CWS infected my machine


  • This topic is locked
173 replies to this topic

#51 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 20 May 2004 - 06:25 PM

Oh I forgot
in registry there was a number 12 and something called patrol...

I didn't delete those, I didn't know what they were.

Carol

Let's step back to that for a minute Carol. Will you please find those keys again, right click them when found and choose "export", save them to a convenient location. After that is done, go to where you saved them, right click the file(s), choose "edit" and then paste the contents as a reply to this thread.

Let's do some cleanup of unnecessary files.
Go to Start>All Programs>Accessories>System Tools>Disk Cleanup
You want to clean the C drive if it asks
In the files to delete pane select all options except for "compress old files" and "catalog files for the content indexer"
This will empty your recycle bin, if you want to avoid that for any reason then do not check that option.
Click ok and allow it to finish.

If disk cleanup freezes on the initial scan, try this reg file to see if it helps. Copy the contents of the quote box to a notepad document, call it fixcleaner.reg and save as type "all files".

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Compress old files]

Double click fixcleaner.reg and say yes to add it to the registry then try disk cleanup again.

Look in add/remove programs....how many installations of java do you have?

#52 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 20 May 2004 - 07:37 PM

Funny you should mention Java....

One of my groups is having a club chat tonight--so naturally explorer didn't have the option--said I had to download something called a Microsoft Java blah blah--but MS doesn't have it on their site anymore because of a lawsuit with Sun Microsystems. I dl'd sun...my groups chat interface didn't like it...so I dl'd the Mozilla browser--which I don't like even though it has the Netscape interface...What's this got to do with anything? Nothing. :) But I already have the Java2m platform.
But it wouldn't work on my chat group. Only whatever is in the Mozilla browser works for this particular group.

We can delete what's unnecessary. I'll do everything you suggested after the chat tonight :) Hmm, how many Java platforms does one need? :)

Carol

#53 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 20 May 2004 - 07:39 PM

NO OUTHOST is gone :) (hopefully there aren't any hidden remnants anywhere) *LOL* When I get my checkboxes back, I'll check the boxes you recommended.

Carol

#54 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 20 May 2004 - 08:04 PM

You only need one Java (the one from Sun); it interfaces fine with IE and Mozilla. Do you have the installer from Sun downloaded?

#55 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 20 May 2004 - 09:17 PM

No the disk clean up is working. :)

How do I get Netscape to dl? and my checkmarks back in Explorer tools options?

Carol

#56 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 20 May 2004 - 09:28 PM

Done!
Removed from your system:
- CWS.Yexe

Windows XP (5.01.2600 )
CWShredder v1.57.0
Written by Merijn - merijn@spywareinfo.com

For any additional help with this program or removing CWS, visit:
http://www.spywareinfoforum.com/

For information and documentation on the Coolwebsearch
trojan and its variants, visit:
http://www.spywarein...chronicles.html

For donations to help support CWShredder, visit:
http://www.spywarein...ijn/donate.html

#57 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 20 May 2004 - 09:30 PM

I got CWS to install

Did you ever go here?

http://www.mvps.org/.../IEFAQ.htm#Tabs

I followed that registry thing, I changed the number to zero nothing happened!

and I did that other dl and I still don't have checkboxes.

Carol

Edited by Good_Day, 20 May 2004 - 09:30 PM.


#58 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 20 May 2004 - 09:32 PM

Go to start>control panel>folder options
Do you have them there?

I need more information on the Netscape problem. Are you trying to download the installer and it only goes halfway and then quits, or are you trying to install it from the web? What exactly is happening?

#59 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 20 May 2004 - 09:38 PM

Are you missing your tabs in internet explorer? I thought you were referring to windows explorer.

Which is it?

#60 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 20 May 2004 - 10:31 PM

Are you missing your tabs in internet explorer? I thought you were referring to windows explorer.

Which is it?

Nope--Internet Explorer ver. 6.0--I have no checkmark boxes....so when you told me a few days ago to click something in there...I can't do it as I have nothing to click on.

and Netscape (which I like to have on hand as a default browser) was on my system pre-virus...but ever since I got infected and even now that I'm clean
It won't open...I tried dl'ing it twice even deleting the old one and starting over
and I get the icons on the taskbar, desktop, including the annoying "BUY AOL!" buttons, but the program WILL NOT launch...and for the heck of it...let's do a recent hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 11:31:12 PM, on 5/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\LittleBlackBook.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: HushEncryptionEngine - https://mailserver2....ptionEngine.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5....m/c381/chat.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictive...ab/emCraft1.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell...iler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} - http://download.rich...st/twophase.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...81/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingsto...TInc/bridge.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,19/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.ho...ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

#61 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 20 May 2004 - 10:44 PM

You need to tick these two lines in order to be able to access Internet Options from within internet explorer.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Have you completely uninstalled Netscape (via control panel>add/remove programs) ?

#62 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 20 May 2004 - 10:46 PM

Also Carol, you are behind on your updates which makes it much easier to get malware onto your system. You need to visit Windows Update and apply all critical updates.

#63 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 20 May 2004 - 10:55 PM

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictive...ab/emCraft1.cab
That one should go too; they are partnered with Lycos (sidesearch), abetterinternet, shopathomeselect. If you have AT games installed I would remove them via add/remove programs.

#64 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 21 May 2004 - 12:41 AM

Well I did the windows updates and when I logged on here, I got a pop up saying "Windows has recovered from an error" WTF?

And I still don't have any checkboxes in the tools-internet options

and Netscape won't launch.

Carol

#65 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 21 May 2004 - 06:16 AM

Post a fresh HijackThis log please Carol

#66 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 21 May 2004 - 08:44 AM

Logfile of HijackThis v1.97.7
Scan saved at 9:44:20 AM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\msiexec.exe
C:\LittleBlackBook.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: HushEncryptionEngine - https://mailserver2....ptionEngine.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5....m/c381/chat.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell...iler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} - http://download.rich...st/twophase.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...81/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingsto...TInc/bridge.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,19/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.ho...ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

I hope this helps!~Carol

#67 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 21 May 2004 - 10:54 AM

Good job getting the updates.
This one still needs fixing
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingsto...TInc/bridge.cab

I don't see the entries locking you out of Internet Options from within Internet Explorer anymore, can you use Tools>Internet Options now?
If not can you access Start>Control Panel>Internet Options?

When you say the checkboxes are missing, do you mean you can open Internet Options but when you click the advanced tab there is nothing in the window, or just the boxes are missing?

Well I did the windows updates and when I logged on here, I got a pop up saying "Windows has recovered from an error" WTF?

Did that only happen one time or is it recurring? What is the error number?
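Reading the two logs the way the helper does in posts #61 and #67 (the O6 policy entries gone after the reboot, the SP1 headers after Windows Update, the emCraft entry removed and bridge.cab still present) can be automated. The following is an added example, not code from the thread or from HijackThis: it parses the HijackThis item format, diffs two scans and lists the items this thread treats as actionable. The sample logs are abridged copies of the ones posted above, and the CLSID watchlist is constructed from the helper's own posts, not from any maintained database.

```python
import re

# Constructed sample input: entries copied from the two HijackThis logs posted
# in this thread (20 May and 21 May 2004), abridged to the lines the helper
# commented on; the truncated URLs are reproduced as they appear in the thread.
LOG_MAY_20 = r"""Logfile of HijackThis v1.97.7
Scan saved at 11:31:12 PM, on 5/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictive...ab/emCraft1.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingsto...TInc/bridge.cab
"""

LOG_MAY_21 = r"""Logfile of HijackThis v1.97.7
Scan saved at 9:44:20 AM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingsto...TInc/bridge.cab
"""

HEADER_FIELDS = ("Platform", "MSIE")
# HijackThis item lines: a section code (R0-R3, F0-F3, N1-N4, O1-O2x), " - ", body.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# CLSID-form O16 bodies start "DPF: {CLSID}"; named-form ones (e.g. "Yahoo! Chat") have none.
DPF_CLSID_RE = re.compile(r"^DPF: \{([0-9A-Fa-f-]{36})\}")

# ActiveX (O16) CLSIDs the helper in this thread singled out for removal
# (posts #63 and #67); constructed watchlist, not from any maintained database.
WATCHLIST_CLSIDS = {
    "00000EF1-0786-4633-87C6-1AA7A44296DA": "emCraft1.cab, the 'AT games' bundle (post #63)",
    "9C691A33-7DDA-4C2F-BE4C-C176083F35CF": "bridge.cab (post #67)",
}

def parse_log(text):
    """Split a HijackThis log into (header fields, list of (code, body) items)."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
            continue
        for field in HEADER_FIELDS:
            if line.startswith(field + ":"):
                header[field] = line.split(":", 1)[1].strip()
    return header, entries

def triage(entries):
    """Return (code, body, reason) for the items this thread treats as actionable."""
    findings = []
    for code, body in entries:
        if code == "O6":
            findings.append((code, body, "IE policy restriction: locks the user out of Tools > Internet Options (post #61)"))
        elif code == "R3" and body.endswith("(no file)"):
            findings.append((code, body, "URLSearchHook whose handler DLL no longer exists on disk"))
        elif code == "O3" and "MyWebSearch" in body:
            findings.append((code, body, "MyWebSearch toolbar; remove via Add/Remove Programs (post #76)"))
        elif code == "O16":
            m = DPF_CLSID_RE.match(body)
            if m and m.group(1).upper() in WATCHLIST_CLSIDS:
                findings.append((code, body, "ActiveX download on watchlist: " + WATCHLIST_CLSIDS[m.group(1).upper()]))
    return findings

def diff_logs(old_text, new_text):
    """Compare two scans: changed header fields, items removed, items added."""
    old_hdr, old_entries = parse_log(old_text)
    new_hdr, new_entries = parse_log(new_text)
    header_changes = {f: (old_hdr.get(f), new_hdr.get(f))
                      for f in HEADER_FIELDS if old_hdr.get(f) != new_hdr.get(f)}
    old_set, new_set = set(old_entries), set(new_entries)
    removed = [e for e in old_entries if e not in new_set]   # log order preserved
    added = [e for e in new_entries if e not in old_set]
    return header_changes, removed, added

def report(old_text, new_text):
    """Human-readable summary: what changed between scans, then what still needs action."""
    header_changes, removed, added = diff_logs(old_text, new_text)
    lines = [f"{f}: {before} -> {after}" for f, (before, after) in header_changes.items()]
    lines += [f"- {code} - {body}" for code, body in removed]
    lines += [f"+ {code} - {body}" for code, body in added]
    lines += [f"! {code} - {body}\n    {reason}" for code, body, reason in triage(parse_log(new_text)[1])]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(LOG_MAY_20, LOG_MAY_21))
```

Run against the two abridged logs, the report shows the Platform and MSIE lines changing to SP1, the two O6 entries and the emCraft O16 entry as removed, and bridge.cab, the MyWebSearch toolbar and the orphaned URLSearchHook as still outstanding.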

#68 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 21 May 2004 - 10:56 AM

Re--The pop window--I don't know--it was one in the morning and I didn't write it down. *LOL*

The actual checkmark boxes are missing.

Tools--Options--Advanced Tab *no checkmark boxes*

Okay, I'll remove that annoyance that you mentioned :)

Carol

#69 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 21 May 2004 - 02:10 PM

I noticed this a while ago but didn't think about it until now---I lost things that were on my start menu like half of the games--microsoft picture it...that stupid Lycos sidesearch button is still there...and I have something weird called Top Text iLookup...what is it?

I didn't lose the items, they just aren't on the start bar. I did drag a spider solitaire icon down to the top of the start bar, but I'd rather it be in its normal spot in the games folder--in fact the whole games bar is gone--solitaire, freecell, spider solitaire, etc.

More remnants from CWS! :(

Carol

#70 shadowwar

    Forum Deity

  • Global Moderator
  • 1,361 posts

Posted 21 May 2004 - 02:15 PM

download this:

http://www.mvps.org/...estrictions.reg

save it to the desktop.
Close all IE's
Double click it.
when asked to merge say yes.

See if that makes a difference.



#71 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 21 May 2004 - 02:28 PM

Hi Shadowwar,

Well I don't know if this was in response to my lack of checkmark boxes or the start bar, but I did what you said (it didn't ask to merge, it asked me if I wanted to add it to the registry) but I did it...and nothing changed.

And every time I finish doing these tasks, I reboot.

Carol

#72 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 21 May 2004 - 06:59 PM

This has been a long thread spanning two boards, I don't recall if you have Spybot S&D (version 1.3) installed or not. If you do then update it and then do a scan, fix all items it lists in red.

*****
Here are instructions to download and run Spybot if you need them.

Get Spybot S&D to clear out some of the malware. If you have a problem downloading from there, use this link.

Install Spybot S&D, run it and select "search for updates" (under "online") and put a checkmark in the box of each one it finds.
Press the download button at the top left.

Close all browser windows and shut down all other programs with a placeholder in the taskbar.
Click the "search and destroy" icon in the left pane, then click the "check for problems" button at the bottom of the window.
When it is finished scanning, make sure there is a check mark next to any items labeled in red, click the "fix selected problems" button at the bottom.

When Spybot gets done, reboot your computer (this is very important).

******
Hopefully Spybot will remove any leftover malware on your machine including the Lycos and iLookUp from the start menu, but if it doesn't then right click them, choose properties and then click the "find target" button. If that leads to a file then paste the contents of the "target" box from the shortcut properties dialog here; if you get a message saying "the system cannot find the file" then go ahead and delete the shortcut. After we clean up those shortcuts we'll move on to the missing game shortcuts and then the internet explorer boxes.

#73 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 21 May 2004 - 08:26 PM

When you click the advanced tab in Internet Explorer options do you just get a blank white background with nothing on it where the check boxes should be or are just the boxes missing but the text is there?

#74 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 21 May 2004 - 08:45 PM

Rand,

I'll read your fixes in a minute--OH god...all I did was replace my AOLIM and Yahoo msg'r FROM their official sites
and I got the Y toolbar and the my websearch with smiley central...ewww! How do I get it off?

Carol

#75 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 21 May 2004 - 08:48 PM

Cool

No, I couldn't get Spybot--I know I can now...since I got the CWShredder--the window used to close on me, I'll do this before bed...thanks...I appreciate all the help!

Carol

#76 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 21 May 2004 - 09:27 PM

You should be able to remove mywebsearch in add/remove programs. It will be easier on both of us if you don't install any other programs until we get your current problems solved.

#77 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 22 May 2004 - 11:32 AM

Hi Rand--

Well the reason I dl'd the msg'rs was because in my other life of non-frustrated computer user--I moderate a board and there was a problem we needed to take care of with one of the members.

Interesting stuff--I dl'd search and destroy it wouldn't have been me without a problem--

It found all these things and started to fix them--
then it stopped--and it said can't continue because xmltok.dll is missing--
and to reinstall the program....
and I'm like WTHell--well I clicked the OK to get rid of the pop up--
and it started to FIX and all the x's turned to checkmarks

So, I'm like why did I get that popup if everything worked out in the end?

Then I rebooted like you said....

IT GOT RID OF Lycos search and the other crappy things on the bar.

Still no checkmark boxes....

So despite that weird pop up it was a success. :) Do you need another
HiJack This log?

Carol

#78 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 22 May 2004 - 01:20 PM

You seem to be missing a few different files that should be there. It would be time for a repair install at this point I think if you had a windows cd.

Do a search of your computer for xmltok.dll and let me know where you find it.

Run Registrar Lite and paste the following into the Address bar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions
Hit enter

Do you see this in the left pane.

Attached Images

  • IEAdvanced.GIF


#79 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 22 May 2004 - 01:46 PM

Okay--is it perfectly normal--you know when you are searching and see all the names of the folders go by--well I noticed some of the folders say "outhost"...i take it that's normal....

Search has found xmltok.dll in:

C:/ProgramFiles/Radio@NetscapePlus/Program

and

C:/ProgramFiles/YahooMessenger

PS--I should tell you when I tried reinstalling my Norton a few weeks ago when I still was infected--I did it on the desktop...and there were a bunch of dlls and other like files that I put in C:/. Since then I did uninstall Norton.

Now on to the other task :)

Carol

Edited by Good_Day, 22 May 2004 - 05:54 PM.


#80 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 22 May 2004 - 01:58 PM

Yes, I see everything shown--and one extra--

an ab (default) (value not set)


I won't touch it..I don't know if should be there or not...but it wasn't on the screen cap you showed. But everything else that you mentioned, I do have.:)

Carol

#81 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 22 May 2004 - 06:08 PM

OK, no worries on xmltok then Carol as long as Yahoo is working OK. Is Netscape OK now too?

Let's try this for your IE Options boxes
Click Start>Control Panel>Display then click the Appearance tab
Under the themes tab click the drop down menu and choose "Windows Classic" (unless that is the one you are using, then choose a different one) then click Apply. Did that help with the internet options boxes?

Yes, I see everything shown--and one extra--

an ab (default) (value not set)


I won't touch it..I don't know if should be there or not...but it wasn't on the screen cap you showed. But everything else that you mentioned, I do have.

Carol

Right click the registry key in question and choose "export" save it as a .reg file, then right click the file, choose "edit" and paste it as a reply here (unless it is longer than a HJT log).

#82 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 22 May 2004 - 06:58 PM

Netscape still WILL NOT launch.

Windows Classic worked! I got my checkmark boxes...now I'll have to go back three or so pages to find the things you wanted me to click on....

Then I'll do that thing you suggested with that "weird" registry key.

EXPORT-is SHADED so I can't click on it...I even tried at the top
of the page and that export button is SHADED also.

Carol

Edited by Good_Day, 22 May 2004 - 07:07 PM.


#83 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 22 May 2004 - 10:03 PM

Yes, I see everything shown--and one extra--

an ab (default) (value not set)

EXPORT-is SHADED so I can't click on it...I even tried at the top
of the page and that export button is SHADED also.

The ab value must be in the right pane then. Is that with "Advanced Options" highlighted in the left pane (as it is in the screen shot I posted)?

Netscape still WILL NOT launch.

Have you completely uninstalled Netscape, rebooted and then deleted the netscape folder in program files? Also do the following
go to start>run and type
%temp% hit enter
In the window that comes up go to edit>select all
All the files in the temp folder should become highlighted, press your delete key one time and say yes to delete all the files
Once that is done, go here and download the Windows Full Installer
http://wp.netscape.c...ll_install.html
Shut down all other programs and then double click NSSetup-full.exe to begin the installation.

Edited by rand1038, 22 May 2004 - 10:04 PM.


#84 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 22 May 2004 - 11:18 PM

I did what you said with Netscape--it will install but won't open.
I thought deleting everything like you said would work but it didn't.

And yes, the advanced pane was highlighted but export was still SHADED. (Import isn't)


Carol

#85 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 22 May 2004 - 11:37 PM

Good news!

I got Norton installed :) It works!

Bad news! (wouldn't be me without it) *lol*

Notepad is now an exe file in my start...Wordpad disappeared a week ago but I dragged an icon from the program files to the desktop so I can access it that way. I don't know what happened with Notepad! Something seems to be "eating" my start bar programs.
They don't delete them--they just delete them completely from the start bar or turn them into exe boxes.

Carol

#86 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 23 May 2004 - 12:02 AM

Try these steps Carol for netscape.

And yes, the advanced pane was highlighted but export was still SHADED. (Import isn't)

Right click the "Advanced Options" key and choose "Permissions"; with "Administrator" highlighted in the top pane the bottom pane should have checkmarks in the "full control" and "read" boxes.

#87 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 23 May 2004 - 12:05 AM

They don't delete them--they just delete them completely from the start bar or turn them into exe boxes.

Do they disappear from Start>Programs or just from the start menu "quick list" of programs that shows when you first click the start button?

#88 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 23 May 2004 - 10:13 AM

They are off the start bar start--programs--some are gone and some like notepad are now exe boxes.

Oh Norton found a Trojan last night! But said it couldn't delete it...but then I did a CWS search and it said my system was clean. I didn't finish the Norton search as it was too late.

I'll try the netscape thing--does that mean I have to delete the recent dl?

I know the answer is yes. :)

Carol

#89 Good_Day

    Advanced Member

  • Full Member
  • 182 posts

Posted 23 May 2004 - 10:23 AM

I can see that's pretty lengthy. I'll have to do it later. I'm going to resume my Norton scan.

Carol

#90 rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 23 May 2004 - 11:29 AM

I'll try the netscape thing--does that mean I have to delete the recent dl?

The installer you downloaded should be fine, you don't need to download it again.

Do the Norton scan in safe mode and see if that will work.

Do you have Trojan Hunter yet?
Download Trojan Hunter (free version).
Next go here and download the latest update zip file.
Install Trojan Hunter and make a note of the full path to the folder where it is installed, by default this is
X:\program files\TrojanHunter 3.8 (X is the drive Trojan Hunter is installed on, usually C).
After installation unzip the update file you downloaded to the installation folder you took note of.
Say "Yes to All" when you are asked about replacing files.
You have to completely shut down Trojan Hunter for the new files to be used.
Double click the desktop icon to run Trojan Hunter, click to continue evaluation.
Click the "Full Scan" button on the upper left.

#91 Good_Day (Advanced Member, Full Member, 182 posts)
Posted 23 May 2004 - 11:53 AM

Yikes! Will do.

I'm curious what Norton will find so it's still scanning from when I posted before. (It takes forever)--you know apart from the real dangerous Trojans and the like--I'm wondering if Norton, McAfee, AVG etc will always FIND something, even if some of the things that they find are harmless?

So far it says it "detected 7" things. "Fixed 1"

I wanted to let you know if there's something we missed which is why I'm letting this scan complete. After I post the results, I'm going to do that Trojan thing you recommended.

B02802040113.dll Adware Virtual Bouncer
key2.txt Adware Blaze find
sidesearch1400.dll Adware Side Search
UnstSA2.exe Adware Blaze find
mmind.cmd IRC Trojan
startuplist.txt Bloodhound.Exploit.6

NORTON SAID IT fixed the IRC Trojan and startuplist.txt Bloodhound.Exploit.6

The others are at risk...I will follow the instructions

Quarantined 2
Deleted 4

Hopefully this will be of some help.

Carol

#92 Good_Day (Advanced Member, Full Member, 182 posts)
Posted 23 May 2004 - 12:00 PM

allrighty, wow...

I dl'd the Trojan Hunter (I'm sure you are aware that it is a trial version)
and dl'd the zip thing which C:/35X-2--4-05-21.zip

What do I do with it?

The Trojan Hunter guard is disabled

and I have the Winzip of the update folder opened....

Carol

#93 Good_Day (Advanced Member, Full Member, 182 posts)
Posted 23 May 2004 - 01:38 PM

Trojan Hunter:

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
No trojan files found

#94 rand1038 (Advanced Member, Retired Staff, 105 posts)
Posted 23 May 2004 - 08:16 PM

Trojan Hunter:

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
No trojan files found

A clean bill of health from Trojan Hunter, that's good to see. Thanks for noting the "trial version", I'll change my speech to reflect that in the future.
You can try an online scan to make sure Norton didn't miss anything. I like Trendmicro.

Yes, sometimes malware scanners find things that are "actively" bad, like the startuplist.txt one in your list was probably just a registry key or file name listed in a startuplist report. You want to be careful that the path to the file it says is bad does not contain a malware scanners folder (such as Spybot S&D, Ad-Aware or TrojanHunter's) as these type of programs contain "signatures" which they use to identify the junk files. Sometimes the signature files confuse other scanners.

Did you do the Safe Mode scan with Norton?
Did you get Netscape working yet?

#95 Good_Day (Advanced Member, Full Member, 182 posts)
Posted 23 May 2004 - 10:32 PM

No...I was bad, I watched The Sopranos. *LOL*

But I'm going to do that Netscape thing today and tomorrow I'll do the Norton in safe mode.

Carol

#96 rand1038 (Advanced Member, Retired Staff, 105 posts)
Posted 24 May 2004 - 06:33 AM

That's a good show. I'll bet you Tony could fix your computer. You would just have to glue it back together when he was done. :blink:

#97 Good_Day (Advanced Member, Full Member, 182 posts)
Posted 24 May 2004 - 09:50 AM

*LOL* Rand :)

Well Netscape still won't launch. I did that "Everybody" thing--but it only said to do so in the Mozilla folder. Wouldn't it make sense to do it in the Netscape folder too?

Oh--I woke up with a note from Norton saying I had a Trojan in Windows Recycler.

I haven't had time to do a safe mode scan. I will today.

Carol

#98 rand1038 (Advanced Member, Retired Staff, 105 posts)
Posted 25 May 2004 - 11:04 PM

I would do it in the Netscape folder too Good_Day

#99 Good_Day (Advanced Member, Full Member, 182 posts)
Posted 26 May 2004 - 11:25 AM

Thanks, Rand. :)

Oh I also did the safe mode scan yesterday--1 virus detected. Adware from Lycos side search. But I didn't get any more windows recycler trojan pop ups.

Carol

#100 rand1038 (Advanced Member, Retired Staff, 105 posts)
Posted 26 May 2004 - 09:04 PM

Ok, so where are we at Carol. Please list any concerns you still have and post a fresh HijackThis log.



