MalWare Removal Forum

All times are UTC [ DST ]


Post subject: My Infected Computer..
Posted: Mon 21 Mar, 2005 4:31 pm
Active Member
Joined: Mon 21 Mar, 2005 4:12 pm
Posts: 5
HI..I RAN THE hijackthis-scan..WELL, I HAVE A WHOLE LIST OF STUFF AND I'M NOT SURE WHAT TO DELETE ??!! DO I JUST GET RID OF IT ALL OR WILL THAT MESS UP MY COMPUTER EVEN MORE ?? PLEASE HELP !!
THANKS.... :roll:

Posted: Mon 21 Mar, 2005 5:23 pm
Visiting Expert
Joined: Tue 01 Mar, 2005 5:42 pm
Posts: 32
Location: Copenhagen, Denmark
No - do not get rid of anything. HijackThis will show both good and bad "stuff". Copy the contents of the HijackThis log into this thread and we will tell you what to keep and what to remove.

Please follow these instructions first:

http://www.malwareremoval.com/forum/viewtopic.php?t=12

Post subject: thanks..
Posted: Thu 24 Mar, 2005 3:00 pm
Active Member
Joined: Mon 21 Mar, 2005 4:12 pm
Posts: 5
THANKS FOR YOUR REPLY..I'M NOT SURE HOW TO GET THE HIJACKTHIS LOG INTO THIS THREAD :cry:
THANKS FOR YOUR TIME.......

Posted: Thu 24 Mar, 2005 3:13 pm
Visiting Expert
Joined: Tue 01 Mar, 2005 5:42 pm
Posts: 32
Location: Copenhagen, Denmark
Try and see if this tutorial is any help:

http://www.bleepingcomputer.com/forums/ ... utorial=42

The text under figure 3 should explain how to....
_______________________________________

Please don't use Caps Lock. Using only capital letters means that you are shouting :)

Post subject: thanks...
Posted: Mon 28 Mar, 2005 2:34 pm
Active Member
Joined: Mon 21 Mar, 2005 4:12 pm
Posts: 5
:lol: Thanks for your help.. Sorry for using the capital letters.. I didn't know that it meant that..
I would've answered sooner, but my pages keep getting re-directed.. and I'm about to pull my hair out.. lol :shock:
I'm running the HijackThis scan now..
Thanks...

Post subject: HijackThis Log: Please help Diagnose
Posted: Mon 28 Mar, 2005 3:40 pm
Active Member
Joined: Mon 21 Mar, 2005 4:12 pm
Posts: 5
Logfile of HijackThis v1.99.1
Scan saved at 9:13:18 AM, on 3/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\Profiles\Patsy\Desktop\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\Profiles\Patsy\Desktop\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1CFEF10E-5A33-4C22-9CF8-BD90D866A445} - C:\WINDOWS\SYSTEM\BEKG.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\SE.DLL,DllInstall
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O18 - Filter: text/html - {CFE31907-A4B8-44F1-9A9B-E3B57F1A2D24} - C:\WINDOWS\SYSTEM\BEKG.DLL
O18 - Filter: text/plain - {CFE31907-A4B8-44F1-9A9B-E3B57F1A2D24} - C:\WINDOWS\SYSTEM\BEKG.DLL

Posted: Mon 28 Mar, 2005 8:49 pm
Visiting Expert
Joined: Tue 01 Mar, 2005 5:42 pm
Posts: 32
Location: Copenhagen, Denmark
That is a short HijackThis log. Did you fix anything yourself..? If yes, you need to run HijackThis, click Config in the lower right corner, click Backups, put a checkmark to the left of all lines and click Restore. This will restore all lines that you fixed.

If you fixed anything you now need to reboot your computer and post a fresh log here - do not follow the instructions below the line (*****).

***************************************************************

If you didn't fix anything yourself.....

1. First of all I need you to download some programs for use later.

Download About:Buster from here. Once it is downloaded, extract it to c:\aboutbuster and check for updates. Do NOT use it yet.

Download CWShredder from here, install it, check for updates but again, don't use it yet.

Download FxAgentB from here

2. Ensure hidden files and folders are set to show;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.

3. Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

4. Open Cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

5. Now run HijackThis and click the scan button, when it has finished scanning put a check against the following and click 'fix checked'

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\Profiles\Patsy\Desktop\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\Profiles\Patsy\Desktop\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1CFEF10E-5A33-4C22-9CF8-BD90D866A445} - C:\WINDOWS\SYSTEM\BEKG.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\SE.DLL,DllInstall
O18 - Filter: text/html - {CFE31907-A4B8-44F1-9A9B-E3B57F1A2D24} - C:\WINDOWS\SYSTEM\BEKG.DLL
O18 - Filter: text/plain - {CFE31907-A4B8-44F1-9A9B-E3B57F1A2D24} - C:\WINDOWS\SYSTEM\BEKG.DLL

6. Find and delete:

C:\WINDOWS\SYSTEM\BEKG.DLL
C:\WINDOWS\Profiles\Patsy\Desktop\se.dll

7. Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.

8. Finally run the FxAgentB tool you downloaded earlier.

9. Now reboot, and run hijackthis again and post a fresh log along with the about buster log.

Post subject: HijackThis Log: Please help Diagnose
Posted: Tue 29 Mar, 2005 12:06 am
Active Member
Joined: Mon 21 Mar, 2005 4:12 pm
Posts: 5
Logfile of HijackThis v1.99.1
Scan saved at 6:11:08 PM, on 3/28/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\CPQMLCK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msn.dll/index
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msn.dll/index
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msn.dll/index
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msn.dll/msn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://msn.dll/msn
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msn.dll/index
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = res://msn.dll/index
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1CFEF10E-5A33-4C22-9CF8-BD90D866A445} - C:\WINDOWS\SYSTEM\BEKG.DLL
O2 - BHO: (no name) - {881DEEBA-B562-4C9F-B249-9A42B4F9B7B8} - C:\WINDOWS\SYSTEM\BEKG.DLL
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL
O2 - BHO: (no name) - {D9A063F7-354F-4794-BDD3-EE05987B5148} - C:\WINDOWS\SYSTEM\BEKG.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [sp] rundll32 C:\SE.DLL,DllInstall
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [XoftSpy] C:\PROGRAM FILES\XOFTSPY\XoftSpy.exe -s
O4 - HKLM\..\Run: [SwatIt] C:\PROGRAM FILES\SWAT IT V2.1\SWATIT.EXE /tray
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [winltmpv] c:\windows\nvsvwc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Filter: text/html - {89B684E7-5766-4F50-B795-EC1601919EFF} - C:\WINDOWS\SYSTEM\BEKG.DLL
O18 - Filter: text/plain - {89B684E7-5766-4F50-B795-EC1601919EFF} - C:\WINDOWS\SYSTEM\BEKG.DLL
O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - (no file)

Posted: Tue 29 Mar, 2005 6:11 am
Visiting Expert
Joined: Tue 01 Mar, 2005 5:42 pm
Posts: 32
Location: Copenhagen, Denmark
1. First of all I need you to download some programs for use later.

Download About:Buster from here. Once it is downloaded, extract it to c:\aboutbuster and check for updates. Do NOT use it yet.

Download CWShredder from here, install it, check for updates but again, don't use it yet.

Download FxAgentB from here

Download CleanUp! from here

2. Ensure hidden files and folders are set to show;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.

3. Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

4. Open Cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

5. Now run HijackThis and click the scan button, when it has finished scanning put a check against the following and click 'fix checked'

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msn.dll/index
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msn.dll/index
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msn.dll/index
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msn.dll/msn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://msn.dll/msn
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msn.dll/index
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = res://msn.dll/index
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1CFEF10E-5A33-4C22-9CF8-BD90D866A445} - C:\WINDOWS\SYSTEM\BEKG.DLL
O2 - BHO: (no name) - {881DEEBA-B562-4C9F-B249-9A42B4F9B7B8} - C:\WINDOWS\SYSTEM\BEKG.DLL
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL
O2 - BHO: (no name) - {D9A063F7-354F-4794-BDD3-EE05987B5148} - C:\WINDOWS\SYSTEM\BEKG.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [winltmpv] c:\windows\nvsvwc.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Filter: text/html - {89B684E7-5766-4F50-B795-EC1601919EFF} - C:\WINDOWS\SYSTEM\BEKG.DLL
O18 - Filter: text/plain - {89B684E7-5766-4F50-B795-EC1601919EFF} - C:\WINDOWS\SYSTEM\BEKG.DLL
O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - (no file)

6. Find and delete:

C:\SE.DLL
C:\WINDOWS\SYSTEM\BEKG.DLL
C:\WINDOWS\SYSTEM\MTC.DLL
C:\WINDOWS\SYSTEM\WER8274.DLL
C:\WINDOWS\System\spoolsrv32.exe
c:\windows\nvsvwc.exe
C:\WINDOWS\web\related.htm

7. Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.

8. Now run the FxAgentB tool you downloaded earlier.

9. Finally, run CleanUp - let it clean your computer of temp files. Decline when it asks you to log off.

10. Now reboot, and run hijackthis again and post a fresh log along with the about buster log.
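
An added example, not part of the original thread and not code from HijackThis or the forum: a small parser for the entry lines of a HijackThis log that groups entries by the file they reference, so that one DLL registered through several load points (here BEKG.DLL as both an O2 Browser Helper Object and an O18 filter) stands out. The sample is an excerpt of the second log posted above; the function names and the extension list are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt of entry lines from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
O2 - BHO: (no name) - {1CFEF10E-5A33-4C22-9CF8-BD90D866A445} - C:\WINDOWS\SYSTEM\BEKG.DLL
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\SE.DLL,DllInstall
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [winltmpv] c:\windows\nvsvwc.exe
O18 - Filter: text/html - {89B684E7-5766-4F50-B795-EC1601919EFF} - C:\WINDOWS\SYSTEM\BEKG.DLL
O18 - Filter: text/plain - {89B684E7-5766-4F50-B795-EC1601919EFF} - C:\WINDOWS\SYSTEM\BEKG.DLL
O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - (no file)
"""

# Meaning of the section codes that occur in the excerpt.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart (Run key / Startup folder)",
    "O18": "protocol filter", "O21": "ShellServiceObjectDelayLoad",
}

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.+)$")
# Assumption of this example: a referenced file is a drive-letter path ending
# in one of these extensions; bare names such as "SysTray.Exe" are not resolved.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"=\r\n]*?\.(?:dll|exe|ocx|htm)\b', re.IGNORECASE)


def parse_entries(text):
    """Return (code, body, path) per entry line; path is upper-cased or None."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # log header, process list or blank line
        code, body = m.groups()
        found = PATH_RE.search(body)
        entries.append((code, body, found.group(0).upper() if found else None))
    return entries


def references_by_file(text):
    """Map each referenced file to the sorted section codes that point at it."""
    groups = defaultdict(set)
    for code, _body, path in parse_entries(text):
        if path:
            groups[path].add(code)
    return {p: sorted(c, key=lambda s: (s[0], int(s[1:]))) for p, c in groups.items()}


def multi_point_files(text):
    """Files referenced from more than one section of the log."""
    return sorted(p for p, codes in references_by_file(text).items() if len(codes) > 1)


def entries_without_file(text):
    """Entries with no resolvable path, e.g. '(no file)' or a bare file name."""
    return [(c, b) for c, b, p in parse_entries(text) if p is None]


if __name__ == "__main__":
    for path, codes in references_by_file(SAMPLE_LOG).items():
        print(path, "<-", ", ".join(f"{c} ({SECTIONS.get(c, '?')})" for c in codes))
    print("multiple load points:", multi_point_files(SAMPLE_LOG))
```
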

Posted: Thu 14 Apr, 2005 11:48 am
MRU Emeritus
Joined: Thu 16 Dec, 2004 3:04 pm
Posts: 17763
Location: Southend, Essex, UK
Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
