Tech Support Forum - View Single Post

tetonbob · 08-07-2006, 09:40 AM

I still need the results from the jotti scan, please. I see I forgot to ask for it in the last post. Instructions in Post #5.

---------------------------------------------------------------------------------------------

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe
O4 - HKCU\..\Run: [1c9533f4.exe] C:\Documents and Settings\Paul\Local Settings\Application Data\1c9533f4.exe
O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\2240_28.dll (file missing)
O21 - SSODL: FvCbll - {0F1A1BF6-A5B0-B15C-1FC6-DBCC512310CD} - C:\WINDOWS\system32\elis.dll (file missing)
O21 - SSODL: hksrv.dll - {9B4B67AA-F230-4602-8344-66104AFB4A25} - hksrv.dll (file missing)

---------------------------------------------------------------------------------------------

Download Pocket Killbox and unzip the exe file to your desktop.

Launch KillBox.exe & select the following options:

delete on Reboot

All files (if available)

Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy

C:\WINDOWS\uni_ehhh.exe
C:\WINDOWS\system32\mswmmqce.dll
C:\WINDOWS\system32\rsmpmcis.dll
C:\WINDOWS\system32\shmecmse.dll
C:\WINDOWS\system32\ciaddavc.dll
C:\WINDOWS\system32\mljgg.dll
C:\Documents and Settings\Paul\Local Settings\Application Data\1c9533f4.exe
C:\WINDOWS\system32\clcbt.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

---------------------------------------------------------------------------------------------

Once the machine has rebooted, please do this:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

---------------------------------------------------------------------------------------------

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are two very good free Antivirus products which are available:

Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

---------------------------------------------------

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

---------------------------------------------------------------------------------------------

Also post a new HijackThis log.

So I need results from:

Jotti scan
DrWeb
SmitfraudFix
HijackThis

08-07-2006, 09:40 AM	#7 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,208 OS: 2000 Pro; XP Pro; XP Home	I still need the results from the jotti scan, please. I see I forgot to ask for it in the last post. Instructions in Post #5. --------------------------------------------------------------------------------------------- CLEAR & RESET SYSTEM RESTORE'S CACHE Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter * Tick on the checkbox - Turn off System Restore on all drives * Click Apply Turn it back 'On' by unticking the same checkbox & click Apply, and then OK --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe O4 - HKCU\..\Run: [1c9533f4.exe] C:\Documents and Settings\Paul\Local Settings\Application Data\1c9533f4.exe O20 - AppInit_DLLs: shmecmse.dll ciaddavc.dll O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - C:\WINDOWS\system32\2240_28.dll (file missing) O21 - SSODL: FvCbll - {0F1A1BF6-A5B0-B15C-1FC6-DBCC512310CD} - C:\WINDOWS\system32\elis.dll (file missing) O21 - SSODL: hksrv.dll - {9B4B67AA-F230-4602-8344-66104AFB4A25} - hksrv.dll (file missing) --------------------------------------------------------------------------------------------- Download Pocket Killbox and unzip the exe file to your desktop. Launch KillBox.exe & select the following options: delete on Reboot All files (if available) Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy C:\WINDOWS\uni_ehhh.exe C:\WINDOWS\system32\mswmmqce.dll C:\WINDOWS\system32\rsmpmcis.dll C:\WINDOWS\system32\shmecmse.dll C:\WINDOWS\system32\ciaddavc.dll C:\WINDOWS\system32\mljgg.dll C:\Documents and Settings\Paul\Local Settings\Application Data\1c9533f4.exe C:\WINDOWS\system32\clcbt.exe * Go to the File menu, and choose Paste from Clipboard * Click the RED X button. * Click Yes at the Delete on Reboot prompt. * Click Yes at the 'Pending Operations prompt'. --------------------------------------------------------------------------------------------- Once the machine has rebooted, please do this: * Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Doubleclick the drweb-cureit.exe file and Allow to run the express scan This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, look if you can click next icon next to the files found: If so, click it and then click the next icon right below and select Move incurable as you'll see in next image: This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples) After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit. Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. --------------------------------------------------------------------------------------------- I see no evidence of an AntiVirus program on your system. This must be resolved. Here are two very good free Antivirus products which are available: Avast! AVG Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan. --------------------------------------------------- Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press "Enter" and a text file will appear which lists infected files (if present). Please copy/paste the content of that report into your next reply. IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so! --------------------------------------------------------------------------------------------- Also post a new HijackThis log. So I need results from: Jotti scan DrWeb SmitfraudFix HijackThis __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009