Old 07-17-2005, 11:24 AM   #1 (permalink)
mamadawn

Adw.searchaid.a

I've been reading through all of your threads and decided to become a member.

I read the article from NormRoy in regards to this issue but am wondering if the Adw.searchaid.a virus is downloaded in different ways and if I need to go off of my own HJT log to know what to delete.

Anyhow, trendmicro Internet Security 2005 detects this virus and cannot delete it. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:02:41 PM, on 7/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ntmo32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINNT\system32\addxy.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZSTC01.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZENG01.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zmazn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zmazn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\zmazn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zmazn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zmazn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zmazn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zmazn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4904CA21-9A82-38EC-77E4-62010DBF7279} - C:\WINNT\system32\msaq32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C0A00B79-7786-A229-00BB-5DE13F454EB8} - C:\WINNT\system32\addcp32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSC_UserPrompt] - C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [appox.exe] C:\WINNT\system32\appox.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [addxy.exe] C:\WINNT\system32\addxy.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F9BD96E-596B-404B-B2E3-6E3BE44F5CEA}: NameServer = 167.142.225.3 167.142.225.5
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\ntmo32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Any help is greatly appreciated!!
Thanks a bunch!

Old 07-17-2005, 01:46 PM   #2 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy

Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp! - Install

Ewido Security Suite - Install & Update its database but do not run it yet.

KillBox v2.0.0.175

HomeSearchFix

About Buster - Unzip to a new folder. Update About Buster & exit the program once that is completed.

CWShredder - Save it to Desktop.
  • Open CWShredder and click - I AGREE
  • Click - Check For Update
  • Close CWShredder after updating

Unplug your computer from the Internet when you have finished downloading


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO SAFE MODE
  1. Restart the computer. The computer begins processing a set of instructions known as BIOS.
  2. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
  3. Continue to do so until the 'Windows Advanced Options' menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Click Start>Run - type services.msc.
Locate the Network Security Service (NSS) service and double-click on it to open the Properties dialog.
Click the Stop button.
In the Startup type dropdown select Disabled.
Click the Apply button and then the Ok button.

Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in 11Fßä#·ºÄÖ`I & click the OK button.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zmazn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zmazn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\zmazn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zmazn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zmazn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zmazn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\zmazn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {4904CA21-9A82-38EC-77E4-62010DBF7279} - C:\WINNT\system32\msaq32.dll
O2 - BHO: Class - {C0A00B79-7786-A229-00BB-5DE13F454EB8} - C:\WINNT\system32\addcp32.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [appox.exe] C:\WINNT\system32\appox.exe
O4 - HKLM\..\Run: [addxy.exe] C:\WINNT\system32\addxy.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\ntmo32.exe



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run CWShredder & click on [Fix].

Run About Buster and click [Begin Removal].

Unzip HomeSearchFix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
  • C:\WINNT\zmazn.dll
    C:\WINNT\system32\msaq32.dll
    C:\WINNT\system32\addcp32.dll
    C:\WINNT\system32\appox.exe
    C:\WINNT\system32\addxy.exe
    C:\WINNT\ntmo32.exe
Select/Highlight all the filename(s) from the above.
Copy to clipboard by pressing [CTRL]+[C] on your keyboard.
Start KillBox.exe
  1. Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versions of Killbox
    Click the dropdown-arrow next to the "Full Path of File to Delete" field.
    Verify that the filenames you pasted are found in there.
  2. Select/tick the following:
    • Replace on Reboot
    • Use Dummy
    • End Explorer Shell While Killing File
    • Unregister .dll Before Deleting * if it's not grayed out
  3. Click the RED X button.
  4. Click Yes at the 'Delete on Reboot' prompt.
  5. Click Yes at the 'Pending Operations' prompt.

* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to manually restart Windows.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO SAFE MODE AGAIN

Run About Buster and click - Begin Removal. Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Cleanup! & configure the program as follows:
  1. Click Options...
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • [X]Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Ewido:
  1. Click Scanner
  2. Click Complete System Scan to begin scanning.
  3. Click OK when prompted to clean files
  4. With the first file it prompts to clean, select the option:
    1. "Perform action on all infections"
    2. Choose clean and click OK.
  5. Once finished, click the Save report button
  6. Save the report to your desktop
Close Ewido
* Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO NORMAL MODE

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. About Buster
  4. Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
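As an added illustration (not part of the original posts, and not the method sUBs or HijackThis used to pick the entries), the Python sketch below parses HijackThis lines like those in post #1 and marks entries that match four patterns visible in the fix list above. The rules, regexes and function names are assumptions made for this example, and they do not reproduce the whole fix list.

```python
import re

# Lines copied unmodified from the HijackThis log in post #1 (a subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\zmazn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4904CA21-9A82-38EC-77E4-62010DBF7279} - C:\WINNT\system32\msaq32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [appox.exe] C:\WINNT\system32\appox.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\ntmo32.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
"""

# "R1 - ...", "O23 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Full path that sits inside the Windows directory tree.
WINDIR_RE = re.compile(r"^[A-Za-z]:\\(?:WINNT|WINDOWS)\\", re.IGNORECASE)


def reasons_for(code, body):
    """Return the review reasons (possibly none) for one log entry."""
    reasons = []
    if code in ("R0", "R1"):
        # IE start/search settings: "<key>,<value name> = <data>"
        _, _, value = body.partition(" = ")
        if value.lower().startswith("res://"):
            reasons.append("IE setting points at a res:// resource in a local file")
    elif code == "O2":
        m = BHO_RE.match(body)
        if m:
            if m["name"].strip() in ("", "Class", "(no name)"):
                reasons.append("BHO has no descriptive name")
            if m["path"].endswith("(file missing)"):
                reasons.append("BHO registration is orphaned (file missing)")
    elif code == "O4":
        m = RUN_RE.match(body)
        if m and WINDIR_RE.match(m["cmd"].strip('"')):
            reasons.append("autorun binary lives in the Windows directory; verify it")
    elif code == "O23":
        # "Service: <display name> - <owner> - <path>"
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3 and parts[1].strip() == "Unknown owner":
            reasons.append("service binary has no identifiable vendor")
    return reasons


def triage(log_text):
    """Return [(code, body, reasons)] for entries that deserve manual review."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        reasons = reasons_for(m["code"], m["body"])
        if reasons:
            findings.append((m["code"], m["body"], reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}")
        for reason in reasons:
            print(f"    review: {reason}")
```

A match means "look at this entry by hand", not "delete it": legitimate software can trip any of these rules, which is why the thread has a trained helper confirm each line before anything is fixed.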
Old 07-17-2005, 04:30 PM   #3 (permalink)
mamadawn


First Attempt at Following Instructions

Thank you so much for answering!

Just a quick note that I am leaving town for a week on business and will do so after I fix this or get frustrated. So don't be mad if I can't answer again until next week.

I have downloaded, installed, and updated all the fix tools as instructed.
I unplugged the internet from my computer.
I restarted in safe mode.
I ran the services.msc and located the Network Security Service (NSS). When I opened it I got a pop up that said "A general internal error occured." With the only option being okay to get rid of the box. I pressed okay and got into the NSS. The stop button was greyed out. I selected the disable option but when I went to apply the changes I got that same pop up again..."A general internal error occured." I pressed okay once again and was able to press okay in the NSS screen. Then onto Hijack this. I stopped when I had to type in the code in the Delete an NT service pop up because once again I had forgotten to copy the code to paste it. This may be stupid, but I forgot how to type those weird letters and symbols.

So that's my troubles for now. Should I continue on with that message that keeps coming up and how do I type the weird numbers if I can't get them to paste?

Thanks again for everything!
Old 07-17-2005, 06:10 PM   #4 (permalink)
mamadawn


Yeah!!

Alright,

I think everything has been taken care of. That Ewido Security software is great. It started detecting everything as soon as I installed it. And it had no problems taking care of the infected files!

The only thing that I can tell right now is that my trendmicro isn't working properly. It won't update. It's not detecting the adw_searchaid.a anymore.

So the questions are... Is the Ewido Security conflicting with trendmicro? Should I uninstall Ewido now or is Ewido better than trend micro? The answer better be no because I just bought and installed trendmicro. But as far as I can tell it must be better because of the miracles it just performed.
Here are a couple of things that happened while using your instructions:

When typing in the "weird" letters in the pop up box in the NSS box a message came up saying "Service weird letters was not found in the registry. Make sure you entered the shortname service., vbExclamation."

Then, I only had 6 of the 15 paths you asked me to delete using the HiJack this program.

When running Cleanup! the "Delete Prefetch files" option was greyed out and unavailable to select.

So, including the part from my last thread regarding the NSS messages does any of this make any difference?

Here are my report logs. The only one I don't have is the "online scan" because I was unsure which scan you were referring to. There are 2 Ewido reports because I accidentally skipped cleaning 2 infected files and went back and cleaned them.


******************************************
Logfile of HijackThis v1.99.1
Scan saved at 6:50:08 PM, on 7/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F0B1D569-2C0E-BD75-282F-715116D9131A} - C:\WINNT\iezi32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSC_UserPrompt] - C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

************************************************

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:42:35 PM, 7/17/2005
+ Report-Checksum: C84E2254

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0E561666-F4B5-BA9C-AC2C-2188C8BABE0D} -> Spyware.CoolWebSearch : Ignored
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Ignored
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CD0FD544-5710-E7D8-7CDF-35F3B6A22A9A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F61C6A80-6232-DD79-A5DA-0C16D4A99041} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
C:\Program Files\backups\backup-20050717-175207-163.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\addfx32.exe -> Trojan.Agent.em : Cleaned with backup
C:\WINNT\apiug32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\appyd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\appzi.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\atlco32.exe -> Trojan.Agent.em : Cleaned with backup
C:\WINNT\atles32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\ciprs.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\crcc32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\crts.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\d3eh32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\d3xr.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\hobvh.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\iezi32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\ipvh.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\javajo32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\javaqt32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\netxr32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\ntmf32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\rinuj.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\syser.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32:nuaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINNT\system32\d3bw32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\ekves.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\system32\lrkto.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\system32\msos32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\netih32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\netwr.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\system32\ntpr.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\system32\oleadm.dll -> Trojan.Agent.eq : Cleaned with backup
C:\WINNT\system32\qamnx.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\system32\sdkim32.exe -> Trojan.Agent.em : Cleaned with backup
C:\WINNT\system32\sdkkw.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\sdkza.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\system32\windy32.exe -> Trojan.Agent.em : Cleaned with backup
C:\WINNT\system32\wzbge.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\uninstIU.exe -> Trojan.Agent.eo : Cleaned with backup
C:\WINNT\winbh32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\_delis32.ini:ahfszs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_delis32.ini:dcnmw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_delis32.ini:gkymao -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_delis32.ini:kffvey -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\_delis32.ini:wtnzju -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End

***************************************************

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:43:32 PM, 7/17/2005
+ Report-Checksum: 6F95EE00

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0E561666-F4B5-BA9C-AC2C-2188C8BABE0D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup


::Report End

**************************************************

AboutBuster 5.0 reference file 30
Scan started on [7/17/2005] at [5:54:10 PM]
------------------------------------------------
Removed Stream! C:\WINNT\Blue Lace 16.bmp:oqmczu
Removed Stream! C:\WINNT\dahotfix.log:rsqvvo
Removed Stream! C:\WINNT\folder.htt:vvmmem
Removed Stream! C:\WINNT\imsins.BAK:gopfbz
Removed Stream! C:\WINNT\KB329115.log:fnodiy
Removed Stream! C:\WINNT\KB823182.log:xohjcj
Removed Stream! C:\WINNT\KB839643.log:mswnnr
Removed Stream! C:\WINNT\KB840987.log:fthbqu
Removed Stream! C:\WINNT\KB841533.log:hrvgxk
Removed Stream! C:\WINNT\KB871250.log:asnmru
Removed Stream! C:\WINNT\KB885836.log:ahsad
Removed Stream! C:\WINNT\KB890175.log:nvenlh
Removed Stream! C:\WINNT\msmqprop.log:nyjoir
Removed Stream! C:\WINNT\OEWABLog.txt:wlttab
Removed Stream! C:\WINNT\win.ini:jjfiyc
Removed Stream! C:\WINNT\WMSysPr9.prx:mdibup
Removed Stream! C:\WINNT\_delis32.ini:emzmlp
Removed Stream! C:\WINNT\_delis32.ini:erjejm
Removed Stream! C:\WINNT\_delis32.ini:gilzxx
Removed Stream! C:\WINNT\_delis32.ini:igvmfi
Removed Stream! C:\WINNT\_delis32.ini:lskomh
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 5:54:12 PM


AboutBuster 5.0 reference file 30
Scan started on [7/17/2005] at [5:54:54 PM]
------------------------------------------------
Removed Stream! C:\WINNT\_delis32.ini:mlohrn
Removed Stream! C:\WINNT\_delis32.ini:oknyyl
Removed Stream! C:\WINNT\_delis32.ini:semqcn
Removed Stream! C:\WINNT\_delis32.ini:tpflnz
Removed Stream! C:\WINNT\_delis32.ini:xfsgsx
Removed Stream! C:\WINNT\_delis32.ini:yjeeri
Removed Stream! C:\WINNT\_delis32.ini:yvvmsl
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 5:54:55 PM


AboutBuster 5.0 reference file 30
Scan started on [7/17/2005] at [6:07:07 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:07:09 PM
*******************************************************

So, that's all I've got for now. I'm off on business and if I find a computer and internet, I'll check in to see what you've got to say!

Thanks again for all of your help and I definitely will donate!!

YOU'RE THE BEST!!
Old 07-17-2005, 09:58 PM   #5 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy


Ewido is most effective when coupled with an antivirus program. Please do not uninstall TrendMicro. It's a great product. We'll take a look at why TrendMicro is unable to update when we have you fully disinfected.

Your log is looking so much cleaner. Please do an online scan at either of the following sites:
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

When you have done that, Run HiJackThis & Fix this :

O2 - BHO: Class - {F0B1D569-2C0E-BD75-282F-715116D9131A} - C:\WINNT\iezi32.dll (file missing)

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Reboot & post fresh logs from:
  1. HiJackThis
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
Old 07-25-2005, 07:47 AM   #6 (permalink)
mamadawn


Hellllp!

Hey there,

I'm back at home now and had a chance to fix the item you listed previously in hijack this. I shut down the computer and went to get online to run the panda scan but I can no longer get online.

I get this message... Invalid Syntax error. This page cannot be displayed. I tried going to different sites and nothing happens. The page stays the same.

Not sure what happened but need to at least get the internet back up and running. I'm currently e-mailing you from work which is 30 minutes away from home so any downloading will have to be done here and transported to home. Unfortunately I don't have a cd burner here so floppy is the only way to go.

Here is the panda scan and Hijack this log before the fixit tool was used in Hijack this.

Panda scan______________________________________________________
Incident Status Location

Virus:W32/Smitfraud.A Disinfected Operating system
Spyware:spyware/petro-line No disinfected C:\DOCUMENTS AND SETTINGS\DAWN D. SLEZAK\FAVORITES\SITES ABOUT\Ab scissor.url
Spyware:spyware/aveo-attune No disinfected C:\PROGRAM FILES\Aveo
Adware:adware/psguard No disinfected C:\DOCUMENTS AND SETTINGS\DAWN D. SLEZAK\APPLICATION DATA\PSGuard.com
Virus:W32/Smitfraud.A Disinfected C:\WINNT\system32\wininet.dll
*********************************************************
Logfile of HijackThis v1.99.1
Scan saved at 6:58:30 PM, on 7/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netins.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSC_UserPrompt] - C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

I'll check back this afternoon to see what you have to say.

Thanks!
Old 07-25-2005, 09:10 AM   #7 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,410
OS: N/A


It seems that Panda uncovered another infection from your machine. This particular infection is kinda nasty as it overwrites an important file in Windows. I'm making a guess that Panda must have removed the file & left your computer w/o this file. This would render IE inoperable.

I'm gonna prescribe a fix for this infection. This fix would kill the infection & search your computer for a backup copy of the missing file. If it finds one, it will reinstate that copy into its proper place.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

You should not have any browsers on while carrying out the Fix. So please save the next instructions in Wordpad as this page would not be available then. I have customised my instructions on the assumption that you have Wordpad 'On'. If you should choose to do otherwise, it may lead to some confusion.

It is also important you don't miss a step and perform everything in the right order!!

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

Download smitRem.zip

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

When doing the fix, you shall be viewing these instructions from Wordpad.
Copy the filename(s) listed below.
Select/Highlight all the filenames & then click on Wordpad's 'Edit' menu & select 'copy'
  • C:\DOCUMENTS AND SETTINGS\DAWN D. SLEZAK\FAVORITES\SITES ABOUT\Ab scissor.url
    C:\DOCUMENTS AND SETTINGS\DAWN D. SLEZAK\APPLICATION DATA\PSGuard.com
Launch KillBox.
  1. Go to the [File] menu, and choose [Paste from Clipboard].
    Verify that you've done this properly by clicking the dropdown-arrow next to the [Full Path of File to Delete] field. The filenames you pasted will be found in there.
  2. Select/tick the following:
    • "Delete on Reboot"
    • "End Explorer Shell While Killing File"
    • "Unregister .dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Reboot to SafeMode
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the [Windows Advanced Options] menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :
  • Aveo
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Enable the viewing of Hidden files
  1. Open Windows Explorer
  2. Go to Tools>Folder Options>View tab.
  3. Enable the option for "Show hidden files and folders"
  4. Disable the option for "Hide file extensions for known types"
  5. Disable the option for "Hide protected operating system files"
  6. Click "Yes" to confirm & then click "OK"

Locate and delete the following folder(s), if present:
  • C:\PROGRAM FILES\Aveo
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Cleanup! with the following configuration:
  1. Click Options...
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files (Windows XP only)
    • [X]Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Next go to Control Panel click Display>Desktop>Customize Desktop>Website>Uncheck "Security Info" if present.

Reboot back into Windows and verify if IE is working properly.

If it's working, post a new HijackThis Log along with the aforementioned smitfiles.txt

Let us know if there are any problems.


Quote:
Here are some contingency plans if the FIX fails
  1. As a backup plan, I suggest that you try to locate another copy of this file from the computers in your office. The name of the file is wininet.dll. Try to get a copy of the file from a computer running the same version of IE as you do. - Internet Explorer v6.00 SP1 (6.00.2800.1106).

    This file has to be copied into this directory - C:\WINNT\system32\dllcache\
    When you have done that, locate this file (if present) - C:\WINNT\system32\wininet.dll
    Rename the file wininet.dll to wininet.old. Wait for a few moments. Windows should regenerate a new copy for you.
    If that doesn't happen, manually copy a fresh copy to that location
    Reboot your machine

  2. Visit Microsoft's Internet Explorer home page (www.microsoft.com/windows/ie) to download the latest version of IE, which includes the Wininet.dll file.

  3. It's been reported that the missing wininet.dll does not affect other browsers. You may download & install Firefox to regain internet access.
__________________

Question - what have you done for the community today?
Old 07-26-2005, 11:49 AM   #8 (permalink)
mamadawn
I helped the forums.
Join Date: Jul 2005
Location: Cedar Rapids, IA
Posts: 14
OS: 2000


Really Bummed!

I went home last night and followed your instructions word by word. Everything was going smoothly until I got to the Run Cleanup! portion of the Fix. When I opened the program I got this message:

Cleanup.exe unable to located dll

The dynamic link library wininet.dll could not be found in the specified path C:\programfiles\cleanup!;.;C:\winnt\system32;C:\winnt\system;C:\winnt;C\winnt\system32;C:\winnt;C:\winnt\system32\wbem.

I went on in the fix with the next instruction to open the smitrem folder and run the runthis.bat file. Here is the log for that:


smitRem log file
version 2.2

by noahdfear

The current date is: Mon 07/25/2005
The current time is: 21:24:40.29

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!

For the next step, I run windows 2000 and I don't have a desktop option or the rest of the path you are referring to when asking me to uncheck the "Security info" option so I'm unsure what to do there.

All in all the internet is still not working and I guess I'm concerned that because the Cleanup! program no longer works that there are other programs affected by it as well.

I downloaded a copy of the newest IE and brought it home to install but because that dll file is missing, the setup wouldn't even run.

Currently I am in search of a computer running windows 2000 with the same version of IE as me so that I can copy the file you recommended.

Can I get that file from my back up CD that came with the computer or would that require me to reformat the hard drive? What about rebooting to last normal configuration?

Here is my last hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:09 PM, on 7/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netins.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSC_UserPrompt] - C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F9BD96E-596B-404B-B2E3-6E3BE44F5CEA}: NameServer = 167.142.225.3 167.142.225.5
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thanks for any help you can give me. I'm not ready to throw in the towel and buy a new computer!
Old 07-26-2005, 08:18 PM   #9 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,410
OS: N/A


How large is the filesize of the IE setup you downloaded?
If it's something you can save onto a floppy, it's incorrect.

Download KB883939 - 3426 kB
Use Winzip or WinRAR to extract the contents to a new folder.
Within that folder, locate wininet.dll
Use this file as a replacement for your missing copy
__________________

Question - what have you done for the community today?

Last edited by sUBs; 07-26-2005 at 08:19 PM.
Old 07-27-2005, 07:56 AM   #10 (permalink)
mamadawn
I helped the forums.
Join Date: Jul 2005
Location: Cedar Rapids, IA
Posts: 14
OS: 2000


Alright the towel has been thrown!

The IE that I downloaded was from microsoft.com and I zipped it so it could fit on a disk.

I found a computer in the office running windows 2000 and the same version of IE that I was. I copied the file and then placed it in the specified folder C:\winnt\system32\dllcache\. Then I went to locate the wininet.dll file within the system 32 folder and I did not have one. So I put a copy of the one from work in that folder as stated. I restarted and tried to access the internet but this time I didn't have a dial tone from the modem. I tried to open the Cleanup! program and that was properly working. I also tried running the IE setup which was also working but it told me that I already had the most current version loaded. So I ended the setup.

I went to find modem helper and I no longer had that program. So I'm going to try looking for it today online to bring home. In the device manager under modems HFC 56K PCI modem is listed. When I look at the properties of that device it states that the device is working properly.

I went through the troubleshoot helper within the device manager and it suggests contacting the manufacturer to see if I have the most current .inf file. Mine is dated 7/11/04. I believe the manufacturer is Conexant, file version 2.1.2.160.006

There are a couple variables going on that may have affected this, tell me if I'm wrong:
We had a thunderstorm the night before with lots of lightning. I have a surge protector and all the wires and junctures look fine. But was wondering if lightning could have fried the modem.

I'm vaguely remembering this but last year through dell tech support I was having trouble with my modem so they walked me through moving the modem to a different com port.

I also remember talking to dell tech support who had me reformat the hard drive because of a nasty virus I had last year.

I decided to try switching the modem to a different port again. I had no luck with getting a dial tone. The device manager still says it's working properly.

I'm really frustrated now and guess I don't know what to do other than finding the modem helper to see if it can give me any more answers.

I'll try anything.
Old 07-27-2005, 08:47 AM   #11 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,410
OS: N/A


Quote:
File Name: ie6setup.exe
Version:6_sp1
Date Published:9/9/2002
Language:English
Download Size:480 KB - 79324 KB*
Estimated Download Time:1 hr 35 min @ 56K

The IE which you downloaded is just the 480 kB setup file.
What it does is initialise the setup procedures like determining your OS & the current version/configuration before connecting to the internet to download additional files required for the installation. That's why it does not contain the wininet.dll you required.

If you suspect lightning damage, try resetting your surge protector.

If you still possess the installation files for your modem, you might wanna try this.
Go to Start > Run - type devmgmt.msc (this accesses the Device Manager)
From there, locate & uninstall your modem.
Shut down your computer.
If you have an internal modem, you have to physically remove the card from the PCI slot within your CPU
Restart your computer to complete the uninstallation.
When you've done that, shut down the computer again.
Replace the modem which you have removed earlier
Reboot & allow Windows to re-install your modem drivers

Let us know how that went
__________________

Question - what have you done for the community today?
Old 07-27-2005, 09:36 PM   #12 (permalink)
mamadawn
I helped the forums.
Join Date: Jul 2005
Location: Cedar Rapids, IA
Posts: 14
OS: 2000


Yeah! I'm so happy again!!

You're my hero! But it was common sense finally kicking in that got my modem working. Okay, so I'll stop blaming the modem... It was the surge protector. I don't have a reset switch on it but I did turn it off and back on. Everything was working the same and I still had no dial tone. I finally plugged the computer directly into my phone line and, voilà, there's my dial tone. So it looks to me as though lightning hit the surge protector and saved it from ruining my modem. Unless you have any other theories. It must have just come in the phone line and stopped at the surge protector and fried that portion of the protector because my computer, shredder, printer, monitor, etc. are all plugged into the same surge protector and they are all still working properly.

Now, where were we with the whole virus thing? I'm so wiped from the day and stressing myself out about the computer I can't think straight anymore. So I'll leave you with the latest hijackthis and ewido scans. I'll try to run a trendmicro scan and see if it won't update still. I'll try to send that off to you first thing in the morning. I'm too scared to run a panda scan at this point because I don't want the internet to go down again.

Let me know what else needs to be done to finish cleaning out all the viruses. I can tell you that it's taking an awful long time to execute any programs after windows starts up. I can move the cursor around freely and click to highlight an icon but if I double click on an icon it takes around 2 minutes for that program to finally open. Once the computer is up and running I don't have that trouble anymore. So either I've added more things to my start up list and don't know about it or there's a virus still lurking.

FYI - I burned a copy of the IE file you linked me to and ran the setup on my computer... sure enough it just went on ahead and updated my IE. I didn't go into the actual setup to see if I could find the wininet.dll file to replace the one on my computer with it because I thought that when I updated with your cd that it automatically put that file in. Am I correct?

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:35:09 PM, 7/27/2005
+ Report-Checksum: DC27C868

+ Scan result:

C:\Documents and Settings\Dawn D. Slezak\Cookies\dawn d. slezak@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 10:36:07 PM, on 7/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netins.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSC_UserPrompt] - C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F9BD96E-596B-404B-B2E3-6E3BE44F5CEA}: NameServer = 167.142.225.3 167.142.225.5
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Sorry this post was lengthy and garbled... I'm sooo tired.
Thanks a million!!
Old 07-27-2005, 09:57 PM   #13 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,410
OS: N/A


Your log is clean. The slowness may be due to wininet.dll not being fully compatible with your system. If the problem persists, I suggest that you uninstall & re-install IE. This will ensure that you have a clean updated & fully compatible copy of wininet.dll.

Should you decide to pursue this idea, here are some guides to doing that >
http://www.petri.co.il/reinstall_ie_6_on_xp.htm
http://namaste.cc.vt.edu/ask4help/desktop/vtkb2453.htm

You have nothing to fear from Panda scan. It merely removed a malware that's masquerading as a legitimate file.

Seeing that you're up & running does invoke a deep sense of satisfaction in me.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.

  2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources

  3. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  4. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls

  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  6. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  7. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  8. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  9. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will further enhance your safety
  • IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

  • MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer

  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here > Using Winpatrol to protect your computer from malicious software
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
__________________

Question - what have you done for the community today?
Old 07-28-2005, 08:33 AM   #14 (permalink)
mamadawn

All's well that ends well!

Phew! I successfully got my trendmicro to update and scanned for spyware and viruses. I'm clean as far as that goes. I believe trendmicro has firewalls but I will double check and also install those programs. I think I'll go on ahead and do a complete uninstall of IE and reinstall it just to see if that will help the slowness.

Thank you again for all of your help! You are one knowledgeable person! I only wish I knew everything you do!

Have a good one and keep up the good work!
Old 07-28-2005, 08:50 AM   #15 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy

Quote:
Originally Posted by mamadawn
You are one knowledgeable person! I only wish I knew everything you do!
Google is my friend
__________________

Question - what have you done for the community today?
All times are GMT -7. The time now is 07:34 AM.



Copyright 2001 - 2009, Tech Support Forum