Brute Force Deletion needed...



Posted by: Nubius

I got this file which I suspect might be behind me getting lag on servers in multiplayer games which used to never happen. The ping fluctuates so I attribute it to something trying to access the internet. I scanned with Spybot, adaware, all with updated definitions, used [url]www.pc-cillin.com[/url] and zone-alarm to try and see if something was up, or trying to access the internet. Nothing found anything on my computer.

I have this file I cannot delete that says it's 1kb in size, but 4kb in size on disk..like the file isn't finished or something, but I've already run it and it's a DOS Prompt (which with this file I knew it was going to be) and it seemed as if everything was OK. Now I can't delete that file off my secondary HD so this is mainly why I suspect it of foul play.

I keep getting the 'this program is in use...close application before trying to delete' I even booted in safe mode and it gives me that. I can't for the life of me figure out what program it's attached to. I need to be able to delete this crap. Plus I've had it happen before in the past, so does anyone have any programs that'll just DELETE something regardless if it's being used by another program? Because this is getting REALLY annoying



Posted by: Inaris

First, what is the file called? Second, download
[url]http://www.sysinternals.com/ntw2k/source/filemon.shtml[/url]
and
[url]http://www.sysinternals.com/ntw2k/freeware/procexp.shtml[/url]

Use Filemon to look for access to that program, and then Process Explorer to look for handles to it. That should help you identify what is going on.



Posted by: Nubius

It's called hl2fix.exe. It was supposed to stop this error message that I kept getting that would say A.I. Disabled when I loaded a level. Now it just keeps saying it's in use by another program. I downloaded both those programs and don't see any reference to that file. Also there's no network activity being shown, so I'm not sure if it's the game or what, because I've noticed no lag in downloading or anything of that sort, so this seems kind of weird. Also it lags for my friend when he plays on another computer that I KNOW can't possibly be infected with anything because it hasn't been used on the internet except for today. So this has got me perplexed.



Posted by: southernlady

Nubius, Download and run HiJack This and in the morning when my eyes aren't about to seal shut, I'll read your log. Make sure you post it in the HiJack Forum, ok? Liz



Posted by: Nubius

Thanks Liz, I'll have to give that a go. I just downloaded a program called Shredder95 and it was able to delete the program regardless of the 'It's in use', but I think I need to get that hijack this log just to make sure nothing else is running.



Posted by: southernlady

Okay, I'll see you in the morning, night. Liz



Posted by: Nubius

Alright, here's my log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner\RivaTuner.exe" /T
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098614801093[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14
O17 - HKLM\System\CS2\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14


I used this Hijack This tutorial from Major Geeks:

[url]http://forums.majorgeeks.com/showthread.php?t=38752[/url]


to understand what exactly Hijack this was finding. I didn't see anything out of the ordinary, but since this is my first time perhaps I overlooked something. Yes I did purposely download the google toolbar :p



Posted by: southernlady

Nubius, you're missing the top half of the log which *I* NEED and can we move this to the hijack forum please? Liz



Posted by: Nubius

Yeah sorry for not putting it in this forum in the first place. It was about 3:30am when I did it after trying other things on the computer and yeah my brain wasn't all there =/ Here's the log again:

Logfile of HijackThis v1.98.2
Scan saved at 3:41:32 AM, on 12/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\RivaTuner\RivaTuner.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\FreeMem Standard\freemem.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Josh\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner\RivaTuner.exe" /T
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098614801093[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14
O17 - HKLM\System\CS2\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14

Thanks again for your help SouthernLady :)



Posted by: southernlady

Nubius, Click here: [url]http://www.spyware911.net/downloads.htm[/url] to download About Buster.

Unzip it to your desktop.

Then reboot into Safe Mode by tapping F8 key repeatedly during bootup.

Double click aboutbuster.exe, click Update, click OK, click Start, then click OK.
This will scan your computer for the bad files and delete them. Liz



Posted by: southernlady

Download and run CWShredder: [url]http://www.richardthelionhearted.com/~merijn/downloads.html[/url]

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

[b]R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank[/b]

[b]R3 - Default URLSearchHook is missing[/b]

[b]O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl[/b]

[b]O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll[/b]

[b]O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll[/b]

[b]O17 - HKLM\System\CCS\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14[/b]

[b]O17 - HKLM\System\CS1\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14[/b]

[b]O17 - HKLM\System\CS2\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14[/b]

Restart to safe mode. [url]http://service1.symantec.com/SUPPOR...001052409420406[/url]

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type [b]%temp%[/b] in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files".

Reboot.

Empty the Recycle Bin

Then post another log. Liz



Posted by: Nubius

Regarding the things to fix...I've always kept my search at about:blank, I hit 'FIX' on the R3 default search hook is missing. Also I installed AIM, and Partypoker myself, and the O17's are my DNS gateway. I have 4 computers on a network so in the TCP/IP protocol properties section instead of 'Obtain IP automatically' I put in my own set of numbers. The 24.205.1.62 and the 24.205.1.14 are my DNS gateways, so those numbers aren't unfamiliar. Are you sure I need to delete those?

Also I'm trying to clean out everything. I couldn't delete some of the files in the %temp% folder (accessed via the Run menu by typing in %temp%); it said some files were in use. Soooo I'll be restarting in safe mode and trying that program you linked, but I wanted to ask about these HijackThis fixes first.

I very much appreciate your help on this SouthernLady. Next time I should be able to troubleshoot this much better myself :D



Posted by: southernlady

THAT AIM isn't a valid one; if you google aim.exe -cnetwait.odl you will come up with this: [url]http://tinyurl.com/4s4se[/url] As far as Party Poker, I kept getting lots of google sites with other techs taking it off. If you want to keep it, that's fine. The DNS just looked wrong, that's why, LOL. If it's right, then just ignore that.

But yes, that AIM isn't the right one.

As far as your temp folder, is it because they are read only? Liz



Posted by: Nubius

The temp folder is not read only. I was able to delete all but one of the files which is "Perflib_Perfdata_658.dat" which isn't the same as the file I couldn't delete yesterday. I ran and updated Aboutbuster and was in safe mode and scanned and that program didn't find anything.


EDIT: Well I just fixed the AIM and when I start up AIM, it wants to add that registry file back to the registry. Spybot alerts me of the registry deletion from Hijack this and then it alerted me to the adding of that registry key when I started up AIM. I denied the change though so I prevented it from doing it.



Posted by: southernlady

Question, do you have SpywareGuard and SpywareBlaster on your system? Especially SpywareGuard. That one alerts you to any program that tries to add a BHO or change your home page. It's a very handy program. Both links are in my signature.

Do you want to post a final HiJack log to see if it's clean, or do you feel comfortable enough to read your own? Liz



Posted by: Nubius

I don't have either of those particular spyware programs. I just have Ad-Aware installed for scanning, and Spybot Search and Destroy installed, which will look out for some installations of files, registry keys, etc., but not SpywareGuard. I also generally use [url]www.pc-cillin.com[/url] for a quick virus scan. Generally I format pretty often, close to once a month, because I'm always installing and uninstalling; overclocking my computer requires a lot of restarts when I'm fine tuning it, which once caused the HD to need a format out of the blue, but that was because of the computer restarting when it shouldn't have.

Here's a final check of my log:

Logfile of HijackThis v1.98.2
Scan saved at 11:36:36 AM, on 12/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\RivaTuner\RivaTuner.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\FreeMem Standard\freemem.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Josh\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner\RivaTuner.exe" /T
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098614801093[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [url]http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14
O17 - HKLM\System\CS2\Services\Tcpip\..\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14

I 'Fixed' that AIM key last night and even chose for Spybot to NOT let the entry be added to the registry, but it looks like it did it anyway. I could always go to the actual reg key and put in bogus information, but that won't work on something that keeps renewing itself.

I've gotten past some very intrusive spyware before like that. When it uses a file from my system I'll make it a blank file and make it read-only, and it's worked for a quick fix when I've needed it.

I'll indeed give SpywareGuard a check out.
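As an added example (not code from anyone in this thread), the following Python script parses HijackThis-style log lines into section/entry pairs and diffs two scans, so you can list which entries a "Fix checked" removed, which persisted across the reboot, and which came back; it also pulls out the O4 autorun commands and the O17 name servers that the discussion above turned on. The sample excerpts are constructed from the 12/4 and 12/6 logs posted above.

```python
"""Diff two HijackThis-style logs to see which entries a fix removed
and which persisted (added example; sample lines are constructed from
the logs posted in this thread)."""
import re
from typing import Dict, List, Set, Tuple

# A HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4,
# O1-O24) followed by " - " and the entry body.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every HijackThis entry in text.
    Header lines ("Logfile of...", "Running processes:") and bare process
    paths carry no section code and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def diff_logs(before: str, after: str):
    """Return (removed, persisted, added) sets of entries between two scans."""
    b = set(parse_log(before))
    a = set(parse_log(after))
    return b - a, b & a, a - b


def run_keys(text: str) -> Dict[str, str]:
    """Map each O4 autorun name (the [Name] part) to its command line."""
    keys = {}
    for section, body in parse_log(text):
        if section == "O4":
            m = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", body)
            if m:
                keys[m.group("name")] = m.group("cmd")
    return keys


def name_servers(text: str) -> Set[str]:
    """Collect every DNS server address listed in O17 NameServer entries."""
    servers = set()
    for section, body in parse_log(text):
        if section == "O17":
            m = re.search(r"NameServer = (?P<list>[\d.,]+)", body)
            if m:
                servers.update(m.group("list").split(","))
    return servers


# Constructed excerpts of the 12/4 (before) and 12/6 (after) logs above.
LOG_BEFORE = """Logfile of HijackThis v1.98.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKCU\\..\\Run: [AIM] C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\\Program Files\\PartyPoker\\IEExtension.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14
"""
LOG_AFTER = """Logfile of HijackThis v1.98.2
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about:blank
O4 - HKCU\\..\\Run: [AIM] C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{26D68BFE-63A3-45A0-A0D8-14DF71DAC5B9}: NameServer = 24.205.1.62,24.205.1.14
"""

if __name__ == "__main__":
    removed, persisted, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label, group in (("removed", removed), ("persisted", persisted), ("added", added)):
        for sec, body in sorted(group):
            print(f"{label:9} {sec} - {body}")
    print("autoruns:", run_keys(LOG_AFTER))
    print("DNS servers:", name_servers(LOG_AFTER))
```

An entry that shows up under "persisted" after a fix and a reboot, like the AIM autorun here, is being re-created by whatever program owns it rather than surviving the fix.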



Posted by: southernlady

Nubius, These two just WILL NOT go away:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

I want you to go here: [url]http://www.spyware911.net/downloads.htm[/url] and download a program called Killbox. "A last resort tool for removing stubborn unwanted malware files. Can be used to remove on reboot as well."

Unzip it to its own folder, not to the Desktop or a Temp folder. Click on KillBox.exe and it will open. Now click on the msg{} .dll find button. This will open another window and display a list of .dll files in the upper area and possibly a string of numbers in the lower area. In the upper right corner click on the "Save Log" button. This will open a notepad file with the contents of the log. Please copy and paste that log back here. Liz



Posted by: Nubius

Alright, this one:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

is gone I just did it and checked and it's not coming back or anything. This one:

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

keeps coming back when I start AIM, and when I googled it mainly I found other people's HijackThis logs, but nothing about it being a virus or spyware. Spybot S&D catches the registry key when it's being deleted by HijackThis, and I allowed the deletion of the key from HijackThis. Then when I started up AIM, Spybot wants my approval for adding it back to the registry and I denied it, but it still shows up in HijackThis.

Killbox, I don't see where you're describing. Not even the Save log part. It comes as the stand alone .exe from the website you linked from me. Says Pocket Killbox as the title but I downloaded the one that says "A last resort tool for removing stubborn unwanted malware files. Can be used to remove on reboot as well."



Posted by: southernlady

Okay, do one last thing on the AIM entry and then we will give up on it.

I know you have scanned for virus/worms with your A/V but let's also do a Trojan scan. Go here and download this one: [url]http://www.emsisoft.com/en/software/free/[/url] If it comes up clean, then let that entry alone.

It may have been a different version of Killbox. I was using the instructions from a different page. Liz



Posted by: southernlady

Nubius what's your status? Liz



Posted by: southernlady

Nubius, I'm closing this thread. If you need it reopened, let me know, ok? Liz