
From Cumberland Mike & Dialing DSL - HJT

This is a discussion on From Cumberland Mike & Dialing DSL - HJT within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.


 
 
Old 05-03-2005, 03:03 AM   #1
Registered Member
 
Cumberland Mike
 
Join Date: May 2005
Location: Rhode Island, USA
Posts: 44
OS: WinXP



Hi all,

To continue the thread started in a different forum: http://techsupportforum.com/showthread.php?t=51558

One more piece of info to add ... I have a firewall in my Belkin wireless router. All the computers are inside it, none set for outside (the DMZ).

HJT log follows
==================================
==================================

StartupList report, 5/3/2005, 5:50:57 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Windows\Desktop\Mike\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Windows\Desktop\Mike\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

PRONoMgrWired = C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Ink Monitor = C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
SoundMan = SOUNDMAN.EXE
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
NVCLOCK = rundll32 nvclock.dll,fnNvclock
nod32kui = "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/downlo...22/wmv9VCM.CAB

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.co...?1098219805359

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
AMON: \??\C:\WINDOWS\System32\drivers\amon.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Kodak DCFS2K Driver: system32\drivers\dcfs2k.sys (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Hardware Clock Driver: C:\WINDOWS\System32\hwclock.exe (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NOD32 Kernel Service: C:\Program Files\Eset\nod32krn.exe (autostart)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,900 bytes
Report generated in 0.219 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

===========================================
===========================================
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all for the help!

Mike

Old 05-03-2005, 12:38 PM   #2
Manager, The Conversation Pit/Analyst, Security Team
 
bry623
 
Join Date: Apr 2002
Location: NW Territory circa 1787
Posts: 14,432
OS: window7pro sp1 64bit


Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Please download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it here. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Finally back!
Old 05-04-2005, 04:09 AM   #3
Registered Member
 
Cumberland Mike
 
Join Date: May 2005
Location: Rhode Island, USA
Posts: 44
OS: WinXP



Hi,

OK I updated and ran CWShredder, didn't get any hits there.

Downloaded, updated and ran Spybot S&D ... couldn't finish a scan there. Keeps locking up in random spots. However in one of its partial scans it did find a tracking cookie that was successfully removed.

Ran Ad-Aware, got about a half-dozen hits on tracking cookies and one data miner. Ran the VX2 tool with no hits.

Ran HJT and the analyzer. Posted that as requested.

Thanks so much!

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Eset\nod32kui.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Eset\nod32krn.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.98.2
Scan saved at 9:15:44 PM, on 5/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Windows\Desktop\Mike\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098219805359
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab


End of KRC HijackThis Analyzer Log.
====================================================================
Old 05-04-2005, 05:33 AM   #4
Manager, The Conversation Pit/Analyst, Security Team
 
bry623
 
Join Date: Apr 2002
Location: NW Territory circa 1787
Posts: 14,432
OS: window7pro sp1 64bit


Your log is clean

Turn off System Restore by right clicking on My Computer and going to Properties->System Restore and checking the box for Turn off System Restore. Click Apply and then OK. Restart your computer. Turn it back on to create a new restore point by repeating the process.


To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools/programs provide
Finally back!
Old 05-04-2005, 03:50 PM   #5
Registered Member
 
Cumberland Mike
 
Join Date: May 2005
Location: Rhode Island, USA
Posts: 44
OS: WinXP



The disconnection problem is still happening.

Is there something I can run that lists everything going on, and will list whatever piece of software is trying to dial somehow?

Maybe I just gotta bite the bullet and re-install XP.

Any suggestions will be helpful.


Mike
Old 05-04-2005, 10:20 PM   #6
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,386
OS: WinXP Home, Vista, Windows 7 64bit


Hello Cumberland Mike,

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs.com.au/index.php?page=download. Learn how to use it at http://tds.diamondcs.com.au/index.php?page=easytouse. Make sure to update it after you have installed it. You can get the manual updates at http://tds.diamondcs.com.au/index.php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 05-07-2005, 08:28 AM   #7
Registered Member
 
Cumberland Mike
 
Join Date: May 2005
Location: Rhode Island, USA
Posts: 44
OS: WinXP



Hi,

I downloaded, installed, updated & ran TDS as requested. I could not scan my D drive though ... every time I tried it would run for a few minutes and then completely shut down my computer. I set TDS to scan everything except D:. Top-of-screen results are:
======================================
======================================

10:15:42 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
10:15:42 [Init] Started 07-05-05 10:15:42 Eastern Standard Time (UTC: 5), Internet Time @635.90
10:15:42 [Init] Loading TDS-3 Systems ...
10:15:42 [Init] • Priority : OK.
10:15:42 [Init] Token successfully adjusted.
10:15:42 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
10:15:42 [Init] • Plugins : OK. Loaded 13
10:15:42 [Init] • Exec Protection : Not Installed
10:15:42 [Init] WARNING: Your Radius.TD3 database needs to be updated!
10:15:42 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
10:15:42 [Init] Licensed users can use the Update facility from the TDS menu
10:15:42 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:15:47 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
10:15:47 [Init] • Systems Initialised [54077 references - 27887 primaries/13961 traces/12229 variants/other]
10:15:47 [Init] Radius Systems loaded. <Databases updated 05-05-2005>
10:15:47 [Init] TDS-3 Ready. <Windows@192.168.2.3, 127.0.0.1 - United States>
10:15:47 [Tip Of The Day] If you're suspicious about a certain file, use the String Extractor (from the Utilities menu). This will run through the file and strip out ANSI strings of 5 characters or more in length, enabling you in some cases to get a better 'view' of the file.
10:15:47 [TDS] Good morning Windows.
10:15:50 [Mutex Memory Scan] Started...
10:15:51 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:15:51 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
10:31:44 [File Scan] Scanning in C:\ ...
11:05:46 [File Scan] Scanned 43453 files: 6 alarms in 2042.406 seconds (Avg 22.28 files/sec)
11:07:57 [Memory Scan] Memory scan started, please wait a moment ...
11:07:59 [Memory Scan] Memory scan complete.
11:07:59 [Mutex Memory Scan] Started...
11:08:01 [Mutex Memory Scan] Finished (no trojan mutexes found).
11:08:01 [Trace Scan] Started...
11:08:22 [Trace Scan] Finished.
11:08:22 [ServiceScan] Scanning for services and drivers ...
11:08:24 [CRC32] Started - verifying 29 files ...
11:08:24 [CRC32] File doesn't exist: C:\autoexec.bat
11:08:26 [CRC32] Test finished.
11:08:31 [ServiceScan] Scanned 305 services and drivers.
11:08:31 [Scan] Finished.

===========================================
===========================================

Scandump of bottom of screen:


Scan Control Dumped @ 11:26:43 07-05-05
Suspicious Filename: Dual extensions
File: c:\documents and settings\windows\desktop\mike\bittorrent-4.0.1.exe

Positive identification (DLL): Adware.MiniBug (dll)
File: c:\program files\aws\weatherbug\minibugtransporter.dll

Positive identification: Riskware.ProcessRestart
File: c:\program files\kodak\kodak software updater\7288971\6.3.2.62-7288971l\program\restart.exe

Positive identification: Riskware.ProcessRestart
File: c:\program files\logitech\desktop messenger\8876480\6.1.4.36-8876480l\program\restart.exe

Positive identification: RAT.Small.eo
File: c:\windows\system32\hwclock.0xe

Positive identification (DLL): Adware.WildTangent.b (dll)
File: c:\windows\wt\wtvh.dll

===========================================
============================================

I didn't do or change anything pending your advice.

Thanks again!

Mike
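As an added example (not code from this thread, nor from HijackThis, StartupList or TDS-3), here is a small Python triage script over the two logs posted so far: it parses the services section of the StartupList report in post #1 and the TDS-3 scandump above, separates positive (signature) identifications from filename heuristics, shows what the dual-extension heuristic keys on, and cross-references each flagged file against autostart services whose image shares its directory and base name. The excerpts embedded in it are copied from the thread; the system-root expansion to C:\WINDOWS and the list of document extensions used by the disguise check are assumptions of the example, not TDS-3's own rules.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt: a few lines of the "Enumerating Windows NT/2000/XP services"
# section of the StartupList report in post #1, copied verbatim.
STARTUPLIST_SERVICES = r"""
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
AMON: \??\C:\WINDOWS\System32\drivers\amon.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
Hardware Clock Driver: C:\WINDOWS\System32\hwclock.exe (autostart)
NOD32 Kernel Service: C:\Program Files\Eset\nod32krn.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
"""

# Constructed excerpt of the TDS-3 scandump posted in post #7.
TDS_SCANDUMP = r"""
Scan Control Dumped @ 11:26:43 07-05-05
Suspicious Filename: Dual extensions
File: c:\documents and settings\windows\desktop\mike\bittorrent-4.0.1.exe

Positive identification (DLL): Adware.MiniBug (dll)
File: c:\program files\aws\weatherbug\minibugtransporter.dll

Positive identification: Riskware.ProcessRestart
File: c:\program files\kodak\kodak software updater\7288971\6.3.2.62-7288971l\program\restart.exe

Positive identification: RAT.Small.eo
File: c:\windows\system32\hwclock.0xe
"""

SERVICE_RE = re.compile(r"^(?P<name>.+?): (?P<cmd>.+) \((?P<start>\w+)\)$")
IMAGE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|sys|dll))(?=\s|$)", re.IGNORECASE)
FINDING_RE = re.compile(
    r"^(?P<kind>Suspicious Filename|Positive identification(?: \(DLL\))?): (?P<name>.+)$")

# Assumption: the report never states the system root, but every expanded
# path in post #1 starts with C:\WINDOWS.
SYSTEM_ROOT = "c:\\windows"


def normalize_path(raw):
    """Lower-case a Windows path and expand the spellings of the system root
    seen in service entries (%SystemRoot%, \\SystemRoot, and the \\??\\ prefix)."""
    p = raw.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    low = p.lower()
    for prefix in ("%systemroot%", "\\systemroot"):
        if low.startswith(prefix):
            low = SYSTEM_ROOT + low[len(prefix):]
    return low


def parse_services(report):
    """Return [(service name, normalized image path, start type)]; the image is
    the first .exe/.sys/.dll in the command, else its first token."""
    services = []
    for line in report.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        img = IMAGE_RE.match(cmd)
        image = img.group("path") if img else cmd.split()[0]
        services.append((m.group("name"), normalize_path(image), m.group("start")))
    return services


def parse_findings(scandump):
    """Return [(confidence, detection name, normalized file path)]. A positive
    identification is a 'signature' hit; a filename rule is a 'heuristic'."""
    findings, kind, name = [], None, None
    for line in scandump.splitlines():
        line = line.strip()
        m = FINDING_RE.match(line)
        if m:
            kind, name = m.group("kind"), m.group("name")
        elif line.lower().startswith("file:") and kind:
            conf = "signature" if kind.startswith("Positive") else "heuristic"
            findings.append((conf, name, normalize_path(line[5:])))
            kind, name = None, None
    return findings


def dual_extension_detail(path):
    """Show what a dual-extension heuristic keys on: the inner 'extensions' of
    the name, and whether any is a document type that could disguise an
    executable (constructed list; TDS-3's own rule is not published here)."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    inner = suffixes[:-1]
    disguise_types = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".zip"}
    return {"inner_extensions": inner,
            "looks_like_disguise": any(s in disguise_types for s in inner)}


def cross_reference(findings, services):
    """Map each flagged file to autostart services whose image shares its
    directory and base name (hwclock.0xe beside the hwclock.exe service)."""
    by_key = {}
    for name, image, _start in services:
        p = PureWindowsPath(image)
        by_key.setdefault((str(p.parent), p.stem), []).append(name)
    return {path: by_key.get((str(PureWindowsPath(path).parent),
                              PureWindowsPath(path).stem), [])
            for _conf, _det, path in findings}


def triage(scandump=TDS_SCANDUMP, report=STARTUPLIST_SERVICES):
    """One row per TDS-3 finding with its confidence and related autostarts."""
    services = parse_services(report)
    findings = parse_findings(scandump)
    xref = cross_reference(findings, services)
    rows = []
    for conf, det, path in findings:
        row = {"confidence": conf, "detection": det, "file": path,
               "autostart_services": xref[path]}
        if det == "Dual extensions":
            row["detail"] = dual_extension_detail(path)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in triage():
        print(row)
```

Run as a script it prints one row per finding. On the excerpt the only cross-reference is hwclock.0xe against the "Hardware Clock Driver" service, whose image hwclock.exe sits in the same directory: that pairing of a flagged file with an autostart entry of the same name is what a helper would want to look at together, rather than judging either on its own. The bittorrent-4.0.1.exe hit resolves to inner "extensions" .0 and .1 from a version string, so the heuristic fired on a naming convention, not on a document-type disguise.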
Old 05-07-2005, 09:42 AM   #8
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,386
OS: WinXP Home, Vista, Windows 7 64bit


OK Mike, a couple of things I'd like you to do:

Please print this out or copy it to Notepad.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

I'd like to try another scanner if you don't mind.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the lower pane. Use CTRL+C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

Reboot into Safe Mode.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

c:\windows\system32\hwclock.0xe

Now, delete that file using Windows Explorer:

c:\windows\system32\hwclock.0xe

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode.

Run the Mwav scan and post that log here.
Also, could you post a new HijackThis scan? Do not run it through the Analyzer.

Also, I didn't see Weatherbug in your previous HJT logs:

WeatherBug - it's adware. If you didn't install this yourself, we'll address uninstalling it. If you did install it yourself, you may keep it and ignore the warnings in the TDS-3 or Mwav logs.
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 05-15-2005, 04:58 AM   #9
Registered Member
 
Cumberland Mike
 
Join Date: May 2005
Location: Rhode Island, USA
Posts: 44
OS: WinXP



<sigh> when it rains it pours....
I was running the scans above as recommended when my computer suddenly shut down ... hmmmm ... so I reboot and it won't start ... but it did after a few minutes!!! Then it shut down again during the re-scan ... at a different spot! So I pop the cover and sho'nuff the processor cooling fin block thing is all plugged with dust and it's hot as heck. So I let it cool - it was too hot to touch - and take off the fan and remove the chip and get it cleaned off ... reinstall it and the computer won't re-boot ... pop off the chip to find I bent a couple of pins .... CRAP ... so I won't be continuing this thread for a little while.

Thanks to all who help - I think we were making great progress and I was learning a lot!

I'll be back!!!

Mike

 

Copyright 2001 - 2014, Tech Support Forum