help!! trojan/ lost use of all .exe files

Discussion in 'adware, spyware & hijack cleaning' started by zappa, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    From my previous post in this forum called "on a roll":

    The trojan was using powerpoint.ini, WMplayer.exe and others. I deleted all the remnants but did something wrong as I got into the registry. I used RegRun trojan process analyser and found the trojan was using a certain key, HKLM\System\CurrentControlSet\Control\CommAlias
    and promptly deleted the COM2 part of it.

    None of my exe's work now and I can't open any file that needs an exe. I cannot even get the original rundll32.exe off my original win98se disc.

    What do I do now? thank you!!!

    PS-I can't download a zip file because when I go to open it the same thing happens where the extension association will not work for any .exe.

    I can't even run an exe file from the net as in "open" option instead of saving it to HD for same reason.
     
    Last edited: Jul 2, 2004
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Zappa,

    I'm not going to be too much help, but did you mean that you accidentally deleted a reg key with RegRun and that's when you lost the file association for .exe files?

    I don't know RegRun (I should, but I don't) but doesn't it have a backup feature you could restore the registry key from?

    Regards,

    snap
     
  3. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Honestly, at this point the little man talking to me on my shoulder knows more than I do. This newest issue started last night and kept going for many hours, I had to stop to do real work today, then back at it now.

    thanks though..
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas

    No backups? Nothing works? Reformat.
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Ok, just so we can get more information that might help someone else that might be able to help you. Do you have a recent hijackthis log that you could post? I know you said you can't run hijackthis now, but if you should happen to have one from just before this started, we might be able to tell something from it as to what was going on. (I'm searching for ideas here). :doubt:

    snap
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Well, this might be a real option at this point. :doubt:
     
  7. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Ron, don't like that idea much. I would not have posted for that type of advice.


    I figured out that RegRun has an option to fix exe, pif, etc. Did that but the problem has been that the little sucker keeps renaming itself and morphing.

    So I am online with my PC and RegRun works and so does NOD32, IE works, but nothing else.
    thanks.
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    ahh...if you can then, boot into safe mode which hopefully the trojan won't be able to run then. Then try and do a TDS scan if you can, along with a NOD scan, and finally a Hijackthis scan. A lot at once, but at least a start.

    snap
     
  9. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    RegRun has a Clean Boot DOS feature for Windows 98. From the help file:

    "Clean Boot allows you to load in really clean Windows.
    Clean Boot works in two modes:
    • DOS
    • Windows

    To use Clean Boot DOS you need to activate Secure Start DOS.
    Clean Boot for DOS is available only for Windows 95/98.
    Clean Boot DOS works during DOS mode (autoexec.bat)."

    Might be worth trying just to see how your system behaves. Hopefully, from there you can run one of several DOS-based AVs available. Another option would be to create and boot from a bootdisk (http://www.bootdisk.com/bootdisk.htm) and then clean your system using DOS AVs. That won't help your registry though.

    Nick
     
    Last edited: Jul 2, 2004
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    https://www.wilderssecurity.com/showthread.php?t=38705
    This was your other thread.
    If all this doesn't work, you can try from DOS a repair install for win98 over itself.
    Was this all from deleting only one registry key?
    And you say the trojan / virus / nasty is still not all removed and misbehaving?
    Can you try to boot into safe mode and does anything work from there?
    Like a TDS scan?
    Do online scans work?
    Does your Regrun not make backups if you change anything in the registry?
    How did your system get that infected in the first place?
    Any idea how the registry key should read and what possibly to add again?
    As I don't know a HKEY\System, there should be something between that.
    If we know exactly the name somebody could post maybe what there should be and post it for you.
    Very strange if RegRun has no backup for deleted keys via that!

    If you registered for the DiamondCS forum you'll find this thread helpful on the scanreg.exe for win98 users
    http://www.diamondcs.com.au/forum/showthread.php?t=1875&highlight=scanreg
    Only hope your regrun didn't block that ability to get several restore versions back.
     
    Last edited: Jul 3, 2004
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Without the benefit of a Hijack This log it's hard to advise...

    Try this: download Exefix08.com from this site: http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html

    Doubleclick it, and it will restore the default Windows file associations for exefiles.

    Now try launching Hijack This; will it run?

    If no joy, rename the Hijackthis.exe file to Hijackthis.com and doubleclick that; that should work.
     
  12. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Got my exe files back.

    I will upload my startup/text.

    I will upload my IE log which appears Win Media player has been downloading things other than codecs.

    I will upload the process trace I did that includes Win Media player opening up pstores.exe?

    To answer your questions:
    Was this all from deleting only one registry key?
    I guess since that is all I deleted.

    And you say the trojan / virus / nasty is still not all removed and misbehaving?
    Yes, it still is. I found it in my win.ini file it always saves itself as something else before I shutdown.

    Can you try to boot into safe mode and does anything work from there?
    Like a TDS scan?

    I finally got TDS to run and it found another (new to me) trojan, win32/trojandownloader.In.Service.D trojan. We deleted it.

    Do online scans work?
    Nod is working as it found two more separate versions or exe's of the trojan (prior to running TDS) I have now deleted 3 times called win32 dialer.A.1

    Does your Regrun not make backups if you change anything in the registry?
    Yes, it does but I think that I don't want to use a backup of an infected registry, right? I say that as it appears that my registry has been changed a whole bunch, but I know close to 0 so...

    Nick S:
    Since I am worried about any type of OS crash, I do not want to lose any data, I am hesitant to do anything in DOS due to my clueless factor of doing something wrong. Going into DOS to me is like a bad delete dream.

    Tony K-
    Thanks I went to the page that had the zip files and could not find the page you directed me to. There is a program there called DD delete..or something; again a DOS issue, or does it just run itself with me doing nothing, which is always safer.
     

    Attached Files:

  13. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    bootlog.
     

    Attached Files:

  14. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Small part of the entire process tracer results from RegRun Gold.
     

    Attached Files:

  15. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    In fact, the link I posted works, and takes you straight to the section in which Exefix08.com is available for download...

    Also, instead of all that other stuff, would you please run Hijack This, and post a Hijack This log as requested?

    You can find Hijack This here: http://s89223352.onlinehome.us/mirror/hjt/

    Someone here will be happy to help you interpret the results.
     
  16. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Hijack this log attached. I added to the bottom of the log a registry entry TDS found that is suspicious to me.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:56:16 PM, on 7/3/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\ESET\NOD32KRN.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTUPMONITOR.EXE
    C:\PROGRAM FILES\ESET\NOD32KUI.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\TDS3\TDS-3.EXE
    C:\PROGRAM FILES\GREATIS\REGRUNSUITE\WATCHDOG.EXE
    C:\WINDOWS\SYSTEM\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\MSAGENT\AGENTSVR.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wilderssecurity.com/archive/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://start.earthlink.net/start"); (C:\Program Files\Netscape\Users\damiangrand\prefs.js)
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\PROGRAM FILES\SYSSHIELD TOOLS\INTERNET ERASER\PKEXT.DLL
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 6\SNAGITBHO.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {08442457-929D-4522-AE24-9D3E4664A0C1} - C:\PROGRAM FILES\IE URL SPOOFING PATCH\IEWORKAROUND3.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\PROGRAM FILES\XI\NETTRANSPORT 2\NTIEHELPER.DLL
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 6\SNAGITIEADDIN.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\Scanregw.exe /autorun
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Amon] "C:\PROGRAM FILES\ESET\AMON.EXE"
    O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
    O4 - HKLM\..\Run: [TDS3] C:\PROGRAM FILES\TDS3\TDS-3.exe
    O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
    O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
    O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\GREATIS\REGRUN~1\WatchDog.exe
    O4 - Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: AutoPlay Extender.lnk = C:\WINDOWS\SYSTEM\rundll32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
    O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
    O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
    O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
    O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
    O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
    O8 - Extra context menu item: Advanced Properties - http://www.advancedpropertiesie.com/advprops/advprop.php?rd=1024572924710
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O8 - Extra context menu item: &Convert and Open - C:\PROGRAM FILES\CAMTECH\CONVERT & OPEN\ConvertIt.htm
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
    O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
    O8 - Extra context menu item: Sizer - C:\Program Files\IECrap\tsrSizer.htm
    O8 - Extra context menu item: Zoom Frame - C:\Program Files\IECrap\ZoomFrame.htm
    O8 - Extra context menu item: Debug Box - C:\Program Files\IECrap\DebugBox.htm
    O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
    O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
    O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
    O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
    O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
    O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
    O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
    O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
    O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
    O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
    O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
    O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
    O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
    O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
    O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
    O8 - Extra context menu item: IEB: Link: Open in New Minimized Window - C:\Program Files\IE Booster\link-open-minimized.html
    O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
    O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O8 - Extra context menu item: Add to my&Favorites - C:\Program Files\myFavorites\myFavorites.hta
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Search &Google - C:\PROGRAM FILES\RIGHTCLIELECTEDURL\google.htm
    O8 - Extra context menu item: Open Selected URL - C:\PROGRAM FILES\RIGHTCLIELECTEDURL\openselectedurl.htm
    O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: Favorites Search (HKLM)
    O9 - Extra button: Offline (HKLM)
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
    O9 - Extra button: Wallpaper (HKLM)
    O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
    O9 - Extra button: Maximizer (HKLM)
    O9 - Extra 'Tools' menuitem: IE New Window Maximizer (HKLM)
    O9 - Extra button: Files (HKLM)
    O9 - Extra 'Tools' menuitem: &FileLocator (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O9 - Extra button: AbsoluteShield Internet Eraser (HKCU)
    O9 - Extra button: Cookies (HKCU)
    O9 - Extra button: myFavorites (HKCU)
    O9 - Extra 'Tools' menuitem: myFavorites (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
    O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
    O15 - Trusted Zone: http://www.delta.dfg.ca.gov
    O15 - Trusted Zone: https://www.wilderssecurity.com
    O15 - Trusted Zone: http://www.ebay.com
    O15 - Trusted Zone: http://www.fullautofun.homestead.com
    O15 - Trusted Zone: http://www.fullautofun2.com
    O15 - Trusted Zone: http://www.diamondcs.com.au
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37897.1011111111
    O16 - DPF: {10D1242B-6EFF-465D-B2F6-27AB9B310929} (WrapFrontend Control) - http://www.softwrap.com/wrapper.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1553e15e20c14a947506/netzip/RdxIE601.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {7DBFDA8E-D33B-11D4-9269-00600868E56E} (WWWInstall Class) - http://go.securelive.com/speed/uk/WebInstall.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/English/bin/npseatools.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} (EnvivioTV MPEG-4 Source Filter) - http://www.envivio.tv/downloads/EnvivioTV/EnvivioTVSilentInstaller.exe
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - https://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.photogize.com/saxfile.cab

    LOG ends here
    _______________


    TDS found these two changes in registry which have never been there historically speaking:

    HKEY CLASSES ROOT\CLSID\{9209B1A6-964A-11D0-9372-OOAOC9034910}\LOCAL SERVER32 (DEFAULT)
    = C:\WINDOWS\SYSTEM\MDM.EXE
     

    Attached Files:

    Last edited by a moderator: Jul 8, 2004
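    As an added example (not code from this thread, from HijackThis, or from any of the tools named here), the script below parses HijackThis item lines of the kind in the log above into their sections and runs a few defensive triage heuristics over them. The trimmed sample lines are a constructed subset of the posted log, and the heuristics are my own assumptions about what deserves a second look: a hit means "verify", not "malicious" (a proxy on localhost, for instance, is exactly what a local ad-filtering proxy configures, and an O10 entry means the Winsock LSP chain needs repairing, not that every LSP is hostile).

```python
"""HijackThis (HJT) log triage: parse item lines into sections and flag a few
things a reviewer would want to double-check.  Added example; the heuristics
are assumptions of this example, not rules from HijackThis or the forum."""
import re
from collections import defaultdict

# Constructed subset of the log posted in the thread (one HJT item per line).
SAMPLE_LOG = [
    "Logfile of HijackThis v1.97.7",
    "Platform: Windows 98 SE (Win9x 4.10.2222A)",
    "",
    "Running processes:",
    r"C:\WINDOWS\SYSTEM\RUNDLL32.EXE",
    r"C:\WINDOWS\NOTEPAD.EXE",
    "",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL",
    r"O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe",
    r"O4 - Startup: AutoPlay Extender.lnk = C:\WINDOWS\SYSTEM\rundll32.exe",
    "O10 - Broken Internet access because of LSP provider 'imon.dll' missing",
    "O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - "
    "http://207.188.7.150/1553e15e20c14a947506/netzip/RdxIE601.cab",
]

# HJT items look like "R1 - ...", "N1 - ...", "F0 - ...", "O16 - ...".
HJT_ITEM = re.compile(r"^(?P<sec>[RNFO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(lines):
    """Return (running_processes, {section: [item bodies]}) from HJT log lines."""
    procs, items, in_procs = [], defaultdict(list), False
    for raw in lines:
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = HJT_ITEM.match(line)
        if m:
            items[m["sec"]].append(m["body"])
        elif in_procs:
            procs.append(line)
    return procs, dict(items)


def triage(items):
    """Apply heuristic checks; each finding is (section, reason, item body)."""
    findings = []
    for body in items.get("R1", []):
        # A proxy on this machine is legitimate for local filtering proxies;
        # confirm a known program actually listens on that port.
        if "ProxyServer" in body and re.search(r"(localhost|127\.0\.0\.1):\d+", body):
            findings.append(("R1", "proxy points at this machine; confirm a local filtering proxy owns that port", body))
    for body in items.get("O4", []):
        # Startup items are "Startup: name.lnk = target" or "[name] command".
        target = body.split("=", 1)[-1] if "Startup:" in body else body.split("]", 1)[-1]
        if re.fullmatch(r"\s*\S*rundll32\.exe\s*", target, re.IGNORECASE):
            findings.append(("O4", "rundll32.exe launched with no DLL argument; inspect the shortcut target", body))
    for body in items.get("O10", []):
        findings.append(("O10", "Winsock LSP chain references a missing DLL; repair the chain rather than deleting entries", body))
    for body in items.get("O16", []):
        # ActiveX downloads from a bare IP rather than a vendor hostname.
        if re.search(r"https?://\d{1,3}(\.\d{1,3}){3}", body):
            findings.append(("O16", "ActiveX control downloaded from a bare IP address", body))
    return findings


def triage_log(lines):
    """Convenience wrapper: parse and triage in one call."""
    _procs, items = parse_hjt(lines)
    return triage(items)


if __name__ == "__main__":
    procs, items = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} running processes, sections: {sorted(items)}")
    for sec, reason, body in triage(items):
        print(f"[{sec}] {reason}\n      {body}")
```

Run it against a full log by replacing SAMPLE_LOG with `open("hijackthis.log").read().splitlines()`; the parser ignores the header lines and only keys on the section prefixes, so newer or older HJT versions with the same line shape work too.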
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Normally the MDM has to do with debugging, if you used the TWEAK utility or allowed the browser to display errors on websites you have that thing in the autostart. That one is not a problem normally speaking.
    The Local Server32 ? are you running some server or is that part of the infection?

    I notice you have notepad in the startup. No need for that. Better drag a shortcut to it in the taskbar or on the desktop and you have it always at hand. Saves some bandwidth.

    Other comments and the HJT log I leave to the experts.
     
  18. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Thanks Jooske-

    I deleted the server from registry that TDS found.

    I do not have notepad in startup, probably part of the infection too for editing .ini files? Something about the infection for sure but I will remove it from startup. I did not see it in startup, thanks.

    I removed Win Media 9 from my system since wmplayer.exe was infected and changes values of other programs. Once I removed it I lost all my .inf associations!!! Unreal.

    I will wait for further remarks about the hijack this log.

    One last thing my netscape browser when open keeps trying to secretly contact a site named ...akami. Is that part of the infection?

    thanks again.
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again Zappa,
    as it is too complicated for my skills we moved your thread to the HJT forum for expert help.
    Fingers crossed, you come out all right with their help to the best of options!
     