#1
Registered User
Join Date: Mar 2005
Location: Hawaii (now in Oklahoma)
Posts: 111
OS: windows 2000
It happened again!
I am so sorry to bother ya all again, but the same thing that happened to me about a week or two ago that ya all helped me with happened again!
Adaware found some things on my computer. When I went to delete them, there were two files that it couldn't delete, and said that they would be deleted after I restarted, so I restarted. When I restarted, my Yahoo messenger wouldn't start, kept saying error, and generated an error log. I had to uninstall it. Also Windows update page is blank again. Now I know that I could just follow the directions from the last time this happened and fix my problems, but I would like to know how these problems began, so that it wouldn't happen again.

Here's the log of what was quarantined on Adaware right before problems began (hope you don't mind me posting it):

ArchiveData(auto-quarantine- 2005-05-19 00-05-51.bckp)
Referencefile : SE1R46 17.05.2005
======================================================
BEGIN2SEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : interface\{018c5406-aee6-4a68-980f-2ceb1e9416fb}
obj[1]=RegValue : interface\{018c5406-aee6-4a68-980f-2ceb1e9416fb} ""
obj[2]=Regkey : interface\{0a7fc040-f84a-4ad7-9439-798b6c0f861e}
obj[3]=RegValue : interface\{0a7fc040-f84a-4ad7-9439-798b6c0f861e} ""
obj[4]=Regkey : interface\{32a9d21f-f510-44dc-9ea6-0456eda04668}
obj[5]=RegValue : interface\{32a9d21f-f510-44dc-9ea6-0456eda04668} ""
obj[6]=Regkey : interface\{4562b6f3-daf8-464e-87b7-5464575f0d6a}
obj[7]=RegValue : interface\{4562b6f3-daf8-464e-87b7-5464575f0d6a} ""
obj[8]=Regkey : interface\{c93cc79d-02d5-45b0-be39-7f5b0e5dda31}
obj[9]=RegValue : interface\{c93cc79d-02d5-45b0-be39-7f5b0e5dda31} ""
obj[10]=Regkey : interface\{da4b919f-b757-4e32-8d79-dec5c2704c4b}
obj[11]=RegValue : interface\{da4b919f-b757-4e32-8d79-dec5c2704c4b} ""
obj[12]=Regkey : software\microsoft\downloadmanager
obj[13]=File : C:\WINNT\system32\msxml3.dll
obj[14]=File : C:\WINNT\system32\msxml3r.dll

and here's my hjt log (in case you wanted to see that):

Logfile of HijackThis v1.99.1
Scan saved at 12:57:41 AM, on 5/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1...datePortal.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

I'm sorry for troubling ya all again, but thanks for the help!
#2
Analyst, Security Team
That's ok, we're here to help. So what problems are you having now? I will provide the fix below, see if it fixes the problem.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Download the attachment (see the bottom of this post) and unzip that delete.reg file. Double click on it and choose Yes to merge it. You may delete the file afterwards.

Delete these files if found:
c:\windows\system32\reg6523.exe
c:\windows\system32\winb2s32.dll
c:\windows\system32\winbbb.dat
c:\windows\system32\dsktrf.dll
c:\windows\system32\trgen<number>.dll
c:\windows\system32\cache32_trgen
c:\windows\system32\b2s_cache
c:\windows\system32\cache32_dsktptr
c:\windows\system32\rtneg<number>.dll
c:\windows\Downloaded Program Files\winb2s32.inf

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Restart.

Any problems now?
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
Last edited by greyknight17; 05-19-2005 at 10:20 AM.
#3
Registered User
Join Date: Mar 2005
Location: Hawaii (now in Oklahoma)
Posts: 111
OS: windows 2000
ok greyknight, I did everything you said, but when I tried to search for those files you said to look for and delete, it kept saying that c:\windows\ is not a valid file. Also Windows update page is still blank. I also usually type notebook in the run area to bring it up and it says that it cannot find the file notebook (or one of its components). Make sure the path and file name are correct and that all required libraries are available. Where did notebook go?

Why did these problems happen again? The same exact thing happened with my last problem. I ran CWShredder, Spybot and both of those found nothing. When I ran AdAware (after updating it), it found the problems I posted earlier on this thread, and now Yahoo won't install correctly, Windows update page is blank, and now a new problem, no notebook. By the way notebook was missing before I did the regedit thing you said to do. I do have SpywareBlaster and SpywareGuard (which I keep up to date), I also have ZoneAlarm, and still that begin2search thing was found on AdAware. I tried using Mozilla in the past, but Windows kept shutting it down. My computer runs just fine, no popups and it's not running slow. Homepage is also fine. Please help me.....
Last edited by sailorvenus; 05-19-2005 at 11:16 AM.
#4
Analyst, Security Team
So Begin2Search is still found? OK, where is it found in Ad-aware? Just give me the location of the found entries (copy and paste only those entries, I don't want the whole Ad-aware log).

notebook? Do you mean notepad? Try notepad and see if it works.

Go to c:\winnt\system32\drivers\etc and open up the hosts file (no extensions) up in Notepad. There should be a bunch of lines with a # in front of them followed by a single line like:

127.0.0.1 localhost

If you have anything after that, please post them here.

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs.com.au/index.php?page=download. Learn how to use it at http://tds.diamondcs.com.au/index.php?page=easytouse. Make sure to update it after you have installed it. You can get the manual updates at http://tds.diamondcs.com.au/index.php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.
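The hosts-file check greyknight17 describes above, written out as an added Python example (not code from the thread): comment lines are skipped, 127.0.0.1 localhost is the one expected entry, and every other active mapping is reported, with mappings that point a name back at the local machine (which silently makes that site unreachable) told apart from redirects to another address. The path is the Windows 2000 one named in the post; both sample hosts files are constructed here.

```python
"""Hosts-file audit matching the check described in the thread: comment
lines are ignored, the only expected mapping is 127.0.0.1 -> localhost,
and every other active mapping is reported for review."""
from typing import List, Tuple

# Windows 2000 location given in the thread.
HOSTS_PATH = r"c:\winnt\system32\drivers\etc\hosts"
EXPECTED = {("127.0.0.1", "localhost")}

Entry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return every active mapping; '#' starts a comment, blanks are skipped,
    and one address followed by several names yields one entry per name."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        for name in fields[1:]:
            entries.append((lineno, fields[0], name.lower()))
    return entries


def verdict(addr: str) -> str:
    """Loopback or unspecified addresses make the site unreachable (the
    pattern that blanks update or vendor pages); anything else sends the
    name somewhere the user did not choose."""
    if addr.startswith("127.") or addr == "0.0.0.0":
        return "blocked: resolves to this machine"
    return "redirected to " + addr


def audit(text: str) -> List[Tuple[int, str, str]]:
    """(line number, hostname, verdict) for every mapping not in EXPECTED."""
    return [(ln, name, verdict(addr))
            for ln, addr, name in parse_hosts(text)
            if (addr, name) not in EXPECTED]


# Constructed samples: the default layout, then one with extra entries.
CLEAN_HOSTS = "# comment block as shipped with Windows\n#\n127.0.0.1       localhost\n"
SUSPECT_HOSTS = CLEAN_HOSTS + (
    "127.0.0.1  windowsupdate.microsoft.com  # constructed hijack entry\n"
    "192.0.2.10 www.cox.net   # constructed: redirect to a foreign address\n"
)

if __name__ == "__main__":
    try:
        findings = audit(open(HOSTS_PATH, encoding="ascii", errors="ignore").read())
    except OSError:
        findings = audit(SUSPECT_HOSTS)  # no hosts file here; use the sample
    for ln, name, why in findings:
        print(f"line {ln}: {name} -> {why}")
```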
#5
Registered User
Join Date: Mar 2005
Location: Hawaii (now in Oklahoma)
Posts: 111
OS: windows 2000
ok, I feel like a dummy..notepad is there, don't know why I was thinking notebook...lol

ok, Adaware no longer finds anything now. What I was saying was that when I deleted the files that were infected with begin2search, my problems began. I posted the areas that were infected with it when I began this thread, but here it is again:

ArchiveData(auto-quarantine- 2005-05-19 00-05-51.bckp)
Referencefile : SE1R46 17.05.2005
======================================================
BEGIN2SEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : interface\{018c5406-aee6-4a68-980f-2ceb1e9416fb}
obj[1]=RegValue : interface\{018c5406-aee6-4a68-980f-2ceb1e9416fb} ""
obj[2]=Regkey : interface\{0a7fc040-f84a-4ad7-9439-798b6c0f861e}
obj[3]=RegValue : interface\{0a7fc040-f84a-4ad7-9439-798b6c0f861e} ""
obj[4]=Regkey : interface\{32a9d21f-f510-44dc-9ea6-0456eda04668}
obj[5]=RegValue : interface\{32a9d21f-f510-44dc-9ea6-0456eda04668} ""
obj[6]=Regkey : interface\{4562b6f3-daf8-464e-87b7-5464575f0d6a}
obj[7]=RegValue : interface\{4562b6f3-daf8-464e-87b7-5464575f0d6a} ""
obj[8]=Regkey : interface\{c93cc79d-02d5-45b0-be39-7f5b0e5dda31}
obj[9]=RegValue : interface\{c93cc79d-02d5-45b0-be39-7f5b0e5dda31} ""
obj[10]=Regkey : interface\{da4b919f-b757-4e32-8d79-dec5c2704c4b}
obj[11]=RegValue : interface\{da4b919f-b757-4e32-8d79-dec5c2704c4b} ""
obj[12]=Regkey : software\microsoft\downloadmanager
obj[13]=File : C:\WINNT\system32\msxml3.dll
obj[14]=File : C:\WINNT\system32\msxml3r.dll

Was there something that got infected and then deleted that wasn't supposed to? When I opened up the hosts file in notepad, nothing came up...is that a problem?

Here's what came up on TDS:

File Trace: Default Trojan filename Suspicious c:\winnt\regedit.com

(had trouble copying, and couldn't find scandump.txt so I just typed in the alarm that was found) That kept coming up the last time I needed help, and when I ran it at Kaspersky, it came back clean. Was told that since it was suspicious that nothing was wrong, by someone on here, can't remember who. Mahalo...
Last edited by sailorvenus; 05-19-2005 at 12:34 PM.
#6
Analyst, Security Team
Go to this site and upload this file c:\winnt\regedit.com there. Click Submit button. What does it report back?
Now to the report you posted, what program is reporting this? Ad-aware? They should have been deleted when I asked you to run that delete.reg file earlier. Do you still have signs of it being detected now?
#7
Registered User
Join Date: Mar 2005
Location: Hawaii (now in Oklahoma)
Posts: 111
OS: windows 2000
I uploaded the file, and it found nothing, system is ok. Adaware reported that report I posted before I did the delete.reg thing. I was just wondering if any of those files that got deleted is what caused my Yahoo messenger to have errors installing, uninstalling, and trying to run it. Also, Windows update page comes up blank.

When installing, or uninstalling Yahoo messenger this error comes up: YMSGR-~1.exe has generated errors, and will be close by windows. When trying to run ym this comes up: YPAGER.exe has generated erros...

Last time I fixed the ym problems by just going to Yahoo help, but now that won't fix the problem. These things happened to me about 2 wks ago, the exact same problem. I had no idea I was infected with anything, just doing a scan to be safe, and those were there. No, Adaware is not reporting anything now.
Last edited by sailorvenus; 05-20-2005 at 08:06 AM.
#8
Analyst, Security Team
So you can't uninstall or reinstall Yahoo? See if you can find the folder for it in Program Files and then delete that whole folder. Restart and try reinstalling.

For the Windows Update problem, it can be due to various reasons. Put the windows update site in your trusted zone/sites to see if that helps. If not, try asking this question in the windows forum.

So anything spyware related found now? If not: Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go. For your other questions ask in Windows and Software (for Yahoo) forums if they are not resolved.