[solved] newbie..help and dropper.small.AK (merged)

Discussion in 'adware, spyware & hijack cleaning' started by phatkid, Jun 12, 2004.

Thread Status:
Not open for further replies.
  1. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    cool site

    could use some input on deleting

    dropper.small.AK

    C:systemvolumeinformation\_restore{C1667488-2B62-44A5-B03A-2D5F7A0139F}RP460\A0032010.exe

    i searched for this in files/folders to delete but came up with nothing.....

    Also do i scan for viruses and such with the system restore off?

    thanks to sites like this i have search and destroyed, ad-aware, house call then AVG, also FINALLY figured out how to disable system restore and reboot then scan..etc.
    my ventures didn't turn up the above virus, but did locate a different one to delete..

    also found this software tool, can you make sense of it for me......

    thank you all so much
    Logfile of HijackThis v1.97.7
    Scan saved at 9:52:36 PM, on 11/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\javaw.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\console.exe
    C:\Documents and Settings\MDG Customer\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/slv/ycheck/as/*h...earch?p=%s
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MDGCUS~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: LimeWire 4.0.5.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5\LimeWire.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet-5.8.3.20/s...assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo.com - http://slots02.pogo.com/applet/slots/alibaba-ob-assets.cab
    O16 - DPF: Dominoes by pogo - http://domino02.pogo.com/applet/domino/...assets.cab
    O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet/euchre/euchre-ob-assets.cab
    O16 - DPF: Hammerhead Pool by pogo - http://pool17.pogo.com/applet/pool/pool-ob-assets.cab
    O16 - DPF: Hammerhead Pool by pogo.com - http://pool26.pogo.com/applet/pool/pool-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo - http://drawpoker.pogo.com/applet/drawpo...assets.cab
    O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.8.3.20/p...assets.cab
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared...Engine.cab
    O16 - DPF: Keno by pogo.com - http://keno.pogo.com/applet/keno/keno-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.8.3.20...assets.cab
    O16 - DPF: Sci-Fi Slots by pogo.com - http://scifi.pogo.com/applet/slots/scifi-ob-assets.cab
    O16 - DPF: The Sims Pinball by pogo.com - http://simball01.pogo.com/applet/simbal...assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo.com - http://turbo14.pogo.com/applet/turbo21/...assets.cab
    O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/...assets.cab
    O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1267/...rix6ie.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe....0.0.5.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...mv9VCM.CAB
    O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\MDG Customer\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me...Client.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://luckynugget.microgaming.com/luc...lashAX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B24EBF81-64F8-42B0-8C33-E66C2A6FB865}: Domain = sympatico.ca
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B24EBF81-64F8-42B0-8C33-E66C2A6FB865}: NameServer = 192.168.2.1



    thanks all


    thanks
     
  2. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    dropper.small.AK :(

    could use some input on deleting

    dropper.small.AK

    C:systemvolumeinformation\_restore{C1667488-2B62-44A5-B03A-2D5F7A0139F}RP460\A0032010.exe

    i searched for this in files/folders to delete but came up with nothing.....

    Also do i scan for viruses and such with the system restore off?


    no matter what program i use....cannot locate and delete o_O

    suggestions any one??

    p.s

    this site fascinates me the knowledge you people have

    thanks for helping us mere mortals

    mal
     
  3. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    I have merged your two threads together (although the 2nd one is just about a duplicate). Please do not start a new thread for the same problem.

    You have also posted all 4 threads now in the DiamondCS TDS Forum. Are you using TDS-3?

    Your latest thread is regarding the removal of your McAfee antivirus. That one I will move to the appropriate forum.

    Regards,

    snap
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: newbie..help and dropper.small.AK (merged)

    Snapdragin, are you familiar with this HJT log enough or do we need to call more helping troops? I'm no expert in this field. I'm better with explaining how TDS works!
     
  5. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    I have moved your thread from the TDS forum over into this one.

    The file being flagged as dropper.small.AK is backed up in your System Restore, but don't worry about that yet as that can be easily taken care of later by turning System Restore off and doing a reboot.

    Let's first get your system clean, then you can try uninstalling McAfee later and see if it uninstalls properly.

    Before you begin, please create a permanent folder and move HijackThis.exe out of the temp folder and into the new folder. HijackThis creates backups in the folder it is run from, and in a temp folder those backups will soon be lost.

    If you did not knowingly install MyWebSearch (MyBar), then uninstall it through the Add/Remove Programs in the Control Panel.

    Next, with only Hijackthis open, place a check beside the following items.
    Make sure you have ALL browsers/windows closed, and click Fix checked:

    (If you did not set this as your Search page, then include it to be fixed)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/slv/ycheck/as/*h...earch?p=%s

    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe

    O4 - Startup: PowerReg Scheduler.exe

    O4 - Global Startup: LimeWire 4.0.5.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5\LimeWire.exe

    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1267/...rix6ie.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe....0.0.5.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://luckynugget.microgaming.com/luc...lashAX.cab

    (these ones listed in blue are optional to fix, but they do not have to startup with your computer and can be manually started through Start-->Programs)
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


    Uninstall the P2P Networking through the Add/Remove Programs in the Control Panel, and I would also recommend uninstalling Kazaa too.

    Make sure you have all files and folders viewable:
    How to Show Hidden Files and Folders

    Reboot your computer, preferably into Safe Mode by tapping the F8 key just before windows begins to load.

    Then find and delete the following folders listed in bold:
    C:\Program Files\MyWebSearch <--if you've chosen to uninstall it.
    C:\Program Files\LimeWire
    C:\WINDOWS\System32\P2P Networking

    ****
    Do you know what this is for? If not, could you navigate to the console.exe file and right-click it (do not left-click it) and look under its properties and tell me what it says about the file.
    O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe

    ****

    Then reboot your computer normally, and follow up with another scan with Ad-Aware. Make sure you have Ad-Aware up to date before scanning.

    Post a new log here in this thread when done.

    Regards,

    snap
     
  6. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    thanks for the reply!!! have been looking for it but it was moved :)

    i am at work so i will have to do all of this when i get off work and try and decipher all of your suggestions......i did forget to mention i tried to uninstall kazaa without luck ( i started using limewire,,,,, which you say to delete, should i still?)


    "Do you know what this is for? If not, could you navigate to the console.exe file and right-click it (do not left-click it) and look under its properties and tell me what it says about the file.
    O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe"

    1..what are you asking me....do i know what what is?? (sorry)

    2..since i am not at home, in case i don't know.. how do i make a permanent folder for hijkthis

    3. console.exe o_O? and right click what?....sorry again

    4. when i delete and uninstall things, should i empty recycle bin B4 i scan/or run hijack?

    5. is safe mode easy to get out of?

    thanks for everything
     
    Last edited: Jun 12, 2004
  7. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    FYI there is a couple of things that can't/won't delete (christmas screensavers,kazaa )......we'll worry about these later??
     
  8. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe"

    1..what are you asking me....do i know what what is?? (sorry)

    Yes, I was asking if you recognized it at all since I am not finding any information on it.

    2..since i am not at home, in case i don't know.. how do i make a permanent folder for hijkthis

    Open Explorer by clicking on the Start button -->All Programs -->Accessories -->Windows Explorer.
    Once Windows Explorer is open, then create a new folder (call it whatever you would like) somewhere on your C drive by going to File -->New -->Folder and give it a name. Then move Hijackthis.exe into that new folder so it will be in a permanent folder of its own.

    3. console.exe? and right click what?....sorry again

    First locate the file called console.exe in the Windows System32 folder.
    Then right-click on it, and choose Properties. Then under the tabs, see what it says the file is for, who made it, etc. Any information there under those tabs that might help identify what it is. Then post that information back here so I can see what it is and why it is running at startup.

    If there is no information under its tabs that would help identify it, could you upload it for a scan at Kaspersky, then post the scan results back here in a reply post.

    4. when i delete and uninstall things, should i empty recycle bin B4 i scan/or run hijack?

    You can wait until later to do that.

    5. is safe mode easy to get out of?

    Yes. You just reboot normally. The instructions are there in the link I provided if you need more detail.

    FYI there is a couple of things that can't/won't delete (christmas screensavers,kazaa )......we'll worry about these later??

    I don't know what program put the screensavers there, or if they came with an uninstaller, so I cannot help you too much with that.
    Kazaa should be able to be uninstalled. I don't use it myself but I believe it comes with an uninstall, or you can uninstall it through Add/Remove Programs.
    There is a removal utility called Kazabegone, that you can try. But please read the warning and download the LSPfix file before using Kazabegone, just in case you run into any trouble, you'll have the LSPfix tool to get your internet connection back. Here is the link for Kazabegone (just scroll down to the very bottom of that page) http://www.spywareinfoforum.com/~merijn/downloads.html

    Regards,

    snap
     
  9. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    will do thanks A LOT! .........again......

    i'm up for an adventure i am sure.......
     
  10. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    O MY FRIGGIN GOD................JUST NOW GOT BACK ON LINE....SCREWED MY INTERNET CONNECTION had to re-install drivers...oh well

    when i in depth adaware it found 180 files after my safe mode...still never found the dropper.small

    that console.exe.........just says its an application file 52 mb??

    here is my updated (i think) hijackthis



    Logfile of HijackThis v1.97.7
    Scan saved at 10:03:08 PM, on 12/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\System32\console.exe
    C:\Documents and Settings\MDG Customer\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MDGCUS~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: Domain = sympatico.ca
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105


    thanks
     
  11. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,


    About the Limewire; this used to come bundled with spyware but apparently they are saying their version 4 (the newest version) is spyware free. I don't use that so I cannot confirm it. But to keep limewire is definitely your choice. :)

    Let's have the Experts take a closer look at the 'console.exe' file just to be on the sure side. Please navigate to the System32 folder and zip up a copy of the console.exe file and email it to This Email Address for analysis. Include the url back to this thread in the body of the email along with a brief message.
    Send a zipped copy of it to this email also: submit@diamondcs.com.au


    You can fix this one in Hijackthis.
    O4 - Startup: PowerReg Scheduler.exe

    Reboot after doing so.

    If you are still getting an alert on dropper.small, then turn off your System Restore, reboot your computer to clear the old restore points, then turn System Restore back on and do another scan with your anti-virus.
    See instructions here for how to turn System Restore off: System Restore Instructions.

    Regards,

    snap
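
Added example, not part of the thread and not any poster's code: a small Python parser that compares two HijackThis logs and reports which entries marked for fixing are gone, which are still present, and which are new since the first scan. The sample lines are excerpts of the logs and fix list posted above; the function names are this example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail")

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path".
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")


def parse_hjt(text):
    """Return the registry/startup entries of a HijackThis log, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def norm(entry):
    """Comparison key: case-insensitive, repeated backslashes and spaces collapsed."""
    detail = re.sub(r"\\+", r"\\", entry.detail)
    detail = re.sub(r"\s+", " ", detail).casefold()
    return (entry.section, detail)


def compare(before_text, after_text, marked_text):
    """Check a follow-up log against the first log and the list of entries to fix."""
    before = {norm(e): e for e in parse_hjt(before_text)}
    after = {norm(e): e for e in parse_hjt(after_text)}
    marked = {norm(e): e for e in parse_hjt(marked_text)}
    return {
        # marked for fixing, present before, absent now
        "fixed": [e for k, e in marked.items() if k in before and k not in after],
        # marked for fixing but still in the follow-up log
        "persisting": [e for k, e in marked.items() if k in after],
        # not in the first log at all: installed or dropped between scans
        "new": [e for k, e in after.items() if k not in before],
    }


# Excerpt of the first log in this thread.
BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\console.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe
O4 - Startup: PowerReg Scheduler.exe
"""

# Excerpt of the second log in this thread.
AFTER = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe
O4 - Startup: PowerReg Scheduler.exe
"""

# Excerpt of the entries the helper asked to have fixed.
MARKED = r"""
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - Startup: PowerReg Scheduler.exe
"""

if __name__ == "__main__":
    report = compare(BEFORE, AFTER, MARKED)
    for label in ("fixed", "persisting", "new"):
        print(label.upper())
        for e in report[label]:
            print("  %s - %s" % (e.section, e.detail))
```

Entries reported as new are not necessarily bad (here they are security tools installed between scans), but each one is something that started loading after the first log and is worth accounting for.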
     
  12. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    wellllllllllllll

    i just tried to zip the file msn came on and said "file has virus on it, cannot send"

    you guys are good
     
  13. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    First bring up TaskManager (ctrl+alt+del keys) and end the running process on the file. Then upload the console.exe to Kaspersky for a scan. Let's see if it says anything about it so we have some idea of what we're dealing with.

    Then try sending the zipped file again, but this time password protect it.
    If it still won't go through, you can try renaming the zipped file by right-clicking it, select rename, and rename the console.zip to console.txt. You will get a message warning that the file will not be able to be run when renamed, just press OK.

    In the body of the email message make sure you give the password for the file, and state that it is infected and you've renamed the zipped file, so those receiving it will know what it is.

    While we wait to see what the Experts say about the file, rename the console.exe to console.bak so it won't run the next time you reboot your computer.

    Regards,

    snap

    fixed the wrong spelling of console.exe
     
    Last edited: Jun 13, 2004
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: newbie..help and dropper.small.AK (merged)

    both console.dll & conime.exe that you sent me appear to be genuine M$ system files

    conime is the multilanguage support

    the console.exe you tried to send was deleted by the antivirus on my email provider so that one was definitely bad

    many viruses use similar names to genuine files so that they will be hidden to most users and not removed
     
  15. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi Derek, :)

    So rather than have phatkid rename the console.exe to console.bak, they should just delete it after submitting the password-protected zipped file to submit@diamondcs.com.au

    Regards,

    snap
     
  16. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    so how am i getting it off, and how do i know what one is bad?
     
  17. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    i tried to rename then move to a folder, and it just goes back to origin
     
  18. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    Since Derek said it is an infected file, you can go ahead and delete it, but before deleting the file, please try sending it again to the two addresses I mentioned above, but passwording the zipped file so it will get past the antivirus programs. You can keep a copy of the zipped file for a few days until we hear back from the Experts.

    Leave both the console.dll & conime.exe alone though since they are legitimate Windows files.

    What did the Kaspersky scan say about the console.exe?

    snap
     
  19. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    You will be able to delete the console.exe file in Safe Mode.
     
  20. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    thank you so much.........every time i tried in regular mode it just popped back up..in safe mode it killed that sucker....

    i got rid of all the console and conime as there were copies and i could not tell what was the clean one....

    here is my new hijackthis file

    Logfile of HijackThis v1.97.7
    Scan saved at 3:37:13 AM, on 13/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Proantivirus Lab\Digital Patrol Scanner 5.0\update.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\MDG Customer\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MDGCUS~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Startup: Digital Patrol Update.lnk = C:\Program Files\Proantivirus Lab\Digital Patrol Scanner 5.0\update.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: Domain = sympatico.ca
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105

    this was more hassle than i like, but the two times i have taken the puter to where i got it (free) i have to reinstall everything (HUGE pain......finding registration Numbers....etc....

    lastly, i cannot delete christmas hearth.....
    wise uninstall....could not open install.log file

    kazza....RUNDLL
    C:\WINDOWS\system32\cd_clintdll
    that should cure me for good :) i have my mcafee disc, hopefully it has uninstall


    thank you everyone so much
     
  21. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    what is the worst that would happen if i deleted files i needed??

    also, in the system 32 folder they were console.dll and conime.dll....not exe

    still couldn't delete


    p.s that safe mode is cool......wish i could read that stuff good enough as to not bug any one.............that won't be happening

    phats
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: newbie..help and dropper.small.AK (merged)

    I'm wondering:
    when i can't zip a file for some reason, i try to change its extension into .tmp so it can't run anymore and most scanners don't make problems on a tmp file (till now). But zipped password protected is the best.
    Only you said it was a 52 MB file? that is really BIG!
    What you always can do in windows explorer: carefully rightclick the file to look at its properties (i say careful to make sure you don't click and activate it unintended) and if possible details of the file, does it look like a normal MS file, was it recently modified, look at dates etc.
    If it was 52MB indeed you could not upload it at the kaspersky online checker (i love that thing, using it frequently as a second opinion); but any of your av/at scanners would have been able to scan it or an online scanner.
    It might have been an original which got infected, or an original which has code now detected as bad stuff, whatever.
    This is why i like to look for the original properties and description, so if it was said to be an original MSN messenger file (for example) you could write to MSN support and telling this story, pointing to this thread, as that saves you lot of writing :)
    If there is guaranteed nothing wrong and it is the original file scanners worldwide can exclude the file from their databases. But if it is an original and bad thing MSN has to replace it with an innocent version.
    If it got infected on your system only it's another story and removing is the only thing.

    If you lost needed files:
    If they were system files, doesn't XP have the automatic ability to put them back, or in worse cases via system restore?
    with system restore all the other stuff is back too, so that is depending on the advice of the experts here.
    The worst thing could be you have to re-install a program.
    But following the exact advices from the experts here nothing can go wrong.

    BTW: if i don't trust a file i have the habit to send in a copy for advice of course but also to keep the file with an extra extension, like your console.exe could become console.exe.tmp so i can always find it back and i can find out if anything stops running or other errors show up with the file not being able to run.

    This is general, for this console.exe i really don't know as long there is no expert advice from the file itself. This version at least sounded very suspicious!

    BTW: if it was part of MSN Messenger: i have MSN messenger but no console.exe, but i didn't update it long time as i never use it and i don't run XP, so maybe other XP and MSN Messenger owners can have a look if they have such files on their system and their size, so you might feel less bad about having removed a baddy.
    When all is clean you can re-install MSN Messenger if it would have been part of that and if the program would not run properly anymore.
     
    Last edited: Jun 13, 2004
  23. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    too late...............deleted console......take no chances!!!

    i was thinking of uninstalling windows and reinstalling....... i doubt not having the files will affect me too bad...

    for future references how do we password protect a zipped file..

    snap.... i never had a chance to upload the file, sorry

    phats
     
  24. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    I'm a bit lost where you are at the moment as to what files you actually deleted?

    Did you delete the infected file console.exe successfully?
    Did you delete the files console.dll and conime.dll?

    The console.dll is the Control Panel Console Applet and is a legitimate Microsoft file, and needed. The file is about 65kb in size, and there should be one in the Windows\System32 folder, and one in the Windows\System32\dllcache folder (at least that is what I have on my computer)

    You may still be able to retrieve the console.dll from your Recycle Bin if you haven't emptied it, but that file should be protected by Windows so it may well have been put back by Windows after a reboot.

    I do not have a conime.dll on my XP-Home, nor can I find any information on that one, so it may well have belonged to the other infected file, console.exe.

    Have you since done a scan with your antivirus (or an on-line scan) and has everything come back clean now?

    As for how to password protect a file, here is the Microsoft article that describes that: http://support.microsoft.com/default.aspx?scid=kb;en-us;306531#4

    It would have been good to have the infected console.exe file to see exactly what it does and if it has dropped any other files that we can't see in the hijackthis log, and submit it for analysis and detection. But if you've already deleted it, then not to worry, as long as your system is clean now that's what counts.

    I have moved your other thread regarding the removal of McAfee Antivirus over into our Other Antivirus Software forum: https://www.wilderssecurity.com/showthread.php?t=36090
    You can follow-up with removing McAfee over in that thread. ;)


    Could you post a final hijackthis log so we can check it to make sure it is ok.

    Thank you.

    snap
     
  25. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    yes i deleted those 2 files, but copied them from my XP master disk back to the system 32 folder....

    i did send the files, however they were not zipped, then i deleted them sorry!!!

    i thought i posted an updated log....any where here she is

    Logfile of HijackThis v1.97.7
    Scan saved at 10:35:40 PM, on 13/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Proantivirus Lab\Digital Patrol Scanner 5.0\update.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\MDG Customer\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MDGCUS~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Startup: Digital Patrol Update.lnk = C:\Program Files\Proantivirus Lab\Digital Patrol Scanner 5.0\update.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: Domain = sympatico.ca
    O17 - HKLM\System\CS1\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105

    thanks
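
Checking a follow-up HijackThis log mostly means seeing which entries changed between scans. The sketch below is an added example, not part of the original posts or of HijackThis itself: it parses the entry lines of two logs and reports what was removed or added, using abbreviated excerpts of the earlier and final logs in this thread (the function names are made up for illustration).

```python
import re

# A HijackThis entry is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
# O4 registry autoruns have the form "<key>: [<value name>] <command>".
O4_RUN = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_entries(log_text):
    """Return the set of (code, details) entries, skipping header and process lines."""
    found = (ENTRY.match(line) for line in log_text.splitlines())
    return {(m.group(1), m.group(2)) for m in found if m}

def diff_logs(earlier, later):
    """Return (entries gone from the later scan, entries new in the later scan)."""
    old, new = parse_entries(earlier), parse_entries(later)
    return sorted(old - new), sorted(new - old)

def removed_autoruns(earlier, later):
    """Value names of O4 registry autoruns present earlier but gone later."""
    gone, _ = diff_logs(earlier, later)
    hits = (O4_RUN.match(details) for code, details in gone if code == "O4")
    return [m.group("name") for m in hits if m]

# Abbreviated excerpts of the two logs posted in this thread.
EARLIER = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: NameServer = 192.168.2.1
"""
FINAL = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: Domain = sympatico.ca
"""

if __name__ == "__main__":
    gone, new = diff_logs(EARLIER, FINAL)
    for label, rows in (("removed", gone), ("added", new)):
        for code, details in rows:
            print(f"{label:8}{code:4}{details}")
```

Entries are compared as exact strings, so a path that differs only in case or in a doubled backslash shows up as one removal plus one addition.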
     