Tech Support Forum - View Single Post - Help with C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL

greyknight17 · 03-20-2005, 07:49 PM

No problem, we'll get rid of that now. We usually give a prevention speech at the end when the user is clean. I will provide that now (See the last paragraph). That should help prevent this from happening again (not 100%, but definitely much better than having no protection). Yes, get a firewall. It's a must these day. We recommend ZoneAlarm which is free:

You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Please download a free one at ZoneAlarm.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Don't run it yet.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

ebates

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\PYNIX.DLL
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O8 - Extra context menu item: Ebates - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.ht m
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.ht m (HKCU)

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\PYNIX.DLL
C:\WINDOWS\wupdt.exe
C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\
c:\windows\sasetup.dll

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided.

03-20-2005, 07:49 PM	#8 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	No problem, we'll get rid of that now. We usually give a prevention speech at the end when the user is clean. I will provide that now (See the last paragraph). That should help prevent this from happening again (not 100%, but definitely much better than having no protection). Yes, get a firewall. It's a must these day. We recommend ZoneAlarm which is free: You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Please download a free one at ZoneAlarm. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Don't run it yet. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: ebates Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\PYNIX.DLL O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe O8 - Extra context menu item: Ebates - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.ht m O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.ht m (HKCU) Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot): C:\WINDOWS\PYNIX.DLL C:\WINDOWS\wupdt.exe C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\ c:\windows\sasetup.dll Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools