Registered · 2 Posts · Discussion Starter #1
Hello,
Any help would be much appreciated.

I've used HJT to try to get rid of CWS and the toolbar.

I've been deleting entry O3 below over and over, but it re-enters there at every reboot.

Below is the latest HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 15:00:39, on 02/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\VXFJJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [GSISETUP] C:\WINDOWS\TEMP\GsiInst.exe INSTALL C:\WINDOWS\TEMP\.\V205Res 23
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [BCMHal] rundll32.exe bcmhal9x.dll,BCInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll

Thanks in advance,
Chris
 

Premium Member · 14,311 Posts
Hi Chris and welcome to TSF.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on the 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\VXFJJ.DLL


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\VXFJJ.DLL

Restart and run BOTH these scans:

Run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them on that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Post the log from the Panda scan here.

Restart and run a new HijackThis scan. Save the log file and post it here along with the Panda log.
 

Registered · 2 Posts · Discussion Starter #3
CWS & TOOLBAR Problem

Hi there GreyKnight,

Thanks for the information.

I've gone through all you advised and here is the Panda scan results and a new HJT Log:


Adware:Adware/Megatds No disinfected C:\WINDOWS\SYSTEM\csewr.exe
Virus:Trj/Full.A Disinfected C:\WINDOWS\SYSTEM\dmuai.exe
Adware:Adware/Findspy No disinfected C:\WINDOWS\SYSTEM\bndmod.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\SYSTEM\hlmicro.exe
Dialer:Dialer.CVG No disinfected C:\RECYCLED\DC72.EXE
Adware:Adware/SBSoft No disinfected C:\RECYCLED\DC101.DLL
Dialer:Dialer.Gen No disinfected D:\_RESTORE\TEMP\A0032551.CPY
Dialer:Dialer.Gen No disinfected D:\_RESTORE\TEMP\A0032552.CPY
Dialer:Dialer.Gen No disinfected D:\_RESTORE\TEMP\A0032553.CPY
Dialer:Dialer.Gen No disinfected D:\_RESTORE\TEMP\A0032554.CPY
Dialer:Dialer.Gen No disinfected D:\_RESTORE\TEMP\A0032555.CPY
Dialer:Dialer.Gen No disinfected D:\_RESTORE\TEMP\A0032556.CPY
Dialer:Dialer.Gen No disinfected D:\_RESTORE\TEMP\A0032557.CPY
Possible Virus. No disinfected D:\WINDOWS\SYSTEM\InstantPleasure-uninstall.exe
Dialer:Dialer.Gen No disinfected D:\WINDOWS\SYSTEM\UKVideo2-uninstall.exe
Virus:Trj/Qukart.B Disinfected D:\WINDOWS\SYSTEM\Mhmfco32.exe
Virus:Trj/Qukart.C Disinfected D:\WINDOWS\SYSTEM\Icmajpfl.dll
Dialer:Dialer.TS No disinfected D:\WINDOWS\TEMP\dia3275.exe
Dialer:Dialer.TS No disinfected D:\WINDOWS\TEMP\dia6202.exe
Dialer:Dialer.TS No disinfected D:\WINDOWS\TEMP\diaE324.exe
Dialer:Dialer.TS No disinfected D:\WINDOWS\TEMP\diaA1F1.exe
Possible Virus. No disinfected D:\WINDOWS\TEMP\dia6112.exe
Dialer:Dialer.BAZ No disinfected D:\WINDOWS\Downloaded Program Files\btwebcontrol.dll
Dialer:Dialer.BAZ No disinfected D:\WINDOWS\Downloaded Program Files\btwebcontrol.inf
Virus:Trj/Downloader.APJ Disinfected D:\dload.exe

By the way, the D drive above is no longer used; only the C drive is in use.

Logfile of HijackThis v1.99.1
Scan saved at 19:31:03, on 02/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\VXFJJ.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [GSISETUP] C:\WINDOWS\TEMP\GsiInst.exe INSTALL C:\WINDOWS\TEMP\.\V205Res 23
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [BCMHal] rundll32.exe bcmhal9x.dll,BCInit
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab


Noticed O3 above is still listing the offending file, but IE seems to be working OK now; no toolbar in sight!

Do I need to do anything more about CWS?

Many thanks for your help.
Chris
 
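Both logs in this thread show the traits the helpers keyed on: a toolbar DLL loaded straight out of C:\WINDOWS\SYSTEM, an autostart entry running from C:\WINDOWS\TEMP, and, after cleanup, a "(file missing)" entry that is only an orphaned registry reference. The Python below is an added example, not part of the thread and not a HijackThis feature: it parses lines in the HijackThis v1.99.1 format into records and flags entries by those three heuristics. The sample lines are constructed (modelled on the entries above, not copied from either log), and the three rules are this example's own assumptions, so a hit is a prompt to look closer rather than a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v1.99.1 line format (not a copy of either log above).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\VXFJJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [GSISETUP] C:\WINDOWS\TEMP\GsiInst.exe INSTALL C:\WINDOWS\TEMP\.\V205Res 23
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\VXFJJ.DLL (file missing)
"""

# Section tag at the start of every entry line: R0, R1, O2, O3, O4, O16, ...
_SECTION = re.compile(r"[A-Z]\d{1,2}")
# O2 (BHO) and O3 (toolbar): "... - {GUID} - <dll path>[ (file missing)]"
_O2_O3 = re.compile(r"^O[23] - .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# O4 (autostart): "O4 - <hive>\..\Run: [<name>] <command line>"
_O4 = re.compile(r"^O4 - .*?: \[[^\]]*\] (?P<cmd>.*)$")
# First absolute path with an executable extension at the start of a command line
_ABS_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr|pif|bat))\b', re.IGNORECASE)
# A file sitting directly in the Windows system directory (Win9x SYSTEM or NT SYSTEM32)
_SYSTEM_DIR = re.compile(r"\\WINDOWS\\SYSTEM(?:32)?\\[^\\]+$", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str          # "R0", "O3", "O4", ...
    raw: str              # the line as logged
    path: Optional[str]   # absolute path of the referenced file, when one is given
    file_missing: bool    # HijackThis appended "(file missing)"


def parse_line(line: str) -> Optional[HjtEntry]:
    """Turn one HijackThis line into an HjtEntry; returns None for header/process lines."""
    line = line.strip()
    if " - " not in line:
        return None
    section = line.split(" - ", 1)[0]
    if not _SECTION.fullmatch(section):
        return None
    path, missing = None, False
    m = _O2_O3.match(line)
    if m:
        path, missing = m.group("path"), m.group("missing") is not None
    else:
        m = _O4.match(line)
        if m:
            pm = _ABS_PATH.match(m.group("cmd"))
            # Bare names such as "SysTray.Exe" are resolved via PATH, so no path is recorded
            path = pm.group(1) if pm else None
    return HjtEntry(section, line, path, missing)


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (raw line, reasons) for every entry that trips one of the example's heuristics."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        # Heuristic 1 (assumption): the registry still names a file that is already gone
        if entry.file_missing:
            reasons.append("orphaned reference: the registry still names a file that is gone")
        # Heuristic 2 (assumption): an autostart launching from a TEMP directory
        if entry.path and re.search(r"\\TEMP\\", entry.path, re.IGNORECASE):
            reasons.append("autostart launches a binary from a TEMP directory")
        # Heuristic 3 (assumption): browser add-ons normally live under an application folder
        if entry.section in ("O2", "O3") and entry.path and _SYSTEM_DIR.search(entry.path):
            reasons.append("browser add-on DLL sits directly in the Windows system directory")
        if reasons:
            findings.append((entry.raw, reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG):
        print(raw)
        for reason in reasons:
            print("   ->", reason)
```

Run as-is the script flags three of the eight sample lines: the toolbar DLL in the system directory, the GSISETUP autostart under TEMP, and the later "(file missing)" toolbar entry (which trips two rules at once); the Spybot BHO under Program Files and the loopback ProxyOverride are left alone.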

TSF Security Team, Emeritus · 26,363 Posts
Please download & install CleanUp.exe
Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


Have HijackThis fix these entries:

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\VXFJJ.DLL (file missing)
O4 - HKLM\..\Run: [GSISETUP] C:\WINDOWS\TEMP\GsiInst.exe INSTALL C:\WINDOWS\TEMP\.\V205Res 23

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)
Launch KillBox.exe & select the following options:
  • Delete on Reboot
Select all the filenames below & then right-click & select Copy
  • C:\WINDOWS\SYSTEM\csewr.exe
    C:\WINDOWS\SYSTEM\dmuai.exe
    C:\WINDOWS\SYSTEM\bndmod.exe
    C:\WINDOWS\SYSTEM\hlmicro.exe
    D:\WINDOWS\SYSTEM\InstantPleasure-uninstall.exe
    D:\WINDOWS\SYSTEM\UKVideo2-uninstall.exe
    D:\WINDOWS\TEMP\diaA1F1.exe
    D:\WINDOWS\TEMP\dia3275.exe
    D:\WINDOWS\TEMP\dia6202.exe
    D:\WINDOWS\TEMP\diaE324.exe
    D:\WINDOWS\TEMP\diaA1F1.exe
    D:\WINDOWS\TEMP\dia6112.exe
    D:\WINDOWS\Downloaded Program Files\btwebcontrol.dll
    D:\WINDOWS\Downloaded Program Files\btwebcontrol.inf
    D:\dload.exe
* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
Post a new HJT log after this.
 