,163 posts)

Posted 18 July 2004 - 11:40 PM

K, I'm going to give someone the link to this topic and he'll see what he can do. We'll continue this later or sometime tomorrow. Thanks for holding in there, guys. Don't think I was doing the wrong things.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#27 ejosh87 (Full Member, 22 posts)

Posted 18 July 2004 - 11:42 PM

One other question: do you have any idea how serious the trojan is? Is it safe to use the computer tonight, or is it possible for someone to get onto my computer now?

thanks for the help so far

#28 pomp (Forum Deity, Helper, 1,163 posts)

Posted 18 July 2004 - 11:53 PM

Well, use it if you've got to; if you want to, like, go to bed or whatever, shut it down.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#29 ejosh87 (Full Member, 22 posts)

Posted 19 July 2004 - 12:07 AM

pomp, thanks for the help so far

#30 ejosh87 (Full Member, 22 posts)

Posted 19 July 2004 - 02:26 AM

I think I found the fix!!!! Here is what you do.

Go to Safe Mode (F8) on boot up and enter the command prompt.

Once in command prompt type:
cacls nameofyourdll.dll /P Administrator:F

Then type:
del nameofyourdll.dll

Restart and hopefully it will be fixed.

#31 ejosh87

ejosh87

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 19 July 2004 - 02:29 AM

Side note: I'd also recommend AVG virus scanner to everyone. I have norton corporate edition installed and it didn't find some trojans that AVG just now found.

#32 Nip

Nip

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 19 July 2004 - 03:16 AM

I think i found the fix!!!! here is what you do.

Go to safemode (F8) on boot up and enter command prompt.

Once in command prompt type:
cacls nameofyourdll.dll /P Administrator:F

Then type:
del nameofyourdll.dll

Restart and hopefully it will be fixed.

The first command appeared to go ok once I ran it at a C:\Windows\System32 prompt ... I ass-u-me this command is to make the file accessible? The second command returned the message file not found.

I'll check back tomorrow, it's getting too late for me <G>

Nip

#33 ejosh87

ejosh87

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 19 July 2004 - 03:32 AM

when you entered the command did it give you a prompt saying y/n where you entered y?

#34 pomp

pomp

    Forum Deity

  • Helper
  • PipPipPipPipPip
  • 1,163 posts

Posted 19 July 2004 - 09:24 AM

oh yes ejosh87, AVG is really recommended, you can get the FREE EDITION and it's just about the same with the paid ones, they like restrict you on not really important stuff. Did the fix you tried work and where did you find it out? Hope to hear from you.


#35 ejosh87

ejosh87

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 19 July 2004 - 11:24 AM

the fix worked for me, not sure if it will work for everyone but the exact steps i did was what i said earlier but before i did that i also did the cacls yourdllnamehere.dll /p Administrator:F in normal boot also which may make it also seen in safemode for some reason (not sure if that makes sense but before i did that i never saw it in safemode). I don't remember exactly where i found it, i just searched on google for annt_dlls and looked at like 10000 posts till i found something that worked. Thanks for the help earlier though pomp.

good luck people

#36 ejosh87

ejosh87

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 19 July 2004 - 11:26 AM

if anyone uses the method successfully or unsuccessfully please let us know here so we can see how effective it is.

#37 pomp

pomp

    Forum Deity

  • Helper
  • PipPipPipPipPip
  • 1,163 posts

Posted 19 July 2004 - 11:39 AM

hey ejosh87, can you post a new hijackthis log thanks


#38 Y2Ken119

Y2Ken119

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 19 July 2004 - 12:13 PM

The method ejosh said didn't quite work for me. It said it couldn't find the file. I can't seem to get to the system32 folder in command prompt either.

#39 ejosh87

ejosh87

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 19 July 2004 - 12:25 PM

Y2ken, did you try doing it in normal boot first and then safemode? for some reason every other time i tried doing anything with resha.dll it said couldn't find dll but this time it did. No idea what happened exactly.

Fixed Hijackthis log:

Logfile of HijackThis v1.98.0
Scan saved at 1:24:53 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG7\avgcc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: {31E8A994-4C3D-4681-AC6C-EAB39C603F24} (UAClientControl Control) - http://www.ultimatea...ientControl.ocx
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/do...py/iesnoopy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatea...ientControl.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#40 Y2Ken119

Y2Ken119

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 19 July 2004 - 12:32 PM

I tried it in both safe mode and normal mode to no avail.

#41 ejosh87

ejosh87

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 19 July 2004 - 12:35 PM

hmm that is weird, i'm not really good in this area.. i'd say wait for pomp to help you cause he knows what he is talking about. You can also try searching on google while you wait for him, using the log u get from that pv program (that's what i did, i put the appntdll or whatever its called = blah blah part into google search and just looked around)

good luck, i'll check back periodically to see if i can be of any help.

#42 Y2Ken119

Y2Ken119

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 19 July 2004 - 02:35 PM

Ahhhh I was doing something wrong. You said to type "cacls nameofyourdll.dll /P Administrator:F". It is in fact "cacls nameofyourdll.dll/P Administrator:F" with no space between .dll and /P. I was excited cause it seemed to be working but when i went to delete it in safe mode it said the file didn't exist. Also when i tried in normal mode it said that access to the file is denied. :blush:

#43 ejosh87

ejosh87

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 19 July 2004 - 02:41 PM

you weren't able to even process it in normal mode? What i did was process it with the cacls command and then it did say access denied for deleting it in normal mode but then i restarted in safe mode and it seemed to work after i did that in normal mode.

good luck

#44 Y2Ken119

Y2Ken119

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 19 July 2004 - 02:56 PM

Yeah it seems to process but I tried the normal mode processing then safe mode and still nothing. Here's what it looks like when i type the command:

[screenshot of the cacls command output; image not available]

#45 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 19 July 2004 - 04:40 PM

There are a lot of intrusions in this thread. Please DO NOT POST YOUR LOG FILE INTO SOMEONE ELSE'S TOPIC! START YOUR OWN, as it says up above. :)

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare (1564-1616)
The various helper groups here
UNITE


#46 Y2Ken119

Y2Ken119

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 19 July 2004 - 06:29 PM

Sorry about that I didn't notice the BIG RED thing up there. I must be blind. I actually did make 2 topics of my own but no one replied to either. :huh:

#47 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 19 July 2004 - 07:34 PM

Y2Ken119,

I found and merged your 2 topics:
http://forums.spywar...topic=16306&hl=

Someone will help you there. It's confusing to have more than one problem in a thread.



#48 Nip

Nip

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 19 July 2004 - 07:52 PM

Ahhhh I was doing something wrong. You said to type "cacls nameofyourdll.dll /P Administrator:F". It is in fact "cacls nameofyourdll.dll/P Administrator:F" with no space between .dll and /P. I was excited cause it seemed to be working but when i went to delete it in safe mode it said the file didn't exist. Also when i tried in normal mode it said that access to the file is denied.


Well, I got rid of the .dll and here's how I did it. Replace "logojfk.dll" with the .dll you're trying to kill, and the commands referenced must be executed at the prompt of the directory in which the file exists, in my case C:\Windows\System32.

1) In Normal boot mode I did the command "cacls logojfk.dll /P Administrator:F", (with a space before the /P), and selected "Y" at the next prompt. I then tried to run "del logojfk.dll" but got "Access Denied"

2) I restarted in Safe mode and did exactly the same as above with the same results, but instead of "Access Denied" it said "File not found".

3) I restarted in Normal mode, and did the "cacls" command as above, but then ran the command "dir L*.dll" and lo and behold it displayed the .dll in question, logojfk.dll (along with all .dll's beginning with the letter "L"). I ran the command "attrib logojfk.dll" to see if I needed to reset any file attributes, but the archive bit was the only one on. Next I ran "del logojfk.dll" and successfully deleted the file. At this point I no longer got the virus warning, so I ran HJT and it still showed the .dll on the last line of the log file. SO, I checked the box, let HJT fix it, and the next log showed to be clean. Hope this helps somebody, this is a pesky bugger!

As usual, no guarantees, no-money down, your mileage may vary, etc.

Da Nipster
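Added example, not code from this thread or from any of its posters: a batch file that collects the steps ejosh87 (post #30) and Nip (post #48) describe into one script for an elevated cmd prompt (cacls, attrib, del, then clearing the AppInit_DLLs load point that HijackThis removed). It assumes an English Windows XP (the "Administrators" group name; the posts use the Administrator account) and that AppInit_DLLs contains nothing but the malicious entry; the DLL names resha.dll and logojfk.dll are the ones reported in the thread.

```batch
@echo off
rem Added example (not from the thread): remove a DLL loaded via AppInit_DLLs.
rem Usage: cleandll.cmd resha.dll   (run from an elevated or Safe Mode cmd prompt)
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 name.dll
    exit /b 1
)
set "TARGET=%SystemRoot%\system32\%~1"
set "APPINIT_KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

echo [1] Current AppInit_DLLs value (the load point used here):
reg query "%APPINIT_KEY%" /v AppInit_DLLs

echo [2] Is the file visible from this boot mode?
if not exist "%TARGET%" (
    echo     %TARGET% not found - as in the thread, try the other boot mode.
    exit /b 2
)
dir /a "%TARGET%"
attrib "%TARGET%"

echo [3] Replace the ACL with Administrators:Full ^(answers the Y/N prompt^) ...
echo y| cacls "%TARGET%" /P Administrators:F

echo [4] Clear read-only/system/hidden attributes and delete:
attrib -r -s -h "%TARGET%"
del /f "%TARGET%"
if exist "%TARGET%" (
    echo     delete failed - the DLL is probably still loaded; reboot to Safe Mode and rerun.
    exit /b 3
)

echo [5] Remove the load point. Note: this sets AppInit_DLLs to an empty string,
echo     which is correct only if step 1 listed nothing but the malicious DLL.
reg add "%APPINIT_KEY%" /v AppInit_DLLs /t REG_SZ /d "" /f
echo Done - reboot and re-run the HijackThis scan to confirm the entry is gone.
endlocal
```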

#49 Y2Ken119

Y2Ken119

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 19 July 2004 - 09:29 PM

Thanks for merging them. I'll be sure to read all rules before I make a mistake like that again!

#50 ImperialFleet

ImperialFleet

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 19 July 2004 - 09:37 PM

I have the same problems, except my file is called "winc.dll" I have tried everything listed in here as well. The problem with running killbox is that when you reboot, the file goes away and there is nothing to delete until the PC is fully booted/logged into again, and by that time the dll is already embedded into the memory again. We all are having the same problem, but as of yet nothing is strong enough to cure the problem. About:Buster comes real close, but it cannot delete the file because access is denied. But..then again does it really matter if About:Buster removes the dll? If the dll is not there in safe mode, it means there is another file in addition to the dll that is the real culprit. AAAAAAAAAAAHHHHH! :techsupport:

